Skip to content

lmammino/jwt-cracker

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
2 branches 7 tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
.github/workflows
Create npm-publish.yml
January 10, 2023 18:33
.eslintrc.cjs
preparing for v2
January 10, 2023 18:30
.gitignore
Initial commit
August 28, 2016 23:39
LICENSE
Initial commit
August 28, 2016 23:39
README.md
fix rawsec url (#22)
January 13, 2023 18:37
_config.yml
Set theme jekyll-theme-minimal
January 19, 2017 19:43
index.js
Correctly referencing __dirname so thats compatible with windows
January 25, 2023 09:55
package-lock.json
Version bump 2.2.0
January 25, 2023 10:04
package.json
Version bump 2.2.0
January 25, 2023 10:04
process-chunk.js
preparing for v2
January 10, 2023 18:30
test.js
preparing for v2
January 10, 2023 18:30
jwt-cracker Install Usage Requirements Example Contributing License

README.md

npm npm Rawsec's CyberSecurity Inventory GitHub stars GitHub license

jwt-cracker

Simple HS256 JWT token brute force cracker.

Effective only to crack JWT tokens with weak secrets. Recommendation: Use strong long secrets or RS256 tokens.

Install

With npm:

npm install --global jwt-cracker

Usage

From command line:

jwt-cracker <token> [<alphabet>] [<maxLength>]

Where:

  • token: the full HS256 JWT token string to crack
  • alphabet: the alphabet to use for the brute force (default: "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
  • maxLength: the max length of the string generated during the brute force (default: 12)

Requirements

This script requires Node.js version 6.0.0 or higher

Example

Cracking the default jwt.io example:

jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6

It takes about 2 hours in a Macbook Pro (2.5GHz quad-core Intel Core i7).

Contributing

Everyone is very welcome to contribute to this project. You can contribute just by submitting bugs or suggesting improvements by opening an issue on GitHub.

License

Licensed under MIT License. © Luciano Mammino.

About

Simple HS256 JWT token brute force cracker

lmammino.github.io/jwt-cracker/

Topics

nodejs javascript jwt command command-line secrets bruteforce alphabet brute-force-attacks brute-force jwt-cracker cracker

Resources

Readme

License

MIT license

Stars

737 stars

Watchers

8 watching

Forks

133 forks

Releases 5

2.2.0 Latest
Jan 25, 2023
+ 4 releases

Packages

No packages published

Used by 1

Contributors 6

Languages