...JWT is Cracking! or is it the other way around?...
git clone https://github.com/lmammino/jwt-cracker.git
sudo npm install --global jwt-cracker
Below is an example of how to use the program. Essentially, we pass it our full JWT, then the alphabet of characters to brute force with (in this case, the lower-case alphabet), and finally the maximum number of characters to try for the secret. What gets brute forced is the HMAC secret that signed the token: the header of the example token below decodes to {"typ":"JWT","alg":"HS256"}, so every candidate secret is tried as the HMAC-SHA256 key and the resulting signature compared against the one in the token.
The usage is:
jwt-cracker <token> [alphabet] [max-length]
So a real world example would look like this:
jwt-cracker eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IjdzMjZzaW1vbiIsImFkbWluIjp0cnVlLCJqdGkiOiJiNjZlZTYyYS04YzdjLTQ3OGMtOTY3ZS1kMzFkNGEyNTM1YTkiLCJpYXQiOjE1OTIwNzA4OTYsImV4cCI6MTU5MjA3NDUzNH0.puJckeBQUyf3CmWommtau6ZXyMg88aDoGhd_K1TXI44 abcdefghijklmnopqrstuvwxyz 4
So how do we know if it has been cracked? It'll tell you! Beware, if it's a strong secret in any way (e.g. alphanumeric, or more than a handful of characters) this may take a seriously long time: the number of candidates grows as the alphabet size raised to the power of the length.
If you copy and use my provided JWT, you'll find it's cracked very quickly as the secret is just 4 characters. Here's a slightly more difficult one for you to try and crack:
I have been kind and provided you with a reduced character set to speed it up.
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IjdzMjZzaW1vbiIsImFkbWluIjp0cnVlLCJqdGkiOiI3NzQ3NmE4ZS04MGFkLTQyYWUtYmZhOS03ZDA4NzZlNjQ4MWYiLCJpYXQiOjE1OTIwNzIyODgsImV4cCI6MTU5MjA3NjA0Nn0.8-chE8fFKsI181IcVmrxxRmw3NAxy3fj63hlM90L0fo
Character set: aechklrdwps
Characters in password: 6
Challenge inspired by TryHackMe