Offensive Sec Blog

Security of Information, Threat Intelligence, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, Leaks, Pr1v8, Premium Courses Free, etc

Sunday, September 10, 2017

Simple HS256 JWT Token Brute Force Cracker - jwt-cracker

                 No comments    

Simple HS256 JWT token brute force cracker.
Effective only to crack JWT tokens with weak secrets.
Recommendation: Use strong long secrets or RS256 tokens.

 Install

 With npm:
npm install --global jwt-cracker

Usage

 From command line:
jwt-cracker <token> [<alphabet>] [<maxLength>]
Where:
  • token: the full HS256 JWT token string to crack
  • alphabet: the alphabet to use for the brute force (default: "abcdefghijklmnopqrstuwxyzABCDEFGHIJKLMNOPQRSTUWXYZ0123456789")
  • maxLength: the max length of the string generated during the brute force (default: 12)

 Requirements

 This script requires Node.js version 6.0.0 or higher

 Example

 Cracking the default jwt.io example:
jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6
It takes about 2 hours in a Macbook Pro (2.5GHz quad-core Intel Core i7).


Share:

0 comentários:

Post a Comment

Note: Only a member of this blog may post a comment.

Copyright © Offensive Sec Blog | Powered by OffensiveSec
Design by OffSec | Theme by Nasa Records | Distributed By Pirate Edition