Simple HS256, HS384 & HS512 JWT token brute force cracker. Effective only against JWT tokens signed with weak secrets.

Recommendation: use strong, long secrets or RS256 tokens.

With npm:

```bash
npm install --global jwt-cracker
```

From the command line:

```bash
jwt-cracker -t <token> [-a <alphabet>] [--max <maxLength>] [-d <dictionaryFilePath>] [-f]
```

This script requires Node.js version 16.0.0 or higher.

Cracking the default jwt.io example:

```bash
jwt-cracker -t eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ -a abcdefghijklmnopqrstuwxyz --max 6
```

It takes about 2 hours on a MacBook Pro (2.5GHz quad-core Intel Core i7).

Or using a list of passwords taken from https://github.com/danielmiessler/SecLists:

```bash
jwt-cracker -t eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ -d darkweb2017-top10000.txt
```

It takes less than a second.

Everyone is very welcome to contribute to this project. You can contribute just by submitting bugs or suggesting improvements by opening an issue on GitHub.

Licensed under MIT License. © Luciano Mammino.