0xBADCA7/crack_jwt.txt

## crack_jwt.txt
Target:

{
  "alg": "HS256",
  "typ": "JWT"
}
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

$ echo -n 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.hWgU00w-Sq8jKHr7MD5DSUCMznj5GtHVARKNFgljc9A' > /tmp/jwt.hash

1. HashCat (v.4.1.0)
$ brew install hashcat
$ hashcat -h |grep JWT
  16500 | JWT (JSON Web Token)                             | Network Protocols
$ hashcat -m 16500 /tmp/jwt.hash /path/to/wordlist.txt

...
eyJhbGciOiJ....GtHVARKNFgljc9A:p@ssw0rd

Session..........: hashcat
Status...........: Cracked
Hash.Type........: JWT (JSON Web Token)
...

2. john
; default john on Kali and MacOS's brew do not support JWT Cracking.

$ brew install gcc openssl
$ brew upgrade gcc
$ brew upgrade openssl

$ git clone https://github.com/Sjord/jwtcrack
$ cd jwtcrack/jwtcrack
$ python jwt2john.py eyJhbGciOiJI...c9A > /tmp/jwt.john

$ git clone https://github.com/magnumripper/JohnTheRipper
$ cd JohnTheRipper/src
$ ./configure CPPFLAGS="-I/usr/local/opt/openssl/include" LDFLAGS="-L/usr/local/opt/openssl/lib" --disable-pkg-config
$ make clean && make
$ make install
$ ../run/john /tmp/jwt.john --wordlist /path/to/wordlist.txt


3. don't use jwtcrack.py, it's suck.
	Target:

	{
	"alg": "HS256",
	"typ": "JWT"
	}
	{
	"sub": "1234567890",
	"name": "John Doe",
	"iat": 1516239022
	}

	$ echo -n 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.hWgU00w-Sq8jKHr7MD5DSUCMznj5GtHVARKNFgljc9A' > /tmp/jwt.hash

	1. HashCat (v.4.1.0)
	$ brew install hashcat
	$ hashcat -h \|grep JWT
	16500 \| JWT (JSON Web Token) \| Network Protocols
	$ hashcat -m 16500 /tmp/jwt.hash /path/to/wordlist.txt

	...
	eyJhbGciOiJ....GtHVARKNFgljc9A:p@ssw0rd

	Session..........: hashcat
	Status...........: Cracked
	Hash.Type........: JWT (JSON Web Token)
	...

	2. john
	; default john on Kali and MacOS's brew do not support JWT Cracking.

	$ brew install gcc openssl
	$ brew upgrade gcc
	$ brew upgrade openssl

	$ git clone https://github.com/Sjord/jwtcrack
	$ cd jwtcrack/jwtcrack
	$ python jwt2john.py eyJhbGciOiJI...c9A > /tmp/jwt.john

	$ git clone https://github.com/magnumripper/JohnTheRipper
	$ cd JohnTheRipper/src
	$ ./configure CPPFLAGS="-I/usr/local/opt/openssl/include" LDFLAGS="-L/usr/local/opt/openssl/lib" --disable-pkg-config
	$ make clean && make
	$ make install
	$ ../run/john /tmp/jwt.john --wordlist /path/to/wordlist.txt


	3. don't use jwtcrack.py, it's suck.