Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Crack JWT (HMAC) with HashCat/JohnTheRipper on MacOS
"alg": "HS256",
"typ": "JWT"
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
$ echo -n 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.hWgU00w-Sq8jKHr7MD5DSUCMznj5GtHVARKNFgljc9A' > /tmp/jwt.hash
1. HashCat (v.4.1.0)
$ brew install hashcat
$ hashcat -h |grep JWT
16500 | JWT (JSON Web Token) | Network Protocols
$ hashcat -m 16500 /tmp/jwt.hash /path/to/wordlist.txt
Session..........: hashcat
Status...........: Cracked
Hash.Type........: JWT (JSON Web Token)
2. john
; default john on Kali and MacOS's brew do not support JWT Cracking.
$ brew install gcc openssl
$ brew upgrade gcc
$ brew upgrade openssl
$ git clone
$ cd jwtcrack/jwtcrack
$ python eyJhbGciOiJI...c9A > /tmp/jwt.john
$ git clone
$ cd JohnTheRipper/src
$ ./configure CPPFLAGS="-I/usr/local/opt/openssl/include" LDFLAGS="-L/usr/local/opt/openssl/lib" --disable-pkg-config
$ make clean && make
$ make install
$ ../run/john /tmp/jwt.john --wordlist /path/to/wordlist.txt
3. don't use, it's suck.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.