c-jwt-cracker

by brendan-rius

2.5Kstars

269forks

42watchers

Updated 8 months ago

About

A multi-threaded C-based tool that brute forces JWT secret keys to enable forging of valid tokens.

JWT brute force cracker written in C

Primary Use Case

This tool is primarily used by security professionals and penetration testers to assess the strength of JWT secret keys by attempting brute-force attacks. It helps identify weak or guessable secrets in JWT-based authentication systems, enabling organizations to improve their token security.

Key Features

Multi-threaded brute force cracking of JWT secret keys
Supports multiple HMAC hash functions including sha256 (HS256), sha384 (HS384), and sha512 (HS512)
Customizable secret key length and character set for targeted brute forcing
Docker image support for easy deployment
Manual compilation with OpenSSL dependency for flexibility
Uses a modified Apple Base64 implementation for encoding/decoding
Command line interface with options to specify hash function and brute force parameters

Installation

Ensure OpenSSL headers are installed (e.g., on Ubuntu: apt-get install libssl-dev)
Clone the repository (implied, not explicitly stated)
Build the project using 'make'
On Mac, install OpenSSL via Homebrew: brew install openssl
Compile on Mac using: make OPENSSL=/usr/local/opt/openssl/include OPENSSL_LIB=-L/usr/local/opt/openssl/lib
Alternatively, build a Docker image with: docker build . -t jwtcrack

Usage

>_ docker run -it --rm jwtcrack <jwt_token>

Run the JWT cracker inside a Docker container against the provided JWT token.

>_ ./jwtcrack <jwt_token>

Run the JWT cracker locally on the provided JWT token.

>_ ./jwtcrack <jwt_token> ABCSNFabcsnf1234 5 sha256

Brute force the JWT secret with a maximum length of 5 characters using the specified alphabet and HS256 hash function.

>_ ./jwtcrack <jwt_token> adimnps 9 sha512

Brute force the JWT secret with a maximum length of 9 characters using a limited alphabet and HS512 hash function.

>_ ./jwtcrack <jwt_token> 0123456789 6 sha384

Brute force the JWT secret with a maximum length of 6 characters using numeric characters and HS384 hash function.

Security Frameworks

Credential Access

Discovery

Initial Access

Defense Evasion

Persistence

Usage Insights

Integrate with CI/CD pipelines to automate JWT secret strength validation during development.
Use in red team engagements to simulate credential brute forcing and identify weak JWT secrets.
Combine with monitoring tools to detect anomalous JWT token usage indicating potential compromise.
Leverage Docker support for rapid deployment in diverse testing environments.
Incorporate into purple team exercises to improve collaboration between offensive and defensive teams on token security.

Docs Take 2 Hours. AI Takes 10 Seconds.

Ask anything about c-jwt-cracker. Installation? Config? Troubleshooting? Get answers trained on real docs and GitHub issues—not generic ChatGPT fluff.

3 free chats per tool • Instant responses • No credit card

Security Profile

Red Team85%

Blue Team35%

Purple Team60%

Details

LicenseMIT License

LanguageC

Open Issues16

Topics

jwt-authentication

cracker