Wednesday, November 20, 2019

Crack JWTs with JohnTheRipper

Very simple, just paste your entire JWT into a text file like this one from WebGoat:

cat > webgoat-jwt.txt

Run with JTR:
$ ./john webgoat-jwt.txt
Using default input encoding: UTF-8
Loaded 1 password hash (HMAC-SHA256 [password is key, SHA256 256/256 AVX2 8x])
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:./password.lst
shipping         (?)
1g 0:00:00:00 DONE 2/3 (2019-11-20 10:56) 16.66g/s 2517Kp/s 2517Kc/s 2517KC/s christophing..Bluebirded
Use the "--show" option to display all of the cracked passwords reliably
Session completed

To use, just echo the password ("shipping" in this case) into webgoat-jwt-cracked.txt and import that as the "secret" file to the JSON Web Tokens Burp plugin:

No comments:

Post a Comment