JWT-Brute: Cracking JWT Tokens with Python

Cybersecurity challenges are fun, but can be frustrating at times. Such was the case when I needed to solve an unspecified* challenge last night and spent about two hours spinning my wheels endlessly.

*Challenge is unspecified because it’s not in archive/retired mode yet, so technically write ups are not allowed. I do not believe anything I’m writing or sharing here should spoil the challenge for others.

The course of this challenge brought me to a few interesting tools, one of which was mazen/jwt-pwn/jwt-cracker.py. This is a great tool, but did not really operate how I needed. Instead of adapting the code to suit my needs, I started over from scratch by utilizing the great PyJWT library.

What I was left with was novakeith/JWT-Brute – a Python script that takes a JWT signed with HS256 and tries every key over a given keyspace. I tried to leave the code in a useful, usable state for the next lucky traveler – you can specify a custom keyspace (although it defaults to alphanumeric with some special characters); you can also set a minimum and maximum key length to fine tune guessing and resource usage.

Credit to this stackoverflow.com post for teaching me about itertools, which was important for generating all possible entries given certain parameters.
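To show the mechanics the script relies on (enumerating a keyspace with itertools.product over a range of lengths and testing each candidate as the HS256 secret), here is an added example that is not the JWT-Brute script itself and does not use PyJWT: it recomputes the HMAC-SHA256 over `header.payload` with the standard library and compares it to the token's signature, which avoids the per-attempt decoding overhead of calling a full JWT library. The sample token, its payload and the short secret "ab7" are constructed here for illustration, and the default keyspace is an assumption (the real script's default also includes special characters). It also checks the header's `alg` and refuses anything other than HS256, since RS256/ES256 tokens have no shared secret to guess and `alg=none` tokens have no signature at all.

```python
"""Added example (not the original JWT-Brute script): brute-force the HS256
secret of a JWT over a given keyspace using only the standard library."""
import base64
import hashlib
import hmac
import itertools
import json
from typing import Iterator, Optional

# Assumed default keyspace for this example; JWT-Brute's own default also
# includes some special characters.
DEFAULT_KEYSPACE = "abcdefghijklmnopqrstuvwxyz0123456789"


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Tokens drop the '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(payload: dict, secret: bytes) -> str:
    """Build an HS256 token so the example has realistic input (constructed here)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def candidates(keyspace: str, min_len: int, max_len: int) -> Iterator[str]:
    """Every string over `keyspace` with length min_len..max_len, shortest first."""
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(keyspace, repeat=length):
            yield "".join(combo)


def crack_hs256(token: str, keyspace: str = DEFAULT_KEYSPACE,
                min_len: int = 1, max_len: int = 4) -> Optional[str]:
    """Return the secret that verifies `token`, or None if the keyspace is exhausted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Only HS256 is attackable this way: RS256/ES256 have no shared secret to
    # guess, and alg=none carries no signature, so refuse them explicitly.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}; only HS256 is handled")
    # The HMAC is computed over the raw base64url header and payload, joined by '.'.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    target = b64url_decode(sig_b64)
    for secret in candidates(keyspace, min_len, max_len):
        guess = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(guess, target):
            return secret
    return None


if __name__ == "__main__":
    # Constructed sample: a token signed with the short secret "ab7".
    tok = mint_hs256({"sub": "1234", "admin": False}, b"ab7")
    print(crack_hs256(tok, max_len=3))
```

The search space grows as the sum of `len(keyspace) ** n` for each length n in the range, so the min/max length knobs are what keep a run bounded: with 36 characters and `max_len=3` that is 47,988 HMACs, but `max_len=6` is over two billion. A JWT-library-based loop (as in JWT-Brute with PyJWT) does the same comparison inside the library's verify step; recomputing the HMAC directly just skips re-parsing the JSON on every attempt.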