<!DOCTYPE html>
<html>
<head>
<title>Cracking JWT Keys</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="shortcut icon" type="image/png" href="/public/img/favicon.ico">
<link href="/public/css/authlab.css" rel="stylesheet" type="text/css" />
<meta property="og:title" content="Authentication Lab - DigiNinja" />
<meta property="og:description" content="A set of authentication challenges covering a range of different technologies." />
<meta property="og:image" content="https://digi.ninja/graphics/twittercards/authlab_twittercard.png" />
<meta property="og:type" content="website" />
<meta property="og:sitename" content="DigiNinja" />
<meta name="twitter:card" content="summary" />
<meta name="twitter:title" content="Authentication Lab - DigiNinja" />
<meta name="twitter:description" content="A set of authentication challenges covering a range of different technologies." />
<meta name="twitter:site" content="@digininja" />
<meta name="twitter:creator" content="@digininja" />
<meta name="twitter:domain" content="authlab.digi.ninja" />
<meta name="twitter:image" content="https://digi.ninja/graphics/twittercards/authlab_twittercard.png" />
</head>
<body>
<h1>Cracking JWT Keys</h1>
<p>
A JWT is made up of three parts:
</p>
<ul>
<li>The header gives information about how the JWT is constructed; as a minimum it specifies the method used to generate the signature.</li>
<li>The payload contains the claims: the authentication information the token carries, such as a user ID or privilege level.</li>
<li>The final segment is the signature, generated using the method specified in the header.</li>
</ul>
<p>
When the signature is generated using an HMAC, the function generating the signature requires a secret key. If you can get that key in some way, either by stealing it from the server, guessing it, or brute forcing it, then you are able to sign your own tokens, which, in most cases, means you can make whatever modifications you want to the payload and the claims it contains.
</p>
<p>
Unless you are really lucky and manage to get Local File Inclusion (LFI), or somehow get a shell on the web server, your only real option on most tests is to try to brute force the key. One way to do this is to use a tool such as <a href="https://www.openwall.com/john/">John the Ripper</a> or <a href="https://hashcat.net/hashcat/">Hashcat</a>, in the same way you would crack password hashes acquired during a network test.
</p>
<p>
This lab generates four levels of token, the first three with a progressively stronger key, the last one with a more obscure key. All of the keys can be cracked on a standard workstation; none require a dedicated password cracking rig, and the first three fall to commonly available word lists. For the last one, you may want to have a read about <a href="https://www.ironman.com/">Ironman racing</a> and have a think about some of my other tools.
</p>
<p>
If you get stuck, or want more information, see my <a href="https://digi.ninja/projects/authlab.php#landjwtcrack">walkthrough</a>.
</p>
<h2>Weak JWT Keys</h2>
<p>
The challenge is simple: ask the server for a token, crack the key, update the claims, re-sign the JWT, submit the new token and hope that the server accepts it.
</p>
<p>
The debugger on <a href="https://jwt.io/">JWT.IO</a> is a very useful tool for decoding and re-encoding tokens.
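</p>
<p>
As an added example, not part of the lab or its own code, the following Python shows the HS256 mechanics described above using only the standard library (base64url encoding, HMAC-SHA256 over the encoded header and payload, constant-time verification) together with the wordlist check a server operator can run against their own tokens; the key, wordlist and claims are constructed for illustration.
</p>

```python
# Added example, not from the Authentication Lab: HS256 sign/verify mechanics and a
# self-audit showing that a key taken from a wordlist offers no protection.
import base64
import hashlib
import hmac
import json
import secrets

def b64url(data: bytes) -> str:
    # JWS uses base64url with the '=' padding stripped (RFC 7515)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(payload: dict, key: bytes) -> str:
    # The HMAC covers the exact "<b64 header>.<b64 payload>" string; re-encoding alters it
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [json.dumps(x, separators=(",", ":")) for x in (header, payload)]
    signing_input = ".".join(b64url(p.encode()) for p in parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_hs256(token: str, key: bytes):
    # Returns the claims when the HMAC checks out under `key`, otherwise None
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # verifier fixes the alg
        return None
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))

def key_in_wordlist(token: str, wordlist):
    # Self-audit for a token your own server issued; John and Hashcat run this at scale
    for word in wordlist:
        if verify_hs256(token, word.encode()) is not None:
            return word
    return None

# Constructed sample: a lab-style weak key, a tiny wordlist, a 256-bit key (RFC 7518 3.2)
WEAK_KEY, STRONG_KEY = b"password123", secrets.token_bytes(32)
WORDLIST = ["secret", "letmein", "password123", "hunter2"]
CLAIMS = {"user": "alice", "level": "user"}
print(key_in_wordlist(sign_hs256(CLAIMS, WEAK_KEY), WORDLIST))    # password123
print(key_in_wordlist(sign_hs256(CLAIMS, STRONG_KEY), WORDLIST))  # None
```

<p>
Against a full wordlist this loop is what John the Ripper and Hashcat parallelise, so the only real defence for an HS256 key is length and randomness, not obscurity, as the fourth level of this lab demonstrates.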
</p>
<label for="difficulty">Difficulty</label>:
<select id="difficulty">
<option value="easy">Easy</option>
<option value="medium">Medium</option>
<option value="hard">Hard</option>
<option value="obscure">Obscure</option>
</select>
<p>
The token is: <textarea class="jwt_textarea" id="generatedToken"></textarea>
<input type="submit" value="Get New Token" id="get_token_button" />
</p>
<p>
Test this token: <textarea class="jwt_textarea" id="testToken"></textarea>
<input type="submit" value="Test" id="validate_token_button" />
</p>
<p id="header"></p>
<p id="user"></p>
<p id="level"></p>
<p id="error"></p>
<p>
<a href="/">Back to home</a>
</p>
<script src="/public/js/jwtcracking.js" type="text/javascript" charset="utf-8"></script>
<hr />
<p>
Lab created by Robin Wood - <a href="https://digi.ninja">DigiNinja</a>
</p>
</body>
</html>
