Description
c-jwt-cracker is a high-performance JWT secret key brute forcer written in C. It's significantly faster than the JavaScript version, making it suitable for cracking longer secrets. Supports HS256, HS384, and HS512 algorithms.
Installation
BASH
# Requires the OpenSSL development libraries; install them before building
# sudo apt install libssl-dev
git clone https://github.com/brendan-rius/c-jwt-cracker.git
cd c-jwt-cracker
make
Basic Usage
BASH
# Crack JWT secret
./jwtcrack "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
Advanced Usage
BASH
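# Arguments are positional: token, then alphabet, then max length
# Custom character set with max length 6
./jwtcrack "TOKEN" "abcdefghijklmnopqrstuvwxyz0123456789" 6
# Custom max length (the alphabet has to be given first)
./jwtcrack "TOKEN" "abcdefghijklmnopqrstuvwxyz0123456789" 8
# jwtcrack has no -d/wordlist option; it only enumerates strings over the alphabet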
Common Workflows
BASH
# Intercept JWT from target → crack secret → forge tokens
# 1. Intercept JWT from Burp/browser
# 2. Run cracker (choose c-jwt-cracker for speed)
./jwtcrack "TOKEN"
# 3. If secret found → forge admin token using jwt.io
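From the defender's side, the useful question is whether your own signing secret sits inside the space a brute forcer like this enumerates. The following is an added example, not code from c-jwt-cracker or from this page: the function names, finding labels and sample secrets are assumptions, and the default charset and max length are the ones used in the Advanced Usage commands above.

```python
import base64, hashlib, hmac, json

# JWS alg -> (hash, minimum key length in bytes per RFC 7518 section 3.2)
HS_ALGS = {"HS256": (hashlib.sha256, 32),
           "HS384": (hashlib.sha384, 48),
           "HS512": (hashlib.sha512, 64)}
PAGE_CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload, secret, alg="HS256"):
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode(), HS_ALGS[alg][0])
    return f"{header}.{body}.{b64url(mac.digest())}"

def verify(token, secret):
    """Recompute the HMAC over header.payload and compare in constant time."""
    header, body, sig = token.split(".")
    alg = json.loads(b64url_decode(header)).get("alg")
    if alg not in HS_ALGS:  # rejects "none" and asymmetric algorithms
        raise ValueError(f"unsupported alg: {alg!r}")
    mac = hmac.new(secret, f"{header}.{body}".encode(), HS_ALGS[alg][0])
    return hmac.compare_digest(mac.digest(), b64url_decode(sig))

def keyspace(charset_size, max_len):
    """Number of candidates of length 1..max_len over the charset."""
    return sum(charset_size ** n for n in range(1, max_len + 1))

def audit_secret(secret, alg="HS256", charset=PAGE_CHARSET, max_len=6):
    """Return findings for a secret you own; an empty list means none."""
    findings = []
    if len(secret) < HS_ALGS[alg][1]:
        findings.append("shorter-than-hash-output")
    if len(secret) <= max_len and all(chr(b) in charset for b in secret):
        findings.append("inside-brute-force-keyspace")
    return findings

WEAK = b"abc123"  # constructed sample secret
# Constructed 32-byte stand-in; real keys come from secrets.token_bytes(32)
STRONG = hashlib.sha256(b"constructed sample key").digest()

if __name__ == "__main__":
    print(keyspace(len(PAGE_CHARSET), 6), audit_secret(WEAK), audit_secret(STRONG))
```

A secret that returns any finding should be rotated to a random key at least as long as the hash output, and tokens signed with the old key invalidated.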