# JSON Web Tokens

## JWT Tool

JWT Tool is great for finding issues in JSON Web Tokens. It helps identify the following:

* JWT uses HS256 signing algorithm
* JWT contains sensitive data
* JWT does not expire
* JWT permits a NULL signature
* JWT verification can be switched from RS256 to HS256 (algorithm confusion)

```
python jwt_tool.py <JWT> -X a
```

* <https://github.com/ticarpi/jwt_tool/>

## Cracking with Hashcat

Use the following command to crack JWTs.

`hashcat.exe -m 16500 /JWT.txt rockyou.txt --backend-ignore-cuda`

JWT.txt should contain your JWT.

Various password wordlists can be used. rockyou.txt is one example.

* <https://hashcat.net/hashcat/>
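
Seen from the verifying side, the issues in the JWT Tool list and the wordlist cracking above map to a handful of checks. The following is an added example, not code from jwt_tool or hashcat: a standard-library HS256 verifier that pins the algorithm, rejects empty signatures, requires an unexpired `exp`, and refuses secrets shorter than 32 bytes. The function names and the sample key are assumptions made for the illustration.

```python
# Added example: function names and the sample key are hypothetical.
import base64, hashlib, hmac, json, time

def b64d(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Issue a token; `alg` is overridable only to build test inputs."""
    head = b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(mac)}"

def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Return the claims, or raise ValueError naming the check that failed."""
    if len(secret) < 32:  # RFC 7518 s3.2: HS256 key of at least 256 bits
        raise ValueError("secret shorter than 32 bytes")
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise ValueError("missing signature")
    try:
        header, sig = json.loads(b64d(parts[0])), b64d(parts[2])
    except ValueError as err:
        raise ValueError("malformed token") from err
    # Pin the algorithm: the token's own header never selects it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    mac = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, mac):
        raise ValueError("bad signature")
    claims = json.loads(b64d(parts[1]))
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("missing exp")
    if exp <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

if __name__ == "__main__":
    key = b"constructed-sample-key-32-bytes!!"  # constructed sample secret
    print(verify_hs256(sign_hs256({"sub": "alice", "exp": time.time() + 300}, key), key))
```

A service that issues RS256 tokens applies the same pinning with `RS256` as the only accepted value, so a token whose header says `HS256` is rejected before any key is used.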
