```

The following hash functions are supported for HMAC, i.e. to generate keyed-hashed message authentication codes: "sha256" for JSON HS256 (HMAC using SHA-256), "sha384" for HS384 and "sha512" for HS512, respectively. You can specify the name of any other hash function exactly as it is named in the OpenSSL. If OpenSSL allows this hash function to be used for HMAC, then jwtcrack will try to decode the secret. However, since jwtcrack is only a decoder, there is no guarantee that this algorithm was actually used for encoding, let alone among the list of algorithms allowed for the "JSON Web Algorithms" RFC. See section 3.1. of the RFC 7518 for more details.

In the following example, we use a sha256 hash function that corresponds to JSON HS256 (HMAC-SHA256), see the "sha256" as a last command line parameter. Also, in this example we specify maximum secret length of 5 characters, and limit the alphabet to the following characters: ABCSNFabcsnf1234

In the above example, the key is `Sn1f`, and it takes less than a second on an average notebook manufactured around 2019 (e.g. with an Intel CPU based on Ice Lake microarchitecture). GCC version 9.3.0 with "-O3" was used to compile the jwtcrack program. It was linked with the OpenSSL library version 1.1.1f under Linux Ubuntu 20.04.1 LTS.

Here, in the next example, we use "sha512" as a last command line parameter to specify HS512 (HMAC-SHA512), we also specify maximum secret length of 9 characters, and limit the alphabet to the following seven lowercase latin characters: "adimnps".

In the above example, the key is `Sn1f`. It takes approximately 2 seconds to crack on my Macbook.

In the above example, the key is `adminpass`, and it takes about 15 seconds on average to decode on a notebook with Intel Core i7 1065G7 CPU on Ice Lake microarchitecture (2019), base frequency 1.30 GHz, max turbo 3.90 GHz). The combined number of CPU seconds consumed from each of the cores in the user mode due to multithreading is about 100 on average to decode that secret.

Example of using "sha384":

#include <stdlib.h>

#include <stdio.h>

#include <string.h>

char *g_found_secret = NULL;

struct s_thread_data {

EVP_MD *g_evp_md; // The hash function to apply the HMAC to

constEVP_MD *g_evp_md; // The hash function to apply the HMAC to

// Holds the computed signature at each iteration to compare it with the original

// signature

size_t max_len; // And tries combinations up to a certain length

};

void init_thread_data(struct s_thread_data *data, char starting_letter, size_t max_len) {

void init_thread_data(struct s_thread_data *data, char starting_letter, size_t max_len, constEVP_MD*evp_md) {

data->max_len = max_len;

data->starting_letter = starting_letter;

data->g_evp_md = (EVP_MD*) EVP_sha256();

data->g_evp_md = evp_md;

// Allocate the buffer used to hold the calculated signature

data->g_result = malloc(EVP_MAX_MD_SIZE);

data->g_result = malloc(EVP_MAX_MD_SIZE);

// Allocate the buffer used to hold the generated key

data->g_buffer = malloc(max_len + 1);

data->g_buffer = malloc(max_len + 1);

}

void destroy_thread_data(struct s_thread_data *data) {

pthread_exit(NULL);

}

// Hash to_encryptusing HMAC into result

// Hash the "to_encrypt" buffer using HMAC into the "result" buffer

HMAC(

data->g_evp_md,

(const unsigned char *) secret, secret_len,

return NULL;

}

void usage(const char *cmd) {

printf("%s <token> [alphabet] [max_len]\n"

"Defaults: max_len=6, "

"alphabet=eariotnslcudpmhgbfywkvxzjqEARIOTNSLCUDPMHGBFYWKVXZJQ0123456789", cmd);

void usage(const char *cmd, const char *alphabet, const size_t max_len, const char *hmac_alg) {

printf("%s <token> [alphabet] [max_len] [hmac_alg]\n"

"Defaults: "

"alphabet=%s, "

"max_len=%zd, "

"hmac_alg=%s\n", cmd, alphabet, max_len, hmac_alg);

}

int main(int argc, char **argv) {

const EVP_MD *evp_md;

size_t max_len = 6;

// by default, use OpenSSL EVP_sha256 which corresponds to JSON HS256 (HMAC-SHA256)

const char *default_hmac_alg = "sha256";

g_alphabet = "eariotnslcudpmhgbfywkvxzjqEARIOTNSLCUDPMHGBFYWKVXZJQ0123456789";

if (argc < 2) {

usage(argv[0]);

usage(argv[0], g_alphabet, max_len, default_hmac_alg);

return 1;

}

if (argc > 2)

g_alphabet = argv[2];

if (argc > 3)

max_len = (size_t) atoi(argv[3]);

{

int i3 = atoi(argv[3]);

if (i3 > 0)

{

max_len = i3;

} else

{

printf("Invalid max_len value %s (%d), defaults to %zd\n", argv[3], i3, max_len);

}

}

if (argc > 4)

{

evp_md = EVP_get_digestbyname(argv[4]);

if (evp_md == NULL)

printf("Unknown message digest %s, will use default %s\n", argv[4], default_hmac_alg);

} else

{

evp_md = NULL;

}

if (evp_md == NULL)

{

evp_md = EVP_get_digestbyname(default_hmac_alg);

if (evp_md == NULL)

{

printf("Cannot initialize the default message digest %s, aborting\n", default_hmac_alg);

return 1;

}

}

g_alphabet_len = strlen(g_alphabet);

for (size_t i = 0; i < g_alphabet_len; i++) {

pointers_data[i] = malloc(sizeof(struct s_thread_data));

init_thread_data(pointers_data[i], g_alphabet[i], max_len);

init_thread_data(pointers_data[i], g_alphabet[i], max_len, evp_md);

pthread_create(&tid[i], NULL, (void *(*)(void *)) brute_sequential, pointers_data[i]);

}