> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/authentication-bypass/jwt/trick-0450.md).

# JWT HS256 Secret Cracking

***

JWT tokens signed with HS256 use a shared secret key. If this key is weak or guessable, you can often crack it offline using a wordlist attack. The secret is needed to verify or forge tokens.

Use `hashcat` with mode `16500`, which is specifically for JSON Web Token (JWT) using HMAC-SHA256 (HS256). The attack type `-a 0` specifies a straight attack, typically used with wordlists. The input file should contain the full Base64-encoded JWT token.

```bash
hashcat -m 16500 -a 0 jwt-token.txt /usr/share/wordlists/rockyou.txt
```

Replace `jwt-token.txt` with the file containing the target JWT and `/usr/share/wordlists/rockyou.txt` with your chosen wordlist.
