Is it possible to bypass two factor authentication?
#3
(04-11-2019, 08:57 AM)Insider Wrote: You can phish your way past 2-factor authorization.

1. Set up phishing page for victim. Looks like Google with 2fa. But it's fake.
2. Victim gets real (we login to real page as victim in real time) 2fa code from SMS/Authy, enters it into phishing page.
3. We get the 2fa code, enter it into the real page. Log in.

Victim <-> Fake 2fa <-> Real 2fa.

Taken out of the Iranian APT hackers' handbook. From their Charming Kitten campaign. https://threatpost.com/charming-kitten-i...fa/139979/

Not feasible for a large scale, but could be good for more targeted attacks.

But doesn't 2fa mean that the code is restarting every 30 seconds typically? Like don't most apps like authy require you to log into 2fa using a 6 digit pin that changes every 30 seconds?
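The question in the post above comes down to how long a time-based code stays valid and what the server can check about it. As an added example (not written by anyone in this thread), this Python sketch implements RFC 6238 verification to show that a code is accepted for its whole 30-second step plus a clock-drift window, and goes one step further by contrasting it with an origin-bound response. The `drift_steps` default, the origin-bound helpers (an HMAC stand-in for WebAuthn-style binding) and the example.com/example.net origins are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, now: int, drift_steps: int = 1) -> bool:
    """Accept the current step and +/- drift_steps to tolerate clock skew.
    The inputs carry nothing about which site the code was typed into."""
    return any(
        hmac.compare_digest(totp(secret, now + d * STEP), code)
        for d in range(-drift_steps, drift_steps + 1)
    )

def origin_bound_response(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for a WebAuthn assertion (real ones use public-key signatures):
    the response covers the origin the browser was actually on."""
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()

def verify_origin_bound(key: bytes, challenge: bytes, response: bytes,
                        expected_origin: str) -> bool:
    expected = origin_bound_response(key, challenge, expected_origin)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 6238 test secret
    code = totp(secret, 59)               # user reads the code at t=59
    print("same step, t=59:", verify_totp(secret, code, 59))
    print("next step, t=65:", verify_totp(secret, code, 65))
    print("much later:", verify_totp(secret, code, 1111111109, drift_steps=0))
    key, chal = b"constructed-device-key", b"constructed-challenge"
    real, lookalike = "https://accounts.example.com", "https://accounts.example.net"
    resp = origin_bound_response(key, chal, lookalike)  # produced on wrong origin
    print("origin-bound, wrong origin:", verify_origin_bound(key, chal, resp, real))
```

The code rotates every 30 seconds, but the verifier only checks the value against the clock, so rotation limits how long a code is usable rather than where it was entered; binding the response to the origin is what makes the server-side check fail for a lookalike page.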


Messages In This Thread
RE: Is it possible to bypass two factor authentication? - by QMark - 04-17-2019, 12:07 AM
