Is it possible to bypass two factor authentication?
#1
Has anyone here ever bypassed two factor authentication? I'm wondering because I'm hoping it's a realistic goal.

How would you bypass two factor authentication?

Let's say the user uses Authy on their smartphone.

The reason I ask is because I have Authy on my smartphone and I'm wondering how someone would go about cracking my accounts.
#2
You can phish your way past 2-factor authorization.

1. Set up a phishing page for the victim. It looks like Google with 2fa, but it's fake.
2. The victim gets the real 2fa code from SMS/Authy (we log in to the real page as the victim in real time) and enters it into the phishing page.
3. We get the 2fa code and enter it into the real page. Log in.

Victim <-> Fake 2fa <-> Real 2fa.

Taken out of the Iranian APT hackers' handbook, from their Charming Kitten campaign: https://threatpost.com/charming-kitten-i...fa/139979/

Not feasible at large scale, but could be good for more targeted attacks.
#3
(04-11-2019, 08:57 AM)Insider Wrote: You can phish your way past 2-factor authorization.

1. Set up a phishing page for the victim. It looks like Google with 2fa, but it's fake.
2. The victim gets the real 2fa code from SMS/Authy (we log in to the real page as the victim in real time) and enters it into the phishing page.
3. We get the 2fa code and enter it into the real page. Log in.

Victim <-> Fake 2fa <-> Real 2fa.

Taken out of the Iranian APT hackers' handbook, from their Charming Kitten campaign: https://threatpost.com/charming-kitten-i...fa/139979/

Not feasible at large scale, but could be good for more targeted attacks.

But doesn't 2fa mean that the code restarts every 30 seconds, typically? Like, don't most apps like Authy require you to log in to 2fa using a 6-digit PIN that changes every 30 seconds?
#4
(04-17-2019, 12:07 AM)QMark Wrote:
(04-11-2019, 08:57 AM)Insider Wrote: You can phish your way past 2-factor authorization.

1. Set up a phishing page for the victim. It looks like Google with 2fa, but it's fake.
2. The victim gets the real 2fa code from SMS/Authy (we log in to the real page as the victim in real time) and enters it into the phishing page.
3. We get the 2fa code and enter it into the real page. Log in.

Victim <-> Fake 2fa <-> Real 2fa.

Taken out of the Iranian APT hackers' handbook, from their Charming Kitten campaign: https://threatpost.com/charming-kitten-i...fa/139979/

Not feasible at large scale, but could be good for more targeted attacks.

But doesn't 2fa mean that the code restarts every 30 seconds, typically? Like, don't most apps like Authy require you to log in to 2fa using a 6-digit PIN that changes every 30 seconds?

Not always, but if that's the case you have to do it in real time.
#5
(04-17-2019, 12:07 AM)QMark Wrote:
(04-11-2019, 08:57 AM)Insider Wrote: You can phish your way past 2-factor authorization.

1. Set up a phishing page for the victim. It looks like Google with 2fa, but it's fake.
2. The victim gets the real 2fa code from SMS/Authy (we log in to the real page as the victim in real time) and enters it into the phishing page.
3. We get the 2fa code and enter it into the real page. Log in.

Victim <-> Fake 2fa <-> Real 2fa.

Taken out of the Iranian APT hackers' handbook, from their Charming Kitten campaign: https://threatpost.com/charming-kitten-i...fa/139979/

Not feasible at large scale, but could be good for more targeted attacks.

But doesn't 2fa mean that the code restarts every 30 seconds, typically? Like, don't most apps like Authy require you to log in to 2fa using a 6-digit PIN that changes every 30 seconds?

Better make it fast then :) That's why I said it's only feasible for targeted attacks. If you have resources and time, you can do it in real time.
#6
(04-18-2019, 09:09 PM)Insider Wrote:
(04-17-2019, 12:07 AM)QMark Wrote:
(04-11-2019, 08:57 AM)Insider Wrote: You can phish your way past 2-factor authorization.

1. Set up a phishing page for the victim. It looks like Google with 2fa, but it's fake.
2. The victim gets the real 2fa code from SMS/Authy (we log in to the real page as the victim in real time) and enters it into the phishing page.
3. We get the 2fa code and enter it into the real page. Log in.

Victim <-> Fake 2fa <-> Real 2fa.

Taken out of the Iranian APT hackers' handbook, from their Charming Kitten campaign: https://threatpost.com/charming-kitten-i...fa/139979/

Not feasible at large scale, but could be good for more targeted attacks.

But doesn't 2fa mean that the code restarts every 30 seconds, typically? Like, don't most apps like Authy require you to log in to 2fa using a 6-digit PIN that changes every 30 seconds?

Better make it fast then :) That's why I said it's only feasible for targeted attacks. If you have resources and time, you can do it in real time.

OK, this makes sense. Sounds highly advanced.
#7
This is a very complex question. There are any number of ways that someone might be able to bypass 2fa.

Insider's approach was to assume you couldn't bypass the 2fa authentication, which is not necessarily the case. Maybe the developer fucked up the form. Maybe it's susceptible to SQLi. Maybe you could tell the database that you have authenticated even though you haven't. Maybe the database is being run open to the internet, with weak credentials. 2fa only works when the system it's implemented on is also secure, and that's often not the case. So instead of attacking the login, attack the system.

Essentially your premise is flawed. The second authentication factor (i.e. Authy/SMS/whatever) is generally out of your control. You can't hack what you don't have, so you exploit the things that are in your control.
#8
(04-21-2019, 12:26 AM)MuddyBucket Wrote: This is a very complex question. There are any number of ways that someone might be able to bypass 2fa.

Insider's approach was to assume you couldn't bypass the 2fa authentication, which is not necessarily the case. Maybe the developer fucked up the form. Maybe it's susceptible to SQLi. Maybe you could tell the database that you have authenticated even though you haven't. Maybe the database is being run open to the internet, with weak credentials. 2fa only works when the system it's implemented on is also secure, and that's often not the case. So instead of attacking the login, attack the system.

Essentially your premise is flawed. The second authentication factor (i.e. Authy/SMS/whatever) is generally out of your control. You can't hack what you don't have, so you exploit the things that are in your control.

So how would this apply to hacking a Facebook page? And couldn't the attacker just get Authy and then get the victim's code generated on their own device? Also, could you give an example of attacking the system and not the login?
#9
(04-21-2019, 01:24 AM)QMark Wrote: So how would this apply to hacking a Facebook page? And couldn't the attacker just get Authy and then get the victim's code generated on their own device? Also, could you give an example of attacking the system and not the login?

Well, Facebook is hella secure, but it's not 100% secure. Nothing is. Check out https://www.facebook.com/whitehat/thanks/ - all these people have found some level of vulnerability in the Facebook platform. Not all are necessarily critical leaks, but some may be. If you're asking me for a way to hack Facebook, I don't have one. I don't know anything about the security or design of their platform. But maybe the login form breaks if you enter the character % three times in a row. Suddenly you can inject code into the script, or you can pull data from the database. Then you're attacking the system, not the 2fa.

That said, you can't just download Authy and have access to everyone's account. I'm not an expert on Authy specifically, but there will likely be some sort of shared secret between your account and the app as well. So maybe it will use your device serial number to salt the time-based one-time passcode or something.
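The relay in post #2 and the 30-second and shared-secret questions in posts #3 and #9 both come down to how the codes are produced. Authenticator apps that show a 6-digit code every 30 seconds implement RFC 6238 TOTP: the code is an HMAC-SHA1 over a secret shared at enrollment (normally delivered to the app as an otpauth:// QR code) and the current 30-second counter, so anyone holding the secret and a clock produces the same code, and a code only stays valid for the step it was made in. The Python below is an added example, not code from the thread or from Authy. It generates and verifies TOTP, pulls the secret out of an enrollment URI, and simulates the real-time relay against a toy service. The `Service` class, its one-step tolerance window, the replay check and the attacker's delay values are assumptions for illustration; the secret and the timestamps are the RFC 4226 / RFC 6238 test vectors, and the otpauth URI is constructed.

```python
# Added example (not from the thread, not Authy's code): RFC 6238 TOTP plus a
# toy simulation of the real-time phishing relay described in post #2.
import base64
import hashlib
import hmac
import struct
import urllib.parse

STEP = 30    # seconds per code: the "changes every 30 seconds" from the thread
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = unix_time // step. The app needs
    only the shared secret and a clock; the standard has no per-device salt."""
    return hotp(secret, at // step)


def secret_from_otpauth(uri: str) -> bytes:
    """Extract the shared secret from the otpauth:// URI carried by the
    enrollment QR code (Key Uri Format: base32, padding usually omitted)."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(uri).query)
    b32 = params["secret"][0].upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


class Service:
    """Toy 'real site' (an assumption for illustration): accepts the code for
    the current step and `skew` steps either side, and never accepts the same
    step twice, as RFC 6238 recommends against replay."""

    def __init__(self, secret: bytes, skew: int = 1):
        self._secret = secret
        self._skew = skew
        self._consumed = set()

    def login(self, code: str, now: int) -> bool:
        counter = now // STEP
        for d in range(-self._skew, self._skew + 1):
            if hmac.compare_digest(hotp(self._secret, counter + d), code):
                if counter + d in self._consumed:
                    return False          # replay of an already-used step
                self._consumed.add(counter + d)
                return True
        return False


def relay_attack(secret: bytes, delay: int, now: int = 1111111109) -> bool:
    """Post #2's flow: the victim types the genuine code into the fake page and
    the attacker forwards it to the real site `delay` seconds later. The victim
    never reaches the real site, so the one-time check never fires; only the
    clock works against the attacker."""
    service = Service(secret)
    victim_code = totp(secret, now)       # what the victim's app shows right now
    return service.login(victim_code, now + delay)


if __name__ == "__main__":
    # Constructed enrollment URI; the secret is the RFC test key "12345678901234567890".
    uri = ("otpauth://totp/Example:alice@example.com"
           "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
    key = secret_from_otpauth(uri)
    print("code at T=59:   ", totp(key, 59))          # 287082 (RFC 6238 vector)
    print("relay at once:  ", relay_attack(key, 0))   # True
    print("relay 20s later:", relay_attack(key, 20))  # True: next step, inside skew
    print("relay 90s later:", relay_attack(key, 90))  # False: three steps on
```

The attacker's window is the step length plus whatever skew the site tolerates, which is why the thread's "do it in real time" is the whole game: the relay has to forward the code within about a minute of the victim typing it, and once the step is consumed it cannot be reused.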
#10
(04-21-2019, 02:09 AM)MuddyBucket Wrote:
(04-21-2019, 01:24 AM)QMark Wrote: So how would this apply to hacking a Facebook page? And couldn't the attacker just get Authy and then get the victim's code generated on their own device? Also, could you give an example of attacking the system and not the login?

Well, Facebook is hella secure, but it's not 100% secure. Nothing is. Check out https://www.facebook.com/whitehat/thanks/ - all these people have found some level of vulnerability in the Facebook platform. Not all are necessarily critical leaks, but some may be. If you're asking me for a way to hack Facebook, I don't have one. I don't know anything about the security or design of their platform. But maybe the login form breaks if you enter the character % three times in a row. Suddenly you can inject code into the script, or you can pull data from the database. Then you're attacking the system, not the 2fa.

That said, you can't just download Authy and have access to everyone's account. I'm not an expert on Authy specifically, but there will likely be some sort of shared secret between your account and the app as well. So maybe it will use your device serial number to salt the time-based one-time passcode or something.

So what happens if the person switches from iPhone to Android? Will they be able to access their Authy on a new phone?