How to Hack MFA (Multi-Factor Authentication)

The Cyber Mentor · Beginner ·🔐 Cybersecurity ·3y ago

Key Takeaways

The video covers attacking Multi-Factor Authentication (MFA) in web apps, including a lab demonstration of bypassing and brute-forcing MFA using tools like Burp Suite and Python.

Full Transcript

today we're going to be looking at attacking a multi-factor authentication MFA in web apps I'm going to cover a little bit of theory and then as usual we'll dive into some Labs as always if you like the video don't forget to like And subscribe let's dive in so what is multi-factor authentication anyway well in a nutshell we have to use more than one factor of authentication to prove our identity it's also commonly known as two-factor authentication or 2fa the difference being that 2fa only implies two factors and is essentially a type of MFA multi-factor authentication they're used interchangeably a lot so if you prefer one over the other then no worries but I prefer to say MFA so what are these factors well many people know the old phrase something you know something you have something you are now I think this is an oversimplification of authentication factors and people can often get confused but it does give us a useful starting point for thinking about what we need our authentication to look like so what does a flow for a web apps look like anyway well this can vary wildly but using time-based one-time passwords totp is a pretty popular method and involves the creation of a one-time password or use when you're authenticating for this we have two main Journeys first we have the enrollment so a user provides their credentials their username and password and if they're valid a shared key is created this is stored in an app like authenticator and then the MFA on the account is enabled fairly straightforward if we don't dive into the crypto Etc next we have the login so a user provides their credentials again username and password if they're valid the user is forwarded to a totp login form the user enters the code provided by their app which is then verified by the server and if all is well the user is authenticated there are of course other ways to achieve this but let's move on to how we can actually attack MFA all right for our first track I'm going to make MFA disappear so we just come to my account and we have some credentials so I think it's Fina and then pizza and then we get this usual please enter your four digit security code so let's come to the email clients and we'll just open this up and we get our security 1972 so I'll just grab this come back pop this in and hit login and it looks like we come and end up at our my accounts page which is you know expected Behavior so two things that I notice about this login process one that's a very short MFA code so no only four digits probably quite easily brute forcible and second we're just gonna try and bypass it completely so let's log out the user account that we have is Carlos so we just come back and then we'll log in as colors so in this case we've stolen their credentials and then again we get this four digit security code but really all we're going to do is just come to my account hit enter and we're logged in as color so making sure that your multi-factor authentication is applied to every resource or every place that it needs to be applied to is really really important and you'll be surprised how often these kinds of bypasses actually work to an endpoint or a resource or or a page that should be protected so that is our best lab out of the way alright so here we are at the lab and this time I've switched my proxy on so we have traffic routing through burp Suites and again we're just gonna log in as in a pizza and have a look at the flow just to get a feel for the application so I'm going to come into the email clients grab the code zero seven eight nine and then log in and we successfully log in so let's take a quick look to at the traffic and see what we can find and we can see the post login here we can see our credentials going in sophina and Peter and then we can also see a get login to so something interesting here is we have the verify with the username and then we have the post to log in to as well and the first thing that I would test in this case is will this valid MFA code work with other users for example so can we just change the verify to Carlos and our valid code will this work for another user so let's give this a quick try let's log ourselves out come to my accounts and what I'm going to do is I'm going to switch on intercept Athena Pizza and then we're going to forward this because we want to verify these credentials against this user first otherwise it's probably just going to say hey invalid username password and then we get the login to so we want to change this to colors now we can switch intercept off for the time being come back to our email server refresh and yeah interestingly enough we don't get a code here because we changed the username to Carlos so what we're going to do is come back try and generate a code so Dina then we're not going to use it in this case and then we're going to grab it so if I just refresh 1962 paste it in here and then before we hit send let's come back to intercept and then change this back again to Carla since that's the user that we're targeting and we're going to see if Venus code works with Carlos fortunately we get incorrect security code so this unfortunately doesn't work but what we can also try is brute forcing this code because it's only a four digit security number so if there's no Brute Force protection then this should be fairly trivial so I'm gonna come to map Suites and then all we're going to do is come to http history and we'll grab this post request and press Ctrl I to send it to intruder and then clear all of the selections change this to Carlos and then add the highlights here now we actually need a payload and I suppose the easiest payload would be to just use for Iron Range on Python and then 1 to 10 000 but that wouldn't give us things like zero zero one zero for example so another way we could do this is with a nested Loop or we can just use the string format function so I'm just going to Bim and then call this num.pi and then inserts and then button in range one to ten thousand we want to print dot formats and then we pass in them like this and then if we just do Python 3 num dot Pi you can see that we get the outputs but more importantly if we scroll up you can see that we get zero zero zero one zero zero zero two for example so we can just do the same thing and then I'll put this to num.txt like this and then obviously if we catch num dot txt we have our payload list so we'll come back to Intruder and then we can load in our word list and we'll grab our num.txt and let's just hit start attack and here I'm going to pause this now because I can see a 302 in the list sorry if the text is a little bit small I'm just going to click on this take a look at the response we get a 302 found instead of like a 200 okay and the 200 okay gives us the response of in incorrect security code so let's grab this we'll take the session you can see we have set cookie session so we'll just use this come back to here back to um update our session token and then browse to slash my accounts and we are logged in as Carlos and we also solved the lab as well so that's it for this video now this was a requested topic from a viewer so of course if there are other topics you want me to cover leave them in the comments below and I'll see you next time

Original Description

00:00 Intro 00:14 What is MFA? 01:00 TOTP flow 01:56 MFA bypass 03:33 MFA brute force 08:45 Outro Pentests & Security Consulting: https://tcm-sec.com Get Trained: https://academy.tcm-sec.com Get Certified: https://certifications.tcm-sec.com Merch: https://merch.tcm-sec.com Sponsorship Inquiries: info@thecybermentor.com 📱Social Media📱 ___________________________________________ Twitter: https://twitter.com/thecybermentor Twitch: https://www.twitch.tv/thecybermentor Instagram: https://instagram.com/thecybermentor LinkedIn: https://www.linkedin.com/in/heathadams TikTok: https://tiktok.com/@thecybermentor Discord: https://discord.gg/tcm 💸Donate💸 ___________________________________________ Like the channel? Please consider supporting me on Patreon: https://www.patreon.com/thecybermentor Support the stream (one-time): https://streamlabs.com/thecybermentor Hacker Books: Penetration Testing: A Hands-On Introduction to Hacking: https://amzn.to/31GN7iX The Hacker Playbook 3: https://amzn.to/34XkIY2 Hacking: The Art of Exploitation: https://amzn.to/2VchDyL The Web Application Hacker's Handbook: https://amzn.to/30Fj21S Real-World Bug Hunting: A Field Guide to Web Hacking: https://amzn.to/2V9srOe Social Engineering: The Science of Human Hacking: https://amzn.to/31HAmVx Linux Basics for Hackers: https://amzn.to/34WvcXP Python Crash Course, 2nd Edition: https://amzn.to/30gINu0 Violent Python: https://amzn.to/2QoGoJn Black Hat Python: https://amzn.to/2V9GpQk My Build: lg 32gk850g-b 32" Gaming Monitor:https://amzn.to/30C0qzV darkFlash Phantom Black ATX Mid-Tower Case: https://amzn.to/30d1UW1 EVGA 2080TI: https://amzn.to/30d2lj7 MSI Z390 MotherBoard: https://amzn.to/30eu5TL Intel 9700K: https://amzn.to/2M7hM2p G.SKILL 32GB DDR4 RAM: https://amzn.to/2M638Zb Razer Nommo Chroma Speakers: https://amzn.to/30bWjiK Razer BlackWidow Chroma Keyboard: https://amzn.to/2V7A0or CORSAIR Pro RBG Gaming Mouse: https://amzn.to/30hvg4P Sennheiser RS 175 RF Wireless Headphones: https://amzn.t
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from The Cyber Mentor · The Cyber Mentor · 0 of 60

← Previous Next →
1 Buffer Overflows Made Easy - Part 1: Introduction
Buffer Overflows Made Easy - Part 1: Introduction
The Cyber Mentor
2 Buffer Overflows Made Easy - Part 2: Spiking
Buffer Overflows Made Easy - Part 2: Spiking
The Cyber Mentor
3 Buffer Overflows Made Easy - Part 3: Fuzzing
Buffer Overflows Made Easy - Part 3: Fuzzing
The Cyber Mentor
4 Buffer Overflows Made Easy - Part 4: Finding the Offset
Buffer Overflows Made Easy - Part 4: Finding the Offset
The Cyber Mentor
5 Buffer Overflows Made Easy - Part 5: Overwriting the EIP
Buffer Overflows Made Easy - Part 5: Overwriting the EIP
The Cyber Mentor
6 Buffer Overflows Made Easy - Part 6: Finding Bad Characters
Buffer Overflows Made Easy - Part 6: Finding Bad Characters
The Cyber Mentor
7 Buffer Overflows Made Easy - Part 7: Finding the Right Module
Buffer Overflows Made Easy - Part 7: Finding the Right Module
The Cyber Mentor
8 Buffer Overflows Made Easy - Part 8: Generating Shellcode and Gaining Shells
Buffer Overflows Made Easy - Part 8: Generating Shellcode and Gaining Shells
The Cyber Mentor
9 HackTheBox - Sunday Walkthrough (Re-Up)
HackTheBox - Sunday Walkthrough (Re-Up)
The Cyber Mentor
10 Networking for Ethical Hackers - TCP, UDP, and the Three-Way Handshake (Re-Up)
Networking for Ethical Hackers - TCP, UDP, and the Three-Way Handshake (Re-Up)
The Cyber Mentor
11 Networking for Ethical Hackers - Network Subnetting (Re-Up)
Networking for Ethical Hackers - Network Subnetting (Re-Up)
The Cyber Mentor
12 Networking for Ethical Hackers - Network Subnetting Part 2: The Challenge (Re-Up)
Networking for Ethical Hackers - Network Subnetting Part 2: The Challenge (Re-Up)
The Cyber Mentor
13 Networking for Ethical Hackers - Building A Basic Network with Cisco Packet Tracer (Re-Up)
Networking for Ethical Hackers - Building A Basic Network with Cisco Packet Tracer (Re-Up)
The Cyber Mentor
14 HackTheBox - Fighter Walkthrough (Re-Up)
HackTheBox - Fighter Walkthrough (Re-Up)
The Cyber Mentor
15 Beginner Linux for Ethical Hackers - Navigating the File System
Beginner Linux for Ethical Hackers - Navigating the File System
The Cyber Mentor
16 Beginner Linux for Ethical Hackers - Users and Privileges
Beginner Linux for Ethical Hackers - Users and Privileges
The Cyber Mentor
17 Beginner Linux for Ethical Hackers - Common Network Commands
Beginner Linux for Ethical Hackers - Common Network Commands
The Cyber Mentor
18 Beginner Linux for Ethical Hackers - Viewing, Creating, and Editing Files
Beginner Linux for Ethical Hackers - Viewing, Creating, and Editing Files
The Cyber Mentor
19 Beginner Linux for Ethical Hackers - Controlling Kali Services
Beginner Linux for Ethical Hackers - Controlling Kali Services
The Cyber Mentor
20 Beginner Linux for Ethical Hackers - Scripting with Bash
Beginner Linux for Ethical Hackers - Scripting with Bash
The Cyber Mentor
21 Beginner Linux for Ethical Hackers - Installing and Updating Tools
Beginner Linux for Ethical Hackers - Installing and Updating Tools
The Cyber Mentor
22 Cracking Linux Password Hashes with Hashcat
Cracking Linux Password Hashes with Hashcat
The Cyber Mentor
23 Reminder: Twitch Hacking Live Stream Tonight! 2/26/19 at 8PM EST
Reminder: Twitch Hacking Live Stream Tonight! 2/26/19 at 8PM EST
The Cyber Mentor
24 Hacking Live Stream: Episode 1 - Kioptrix Level 1, HackTheBox Jerry, and Career Q&A / AMA
Hacking Live Stream: Episode 1 - Kioptrix Level 1, HackTheBox Jerry, and Career Q&A / AMA
The Cyber Mentor
25 Hacking Live Stream: Episode 2 - HackTheBox Active, Vulnserver Buffer Overflow, and Career Q&A / AMA
Hacking Live Stream: Episode 2 - HackTheBox Active, Vulnserver Buffer Overflow, and Career Q&A / AMA
The Cyber Mentor
26 Hacking Live Stream: Episode 3 - Hack The Box Blue, Devel, and Career Q&A / AMA
Hacking Live Stream: Episode 3 - Hack The Box Blue, Devel, and Career Q&A / AMA
The Cyber Mentor
27 New Zero to Hero Pentest Course, New Website, and 2K Subs?!
New Zero to Hero Pentest Course, New Website, and 2K Subs?!
The Cyber Mentor
28 Zero to Hero Pentesting: Episode 1 - Course Introduction, Notekeeping, Introductory Linux, and AMA
Zero to Hero Pentesting: Episode 1 - Course Introduction, Notekeeping, Introductory Linux, and AMA
The Cyber Mentor
29 Zero to Hero Pentesting: Episode 2 - Python 101
Zero to Hero Pentesting: Episode 2 - Python 101
The Cyber Mentor
30 Zero to Hero Pentesting: Episode 3 - Python 102, Building a Terrible Port Scanner, and a Giveaway
Zero to Hero Pentesting: Episode 3 - Python 102, Building a Terrible Port Scanner, and a Giveaway
The Cyber Mentor
31 Zero to Hero Pentesting: Episode 4 - Five Phases of Hacking + Passive OSINT
Zero to Hero Pentesting: Episode 4 - Five Phases of Hacking + Passive OSINT
The Cyber Mentor
32 Zero to Hero Pentesting: Episode 5 - Scanning Tools (Nmap, Nessus, BurpSuite, etc.) & Tactics
Zero to Hero Pentesting: Episode 5 - Scanning Tools (Nmap, Nessus, BurpSuite, etc.) & Tactics
The Cyber Mentor
33 Zero to Hero Pentesting: Episode 6 - Enumeration (Kioptrix & Hack The Box)
Zero to Hero Pentesting: Episode 6 - Enumeration (Kioptrix & Hack The Box)
The Cyber Mentor
34 Zero to Hero Pentesting: Episode 7 - Exploitation, Shells, and Some Credential Stuffing
Zero to Hero Pentesting: Episode 7 - Exploitation, Shells, and Some Credential Stuffing
The Cyber Mentor
35 Installing Windows Server 2016 on VMWare in 5 Minutes
Installing Windows Server 2016 on VMWare in 5 Minutes
The Cyber Mentor
36 Zero to Hero: Week 8 - Building an AD Lab, LLMNR Poisoning, and NTLMv2 Cracking with Hashcat
Zero to Hero: Week 8 - Building an AD Lab, LLMNR Poisoning, and NTLMv2 Cracking with Hashcat
The Cyber Mentor
37 A Day in the Life of an Ethical Hacker / Penetration Tester
A Day in the Life of an Ethical Hacker / Penetration Tester
The Cyber Mentor
38 Active Directory Exploitation - LLMNR/NBT-NS Poisoning
Active Directory Exploitation - LLMNR/NBT-NS Poisoning
The Cyber Mentor
39 Zero to Hero: Week 9 - NTLM Relay, Token Impersonation, Pass the Hash, PsExec, and more
Zero to Hero: Week 9 - NTLM Relay, Token Impersonation, Pass the Hash, PsExec, and more
The Cyber Mentor
40 Zero to Hero: Episode 10 - MS17-010/EternalBlue, GPP/cPasswords, and Kerberoasting
Zero to Hero: Episode 10 - MS17-010/EternalBlue, GPP/cPasswords, and Kerberoasting
The Cyber Mentor
41 Writing a Pentest Report
Writing a Pentest Report
The Cyber Mentor
42 Zero to Hero: Week 11 - File Transfers, Pivoting, and Reporting Writing
Zero to Hero: Week 11 - File Transfers, Pivoting, and Reporting Writing
The Cyber Mentor
43 The Complete Linux for Ethical Hackers Course for 2019
The Complete Linux for Ethical Hackers Course for 2019
The Cyber Mentor
44 Full Ethical Hacking Course - Beginner Network Penetration Testing (2019)
Full Ethical Hacking Course - Beginner Network Penetration Testing (2019)
The Cyber Mentor
45 Popping a Shell with SMB Relay and Empire
Popping a Shell with SMB Relay and Empire
The Cyber Mentor
46 Pentesting for n00bs: Episode 1 - Legacy (hackthebox)
Pentesting for n00bs: Episode 1 - Legacy (hackthebox)
The Cyber Mentor
47 Pentesting for n00bs: Episode 2 - Lame
Pentesting for n00bs: Episode 2 - Lame
The Cyber Mentor
48 Pentesting for n00bs: Episode 3 - Blue
Pentesting for n00bs: Episode 3 - Blue
The Cyber Mentor
49 Web App Testing: Episode 1 - Enumeration
Web App Testing: Episode 1 - Enumeration
The Cyber Mentor
50 Pentesting for n00bs: Episode 4 - Devel
Pentesting for n00bs: Episode 4 - Devel
The Cyber Mentor
51 Pentesting for n00bs: Episode 5 - Jerry
Pentesting for n00bs: Episode 5 - Jerry
The Cyber Mentor
52 Web App Testing: Episode 2 - Enumeration, XSS, and UI Bypassing
Web App Testing: Episode 2 - Enumeration, XSS, and UI Bypassing
The Cyber Mentor
53 Pentesting for n00bs: Episode 6 - Nibbles
Pentesting for n00bs: Episode 6 - Nibbles
The Cyber Mentor
54 Web App Testing: Episode 3 - XSS, SQL Injection, and Broken Access Control
Web App Testing: Episode 3 - XSS, SQL Injection, and Broken Access Control
The Cyber Mentor
55 How NOT to Approach a Cybersecurity Mentor
How NOT to Approach a Cybersecurity Mentor
The Cyber Mentor
56 Web App Testing: Episode 4 - XXE, Input Validation, Broken Access Control, and More XSS
Web App Testing: Episode 4 - XXE, Input Validation, Broken Access Control, and More XSS
The Cyber Mentor
57 Pentesting for n00bs: Episode 7 - Optimum (hackthebox)
Pentesting for n00bs: Episode 7 - Optimum (hackthebox)
The Cyber Mentor
58 Pentesting for n00bs: Episode 8 - Bashed (hackthebox)
Pentesting for n00bs: Episode 8 - Bashed (hackthebox)
The Cyber Mentor
59 Pentesting for n00bs: Episode 9 - Grandpa
Pentesting for n00bs: Episode 9 - Grandpa
The Cyber Mentor
60 Top 5 Internal Pentesting Methods
Top 5 Internal Pentesting Methods
The Cyber Mentor

This video teaches how to attack MFA in web apps, including bypassing and brute-forcing MFA codes, using tools like Burp Suite and Python. The lab demonstration shows how to exploit vulnerabilities in MFA implementations.

Key Takeaways
  1. Understand the basics of MFA and TOTP
  2. Set up a lab environment using Burp Suite and Python
  3. Bypass MFA using Burp Suite
  4. Brute-force MFA codes using Python
  5. Exploit vulnerabilities in MFA implementations
💡 MFA is not foolproof and can be bypassed or brute-forced if not implemented correctly.

Related Reads

📰
The Silent Killer in Your Node.js APIs: Mass Assignment & How to Catch It Before Production
Protect your Node.js APIs from mass assignment vulnerabilities by going beyond ESLint and SonarQube checks
Medium · AI
📰
The Silent Killer in Your Node.js APIs: Mass Assignment & How to Catch It Before Production
Learn to identify and prevent mass assignment vulnerabilities in Node.js APIs, a common weakness that can evade ESLint and SonarQube checks
Medium · Cybersecurity
📰
Australian Cyber Security Centre Issues Alert on Mass Exploitation of CMS Vulnerabilities
The Australian Cyber Security Centre warns of a large-scale campaign exploiting CMS vulnerabilities, urging organizations to patch systems immediately
Dev.to · NetSecOpsIO
📰
Malicious 'jscrambler' NPM Package Versions Deploy Cross-Platform Infostealer in Sophisticated Supply Chain Attack
Learn about a sophisticated supply chain attack on the jscrambler NPM package that deployed a cross-platform infostealer, and how to protect yourself
Dev.to · NetSecOpsIO

Chapters (6)

Intro
0:14 What is MFA?
1:00 TOTP flow
1:56 MFA bypass
3:33 MFA brute force
8:45 Outro
Up next
Want Better Job Opportunities? Vskills Government Certified Skills That Employers Value !!
Vskills Certification
Watch →