How to Hack MFA (Multi-Factor Authentication)
Key Takeaways
The video covers attacking Multi-Factor Authentication (MFA) in web apps, including a lab demonstration of bypassing and brute-forcing MFA using tools like Burp Suite and Python.
Full Transcript
today we're going to be looking at attacking a multi-factor authentication MFA in web apps I'm going to cover a little bit of theory and then as usual we'll dive into some Labs as always if you like the video don't forget to like And subscribe let's dive in so what is multi-factor authentication anyway well in a nutshell we have to use more than one factor of authentication to prove our identity it's also commonly known as two-factor authentication or 2fa the difference being that 2fa only implies two factors and is essentially a type of MFA multi-factor authentication they're used interchangeably a lot so if you prefer one over the other then no worries but I prefer to say MFA so what are these factors well many people know the old phrase something you know something you have something you are now I think this is an oversimplification of authentication factors and people can often get confused but it does give us a useful starting point for thinking about what we need our authentication to look like so what does a flow for a web apps look like anyway well this can vary wildly but using time-based one-time passwords totp is a pretty popular method and involves the creation of a one-time password or use when you're authenticating for this we have two main Journeys first we have the enrollment so a user provides their credentials their username and password and if they're valid a shared key is created this is stored in an app like authenticator and then the MFA on the account is enabled fairly straightforward if we don't dive into the crypto Etc next we have the login so a user provides their credentials again username and password if they're valid the user is forwarded to a totp login form the user enters the code provided by their app which is then verified by the server and if all is well the user is authenticated there are of course other ways to achieve this but let's move on to how we can actually attack MFA all right for our first track I'm going to make MFA disappear so we just come to my account and we have some credentials so I think it's Fina and then pizza and then we get this usual please enter your four digit security code so let's come to the email clients and we'll just open this up and we get our security 1972 so I'll just grab this come back pop this in and hit login and it looks like we come and end up at our my accounts page which is you know expected Behavior so two things that I notice about this login process one that's a very short MFA code so no only four digits probably quite easily brute forcible and second we're just gonna try and bypass it completely so let's log out the user account that we have is Carlos so we just come back and then we'll log in as colors so in this case we've stolen their credentials and then again we get this four digit security code but really all we're going to do is just come to my account hit enter and we're logged in as color so making sure that your multi-factor authentication is applied to every resource or every place that it needs to be applied to is really really important and you'll be surprised how often these kinds of bypasses actually work to an endpoint or a resource or or a page that should be protected so that is our best lab out of the way alright so here we are at the lab and this time I've switched my proxy on so we have traffic routing through burp Suites and again we're just gonna log in as in a pizza and have a look at the flow just to get a feel for the application so I'm going to come into the email clients grab the code zero seven eight nine and then log in and we successfully log in so let's take a quick look to at the traffic and see what we can find and we can see the post login here we can see our credentials going in sophina and Peter and then we can also see a get login to so something interesting here is we have the verify with the username and then we have the post to log in to as well and the first thing that I would test in this case is will this valid MFA code work with other users for example so can we just change the verify to Carlos and our valid code will this work for another user so let's give this a quick try let's log ourselves out come to my accounts and what I'm going to do is I'm going to switch on intercept Athena Pizza and then we're going to forward this because we want to verify these credentials against this user first otherwise it's probably just going to say hey invalid username password and then we get the login to so we want to change this to colors now we can switch intercept off for the time being come back to our email server refresh and yeah interestingly enough we don't get a code here because we changed the username to Carlos so what we're going to do is come back try and generate a code so Dina then we're not going to use it in this case and then we're going to grab it so if I just refresh 1962 paste it in here and then before we hit send let's come back to intercept and then change this back again to Carla since that's the user that we're targeting and we're going to see if Venus code works with Carlos fortunately we get incorrect security code so this unfortunately doesn't work but what we can also try is brute forcing this code because it's only a four digit security number so if there's no Brute Force protection then this should be fairly trivial so I'm gonna come to map Suites and then all we're going to do is come to http history and we'll grab this post request and press Ctrl I to send it to intruder and then clear all of the selections change this to Carlos and then add the highlights here now we actually need a payload and I suppose the easiest payload would be to just use for Iron Range on Python and then 1 to 10 000 but that wouldn't give us things like zero zero one zero for example so another way we could do this is with a nested Loop or we can just use the string format function so I'm just going to Bim and then call this num.pi and then inserts and then button in range one to ten thousand we want to print dot formats and then we pass in them like this and then if we just do Python 3 num dot Pi you can see that we get the outputs but more importantly if we scroll up you can see that we get zero zero zero one zero zero zero two for example so we can just do the same thing and then I'll put this to num.txt like this and then obviously if we catch num dot txt we have our payload list so we'll come back to Intruder and then we can load in our word list and we'll grab our num.txt and let's just hit start attack and here I'm going to pause this now because I can see a 302 in the list sorry if the text is a little bit small I'm just going to click on this take a look at the response we get a 302 found instead of like a 200 okay and the 200 okay gives us the response of in incorrect security code so let's grab this we'll take the session you can see we have set cookie session so we'll just use this come back to here back to um update our session token and then browse to slash my accounts and we are logged in as Carlos and we also solved the lab as well so that's it for this video now this was a requested topic from a viewer so of course if there are other topics you want me to cover leave them in the comments below and I'll see you next time
Original Description
00:00 Intro
00:14 What is MFA?
01:00 TOTP flow
01:56 MFA bypass
03:33 MFA brute force
08:45 Outro
Pentests & Security Consulting: https://tcm-sec.com
Get Trained: https://academy.tcm-sec.com
Get Certified: https://certifications.tcm-sec.com
Merch: https://merch.tcm-sec.com
Sponsorship Inquiries: info@thecybermentor.com
📱Social Media📱
___________________________________________
Twitter: https://twitter.com/thecybermentor
Twitch: https://www.twitch.tv/thecybermentor
Instagram: https://instagram.com/thecybermentor
LinkedIn: https://www.linkedin.com/in/heathadams
TikTok: https://tiktok.com/@thecybermentor
Discord: https://discord.gg/tcm
💸Donate💸
___________________________________________
Like the channel? Please consider supporting me on Patreon:
https://www.patreon.com/thecybermentor
Support the stream (one-time): https://streamlabs.com/thecybermentor
Hacker Books:
Penetration Testing: A Hands-On Introduction to Hacking: https://amzn.to/31GN7iX
The Hacker Playbook 3: https://amzn.to/34XkIY2
Hacking: The Art of Exploitation: https://amzn.to/2VchDyL
The Web Application Hacker's Handbook: https://amzn.to/30Fj21S
Real-World Bug Hunting: A Field Guide to Web Hacking: https://amzn.to/2V9srOe
Social Engineering: The Science of Human Hacking: https://amzn.to/31HAmVx
Linux Basics for Hackers: https://amzn.to/34WvcXP
Python Crash Course, 2nd Edition: https://amzn.to/30gINu0
Violent Python: https://amzn.to/2QoGoJn
Black Hat Python: https://amzn.to/2V9GpQk
My Build:
lg 32gk850g-b 32" Gaming Monitor:https://amzn.to/30C0qzV
darkFlash Phantom Black ATX Mid-Tower Case: https://amzn.to/30d1UW1
EVGA 2080TI: https://amzn.to/30d2lj7
MSI Z390 MotherBoard: https://amzn.to/30eu5TL
Intel 9700K: https://amzn.to/2M7hM2p
G.SKILL 32GB DDR4 RAM: https://amzn.to/2M638Zb
Razer Nommo Chroma Speakers: https://amzn.to/30bWjiK
Razer BlackWidow Chroma Keyboard: https://amzn.to/2V7A0or
CORSAIR Pro RBG Gaming Mouse: https://amzn.to/30hvg4P
Sennheiser RS 175 RF Wireless Headphones: https://amzn.t
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from The Cyber Mentor · The Cyber Mentor · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Buffer Overflows Made Easy - Part 1: Introduction
The Cyber Mentor
Buffer Overflows Made Easy - Part 2: Spiking
The Cyber Mentor
Buffer Overflows Made Easy - Part 3: Fuzzing
The Cyber Mentor
Buffer Overflows Made Easy - Part 4: Finding the Offset
The Cyber Mentor
Buffer Overflows Made Easy - Part 5: Overwriting the EIP
The Cyber Mentor
Buffer Overflows Made Easy - Part 6: Finding Bad Characters
The Cyber Mentor
Buffer Overflows Made Easy - Part 7: Finding the Right Module
The Cyber Mentor
Buffer Overflows Made Easy - Part 8: Generating Shellcode and Gaining Shells
The Cyber Mentor
HackTheBox - Sunday Walkthrough (Re-Up)
The Cyber Mentor
Networking for Ethical Hackers - TCP, UDP, and the Three-Way Handshake (Re-Up)
The Cyber Mentor
Networking for Ethical Hackers - Network Subnetting (Re-Up)
The Cyber Mentor
Networking for Ethical Hackers - Network Subnetting Part 2: The Challenge (Re-Up)
The Cyber Mentor
Networking for Ethical Hackers - Building A Basic Network with Cisco Packet Tracer (Re-Up)
The Cyber Mentor
HackTheBox - Fighter Walkthrough (Re-Up)
The Cyber Mentor
Beginner Linux for Ethical Hackers - Navigating the File System
The Cyber Mentor
Beginner Linux for Ethical Hackers - Users and Privileges
The Cyber Mentor
Beginner Linux for Ethical Hackers - Common Network Commands
The Cyber Mentor
Beginner Linux for Ethical Hackers - Viewing, Creating, and Editing Files
The Cyber Mentor
Beginner Linux for Ethical Hackers - Controlling Kali Services
The Cyber Mentor
Beginner Linux for Ethical Hackers - Scripting with Bash
The Cyber Mentor
Beginner Linux for Ethical Hackers - Installing and Updating Tools
The Cyber Mentor
Cracking Linux Password Hashes with Hashcat
The Cyber Mentor
Reminder: Twitch Hacking Live Stream Tonight! 2/26/19 at 8PM EST
The Cyber Mentor
Hacking Live Stream: Episode 1 - Kioptrix Level 1, HackTheBox Jerry, and Career Q&A / AMA
The Cyber Mentor
Hacking Live Stream: Episode 2 - HackTheBox Active, Vulnserver Buffer Overflow, and Career Q&A / AMA
The Cyber Mentor
Hacking Live Stream: Episode 3 - Hack The Box Blue, Devel, and Career Q&A / AMA
The Cyber Mentor
New Zero to Hero Pentest Course, New Website, and 2K Subs?!
The Cyber Mentor
Zero to Hero Pentesting: Episode 1 - Course Introduction, Notekeeping, Introductory Linux, and AMA
The Cyber Mentor
Zero to Hero Pentesting: Episode 2 - Python 101
The Cyber Mentor
Zero to Hero Pentesting: Episode 3 - Python 102, Building a Terrible Port Scanner, and a Giveaway
The Cyber Mentor
Zero to Hero Pentesting: Episode 4 - Five Phases of Hacking + Passive OSINT
The Cyber Mentor
Zero to Hero Pentesting: Episode 5 - Scanning Tools (Nmap, Nessus, BurpSuite, etc.) & Tactics
The Cyber Mentor
Zero to Hero Pentesting: Episode 6 - Enumeration (Kioptrix & Hack The Box)
The Cyber Mentor
Zero to Hero Pentesting: Episode 7 - Exploitation, Shells, and Some Credential Stuffing
The Cyber Mentor
Installing Windows Server 2016 on VMWare in 5 Minutes
The Cyber Mentor
Zero to Hero: Week 8 - Building an AD Lab, LLMNR Poisoning, and NTLMv2 Cracking with Hashcat
The Cyber Mentor
A Day in the Life of an Ethical Hacker / Penetration Tester
The Cyber Mentor
Active Directory Exploitation - LLMNR/NBT-NS Poisoning
The Cyber Mentor
Zero to Hero: Week 9 - NTLM Relay, Token Impersonation, Pass the Hash, PsExec, and more
The Cyber Mentor
Zero to Hero: Episode 10 - MS17-010/EternalBlue, GPP/cPasswords, and Kerberoasting
The Cyber Mentor
Writing a Pentest Report
The Cyber Mentor
Zero to Hero: Week 11 - File Transfers, Pivoting, and Reporting Writing
The Cyber Mentor
The Complete Linux for Ethical Hackers Course for 2019
The Cyber Mentor
Full Ethical Hacking Course - Beginner Network Penetration Testing (2019)
The Cyber Mentor
Popping a Shell with SMB Relay and Empire
The Cyber Mentor
Pentesting for n00bs: Episode 1 - Legacy (hackthebox)
The Cyber Mentor
Pentesting for n00bs: Episode 2 - Lame
The Cyber Mentor
Pentesting for n00bs: Episode 3 - Blue
The Cyber Mentor
Web App Testing: Episode 1 - Enumeration
The Cyber Mentor
Pentesting for n00bs: Episode 4 - Devel
The Cyber Mentor
Pentesting for n00bs: Episode 5 - Jerry
The Cyber Mentor
Web App Testing: Episode 2 - Enumeration, XSS, and UI Bypassing
The Cyber Mentor
Pentesting for n00bs: Episode 6 - Nibbles
The Cyber Mentor
Web App Testing: Episode 3 - XSS, SQL Injection, and Broken Access Control
The Cyber Mentor
How NOT to Approach a Cybersecurity Mentor
The Cyber Mentor
Web App Testing: Episode 4 - XXE, Input Validation, Broken Access Control, and More XSS
The Cyber Mentor
Pentesting for n00bs: Episode 7 - Optimum (hackthebox)
The Cyber Mentor
Pentesting for n00bs: Episode 8 - Bashed (hackthebox)
The Cyber Mentor
Pentesting for n00bs: Episode 9 - Grandpa
The Cyber Mentor
Top 5 Internal Pentesting Methods
The Cyber Mentor
More on: Security Basics
View skill →Related Reads
📰
📰
📰
📰
The Silent Killer in Your Node.js APIs: Mass Assignment & How to Catch It Before Production
Medium · AI
The Silent Killer in Your Node.js APIs: Mass Assignment & How to Catch It Before Production
Medium · Cybersecurity
Australian Cyber Security Centre Issues Alert on Mass Exploitation of CMS Vulnerabilities
Dev.to · NetSecOpsIO
Malicious 'jscrambler' NPM Package Versions Deploy Cross-Platform Infostealer in Sophisticated Supply Chain Attack
Dev.to · NetSecOpsIO
Chapters (6)
Intro
0:14
What is MFA?
1:00
TOTP flow
1:56
MFA bypass
3:33
MFA brute force
8:45
Outro
🎓
Tutor Explanation
DeepCamp AI