2FA bypass using a bf attack (Video solution, Audio)

48,635 views

Michael Sommer

3 years ago

This video shows the lab solution of "2FA bypass using a bf attack" from the Web Security Academy (PortSwigger).

Comments: 73
@serkanakbulut8317 3 years ago
I was getting 200 and 400 responses randomly because I couldn't find the number-of-attacks parameter. Then I realized that in the new Burp Suite the number of attacks was under the resource pool. It took some time to find it.
@acronproject 1 year ago
Thank you, Mr. Sommer.
@sto2779 1 year ago
Thanks, I was so confused about how to set up Burp Suite for session handling. What are some of the best ways to prevent this hack? I'm assuming the lab is showing us that the website did not change the 2FA code after every two codes?
@techwithshudarsan559 3 years ago
Will a new MFA code be generated if I am sent back to the login page after two incorrect attempts?
@theexcelord86 3 years ago
I don't understand why this works. Normally, after you complete the first login step, a new code is generated. Therefore, it is not a brute force, it is just a guess on every POST /login2. Or maybe the vulnerability of the site is that the first code remains valid even if we are logged out because we input a wrong one?
@sto2779 1 year ago
The probability of getting the code right is extremely low; it seems like the website was using a static code even after 2 failed attempts. I also wonder why this hack worked. It would be great if they explained in each lab how to prevent the hack.
@MohamedTaha-rl7uz 9 months ago
@sto2779 I tried to enter the code that I got from Burp manually on the website, but it didn't work.
@abdulx01 2 years ago
I couldn't find Request Engine in [Intruder: Options]. How can I set my number of threads?
@jsmoothstudio9327 2 years ago
I don't have the Request Engine option in the Options tab of Intruder.
@ericmartin2726 2 years ago
So would this work for trying to get into an old Gmail account that has two-factor authentication blocking it??
@wrench2474 2 years ago
What if the website changes the code every time there is a failure?
@haamerr823 2 years ago
Hey Michael, I got my account hacked recently and I was wondering if you could help. He didn't change the password, so I have everything except for the 2FA code.
@user-jg2qv9tb9n 3 years ago
To get rid of the 400 status code, set Maximum concurrent requests to 1 in the Resource Pool tab.
@ardian-vn7kt 2 years ago
Would that work on a PlayStation account?
@user-jg2qv9tb9n 2 years ago
@ardian-vn7kt Study the laws of your country and then decide whether it is worth it or not.
@ardian-vn7kt 2 years ago
@user-jg2qv9tb9n I don't actually care about the laws; I just need to get an account back because my 2-step verification is blocked and I broke the SIM card for the two-step verification.
@user-jg2qv9tb9n 2 years ago
@ardian-vn7kt Write to support about this issue.
@studiospan6426 10 months ago
So basically this attack works by requesting a new OTP from the server, then trying that OTP and hoping that our combination of generated and payload OTP somehow matches. Isn't this really difficult and completely based on luck? I mean, yeah, we can increase the speed by making our own code in Node.js or some other language which is very, very fast when it comes to web scraping, but still the odds are very, very high that we will get the code. I am not sure if any website will be willing to pay for this bug. Please correct me if I am wrong 🙏
@nishantdalvi9470 7 months ago
I strongly agree with your opinion.
@sepehrazizi1491 2 years ago
That's not possible, because you can't check all 999999 numbers in under 60 seconds, which is the default refresh rate for 2FA.
@sto2779 1 year ago
It's only 4-digit numbers, and it seems like the website was using a static 2FA code.
@ahmedaslam960 2 years ago
This solution doesn't work because he added GET /login2 to the macro, and that requests a new MFA code to be generated during each iteration. When you brute-force, you are chasing a moving target.
@gamegunner9079 1 year ago
What's the alternative way?
@sto2779 1 year ago
This solution does work; I just tried it and it got the right code. I'm using Burp Suite. To actually get the "completion" acknowledged by PortSwigger, you need to open the link which got the code right, as shown in the video.
@sto2779 1 year ago
@gamegunner9079 Right here, make a script: kzbin.info/www/bejne/ioixpZiabdCXhMk
@pranjalruhela1103 2 years ago
How does adding a macro prevent you from getting logged out??? PLEASE EXPLAIN
@anonimoxd8896 10 months ago
You are not prevented from logging out; you just get logged in again with the macro.
@jimdiroffii 1 month ago
I was hoping this would be more of an explanation of the attack, why it works on this lab, etc. Instead it is just a word-for-word video of the solution posted on the lab. As other commenters have commented, I would have expected new codes to be generated each time the macro runs. Still not clear on *exactly* what is happening here, just that following the steps leads to a successful login.
@jimdiroffii 1 month ago
For all practical purposes, it would be impossible to guess the correct MFA code if new codes were being generated on each attempt. If there are 10,000 possible codes, and 2 guesses can be made with each session, the probability of guessing a correct code is ~0.0002, or ~0.02%. Despite the lab stating that verification codes reset, I don't think that is the case. Either old tokens still work despite the session changing, or the token is not changing between sessions. That may be the bug in the MFA system in this lab, but in any case, it is poorly explained on PortSwigger's side.
@spaffhazz 1 year ago
I'm getting an invalid CSRF on the 302 request. What can I do to avoid this?
@ensarsamilbese1050 1 month ago
Try not to log out by entering the wrong MFA code twice. Start with a clear session, enter the credentials, enter any MFA code once, then proceed with the steps.
@jaiso434 3 years ago
How did you select each request separately in the macro recorder? I can drag them and remove them from the macro editor. What's the shortcut key?
@elmagnifico007 3 years ago
Hold the Ctrl key and click on the request.
@jaiso434 3 years ago
@elmagnifico007 Thanks anyway, I figured it out; I typed it into Google and saw a Microsoft page which says the same thing for MS Word. Thanks for the reply.
@elmagnifico007 3 years ago
@jaiso434 You're welcome.
@sto2779 1 year ago
You need to keep pressing Ctrl and select the URLs. I was getting session handling issues and this video explained how to do it properly.
@georgpauwen5944 1 year ago
It is probably me, but I never get a 302. I have run this lab ten times at least...
@shanmughankarikkamudi1044 3 years ago
It's taking more than 3 hours to complete the attack. Is that normal timing?
@Michael10Sommer 3 years ago
Did you use Windows or Linux? In some cases, Burp works faster on Linux than on Windows.
@duongmactung1551 3 years ago
I think the difference here is that the author used the Pro version. I'm using the Community version and also have the same timing as you.
@MatveiZimin 3 years ago
@duongmactung1551 I use the Pro version and the attack is still way too slow (max concurrent threads = 1).
@kheswas 3 years ago
Would this work on a page that uses Google Authenticator? I have the user ID and password but lost the Google Authenticator device.
@romainetienne1823 3 years ago
Same for me :-( .... So does it work? Did you recover your account?
@kheswas 3 years ago
@romainetienne1823 Please do come back and comment here if you get a working solution. I'm starting to give up because I'm not getting any answers.
@BelowAverageRazzleDazzle 3 years ago
No. Google Authenticator uses a 6-digit code and it rolls every 30 seconds. The app that accepts it also probably has a nonce or CSRF token on form submissions. There is no way you can attack it quickly enough before the code changes and you need to start over (every 30 seconds).
@albertflores6682 3 years ago
@BelowAverageRazzleDazzle Hi, how about Instagram's constant 8-digit recovery code? Does it detect this kind of attack?
@thanhisntreal 2 years ago
Work for Roblox?
@Amit-fn7bw 1 year ago
You are just following the steps; can you please explain every step, like why you are doing a particular step.....
@BelowAverageRazzleDazzle 3 years ago
You didn't deal with the CSRF token in Intruder. That would change on every form submission in the real world... Repetitively posting with the same CSRF token in the real world would NOT work. You have to extract that token from the GET request on the page load and then update it in the subsequent submissions.
@theexcelord86 3 years ago
Nice, I didn't think about that. How would you automate this process with Burp Intruder? BTW, isn't it the same problem with the session cookie? I tried to use recursive grep, but we need the CSRF token from the last macro request for the Intruder CSRF parameter, and I don't know how to do this.
@BelowAverageRazzleDazzle 3 years ago
@theexcelord86 Macro to replay the prior page load and grep to extract the token to insert on the Intruder request.
@theexcelord86 3 years ago
@BelowAverageRazzleDazzle Thanks for the answer, but I still don't understand. "The prior page", you mean GET /login2? How do you extract the token from the login2 that was fetched by the macro with Intruder? I can only grep expressions from the response to the last payload; I can't grep anything from the macro, can I? EDIT: I found a way, no problem!
@BelowAverageRazzleDazzle 3 years ago
@theexcelord86 Cool man! Yeah, you grep and extract from the HTML on the prior page.
@lorishuynh8547 2 years ago
@BelowAverageRazzleDazzle Hi ThePreBanMan, I have the same thought as you, because when I followed the instructions it took too long. But I haven't done it successfully in Burp Suite. Step 1: I use a macro to get the value from the CSRF field in the form and assign it the variable name csrf. Step 2: I use Intruder to brute-force the MFA code; I intend to use the CSRF token from the GET /login2 response (taken in step 1) to load into the POST /login2 request, but I can't load this CSRF token into the Intruder request. Can you guide me on how to load the CSRF token from the previous response into the next request? Thank you very much.
@RedBegins 2 years ago
Working for Discord?
@ahmedsadiq1331 2 years ago
Thru IG
@Random_han 1 year ago
I already followed all the steps, but I got "Invalid CSRF token (session does not contain a CSRF token)" in the response.
@UserMS101 1 year ago
You need to set Maximum concurrent requests to 1 in the Resource Pool tab and it will work. Follow the steps as they are.
@importexport271 2 years ago
Omg
@PP-nw1uc 6 months ago
Why don't you work with the Community version? Do you think everyone here bought the Professional? Which one is more? Your videos don't make much sense.
@jimdiroffii 1 month ago
You can request a trial license from PortSwigger to get access to Pro for free, which is what I did. Many of the Academy labs require Pro, such as the ones requiring Burp Collaborator.
@SerdceDikarya199 7 months ago
We need some reasoning about what you do and why, not just instructions like a parrot.
@user-jg2qv9tb9n 3 years ago
These tasks are just a mockery. Why make tasks that require guessing 10,000 combinations, which also take so long? You spend half an hour understanding the vulnerability and the rest of the time just waiting. Many hours. And if you did something wrong, you wait again. The developers will burn in hell!!!!!!!!111111111