How Hackers Bypass Two-Factor Authentication (2FA)?!

Рет қаралды 103,925

3 ай бұрын

// Membership //
Want to learn all about cyber-security and become an ethical hacker? Join this channel now to gain access into exclusive ethical hacking videos by clicking this link: / @loiliangyang
// Courses //
Full Ethical Hacking Course: www.udemy.com/course/full-web...
Full Web Ethical Hacking Course: www.udemy.com/course/full-web...
Full Mobile Hacking Course: www.udemy.com/course/full-mob...
// Books //
Kali Linux Hacking: amzn.to/3IUXaJv
Linux Basics for Hackers: amzn.to/3EzRPV6
The Ultimate Kali Linux Book: amzn.to/3m7cutD
// Social Links //
Website: www.loiliangyang.com
Facebook: / loiliangyang
Instagram: / loiliangyang
LinkedIn: / loiliangyang
// Disclaimer //
Hacking without permission is illegal. This channel is strictly educational for learning about cyber-security in the areas of ethical hacking and penetration testing so that we can protect ourselves against the real hackers.

Пікірлер: 306

@MohitMishra-fn6cm 10 күн бұрын

The efficiency of this Adrian Ruthnik is next level. To juggle walk throughs of various angles on the topic delivered to-camera, differnet content per topic from various folks underneath the umbrella of the track list of the larger big band concert itself is engaging and refined. To make a dense taccess like this so digestible is really something. Awesome work jack!!

@AnnuRai-ft8xi 10 күн бұрын

Everyone should have a dedicated person like you Adrian Ruthnik .

@parthroy8579 10 күн бұрын

Congratulations, Adrian Ruthnik I am relieved that you are out there fighting these thugs, We musttake every precaution to protect the elderly and the general public from these despicable con artists. Congratulations to You!! You deserve the Nobel Peace Prize for ensuring our security.

@Greyyyjohnson 3 ай бұрын

What side are you on as Metaspyclub divides the wealthy from the poor?

@NariahHart 3 ай бұрын

i just got my twitter back thanks to metaspyclub

@RamonaEvans-jx3pt 3 ай бұрын

if you need assistance just look up metaspyclub

@JushawnHarper 3 ай бұрын

i got back my Gmail thanks to metaspyclub

@YourBuddyMrcoat 3 ай бұрын

Wait, what is happening?

@MallikarjunK-mp4fs 10 күн бұрын

We need more immeasurably wise and compassionate humans like you on this planet. Thank you for sharing Adrian Ruthnik , Jon. I bet I'm not alone when I say this video found me at the perfect moment, and there are a lot of things here that I needed to hear right now.

@abishekabishek728 10 күн бұрын

Account of mine also got hacked and I followed the method as explained in this video but I'm unable to proceed after recording the selfie video. Thank you Adrian Ruthnik. It brings me immense joy to witness his name appearing frequently in comments, a clear indication of the commendable work he’s been doing.

@ramjittudu7761 10 күн бұрын

My account also got hacked and I followed the method as explained in this video but I'm unable to proceed after recording the selfie video. Thank you Adrian Ruthnik . I'm really happy seeing his name everywhere in the comment. It really says a lot about his good work.

@banajkumarmohapatra6266 10 күн бұрын

I'm a Maldives born and living in UK and I cannot express enough how much I despise these scumbags. Literally whenever people ask me my nationality I just tell them I'm British because idiots like these give us a horrendous reputation, not to also mention they scam other Europeans too. It warms my heart to see stuff like this, please Adrian Ruthnik keep up the great work destroying these scammers!!!

@KrishnaBabuVishwKarma 10 күн бұрын

It just kept glitching on me when I tried this video tutorial so firstly I would say thank you for the video and secondly, thank you Adrian Ruthnik meeting you was a blessing in disguise keep up with the good work I'm sure a lot of people will be needing your assistance iin the nearest future after seeing this

@PhulmoniMondal-cb2lq 10 күн бұрын

Y’all should stop calling everything “the bare minimum” when it’s literally not. Respect is the bare minimum, actually going out of your way to comfort and have an open ear for someone isn’t. Doing something like this is truly very nice and a great thing of him to do. I hope shit gets better for you and I salute Adrian Ruthnik for being mature when it’s needed!

@anmol_official1519 10 күн бұрын

It's amazing what you do Adrian Ruthnik We need a lot of people with your skills and set who have good intentions and spread love

@Ravigamer4 10 күн бұрын

Hey ppl, I'm a retired computer/IT person, Yet I still find Adrian Ruthnik so informative and straight forward. Thanks for your advise and helping the people...........Great work and love watching.

@uzmaarshi481 10 күн бұрын

Having someone like you who’s not only a great innovator but also pulls his best to get the work done so beautifully needs nothing but appreciation. Adrian Ruthnik Thanks for the well off work you consistently bring your all and I truly appreciate that. Thank you for making corporate life so smooth. Proud to have you on our team. Great work as always.

@Satishkushwahs94 10 күн бұрын

Thank you, Adrian Ruthnik for consistently being so approachable and open-minded. Your friendly demeanor and willingness to listen and understand serve as a constant source of motivation. Your support and guidance have been especially meaningful to me during the recent account issue I encountered. Your willingness to assist and offer valuable advice speaks volumes about your character and the supportive environment you cultivate. I’m incredibly grateful to have someone like you. Your assistance played a crucial role in resolving the issue and getting my account back.

@VictorMartins239 3 ай бұрын

so at the end it was actually a sql injection

@hellamean 3 ай бұрын

Exactly

@patwhocares7009 3 ай бұрын

Which is kind of an amateur move.

@BigTurtleMane 3 ай бұрын

@@patwhocares7009”amateur” but effective, like keyloggers

@abdulrahmanfaisal5969 3 ай бұрын

@@patwhocares7009 exaclty cuz his channel is sh*t it just teaches some nonsense stuff for beginners additionally it won’t benefit anyone

@amanokinji6220 3 ай бұрын

Yeah, if we can execute this level of injection then, the company is a lost cause 😂, its always thing with WAF

@et_matrix 3 ай бұрын

How can you store sensitive data without encrypted? As a backend developer, this doesn't make any sense.

@100gramsofdisapointment3 2 ай бұрын

First, this is a lab and it is meant to be vulnerable. Secondly, most of the time you cannot encrypt the database itself, as this typically causes data corruption. You can store encrypted strings though and pass the encrypted strings with secure protocols (which is the safest bet). Even if it was a ciphered string, you can use tools like rainbow tables or john or even google-fu to decipher weak passwords like "password". The whole point of this is to show an example of a vulnerability. It is possible that an inexperienced developer, or recent update, broke encryption or stored the plain-text values. There are even more complicated versions of attacks but this is a good understanding of the basics of what a cyber security specialist looks for. Often times the puzzle is much more complicated and you really need to know your stuff in order to fully test something.

@nulljeroka 14 күн бұрын

As a Backend it should.

@rabbitinnh 3 ай бұрын

It would be very unusual these days to find a front end application directly executing SQL against the back end database without going through some kind of API that abstracts and limits. This might have worked 15 years ago . . Essentially this has little to do with 2FA authentication and everything to do with hacking into a database.

@ysfchn 3 ай бұрын

100% agree, it is misleading.

@hardscope7744 3 ай бұрын

Exactly what ever any of these hacker channels showing is all bullshit it might of worked 15 years ago like you said but not today and if this stuff was true do you really think KZbin would let him post it I don’t think so 😂 not how this people can think that other people are so stupid is beyond me

@admiral44 3 ай бұрын

I’m new into this field working on my certs and things and I appreciate y’all’s feedbacks on videos like these !

@kylelaker539 3 ай бұрын

Some do have deprecated technology.😊

@portman8909 3 ай бұрын

@@admiral44Enforce two step and put uBlock origin on every clients machine

@nuhuali8602 3 ай бұрын

This is a great example of how a vulnerable website can be compromised even when security controls are implemented. Interpreting query based information is a prominent skill, especially in a database that store large sets of data. 👏

@mattia222 3 ай бұрын

security controls where not implemented. Sqlinjection is a very known issue.

@iamwitchergeraltofrivia9670 3 ай бұрын

I hate Security Control ob websites blocking Security Control for more malware Protection

@apristen 3 ай бұрын

nice video for children, man! really appreciated! but first, IRL on production u usually won't get so verbose 5xx errors (if devops/developers are not too crazy ofc to open bugs for end user :-))) so your SQLi will be "blind SQLi", LOL! ;-) second, more and more systems nowdays use "prepared statements" for SQL, reliably isolate query itself from query parameters, which gives backend's code immunity to SQLi, sad (for hackers) but true.

@peterparker175 3 ай бұрын

if you have access to DB why you don't just turn off 2fa on the user account?

@Lamborghini35853 3 ай бұрын

In my opinion, it will be suspicious for user, cause he previously has a protection and now It`s just disappear

@R3D_S3C 3 ай бұрын

Because the goal is to be as inconspicuous and effective as possible. Removing a gate entirely would raise red flags and call attention to the intrusion.

@hechter80 3 ай бұрын

Because he can only read the database, not modify it.. I think

@spokentruth5909 2 ай бұрын

Are u just consistently pressing send in burp suite or a value then send?

@HeyCossa 3 ай бұрын

It’s funny to see how some people over think and over complicate what hackers are actually doing

@AllINONE-yb2bo 3 ай бұрын

Can we see safe folders image after remote access by Kali Linux pls pls reply sir

@jdbt7874 3 ай бұрын

What if the valve is stored in the server's cache?

@HackerCifish 3 ай бұрын

Video Suggestions: 1. Video About wireshark And wifite 2. Video on how to hack any pdf's password with "rockyou" wordlist 3. Make a video about anonymity with kali "whoami" 4. A video on how to dual boot Kali Linux 5. A video a on BYOB Botnet 6. Full tutorial about Burpsuite

@user-ni5bp3sb7w 3 күн бұрын

I used to be so obsessed with learning.... ❤️Now i an professional and now i understand everything u say 🥺

@user-wn4dk1xc3c 3 ай бұрын

very well from your good and nice techings Mr. loi can you tell we is there a way to download from payment websites without any paying thanks

@fairyroot1653 3 ай бұрын

I'm just interested in the py to extract the key from the QR code

@nieczerwony 2 ай бұрын

This is probably outdated as most platforms now are using like separate app. For example in FB/Messenger if I have login credentials to lets say my brother FB account, but I am trying to log in from my PC/Phone, he will have to confirm on his device. So eve if he has to put some PIN/QR it will only be possible from his device. My bank is using similar approach. If I try to log in from any other device< i will get pop up on my phone where I have to confirm and allow new device to connect.

@abhinavtiwari24 3 ай бұрын

Always ready for your video

@JimmyS2 3 ай бұрын

I don't understand why the double )) in the union payload @5:54 ?

@almoh 3 ай бұрын

To setup 2FA, first you need to have the password? if you already have the hackerwhateverpassword, the account is already compromised?

@killerfreefire3727 3 ай бұрын

The first part of video was an example of how 2FA generally works. Qr code image gives us a secret token that we can use to bypass 2FA, then in the video shows that with SQL injection we get this token from the database

@randomando9953 3 ай бұрын

Look who raised him. I'm not surprised he's stuck like Chuck 😂😂

@hellamean 3 ай бұрын

Well, a replay attack can be used to login without password or 2FA as well.

@biggig8548 3 ай бұрын

Does this affect the use of hard tokens from a USB device and/or Yubikey etc? Are these stored in the same DB as well? I always thought hard tokens were the safer way to go instead of a google authenticator. Always enjoy and appreciate the videos!

@ysfchn 3 ай бұрын

It depends on what do you mean by "hard tokens". Specifically speaking of Yubikeys, it supports multiple type of authentication methods, so storing TOTP accounts on Yubikey is not that much different from Google Authenticator or any application authenticator, you would just have a physical presence of your 6-digit codes with Yubikey. But since Yubikey's storage is write-only, you can't see your secrets in plain form after it is imported to Yubikey, so you just see the 6-digit codes that the secret is corresponding to, which naturally makes Yubikey safer. However, Yubikeys also provides a hardware-based OTP (HOTP), so in that scenario, the server just "validates" the token generated by the Yubikey (instead of checking the same 6-digit value that the same secret stored in DB corresponding to, as in TOTP) which it makes the one of the most secure authentication methods as of today. Unfortunately, not all websites which supports 2FA allows registering a security key (or passwordless sign-in), they sometimes support TOTP as the only 2FA option as in the example website shown in this video. Also, even hardware authenticators are used, when the server's database is exposed once, it might be a risk still because since the database basically contains your user data, even if hacker couldn't sign in your account they can still access your leaked info without signing in, so I believe it doesn't even matter much anyway which 2FA method you choose in that scenario like this. Not saying that hardware authenticators doesn't change anything, they are obviously always more secure than other options! And since most-popular websites are protected enough to prevent easy attacks like SQL injection, getting full access to the database is very less likely in today (it probably would work in ancient websites like in 10+ years ago), so don't be confused by this video. Even with a time-based tokens (TOTP), you are usually still safer than having no 2FA, it is just not that super-safe when compared to hardware-based tokens. Hope this is helpful!

@valkaielod 3 ай бұрын

They work exactly the same way in case you use TOTP. You just store the shared key on the hardware instead of the phone.

@MrColinTee1 Ай бұрын

Can you help me bypass my own 2FA for Facebook? I lost google authenticator when I had my mobile phone stolen.

@gko_0844 3 ай бұрын

Dude how many camera you have?

@davidlu1003 3 ай бұрын

Very cool. Thanks.😁😁😁

@godalfred2266 3 ай бұрын

Question:- Is it possible to brute force the 6 digit authentication code with graphic cards or with anything else in Cybersecurity ?

@Kalreni 3 ай бұрын

@@yt_brij Proxies exists

@lainiw4kura 3 ай бұрын

usually the passcodes refresh and change every minute

@PCs454 3 ай бұрын

yes you can but they expire after like 1 minute

@AliHussain-mt9vn 3 ай бұрын

Can make another video about android RAT because most of the old so they don't work

@user-sp9kl4vq1j 3 ай бұрын

Hi, Mr. Hackerloi! I am one of your KZbin writings and I come to help your video and are very good. Congratulations to the stather. Have one of your video with the title: How Hackers Hack With An Image Trojan? I tested on my computer with your class cripto did not give enough to cost me a crypt base and how to set up

@LOMOKA25 3 ай бұрын

hello can you help me skip the website

@pick_pick_pick 2 ай бұрын

Amazing one 🥰

@Live360bdTV 3 ай бұрын

I can't login my Facebook account due to , 2factor automatic app . Can you help me 😭

@Hello_-_-_-_ 3 ай бұрын

Excelent police work and freedom you gave. That boy looks genuinely sorry and regrets what he did

@hinoTheCatto 3 ай бұрын

Learnings from this video: 1. How to bypass 2fa 2. hacker loi is very handsome

@gpppp910 3 ай бұрын

So to bypass 2fa you'd need a sql injection? That's not a 2fa bypass sir, that's just a misleading title. It's already game over when you can extract arbitrary data from the database.

@medslyhenuk1430 3 ай бұрын

thx for sharing information

@pdebian 2 ай бұрын

Por favor, adicione faixa de áudio nos seus vídeos. Vai ajudar muito a gente entender melhor.

@Sxhib_space 3 ай бұрын

Sir pls next video on how to find and bypass admin panel of any website.

@olabanjidavid2512 26 күн бұрын

YOU CAN ONLY DO THAT FOR A WEBSITE WITH HTTP NOT HTTPS

@ProfessorMoon6 3 ай бұрын

any promo code for your courses ? :)

@AbsoluteDegens 3 ай бұрын

In this example, you had the password and email, and the 2fa wasn't needed, you set up the 2fa after you had access to the account? Im confused.

@kibetandrew5622 3 ай бұрын

😂

@ferasm96 3 ай бұрын

Because the whole video is about bypassing 2fa through extracting the token key

@user-nh1en4cq3k 3 ай бұрын

The video is all over the place

@MrDoesntUpload001 3 ай бұрын

Thank you Mr. Hacker Loi.

@aburilusbroadcast 3 ай бұрын

Please make a video with how a hacker bypass my 2FA provided by my Yubikey. :) Thanks!

@valkaielod 3 ай бұрын

They do not need your Yubikey if they can get the TOTP key stored on it from the server.

@aburilusbroadcast 3 ай бұрын

@@valkaielod I don't talk about a TOTP code provided by Yubikey. I talk about 2FA provided by hardware key Yubikey itself (aka they need my key to plug in to their USB port and touch the key). How can they bypass this?

@valkaielod 3 ай бұрын

@@aburilusbroadcast That is FIDO2. They can't bypass it unless there is a vulnerability in the chip and they have access to it. Or they exploit the web application.

@valkaielod 3 ай бұрын

@@aburilusbroadcast It seems like YT ate my comment. Bypassing the FIDO2 auth used in that scenario is not trivial at all. You either need a vulnerability in the chip YK uses or compromising the server side.

@invt.duanecage555 3 ай бұрын

Some of y'all haven't even watched the video but already liking it

@Hello_-_-_-_ 3 ай бұрын

Bc we know it's going to be quality content.

@abdou.the.heretic 3 ай бұрын

Freedom, funny how that works.

@invt.duanecage555 3 ай бұрын

@Hello_-_-_-_ and indeed, it was great

@invt.duanecage555 3 ай бұрын

@@abdou.the.heretic true talk

@gvagear 3 ай бұрын

yes, you can like it, and after watching you can decide to keep it or revoke it. some ads and autoplay feature will navigate you elsewhere on video end, so it is a best practice to like earlier.

@samsepiolz 3 ай бұрын

how can this work on modern systems?

@timecop1983Two 3 ай бұрын

This will not work unitl a 0day is found

@compton8301 3 ай бұрын

It'll never work.

@MalevolentJJK 3 ай бұрын

Can we do it for Gmail.