This video shows the lab solution for "2FA bypass using a brute-force attack" from the Web Security Academy (PortSwigger).
Comments: 73
@serkanakbulut8317 (3 years ago)
I was getting 200 and 400 responses randomly because I couldn't find the "number of attacks" parameter. Then I realized that in the new Burp Suite the number of attacks is under Resource Pool. It took some time to find it.
@acronproject (1 year ago)
Thank you, Mr. Sommer.
@sto2779 (1 year ago)
Thanks, I was so confused about how to set up Burp Suite for session handling. What are some of the best ways to prevent this hack? I'm assuming the lab is showing us that the website did not change the 2FA code after every two codes?
@techwithshudarsan559 (3 years ago)
Will a new MFA code be generated if I am sent back to the login page after two incorrect attempts?
@theexcelord86 (3 years ago)
I don't understand why this works. Normally, after you complete the first login step, a new code is generated. Therefore, it is not a brute force, it is just a guess on every POST /login2. Or maybe the vulnerability of the site is that the first code remains valid even if we are logged out because we input a wrong one?
@sto2779 (1 year ago)
The probability of getting the code right is extremely low; it seems like the website was using a static code even after 2 failed attempts. I also wonder why this hack worked; it would be great if they explained in each lab how to prevent the hack.
@MohamedTaha-rl7uz (9 months ago)
@@sto2779 I tried to enter the code that I got from Burp manually on the website, but it didn't work.
@abdulx01 (2 years ago)
I couldn't find Request Engine in [Intruder: Options]. How can I set my number of threads?
@jsmoothstudio9327 (2 years ago)
I don't have the Request Engine option in the Options tab of Intruder.
@ericmartin2726 (2 years ago)
So would this work for trying to get into an old Gmail account that has 2-factor authentication blocking it??
@wrench2474 (2 years ago)
What if the website changes the code every time there is a failure?
@haamerr823 (2 years ago)
Hey Michael, I got my account hacked recently and I was wondering if you could help. He didn't change the password, so I have everything except for the 2FA code.
@user-jg2qv9tb9n (3 years ago)
To get rid of the 400 status code, set Maximum concurrent requests to 1 in the Resource Pool tab.
@ardian-vn7kt (2 years ago)
Would that work on a PlayStation account?
@user-jg2qv9tb9n (2 years ago)
@@ardian-vn7kt Study the laws of your country and then decide whether it is worth it or not.
@ardian-vn7kt (2 years ago)
@@user-jg2qv9tb9n I don't actually care about the laws; I just need to get an account back because my 2-step verification is blocked and I broke the SIM card for the two-step verification.
@user-jg2qv9tb9n (2 years ago)
@@ardian-vn7kt Write to support about this issue.
@studiospan6426 (10 months ago)
So basically this attack works by requesting a new OTP from the server, then trying that OTP and hoping that our combination of generated and payload OTP somehow matches. Isn't this really difficult and completely based on luck? I mean, yeah, we can increase the speed by making our own code in Node.js or some other languages which are very, very fast when it comes to web scraping, but still the odds are very, very high that we will get the code. I am not sure if any website will be willing to pay for this bug. Please correct me if I am wrong 🙏
@nishantdalvi9470 (7 months ago)
I strongly agree with your opinion.
@sepehrazizi1491 (2 years ago)
That's not possible, because you can't check all 999999 numbers in under 60 seconds, which is the default refresh rate for 2FA.
@sto2779 (1 year ago)
It's only 4-digit numbers, and it seems like the website was using a static 2FA code.
@ahmedaslam960 (2 years ago)
This solution doesn't work, because he added GET /login2 to the macro, and that requests a new MFA code to be generated during each iteration. When you brute-force, you are then chasing a moving target.
@gamegunner9079 (1 year ago)
What's the alternative way?
@sto2779 (1 year ago)
This solution does work; I just tried it and it got the right code. I'm using Burp Suite. To actually get the "completion" acknowledged by PortSwigger, you need to open the link which got the code right, as shown in the video.
@sto2779 (1 year ago)
@@gamegunner9079 Right here, make a script: kzbin.info/www/bejne/ioixpZiabdCXhMk
@pranjalruhela1103 (2 years ago)
How does adding a macro prevent you from getting logged out??? PLEASE EXPLAIN
@anonimoxd8896 (10 months ago)
You are not prevented from logging out; you are just logged in again by the macro.
@jimdiroffii (1 month ago)
I was hoping this would be more of an explanation of the attack, why it works on this lab, etc. Instead it is just a word-for-word video version of the solution posted on the lab. As other commenters have noted, I would have expected new codes to be generated each time the macro runs. Still not clear on *exactly* what is happening here, just that following the steps leads to a successful login.
@jimdiroffii (1 month ago)
For all practical purposes, it would be impossible to guess the correct MFA code if new codes were being generated on each attempt. If there are 10,000 possible codes, and 2 guesses can be made with each session, the probability of guessing a correct code is ~0.0002, or ~0.02%. Despite the lab stating that verification codes reset, I don't think that is the case. Either old tokens still work despite the session changing, or the token is not changing between sessions. That may be the bug in the MFA system in this lab, but in any case, it is poorly explained on PortSwigger's side.
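The prevention question asked earlier in the thread and the probability estimate in this comment can be made concrete. The Python below is an added example, not the lab's code and not PortSwigger's or the video author's: a toy verifier in the weak shape the commenters suspect (one code per user that survives across login sessions, no attempt counter) next to a hardened one (fresh random code per login session, two attempts, code burned on success or lockout), plus the per-session success probability for random guessing. The class names, the user `alice` and the helper `wrong_guess` are constructed for the example.

```python
"""Added example (not from the lab or the video): why a 4-digit 2FA code is only
safe when it is bound to one login session and burned after a couple of attempts."""
import hmac
import secrets
from dataclasses import dataclass

CODE_SPACE = 10_000      # 4-digit numeric codes, as in the lab
MAX_ATTEMPTS = 2         # the lab logs you out after two wrong codes


def success_probability(code_space: int, guesses_per_session: int, sessions: int) -> float:
    """Chance that random guessing succeeds within `sessions` logins when the code
    is regenerated for every session, so each session is an independent draw."""
    per_session = guesses_per_session / code_space
    return 1 - (1 - per_session) ** sessions


@dataclass
class Session:
    user: str
    code: str
    attempts: int = 0
    burned: bool = False   # True once the code may no longer be used


def _fresh_code() -> str:
    return f"{secrets.randbelow(CODE_SPACE):04d}"


class StaticCodeVerifier:
    """Weak design: one code per user, handed out again on every login and never
    rotated, with no attempt counter. Logging out and back in costs nothing, so
    every one of the 10,000 codes is reachable and a brute force always finishes."""

    def __init__(self) -> None:
        self._codes: dict[str, str] = {}

    def start_session(self, user: str) -> Session:
        if user not in self._codes:
            self._codes[user] = _fresh_code()
        return Session(user, self._codes[user])

    def verify(self, session: Session, guess: str) -> bool:
        # constant-time compare, but nothing limits attempts or burns the code
        return hmac.compare_digest(session.code, guess)


class RotatingCodeVerifier:
    """Hardened design: a new random code for every login session, at most
    MAX_ATTEMPTS guesses, and the code is burned on success or on lockout so it
    cannot be replayed from another session."""

    def start_session(self, user: str) -> Session:
        return Session(user, _fresh_code())

    def verify(self, session: Session, guess: str) -> bool:
        if session.burned:
            return False
        session.attempts += 1
        ok = hmac.compare_digest(session.code, guess)
        if ok or session.attempts >= MAX_ATTEMPTS:
            session.burned = True
        return ok


def wrong_guess(code: str) -> str:
    """A guess that is guaranteed not to equal `code` (demonstration helper)."""
    return f"{(int(code) + 1) % CODE_SPACE:04d}"


if __name__ == "__main__":
    # The figure from the comment above: 2 guesses out of 10,000 per session.
    print(f"per-session success: {success_probability(CODE_SPACE, MAX_ATTEMPTS, 1):.4%}")
    print(f"after 1,000 sessions: {success_probability(CODE_SPACE, MAX_ATTEMPTS, 1000):.2%}")

    weak = StaticCodeVerifier()
    a, b = weak.start_session("alice"), weak.start_session("alice")
    print("static code reused across sessions:", a.code == b.code)

    strong = RotatingCodeVerifier()
    s = strong.start_session("alice")
    strong.verify(s, wrong_guess(s.code))
    strong.verify(s, wrong_guess(s.code))
    print("correct code accepted after lockout:", strong.verify(s, s.code))
```

With the hardened verifier, the only thing a macro that re-logs-in buys is a new independent draw at 2/10,000 per session, which is the ~0.02% this comment computes; with the static verifier the same code is served on every session, so the observed behaviour of the lab matches that shape.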
@spaffhazz (1 year ago)
I'm getting "Invalid CSRF" on the 302 request. What can I do to avoid this?
@ensarsamilbese1050 (1 month ago)
Try not to log out by entering the wrong MFA code twice. Start with a clear session, enter the credentials, enter any MFA code once, then proceed with the steps.
@jaiso434 (3 years ago)
How did you select each request separately in the macro recorder? I can drag them and remove them from the macro editor. What's the shortcut key?
@elmagnifico007 (3 years ago)
Hold the Ctrl key and click on the request.
@jaiso434 (3 years ago)
@@elmagnifico007 Thanks anyway, I figured it out. I typed it into Google and saw a Microsoft page which says the same thing for MS Word. Thanks for the reply.
@elmagnifico007 (3 years ago)
@@jaiso434 You're welcome.
@sto2779 (1 year ago)
You need to keep pressing Ctrl and select the URLs. I was getting session handling issues and this video explained how to do it properly.
@georgpauwen5944 (1 year ago)
It is probably me, but I never get a 302. I have run this lab ten times at least...
@shanmughankarikkamudi1044 (3 years ago)
It's taking more than 3 hours to complete the attack. Is that normal timing?
@Michael10Sommer (3 years ago)
Did you use Windows or Linux? In some cases, Burp works faster on Linux than on Windows.
@duongmactung1551 (3 years ago)
I think the difference here is that the author used the Pro version. I'm using the Community version and also have the same timing as you.
@MatveiZimin (3 years ago)
@@duongmactung1551 I use the Pro version and the attack is still way too slow (max concurrent threads = 1).
@kheswas (3 years ago)
Would this work on a page that uses Google Authenticator? I have the user ID and password but lost the Google Authenticator device.
@romainetienne1823 (3 years ago)
Same for me :-( .... So does it work? Did you recover your account?
@kheswas (3 years ago)
@@romainetienne1823 Please do come back and comment here if you get a working solution. I'm starting to give up because I'm not getting any answers.
@BelowAverageRazzleDazzle (3 years ago)
No. Google Authenticator uses a 6-digit code and it rolls every 30 seconds. The app that accepts it also probably has a nonce or CSRF token on form submissions. There is no way you can attack it quickly enough before the code changes and you need to start over (every 30 seconds).
@albertflores6682 (3 years ago)
@@BelowAverageRazzleDazzle Hi, how about Instagram's constant 8-digit recovery code? Does it detect this kind of attack?
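The two replies above contrast a 6-digit code that rolls every 30 seconds with a code that never changes; the rolling scheme is RFC 6238 TOTP. The Python below is an added example, not part of the video and not any vendor's implementation: an RFC 4226 HOTP / RFC 6238 TOTP generator checked against the published RFC test vectors, and a server-side verifier that accepts each code at most once, tolerates one time step of clock drift, and throttles wrong guesses per time step. The secret is the RFC 6238 SHA-1 test secret; `TotpVerifier` and its parameters are constructed for the example.

```python
"""Added example (not from the video): RFC 6238 TOTP generation and a server-side
verifier with single-use codes and per-step failure throttling."""
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 SHA-1 test secret (the ASCII string "12345678901234567890")
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side checks that make guessing impractical even though the code
    space is only 10**6:
      * each code is accepted at most once (RFC 6238 section 5.2),
      * one previous time step is tolerated for clock drift, never a future one,
      * at most `max_failures` wrong codes per time step for this account."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 max_failures: int = 3) -> None:
        self.secret = secret
        self.step = step
        self.digits = digits
        self.max_failures = max_failures
        self.last_accepted_step = -1         # highest time step whose code was used
        self.failures: dict[int, int] = {}   # time step -> wrong guesses seen

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // self.step
        if self.failures.get(now_step, 0) >= self.max_failures:
            return False                     # throttled until the step rolls over
        for drift in (0, 1):                 # current step, then the previous one
            candidate = now_step - drift
            if candidate <= self.last_accepted_step:
                continue                     # already consumed: reject the replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        self.failures[now_step] = self.failures.get(now_step, 0) + 1
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B SHA-1 vectors, truncated to the 6-digit form
    for t, expected in ((59, "287082"), (1111111109, "081804"), (1111111111, "050471")):
        assert totp(RFC_TEST_SECRET, t) == expected
    v = TotpVerifier(RFC_TEST_SECRET)
    print("first use accepted:", v.verify("287082", 59))
    print("replay in same step accepted:", v.verify("287082", 59))
```

The throttle is keyed by time step rather than by a global counter so that a legitimate user who mistypes is only held until the next 30-second window, while the single-use rule is what stops a captured code being replayed through the drift window; a fixed recovery code has neither property and relies entirely on the server's attempt limiting.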
@danieldaves4087 (3 years ago)
Wow many people's are testifying the good & legit work noblehacks on Instagram is doing when it comes to recovering ps4 account he just help me recover my account..
@thanhisntreal (2 years ago)
Does it work for Roblox?
@Amit-fn7bw (1 year ago)
You are just following the steps; can you please explain every step, like why you are doing a particular step.....
@BelowAverageRazzleDazzle (3 years ago)
You didn't deal with the CSRF token in Intruder. That would change on every form submission in the real world... Repeatedly posting with the same CSRF token in the real world would NOT work. You have to extract that token from the GET request on the page load and then update it in the subsequent submissions.
@theexcelord86 (3 years ago)
Nice, I didn't think about that. How would you automate this process with Burp Intruder? By the way, isn't it the same problem with the session cookie? I tried to use recursive grep, but we need the CSRF token from the last macro request for the Intruder CSRF parameter and I don't know how to do this.
@BelowAverageRazzleDazzle (3 years ago)
@@theexcelord86 Macro to replay the prior page load and grep to extract the token to insert into the Intruder request.
@theexcelord86 (3 years ago)
@@BelowAverageRazzleDazzle Thanks for the answer, but I still don't understand. "The prior page": you mean GET /login2? How do you extract the token from the login2 that was fetched by the macro with Intruder? I can only grep expressions from the response to the last payload; I can't grep anything from the macro, can I? EDIT: I found a way, no problem!
@BelowAverageRazzleDazzle (3 years ago)
@@theexcelord86 Cool man! Yeah, you grep and extract from the HTML on the prior page.
@lorishuynh8547 (2 years ago)
@@BelowAverageRazzleDazzle Hi ThePreBanMan, I have the same thought as you, because when I followed the instructions it took too long. But I haven't done it successfully in Burp Suite. Step 1: I use a macro to get the value from the CSRF field in the form and assign it the variable name csrf. Step 2: I use Intruder to brute-force the MFA code; I intend to use the CSRF token from the GET /login2 response (taken in step 1) in the POST /login2 request, but I can't load this CSRF token into the Intruder request. Can you guide me on how to load the CSRF token from the previous response into the next request? Thank you very much.
@RedBegins (2 years ago)
Does it work for Discord?
@ahmedsadiq1331 (2 years ago)
Thru IG
@Random_han (1 year ago)
I already followed all the steps, but I got "Invalid CSRF token (session does not contain a CSRF token)" in the response.
@UserMS101 (1 year ago)
You need to set the Maximum concurrent requests to 1 in the Resource Pool tab and it will work. Follow the steps as they are.
@importexport271 (2 years ago)
Omg
@PP-nw1uc (6 months ago)
Why don't you work with the Community version? Do you think everyone here bought the Professional? Which one is more? Your videos don't make much sense.
@jimdiroffii (1 month ago)
You can request a trial license from PortSwigger to get access to Pro for free, which is what I did. Many of the Academy labs require Pro, such as the ones requiring Burp Collaborator.
@SerdceDikarya199 (7 months ago)
We need some reasoning for what you do and why, not just instructions like a parrot.
@user-jg2qv9tb9n (3 years ago)
These labs are just a mockery. Why make labs that require guessing 10,000 combinations, and which take so long? You spend half an hour understanding the vulnerability and the rest of the time just waiting. Many hours. And if you did something wrong, you wait again. The developers will burn in hell!!!!!!!!111111111