How Hackers Bypass Two-Factor Authentication (2FA)?!

Captions
Today I'll be teaching you how you can bypass two-factor authentication. You finally managed to get the password of your friend, coworker or even Mr. Hacker Loi, and now when you log in into the site you get a popup that says, hey, enter the two-factor authentication right now. Well, that is a big problem, but as hackers we have to find ways to overcome that. So one of the best ways is to just go ahead and hack into the phone so that you get the one-time password too. The other way is to hack into the backend database to uncover that secret value, which allows you to then add into your own authenticator, providing those one-time passwords for you too. And before we get started, kids, remember hacking is illegal. Ask your mom for permissions first.

So the first thing, of course, is you need a hacker. So in this case we have Mr. Hacker Loi, who is going to be running the hack, teaching you exactly what's going on. Next up, you have a website. So in this case we have a website that we're targeting, and of course on the back end there is a database of records storing all this different information. So the information we're targeting in this case is called the secret value, and this secret value is a value that we can then use in our own mobile device or in our own authenticator. We insert that value over here, and when we get a popup for the 2FA, we're able to place that value over into 2FA, allowing us to bypass the authentication. And yes, it is super cool, I know.

And right in front of us we have col electronic and we are on a login page. So in this case we have a target, and of course you have been watching all of Mr. Hacker Loi's videos and perhaps you know the password as 12345678, or the password as "Mr. Hacker Loi is very handsome". So either of these two options, you can try to inject them. So in this case we have, say, hackerloi@hacker.com, and I can enter the password of 12345678. I click log in. Guess what, we're able to log right in. Okay, so what we want to do now is we can go ahead and set up
the two-factor authentication. So in this case there is a generation of a QR code. In reality, QR codes are just values that you can then scan from your phone. So you have two options here: one, you take out your phone and you scan this QR code to get some information from there, or two, what you can do is do a right click onto the image and click save image as. So in this case I'm going to save this as Hacker Loi QR code.png, click save. I will replace this file, and what I'll do now is go ahead and analyze the file using a tool. So in this case we want to extract the value or information out of the QR code. So I'm using in this example read zr. Python, and I'll go ahead and analyze the file that we have downloaded. Hit enter on that, and let's go ahead and do a dot slash on this, hit enter on that again, and boom, we're able to extract the value right here. So we have the following: in this case we have the value of D4 IC cj3 and so on and so forth, and of course before the N, which is the issuer of OWASP Juice Shop.

So now that we've extracted the value, we can go ahead and click add, and in this case we can either scan a QR code or enter a setup key. So let's go ahead and enter the setup key. So in this case I'll call this Hacker Loi hacked, and I'll go ahead and enter the key right here. As you can see here, I've selected onto the account name as well as the key. I click add and boom, we are done. So what I can do now is go back over into the registration of the two-factor authentication. So what we can do now is go ahead and enter the current password, so in this case we're 12345678 as the current password, or Mr. Hacker Loi could be using "Hacker Loi is very handsome" as another set of password too. Next up, from the generated six-digit PIN, all I got to do right now is go ahead and enter 189, all right, followed by the following of 297. All right, go ahead and enter that, click save, and boom, we're done. So now we have set up the two-factor authentication or configuration for it. So to show the example of
the value being stored in a backend database, in this case we're using sqlite3, and I go ahead and use sqlite3 Target ju shop. sqlite, hit enter on that, and what I can do now is go ahead and query the tables within this database. So you can go ahead and enter the following of, say, .tables, enter that, and it shows you all the tables within the database. And in this case, most likely the information is going to be stored under the users table, so let's go ahead and query that. So I can do the following of schema users and see what the schema is like. So in this case we have ID, we have username, we have email and so on and so forth, and the one that is most important for us as part of today's hack is TOTP secret. So now what we can do is go ahead and query that. So I can do the following of select email, all right, comma, TOTP secret from users, all right, where email equal, in this case we have hackerloi@hackerloi.com. Hit enter on that, and this value over here is the same value as the one that we've extracted earlier when we were scanning and extracting the value from the QR code image. You may say, like, why didn't I scan the QR code directly from my phone? Well, if I scan directly from my phone, I wouldn't look like a hacker.

Now, if the website has a SQL injection vulnerability, I can click under account, I click login, and what I can do now is enter, say, hackerloi@hacker.com, but because of a SQL injection vulnerability, what we are doing here is I can enter whatever password I want to, which is not an actual password, and it will still bring us and allow us to log into this user. So what I can do now is go ahead and click log in, but boom, we get stopped. We get stopped by the two-factor authentication, and we do not have the value. So what we need to do is to hack into the backend database to extract that value so that we can add it into our own authenticator. So what I've done here: I went to the top right corner of the browser and I've gone ahead and set up an interceptor. So in this case we're
using Burp Suite as our interceptor, and when I go over into Burp you can see right here we're intercepting under the proxy tab, and right here we have a specific request to one21 16.0 1117. Of course, in the real world it will be a domain name. So in this case I can do a right click on this, send it over to, say, Repeater, and from Repeater you can see right here with g/r product search. So I can enter, say, apple, and I hit enter on that. When I send it over, we get some results back. So again, as you have understood earlier, it is using a database on the back end, and of course in return, whatever we search for, it is providing us those values back in JSON.

And this specific query has a vulnerability, and as you can see here on the left we have the payload, so we have a UNION SELECT from sqlite_master. So we're trying to understand the schema, the tables and all this different information behind the backend database. So I go ahead and click send on this, and you can see right here, okay, we have some error messages. So this is a result of ensuring that we fit into the column that was retrieved for us in order to get back those actual values. At the same time, if you see over here we have SQL select star from products where name like, et cetera. This is the query that is being run by the application against the backend database that we saw earlier. So if you see on the left right now, I have updated the payload a little more, so we have UNION SELECT sql, 2, 3, 4, 5, 6, 7, 8, 9 from sqlite_master. Go ahead and click send on this and boom, we are done. So if I scroll down further, especially past the first table that is providing us a list of products and all the different values of the products, if you scroll down further it will be able to provide us all the different information regarding the different tables within the database. So in this case, if I scroll down a little more, you'll be able to see here we have create table addresses, create table basket items, create table baskets and so on and so forth. So the
one that we're really interested in in this case is going to be under the users, right? So in this case let's go ahead and go over into the users table. So in this case we have user ID, carts and complaints, feedbacks. So this gives us an idea about all the tables that we saw earlier when we were directly querying from the database, but that requires that we have access to the operating system. So in this case let's go over into users, all right, so let's go ahead and search for that. So right here, this is the one that we're targeting. So we have create table users, so same thing that we saw earlier. So we have the password, we have the email, and of course the one that we're targeting in today's case is going to be TOTP secret. So you can see right here we have a new set of payload, which is UNION SELECT email, password, user, so we are querying directly into the users table. So when I click send on this, this gives us information, again after we pass the first table of all these different products information. If I scroll down further, we'll be able to see all this different users information. So in this case we have, like, J1 2934, which is admin account at Juice Shop, and so on and so forth. So all these are different information that we are able to retrieve right now, and the one we're targeting in this case is going to be hackerloi@hackerloi.com, and we can see right here this is the value that we extracted earlier.

From the extraction of this value, I can go back over into, say, Google Authenticator and I can easily add this as an additional value of time-based one-time password setup. So what I can do right now is go ahead and click onto plus, enter a setup key, and so right now what we'll do is enter an account name, so in this case hack Hacker Loi, and after that go ahead and copy and paste the value right here. Once you're ready, go ahead and click add on this and it will generate all this value for us. So right here we have 08 9575, but let's give it a second more, get the new generation of six-digit PIN. Let's
enter this, 48613, right. Go ahead and turn off Burp Suite. In this case I'll turn it off right now. I'll click on account, click log in, and go ahead and enter hackerloi@hackerloi.com, enter the password, or if you have the SQL injection payload ready you can do the same. Whichever case it is, it brings you over into the two-factor authentication token. So right now, if I go back over into Android, right, 48613, go ahead and click log in, just in time. We are now in. We have managed to hack into the account as a result of breaking into the backend database that is storing all this two-factor authentication shared secret.
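
Added example, not part of the video or its captions: the product search built by string concatenation next to a parameterized form, run against a constructed in-memory SQLite database. The table layout, the `totp_secret` column name, the sample rows and the input string are assumptions made for illustration, not Juice Shop's actual schema or code.

```python
import sqlite3

SECRET = "CONSTRUCTEDSECRET"  # constructed placeholder, not a real TOTP seed


def make_db():
    """Constructed stand-in for the shop database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE Products (id INTEGER, name TEXT, price REAL);
        CREATE TABLE Users (email TEXT, totp_secret TEXT);
        INSERT INTO Products VALUES (1, 'Apple Juice', 1.99);
        INSERT INTO Products VALUES (2, 'Banana Juice', 1.99);
        INSERT INTO Users VALUES ('user@example.test', '{SECRET}');
    """)
    return db


def search_concat(db, term):
    # "Before": the search term becomes part of the SQL text, so a quote in it
    # ends the string literal and the rest is parsed as SQL.
    sql = "SELECT id, name, price FROM Products WHERE name LIKE '%" + term + "%'"
    return db.execute(sql).fetchall()


def search_bound(db, term):
    # "After": the term is a bound parameter. It is only ever compared as data;
    # % and _ inside it still act as LIKE wildcards, but cannot add SQL.
    sql = "SELECT id, name, price FROM Products WHERE name LIKE '%' || ? || '%'"
    return db.execute(sql, (term,)).fetchall()


def leaks_secret(rows):
    """True if any returned cell is the stored 2FA secret."""
    return any(SECRET in [str(cell) for cell in row] for row in rows)


# Constructed input in the shape the captions describe (a UNION into the users table).
HOSTILE = "zzz' UNION SELECT 1, email, totp_secret FROM Users--"

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", search_concat(db, HOSTILE))
    print("bound:       ", search_bound(db, HOSTILE))
    print("normal use:  ", search_bound(db, "apple"))
```

Binding the parameter closes the read path shown in the captions; the secret column being stored in the clear is a separate exposure, since anyone who can read that row can generate valid codes.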
Info
Channel: Loi Liang Yang
Views: 37,554
Keywords: hacker, hacking, cracker, cracking, kali linux, kali, metasploit, ethical hacking, ethical hacker, penetration testing, penetration tester, owasp
Id: e8KZTCM2B8Q
Length: 9min 20sec (560 seconds)
Published: Sun Feb 25 2024