How to Hack MFA (Multi-Factor Authentication)

Captions
Today we're going to be looking at attacking multi-factor authentication (MFA) in web apps. I'm going to cover a little bit of theory and then, as usual, we'll dive into some labs. As always, if you like the video, don't forget to like and subscribe. Let's dive in.

So what is multi-factor authentication anyway? Well, in a nutshell, we have to use more than one factor of authentication to prove our identity. It's also commonly known as two-factor authentication, or 2FA, the difference being that 2FA only implies two factors and is essentially a type of MFA. They're used interchangeably a lot, so if you prefer one over the other then no worries, but I prefer to say MFA.

So what are these factors? Well, many people know the old phrase "something you know, something you have, something you are". Now, I think this is an oversimplification of authentication factors and people can often get confused, but it does give us a useful starting point for thinking about what we need our authentication to look like.

So what does a flow for a web app look like anyway? Well, this can vary wildly, but using time-based one-time passwords (TOTP) is a pretty popular method and involves the creation of a one-time password for use when you're authenticating. For this we have two main journeys. First we have the enrollment: a user provides their credentials, their username and password, and if they're valid a shared key is created. This is stored in an app like Authenticator, and then MFA on the account is enabled. Fairly straightforward if we don't dive into the crypto etc. Next we have the login: a user provides their credentials again, username and password. If they're valid, the user is forwarded to a TOTP login form. The user enters the code provided by their app, which is then verified by the server, and if all is well the user is authenticated. There are of course other ways to achieve this, but let's move on to how we can actually attack MFA.

All right, for our first attack I'm going to make MFA disappear. So we just come to My account and we have some credentials, so I think it's wiener and then peter, and then we get this usual "please enter your four-digit security code". So let's come to the email client and we'll just open this up, and we get our security code, 1972. I'll just grab this, come back, pop this in and hit Login, and it looks like we end up at our My account page, which is, you know, expected behaviour.

So two things that I notice about this login process: one, that's a very short MFA code, only four digits, so probably quite easily brute-forceable; and second, we're just going to try and bypass it completely. So let's log out. The user account that we have is carlos, so we just come back and then we'll log in as carlos; in this case we've stolen their credentials. Then again we get this four-digit security code, but really all we're going to do is just come to My account, hit Enter, and we're logged in as carlos. So making sure that your multi-factor authentication is applied to every resource, every place that it needs to be applied to, is really, really important, and you'll be surprised how often these kinds of bypasses actually work on an endpoint or a resource or a page that should be protected. So that is our first lab out of the way.

All right, so here we are at the lab, and this time I've switched my proxy on so we have traffic routing through Burp Suite. Again we're just going to log in as wiener/peter and have a look at the flow, just to get a feel for the application. So I'm going to come into the email client, grab the code, 0789, and then log in, and we successfully log in. So let's take a quick look at the traffic and see what we can find. We can see the POST /login here, we can see our credentials going in, wiener and peter, and then we can also see a GET /login2. So something interesting here is we have verify with the username, and then we have the POST to /login2 as well. The first thing that I would test in this case is: will this valid MFA code work with other users? For example, can we just change verify to carlos with our valid code? Will this work for another user?

So let's give this a quick try. Let's log ourselves out, come to My account, and what I'm going to do is switch on Intercept, log in as wiener/peter, and then forward this, because we want to verify these credentials against this user first, otherwise it's probably just going to say "invalid username or password". Then we get the /login2, so we want to change this to carlos. Now we can switch Intercept off for the time being, come back to our email server, refresh, and, interestingly enough, we don't get a code here because we changed the username to carlos. So what we're going to do is come back and try to generate a code for wiener, which we're not going to use in this case, and then we're going to grab it. So if I just refresh: 1962. Paste it in here, and then before we hit Send let's come back to Intercept and change this back again to carlos, since that's the user that we're targeting, and we're going to see if wiener's code works with carlos. Unfortunately we get "Incorrect security code", so this doesn't work.

But what we can also try is brute-forcing this code, because it's only a four-digit security number, so if there's no brute-force protection this should be fairly trivial. I'm going to come to Burp Suite, and then all we're going to do is come to HTTP history, grab this POST request and press Ctrl+I to send it to Intruder, then clear all of the selections, change this to carlos, and then add the highlights here. Now we actually need a payload, and I suppose the easiest payload would be to just use `for i in range` in Python, 1 to 10,000, but that wouldn't give us things like 0010, for example. So another way we could do this is with a nested loop, or we can just use the string format function. So I'm just going to `vim` and call this num.py, then insert `for num in range(1, 10000)` and we want to `print('{:04d}'.format(num))`, passing in num like this. Then if we just do `python3 num.py` you can see that we get the output, but more importantly, if we scroll up you can see that we get 0001, 0002, for example. So we can just do the same thing and then output this to num.txt, and then obviously if we `cat num.txt` we have our payload list.

So we'll come back to Intruder and then we can load in our wordlist, we'll grab our num.txt, and let's just hit Start attack. And here I'm going to pause this now because I can see a 302 in the list (sorry if the text is a little bit small). I'm just going to click on this and take a look at the response: we get a 302 Found instead of a 200 OK, and the 200 OK gives us the response of "Incorrect security code". So let's grab this. We'll take the session; you can see we have Set-Cookie: session, so we'll just use this, come back here, update our session token, and then browse to /my-account, and we are logged in as carlos, and we also solved the lab as well.

So that's it for this video. Now, this was a requested topic from a viewer, so of course if there are other topics you want me to cover, leave them in the comments below, and I'll see you next time.
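The following is an added Python example, not code from the video or from the lab platform. It simulates the /login, GET /login2, POST /login2 flow the speaker walks through in Burp, replays the Intruder brute force against it (including the swap of `verify` to the victim's username), and then shows a hardened version of the same endpoints. The accounts wiener/peter and carlos come from the transcript; carlos's password `montoya`, the in-process "server" classes, the response bodies and the three-attempt lockout are all constructed assumptions for the simulation. Unlike the speaker's num.py, the code generator counts from 0 so that 0000 is included.

```python
import secrets

USERS = {"wiener": "peter", "carlos": "montoya"}  # constructed; attacker knows only wiener's


def generate_codes(width=4):
    """Zero-padded candidate codes: width=4 gives 0000..9999, the Intruder payload list."""
    return [f"{n:0{width}d}" for n in range(10 ** width)]


class VulnerableServer:
    """Mirrors the flow seen in Burp: POST /login, GET /login2, POST /login2."""
    def __init__(self):
        self.codes = {}        # username -> pending code (what the email client shows)
        self.sessions = set()  # (username, session token) pairs that were issued

    def new_code(self):
        return f"{secrets.randbelow(10 ** 4):04d}"

    def post_login(self, username, password):
        if USERS.get(username) != password:
            return 200, {"body": "Invalid username or password."}
        # Flaw 1: the user awaiting MFA is recorded in a client-controlled cookie.
        return 302, {"Set-Cookie": f"verify={username}"}

    def get_login2(self, cookies):
        # Flaw 2: a code is issued for whoever the cookie names, with no ownership check.
        self.codes[cookies.get("verify")] = self.new_code()
        return 200, {}

    def post_login2(self, cookies, mfa_code):
        user = cookies.get("verify")
        # Flaw 3: unlimited attempts, so at most 10,000 guesses are always enough.
        if self.codes.get(user) == mfa_code:
            token = secrets.token_hex(8)
            self.sessions.add((user, token))
            return 302, {"Set-Cookie": f"session={token}"}
        return 200, {"body": "Incorrect security code"}


class HardenedServer(VulnerableServer):
    """Same endpoints with the three flaws closed."""
    MAX_ATTEMPTS = 3

    def __init__(self):
        super().__init__()
        self.pending = {}   # opaque verify token -> username, bound server-side
        self.attempts = {}  # username -> /login2 attempts against the current code

    def post_login(self, username, password):
        if USERS.get(username) != password:
            return 200, {"body": "Invalid username or password."}
        token = secrets.token_hex(8)
        self.pending[token] = username  # the client never holds the username itself
        return 302, {"Set-Cookie": f"verify={token}"}

    def _user(self, cookies):
        return self.pending.get(cookies.get("verify"))

    def get_login2(self, cookies):
        user = self._user(cookies)
        if user is None:
            return 401, {"body": "No pending login"}
        self.codes[user] = self.new_code()
        self.attempts[user] = 0
        return 200, {}

    def post_login2(self, cookies, mfa_code):
        user = self._user(cookies)
        if user is None or user not in self.codes:
            return 401, {"body": "No pending login"}
        self.attempts[user] += 1
        if self.attempts[user] > self.MAX_ATTEMPTS:
            self.codes.pop(user)  # burn the code; the user must start the login again
            return 429, {"body": "Too many attempts"}
        if secrets.compare_digest(self.codes[user], mfa_code):
            self.codes.pop(user)  # single use
            token = secrets.token_hex(8)
            self.sessions.add((user, token))
            return 302, {"Set-Cookie": f"session={token}"}
        return 200, {"body": "Incorrect security code"}


def brute_force_login2(server, codes, victim=None):
    """Replay the Intruder attack: pass the password step with the attacker's own
    account, optionally swap the verify cookie to the victim (the edit made in
    Intercept), then try each code until a 302 carrying a session cookie appears.
    Returns (code, session_token), or None if the server stops the attack."""
    status, headers = server.post_login("wiener", "peter")  # attacker's valid creds
    name, value = headers["Set-Cookie"].split("=", 1)
    cookies = {name: value}
    if victim is not None:
        cookies["verify"] = victim
    server.get_login2(cookies)  # makes the server issue a code for that user
    for code in codes:
        status, headers = server.post_login2(cookies, code)
        if status == 302 and headers.get("Set-Cookie", "").startswith("session="):
            return code, headers["Set-Cookie"].split("=", 1)[1]
        if status in (401, 429):  # rejected outright or locked out: stop
            return None
    return None
```

Against `VulnerableServer`, `brute_force_login2(server, generate_codes(), victim="carlos")` lands on the single 302 exactly as the Intruder run does and hands back a session token for carlos. Against `HardenedServer` the cookie swap is rejected because `verify` is an opaque token that the server maps to a username, and even an attacker guessing their own code is cut off at `MAX_ATTEMPTS` with the pending code invalidated. Real deployments usually add source-based rate limiting on top of the per-user counter.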
Info
Channel: The Cyber Mentor
Views: 25,171
Id: QSK79bTkBgI
Length: 8min 56sec (536 seconds)
Published: Mon Apr 10 2023