In this article, we will be working through the lab "2FA bypass using a brute-force attack" and observing its practical demonstration. Before we dive into the lab, we should be familiar with two common terms: 2FA and the brute-force attack.
2FA provides an extra layer of security when a user enters their credentials to log in to any application or website. If a user has enabled 2-factor authentication (2FA) for their account, they will have to perform an extra verification step through the 2FA authentication form. This might include receiving a security code on their email or phone number, which they configured as an authentication method. Alternatively, they may require a token provided to them during 2FA activation, which they can use for 2FA verification.
Now let’s discuss the brute-force attack. In a brute-force attack, an attacker creates a list of possible usernames and passwords, or of candidate security codes, in order to bypass 2FA. They then submit the entries one by one until an attempt succeeds, bypassing the security check and gaining access to the victim’s account.
Let’s take an example to better understand this process. Suppose an attacker already knows your username and password, but when they try to log in, they are asked for a security code that they do not have. In this case, the attacker will generate a list of candidate security codes and use an automation tool such as Burp Suite or ffuf to submit them. If they guess the code correctly, they can log in.
As a user, you should use a password manager and avoid reusing the same password across accounts. If one of your accounts is compromised, the others will remain secure. Now let’s move on to the practical lab solution.
Lab Solution | Practical time
First of all, let’s discuss a bit about the lab we are going to work on. The lab’s two-factor authentication is vulnerable, which means an attacker can bypass the 2FA check by brute-forcing the code. We have been provided with the victim’s credentials: the username is “carlos” and the password is “montoya”. Our objective is to bypass the 2FA security and log in to the user’s account using a brute-force attack. Since we have experts on our team, this article might get a bit lengthy.
First, I enabled the Burp Suite proxy in my browser and started Burp Suite. After that, I opened the lab login page and logged in to Carlos’ account using the given credentials. At this point, I was asked for a security code as part of the 2FA check.
I entered the wrong security code twice, first with 1111 and then with 2222, which resulted in the application logging me out after two incorrect attempts.
Now, I will provide you with some steps to follow carefully.
First, go to Burp Suite and then select “Project options”. In the project options, choose “Sessions”.
After navigating to the Sessions tab in Burp Suite, you will see the Session Handling Rules at the top. Click on the “Add” button to access the Session Handling Rules editor. In the editor, click on the “Scope” option in the menu. This will show the “URL Scope” option, where you should select “Include all URLs”.
Next, open the “Details” menu, which is listed before “Scope” in the same editor. Under Rule Actions, click the Add button. You will be presented with several options; select “Run a macro”.
After clicking on “Run a macro”, a new window will appear. Click on the “Select macro” button, which is next to the “Add” button. Another window will pop up, as shown in the screenshot above. In this window, select the following three requests from the HTTP history:
- GET /login
- POST /login
- GET /login2
Once you have selected these requests, click “OK”.
After that, click on “Test Macro” in the Macro Editor.
In the test results, click on GET /login2 and verify that the response contains the error message asking you to enter a 4-digit code. Once you have verified it, click on OK.
After clicking OK in both dialogs, you will be back at the final interface. Now, go to the Proxy tab and then to the HTTP history tab.
From there, send the POST /login2 request to Intruder.
Time to brute-force the security code
In Intruder, clear all existing payload positions and mark only the “mfa-code” parameter. Then go to the Payloads section and select “Numbers” as the payload type.
Fill out the “Payload Options” as follows:
- From: 0
- To: 9999
- Step: 1
- Minimum integer digits: 4
- Maximum integer digits: 4
- Maximum fraction digits: 0
In the “Resource Pool” section, add a custom resource pool with the maximum concurrent requests set to 1, so that the macro’s login and each code submission run in order. Finally, click on the “Start Attack” button and wait for the results to come in one by one.
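The reason this works is that the lab’s two-attempt limit is tied to the login session: the macro starts a fresh session before every guess, so the counter never accumulates. As an added example, not part of the original lab or this walkthrough, here is a server-side verifier that keys the failure counter on the account so that logging in again does not reset it; the class names, the five-attempt limit, the lockout duration and the “carlos” account are assumptions for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5      # assumed limit, counted per account, never per session
LOCKOUT_SECONDS = 15 * 60    # assumed lockout duration


@dataclass
class Account:
    username: str
    mfa_code: str            # code issued for the current login attempt
    failed_attempts: int = 0 # survives logout and re-login
    locked_until: float = 0.0


class MfaVerifier:
    """Verifies 2FA codes with a failure counter keyed on the account,
    so starting a new login session does not reset it."""

    def __init__(self, now=time.time):
        self.accounts: dict[str, Account] = {}
        self.now = now       # injectable clock, so the lockout can be tested

    def issue_code(self, username: str) -> str:
        """Issue a fresh 4-digit code for a new login; keep the failure count."""
        code = f"{secrets.randbelow(10_000):04d}"
        acct = self.accounts.get(username)
        if acct is None:
            self.accounts[username] = Account(username, code)
        else:
            acct.mfa_code = code  # new code, but failed_attempts is untouched
        return code

    def verify(self, username: str, submitted: str) -> str:
        """Return 'ok', 'invalid' or 'locked'."""
        acct = self.accounts[username]
        if self.now() < acct.locked_until:
            return "locked"      # refuse even a correct code while locked
        # constant-time compare: no timing hint about which digits matched
        if hmac.compare_digest(acct.mfa_code.encode(), submitted.encode()):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = self.now() + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            return "locked"
        return "invalid"
```

Because the counter lives on the account rather than in the session, re-running the login flow between guesses (as the macro does) still exhausts the limit after five wrong codes.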
Congratulations, you have completed the lab! Feel free to follow me on Twitter @masaudsec.