{"id":978,"date":"2020-08-16T17:16:00","date_gmt":"2020-08-16T16:16:00","guid":{"rendered":"http:\/\/zerothcode.com\/blog\/?p=978"},"modified":"2020-08-16T17:16:00","modified_gmt":"2020-08-16T16:16:00","slug":"cracking-the-2fa","status":"publish","type":"post","link":"https:\/\/zerothcode.com\/blog\/cracking-the-2fa\/","title":{"rendered":"Cracking the 2FA"},"content":{"rendered":"

Cracking – Testing a 2FA system is so much fun because we are breaching the stuff that was meant for additional security. And breaking them is so fun. You can skip to the part wherein the end I have explained the bug. Below are basics of response manipulation<\/p>\n

What is Two-Factor Authorization? Cracking<\/strong><\/p>\n

Two-factor authentication (2FA) is the second layer of security to protect an account or system. Users must go through two layers of security before being granted access to an account or system.<\/h4>\n

What is Response Manipulation? Cracking<\/h4>\n

So normally what we do in burp suite is we browse through multiple requests and wherever we wanna tamper or change anything we do it and forward the request.<\/p>\n

\n
\n
\n
\n
<\/div>\n
\"Cracking\"
Cracking<\/figcaption><\/figure>\n<\/div>\n<\/div>\n<\/div>\n<\/figure>\n

In Response Manipulation, we need to look for the appropriate request click on the \u201cAction\u201d button next to the \u201cIntercept\u201d button and select \u201cDo Intercept\u201d > \u201cResponse to Request\u201d.<\/p>\n

\n
\n
\n
\n
\n
<\/div>\n
\"Cracking\"
Cracking<\/figcaption><\/figure>\n<\/div>\n<\/div>\n<\/div>\n<\/div>
How to get a response to the request<\/figcaption><\/figure>\n

In Response manipulation, we tamper with the data that comes from the server.<\/p>\n

\n
\n
\n
\n
\n
<\/div>\n
\"Cracking\"
Cracking<\/figcaption><\/figure>\n<\/div>\n<\/div>\n<\/div>\n<\/div>
Response Manipulation<\/figcaption><\/figure>\n

So let\u2019s move on to see the bug,<\/p>\n

It is a private program so let\u2019s continue by saying it\u00a0example.com<\/strong>\u00a0and it had 2FA for account protection and it was well implemented no brute-force or whatever other methods, this also had a \u201cuse recovery codes option\u201d and decided to test that and then I remembered reading some blogs which told that with burp suite we cannot just manipulate requests going to browser but also the incoming responses. So me being a noob still decided to try for this thing I read of response manipulation.<\/p>\n

Steps:-<\/p>\n

1) Enable the 2FA for Attacker and Victims account, I used Google Authenticator and Microsoft Authenticator respectively just to keep no ties between them you know how the private programs are many questions and doubts from the teams.<\/p>\n

2) Then Go to attackers\u2019 account and log in and you\u2019ll see \u201cPlease enter your 2FA code \u201c And also an option just below it \u201cUse Recovery Code\u201d (Codes provide as backups when you don\u2019t have access to your authentication application or lost the device). Cracking<\/p>\n

3)Select the\u00a0\u201cUse Recovery Code\u201d Option<\/strong>\u00a0and Now Enter a correct backup code for the Attacker\u2019s account and intercept the request and get the response of that request. The Response has a session token for security purposes called _example_session=somenos. and string message showing correct code message.<\/p>\n

\n
\n
\n
\n
<\/div>\n
\"Cracking\"
Cracking<\/figcaption><\/figure>\n<\/div>\n<\/div>\n<\/div>
The Response you get On Entering a correct recovery Code<\/figcaption><\/figure>\n

4)Copy This response and keep it on a notepad. Cracking<\/p>\n

4)Now, this is where the\u00a0criticality of this bug is<\/strong>;\u00a0Drop<\/strong>\u00a0the Response<\/strong>\u00a0what it does is stops the _example_session token going to websites server and the web application does not invalidate that token.<\/p>\n

5)Now go to the victim\u2019s account follow the same steps for that of attackers (Step 1,2,). But while performing Step 3 enter a wrong recovery code any number you want. Capture the Request and get its response. You\u2019ll see that no session token provided to the error response that means we need a session token and there was an error string.<\/p>\n

\n
\n
\n
\n
<\/div>\n
\"Cracking\"
Cracking<\/figcaption><\/figure>\n<\/div>\n<\/div>\n<\/div>
The response you get on entering the wrong recovery code<\/figcaption><\/figure>\n

6)Now We had our attacker\u2019s account response from server replace that response to the error response here for victim’s account and \u2026\u2026\u2026\u2026 Cracking<\/p>\n

\n
\n
\n
\n
<\/div>\n
\"Cracking\"
Cracking<\/figcaption><\/figure>\n<\/div>\n<\/div>\n<\/div>\n<\/figure>\n

What Went Wrong?<\/h1>\n

1)Session token called _example_session= is not invalidated on the server-side when assigned someone and not got back.<\/p>\n

2)Security is totally left on a string error message response I mean there was a security measure but due to invalidation of tokens, the security could be bypassed.<\/p>\n

Conclusion<\/strong><\/p>\n

Always make sure Session tokens are properly validated and when sending a response back make sure it has some identity tokens attached to it.<\/p>\n

How to use Malicious Softwares?<\/a><\/p><\/blockquote>\n