Looking for some real methods to bypass 2FA and MFA? If so then today your search ends. In this article you will get to know how to bypass two-factor authentication as well as how to bypass multi-factor authentication.
Multi-factor authentication is implemented correctly. It can be extremely powerful and low-cost way to protect against the weakest link in the cyber security defence which is generally the user password.
It works by combining something you know like a password with something like a hard or a soft token. It can be expanded to include other factors such as something you are like biometrics or somewhere you are like geolocation.
Attacks on multi-factor authentication were once considered more of a proof of concept than an actual threat the thinking was as long as multi factor authentication is enabled.
It doesn’t really matter if an attacker gets a user password because it would still need access to the token. Over recent years however more and more attacks have proven to not only be quite successful but quite common in the real world.
In this article we’ll take a look at four of the most common techniques an attacker will utilize to bypass 2FA and MFA. Along with the ways to mitigate against these attacks so that you can protect yourself and your organization. Without any further ado let’s get on to our list of four methods to bypass two-factor authentication and bypass multi-factor authentication.
Table of Contents
No matter how strong a security control can be, attackers will always target the weakest link. A great example of this kind of attack is a framework evilginx2. Evilginx2 works by acting as a proxy between the user and the server that they are trying to go to.
The attacker first needs to find a way to reroute user traffic through the evilginx proxy. The traffic is then sent from the proxy to the real server and displayed back to the user. It’s important to know here that the user is actually seeing the real site and not a replica like they would in a common phishing attack.
Evilginx is merely acting as a proxy which means a user is seeing the content exactly as they would when they visit the actual site. This also means that all communication from the user is routed from the proxy to the site and in turn grabs not only the username and password but the authentication cookies as well.
This is a really important concept to know because captured authentication cookies are goldmine. It allows the attacker to bypass any from of two-factor authentication on the user account. It takes a real user-authenticated session and it presents it to the user so they can be used later offline.
This attack is important because we’re not grabbing the actual token themselves which change frequently and after a new user request will no longer be usable once they’ve successfully logged in. The framework captures the actual authentication cookie from the successful attempt.
This allows the attacker to bypass any form of multi-factor authentication enabled on the user’s account from any machine. If you export the authentication cookie from the victim’s browser and import them into a different browser on a different computer even in a different country you will be completely authenticated and get full access to the account without ever being asked for the username, password or two factor authentication tokens.
READ ALSO : How to Become Real Hacker
How to protect against Evilginx’s bypass 2FA and MFA attack?
There are two ways to protect this kind of sophisticated attack. The first of which is to monitor the url and verify the domain you’re visiting is the actual one from the browser. While this may sound obvious even the most tech savvy users can still have trouble identifyinga real user rail from the attacker’s redirect using the evilginx framework.
The other is to use physical hardware like a universal second factor authentication (UTF). It was introduced to protect against this specific kind of phishing attack. In short the user would need to press a physical button on the hardware which interacts directly with the server once a request is made for the one time code.
The browser is only acting as a channel for communication and therefore not storing any type of session or authentication information in the browser itself. Evilginx is one kind kf attack which can be considered part of a broader type of attack called pass the cookie. This leads us to the next method to bypass 2FA and MFA.
Pass The Cookie
The concept behind this kind of attack is the user has already authenticated with their multi-factor authentication and the website has stored the cookie on the user’s browser. While this cookie is encrypted by default. In this attack we are attempting to retrieve and decrypt the cookie offline.
Unlike evilginx which acts like a proxy between the victim and the real server intercepting the cookie, this attack involves access to the user browser via some other method. Once a system has been compromised the attacker retrieves the cookie database from the web browser.
Once a cookie has been retrieved from the database, mimicat can be used to retrieve the decrypted cookie. The next step is to pass the cookie into the attacker’s web browser and attempt to visit the target application as the authenticated user.
When the authenticated server attempts to request an authentication cookie he’s presented with the victim’s authentication cookie and multi-factor authentication is completely bypassed for the duration of the login.
Perhaps the most unsettling part of this MFA bypass attack is the attacker does not need to know the victim’s username, password or token code. However they would need to compromise the victim machines and escalate privileges via some other methods.
READ ALSO : CTF Complete Guide
How to protect against Pass The Cookie’s bypass 2FA & MFA attack?
Fortunately there are few things we can do to protect against this kind of attack. One way would be to add additional context to the user authentication method behind just am authentication session. Because this attack works by exfiltrating the authenticated cookie out of a legit machine to another location.
One protection method would be to only allow authorized IP or client machines with certificates to have access into sensitive machines and servers. Another option is browser fingerprinting where the remote application would require a new authentication whenever a new browser or device is detected.
This attack illustrates a point that no matter how strong your password policy and multi factor authentication solution may be, an attacker always uses the path of least resistance. On that note that leads us to number three method to bypass 2FA and MFA.
SMS MITM Attacks
The biggest weakness in the use of multi-factor authentication is using sms or email as a delivery vehicle for the one-time token. When using text messages or emails for two-factor authentication, the one-time token is delivered to the user via sms text message this is then inputted by the user to log into the system.
This is perhaps the most popular method of multi-factor authentication because it’s easy to implement and does not require any soft or hard tokens to be deployed. In fact many of us use this kind of method to log into popular sites like banks and other personal websites.
However the use of sms itself over physical or soft tokens is the problem because the attacker can easily get access to any victim sms pretty easily. This particular kind of attack works by doing first a sim swap on the victim’s phone.
READ ALSO : How to Find Bugs
Sim Swap: Bypass 2FA and MFA
A sim swap is when the attacker transfers the phone number of a victim to their own sim card which is then controlled by the attacker. All sms messages are then sent to the attacker’s phone instead of the victim. This means that the one-time tokens which are sent from the application are actually sent to the attacker without the victim ever being aware.
Sim swaps are surprisingly easy to do for as little as $13. All it takes is a prepaid account and a phone number to transfer ownership. Once the attacker is able to reroute a target’s text messages, it can then be trivial to hack into other accounts associated with that phone number. In this case the attacker send login requests to Bumble, WhatsApp and Postmates and easily access all the victim’s accounts.
Attacks on Hard and Soft Tokens
While speaking about hardware and software based tokens it’s worth mentioning that when they are utilized they too can be the weakest link in the chain. Software tokens have come under the biggest scrutiny lately due to recent major zero days that have been found in iOS and android smartphones.
While software tokens like google authenticator or RSA secure id are generally considered secure. The nature of byod means that organizations still have to worry about malware infecting the underlying operating system of the phone itself. In this attack the victim’s phone is compromised and used to retrieve the one-time code from the multi-factor authentication system.
READ ALSO : OSINT Complete Guide
Soft Token Example
One example used by security researcher at nex-web a zero day exploit on android made it possible to mirror a victim’s phone and even launch applications in the background without them knowing. This simple exploit was delivered over sms text message and the victim in most cases didn’t even need to open the link.
The attacker can then log into the victim’s phone. Open up the soft token in the background retrieve the one-time code and all this without the victim ever knowing. By having this level of access to the victim’s phone, no secure software token in the world is safe from prying eyes.
Hard Token Example
Similarly hardware tokens can also fall victim to user errors as well by doing some digging on showdan for open webcams.
Both of these point that attackers can and will almost always find ways around the strongest security technologies by finding the least common denominator in the security chain.
Conclusion: Bypass 2FA and MFA
When it comes to online security, two-factor authentication (2FA) and multi-factor authentication (MFA) are becoming increasingly common. However, there are still ways to bypass these security measures. In this article you saw four methods to bypass 2FA and MFA.
I hope you got the answer “How to bypass 2FA and MFA?” If you have any doubt related to this topic (bypass two-factor and multi-factor authentication) then make sure to clear it through commenting below.