Vulnerabilities in multi-factor authentication
In this section, we'll look at some of the vulnerabilities that can occur in multi-factor authentication mechanisms. We've also provided several interactive labs to demonstrate how you can exploit these vulnerabilities in multi-factor authentication.
Many websites rely exclusively(仅仅) on single-factor authentication using a password to authenticate users. However, some(websites) require users to prove their identity using multiple authentication factors.
Verifying biometric(生物特征识别的) factors is impractical for most websites. However, it is increasingly common to see both mandatory(强制性的) and optional two-factor authentication (2FA) based on something you know and something you have. This usually requires users to enter both a traditional password and a temporary verification code from an out-of-band physical device in their possession.
While it is sometimes possible for an attacker to obtain a single knowledge-based factor, such as a password, being able to simultaneously obtain another factor from an out-of-band source is considerably less likely. For this reason, two-factor authentication is demonstrably more secure than single-factor authentication. However, as with any security measure, it is only ever as secure as its implementation. Poorly implemented two-factor authentication can be beaten, or even bypassed entirely, just as single-factor authentication can.
It is also worth noting that the full benefits of multi-factor authentication are only achieved by verifying multiple different factors. Verifying the same factor in two different ways is not true two-factor authentication. Email-based 2FA is one such example. Although the user has to provide a password and a verification code, accessing the code only relies on them knowing the login credentials for their email account. Therefore, the knowledge authentication factor is simply being verified twice.
Two-factor authentication tokens
Verification codes are usually read by the user from a physical device of some kind. Many high-security websites now provide users with a dedicated device for this purpose, such as the RSA token or keypad device that you might use to access your online banking or work laptop. In addition to being purpose-built for security, these dedicated devices also have the advantage of generating the verification code directly. It is also common for websites to use a dedicated mobile app, such as Google Authenticator, for the same reason.
On the other hand, some websites send verification codes to a user's mobile phone as a text message. While this is technically still verifying the factor of "something you have", it is open to abuse. Firstly, the code is being transmitted via SMS rather than being generated by the device itself. This creates the potential for the code to be intercepted. There is also a risk of SIM swapping, whereby an attacker fraudulently(欺骗地) obtains a SIM card with the victim's phone number. The attacker would then receive all SMS messages sent to the victim, including the one containing their verification code.
Bypassing two-factor authentication
此处讲述了一个存在漏洞的双因素身份认证过程。具体地说,如果网站分两步进行登录,第一步要求用户输入密码,输入密码后跳转到一个独立页面又要求用户输入验证码。在这种情况下,我们可以尝试在登录后直接绕过第二步输入验证码的步骤,因为很多网站在你登录后就没有再对第二步的验证码进行验证。
At times(有时), the implementation of two-factor authentication is flawed to the point where it can be bypassed entirely.
If the user is first prompted to enter a password, and then prompted to enter a verification code on a separate page, the user is effectively in a "logged in" state before they have entered the verification code. In this case, it is worth testing to see if you can directly skip to "logged-in only" pages after completing the first authentication step. Occasionally, you will find that a website doesn't actually check whether or not you completed the second step before loading the page.
绕过简单的2FA实验
实验思路:
利用受害者的认证信息登录
一步步抓包,直至捕获到了/login2
将/login2直接改为my-account
成功访问受害者账户页面
Flawed two-factor verification logic
Sometimes flawed logic in two-factor authentication means that after a user has completed the initial login step, the website doesn't adequately verify that the same user is completing the second step.
For example, the user logs in with their normal credentials in the first step as follows:
POST /login-steps/first HTTP/1.1
Host: vulnerable-website.com
...
username=carlos&password=qwerty
They are then assigned a cookie that relates to their account, before being taken to the second step of the login process:
HTTP/1.1 200 OK
Set-Cookie: account=carlos
GET /login-steps/second HTTP/1.1
Cookie: account=carlos
When submitting the verification code, the request uses this cookie to determine which account the user is trying to access:
POST /login-steps/second HTTP/1.1
Host: vulnerable-website.com Cookie: account=carlos ...
verification-code=123456
In this case, an attacker could log in using their own credentials but then change the value of the account cookie to any arbitrary username when submitting the verification code.
POST /login-steps/second HTTP/1.1
Host: vulnerable-website.com
Cookie: account=victim-user
...
verification-code=123456
This is extremely dangerous if the attacker is then able to brute-force the verification code as it would allow them to log in to arbitrary users' accounts based entirely on their username. They would never even need to know the user's password.
简单爆破验证码绕过2FA实验
这一关有点意思,虽然登录第二步是根据cookie转到任意账户,但是对应的验证码是有一个校验的,所以我们需要爆破这个验证码。注意到验证码仅由四位数字组成,所以可以轻松爆破出来!
Brute-forcing 2FA verification codes
As with passwords, websites need to take steps to prevent brute-forcing of the 2FA verification code. This is especially important because the code is often a simple 4 or 6-digit number. Without adequate brute-force protection, cracking such a code is trivial.
Some websites attempt to prevent this by automatically logging a user out if they enter a certain number of incorrect verification codes. This is ineffective in practice because an advanced attacker can even automate this multi-step process by creating macros for Burp Intruder. The Turbo Intruder extension can also be used for this purpose.
利用macros绕过具备自动注销功能的2FA身份认证爆破实验
2FA bypass using a brute-force attack
每次登录的第二步如果输入错了验证码就会注销当前用户,所以我们可能要实现一个自动化登录第一步的过程,然后在第二步爆破验证码。
这里我也有个好奇的点,那就是注销再次登录,后台对应的验证码会重新生成吗?
如果会,是不是相当于我们每次都要重新爆破呢?这样的话成功的概率大吗?
如果不会,那么毫无疑问我们可以很快爆破出来。
可以使用burp的macros来实现,所以burp的macros是做什么的?
macros主要是用于在发起http请求之前先执行某个规则集中的行为。在本题中我们定义了一个规则集,里面有三条规则。分别是
GET /login #拿到csrf的值
POST /login #传入账户密码登录
GET /login2 #拿到login2的csrf值
我们在验证码的每一轮爆破之前都要预先执行这三个规则,否则无法完成爆破。注意,一定要设置http请求的并发数,绝对不能太高,同时不要使用burp自带的谷歌浏览器来做这个题,我因为这一点卡了好久。