Hi,
In this blog, I wish to share some of my learnings and tips for penetration testing Multi-factor Authentication.
What is Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) is a layer of security on top of the password: it requires additional factors (usually two or more independent pieces of evidence) from the user to confirm that the person requesting access to the information system is an authorized user of that system.
The additional factors are usually:
- Something you know: Example: passwords, PIN
- Something you have: Example: Phone, Hardware Tokens
- Something you are: Example: Biometrics, fingerprints
Why MFA?
In the scenario where a user’s password is compromised, MFA still stops the intruder from getting direct access to the system. That does not mean the second factor cannot be compromised: it can fall through misconfiguration of the MFA setup, bugs in the MFA implementation, or social engineering of the user.
Let me give you a brief introduction to some of the common MFA methods in use.
Common MFA methods
- TOTP (Time-based One-Time Password): Google Authenticator and Microsoft Authenticator are well-known software TOTP apps. A time-based one-time password is generated by an application the user holds (usually on a phone) and validated against the value the MFA system computes for the same moment. Each code is valid for one time step, usually 30 seconds (servers commonly accept the neighbouring step as well, to tolerate clock drift), hence the name. Before the app can produce codes it must be enrolled with the authentication system: the system generates a seed (shared key) and hands it to the app, typically as a QR code that encodes the seed in Base32, because typing sixteen or more Base32 characters by hand is error-prone. Base32 uses the letters A-Z and the digits 2-7; each character carries 5 bits, so a 16-character seed (the length Google Authenticator has historically used) is 16 * 5 = 80 bits. RFC 4226 requires a shared secret of at least 128 bits and recommends 160. Once both sides hold the seed, codes are generated as follows:
- The server (authentication system) takes the seed and the current Unix time divided into 30-second steps, computes HMAC-SHA-1 over the step counter with the seed as the key, and truncates the result to a short decimal code: OTP = Truncate(HMAC-SHA-1(seed, floor(unix_time / 30))) mod 10^6 for a 6-digit code.
- The client (authenticator app) performs exactly the same computation with its copy of the seed and its own clock.
- Both sides therefore produce the same code for the same time step (usually 30 seconds).
- The user submits the code from the app to the authentication system, which recomputes it and approves or denies the authentication request.
As you can see, the OTP is only as secure as the seed: the other inputs are public, since the algorithm is an open Internet standard (RFC 6238, built on the HOTP algorithm of RFC 4226) and the current time is known to everyone.
- OTP by SMS or email: when the user logs in to an MFA-protected application, the MFA system generates a short random code (usually numeric or alphanumeric) and sends it to the user’s registered email address or phone number. The user enters the code, the system checks it against the value it sent, and access to the application is granted.
Common Misconfiguration
- OTP replay: the system accepts an OTP code that has already been used. If an attacker obtains any used code (from logs, a shoulder-surf, a phished session), they can submit it again to gain access. Each code should be accepted exactly once, and a TOTP code should not be accepted a second time within its time window.
- Brute force: without account lockout or rate limiting, an attacker can simply enumerate the OTP space (a 6-digit code is only one million possibilities). Rate limits are also often keyed on something the attacker controls. For example, if an email address is blocked after requesting more than 5 OTPs, changing the case of letters in the address (User@example.com instead of user@example.com) may be treated as a different key and start a fresh counter.
- Weak seed value: suppose a seed with only about 30 bits of entropy is used. An attacker who has captured valid OTP codes can recover the seed offline: a single 6-digit code carries roughly 20 bits, so about 2^10 candidate seeds survive one captured code, and a second code pins down the right one. Even without captured codes, an attacker who can bypass rate limiting (or faces none) can brute-force the seed online. Either way the whole MFA setup is compromised, because the attacker can now generate valid codes at will.
Let’s calculate the entropy of a seed made of 9 decimal digits:
Entropy (in bits) = log2(N^L) = L * log2(N)
Where:
- N is the size of the character set (here 10, the digits 0 through 9).
- L is the length of the string (here 9 digits).
Entropy = log2(10^9) ≈ 9 * 3.32 ≈ 29.9 bits, roughly 30 bits.
To estimate how long it takes to crack a shared key with 30 bits of entropy, assume the attacker must try about half of the possible combinations on average: 2^30 / 2 = 2^29 ≈ 0.54 billion candidates. Each candidate costs one HMAC-SHA-1 per captured code, so this is seconds to minutes on commodity hardware and faster still with GPU-based cracking tools. Compare this with the 80 bits of a 16-character Base32 seed, where 2^79 trials on average is infeasible.
- Missing MFA in password reset: an incorrectly implemented password reset flow can let users bypass MFA. If MFA is not enforced in the reset flow, an intruder who knows the compromised password can trigger a reset, set a new password and be logged in without ever completing MFA.
- Blank code bypass: sometimes the verification logic can be bypassed simply by submitting an empty code, which the flawed logic treats as a successful check (for example, a condition that only verifies the code when one is present and otherwise falls through to success).
- Other misconfigurations:
- OTP code leaked in the server response (for example in the reply to the "send code" request).
- Response/status code manipulation (a client that trusts a tampered 200 OK or success flag).
- Bypass by directly accessing the post-MFA endpoint without completing the MFA step.
- Header manipulation: Referer header (for example a value on a trusted subdomain that causes the check to be skipped).
Attacking MFA
Test Cases
- OTP Replay
- Generate an OTP in the authenticator app and use it to log in to the system.
- Log out and try to log in again with the same OTP within its validity window.
- Brute-force OTP
- Using Burp Suite, intercept the request in which the OTP is sent from the client to the server for validation.
- Using Burp's Intruder module, brute-force the OTP code (for a 6-digit code the full space is 000000 to 999999).
- If the brute force gets blocked, try the following bypasses:
- Rotate the User-Agent
- Manipulate the apparent origin IP via headers, e.g.:
- X-Originating-IP: 127.0.0.1
- X-Forwarded-For: 127.0.0.1
- X-Remote-IP: 127.0.0.1
- X-Remote-Addr: 127.0.0.1
- X-Client-IP: 127.0.0.1
- X-Host: 127.0.0.1
- X-Forwarded-Host: 127.0.0.1
- Rotate the session cookie
- Obtain a new cookie by logging out and logging in again.
- Weak seed value: when enrolling in MFA, inspect the seed (shared key) the application generates, for example the secret parameter of the otpauth:// URI encoded in the QR code. A 16-character Base32 secret is 80 bits and a 32-character one is 160 bits; treat anything shorter than that, or a seed that is not randomly generated, as a finding.
- Testing Password Reset Flow:
- Reset the password.
- The user should not land in an authenticated session without completing MFA.
- Misconfiguration Testing
- Intercept the MFA request and submit it with the MFA code removed or left blank.
- Try manipulating the server response (for example changing the status code to 200 OK or a success flag to true) and check whether the client proceeds as if MFA had passed.
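As an added example (my code, not the post's), the following Python simulation puts an OTP verifier with the misconfigurations described earlier (attempt counter keyed on the client-supplied X-Forwarded-For header, blank code accepted, used code never invalidated) next to a hardened one, and runs the brute-force-with-header-rotation loop from the test cases against both. VulnerableVerifier, HardenedVerifier, MAX_ATTEMPTS = 5, the constructed issued code 7342 and the 4-digit code space are assumptions chosen so the demo runs offline in well under a second; real OTPs are usually 6 digits and the same loop applies.

```python
import hmac
from collections import defaultdict

MAX_ATTEMPTS = 5    # lockout threshold assumed for the demo
CODE_DIGITS = 4     # 4-digit codes keep the demo fast; real OTPs are usually 6 digits


class VulnerableVerifier:
    """Mirrors the misconfigurations in the text: the attempt counter is keyed on the
    client-supplied X-Forwarded-For header, a blank code passes, and a used code is
    never invalidated (replay)."""

    def __init__(self, issued_code: str):
        self.code = issued_code
        self.attempts = defaultdict(int)

    def verify(self, user: str, submitted: str, headers: dict) -> str:
        client = headers.get("X-Forwarded-For") or headers["REMOTE_ADDR"]
        if self.attempts[client] >= MAX_ATTEMPTS:
            return "locked"
        self.attempts[client] += 1
        if submitted == "":                    # logic flaw: no code, nothing fails
            return "ok"
        return "ok" if submitted == self.code else "invalid"


class HardenedVerifier:
    """Counter keyed on the normalised account (not on anything the client sends),
    blank input rejected, constant-time comparison, and the code is single-use."""

    def __init__(self, issued_code: str):
        self.code = issued_code
        self.attempts = defaultdict(int)
        self.used = False

    def verify(self, user: str, submitted: str, headers: dict) -> str:
        account = user.strip().lower()        # 'Alice@Example.com' == 'alice@example.com'
        if self.used or self.attempts[account] >= MAX_ATTEMPTS:
            return "locked"
        self.attempts[account] += 1
        if len(submitted) != CODE_DIGITS or not submitted.isdigit():
            return "invalid"
        if hmac.compare_digest(submitted, self.code):
            self.used = True                  # a replay of this code now returns 'locked'
            return "ok"
        return "invalid"


def brute_force(verifier, user: str, max_rotations: int = 10_000):
    """Attacker loop from the test cases: walk the code space and, whenever the server
    answers 'locked', change the spoofed origin header and retry the same code.
    Returns (code, header_rotations) on success or (None, header_rotations) on give-up."""
    headers = {"REMOTE_ADDR": "198.51.100.7", "X-Forwarded-For": "10.0.0.0"}
    rotations, n = 0, 0
    while n < 10 ** CODE_DIGITS:
        guess = f"{n:0{CODE_DIGITS}d}"
        result = verifier.verify(user, guess, headers)
        if result == "ok":
            return guess, rotations
        if result == "locked":
            rotations += 1
            if rotations > max_rotations:
                break
            headers["X-Forwarded-For"] = f"10.0.{rotations // 256}.{rotations % 256}"
            continue
        n += 1
    return None, rotations


if __name__ == "__main__":
    hdr = {"REMOTE_ADDR": "198.51.100.7"}
    vuln, hard = VulnerableVerifier("7342"), HardenedVerifier("7342")
    print("blank code:", vuln.verify("alice", "", hdr), hard.verify("alice", "", hdr))
    print("replay:", vuln.verify("alice", "7342", hdr), vuln.verify("alice", "7342", hdr),
          hard.verify("alice", "7342", hdr), hard.verify("alice", "7342", hdr))
    print("brute force vs vulnerable:", brute_force(VulnerableVerifier("7342"), "alice"))
    print("brute force vs hardened:", brute_force(HardenedVerifier("7342"), "alice", max_rotations=50))
```

Against the vulnerable verifier the attacker recovers the code after 1468 header rotations (five guesses per spoofed address); against the hardened one every rotation still hits the same account counter, so the loop gives up without ever getting past the lockout.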