Bypassing 2FA with Modlishka Reverse Proxy

First, head over to https://github.com/drk1wi/Modlishka and give the instructions a good read.

Below is a quick rundown of how this tool can be used to bypass most of the 2FA authentication schemes in use today, including intercepting OTP tokens and hijacking post-authentication user sessions.

Intro:

Modlishka was written with the goal of making that second approach (ethical phishing campaigns) as effective as possible, and to show that current 2FA doesn’t offer much protection against this kind of attack.
This tool should be a real boon to penetration testers who want to launch an effective phishing campaign (as part of their red team engagements and all).

Bypassing 2FA:
* This is a sample setup that runs locally on your own computer.

1. Fetch the tool:

$ go get -u github.com/drk1wi/Modlishka
$ cd $GOPATH/src/github.com/drk1wi/Modlishka/

Set up the 'autocert' plugin. This step is required if you want to serve the page over a browser-trusted TLS channel.

$ openssl genrsa -out MyRootCA.key 2048
$ openssl req -x509 -new -nodes -key MyRootCA.key -sha256 -days 1024 -out MyRootCA.pem

Replace the const CA_CERT variable with the contents of the MyRootCA.pem file, and const CA_CERT_KEY with the contents of MyRootCA.key, in the 'plugin/autocert.go' file.

Install the 'MyRootCA' CA and set it to the right trust level in your browser's certificate store, and you are done.

2. Compile and launch "Modlishka".

$ make
$ sudo ./dist/proxy -config templates/google.com_gsuite.json

Take a look at the web page in your browser.
Modlishka in action against an example 2FA (SMS) enabled authentication scheme.

The following link can be used to view your launched test page. Notice how the 'ident' parameter is hidden from the user after the first request: https://loopback.modlishka.io/?ident=user_tracking_param

Collected credentials, 2FA tokens and all other requests (for all related domains) can be found in the 'log' file or in one of the included plugins (this includes a session impersonation proof of concept, still in beta).

3. Customise your settings.
If you like the tool, you can start adjusting the configuration for your chosen domain. Modlishka can easily be customised through a set of available command line options or JSON configuration files.

Conclusion:

So the question comes to mind: is 2FA broken?
Not at all, but with a proper reverse proxy targeting your domain over an encrypted, browser-trusted communication channel, one could really have serious trouble noticing that something is seriously wrong.

Add to the equation various browser bugs that allow URL bar spoofing, and the issue might be even bigger.
Include a lack of user awareness, and it literally means handing your most valuable assets to your adversaries on a silver plate.
In the end, even the most sophisticated security defence systems can fail if there is not sufficient user awareness, and vice versa for that matter.

Currently, the only way to address this issue from a technical perspective is to rely entirely on 2FA hardware tokens based on the U2F protocol. These can easily be bought online. However, bear in mind that proper user awareness is equally important.
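To show why the hardware-token route holds up where an SMS or OTP code (which the proxy simply relays) does not, here is an added Go simulation of the origin binding in U2F/WebAuthn; it is not part of this post or of Modlishka. The browser records the origin it actually reached and the token's signature covers it, so a login relayed through a proxy origin is rejected whether the proxy forwards that field as-is or rewrites it. The rpID, origins, challenge and the hashed-message layout are simplified, constructed assumptions rather than the exact wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Constructed, simplified model of U2F/WebAuthn client data; the browser, not the page, fills in the origin it reached.
type clientData struct{ Type, Challenge, Origin string }

// Both sides hash the same thing: sha256(sha256(rpID) || sha256(clientData)). Simplified from the real layout.
func msgHash(rpID string, cdBytes []byte) []byte {
	r, c := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdBytes)
	h := sha256.Sum256(append(r[:], c[:]...))
	return h[:]
}

// Authenticator side: the hardware token signs over the rpID and client-data hashes.
func authenticatorSign(priv *ecdsa.PrivateKey, rpID string, cd clientData) ([]byte, []byte, error) {
	cdBytes, _ := json.Marshal(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, msgHash(rpID, cdBytes))
	return cdBytes, sig, err
}

// Relying-party side: origin and challenge must match, and the signature must cover the bytes as received.
func rpVerify(pub *ecdsa.PublicKey, rpID, origin, chal string, cdBytes, sig []byte) bool {
	var cd clientData
	if json.Unmarshal(cdBytes, &cd) != nil || cd.Origin != origin || cd.Challenge != chal {
		return false
	}
	return ecdsa.VerifyASN1(pub, msgHash(rpID, cdBytes), sig)
}

// Simulate: does the RP accept a direct login, one relayed as-is by the proxy, one with the origin field rewritten in transit? (constructed values)
func Simulate() (direct, proxied, rewritten bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rpID, realOrigin, proxyOrigin, chal := "google.com", "https://accounts.google.com", "https://loopback.modlishka.io", "constructed-challenge"
	cd, sig, _ := authenticatorSign(priv, rpID, clientData{"webauthn.get", chal, realOrigin})
	direct = rpVerify(&priv.PublicKey, rpID, realOrigin, chal, cd, sig)
	cd, sig, _ = authenticatorSign(priv, rpID, clientData{"webauthn.get", chal, proxyOrigin})
	proxied = rpVerify(&priv.PublicKey, rpID, realOrigin, chal, cd, sig) // rejected: origin mismatch
	fixed, _ := json.Marshal(clientData{"webauthn.get", chal, realOrigin})
	rewritten = rpVerify(&priv.PublicKey, rpID, realOrigin, chal, fixed, sig) // rejected: signature does not cover it
	return
}
func main() { fmt.Println(Simulate()) } // true false false
```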
