1. Bypass 2FA, Stealing Private Keys without Social Engineering, and the Introduction to “2FAssassin”
Maxwell Koh, Keith Lee

2. Agenda Getting OTP Getting Private Keys
Client Certificate Authentication
Impersonation
Recommendation

3. So how to bypass 2FA? Obtain “something user has”
Unless you can disable 2FA

4. Classification Time-based Short-lived, unknown expiry e.g., TOTP, HOTP
Key-based
Public key cryptography
e.g., U2F, PKA

5. 2FA: Time vs Key Differences Time-based 2FA Key-based 2FA Time factor
Compulsory
Optional
Impact
Affect both sides
Affect individual
Secret sharing
Sharing same secret
(secret seed)
Never share secret
(private key)
DB security
Required
Not required

6. OTP SMS, Voice Software token Hardware token
e.g., Google Authenticator, Authy, Duo Mobile, etc
Hardware token

7. OTP: Time vs HMAC Differences TOTP HOTP Validity Short-lived Unknown
Moving factor
Time-based
Counter-based
Time Synchronization
Required
Not required
Maintenances
Light
Heavy

8. TOTP
HOTP

9. Get the OTP Brute force OTP Speculating TOTP Capturing OTP
Backup codes
Social engineering
Malware infection
Secret key extraction
Disposable numbers

10. Predicting More applicable to HOTP Chances to get specific OTP
6 digits { – }
Potential formulas ??

11. Brute force OTP More applicable to HOTP Unknown expiry
< 3 invalid OTP attempts
Enhanced by probability analysis

12. Speculating TOTP
Stealing secret key
Time-manipulation attacks

14. Engineering the Arbitrary TOTP
Regardless: label, issuer, any other info

15. Stealing Secret Key
Code leak
Vulnerabilities

16. Codes Leak
3rd party generator (QR)
Decoder (QR)
Insecure storage (QR)

17. Decoder
Hiding QR code
Encoding only
Most are unencrypted

18. Vulnerabilities Vulnerable Software token Time-manipulation attacks
Secret key extraction

19. Vulnerable Software Token
DOM-based XSS: localStorage
Exploits

20. Secret Key Extraction Device: Android (rooted)
file: /data/data/org.fedorahosted.freeotp/shared_prefs/tokens.xml
<map> <string {"algo":"SHA1","type":"TOTP","secret":[68,-62,-15,-121,- 97,110,81,58,-106,- ":0,"digits":6,"period":30} </string> <string name="tokenOrder"> </string> </map>

21. nps3eos2yhmtd5fl2qb7oaosmivg68r4
Time-manipulation Attacks
<secret seed> + <fixed timestamp> = < – >
Secret Key
Local Unix Timestamp
TOTP
Methodology
nps3eos2yhmtd5fl2qb7oaosmivg68r4
394244
Example
Attacker exploits the ntpd daemon to forcefully set the internal clock to , in order to get TOTP (937375)
246524
937375
383285

22. Backup Codes
Similar to HTOP
Eavesdrop
Insecure storage

23. 10 backup codes to bypass 2FA
SAVE YOUR BACKUP CODES
Keep these backup codes somewhere safe but accessible.
1. XXXX XXXX 6. XXXX XXXX
2. XXXX XXXX 7. XXXX XXXX
3. XXXX XXXX 8. XXXX XXXX
4. XXXX XXXX 9. XXXX XXXX
5. XXXX XXXX 10. XXXX XXXX
* You can only use each backup code once.
* Need more? Visit
* These codes were generated on: Sep 6, 2017.

24. OATHTOOL
“YOUR SECRET KEY”
Compile to binary

25. Useful Commands
Search entire hard disk for secret keys
sudo find / -xdev -type f -print0 | xargs -0 grep - H ”oathtool”
Search local directory for secret keys
grep ”oathtool” *

27. Capturing OTP
Social engineering attacks
Eavesdrop on air, LAN, WAN

28. Social Engineering Attacks

29. Disable it
Don’t let them get inside your account

30. Disposable Numbers
No interaction with user
Check their phone# 1st

32. Eavesdropping Air Internet? Capture text messages FM TV-Radio Receiver
No need BGP hijacking
Disposable number sites

33. IMSI-catcher Fake mobile tower Hijacking phone signals < 2G
Block 3G & 4G

34. Hacking SMS-C’s Server
It has all the text messages

35. Using Malware Android.Bankosy Call forward to C&C server
forward OTP to attacker
Also affects voice mail

36. SIM Cloner
1 become 2

37. Key-based Also known as asymmetrical cryptography
Authentication & encryption

38. SSH Key Authentication
Where are the targets?
Cracking passphrases

39. Where ELSE? Certificate 2FA devices Network shares
Contains keys + other info
2FA devices
USB token, smart cards, etc.
Network shares
Allow guess access
Is certificate useless if you can’t crack it???
openssl, keytool

40. Impacts Application FREE software token Single Sign-On (+2FA)
Gmail, WordPress, Outlook, Dropbox, Google Play, etc.
FREE software token
Google Authenticator, Authy, Duo, etc.
Single Sign-On (+2FA)
Software vendor
Become malware distributor
Website owner
Phishing site
Servers
Public key authentication

41. Password-less Nightmare
/etc/sshd_config
PubkeyAuthentication yes AuthorizedKeyFile  .ssh/authorized_keys PasswordAuthentication no ChallengeResponseAuthentication no

42. 2FAssassin No biometrics here, that’s 3FA !!
Currently under active development

43. General
Bash: CVE (Shellshock)
Cryptographic libraries: CVE (Libgcrypt)
OpenSSL related issues: CVE , CVE (Heartbleed)
OpenSSH related issues: CVE
Product Specific
Ceragon FibeAir IP-10 SSH Private Key Exposure: CVE
ExaGrid Known SSH Key and Default Password : CVE
F5 BIG-IP SSH Private Key Exposure: CVE
Loadbalancer.org Enterprise VA SSH Private Key
Array Networks vAPV and vxAG Private Key Privilege Escalation Code Execution
Quantum DXi V1000 SSH Private Key Exposure

44. No Need Exploits Use default / weak configuration Use weak password
Human factors
Malware infection

45. Exercise Look for private keys on the 172.16.173.0/24 network.
Use the looted keys to access more accounts.

46. Topology Screening Basic
Advanced – bypass firewall, adjoining networks, contiguous networks
Web – Shellshock, Heartbleed
VPN, VLAN, Virtual machines
Hidden host / subnet – detect ARP packet
Network shares
Super - scan all, takes times

48. Administration View activity output: ./assassin.py --log all
See what have been looted:
./assassin.py --log loot

49. Client Certificate Authentication

50. File Analysis ./assassin.py --cert analyze --filetype pfx
Search for potential key files
For each file, do a deep dive into file content
./assassin.py --cert analyze --filetype pfx

51. Cracking P12 Certificate
Dictionary Attacks:
./assassin.py --cert crack --mode dic --filetype pfx
Brute Force Attacks:
./assassin.py --cert crack --mode bruteforce --filetype pfx

52. Dissecting Certificate
Extract public / private keys
Remove passphrase
./assassin.py --cert dissect –filetype pfx

54. Bag Attributes
localKeyID:
subject=/CN=2FAssassin
issuer=/CN=2FA Assassin CARoot
-----BEGIN CERTIFICATE----- MIIFJTCCAw2gAwIBAgIQs+fpSfKBhJtJloJn1jCJgjANBgkqhkiG9w0BAQ0FADAeMRwwGgYDVQQDExMyRkEgQXNzYXNzaW4gQ0FSb290MB4XDTE0MDEwM TA3MDAwMFoXDTQwMDEwMTA3MDAwMFowFTETMBEGA1UEAxMKMkZBc3Nhc3NpbjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANvgFW+1 ktHxNEhLW8n4JSC7VJR2mymNv+FbDT/MQRIi45/3AI7xVQkmmgZ+RGW+GjXlryNdaxn/yZgC6t/84wmJjVWwZRTXqZabs6VOkQj4xSL596V3f9tu19hjy+6te hZqO5PVR/A4M4lest43OwhNMoUh3DbFbJf1Av9+2ee5BUoEOHjtLHJvbnJRgdTs76e+JG1eqxDJNDk7EfSc+i+HA/3+c4TaSzHLiWvWaraIca0ISotbR15nJURQ +/7h4fFrs8qK6YaxADBqDXDVW+mYNqUYYgwhrzZlbQ1cKFbgFLqLwIWhgH9KY2JhjKCWMRORV0P1w+BMqjrztf8gR0hq0x/22RrThPloEK3952tmle5QqxpG bM3w80n4OgPgAu+cNA+XT+pLxJw/+Fkn9bjzZ9SYJqPcYDiKcZMOjgK+26mnxWqxH6WD9XqBQT1TlhIfSRA0epFW3Pvh+oPwnjWGWoQNarrTiZdZr9hw62F Uv1Q0L2yHquIotwRC8KgmMSbwBJ9ihsO3cHA//0TG+Jqt9KSEU8sQg50GoSLfpRaSRtnPg79yNX/VUZfMnGFS7/HMkZSlzKS1f3Ugl48GjSTrOPlaMwziTBpslw RLUzIVMRCxoBctWFGNLP59ISMbiE3BU2Od3Y74umXJAcOPgzUlFGrwIV9Ze7Mo+JCQl8YXAgMBAAGjaDBmMBMGA1UdJQQMMAoGCCsGAQUFBwMCM E8GA1UdAQRIMEaAEJN1U3iDFSE4PT2sGVOwrSChIDAeMRwwGgYDVQQDExMyRkEgQXNzYXNzaW4gQ0FSb290ghA8VSMQAnS9pUPC7qocJhR8MA0GCS qGSIb3DQEBDQUAA4ICAQC3M4BzYKzgUop94ZJFLFT/93S7k1csOZPu+nshmp2ivB7lDfaFyuGldEEsWj7y18UmJDpezFsZwfUxRSNf7MfZIMQh0NlxLOU1cQH ZfV6x/iPVX/Tb5AwlKaawq5SmYN6JG5XcYecLQh8fQ8hBd09USnsIbw2jiblfabE3YFU2mNGO0VezGiqf7ZL5lcpcz6MMxyUav4QRsS4RaufboxPDdygRrgN9Tw 7/eSd67gEKy+9mZOBR3F2FzjE4ab+ac5BW3aG8VIxdQnVmjhSZajMiu4LlQPNv+f4yFA0/sWv+kpzYpb0fgI/WQV5mrilO/CdWwyJBMauk7Lt1hNp13/9Bf+3va kU9i5C4P31aC6iiteW7DE1VYTVYINmKqXa/Lo+0awtrnTzWxD4mt2komAhoz7My+4Ja7M3RpLKInAK3eep20tankUy6+oKT0WiWZuKMAO2kvRmJbEBmDw vc+KBG2fltIifOhz2FPPNq0jsQT60F6vWzOdxYN7SjveyFPQczaMViOdvQox7jk67/y1vH3BunMGdFsVkc6/djpFA9SzQ8FNX+QUq1ij9t6OHjIWBC2ah5YnQ1Bo 5SQQ9duiGL8eVmZ+rmY/iu3IUzzTPWhQ1Dc8IcfUI58fZB/B9AeECkYXaBfev3TfsezySWEW+smh7g4qYMZsBycXwWIXshIg==
-----END CERTIFICATE-----

55. Setting up client system
./assassin.py --cert windows --user <username> --secret <password> - -host <client_machine_ip>

56. Arbitrary SSH Key

57. Disable 2FA on SSH File permission /etc/ssh/sshd_config
Turn off public key authentication
PubkeyAuthentication no

58. 2FA-Postmortem Post module Parse meterpreter session to 2FAssassin.
meterpreter > run post/2fassassin/postmortem

59. Impersonating SSL Website
Using looted server certificate
Must get server key
Client side attacks

61. DNS Poisoning
./assassin.py --filetype <file extension> --spoof <phishing site ip> --user <username> --secret <password> --target <target ip> --gateway <dns ip> --mitm <on | off>

62. Signing Malware with looted private key
__ANYTOOL__.exe sign sha1 FE2EE86351FAA7F6B00C98E5C1351D9F80C6711B malware.exe

63. Myth Busting Session Can MiTM attacks get you the private keys?
Can SSLstrip get you the private keys?
Can sniffing SSL traffic get you the private keys?

64. Tunnel
SSH tunneling with looted private key
Red Team

66. Recommendations Protect the secret keys in QR codes
Encryption
Protect private keys
no share, no store, no reuse, no plaintext
Protect DNS server
DNSSEC
Shorten TTL
Clear cache
Note down critical IP address
Use /etc/hosts
Suspect stolen key/certificate
Remove affected key from all accessible system

67. Questions
Tool: