How I bypassed the OTP verification process? Part - 3

Turbo Intruder - The Burp Extension I fell in love with!

Aditya Anand
InfoSec Write-ups


Hi folks, I haven’t been able to write articles properly this past month after I completed the Docker series. For all the people who have started following me recently, I welcome you all. I have been super busy writing super useful scripts to monitor Ubuntu systems and to grab the most minute security details out of millions of lines of logs; you won’t believe me, but I chunked 12GB of logs down to 40Kb by trimming out the normal behaviour of the machine and focusing only on the anomalies. I am proud of it and will shamelessly mention it to all of you.

Well, enough of my ranting; let’s dive into the topic of OTP bypass and why this article is different from the first two that I wrote. You can read my other two articles at the links right below.

  1. How I bypassed the OTP verification process? Part - 1
  2. How I bypassed the OTP verification process? Part - 2

These two articles are a great read. To summarise them: I found a movie booking website that saved the phone number of each user and then messaged an OTP to that mobile, which the user could simply enter to log in to the website.

The flaw that this website had was that there were no checks on the number of attempts a person could make in the OTP field, and the OTP didn’t expire for a long time (I don’t remember the specifics). This allowed me to demonstrate that a brute force attack could be carried out on such a website to bypass the login.

Let’s dig in!

The website where I carried out this attack had the same flaw. Let me explain the entire scenario.

Phase - 1

This is the part where a client approached me. He wanted to test the security of his website: if an attacker knows the credentials of a user, can they launch an attack that bypasses the OTP verification process and log straight in to the website?

Now, to check whether this attack was possible or not, I tried several different approaches; I wanted to try out the brute-force technique at the very end. I was provided with test user credentials to go ahead with the attack.

The first thing I tried was to test how properly they had implemented security in regard to the cookies on the website: their expiration time, the uniqueness of those cookies, whether a cookie is still valid even after the user has logged out of the website, and whether the cookies of a user logged in on one browser can be used to log in on another system. The website stood tall on all these tests and performed the way it should have.

I tried a few different methods as well, but they didn’t work. Those attacks might have worked; it’s just that since joining my job I haven’t properly focused on red teaming and being on the attacker side, and that really shows in moments like these. I am sorry, I won’t sulk anymore; let’s start the second part of the attack.

Phase - 2

Now that I had almost given up, I tried the brute force attack that I had done in the previous OTP verification bypass write-up as my last attempt. If this had failed, I would have reported back to the client that the attack failed and the OTP couldn’t be bypassed by script-kiddie kind of attackers, but that someone more talented than me could maybe find a way to do it.

So, I began with the brute force attack. First I obtained the valid OTP and made a wordlist of 30 numbers with the valid OTP at the very end, just to check whether it was theoretically vulnerable to the brute force attack.

This is the notification the website gives when it has sent the OTP. Now it was time to get cracking with BurpSuite. When I intercepted the traffic, this was the request that popped up, and at the very end was the OTP section.

Now that the 30-word wordlist was ready, I ran a brute-force attack and the OTP bypass worked perfectly, as I wanted it to. Even though the correct OTP was in the 31st place it still worked, but it gave the following output.

I was disheartened: I typed in the OTP and the website kept popping up the same “OTP has expired” message. I went back to the page, logged in again with the same OTP, and it worked!

I was extremely happy. I did this again and again, and the same OTP kept on working. That’s how I realized that the OTP for every account expired only after an entire day; yeah, someone on the development team thought it was a good idea to keep the expiration time of the OTP at an entire day.

With this result, I let my client know that the website is vulnerable to OTP bypass and showed him the theoretical proof of how it can be carried out, but he needed the attack to be done on an actual account, and for me to log in, to show him that it can be done.

Phase - 3

Now starts the fun part, where this article takes a different turn from my previous ones. All the articles that I have written on OTP bypass have been theoretical proofs of concept that the attack can be done if someone actually ran a brute force and had the time to do so.

This time I actually had to crunch through 99,999 numbers to find the one number that was the OTP. The OTP, in this case, was 5 digits long, which did play in my favour as well: compared with a 6 digit OTP, which is the norm, it saved me 9/10th of the computation, and that is huge. One thing that totally played against my luck was that I have the BurpSuite community edition, and brute-forcing through 100 thousand numbers would take me more than a day or even two, which makes it an impossible job if I have to actually prove to my client that it is possible.

It was then that I started figuring out ways to carry out the brute force attack much faster than the snail-paced attack via BurpSuite CE. In the meantime the client was actually working alongside me as well, and he referred me to a video he thought might help.

Turbo Intruder: Abusing HTTP Misfeatures to Accelerate Attacks by James

This is one of the best extensions that I have come across, and it works with the BurpSuite community edition. I ask you all to please have a look at the video linked above, as that will give you a better understanding of the entire attack that I am going to carry out.

To explain in short, Turbo Intruder allows you to pipeline requests to the website and, in addition, borrows features from skipfish, which allows making requests to a website at unimaginable speeds.

Once I had installed the extension in my BurpSuite, I got down to business and wrote a small bash script to print all the possible combinations of numbers into a file. Now it was time to fine-tune Turbo Intruder according to my needs to make it work the best.

Once you have Turbo Intruder installed on your system, you send the request to it the same way you send it to Intruder. After you do that you get to something like the above, where the top half of the screen is the request that you want to brute-force and the lower half is the Python script that actually helps you enhance the rate of your brute-force attack.

Let’s have a look at the image above. In the first half of the image, the value that we need to brute force needs to be represented by “%s”. Now let’s look at the lower half of the image, where the Python script is present. Make sure to enable pipeline=True if you really want to take advantage of the tool. The values of concurrentConnections & requestsPerConnection need to be decided according to the load the server can take, and you may need to fine-tune them depending on the server. The next step is to set the path of the wordlist, and then at the bottom comes the most important part of the fine-tuning process.

Here you need to input the keyword that the script will look for in the response. You can get creative with it and try to find the if statement that best satisfies your needs. Once you have all of these ready, you can start the attack by pressing the button at the very bottom.

This brute force attack is so quick that even though the website could barely handle the traffic, Turbo Intruder got the correct OTP within an hour. What could have been a full day’s job was brought down to less than an hour. I demonstrated the attack to the client and showed how such an attack is very much possible, and easy to carry out as well.

Conclusion

The point to take from this article is that no matter how good the attacker is, you can thwart his efforts if you have decent security in place; you can stop at least 90% to 95% of bad actors by having even basic security policies.

The key points to notice from the blue team perspective are that the website didn’t check the number of times an OTP had been entered, the expiration of the OTP was set to one day, and continuous requests from the same IP were allowed. If these security features had been in place, this attack would not have been possible.
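As an added example (not the author’s code and not the booking site’s), here is a constructed Python OTP verifier that puts those three missing controls in place: a short expiry instead of a full day, a per-OTP attempt counter, per-IP throttling, and single-use OTPs. simulate_bruteforce walks the candidate space the way the post’s wordlist does, to show that the attempt counter stops it; all names and limits are assumptions.

```python
import hmac
import secrets
import time
# Constructed example: limits are illustrative assumptions, not the site's real values.
OTP_TTL_SECONDS = 300        # expire after 5 minutes, not a full day
MAX_ATTEMPTS = 5             # wrong guesses allowed per issued OTP
MAX_REQUESTS_PER_IP = 20     # verify calls allowed per IP per window
WINDOW_SECONDS = 600

class OtpVerifier:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.issued = {}        # user -> [otp, issued_at, attempts_left]
        self.ip_hits = {}       # ip -> timestamps of recent verify calls
    def issue(self, user):
        otp = f"{secrets.randbelow(10**6):06d}"   # 6 digits from a CSPRNG
        self.issued[user] = [otp, self.now(), MAX_ATTEMPTS]
        return otp              # would be sent by SMS, never echoed to the client
    def _ip_allowed(self, ip):
        t = self.now()
        hits = [h for h in self.ip_hits.get(ip, []) if t - h < WINDOW_SECONDS]
        hits.append(t)
        self.ip_hits[ip] = hits
        return len(hits) <= MAX_REQUESTS_PER_IP
    def verify(self, user, candidate, ip):
        if not self._ip_allowed(ip):
            return "throttled"           # same-IP flood is cut off first
        rec = self.issued.get(user)
        if rec is None:
            return "no_otp"
        otp, issued_at, attempts_left = rec
        if self.now() - issued_at > OTP_TTL_SECONDS:
            del self.issued[user]
            return "expired"
        if attempts_left <= 0:
            del self.issued[user]
            return "locked"              # counter exhausted: OTP is burned
        rec[2] -= 1
        if hmac.compare_digest(otp, candidate):
            del self.issued[user]        # single use: cannot log in twice with it
            return "ok"
        return "wrong"

def simulate_bruteforce(verifier, user, ip):
    """Try 000000, 000001, ... until the verifier stops answering 'wrong'."""
    for i in range(10**6):
        result = verifier.verify(user, f"{i:06d}", ip)
        if result != "wrong":
            return result, i + 1         # (outcome, number of calls made)
    return "exhausted", 10**6
```

With the counter in place the walk ends after MAX_ATTEMPTS + 1 calls with the OTP burned, so the one-day-expiry replay the post describes is no longer possible either.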

For the red teamer, the key point is to work with the various extensions of BurpSuite, as these can enhance your skills many-fold, and you don’t need to buy the professional version for it.

If you enjoyed it please do clap & let’s collaborate. Get, Set, Hack!

Website : aditya12anand.com | Donate : paypal.me/aditya12anand
Telegram : https://t.me/aditya12anand
Twitter : twitter.com/aditya12anand
LinkedIn : linkedin.com/in/aditya12anand/
E-mail : aditya12anand@protonmail.com
