Burp Suite User Forum

Lab: 2FA bypass using a brute-force attack

Roman | Last updated: Jun 11, 2020 06:39PM UTC

I have been working on this one for a while. Outside the corporate network and working from home, I have found the responses came back very slowly compared to some other similar labs I have run. Therefore, when I ran my solution, I always ran out of time before I could find the right answer (a 302) coming back. My solution to that problem was to open up 10 Burp Suite instances on my laptop and run each Intruder against a different range. I did this because the cookie jar was causing issues for attacks running at the same time, so I needed to have a unique cookie jar per Intruder thread. Unfortunately, after running this attack several times and hitting a 302, I found the code tested on the request when the 302 was received was not the right code to solve the lab. I tried a whole bunch of other codes on other Intruders falling around the same time frame, just in case the wires got crossed somehow. None of them worked either. Mystified, I finally gave in and looked at your solution. This turned out to be exactly my original solution without the 10 Intruders, which won't work for me in my current slow network environment. I was wondering if there was any way to disable the session time-out or lengthen it enough to get me to test the entire keyspace. I guess until then, I will keep trying the single Intruder until I get lucky enough to get a 302 in random rather than sequential mode. Thanks, Roman

Ben, PortSwigger Agent | Last updated: Jun 12, 2020 09:09AM UTC

Hi Roman, Thank you for your feedback. We did not encounter this when we were testing this lab but we have had several people mention that the lab is causing them issues due to the reasons that you have highlighted. In view of this, we have changed the lab slightly so that the solution is not in the higher range of numbers. Are you able to try the lab again today to see if it improves the situation for you?

Luis | Last updated: Jul 22, 2020 03:53PM UTC

Hi PortSwigger, What range should we be scanning? Thanks!

Ben, PortSwigger Agent | Last updated: Jul 22, 2020 06:35PM UTC

Hi, You should still try the range 0-9999 as detailed in the lab instructions but, as mentioned in the above message, the 2FA value will not be in the higher range of numbers. This should mean users will find the answer before they encounter any potential lab timeout issues.
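The weakness this lab exercises is a four-digit second-factor code that can be guessed as many times as the session allows, which is why the thread walks 0-9999. As a defender-side illustration added here (example code, not the lab's or PortSwigger's), the verifier below caps wrong guesses per pending login and a sequential-guess simulation shows the cap stopping the walk; the three-attempt policy, the class and the function names are assumptions.

```python
import hmac
import secrets

CODE_DIGITS = 4     # the lab's mfa-code is a four-digit value, 0000-9999
MAX_ATTEMPTS = 3    # assumed policy: three wrong codes invalidate the pending login


class MfaVerifier:
    """Second-factor check for pending logins (constructed example, not the lab's code)."""

    def __init__(self, max_attempts=MAX_ATTEMPTS):
        self.max_attempts = max_attempts
        self.pending = {}  # session id -> [expected code, failed attempts so far]

    def issue(self, session_id):
        """Generate a fresh code for this login session and reset its attempt counter."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self.pending[session_id] = [code, 0]
        return code

    def verify(self, session_id, submitted):
        """Return 'ok', 'wrong', 'locked' or 'no_pending_code'."""
        state = self.pending.get(session_id)
        if state is None:
            return "no_pending_code"
        code, failures = state
        if hmac.compare_digest(code, submitted):
            del self.pending[session_id]  # a code is single-use
            return "ok"
        state[1] = failures + 1
        if state[1] >= self.max_attempts:
            del self.pending[session_id]  # code is dead; the user must log in again
            return "locked"
        return "wrong"


def guess_survival_probability(max_attempts, digits=CODE_DIGITS):
    """Chance a guesser gets through when allowed max_attempts tries per issued code."""
    return min(1.0, max_attempts / 10 ** digits)


def simulate_sequential_guessing(verifier, session_id):
    """Walk 0000 upward, as the Intruder runs in this thread do, until the verifier
    answers anything other than 'wrong'. Returns (outcome, requests sent)."""
    for i in range(10 ** CODE_DIGITS):
        outcome = verifier.verify(session_id, str(i).zfill(CODE_DIGITS))
        if outcome != "wrong":
            return outcome, i + 1
    return "exhausted", 10 ** CODE_DIGITS
```

With the cap in place a guesser who walks the keyspace is stopped on the third request, whereas without it the walk reaches the code (0315 in one poster's run) on request 316.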

Luis | Last updated: Jul 23, 2020 03:52PM UTC

It worked, thanks!

MBZ | Last updated: Aug 02, 2020 03:01PM UTC

It's not working for me. I've tried two times to no avail.

Ben, PortSwigger Agent | Last updated: Aug 03, 2020 08:19AM UTC

Hi, Are you able to provide us with some details of the issues that you are encountering whilst trying to solve this lab so that we can assist you?

Luca | Last updated: Aug 20, 2020 09:10PM UTC

Getting "session expired" after about 4470 attempts starting from 0000, and no solution found. Expert is ok... uselessly frustrating is not.

Ben, PortSwigger Agent | Last updated: Aug 21, 2020 07:16AM UTC

Hi, What range of numbers do you get up to when performing the attack? As noted earlier in the thread, we changed the lab so that the solution would always occur in the lower range of numbers to make it slightly less frustrating for users.

Luca | Last updated: Aug 21, 2020 11:14AM UTC

As I said, from 0000 up. It worked in the end after 4 attempts. Thanks.

shubham | Last updated: Sep 02, 2020 05:02AM UTC

How to do this with Turbo Intruder? Because I have tried so many times and my session expired after 300-400 requests!

shubham | Last updated: Sep 02, 2020 05:04AM UTC

How to do this with Turbo Intruder? Because I have tried so many times and my session expires after 300-400 requests!

Uthman, PortSwigger Agent | Last updated: Sep 02, 2020 02:07PM UTC

You may find the code in this thread helpful:
- https://forum.portswigger.net/thread/lab-2fa-bypass-using-a-brute-force-attack-714dab1f
Alternatively, you can try writing your own script. There are helpful generalized examples in the GitHub repo:
- https://github.com/PortSwigger/turbo-intruder/tree/master/resources/examples

Motasem | Last updated: Oct 03, 2020 08:55AM UTC

Hi, I have tried many times but it doesn't work. The lab session expires after reaching 1600 requests, starting from 0 to 9999! Would you please confirm if it's still working in the lower range? Thank you.

Motasem | Last updated: Oct 03, 2020 11:35AM UTC

Finally!! After the 7th try :) The code: 0315

Deep | Last updated: Nov 14, 2020 11:40AM UTC

Hello. I'm trying to solve the 2FA bypass using a brute-force attack lab, but after sending the first request I get:

HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8
Set-Cookie: session=EusRA8AnKybVaw5Md6cluwhZIH6gCFAG; Path=/; Secure; HttpOnly; SameSite=None
Connection: close
Content-Length: 60

"Invalid CSRF token (session does not contain a CSRF token)"

I don't know if I'm doing something wrong or this is a lab issue.

Deep | Last updated: Nov 15, 2020 09:14AM UTC

Hello again. I tried for like 30 times and I get the same error. It would be great if someone could help me with this, please.

Ben, PortSwigger Agent | Last updated: Nov 16, 2020 09:48AM UTC

Hi, One of our users, Michael Sommer, has produced some YouTube videos detailing the solutions for most of our labs. You might find it easier to follow along with these, rather than our text solution. The video for this lab is below: https://www.youtube.com/watch?v=B6JuMb3M-KA

Deep | Last updated: Nov 16, 2020 02:31PM UTC

Well, I saw that video, but this is a lab issue. Now I'm sure I'm doing the steps correctly, and I also tried to make a Python script for it, but I get "invalid CSRF" after the first request I send; the response code is 400.

Deep | Last updated: Nov 16, 2020 03:16PM UTC

Do I need to set the range 0-9999 every time I get a 400 error?

Ben, PortSwigger Agent | Last updated: Nov 17, 2020 08:51AM UTC

Hi, To clarify, what step of the solution are you having issues with and what steps have you taken so far?

Deep | Last updated: Nov 17, 2020 05:55PM UTC

OK, so first I log in with the carlos creds and try a random number for the mfa-code, like 1234. After I get kicked out, I select these 3 requests: GET /login, POST /login, GET /login2, and I create a session handling rule in Project options with the Macro Recorder. Then I send the POST /login2 request in Repeater with 1 thread. At first I got a 400 error with my first request, but now after 200 attempts I get a 400 error and I have to repeat the whole set of steps again.

Ben, PortSwigger Agent | Last updated: Nov 18, 2020 08:58AM UTC

Hi, If you are getting 400 statuses returned straight away then that would suggest something is not quite right in the requests that you are trying to send via Intruder. It might be easier to troubleshoot this if you can send us some screenshots of your Intruder configuration (and your macro) to support@portswigger.net so that we can take a look for you.

Deep | Last updated: Nov 18, 2020 10:15AM UTC

Hello, yes sure, I can do that, and thank you so much.

Stefan | Last updated: Jan 05, 2021 02:09AM UTC

Can you perhaps be more specific regarding the adjusted range of numbers? Is the token guaranteed to be in the range 0-5000 or something? My session keeps timing out like many others. Furthermore, if we know the range is reduced to 0-5000, is there any way we can optimize / make the search faster? My session is timing out before 5000. Thanks.

BaaL | Last updated: Jan 05, 2021 04:52PM UTC

Hi silver.io, I don't know if the token is guaranteed to be in the 0-5000 range or not, but my token was 1979. My trick is to keep it in a small number range using Turbo Intruder, like 0-3000, before the 504 status code kicks in. This is my Turbo code:

    def queueRequests(target, wordlists):
        engine = RequestEngine(endpoint=target.endpoint,
                               concurrentConnections=5,
                               engine=Engine.BURP  # Use Burp's network stack, including upstream proxies etc
                               )

        # Queue every code as a zero-padded four-digit string: 0000, 0001, ...
        for i in range(0, 5000):
            engine.queue(target.req, str(i).rjust(4, '0'))

        #for word in open('/usr/share/dict/words'):
        #    engine.queue(target.req, word.rstrip())


    def handleResponse(req, interesting):
        # A 302 is the successful login; a 504 means the lab session has timed out
        if '302' in req.response:
            table.add(req)
        elif '504' in req.response:
            table.add(req)

Tip: Remember to add Extender in Scope to enable macros for Turbo. It's disabled by default.

Ben, PortSwigger Agent | Last updated: Jan 06, 2021 08:40AM UTC

Hi, I believe that the token should now be generated somewhere in the 0000-3000 range in order to make the lab easier to manage.

Ariel | Last updated: Jan 17, 2021 03:01PM UTC

I can't reach 3000 requests; I get status code 504 after 2700 requests. I have tried 4 times already.

Ariel | Last updated: Jan 17, 2021 05:15PM UTC

Hi, after 5 times I got a 302, but if I right click on "show response in browser" it doesn't log in to the account.

Ariel | Last updated: Jan 17, 2021 05:20PM UTC

I did not click "request in browser". I tried it in two browsers, Chromium and Firefox.

Ben, PortSwigger Agent | Last updated: Jan 18, 2021 07:14PM UTC

Hi, Once you have a request that has received a 302 response you then need to right click the request and select 'Show response in browser'. Once this has loaded in your browser you then need to click the 'My account' link in order to successfully solve the lab. We mentioned this earlier in this forum thread but one of our users has produced a series of videos providing walkthroughs of most of our labs - are you able to check the following video to make sure that you are matching the steps used: https://www.youtube.com/watch?v=B6JuMb3M-KA

Ariel | Last updated: Jan 20, 2021 10:52AM UTC

Hi, I saw this video and many others before I commented, and I followed the steps. It still doesn't give My account when I right click the request and select 'Show response in browser'.

Ben, PortSwigger Agent | Last updated: Jan 20, 2021 11:37AM UTC

Hi, If you are still having issues with this it might be easier to send us an email at support@portswigger.net with some screenshots of what you are seeing when you try and solve the lab. We can then take a look and see if we can help you further. I ran through this lab yesterday and was able to solve it using the solution provided so it is functioning and the solution is still accurate.

??? | Last updated: Jan 28, 2021 07:45AM UTC

Hi, I got a 302 response, but it doesn't log in to the account when I choose "show response in browser" and open it in the browser. I have encountered this situation more than 3 times. Please help me!

Ben, PortSwigger Agent | Last updated: Jan 28, 2021 08:21AM UTC

Hi, Have you viewed the following video solution to make sure that you are completing all of the requisite steps: https://www.youtube.com/watch?v=B6JuMb3M-KA If so, send us an email at support@portswigger.net with some screenshots of what you see when you attempt this lab and we may be able to assist you further.

Alberto | Last updated: Mar 03, 2021 03:29PM UTC

Hi, I tried to solve this problem on my own and I got so close to the solution. My only problem is I don't understand why I must use just 1 thread. I did everything like the solution except for going with 1 thread. Is there any reason for that? Going with more than 1 thread always gives me an error, even using your solution. Is it probably due to the fact that if so many CSRF tokens are found, when the request is completed the site thinks that the previous one is no longer valid? Ty and have a nice day, Alberto

Ben, PortSwigger Agent | Last updated: Mar 05, 2021 09:14AM UTC

Hi Alberto, Your summary sounds about right. You will need to stick to running the attack with a single thread or you are likely to hit some issues.

Wijnands, | Last updated: Apr 22, 2021 11:52AM UTC

Hi Ben, The video as mentioned by you seems no longer available on Youtube because it seems to be 'a violation of their community guidelines'. https://www.youtube.com/watch?v=B6JuMb3M-KA Thanks, Marielle

Ben, PortSwigger Agent | Last updated: Apr 22, 2021 01:52PM UTC

Hi Marielle, Thank you for letting us know. Are you experiencing any issues with this particular lab?

Wijnands, | Last updated: Apr 23, 2021 07:28AM UTC

Hi Ben, I managed to solve the lab but only after looking at the solution steps and with the adjusted range. Had to retry it multiple times as well. I still do not understand how the macro sort of 'magically' knows that it needs to adjust the csrf token and cookie without me telling it that those are changing parameters as well. Anyway, maybe later I will get it :) Cheers, Marielle

Viren | Last updated: Sep 13, 2021 05:23PM UTC

I guess I was lucky that it ended up being 0789 :D on the 1st try. Thank you for making the 2FA auth code available quicker.

Shreenivas | Last updated: Jan 06, 2023 05:36PM UTC

Hello, I am not able to solve this lab with either only intruder or turbo intruder. When I get the MFA code or 302 redirect, I right click and Request in browser -> in current session. When I copy and go to browser it shows Invalid CSRF token. Not sure what is the issue.

Ben, PortSwigger Agent | Last updated: Jan 09, 2023 08:05AM UTC

Hi Shreenivas, Are you able to provide us with some more details of the steps that you are taking to try and solve the lab so that we have a better idea of what you are doing (if it is easier, please feel free to provide us with some screenshots - you can send these via email at support@portswigger.net)?

Shreenivas | Last updated: Jan 09, 2023 04:55PM UTC

I sent the email.

Ben, PortSwigger Agent | Last updated: Jan 10, 2023 08:50AM UTC

Thanks Shreenivas - we will respond via the email in due course.

Jacek | Last updated: Mar 18, 2024 12:10PM UTC

Might be a little late, but I do seem to be having problems with how fast Burp Suite tries out the different combinations for brute-force related labs, not just this one. For this one, when doing it through Burp Suite via macros, it is extremely slow, so I wrote a custom script to try out the different combinations in Node.js and it's going much faster now (about 20 attempts/5 seconds), but it's still quite slow. I'm still going to run it a couple of times, so I'm sure it will eventually work, but the probability given the speed is quite bad, especially since the code will reset every x. I don't think it's an issue with my network; are my rough attempts of 20 attempts/5 seconds about average speeds?

Jacek | Last updated: Mar 18, 2024 12:16PM UTC

13 minutes for 3000 attempts!

Jacek | Last updated: Mar 18, 2024 01:08PM UTC

Did eventually solve it - a few times before, my program actually errored because I didn't set the redirect handlers to work correctly, but I finally got a 302, copied the session and injected it into my browser, and now I am carlos!