Jump to content
Search In
  • More options...
Find results that contain...
Find results in...
Questargon

WEB SECURITY: Modlishka - The tool that can intercept your Google Authenticator 2FA

Recommended Posts

17 minutes ago, Questargon said:

I just came up with an idea on how to explain this vulnerability better:

 

Assume you're connected to a remote machine via Remote Desktop Protocol, VNC, Teamviewer or the like. You enter your credentials and 2FA-Code on this machine and just after you send it all away, the connection gets disconnected and the hacker sitting directly at your remote machine takes over your session with the browser open on that account.

That's a pretty poor way of explaining it because there is no disconnection or such. Everything is transparent to the user. To them it just seems like they are browsing a normal website, and their credentials (including 2FA tokens) are silently being logged in the background.

Link to post
Share on other sites

This is why if you want to stay safe you need to be using the newest 2fa technologies all the time now. First it was switching from sms to an app now its from an app to a physical key. I have a USB key for everything and it's safe from about everything outside of getting stolen. Just don't forget to have a backup in case you loose it so you can recover your accounts and then lock them down again.

Link to post
Share on other sites
Posted (edited) · Original PosterOP
15 hours ago, LAwLz said:

That's a pretty poor way of explaining it because there is no disconnection or such. Everything is transparent to the user. To them it just seems like they are browsing a normal website, and their credentials (including 2FA tokens) are silently being logged in the background.

Okok, my example was not perfect. I was trying to illustrate a similar way of how your login might get compromised.

You're absolutely correct though: With Modlishka there would be no warning when your credentials are being phished.

Edited by Questargon
Removed a text I was unsure about... -_- This is complicated.

CPU Ryzen 5 3600 | MoBo Asus Prime X470-Pro | RAM 16GB Vengance RGB@3600/18 | GPU EVGA GTX 1070 SC Gaming | Case Enthoo Pro M SE
PSU bq! Pure Power 10 500W CM | Cooling Scythe Kabuto 3 & Cryorig QF120, 5x Arctic F14 | Sound SB Z Retail | Storage Samsung 970 EVO 500GB
Display(s) DELL 2001FP, DELL 2407WFP, LG 34UM95 | Keyboard Kinesis Freestyle Edge | Mouse Logitech G900 Chaos Spectrum | OS Windows 10

Link to post
Share on other sites

That's why you use physical hardware keys and not some shitty schemes using a phone. Phone has a much larger attack surface, no direct connection to the website you are authenticating to, and phone messages are interceptable with sufficient funds. FIDO2 and U2F are much better since the attack surface is really small and it has direct connection to the website it's authenticating to. I don't understand websites that offer 2FA but don't have FIDO2/U2F to offer, just some shitty phone apps. It makes it way less secure and denies the security to those who are using(arguably more secure) dumbphones. It's not that hard to implement FIDO2/U2F, just do it, the security of your clients will increase WAY more.

Link to post
Share on other sites
Posted · Original PosterOP

Ok. Another try to explain this:

1) Victim logs in to his remote machine

2) Phisher grabs username, password and 2FA token the victim enters as well as any session UUIDs/tokens in his browser by looking directly on that remote machine without the victim noticing anything.

3) Phisher uses these credentials and UUIDs/tokens that were used in this session to login to the victims' account in his own browser. He can even do this after the 2FA token is no longer valid! (I hope I understood the video the creator posted on github correctly).

 

You can be logged in to your Google Account multiple times without getting any notice, so you don't even see somebody messing around.


CPU Ryzen 5 3600 | MoBo Asus Prime X470-Pro | RAM 16GB Vengance RGB@3600/18 | GPU EVGA GTX 1070 SC Gaming | Case Enthoo Pro M SE
PSU bq! Pure Power 10 500W CM | Cooling Scythe Kabuto 3 & Cryorig QF120, 5x Arctic F14 | Sound SB Z Retail | Storage Samsung 970 EVO 500GB
Display(s) DELL 2001FP, DELL 2407WFP, LG 34UM95 | Keyboard Kinesis Freestyle Edge | Mouse Logitech G900 Chaos Spectrum | OS Windows 10

Link to post
Share on other sites

2When you are saying use hardware 2FA tokens are we talking about products like the U2F/OPT keys or something else? (e.g. the physical RSA SecurID token ) Quite frankly even though I have a U2F key they hardly work with many websites at all so I don't really think that is very viable as a complete alternative.

 

EDIT: Say some other hardware OTP tokens I don't know enough about them to have a full opinion but would that really mitigate this vulnerability based on what I read with in the article I am still not clear if they would.

Edited by FratStar
research

Spoiler

Cpu: Ryzen 9 3900X – Motherboard: Gigabyte X570 Aorus Pro Wifi  – RAM: 4 x 16 GB G. Skill Trident Z @ 3200mhz- GPU: ASUS  Strix Geforce GTX 1080ti– Case: Phankteks Enthoo Pro M – Storage: 500GB Samsung 960 Evo, 1TB Intel 800p, Samsung 850 Evo 500GB & WD Blue 1 TB PSU: EVGA 1000P2– Display(s): ASUS PB238Q, AOC 4k, Korean 1440p 144hz Monitor - Cooling: NH-U12S, 2 gentle typhoons and 3 noiseblocker eloops – Keyboard: Corsair K95 Platinum RGB Mouse: G502 Rgb & G Pro Wireless– Sound: Logitech z623 & AKG K240

Link to post
Share on other sites
On 1/14/2019 at 7:18 AM, RejZoR said:

I guess I'll have to write a basic security guide on how to safeguard yourself in general.

I wrote one too. They dont get paid attention to like more clickbaity things.

Link to post
Share on other sites
On 1/14/2019 at 10:27 AM, Questargon said:

The new client will also appear in the list of authenticated clients on his google account page, but who verifies this really?

Me actually -.- i check all my sessions in Google, authy and the like.


                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´

Link to post
Share on other sites
1 hour ago, RorzNZ said:

Great news for me I don’t use anything with two-factor authentication.

 

How is that great news? You're more exposed by default lol

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


×