2FAssassin – Bypass Two-Factor-Authentication

Password security protection is not enough anymore regardless of the complexity and length of the one you are using. recent attacks and password leakage demonstrate that relying on the single factor authentication is not enough to protect your online presence. Normally Two-factor authentication extra security may help to resolve this issue while If you are looking to run a security test of 2FA you can check 2FAssassin.

2FAssassin is a tool that will help in exploiting certain misconfiguration or vulnerabilities on remote system to extract private keys from memory. attack scenario will start by enumerating the network for exposed vulnerabilities:

  • SSH-based Attacks to get private keys
  • HeartBleed Attacks to get private keys:
  • Ceragon FibeAir IP-10 SSH Private Key Exposure: CVE-2015-0936
  • ExaGrid Known SSH Key and Default Password : CVE-2016-1560
  • F5 BIG-IP SSH Private Key Exposure: CVE-2012-1493
  • Loadbalancer.org Enterprise VA SSH Private Key
  • Array Networks vAPV and vxAG Private Key Privilege Escalation Code Execution
  • Quantum DXi V1000 SSH Private Key Exposure
  • Check & disable Two-Factor Authentication
2FAssassin - Bypass Two-Factor-Authentication

2FAssassin – Bypass Two-Factor-Authentication

Once the scanner will identify the vulnerable system it will start to run exploitation and extract the exposed private keys. If you want to reduce the possible exploitation of 2FA attack it will be important to apply security update as they are released by the vendor and follow the configuration security best practices to avoid making private keys exposed.

You can read more and download this tool over here: https://github.com/maxwellkoh/