Let's talk about MFA. It's good, it's useful, but what's your process for resetting it? The reason I ask:
Did some telephone social engineering last week. We had a user who had left the company over a month ago, and we thought they'd be a great target.
1/
We had some useful OSINT info, bosses name etc.
So I rang the helpdesk, explained I was having problems getting into my account, went through some (basic) checks, and got a password reset. Ok, nice. But MFA is enabled.....
2/
How to bypass MFA?........ I guessed that the helpdesk closed at 5.30pm.
I knew from when I worked on a helpdesk, I wanted to close the phone lines at exactly 5.30pm! And any calls going on just before 5.30, I wanted finished as soon as possible so I could go home.
3/
So I timed my call to be just before the helpdesk closed, 3 minutes before. Just enough time to get the problem solved, and quickly because they'll want to close the phone line (hopefully, it's a guess).
4/
I ring back, explain the MFA token is going to my old work phone which I no longer have, and ask how we solve this?
They ask me to confirm my old number. (I don't know it). So I pretend to look through my contacts list for my work number. This eats up time.......
5/
I think I'm right, as the questions come thick and fast; they do want to go home! I say I *think* the old work phone number ended in "30".......
Bingo.....they ask for the new work number and reset the MFA sign-up process.
6/
I keep them on the phone by saying I want to test it.
I do, it works. We're in. We hunt around, get more creds, this gets us further in the estate.
7/
What went wrong?
The "30" was given away by the sign-in process. I enter a username, a password, and it tells me the MFA token has been sent to +44 xxx xxx xxx30
That shouldn't be enough to get an MFA reset!
8/
So, have a think about your reset process. Would it fail this test?
Could someone bypass it with very little info? Have you tested it recently?
CC: @ZephrFish
EoF/
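As an added illustration (not part of the thread, and not anything the author's client ran), here is a small Python policy check that a helpdesk tool could apply before re-enrolling MFA. It encodes the two failures the thread describes: a leaver's account never gets a reset, and anything the sign-in prompt hands to a caller who already has the password (the last digits of the masked phone number) counts for nothing as verification. The evidence types, their strengths, and the sample account and phone number are assumptions made for this example.

```python
from dataclasses import dataclass
from enum import Enum


class Strength(Enum):
    PUBLIC = 0  # obtainable from OSINT or shown by the sign-in flow itself
    WEAK = 1    # a plausible impersonator could find or guess it
    STRONG = 2  # confirmed out of band, independently of the caller


# Evidence types and their strengths. These assignments are assumptions
# made for this example, not a standard and not the original poster's policy.
EVIDENCE_STRENGTH = {
    "manager_name": Strength.PUBLIC,           # "bosses name etc." came from OSINT
    "phone_last_digits": Strength.PUBLIC,      # displayed by the masked MFA prompt
    "employee_id": Strength.WEAK,
    "manager_callback_confirms": Strength.STRONG,  # helpdesk rings the manager on a directory number
    "video_id_check": Strength.STRONG,
}


def mask_number(number: str, visible: int = 2) -> str:
    """Mask a number the way the prompt in the thread did: keep the
    country code and the last `visible` digits, hide the rest."""
    digits = number.replace(" ", "")
    country, rest = digits[:3], digits[3:]
    return f"{country} {'x' * (len(rest) - visible)}{rest[-visible:]}"


def leaked_by_prompt(number: str, claimed_suffix: str, visible: int = 2) -> bool:
    """True when the digits a caller 'remembers' are exactly the ones the
    sign-in prompt already reveals, so the claim has no verification value."""
    revealed = number.replace(" ", "")[-visible:]
    return len(claimed_suffix) <= visible and revealed.endswith(claimed_suffix)


@dataclass
class Account:
    username: str
    enrolled_phone: str
    active: bool  # False once HR offboards the user


@dataclass
class ResetRequest:
    account: Account
    evidence: dict[str, str]  # evidence type -> what the caller supplied


def evaluate_reset(req: ResetRequest, required_strong: int = 1) -> tuple[bool, list[str]]:
    """Decide whether the helpdesk may re-enrol MFA. Returns (allowed, reasons)."""
    reasons: list[str] = []
    if not req.account.active:
        reasons.append("account is offboarded: refuse and escalate, never reset")
        return False, reasons

    strong: list[str] = []
    for kind, value in req.evidence.items():
        strength = EVIDENCE_STRENGTH.get(kind, Strength.PUBLIC)  # unknown kinds count for nothing
        if kind == "phone_last_digits" and leaked_by_prompt(req.account.enrolled_phone, value):
            reasons.append(f"{kind}={value!r} is shown by the sign-in prompt, ignored")
            continue
        if strength is Strength.STRONG:
            strong.append(kind)
        else:
            reasons.append(f"{kind} is {strength.name}, not sufficient on its own")
    if len(strong) < required_strong:
        reasons.append(f"need {required_strong} out-of-band check(s), have {len(strong)}: deny")
        return False, reasons
    reasons.append(f"verified via {', '.join(strong)}: allow")
    return True, reasons


# Constructed sample account; +44 7700 9000xx is a UK number range reserved for fiction.
SAMPLE_PHONE = "+44 7700 900030"


def thread_scenario() -> tuple[bool, list[str]]:
    """The call from the thread: a leaver, the boss's name, and '30' read off the prompt."""
    acct = Account("j.doe", SAMPLE_PHONE, active=False)
    return evaluate_reset(ResetRequest(acct, {"manager_name": "A. Manager", "phone_last_digits": "30"}))


def still_active_scenario() -> tuple[bool, list[str]]:
    """Same evidence, but HR has not yet disabled the account: still denied."""
    acct = Account("j.doe", SAMPLE_PHONE, active=True)
    return evaluate_reset(ResetRequest(acct, {"manager_name": "A. Manager", "phone_last_digits": "30"}))


def legitimate_scenario() -> tuple[bool, list[str]]:
    """A genuine user whose manager confirmed the request on a callback."""
    acct = Account("j.doe", SAMPLE_PHONE, active=True)
    return evaluate_reset(ResetRequest(acct, {"phone_last_digits": "30",
                                              "manager_callback_confirms": "confirmed on directory number"}))


if __name__ == "__main__":
    for name, run in [("thread", thread_scenario), ("active", still_active_scenario), ("legit", legitimate_scenario)]:
        allowed, why = run()
        print(name, "ALLOW" if allowed else "DENY", "|", "; ".join(why))
```

The design point is that `leaked_by_prompt` makes the policy explicit about what the login page itself discloses, so a helpdesk script cannot accidentally treat that disclosure as a secret; the offboarding check runs first because no amount of caller evidence should reactivate a leaver.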