It is easy to say that the best way to enhance your security is to add another layer of security in front of your resources, but have you considered what happens when that extra layer gets bypassed?

Today many applications and banks worldwide deploy an OTP (One Time Password) as one security layer to make it harder for an attacker to take control of another user's account. The OTP has a second role as well: it lets the service verify the identity of the user.

The concept of an OTP is simple. It is a password valid for a single use, either alphanumeric or a numeric PIN, delivered to the already verified user in order to authenticate a login. Delivery can be by SMS to the mobile number the user registered, to their e-mail address, or through an authenticator app that was enrolled when the user's identity was established.

OTP is a good way to secure resources, but in today's article we will show how this layer can be bypassed with the help of social engineering. We will use the open source tool KingFish3, which is written in Python and was developed for advanced phishing. Let's see how this is done:

Disclaimer: All the techniques demonstrated here are for educational purposes only. Performing this activity without the consent of the targeted user is illegal.

LAB SETUP

  • We will use 64-bit Kali Linux (2020 release, kernel 5.5.0). To learn how to set up your own lab, click here.
  • ngrok should be installed and configured.

CONFIGURING NGROK

ngrok is a tunnelling tool used for port forwarding and for exposing a local web server to the internet: it relays traffic from a public URL to the local port you choose. We will use it later in the process, when we need to expose the phishing page running on our localhost. To configure ngrok:

  • Download ngrok for Linux from its official site, https://ngrok.com/download.
  • After downloading, change to the download directory with cd <downloaded_path>.
  • Unzip it with unzip ngrok-stable-linux-amd64.zip.
  • After unzipping, type ./ngrok help in the terminal to confirm the binary runs.
  • Then go to www.ngrok.com.
  • Sign up or log in to your account.
  • After signing in, navigate to Authentication -> Your Authtoken.
  • Back in the terminal, type ./ngrok authtoken <YOUR_AUTHTOKEN>. This saves the token in ngrok's configuration file so that the ngrok service can authenticate you and associate the tunnels you create with your account. (Newer ngrok releases use ngrok config add-authtoken <YOUR_AUTHTOKEN> for the same purpose.)

HOW TO EXECUTE THE ATTACK

git clone https://github.com/termux-lab/kingfish3
Cloning into 'kingfish3'...
remote: Enumerating objects: 40, done.
remote: Counting objects: 100% (40/40), done.
remote: Compressing objects: 100% (34/34), done.
remote: Total 118 (delta 8), reused 0 (delta 0), pack-reused 78
Receiving objects: 100% (118/118), 1.40 MiB | 374.00 KiB/s, done.
Resolving deltas: 100% (32/32), done.
  • After the tool has been downloaded, change into its directory by typing cd kingfish3.
  • Type ls to list the contents you cloned from GitHub.
  • Then change into the kingfish3.0 directory by typing cd kingfish3.0.
  • Type ls again to list the contents of this directory.
  • Now run social.py with the command python3 social.py. Make sure Python 3 is installed on your system; to check the installed version, type python3 --version.
  • After you run the command, a console like the one shown below will open.
  • Choose your language as English by typing 1.
  • You are then shown a catalogue of phishing pages the tool can serve. For this demonstration we will show how an OTP can be bypassed.
  • To bypass the OTP for Telegram, choose option 5.
  • Next, it asks for the port on which to start the service on your local web server. If you enter nothing it defaults to port 80; here we will use port 8080 instead.
  • Next, it asks for the URL to which the victim should be redirected after entering the credentials. For simplicity, we will use https://google.com as the redirection URL.
  • A message then appears on your console confirming that the service has started on your localhost with the parameters you gave.
  • Now open a browser on your host (here Kali Linux) and visit localhost:8080. It shows a login page imitating the Telegram web client.
  • At this point the page is reachable only on localhost. To make it reachable from outside, we use ngrok.
  • With the service still running, open another terminal and type ./ngrok help.
  • As described in the help output, forward the service running on port 8080 through ngrok so that it is reachable by anyone on the internet: type ./ngrok http 8080. ngrok prints a public URL that forwards to the same service running on your localhost.
  • You can send this URL to your victim and, using social engineering, persuade the victim to carry out the next steps.
  • When the victim opens the URL on their system, the same page is displayed.
  • When the victim enters their phone number and presses Enter, it is shown in your console, because the tool is listening on port 8080 in the background.
  • The victim is then asked to enter the SMS code. This is a fake page; at this point no OTP has actually been generated.
  • To trigger a real OTP you use the victim's Telegram-associated mobile number, which you have just captured.
  • At the same time, open the official Telegram web client and start a login with the victim's mobile number. Telegram itself sends a genuine OTP to the victim, who assumes it belongs to the login they are completing and does not suspect anything is happening in the background.
  This is the official Telegram web client interface, from which the attacker triggers the login code

  This is where the victim enters the OTP they received
  • When the victim enters the OTP on the page generated by the tool and presses Next, it is shown in your console as the code parameter.
  One Time Password entered by the victim
  Code received by the attacker
  • Enter that verification code into your own session and you are logged in to the victim's Telegram account.

  The same procedure applies to all the other phishing pages included in this tool.

  You can also use a URL shortener such as Bitly or Cuttly, or upgrade your ngrok plan to get a less random-looking domain, to make it harder for the victim to notice that the link is a phishing page.

  CONCLUSION

  As you can see, an OTP can be bypassed. Note that the attack never breaks the OTP itself: the attacker relays a genuine code in real time, so a time-based OTP (TOTP) does not stop it either; it only shrinks the window (typically 30 seconds plus whatever clock skew the server tolerates) in which the relayed code is still accepted. As shown above, it takes the attacker only seconds to hijack your account, and until you take action the attacker can even lock you out of your own account. It is therefore recommended to use multi-factor authentication, and to prefer a factor that is bound to the site's origin, such as a FIDO2/WebAuthn security key or passkey, which a phishing page cannot relay; on Telegram, enabling two-step verification adds a password that is required after the SMS code. The more layers of security you have, the harder an attacker's job becomes; fewer layers or weaker credentials mean your account can be hijacked in the time it takes to make a coffee.
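The relay described in the walkthrough and the point about time-based codes in the conclusion, as an added example that is not part of the original article or of the KingFish3 tool: the script below implements RFC 4226 HOTP and RFC 6238 TOTP (checked against the RFC 4226 test vector) and simulates the attack flow, showing that a code captured on the phishing page is accepted by the real service as long as the attacker forwards it within the validity window, while a simplified origin-bound assertion in the style of WebAuthn is rejected because the victim's browser signs the phishing origin rather than the real one. The seed, device key, timestamps, challenge and origins are constructed for the demonstration, and an HMAC stands in for the public-key signature a real authenticator would produce.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not real credentials or real sites).
SEED = b"12345678901234567890"            # the RFC 4226 test secret
DEVICE_KEY = b"constructed-authenticator-key"
REAL_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-login.example"
STEP = 30        # TOTP time step in seconds (RFC 6238 default)
SKEW = 1         # adjacent steps the server also accepts for clock drift


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(now / step)."""
    return hotp(secret, int(now // step))


def verify_totp(secret: bytes, code: str, now: float,
                step: int = STEP, skew: int = SKEW) -> bool:
    """Server-side check: accept the current step and +/- skew neighbouring steps."""
    base = int(now // step)
    return any(hmac.compare_digest(hotp(secret, base + d), code)
               for d in range(-skew, skew + 1))


def relay_otp_attack(secret: bytes, delay_s: float,
                     t0: float = 1_700_000_000.0) -> bool:
    """The victim reads a genuine code at t0 and types it into the phishing page;
    the attacker submits it to the real service delay_s seconds later.
    Returns True when the real service accepts the relayed code."""
    captured = totp(secret, t0)                 # what the phishing page receives
    return verify_totp(secret, captured, t0 + delay_s)


def sign_assertion(key: bytes, challenge: str, origin: str) -> str:
    """Authenticator side: the browser binds the origin it is actually talking to
    into the signed client data (HMAC stands in for a public-key signature)."""
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


def rp_verify(key: bytes, challenge: str, signature: str, expected_origin: str) -> bool:
    """Relying party: recompute over the challenge it issued and its own origin,
    so a forwarded assertion signed for another origin never matches."""
    expected = sign_assertion(key, challenge, expected_origin)
    return hmac.compare_digest(expected, signature)


def relay_origin_bound_attack(key: bytes, challenge: str = "constructed-challenge") -> bool:
    """Same relay, but the factor is origin-bound: the victim's browser signs the
    phishing origin, so the forwarded assertion fails at the real site."""
    sig = sign_assertion(key, challenge, PHISH_ORIGIN)   # produced on the phishing page
    return rp_verify(key, challenge, sig, REAL_ORIGIN)   # forwarded by the attacker


def legitimate_origin_bound_login(key: bytes, challenge: str = "constructed-challenge") -> bool:
    """Control case: the same assertion made directly on the real origin is accepted."""
    sig = sign_assertion(key, challenge, REAL_ORIGIN)
    return rp_verify(key, challenge, sig, REAL_ORIGIN)


if __name__ == "__main__":
    print("HOTP(counter=0) =", hotp(SEED, 0))             # 755224 per RFC 4226
    for delay in (5, 25, 120):
        print(f"relayed TOTP submitted after {delay:3d}s accepted:",
              relay_otp_attack(SEED, delay))
    print("relayed origin-bound assertion accepted:", relay_origin_bound_attack(DEVICE_KEY))
    print("legitimate origin-bound login accepted:", legitimate_origin_bound_login(DEVICE_KEY))
```

With the constructed timestamp the captured code is still valid when forwarded 5 or 25 seconds later, which is all the attacker in the walkthrough needs, and is only refused once the delay pushes the submission more than one step past the one the victim used. The origin-bound case fails regardless of timing, because the thing being relayed was signed for the wrong site.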