OTP Bruteforce 2022

Bruteforcing a 6 digit 2FA for most popular websites in 2022 is a hard challenge, since most security layers are in the field nowadays to prevent a braindead attack such as a BF.
Currently we have:

  • IP rate lock limit;
  • Block of further attempts after X codes submitted to form;
  • After 60 seconds the code expires, so you have to request a new one.

So, how to do that? Could we get this by simply bypassing these security layers? Can we get access again to our social media profile even though our phone is broken and we can’t retrieve a 2FA? That’s it. BF would be a great solution, since a combination made of just numbers is easier to guess than a mixed combination of letters and numbers, which would probably take years to bruteforce. Today I’m trying to make a pentesting tool which attempts a 6 digit crack:

  • Pros: IP rotation, fast response (tests 10 codes/second);
    not perfect since it’s a homemade script, but it opens a window of opportunity to retrieve the correct code;

  • Cons: blocked by AV at runtime because it’s using the Windows API “VirtualAlloc” to run. Defender doesn’t like this.

https://github.com/Reversing26/OTP_Bruteforce Here is where I’ve hosted my repository. Feedback would be appreciated.

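The three controls the post lists (per-IP rate limit, lockout after X wrong codes, 60 second expiry) are what make this kind of guessing impractical; the verifier below is an added defender-side example showing how a server enforces them together, not code from the post or from the linked repository. The limits, user names, IPs and codes are constructed values.

```python
import hmac
import time
from collections import defaultdict

# Constructed policy values mirroring the three controls named in the post.
MAX_ATTEMPTS_PER_CODE = 5      # block further submissions after X wrong codes
CODE_TTL_SECONDS = 60          # code expires; a new one must be requested
IP_LIMIT_PER_MINUTE = 10       # per-source-IP cap on the verify endpoint


class OtpVerifier:
    """Server-side OTP check with attempt lockout, expiry and IP rate limiting."""

    def __init__(self, clock=time.time):
        self.clock = clock                   # injectable for testing
        self.codes = {}                      # user -> [code, issued_at, wrong_attempts]
        self.ip_hits = defaultdict(list)     # ip -> timestamps of recent submissions

    def issue(self, user, code):
        # Issuing a fresh code replaces the old one and resets its attempt counter.
        self.codes[user] = [code, self.clock(), 0]

    def _ip_allowed(self, ip):
        now = self.clock()
        hits = [t for t in self.ip_hits[ip] if now - t < 60]   # sliding 60 s window
        self.ip_hits[ip] = hits
        if len(hits) >= IP_LIMIT_PER_MINUTE:
            return False
        hits.append(now)
        return True

    def verify(self, user, ip, submitted):
        """Return 'ok', 'ip_rate_limited', 'no_code', 'expired', 'locked' or 'wrong'."""
        if not self._ip_allowed(ip):
            return "ip_rate_limited"
        entry = self.codes.get(user)
        if entry is None:
            return "no_code"
        code, issued_at, attempts = entry
        if self.clock() - issued_at > CODE_TTL_SECONDS:
            del self.codes[user]
            return "expired"
        if attempts >= MAX_ATTEMPTS_PER_CODE:
            return "locked"                  # even a correct guess is refused now
        entry[2] = attempts + 1              # count before comparing, so no bypass
        if hmac.compare_digest(code, submitted):   # constant-time comparison
            del self.codes[user]             # single use
            return "ok"
        return "wrong"
```

With 5 attempts per code and a 60 second lifetime, an attacker gets at most 5 guesses out of 1,000,000 before the code is dead, and IP rotation does not help because the lockout is tied to the code, not the source address.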

Only the GitHub page is not found…