3/18/2024
Duo mobile app a proxy

Often times while performing penetration tests it may be helpful to connect to a system via the Remote Desktop Protocol (RDP). I typically use rdesktop or xfreerdp to connect to a host once I have obtained credentials to do all sorts of things such as use Active Directory Users and Computers or SQL Management Studio. One of the roadblocks I have run into is that my client is protecting access to RDP on Windows with Duo. This can be a real pain, especially when port 3389 is the only port open on the jump box that I need to be able to pivot to another network. Last time this happened I found an article by Alex Lomas on Pen Test Partners which detailed the methods that you can use to bypass this. These attack methods are valid assuming that the target had configured their Duo implementation to "fail open". This is actually very common, as it is the default setting.

If a system has Duo 2FA configured to fail closed and they lose internet connectivity or have issues with DNS, they get completely locked out of their workstations/servers. This is not acceptable for all but a few organizations and thus fail open is the most common choice.

There are two ways that I will demonstrate how to bypass this:

Assumption: You can gain a shell on the system.
Assumption: You cannot access the system.
Assumption: You have control over the DNS server of a system.

Gain a shell with the method of your choice. I typically use CrackMapExec + Metasploit or wmiexec.py but there are many choices out there. Once you are on the target via a method that does not require 2FA, run the command: ipconfig /displaydns

I will typically pipe this to a file in case it is really big and I need to parse it. The contents need to be reviewed to locate the Duo API DNS entry. Each unique Duo install will have a different API endpoint that it speaks to. If for some reason there is nothing in the DNS cache, it may be required to trigger an authentication request. If this must be done, avoid using an account that you know is enrolled with Duo as this may send a push message, text message, or email to their phone.

An alternative to this is finding a Duo.txt log file which will list the API endpoint. It can typically be found in C:\ProgramData\Duo Security\duo.txt

The next step is to edit the hosts file on the system. Go ahead and back up the original hosts file. After doing that, modify the current hosts file. This can be done simply by appending a single entry that maps the Duo API endpoint to localhost. At this point you should now be able to RDP into the system with just a username and password if Duo is set to fail open.

If you do not have administrator credentials or SMB/WMI/etc. is not available, you can deny access to the Duo API with a Man-in-the-middle (MITM) attack.
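As a defensive check for the hosts-file tampering described above (an added example, not code from the original post or from Duo), the script below parses a Windows hosts file and flags any entry that statically pins a Duo API hostname, noting whether the address is non-routable (loopback, unspecified, private, link-local). It assumes Duo API endpoints are names under duosecurity.com; the sample hosts content is constructed.

```python
import ipaddress
import re

# Constructed sample hosts file (not from the original post). It holds a
# normal entry and the kind of entry the post describes: a Duo API name
# pinned to loopback so the credential provider can never reach Duo.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        fileserver.corp.example
127.0.0.1       api-aaaaaaaa.duosecurity.com
::1             api-aaaaaaaa.duosecurity.com   # trailing comment
"""

# Assumption: Duo API endpoints are hosts of the form api-<id>.duosecurity.com.
DUO_API_RE = re.compile(r"^api-[0-9a-z]+\.duosecurity\.com$", re.IGNORECASE)


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip inline and full-line comments
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:  # one address may carry several hostnames
            yield addr, name


def is_non_routable(addr):
    """True if addr can never reach a public Duo endpoint (loopback, private, etc.)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed address; still reported by the caller
    return ip.is_loopback or ip.is_unspecified or ip.is_private or ip.is_link_local


def find_duo_overrides(text):
    """Return [(address, hostname, non_routable)] for every hosts entry naming a Duo API host.

    Any static hosts entry for a Duo API name is suspicious, since those names
    should only ever be resolved through DNS; non_routable marks the sinkhole case.
    """
    return [(addr, name, is_non_routable(addr))
            for addr, name in parse_hosts(text) if DUO_API_RE.match(name)]


if __name__ == "__main__":
    for addr, name, sinkholed in find_duo_overrides(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {addr} (non-routable={sinkholed})")
```

Run it against the contents of C:\Windows\System32\drivers\etc\hosts on each Duo-protected host; an empty result is the expected state.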