01 Mar, 2024

Exploring Brute-Force Vulnerabilities in 2FA Systems

Brute-forcing 2FA verification:

In outsourcing, ethical hacking, pentesting and network security in general, knowing about this vulnerability is very valuable.

As with passwords, websites must take steps to stop brute-forcing of 2FA verification codes. This is especially important because the code is frequently just a four- or six-digit number; without adequate brute-force protection such a code is easy to guess.

To counter this, some websites automatically log the user out after a certain number of incorrect verification codes. In practice this is ineffective, because an advanced attacker can use Burp Intruder macros to automate the multi-step login process. The same can be accomplished with the Turbo Intruder extension.

Example of exploitation

In this example we will see how a brute-force attack can be used to recover a 2FA code.
First we need to intercept the request that carries the CSRF token.
This would be fine if we only had to send one request, but if we send it over and over again the token becomes invalid, and even with the correct login credentials we will not be able to log in because of the stale token.
So we need to update this parameter dynamically every time we send a request.
To do that we go to Project options > Sessions, create a macro and assign it the rules it will apply.

First we enter an invalid 2FA code to capture the request.

Then we go to Burp Suite > Project options > Sessions

And in Sessions we click <add> button 

Then we click <scope> and add all URLs

Then we go back to <details> and in <Rule Actions> we add a macro

Here we add our login requests so that the macro captures our token

Then we click <test macro> to check whether it works

After testing the macro we see that we have captured a session with the CSRF token

Then we verify that the response contains <label>Please enter your 4-digit security code</label>

If yes, click OK

Then we go to <HTTP history>
and send our <POST> request to Intruder

Then we click <clear all>

and mark only the <mfa-code> parameter as the payload position

Then we go to the Payloads tab and configure the payload:

1. Payload type: <Numbers>
As we know, a 2FA code contains only digits
2. Range: from 0 to 9999
As we know, the code has 4 digits
3. Min and max integer digits: 4; fraction digits: 0 (so that every value is padded to four digits)

Then we click <start attack>
and wait while the brute force runs

We find the request that received a 302 response, right-click it, copy the URL and paste it into our browser

Congratulations, we have the right 2FA code!
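From the defender's side, the walkthrough above leaves a very recognisable trace: many rejected code submissions for one account in a short window, then a 302 that accepts the code. The following detector is an added example, not code from the original post; the log format, the /login2 path and the thresholds are assumptions, and the log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for this example: 10 rejected codes per user in 5 minutes.
WINDOW = timedelta(minutes=5)
THRESHOLD = 10
MFA_PATH = "/login2"   # assumed path of the 2FA verification form

# Assumed log format: "<iso timestamp> <src ip> <user> POST <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) POST (?P<path>\S+) (?P<status>\d{3})$"
)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["status"] = int(ev["status"])
    return ev

def detect(lines):
    """Return (kind, user, ip, ts) alerts.

    'mfa_bruteforce' fires when a user accumulates THRESHOLD rejected codes
    inside WINDOW; 'mfa_bruteforce_success' fires when a 302 (code accepted,
    as in the walkthrough) follows such a burst, i.e. a likely compromise."""
    recent = defaultdict(deque)   # user -> timestamps of rejected codes
    flagged, alerts = set(), []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["path"] != MFA_PATH:
            continue
        q = recent[ev["user"]]
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()               # drop attempts outside the window
        if ev["status"] == 302:       # anything other than 302 is a rejected code
            if ev["user"] in flagged or len(q) >= THRESHOLD:
                alerts.append(("mfa_bruteforce_success", ev["user"], ev["ip"], ev["ts"]))
            continue
        q.append(ev["ts"])
        if len(q) >= THRESHOLD and ev["user"] not in flagged:
            flagged.add(ev["user"])
            alerts.append(("mfa_bruteforce", ev["user"], ev["ip"], ev["ts"]))
    return alerts

# Constructed sample: one genuine typo by 'wiener', then 12 wrong codes for
# 'carlos' from a single source within 12 seconds, ending with an accepted code.
SAMPLE_LOG = ["2024-03-01T10:00:00 198.51.100.5 wiener POST /login2 200"]
SAMPLE_LOG += [f"2024-03-01T10:01:{i:02d} 203.0.113.7 carlos POST /login2 200" for i in range(12)]
SAMPLE_LOG.append("2024-03-01T10:01:12 203.0.113.7 carlos POST /login2 302")
```

Running detect(SAMPLE_LOG) raises one brute-force alert at the tenth rejected code and a second alert when the 302 arrives, while the single failure by the other user stays silent.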

Scanners and tools

Detecting brute-force vulnerabilities in 2FA systems usually requires a combination of tools that can exercise the authentication flow and watch for weak spots that might be exploitable by brute force. The following resources can be used for this purpose:

Manual tools:

1. Burp Suite: Use Intruder to carry out manual and automated brute-force attacks against 2FA input fields, watching how the application reacts to repeated attempts.

2. OWASP ZAP: Use the Fuzzer component to send several requests with different 2FA token parameters.

3. Hydra: A fast network logon cracker that supports a wide range of services. It can be configured to probe 2FA systems for brute-force weaknesses.

4. John the Ripper: Historically a password-cracking tool, it can also be used, in combination with other tools, to test the strength of passwords used in 2FA systems.

Automated Scanning Tools:

1. Nmap with NSE scripts: can detect weak authentication services and, in some cases, run a brute-force vulnerability test.

2. Metasploit Framework: includes modules for automating brute-force attacks against different services, possibly including 2FA-protected ones.

Specialized Brute-Force Testing Tools:

1. Ophcrack: A Windows password cracker based on rainbow tables; it can be used to verify the strength of passwords used in 2FA systems.

2. Aircrack-ng: Although it focuses on Wi-Fi security, Aircrack-ng can illustrate the brute-forcing method; testing the strength of WPA-PSK keys is comparable to testing a second factor.

3. Hashcat: An advanced password recovery tool that can be used to test the strength of hashed passwords, which may be a component of a 2FA system.

CVSS score for two-factor authentication (2FA) systems under brute-force attack

Various factors affect the score of brute-force vulnerabilities in two-factor authentication (2FA) systems under the Common Vulnerability Scoring System (CVSS). These include the attack vector and its complexity, the potential impact, the ease of exploitation, and the conditions necessary for a successful attack.

Brute-force vulnerabilities can generally lead to a range of CVSS scores:

Due to ease of exploitation and the possibility of account compromise, the CVSS score could be High (7.0–8.9) if the 2FA implementation does not include rate limiting or account lockout mechanisms.

The score could be Medium (4.0–6.9) if the 2FA mechanism has some form of rate limiting but it can be circumvented or is not strict enough, so that exploitation takes the attacker longer.

Depending on the specifics of the vulnerability and its impact, the score may be Medium or even Low (0.1–3.9) if the 2FA system has effective rate limiting and account lockout policies but there are still ways to get around these safeguards.

Remember that the score of one vulnerability in a 2FA system may be affected by the existence of another, related brute-force vulnerability. For example, vulnerabilities that would typically receive a lower score can become more serious when a brute-force vulnerability exists, because the likelihood of exploitation increases.

Common Vulnerabilities and Exposures (CVEs) related to brute-force vulnerabilities in two-factor authentication (2FA) systems

1. CVE-2016-4473: This vulnerability allowed remote attackers to bypass authentication in IBM QRadar SIEM by brute-forcing a session token.

2. CVE-2019-12255: A vulnerability that could have enabled brute-force attacks was found in the Siemens SPPA-T3000 Application Server.

3. CVE-2020-10199: A remote attacker may be able to brute-force administrative credentials in Nexus Repository Manager 3 due to insufficient rate-limiting for login attempts.

4. CVE-2018-25032: Due to a flaw in the lockout mechanism of Fortinet FortiOS, attackers were able to brute-force their way into the admin web interface.

5. CVE-2016-2386: An attacker could brute-force user passwords in SAP NetWeaver, including those of users with administrative privileges.

Books and courses to learn more about brute-force vulnerabilities in two-factor authentication


1. “Black Hat Python: Python Programming for Hackers and Pentesters” by Justin Seitz: This book includes practical Python scripts that could potentially be adapted to test brute-force vulnerabilities in 2FA systems.

2. “The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto: Provides extensive information on attacking web applications, including those protected by 2FA.

3. “Hacking Exposed 7: Network Security Secrets and Solutions” by Stuart McClure, Joel Scambray, and George Kurtz: Offers insights into various hacking techniques, including brute-force attacks, which could be applied to 2FA.

4. “Applied Cryptography: Protocols, Algorithms, and Source Code in C” by Bruce Schneier: A foundational text in cryptography that provides the knowledge required to understand the encryption behind 2FA mechanisms.


Penetration Testing and Ethical Hacking by Cybrary: This course covers the skills needed to become a penetration tester, including methods for exploiting various vulnerabilities.

Ethical Hacking: System Hacking by Pluralsight: Teaches the various ways systems can be hacked, including brute-force attacks, and how to protect against them.

Advanced Penetration Testing by Offensive Security: For those looking for advanced training, this course dives deep into exploitation techniques that may include brute-force attacks against 2FA systems.

Web Security and the OWASP Top Ten: While not specifically about 2FA or brute-force attacks, this course provides a solid foundation in web security threats and protection mechanisms.
“Practical Ethical Hacking – The Complete

How to protect against brute-force vulnerabilities in two-factor authentication

1. Rate Limiting: Implement rate limiting on login attempts so that attackers cannot make unlimited authentication attempts. After a certain number of failed attempts, the account should be temporarily locked.

Account Lockout Policies: Establish account lockout mechanisms that lock the account for a period of time after consecutive failed login attempts. The counter must be tied to the account, not to the session, so that starting a fresh login does not reset it.

2. Secondary Channel Verification: Use a secondary communication channel (like an email or phone call) to verify login attempts after a threshold of failed 2FA attempts is reached.

3. Strong 2FA Methods: Prefer app-based or hardware-based 2FA over SMS-based 2FA, as they are less susceptible to interception and brute-force attacks.

4. CAPTCHAs: Integrate CAPTCHAs to distinguish between human users and automated scripts, adding another layer of defense against automated brute-force tools.

5. Device Fingerprinting: Implement device fingerprinting to detect and block login attempts that do not match the user’s typical devices or locations.

6. Monitoring and Alerting: Set up monitoring systems to detect and alert on unusual login attempts or patterns indicative of brute-force attempts.

7. Educate Users: Train users to choose strong, unique passwords and to be alert to potential phishing attempts that could compromise their 2FA credentials.

8. Multi-Factor Authentication Protocols: Use protocols like FIDO2 which provide phishing-resistant multi-factor authentication.

9. Security Updates: Regularly update all systems and software to protect against known vulnerabilities that could be exploited in brute-force attacks.

10. Regular Audits: Conduct security audits and penetration testing to evaluate the effectiveness of current 2FA implementations and to uncover any potential weaknesses.

11. VPN and Firewall Protection: Use VPNs and appropriately configured firewalls to limit access to login systems, reducing the attack surface for brute-force attacks.
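The rate-limiting and lockout items above are the direct answer to the Burp macro trick, which defeats per-session lockout by simply logging in again to obtain a fresh code. The verifier below is an added example, not code from the original post; the limits (three wrong codes, five-minute lockout, one-minute code lifetime) and the in-memory storage are assumptions made for the example.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 3          # wrong codes allowed before lockout (assumption)
LOCKOUT_SECONDS = 300     # temporary account lockout (assumption)
CODE_TTL_SECONDS = 60     # lifetime of an issued code (assumption)

class MfaVerifier:
    """Verifies 4-digit codes with the failure counter tied to the account.

    Issuing a new code (a fresh login) does not reset the counter, so an
    attacker gets at most MAX_ATTEMPTS guesses per lockout period instead
    of MAX_ATTEMPTS guesses per login, which is what the macro relies on."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for testing
        self.codes = {}             # user -> (code, issued_at)
        self.failures = {}          # user -> consecutive wrong codes, across logins
        self.locked_until = {}      # user -> unix time the lockout ends

    def is_locked(self, user):
        return self.locked_until.get(user, 0) > self.clock()

    def issue(self, user):
        """Create a single-use code for the user (sent out of band in a real system)."""
        if self.is_locked(user):
            raise PermissionError("account temporarily locked")
        code = f"{secrets.randbelow(10_000):04d}"   # CSPRNG, zero-padded
        self.codes[user] = (code, self.clock())
        return code

    def verify(self, user, submitted):
        if self.is_locked(user) or user not in self.codes:
            return False
        code, issued_at = self.codes[user]
        if self.clock() - issued_at > CODE_TTL_SECONDS:
            del self.codes[user]                      # expired, a new one must be issued
            return False
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self.codes[user]                      # single use
            self.failures.pop(user, None)
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_ATTEMPTS:
            del self.codes[user]                      # invalidate the live code
            self.failures.pop(user, None)
            self.locked_until[user] = self.clock() + LOCKOUT_SECONDS
        return False
```

With these limits an attacker gets three guesses out of 10,000 per five-minute lockout, and the correct code is rejected while the account is locked; in production the counters and lockouts would live in shared storage rather than a dictionary.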


The key to preventing brute-force attacks on two-factor authentication (2FA) systems is to strike a balance between strong security and usability. Even though 2FA adds a crucial layer of security, determined attackers using brute-force methods can still bypass it. A proactive, layered security approach that combines technical defenses with user awareness is necessary to protect against such vulnerabilities.

User education matters as much as technology. Since users can be the weakest link in the security chain, they should be made aware of the importance of strong, unique passwords and of the risks posed by phishing attacks.

Regular audits and penetration tests are recommended to identify and fix potential vulnerabilities and to make sure defenses keep up with the changing threat landscape. As part of a comprehensive cybersecurity strategy, these practices help defend 2FA systems against brute-force attacks, so that this vital control remains an effective safeguard for user accounts and sensitive data.
