Blog: Red Teaming

Multi-factor Authentication. Reset MFA you say?

Chris Pritchard 22 Mar 2021

MFA is a no-brainer. It helps mitigate the risk of password re-use, overly simple passwords and more. Just don’t confuse it with 2-step verification…

Anyway, when we’re red teaming, MFA can make things more complicated. So why not social engineer your way around it?

Having worked on a helpdesk earlier in my career, I set about using that experience to get a user’s MFA enrolment switched over to me.

Starting the reset process

We had identified a user who had left the company over a month ago and thought they would make a great target for a password reset via the helpdesk.

We had some useful OSINT on them (their manager’s name, etc.), but not their work phone number.

I rang the helpdesk, explained I was having problems getting into my account, went through some basic checks, and eventually got a password reset. OK, nice.

But MFA is enabled.

Bypassing MFA

I knew from when I worked on a helpdesk that I usually wanted to close the phone lines at exactly 5.30pm! Any calls still going on just before 5.30 I wanted finished as soon as possible so I could go home.

I guessed that the target’s helpdesk closed at 5.30pm.

So, I timed my call to be just before the helpdesk closed: 3 minutes before. Just enough time to get the problem solved quickly, because the operator would probably want to close the phone line.

I ring back after the password reset, explain that the MFA token is going to my old work phone, which I no longer have, and ask how we can solve this.

They ask me to confirm my old number (I don’t know it). So, I pretend to look through my contacts list for my old work number. This eats up time and the clock is getting closer to 5.30…

I think I’m right: the questions start coming thick and fast, they do want to go home! I say I *think* the old work phone number ended in “30”…

Bingo… They ask for the new work number and reset the MFA sign-up process.

I keep them on the phone by saying I want to make sure it worked.

It works. We’re in. We hunt around, gather more credentials, and this gets us further into the estate.

What went wrong?

The “30” was given away by the sign-in process itself. I enter a username and the newly reset password, and it tells me the MFA token has been sent to +44 xxx xxx xxx30.

That shouldn’t be enough information to get an MFA reset!

So, have a think about your reset process. Would it fail this test?

Could someone bypass it with very little info? Have you tested it recently?
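As an added illustration (not code from the original post), here is the kind of check a detection engineer could run over identity-provider audit events and helpdesk ticket records to surface MFA re-enrolments that share the features of this attack: a leaver’s account, a password reset followed shortly by an MFA change, a call completed minutes before the helpdesk closes, and caller verification based only on evidence the sign-in page displays to whoever holds the password. The event shapes, field names and sample records are assumptions constructed for the example.

```python
from datetime import datetime, time, timedelta

# Evidence types that an MFA prompt or sign-in page reveals to anyone with the
# password (e.g. the last two digits of the enrolled phone), so they do not
# prove who is on the phone. Names are assumptions for this example.
DISCLOSED_EVIDENCE = {"phone_last2", "email_masked"}

def risky_mfa_resets(idp_events, tickets, leavers, close_time=time(17, 30),
                     reset_window=timedelta(minutes=30),
                     close_window=timedelta(minutes=10)):
    """Return {user: [reasons]} for MFA re-enrolments that deserve review."""
    findings, last_pw_reset = {}, {}
    for ev in sorted(idp_events, key=lambda e: e["ts"]):
        if ev["action"] == "password_reset":
            last_pw_reset[ev["user"]] = ev["ts"]
            continue
        if ev["action"] != "mfa_reenrol":
            continue
        user, reasons = ev["user"], []
        if user in leavers:
            reasons.append("account belongs to a leaver")
        pw_ts = last_pw_reset.get(user)
        if pw_ts and ev["ts"] - pw_ts <= reset_window:
            reasons.append("password reset then MFA re-enrolment within %d min"
                           % (reset_window.seconds // 60))
        close_dt = datetime.combine(ev["ts"].date(), close_time)
        if timedelta(0) <= close_dt - ev["ts"] <= close_window:
            reasons.append("completed within %d min of helpdesk close"
                           % (close_window.seconds // 60))
        for t in tickets:  # match the helpdesk ticket that drove the change
            if t["user"] == user and abs(t["ts"] - ev["ts"]) <= reset_window:
                if t["evidence"] and set(t["evidence"]) <= DISCLOSED_EVIDENCE:
                    reasons.append("caller verified only with evidence the "
                                   "sign-in page discloses")
        if reasons:
            findings[user] = reasons
    return findings

# Constructed sample data: one reset matching the attack, one routine reset.
IDP_EVENTS = [
    {"ts": datetime(2021, 3, 22, 17, 10), "user": "jsmith", "action": "password_reset"},
    {"ts": datetime(2021, 3, 22, 17, 28), "user": "jsmith", "action": "mfa_reenrol"},
    {"ts": datetime(2021, 3, 22, 10, 5), "user": "alee", "action": "mfa_reenrol"},
]
HELPDESK_TICKETS = [
    {"ts": datetime(2021, 3, 22, 17, 27), "user": "jsmith", "evidence": ["phone_last2"]},
    {"ts": datetime(2021, 3, 22, 10, 0), "user": "alee",
     "evidence": ["manager_callback", "employee_id"]},
]
LEAVERS = {"jsmith"}  # from the joiners/movers/leavers feed, assumed here
```

Running `risky_mfa_resets(IDP_EVENTS, HELPDESK_TICKETS, LEAVERS)` flags only `jsmith`, with all four reasons; `alee`, verified by manager callback and employee ID during the day, produces nothing.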

Advice

Remind your helpdesk team to be even more alert at shift-changeover time. Consider whether you actually stop new inbound calls prior to the shift ending, so that there is time to close out current calls and reduce risk.

If helpdesk operators are overworked, they’re more likely to be susceptible to social engineering. They will rush and there is increased risk of processes being bypassed. Staff your helpdesk appropriately.

Train your helpdesk in social engineering techniques. Get a social engineer to come and teach them the tricks of the trade. They’ll enjoy the experience and be better prepared to stand their ground in the face of an attacker.