.png)
11 months ago
42 BOOK THIS SPACE FOR AD
ARTICLE ADI failed big in this one and I failed forward. Sharing my experience through this article.
Before starting the brute force for OTP I checked whether there is any rate-limiting intervention or not. And there wasn’t.
I also checked for the OTP entering limit: I entered the OTP 15 times and there weren’t any limitations to it. I did so by entering the wrong OTP 14 times and entering the correct one on the 15th attempt and the request was successful. This made me think that there was no OTP entering limit. But boy was I wrong!
Let me recount the story from the beginning.
I had a requirement to brute force a 6-digit OTP but I couldn’t do it in a straightforward manner.
This request had to have a checksum attached to it. The checksum was derived from a checksum logic.
Let me illustrate the concept with artificial POCs.
In the above request, changing the “otp” and sending the request leads to a checksum error. This means that the checksum is derived from the OTP. Also changing the “ref” and “a1” values leads to a checksum error (shown in the response). This meant that the checksum is derived from all the values.
So, this means, before brute forcing, we first need to find the checksum logic and the hashing algorithm in use, that is to say, we need to find how exactly the above values are made to go through which hashing algorithm to get the above-shown checksum.
Essentially, in order for us to bruteforce this request, we’re going to need two things: 6 digit OTP wordlist and a corresponding checksum (derived from the checksum logic).
The mission for now is to get the checksum logic.
The first step in such a scenario is to check which hashing algorithm is in use.
Take the above checksum and analyze it using publicly available tools. Use multiple hash analyzing tools or websites to be sure.
https://www.dcode.fr/hash-identifier
It seems like SHA-384 is in use.
Now, we go about finding the checksum logic. We do that by entering the above request values (and other values, if required) in an SHA-384 hash generator and getting the above-shown checksum. If you are very lucky, you might find the checksum logic to be very weak (no other values used apart from the one in the request, arrangement of the values in a sequential manner etc.)
In this case, the checksum logic is just the values present in the request ordered in a sequential manner. We get to know that by the hash value (checksum) match.
After acquiring the logic, it’s now time to initiate the brute force, but now comes a new hurdle.
We need to enter the checksum along with the OTP. For the checksum part, we need to generate a SHA384 checksum (derived from the checksum logic) for every OTP.
That means we need to brute force the below two values in sequence:
000000 with the checksum of check23000000
000001 with the checksum of check23000001
000002 with the checksum of check23000002
000003 with the checksum of check23000003
…
That also means that I need to generate a wordlist of the checksum logic ranging from check23000000 to check23999999
Basically, I needed to write — — 10 ^ 6 (1 and 6 zeroes) — — a 1000000 (a million) entries of the checksum logic.
Enter Python.
Generating a wordlist of logics manually would have taken me weeks if not days. I needed to automate the process through scripting.
Just a little background: For a while, I’ve been reading the book Automate the Boring Stuff with Python by Al Sweigart. Because of this, I was able to understand the syntax of Python. I recommend this book to anyone who wants to start up with scripting/programming without getting overwhelmed.
Now, I needed a script to generate the checksum logic wordlist for me. I took the help of ChatGPT for this. And after personalizing the code, below was the script I had: (script.py)
To the unwitting, copy-pasting the below code in the text editor and saving it with the extension of .py will create a Python script file for you.
logic_string = "CHECK23000000"with open("output.txt","w") as file:
for i in range(1000000):
code = str(i).zfill(6)
new_string = logic_string.replace("000000", code)
file.write(new_string + "\n")
The above code basically, takes the 000000 part of the defined string (logic_string), replaces it with values ranging from 000000 to 999999 and outputs the values onto the file ouput.txt
To run this script, I opened the terminal in the Python directory. (Enter cmd in the path)
Enter the command: python.exe <file-path>
You can just drag and drop the file to the terminal to get the path.
Because of the above script, in about two seconds, the checksum logic wordlist was ready.
output.txt is the file created by the Python script.
For the 6-digit OTP wordlist, I used the danielmiessler’s repo.
Now, having both the wordlists at our disposal, we can initiate the brute forcing with Intruder. The Attack type to be set is Pitchfork since we need to iterate through both the wordlists simultaneously. Payload set 1 is going to be the 6-digit wordlist. Payload set 2 is going to be the checksum logic wordlist (Note that, loading the 14MB wordlist might take a while). Now remember that we need to enter the SHA384 hash as a checksum, not the checksum logic itself. So we’re going to run the Payload set 2 through the Payload Processor for converting the checksum logic to a hash value.
Once all the configurations are done. Start the attack.
See, how different OTP has different checksum to it.
Upon this brute-forcing reaching the correct OTP, I was expecting a successful response (I was performing the A-B testing). But to my dismay, I did not. There was indeed an OTP limit and it was somewhere between the 20th and 50th attempts, as I was still getting a successful response after the 20th but not before the 50th attempt.
It’s quite strange that so many attempts were allowed but still, the odds were strongly against a successful brute force attempt as I had only about 50 attempts to guess the correct one out of a million OTPs.
This was a grand failure for me but it was fun. The highlight of the episode was the Python script creating the wordlist in seconds. Really cherished that moment.
Thank you for reading!!!
Bengali (Bangladesh) · 
English (United States) ·