Cleanup and built a barebones command line interface

2018-12-01 20:30:08 -05:00 · 2018-12-01 20:30:08 -05:00 · 5a410e565f
parent a29ae1f57d
commit 5a410e565f
3 changed files with 58 additions and 11 deletions
--- a/README.md
+++ b/README.md
@ -1,6 +1,9 @@
 ## Duo One Time Password Generator

-This is a little script I put together after I reverse engineered the Duo 2FA Mobile App and figured out how their auth flow works. This can be ported into probably a useful desktop app or chrome extention and can probably be used to write bots for MIT Services that require auth.
+This is a little script I put together after I reverse engineered the Duo 2FA 
+Mobile App and figured out how their auth flow works. This can be ported into 
+probably a useful desktop app or chrome extention and can probably be used to 
+write bots for MIT Services that require auth.

 ### Usage

@ -10,18 +13,20 @@ Install stuff,
 pip install -r requirements.txt
 ```

-Just grab the QR Code URL that starts with `duo://` and execute,
+Just grab the QR Code URL and copy the string after value
+
+https://api-XXX.duosecurity.com/frame/qr?value={VALUE}

 ```
-python duo_bypass.py duo://urlhere
+./duo_activate.py {VALUE}
 ```

-### How does this work?
+If everything worked you can then generate a code by running:

-It's pretty simple so I won't explain. The hard part was to read DUO's obfuscated code, because obfuscation makes things so secure.
+```
+./duo_gen.py
+```

-Why didn't I sniff? Because HTTPS and because they apparantly ignore trusted CA's on the Android Device and also the fact that I was too lazy to get a USB cable from my room and also that I didn't want to download a gigabyte of emulator.
+Warning: These are HOTP tokens and generate codes increments a counter.  If you 
+get too far out of sync with the server it will stop accepting your codes.

-When I almost got all of it I realized I could have probably decompiled their Windows app, coz .NET and and coz they didn't obfuscate that. rip me.
-
-Anyway, it's 9 AM and I should sleep.
--- a/duo_activate.py
+++ b/duo_activate.py
@ -1,3 +1,5 @@
+#!/usr/bin/env python2.7
+
 import pyotp
 import requests
 import base64
@ -9,21 +11,37 @@ if len(sys.argv) < 2:
    print "Usage: python duo_bypass.py <url to duo qr>"; exit()

 qr_url = sys.argv[1]
-data = unquote(qr_url.split('=')[1])
+data = qr_url #unquote(qr_url.split('=')[1])

 hostb64 = data.split('-')[1]

+print "hostb64", hostb64
+
 host = base64.b64decode(hostb64 + '='*(-len(hostb64) % 4))
-code = data.split('-')[0].replace('duo://', '')
+code = data.split('-')[0]
+
+print "host", host
+print "code", code

 url = 'https://{host}/push/v2/activation/{code}'.format(host=host, code=code)
 r = requests.post(url)
 response = json.loads(r.text)

+print "url", url
+print "r", r
+print "response", response
 secret = base64.b32encode(response['response']['hotp_secret'])

+print "secret", secret
+
 print "10 Next OneTime Passwords!"
 # Generate 10 Otps!
 hotp = pyotp.HOTP(secret)
 for _ in xrange(10):
    print hotp.at(_)
+
+f = open('duotoken.hotp', 'w')
+f.write(secret + "\n")
+f.write("0")
+f.close()
+
--- a/duo_gen.py
+++ b/duo_gen.py
@ -0,0 +1,24 @@
+#!/usr/bin/env python2.7
+
+import pyotp
+import requests
+import base64
+import json
+import sys
+from urllib2 import unquote
+
+f = open("duotoken.hotp","r+");
+secret = f.readline()[0:-1]
+offset = f.tell()
+count = int(f.readline())
+
+print "secret", secret
+print "count", count
+
+hotp = pyotp.HOTP(secret)
+print "Code:", hotp.at(count)
+
+f.seek(offset)
+f.write(str(count + 1))
+f.close()
+