How Hackers Bypass Two-Factor Authentication (2FA)?!
Вставка
- Опубліковано 23 лют 2024
- // Membership //
Want to learn all about cyber-security and become an ethical hacker? Join this channel now to gain access into exclusive ethical hacking videos by clicking this link: / @loiliangyang
// Courses //
Full Ethical Hacking Course: www.udemy.com/course/full-web...
Full Web Ethical Hacking Course: www.udemy.com/course/full-web...
Full Mobile Hacking Course: www.udemy.com/course/full-mob...
// Books //
Kali Linux Hacking: amzn.to/3IUXaJv
Linux Basics for Hackers: amzn.to/3EzRPV6
The Ultimate Kali Linux Book: amzn.to/3m7cutD
// Social Links //
Website: www.loiliangyang.com
Facebook: / loiliangyang
Instagram: / loiliangyang
LinkedIn: / loiliangyang
// Disclaimer //
Hacking without permission is illegal. This channel is strictly educational for learning about cyber-security in the areas of ethical hacking and penetration testing so that we can protect ourselves against the real hackers. - Наука та технологія
What side are you on as Metaspyclub divides the wealthy from the poor?
i just got my twitter back thanks to metaspyclub
if you need assistance just look up metaspyclub
i got back my Gmail thanks to metaspyclub
Wait, what is happening?
so at the end it was actually a sql injection
Exactly
Which is kind of an amateur move.
@@patwhocares7009”amateur” but effective, like keyloggers
@@patwhocares7009 exaclty cuz his channel is sh*t it just teaches some nonsense stuff for beginners additionally it won’t benefit anyone
Yeah, if we can execute this level of injection then, the company is a lost cause 😂, its always thing with WAF
This is a great example of how a vulnerable website can be compromised even when security controls are implemented. Interpreting query based information is a prominent skill, especially in a database that store large sets of data. 👏
security controls where not implemented. Sqlinjection is a very known issue.
I hate Security Control ob websites blocking Security Control for more malware Protection
It would be very unusual these days to find a front end application directly executing SQL against the back end database without going through some kind of API that abstracts and limits. This might have worked 15 years ago . .
Essentially this has little to do with 2FA authentication and everything to do with hacking into a database.
100% agree, it is misleading.
Exactly what ever any of these hacker channels showing is all bullshit it might of worked 15 years ago like you said but not today and if this stuff was true do you really think UA-cam would let him post it I don’t think so 😂 not how this people can think that other people are so stupid is beyond me
I’m new into this field working on my certs and things and I appreciate y’all’s feedbacks on videos like these !
Some do have deprecated technology.😊
@@admiral44Enforce two step and put uBlock origin on every clients machine
nice video for children, man! really appreciated!
but first, IRL on production u usually won't get so verbose 5xx errors (if devops/developers are not too crazy ofc to open bugs for end user :-))) so your SQLi will be "blind SQLi", LOL! ;-)
second, more and more systems nowdays use "prepared statements" for SQL, reliably isolate query itself from query parameters, which gives backend's code immunity to SQLi, sad (for hackers) but true.
How can you store sensitive data without encrypted? As a backend developer, this doesn't make any sense.
First, this is a lab and it is meant to be vulnerable. Secondly, most of the time you cannot encrypt the database itself, as this typically causes data corruption. You can store encrypted strings though and pass the encrypted strings with secure protocols (which is the safest bet). Even if it was a ciphered string, you can use tools like rainbow tables or john or even google-fu to decipher weak passwords like "password". The whole point of this is to show an example of a vulnerability. It is possible that an inexperienced developer, or recent update, broke encryption or stored the plain-text values. There are even more complicated versions of attacks but this is a good understanding of the basics of what a cyber security specialist looks for. Often times the puzzle is much more complicated and you really need to know your stuff in order to fully test something.
It’s funny to see how some people over think and over complicate what hackers are actually doing
Always ready for your video
Video Suggestions:
1. Video About wireshark And wifite
2. Video on how to hack any pdf's password with "rockyou" wordlist
3. Make a video about anonymity with kali "whoami"
4. A video on how to dual boot Kali Linux
5. A video a on BYOB Botnet
6. Full tutorial about Burpsuite
Are u just consistently pressing send in burp suite or a value then send?
very well from your good and nice techings Mr. loi can you tell we is there a way to download from payment websites without any paying thanks
Hi, Mr. Hackerloi! I am one of your UA-cam writings and I come to help your video and are very good. Congratulations to the stather. Have one of your video with the title: How Hackers Hack With An Image Trojan? I tested on my computer with your class cripto did not give enough to cost me a crypt base and how to set up
Look who raised him. I'm not surprised he's stuck like Chuck 😂😂
Very cool. Thanks.😁😁😁
thx for sharing information
if you have access to DB why you don't just turn off 2fa on the user account?
In my opinion, it will be suspicious for user, cause he previously has a protection and now It`s just disappear
Because the goal is to be as inconspicuous and effective as possible. Removing a gate entirely would raise red flags and call attention to the intrusion.
Because he can only read the database, not modify it.. I think
Amazing one 🥰
Excelent police work and freedom you gave. That boy looks genuinely sorry and regrets what he did
This is probably outdated as most platforms now are using like separate app.
For example in FB/Messenger if I have login credentials to lets say my brother FB account, but I am trying to log in from my PC/Phone, he will have to confirm on his device.
So eve if he has to put some PIN/QR it will only be possible from his device.
My bank is using similar approach. If I try to log in from any other device< i will get pop up on my phone where I have to confirm and allow new device to connect.
Can we see safe folders image after remote access by Kali Linux pls pls reply sir
Does this affect the use of hard tokens from a USB device and/or Yubikey etc? Are these stored in the same DB as well? I always thought hard tokens were the safer way to go instead of a google authenticator. Always enjoy and appreciate the videos!
It depends on what do you mean by "hard tokens". Specifically speaking of Yubikeys, it supports multiple type of authentication methods, so storing TOTP accounts on Yubikey is not that much different from Google Authenticator or any application authenticator, you would just have a physical presence of your 6-digit codes with Yubikey. But since Yubikey's storage is write-only, you can't see your secrets in plain form after it is imported to Yubikey, so you just see the 6-digit codes that the secret is corresponding to, which naturally makes Yubikey safer.
However, Yubikeys also provides a hardware-based OTP (HOTP), so in that scenario, the server just "validates" the token generated by the Yubikey (instead of checking the same 6-digit value that the same secret stored in DB corresponding to, as in TOTP) which it makes the one of the most secure authentication methods as of today. Unfortunately, not all websites which supports 2FA allows registering a security key (or passwordless sign-in), they sometimes support TOTP as the only 2FA option as in the example website shown in this video.
Also, even hardware authenticators are used, when the server's database is exposed once, it might be a risk still because since the database basically contains your user data, even if hacker couldn't sign in your account they can still access your leaked info without signing in, so I believe it doesn't even matter much anyway which 2FA method you choose in that scenario like this. Not saying that hardware authenticators doesn't change anything, they are obviously always more secure than other options!
And since most-popular websites are protected enough to prevent easy attacks like SQL injection, getting full access to the database is very less likely in today (it probably would work in ancient websites like in 10+ years ago), so don't be confused by this video. Even with a time-based tokens (TOTP), you are usually still safer than having no 2FA, it is just not that super-safe when compared to hardware-based tokens.
Hope this is helpful!
They work exactly the same way in case you use TOTP. You just store the shared key on the hardware instead of the phone.
Thank you so much Master
Por favor, adicione faixa de áudio nos seus vídeos. Vai ajudar muito a gente entender melhor.
Well, a replay attack can be used to login without password or 2FA as well.
I'm just interested in the py to extract the key from the QR code
I don't understand why the double )) in the union payload @5:54 ?
What if the valve is stored in the server's cache?
Dude how many camera you have?
Can make another video about android RAT because most of the old so they don't work
any promo code for your courses ? :)
thank you sensai
Learnings from this video:
1. How to bypass 2fa
2. hacker loi is very handsome
Thank you Mr. Hacker Loi.
And boom Harker loi...
Yo, you doing some crazy work ngl ☝️🔥
no
@@peterparker175 cry more bruv
Some of y'all haven't even watched the video but already liking it
Bc we know it's going to be quality content.
Freedom, funny how that works.
@Hello_-_-_-_ and indeed, it was great
@@abdou.the.heretic true talk
yes, you can like it, and after watching you can decide to keep it or revoke it. some ads and autoplay feature will navigate you elsewhere on video end, so it is a best practice to like earlier.
who would design a backend like that ? sounds like high school project to me :-)
The video is all over the place
Sir pls next video on how to find and bypass admin panel of any website.
YOU CAN ONLY DO THAT FOR A WEBSITE WITH HTTP NOT HTTPS
damn i will be using this sometime
So to bypass 2fa you'd need a sql injection? That's not a 2fa bypass sir, that's just a misleading title. It's already game over when you can extract arbitrary data from the database.
Please make a video with how a hacker bypass my 2FA provided by my Yubikey. :) Thanks!
They do not need your Yubikey if they can get the TOTP key stored on it from the server.
@@valkaielod I don't talk about a TOTP code provided by Yubikey. I talk about 2FA provided by hardware key Yubikey itself (aka they need my key to plug in to their USB port and touch the key). How can they bypass this?
@@aburilusbroadcast That is FIDO2. They can't bypass it unless there is a vulnerability in the chip and they have access to it. Or they exploit the web application.
@@aburilusbroadcast It seems like YT ate my comment. Bypassing the FIDO2 auth used in that scenario is not trivial at all. You either need a vulnerability in the chip YK uses or compromising the server side.
To setup 2FA, first you need to have the password? if you already have the hackerwhateverpassword, the account is already compromised?
The first part of video was an example of how 2FA generally works. Qr code image gives us a secret token that we can use to bypass 2FA, then in the video shows that with SQL injection we get this token from the database
Hacking is not in it self not illegal, only when you do it in the wrong way. like destory stuff.
Please say more on /etc/apt/sources.list Unable to locate package Not even to update kali Linux download nothing in here seems working
wow got here 31min after posted
Actually, most TOTP implementations give you a few seconds leeway
That’s happening because the developer didn’t use an orm.
Can we do it for Gmail.
Question:-
Is it possible to brute force the 6 digit authentication code with graphic cards or with anything else in Cybersecurity ?
@@yt_brij Proxies exists
usually the passcodes refresh and change every minute
yes you can but they expire after like 1 minute
This has nothing to do with 2FA, this is just sql injection. If the company is boneheaded enough to store sensitive information undirectly without hashing it you can query everything including yes 2FA. Enterprise setups are not as easy as this.
Helo sir I also want to learn programming and can u plz teach me plz sir I beg u.
Mind-blowing
no
@@peterparker175 well I don't know about you. But it is to me
what is a good countermeasure besides fixing vulnerabilities? Store TOTP in another DB or encrypt it?
Simple, do not send sql info and do not trust input from a user always sanitize so even if, for some reason, they tried sql injection, it will fail. This is amateur stuff when you know nothing about programming and just started. And this is just clickbait.
Your search parameter is vulnerable =) In other cases, you will bypass my socks :D Yeah, this is an example, sure. :)
hello can you help me skip the website
Newsflash: If you can access the database there is very little reason to even bother accessing the website frontend.
Hello, I'm seeking assistance with a matter of significance to me. I recently added an external hardware component to my motherboard known as a DMA (Direct Memory Access). In the device manager, it is listed as such. However, it is crucial for me to conceal and present it as a different device to appear legitimate. Specifically, I aim to mask it from the system.
I'm in need of a firmware solution that can spoof this DMA card, essentially hiding it by integrating it into the firmware to mimic a standard PC component. The objective is to make the DMA indistinguishable from other regular hardware components Furthermore, I am looking for a firmware tailored uniquely for my use, ensuring exclusivity. Unfortunately, I lack experience in this domain, making comprehensive assistance invaluable to me.
In this example, you had the password and email, and the 2fa wasn't needed, you set up the 2fa after you had access to the account? Im confused.
😂
Because the whole video is about bypassing 2fa through extracting the token key
just strip and report with xss
I can't login my Facebook account due to , 2factor automatic app . Can you help me 😭
Your voice reminds me of the Yakuza missions from GTA III!
It was just a joke, no hacking me! 😅
First thing you learn is never trust user input and never ever show the query (maybe in debug mode when you are the only one that can see it, but never ever in production) . What kind of losers programmed this and what idiots approved it for production? These are mistakes i did when i first started 25 years ago as a rookie.
how can this work on modern systems?
This will not work unitl a 0day is found
It'll never work.
This works on ubisoft?
When you explain you assume we know some of the stuff …. You should explain like we never heard of it ……
Hay I been watching you video all of them I just finished all your videos I love them great tips how do you bypass a text verification code if your number is candle when you switch providers because I can't get into my one app account without having my old phone number which I don't have
Are you ready to get this situation solved right away ???…. I have an expert for it..😅
I was also in similar situation but the same expert helped me out… He is *Tischler tech*
This guy helped me get mine back. I never believed this could be possible but thanks a lot to him.. *Tischler tech* dedication and might in doing this looks unreal but it works🎉..
*Tischler tech* is a cyber security expert. Only him can look into this situation and get it back…
He has over 9k followers???.
has anyone ever tried to hack loi liang yang?
Can you help me bypass my own 2FA for Facebook? I lost google authenticator when I had my mobile phone stolen.
Are you ready to get this situation solved right away ???…. I have an expert for it..😅
I was also in similar situation but the same expert helped me out… He is *Tischler tech*
*Tischler tech* is a cyber security expert. Only him can look into this situation and get it back.
He has over 9k followers???.
I wanna bypass my outlook email 2FA any suggestions?
Won't work this security is set to LOW
All passwords in a database should be encrypted...
Title: Union based SQL Injection 😂
You're just making clickbait at this point, aren't you? Like websites with 2FA would have database vulnerabilities.
No encryptions, no email validations, no input validation, even my little boy can hack it
Cool
and thats why u have to encode important info on your database all the time
how to hack any bluetooth devices or speakers ?
i got nothing here...i just watched
Dude is a legend. Like vid or be hack3d
Why is there a massive microphone
don't worry guyz it won't work on gmail😉
Why
@@elite_camper SQL injection exploits database vulnerabilities by inserting malicious SQL code; Gmail's 2FA, a user authentication method, operates independently of database interaction, rendering SQL injection ineffective.😭
Assword123
@@elite_camper You don't know why? Really you don't know?
@@elite_camper SQL injection exploits database vulnerabilities by inserting malicious SQL code; Gmail's 2FA, a user authentication method, operates independently of database interaction, rendering SQL injection ineffective.😭
Bro please 🥲 next video make with social media 2 factor authentication bypass please 😢😭
Are you ready to get this situation solved right away ???…. I have an expert for it..😅
I was also in similar situation but the same expert helped me out… He is *Tischler tech*
*Tischler tech* is a cyber security expert. Only him can look into this situation and get it back.
He has over 9k followers???.
Just SQL inject? 😅
Bhai ye back hod hai gad uuu
I want to revoke the admin access in windows. And have a seperate profile where there is no business for admin. Help me find the how to guide
Use this💀
This guy thinks the codes exist in a db... All of this completely false. It's calculated, that's inherent to the security protocol that it be related to absolute time as a concept. You won't get anywhere near it, especially trying to pretend it's in a db. Not great for your hacker mojo.
I'm coming for you Hacker Loi
muhahahaha i will use this
4:28 Then you're into pretense? OK, I'm done with this video!
but here i am
Shit like this doesn't work these days lol any reputable website this wont work on. Maybe 10 years ago
Promo SM 🌈
How to break iphone lock 🔐🔒😅
Use hardware keys. Problem solved.
Guys who have a solution to recovery a gmail password account , i need to make my gmail account back , if someone know how pls let me know , and thank you
Please remove two factor in my Facebook account please 😢
I was also in similar situation but the same expert helped me out… He is *Tischler tech*
*Tischler tech* is a cyber security expert. Only him can look into this situation and get it back..
Certified *Tischler tech* cyber security expert is the best 😊
He has over 9k followers???.
👍👍👍👍👍👍👍👍👍👍👍👍
This guy is not a person it's CPu
Yo can you hack into my Gmail? I forgot the password and I literally can't get into it lmao 😅