How Hackers Bypass Two-Factor Authentication (2FA)?!
Vložit
- čas přidán 23. 02. 2024
- // Membership //
Want to learn all about cyber-security and become an ethical hacker? Join this channel now to gain access into exclusive ethical hacking videos by clicking this link: / @loiliangyang
// Courses //
Full Ethical Hacking Course: www.udemy.com/course/full-web...
Full Web Ethical Hacking Course: www.udemy.com/course/full-web...
Full Mobile Hacking Course: www.udemy.com/course/full-mob...
// Books //
Kali Linux Hacking: amzn.to/3IUXaJv
Linux Basics for Hackers: amzn.to/3EzRPV6
The Ultimate Kali Linux Book: amzn.to/3m7cutD
// Social Links //
Website: www.loiliangyang.com
Facebook: / loiliangyang
Instagram: / loiliangyang
LinkedIn: / loiliangyang
// Disclaimer //
Hacking without permission is illegal. This channel is strictly educational for learning about cyber-security in the areas of ethical hacking and penetration testing so that we can protect ourselves against the real hackers. - Věda a technologie
Hey ppl, I'm a retired computer/IT person, Yet I still find Adrian Ruthnik so informative and straight forward. Thanks for your advise and helping the people...........Great work and love watching.
Y’all should stop calling everything “the bare minimum” when it’s literally not. Respect is the bare minimum, actually going out of your way to comfort and have an open ear for someone isn’t. Doing something like this is truly very nice and a great thing of him to do. I hope shit gets better for you and I salute Adrian Ruthnik for being mature when it’s needed!
I'm a Maldives born and living in UK and I cannot express enough how much I despise these scumbags. Literally whenever people ask me my nationality I just tell them I'm British because idiots like these give us a horrendous reputation, not to also mention they scam other Europeans too. It warms my heart to see stuff like this, please Adrian Ruthnik keep up the great work destroying these scammers!!!
Everyone should have a dedicated person like you Adrian Ruthnik .
Congratulations, Adrian Ruthnik I am relieved that you are out there fighting these thugs, We musttake every precaution to protect the elderly and the general public from these despicable con artists. Congratulations to You!! You deserve the Nobel Peace Prize for ensuring our security.
The efficiency of this Adrian Ruthnik is next level. To juggle walk throughs of various angles on the topic delivered to-camera, differnet content per topic from various folks underneath the umbrella of the track list of the larger big band concert itself is engaging and refined. To make a dense taccess like this so digestible is really something. Awesome work jack!!
My account also got hacked and I followed the method as explained in this video but I'm unable to proceed after recording the selfie video. Thank you Adrian Ruthnik . I'm really happy seeing his name everywhere in the comment. It really says a lot about his good work.
We need more immeasurably wise and compassionate humans like you on this planet. Thank you for sharing Adrian Ruthnik , Jon. I bet I'm not alone when I say this video found me at the perfect moment, and there are a lot of things here that I needed to hear right now.
Account of mine also got hacked and I followed the method as explained in this video but I'm unable to proceed after recording the selfie video. Thank you Adrian Ruthnik. It brings me immense joy to witness his name appearing frequently in comments, a clear indication of the commendable work he’s been doing.
It just kept glitching on me when I tried this video tutorial so firstly I would say thank you for the video and secondly, thank you Adrian Ruthnik meeting you was a blessing in disguise keep up with the good work I'm sure a lot of people will be needing your assistance iin the nearest future after seeing this
Having someone like you who’s not only a great innovator but also pulls his best to get the work done so beautifully needs nothing but appreciation. Adrian Ruthnik Thanks for the well off work you consistently bring your all and I truly appreciate that. Thank you for making corporate life so smooth. Proud to have you on our team. Great work as always.
What side are you on as Metaspyclub divides the wealthy from the poor?
i just got my twitter back thanks to metaspyclub
if you need assistance just look up metaspyclub
i got back my Gmail thanks to metaspyclub
Wait, what is happening?
Thank you, Adrian Ruthnik for consistently being so approachable and open-minded. Your friendly demeanor and willingness to listen and understand serve as a constant source of motivation. Your support and guidance have been especially meaningful to me during the recent account issue I encountered. Your willingness to assist and offer valuable advice speaks volumes about your character and the supportive environment you cultivate. I’m incredibly grateful to have someone like you. Your assistance played a crucial role in resolving the issue and getting my account back.
so at the end it was actually a sql injection
Exactly
Which is kind of an amateur move.
@@patwhocares7009”amateur” but effective, like keyloggers
@@patwhocares7009 exaclty cuz his channel is sh*t it just teaches some nonsense stuff for beginners additionally it won’t benefit anyone
Yeah, if we can execute this level of injection then, the company is a lost cause 😂, its always thing with WAF
It's amazing what you do Adrian Ruthnik We need a lot of people with your skills and set who have good intentions and spread love
It would be very unusual these days to find a front end application directly executing SQL against the back end database without going through some kind of API that abstracts and limits. This might have worked 15 years ago . .
Essentially this has little to do with 2FA authentication and everything to do with hacking into a database.
100% agree, it is misleading.
Exactly what ever any of these hacker channels showing is all bullshit it might of worked 15 years ago like you said but not today and if this stuff was true do you really think CZcams would let him post it I don’t think so 😂 not how this people can think that other people are so stupid is beyond me
I’m new into this field working on my certs and things and I appreciate y’all’s feedbacks on videos like these !
Some do have deprecated technology.😊
@@admiral44Enforce two step and put uBlock origin on every clients machine
This is a great example of how a vulnerable website can be compromised even when security controls are implemented. Interpreting query based information is a prominent skill, especially in a database that store large sets of data. 👏
security controls where not implemented. Sqlinjection is a very known issue.
I hate Security Control ob websites blocking Security Control for more malware Protection
nice video for children, man! really appreciated!
but first, IRL on production u usually won't get so verbose 5xx errors (if devops/developers are not too crazy ofc to open bugs for end user :-))) so your SQLi will be "blind SQLi", LOL! ;-)
second, more and more systems nowdays use "prepared statements" for SQL, reliably isolate query itself from query parameters, which gives backend's code immunity to SQLi, sad (for hackers) but true.
How can you store sensitive data without encrypted? As a backend developer, this doesn't make any sense.
First, this is a lab and it is meant to be vulnerable. Secondly, most of the time you cannot encrypt the database itself, as this typically causes data corruption. You can store encrypted strings though and pass the encrypted strings with secure protocols (which is the safest bet). Even if it was a ciphered string, you can use tools like rainbow tables or john or even google-fu to decipher weak passwords like "password". The whole point of this is to show an example of a vulnerability. It is possible that an inexperienced developer, or recent update, broke encryption or stored the plain-text values. There are even more complicated versions of attacks but this is a good understanding of the basics of what a cyber security specialist looks for. Often times the puzzle is much more complicated and you really need to know your stuff in order to fully test something.
As a Backend it should.
It’s funny to see how some people over think and over complicate what hackers are actually doing
Are u just consistently pressing send in burp suite or a value then send?
Always ready for your video
Video Suggestions:
1. Video About wireshark And wifite
2. Video on how to hack any pdf's password with "rockyou" wordlist
3. Make a video about anonymity with kali "whoami"
4. A video on how to dual boot Kali Linux
5. A video a on BYOB Botnet
6. Full tutorial about Burpsuite
Look who raised him. I'm not surprised he's stuck like Chuck 😂😂
This is probably outdated as most platforms now are using like separate app.
For example in FB/Messenger if I have login credentials to lets say my brother FB account, but I am trying to log in from my PC/Phone, he will have to confirm on his device.
So eve if he has to put some PIN/QR it will only be possible from his device.
My bank is using similar approach. If I try to log in from any other device< i will get pop up on my phone where I have to confirm and allow new device to connect.
if you have access to DB why you don't just turn off 2fa on the user account?
In my opinion, it will be suspicious for user, cause he previously has a protection and now It`s just disappear
Because the goal is to be as inconspicuous and effective as possible. Removing a gate entirely would raise red flags and call attention to the intrusion.
Because he can only read the database, not modify it.. I think
Very cool. Thanks.😁😁😁
Can we see safe folders image after remote access by Kali Linux pls pls reply sir
What if the valve is stored in the server's cache?
very well from your good and nice techings Mr. loi can you tell we is there a way to download from payment websites without any paying thanks
I'm just interested in the py to extract the key from the QR code
Well, a replay attack can be used to login without password or 2FA as well.
Amazing one 🥰
Learnings from this video:
1. How to bypass 2fa
2. hacker loi is very handsome
Excelent police work and freedom you gave. That boy looks genuinely sorry and regrets what he did
thx for sharing information
Hi, Mr. Hackerloi! I am one of your CZcams writings and I come to help your video and are very good. Congratulations to the stather. Have one of your video with the title: How Hackers Hack With An Image Trojan? I tested on my computer with your class cripto did not give enough to cost me a crypt base and how to set up
I don't understand why the double )) in the union payload @5:54 ?
Thank you so much Master
Does this affect the use of hard tokens from a USB device and/or Yubikey etc? Are these stored in the same DB as well? I always thought hard tokens were the safer way to go instead of a google authenticator. Always enjoy and appreciate the videos!
It depends on what do you mean by "hard tokens". Specifically speaking of Yubikeys, it supports multiple type of authentication methods, so storing TOTP accounts on Yubikey is not that much different from Google Authenticator or any application authenticator, you would just have a physical presence of your 6-digit codes with Yubikey. But since Yubikey's storage is write-only, you can't see your secrets in plain form after it is imported to Yubikey, so you just see the 6-digit codes that the secret is corresponding to, which naturally makes Yubikey safer.
However, Yubikeys also provides a hardware-based OTP (HOTP), so in that scenario, the server just "validates" the token generated by the Yubikey (instead of checking the same 6-digit value that the same secret stored in DB corresponding to, as in TOTP) which it makes the one of the most secure authentication methods as of today. Unfortunately, not all websites which supports 2FA allows registering a security key (or passwordless sign-in), they sometimes support TOTP as the only 2FA option as in the example website shown in this video.
Also, even hardware authenticators are used, when the server's database is exposed once, it might be a risk still because since the database basically contains your user data, even if hacker couldn't sign in your account they can still access your leaked info without signing in, so I believe it doesn't even matter much anyway which 2FA method you choose in that scenario like this. Not saying that hardware authenticators doesn't change anything, they are obviously always more secure than other options!
And since most-popular websites are protected enough to prevent easy attacks like SQL injection, getting full access to the database is very less likely in today (it probably would work in ancient websites like in 10+ years ago), so don't be confused by this video. Even with a time-based tokens (TOTP), you are usually still safer than having no 2FA, it is just not that super-safe when compared to hardware-based tokens.
Hope this is helpful!
They work exactly the same way in case you use TOTP. You just store the shared key on the hardware instead of the phone.
Por favor, adicione faixa de áudio nos seus vídeos. Vai ajudar muito a gente entender melhor.
thank you sensai
Thank you Mr. Hacker Loi.
So to bypass 2fa you'd need a sql injection? That's not a 2fa bypass sir, that's just a misleading title. It's already game over when you can extract arbitrary data from the database.
who would design a backend like that ? sounds like high school project to me :-)
To setup 2FA, first you need to have the password? if you already have the hackerwhateverpassword, the account is already compromised?
The first part of video was an example of how 2FA generally works. Qr code image gives us a secret token that we can use to bypass 2FA, then in the video shows that with SQL injection we get this token from the database
Dude how many camera you have?
That’s happening because the developer didn’t use an orm.
Actually, most TOTP implementations give you a few seconds leeway
And boom Harker loi...
Sir pls next video on how to find and bypass admin panel of any website.
YOU CAN ONLY DO THAT FOR A WEBSITE WITH HTTP NOT HTTPS
Yo, you doing some crazy work ngl ☝️🔥
no
@@peterparker175 cry more bruv
Hacking is not in it self not illegal, only when you do it in the wrong way. like destory stuff.
Please make a video with how a hacker bypass my 2FA provided by my Yubikey. :) Thanks!
They do not need your Yubikey if they can get the TOTP key stored on it from the server.
@@valkaielod I don't talk about a TOTP code provided by Yubikey. I talk about 2FA provided by hardware key Yubikey itself (aka they need my key to plug in to their USB port and touch the key). How can they bypass this?
@@aburilusbroadcast That is FIDO2. They can't bypass it unless there is a vulnerability in the chip and they have access to it. Or they exploit the web application.
@@aburilusbroadcast It seems like YT ate my comment. Bypassing the FIDO2 auth used in that scenario is not trivial at all. You either need a vulnerability in the chip YK uses or compromising the server side.
The video is all over the place
Question:-
Is it possible to brute force the 6 digit authentication code with graphic cards or with anything else in Cybersecurity ?
@@yt_brij Proxies exists
usually the passcodes refresh and change every minute
yes you can but they expire after like 1 minute
Amazing job! Adrian Ruthnik I wasn’t able to see my account name at first because the name was changed. Also I really valued this information but thanks Jon even tho it showed a lots of error at my ends you still tried in helping fixing it. Happy I got it back y’all.
Can make another video about android RAT because most of the old so they don't work
As a person and professional you couldn't get any better than Adrian Ruthnik is a very reliable person and an excellent professional in the IT field. He is the type of person you want to work that's passionate, hardworking and knowledgeable. You’re The Best 100%
Some of y'all haven't even watched the video but already liking it
Bc we know it's going to be quality content.
Freedom, funny how that works.
@Hello_-_-_-_ and indeed, it was great
@@abdou.the.heretic true talk
yes, you can like it, and after watching you can decide to keep it or revoke it. some ads and autoplay feature will navigate you elsewhere on video end, so it is a best practice to like earlier.
Your work speaks volumes of the kind of man you are. efficient, organized and result oriented well done , Adrian Ruthnik you're soo good at what you do
This has nothing to do with 2FA, this is just sql injection. If the company is boneheaded enough to store sensitive information undirectly without hashing it you can query everything including yes 2FA. Enterprise setups are not as easy as this.
Newsflash: If you can access the database there is very little reason to even bother accessing the website frontend.
hello can you help me skip the website
Hello, I'm seeking assistance with a matter of significance to me. I recently added an external hardware component to my motherboard known as a DMA (Direct Memory Access). In the device manager, it is listed as such. However, it is crucial for me to conceal and present it as a different device to appear legitimate. Specifically, I aim to mask it from the system.
I'm in need of a firmware solution that can spoof this DMA card, essentially hiding it by integrating it into the firmware to mimic a standard PC component. The objective is to make the DMA indistinguishable from other regular hardware components Furthermore, I am looking for a firmware tailored uniquely for my use, ensuring exclusivity. Unfortunately, I lack experience in this domain, making comprehensive assistance invaluable to me.
any promo code for your courses ? :)
Incredible efforts by Adrian Ruthnik I'll be transparent - distinguishing between legitimacy and legality can be tricky for many. Grateful for the assistance with my account - it's back in my hands. Keep up the commendable work, aiming to minimize the impact caused by the system. We could use more individuals like Jon in our world.
First thing you learn is never trust user input and never ever show the query (maybe in debug mode when you are the only one that can see it, but never ever in production) . What kind of losers programmed this and what idiots approved it for production? These are mistakes i did when i first started 25 years ago as a rookie.
Mind-blowing
no
@@peterparker175 well I don't know about you. But it is to me
how can this work on modern systems?
This will not work unitl a 0day is found
It'll never work.
Having you as my support has been one of the best things I’ve ever decided on, Adrian Ruthnik . Your assistance has made my tasks smoother and more manageable. I deeply appreciate the favor you’ve extended to me. Thank you, my friend. Your presence has made this entire process much more comfortable, and I am truly grateful for it. Working alongside you is a pleasure, and your dedication to your role serves as an inspiration to me. I will always remember the help and support you’ve provided me with.
wow got here 31min after posted
Big thanks Adrian Ruthnik for helping me out. God bless you brotha... I've tried following these steps from the device and location where the account was always logged into and I got a page that says we don't recognize your device. The tutorial video was not helpful tho but Big Ups Jon
Please say more on /etc/apt/sources.list Unable to locate package Not even to update kali Linux download nothing in here seems working
In this example, you had the password and email, and the 2fa wasn't needed, you set up the 2fa after you had access to the account? Im confused.
😂
Because the whole video is about bypassing 2fa through extracting the token key
Can we do it for Gmail.
has anyone ever tried to hack loi liang yang?
People dream of hiring such a talented expert like you. Keep up the hard work. Thank you so much for your dedication in this process. Thank you for your commitment to your job. Your outstanding performance helped our me alot. Thank you once again for your hard work and dedication.
Your search parameter is vulnerable =) In other cases, you will bypass my socks :D Yeah, this is an example, sure. :)
what is a good countermeasure besides fixing vulnerabilities? Store TOTP in another DB or encrypt it?
Simple, do not send sql info and do not trust input from a user always sanitize so even if, for some reason, they tried sql injection, it will fail. This is amateur stuff when you know nothing about programming and just started. And this is just clickbait.
When you explain you assume we know some of the stuff …. You should explain like we never heard of it ……
This works on ubisoft?
I can't login my Facebook account due to , 2factor automatic app . Can you help me 😭
damn i will be using this sometime
Adrian Ruthnik . I really appreciate your efforts and dedication towards the work. May God bless you to keep showing your worth and skills like this in the future
No encryptions, no email validations, no input validation, even my little boy can hack it
just strip and report with xss
I'm just a simple person from Switzerland, but I want to know how awesome it is what you did and what you do Adrian Ruthnik . I found it difficult to do the steps by myself, thanks to you for being a life saver. I'm really happy seeing his name everywhere in the comments. It says a lot about his good work
I wanna bypass my outlook email 2FA any suggestions?
Won't work this security is set to LOW
Helo sir I also want to learn programming and can u plz teach me plz sir I beg u.
Honestly, Adrian Ruthnik I'm amazed by your consistent ability to deliver exceptional work every single time. Your willingness to lend a helping hand during my time of need is deeply appreciated. Thank you for your support and kindness.. I take pride in your capability to overcome any challenge and consistently achieve outstanding results regardless of the circumstances.
In my case, I had no image of myself on it which clearly stated I am a step behind. Adrian Ruthnik was God’s sent. I appreciate your tireless efforts in assisting me with the account recovery. Your professionalism and commitment to finding a solution were evident at every step. Thank you for making the process efficient and effective.
You're just making clickbait at this point, aren't you? Like websites with 2FA would have database vulnerabilities.
I’ll forever be grateful to you for who you are, what you did. Thank you Adrian Ruthnik Thanking you for your support, love, and care to your duties. You are indeed a blessing me. Thank alot buddy i will always remember your good did towards me
Can you help me bypass my own 2FA for Facebook? I lost google authenticator when I had my mobile phone stolen.
Are you ready to get this situation solved right away ???…. I have an expert for it..😅
I was also in similar situation but the same expert helped me out… He is *Tischler tech*
*Tischler tech* is a cyber security expert. Only him can look into this situation and get it back.
He has over 9k followers???.
Title: Union based SQL Injection 😂
how to hack any bluetooth devices or speakers ?
i got nothing here...i just watched
Kindly let me to express my sincere gratitude for the exceptional support and dedication Adrian Ruthnik provided in helping me with business account. Your willingness to go above and beyond, investing additional time and effort, has been invaluable to me. The meticulous attention to detail and unwavering commitment you demonstrated throughout this process is truly commendable. Thank you from the bottom of my heart for your outstanding assistance.
All passwords in a database should be encrypted...