Wordpress Two-Factor Authentication Brute-forcer
This utility brute-forces two-factor protected Wordpress dashboards by iterating through every possible 6-digit Google Authenticator TOTP token.
WPBiff is meant to be used together with Main-in-the-Middle based attacks against NTP.
WPBiff is able to brute-force Wordpress login pages protected by the following two-factor authentication plugins:
- Google Authenticator by Henrik Schack
- WP Google Authenticator by Julien Liabeuf
The latest package is available on PyPI
$ pip install wpbiff
This utility runs on Python 2.6 and 2.7
In order to carry out successful attack against a two-factor protected Wordpress blog, you must satisfy the following two pre-requisites.
The first requirement is that you must have the login username and password to
the Wordpress dashboard on /wp-admin. The credentials can be acquired by
phishing, key logging or password reuse.
Secondly, you must be able to control the internal clock of the target server.
I recommend Delorean to fixate the server time to a certain point. You must
fixate an arbitrary date with the -d flag with Delorean and use the
very same time stamp with WPBiff in parallel.
For more information on remote clock tampering, please refer to this blog entry
The following section explains the basic usage of WPBiff. You can also use
the -h switch any time to get help.
| -d, --date DATE | |
| Pinned date (Format: "YYYY-MM-DD hh:mm") [required] | |
| -u, --username USER | |
| Wordpress username [required] | |
| -p, --password PASS | |
| Wordpress password [required] | |
| -a, --user-agent | |
| HTTP User-Agent header (default: Firefox) | |
| -t, --token TOKEN | |
| Initial value of token (default: 000000) | |
| -m, --max-token TOKEN | |
| Maximum token value (default: 999999) | |
Use the --plugin switch to choose between the Wordpress plugin type providing
two-factor authentication for the target. Choose ga for
Google Authenticator and wpga for WP Google Authenticator.
Assume NTP traffic can be intercepted between your target and the upstream NTP server. By tampering with this traffic, you can "pin" the target's clock to a certain time and date.
Launch Delorean NTP server to serve a fixed time and date
$ ./delorean.py -d "2015-10-30 11:22"
Redirect NTP traffic from your target to the fake NTP server.
Finally launch WPBiff as the following
$ wpbiff -u admin -p admin -d "2015-10-30 11:22" --plugin ga "http://www.example.com"
This session will brute force Wordpress on www.example.com with the login username
admin and password admin.
Once the process finishes, WPBiff dumps the valid token and the session cookies for accessing the Wordpress dashboard.
If the clock on the target Wordpress site reverts to the same time and date every minute (e.g. ntpdate runs minutely), three parallel instances of WBiff is capable to find the TOTP token in about an hour.
| Test | WPBiff 1 | WPBiff 2 | WPBiff 3 |
|---|---|---|---|
| Session 1 | 57m | 141m | n.a. |
| Session 2 | 51m | 46m | n.a. |
| Session 3 | 102m | 83m | n.a. |
Where WPBiff 1, 2 and 3 were covering different ranges within all possible combinations of 6-digit tokens
ubuntu@wpbiff1:~$ wpbiff -t 000000 -m 333333 ... ubuntu@wpbiff2:~$ wpbiff -t 333334 -m 666666 ... ubuntu@wpbiff3:~$ wpbiff -t 666667 -m 999999 ...
- Blog entry with detailed walkthrough
- Source code on GitHub
- Package on PyPI
- Gabor Szathmari - @gszathmari
- Delorean: NTP Main-in-the-Middle tool