No Rate Limit Attack (OTP Bypassing)


New to ethical hacking and want to try bypassing an OTP? Then you have chosen the right project. In this article, I will show you how to bypass an OTP using a no rate limit attack.

What is a no rate limit attack? In a no rate limit attack, we send many requests to the server, in other words we brute force the OTP, until the right OTP reaches the server.

BURP SUITE ON!

Set up the proxy:

Configure your browser to use the Burp Suite proxy listener. To do this, open your browser's preferences and go to the proxy settings.

The proxy host address is 127.0.0.1 by default, and the port is 8080 by default for both protocols (HTTP and HTTPS).
NOTE: If Burp is not running, nothing is listening on the default proxy and the browser will not be able to connect.

To check whether the browser is connected to Burp, open the browser and go to http://burp.in.

Now open Burp Suite and turn intercept on. It will capture the request packet sent to the server. Send that request to Intruder, go to the Payloads tab, and start the attack with multiple OTPs. Now observe whether the website allows the multiple login attempts:

NEED TO KNOW: 

If the website does not allow multiple OTP attempts, it will block your IP address, so we attack from different IP addresses instead. For that, you need to load a script into Burp Suite. The script is available on GitHub at the link below: https://github.com/TheKingOfDuck/burpFakeIP.git

Download the fake IP script from this link, then open the Burp settings, browse to the script on your PC and load it.

This script lets you run the brute force attack from different IP addresses, so there is no danger of your IP address being blocked.

After this step, the attack begins and the login requests are sent to the website's server. You can use up to thousands of OTPs for the brute force attack. While attacking the server, Burp tries every OTP and compares the responses against the one for the real OTP; when the right OTP comes up, it is shown in Burp Suite.

So, this is the no rate limit attack!

Points to remember:

To check whether the website allows many login attempts, just start the brute force. If the website's security does not allow repeated login attempts, it will automatically stop the brute force attack within 3 to 6 tries. This attack is only possible when a no rate limit bug is present on the website.
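The fix for everything described above is on the server: count OTP attempts per account or session, not per client IP (which the fake IP script sidesteps), and burn the code once the limit is hit. The following is an added example written for this article, not code from the article, Burp Suite or burpFakeIP; OtpVerifier, MAX_ATTEMPTS, OTP_TTL_SECONDS and the sweep_all_codes harness are names chosen here.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Added example (not from the article): attempts are counted per account,
# never per client IP or client-supplied header, so rotating IPs does not help.
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is burned
OTP_TTL_SECONDS = 300    # code expires after 5 minutes regardless of attempts

@dataclass
class IssuedOtp:
    code: str
    issued_at: float
    attempts: int = 0
    burned: bool = False

class OtpVerifier:
    def __init__(self, now=time.time):
        self._now = now                      # injectable clock for tests
        self._issued: dict[str, IssuedOtp] = {}

    def issue(self, account: str) -> str:
        """Issue a fresh 6-digit code; reissuing replaces the old code and counter."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._issued[account] = IssuedOtp(code=code, issued_at=self._now())
        return code

    def verify(self, account: str, guess: str) -> bool:
        """True only for the correct, unexpired code within the attempt budget."""
        entry = self._issued.get(account)
        if entry is None or entry.burned:
            return False
        if self._now() - entry.issued_at > OTP_TTL_SECONDS:
            entry.burned = True
            return False
        entry.attempts += 1                  # count before comparing
        if entry.attempts > MAX_ATTEMPTS:
            entry.burned = True              # limit hit: even the right code is rejected
            return False
        if hmac.compare_digest(entry.code.encode(), guess.encode()):
            entry.burned = True              # single use: consumed on success
            return True
        return False

def sweep_all_codes(verifier: OtpVerifier, account: str) -> bool:
    """Harness: does an Intruder-style sweep of every 6-digit value get through?"""
    return any(verifier.verify(account, f"{i:06d}") for i in range(10**6))
```

With the counter keyed on the account, the sweep is stopped after MAX_ATTEMPTS guesses no matter how many source addresses the requests appear to come from.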

In fact, you can report this bug to the website's company and they will reward you with a bounty.

With the help of this attack, you are also able to bypass 2FA (two-factor authentication) and take over anyone's account, and even gain access to the admin panel.
