karo-solutions / duo-bypass Goto Github PK

This is a little script I put together after I reverse engineered the Duo 2FA Mobile App and figured out how their auth flow works. This can be ported into probably a useful desktop app or chrome extention and can probably be used to write bots for MIT Services that require auth.

Install stuff,

pip install -r requirements.txt

Copy the QR code image (or create a screenshot) and store it as qr.png into this folder.

Then run:

./duo_activate.py

In case the QR code cannot be decoded automatically, you will be asked for its text value, it is the format:
XXXXXXXXXX-YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY

The displayed code is the XXXXXXXXXX part of the QR code.
The displayed host is the base64 decoded YYYYYY[...] part of the QR code. It should be in the format: api-XXXXX.duosecurity.com.

If everything worked you can then generate a code by running:

./duo_gen.py

Warning: These are HOTP tokens and generate codes increments a counter. If you get too far out of sync with the server it will stop accepting your codes.

./duo_export.py

Export the duo hotp secret as a QR code for inclusion in third-party hotp apps like freeotp.