
Two Factor Authentication web portal written in PHP

TwoFactorAuth

Author: Arno0x0x - @Arno0x0x

TwoFactorAuth is a web authentication portal providing two-factor authentication (2FA). The first factor is a password; the second factor is an OTP (One Time Password) generated by an application such as Google Authenticator or any compatible app.

TwoFactorAuth is written in PHP and should be easy to integrate with an existing PHP application. It also ships a script compatible with the Nginx auth_request module, which integrates easily. See below for Nginx integration.

The aim of TwoFactorAuth is to provide secure (2FA) authentication of users and, once authentication has passed, to let your application handle everything else, such as the user's authorisations, profile, etc.

The app is distributed under the terms of the GPLv3 licence.

Dependencies

TwoFactorAuth requires PHP5. The following required libraries are included with TwoFactorAuth:

  • The Google Authenticator PHP Class written by Michael Kliewe, used to generate the GAuth secret and to validate OTPs. Beware that I've modified this class to rely on a local library for QRCode generation rather than on a GoogleChart URL, so don't install the upstream library; use only the copy provided with TwoFactorAuth.

  • The PHP QRCode library written by Dominik Dzienia, for 2D QRCode generation.

  • NoSCRF written by Thibaut Despoulain, for CSRF attack prevention.

These libraries are included in the TwoFactorAuth package, so you don't have to install them :-)

TwoFactorAuth also relies on some PHP5 extensions that you'll have to install yourself:

  • The GD library (on Debian-like systems: sudo apt-get install php5-gd)
  • The SQLite3 library (on Debian-like systems: sudo apt-get install php5-sqlite)

Features

TwoFactorAuth uses a SQLite3 database as its user database. The database type can easily be changed by overriding the /twofactorauth/lib/DBManager.php class to use any other database.

Main features are:

  • User database management (restricted to users with the "admin" privilege): add a user / delete a user / delete the whole database / change any user's password / renew any user's GAuth secret / show any user's secret as a QRCode
  • Each user can also manage their own account: change their password / renew their GAuth secret / show their current secret as a QRCode
  • Nginx auth_request module integration (optional)

Screenshots

The login page: [screenshot: login page]

The home page after login: [screenshot: home page]

The user management page: [screenshot: user page]

The QRCode display: [screenshot: qrcode page]

The administration page: [screenshot: admin page]

Adding a user: [screenshot: addUser page]

How does it work ?

After a user is created, a QRCode is displayed representing the random GAuth secret generated for this user. This QRCode must be scanned with the Google Authenticator application. This should be done only once per user, unless the user has lost or changed their phone and needs to re-enter the QRCode. Once a QRCode has been scanned with the Google Authenticator application, a new OTP token is generated every 30 seconds:

[screenshot: qrcode]

This token must be entered on the login page along with the user's password.

Once a user has logged in, a PHP session is created; its name can optionally be configured to match that of your own PHP application if required. This session holds the following variables:

  • $_SESSION["authenticated"]: a boolean (true or false) indicating that the user has been successfully authenticated
  • $_SESSION["isAdmin"]: a boolean (true or false) indicating whether or not this user has TwoFactorAuth admin rights
  • $_SESSION["username"]: a string containing the authenticated username. This username can be reused by your own app for further authorization checks and profile handling
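To make the "new token every 30 seconds" step concrete, here is an added example (not code from TwoFactorAuth or from the bundled Google Authenticator class) that generates and checks a 30-second, 6-digit TOTP the way Google Authenticator does (RFC 6238 over HMAC-SHA1). It assumes PHP 7.1 or later and takes the secret in Base32 form, which is what the QRCode encodes; the verification accepts one period of clock drift on either side and compares codes in constant time. The secret used at the bottom is the SHA-1 test vector from RFC 6238 Appendix B.

```php
<?php
// Added example, not TwoFactorAuth's own code: TOTP (RFC 6238) generation and
// verification with a Base32 secret, as used by Google Authenticator.

// Decode an RFC 4648 Base32 string (the format the authenticator app stores) into raw bytes.
function base32Decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim($b32, '='));
    $bits = '';
    for ($i = 0, $n = strlen($b32); $i < $n; $i++) {
        $val = strpos($alphabet, $b32[$i]);
        if ($val === false) {
            throw new InvalidArgumentException('Invalid Base32 character');
        }
        $bits .= str_pad(decbin($val), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    for ($i = 0; $i + 8 <= strlen($bits); $i += 8) {
        $out .= chr(bindec(substr($bits, $i, 8)));
    }
    return $out;
}

// Compute the TOTP for a secret at a given Unix time (default: now).
function totpCode(string $base32Secret, ?int $time = null, int $period = 30, int $digits = 6): string
{
    $time = $time ?? time();
    $counter = intdiv($time, $period);
    // HOTP (RFC 4226) wants the counter as an 8-byte big-endian integer.
    $msg = pack('J', $counter);
    $hash = hash_hmac('sha1', $msg, base32Decode($base32Secret), true);
    // Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
    $offset = ord($hash[19]) & 0x0F;
    $binary = ((ord($hash[$offset]) & 0x7F) << 24)
            | (ord($hash[$offset + 1]) << 16)
            | (ord($hash[$offset + 2]) << 8)
            | ord($hash[$offset + 3]);
    return str_pad((string)($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Verify a user-supplied code, tolerating +/- $window periods of clock drift.
// Every slot is checked (no early return) and hash_equals() is used so the
// comparison itself does not leak timing information about the expected code.
function totpVerify(string $base32Secret, string $userCode, ?int $time = null, int $window = 1): bool
{
    if (!preg_match('/^[0-9]{6}$/', $userCode)) {
        return false;
    }
    $time = $time ?? time();
    $ok = false;
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(totpCode($base32Secret, $time + $i * 30), $userCode)) {
            $ok = true;
        }
    }
    return $ok;
}

// RFC 6238 Appendix B test secret "12345678901234567890" in Base32. The RFC lists
// the 8-digit SHA-1 code 94287082 for T=59; a 6-digit code keeps its last six digits.
$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
echo totpCode($secret, 59), PHP_EOL;
var_dump(totpVerify($secret, '287082', 59));
var_dump(totpVerify($secret, '000000', 59));
```

Run it with php from the command line. In a real deployment, the verified code should additionally be rejected if it was already accepted for this user in the same period (replay), which requires storing the last accepted counter alongside the secret.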

Installation

  1. Unzip the TwoFactorAuth package in your web server's directory and ensure all files and folders have the appropriate user:group ownership, depending on your installation (probably something like www-data:www-data).

  2. Edit the configuration file config.php at the root of the TwoFactorAuth directory and make it match your needs and personal settings. See the configuration section below.

  3. Next, open a browser and navigate to the TwoFactorAuth base URL (the exact path will vary depending on where you installed the TwoFactorAuth application): http://www.example.com/twofactorauth/ . This page finalizes the installation by creating the SQLite3 user database and the user table schema, and lets you define the first default user with administration rights.

From that point, the main features are available on the home page.

Configuration

Edit the /twofactorauth/config.php file to match your needs. Most settings can be kept at their default values. However, pay attention to the following settings:

  • QRCODE_TITLE: the title that will appear above the OTP token in the Google Authenticator app. Set it to your own application name, or maybe the server name, whatever is relevant and sensible to your users.

  • SESSION_NAME: the PHP session name (also used for the session cookie). You can set it to your own application's session name if you plan to reuse the session for further user authorization and profile handling.

  • AUTH_SUCCEED_REDIRECT_URL: the login page supports a URL parameter "from" (e.g. "http://www.example.com/twofactorauth/login/login.php?from=/myapp"). Upon successful login, the login page redirects the user to the path given in the "from" parameter (NB: it can only be a path local to the FQDN, no cross-site redirects). If the "from" parameter is not present in the URL, the login page redirects the user to the URL specified in AUTH_SUCCEED_REDIRECT_URL.
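The "local path only" restriction on "from" is what keeps the post-login redirect from becoming an open redirect. The following added example (not TwoFactorAuth's own login.php code) shows one way to enforce it: a helper that accepts only a plain absolute path and falls back to the configured URL for anything else. The fallback value and the sample inputs are constructed for the demonstration; the `header()` call at the end is how such a helper would be used from the login page.

```php
<?php
// Added example, not TwoFactorAuth's own code: accept the "from" parameter only
// when it is a path local to this host, otherwise fall back to the configured URL.

function localRedirectTarget(?string $from, string $fallback): string
{
    if ($from === null || $from === '') {
        return $fallback;
    }
    // CR/LF/NUL would let the value break out of the Location header.
    if (preg_match('/[\r\n\0]/', $from)) {
        return $fallback;
    }
    // Exactly one leading slash: browsers read "//host/x" (and "/\host/x") as a
    // scheme-relative URL pointing at another host.
    if ($from[0] !== '/' || (isset($from[1]) && ($from[1] === '/' || $from[1] === '\\'))) {
        return $fallback;
    }
    // parse_url() must agree that there is no scheme or host component.
    $parts = parse_url($from);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $from;
}

// Constructed inputs, as they might arrive in login.php?from=...
$fallback = '/twofactorauth/';   // stands in for AUTH_SUCCEED_REDIRECT_URL
$samples = [
    '/myapp',
    '/myapp/page.php?id=3',
    '//attacker.example/phish',
    'https://attacker.example/',
    "/myapp\r\nSet-Cookie: x=1",
    '',
];
foreach ($samples as $s) {
    printf("%-36s -> %s\n", json_encode($s), localRedirectTarget($s, $fallback));
}

// In the login page, after the password and OTP checks have both succeeded:
// header('Location: ' . localRedirectTarget($_GET['from'] ?? null, AUTH_SUCCEED_REDIRECT_URL));
```

Only the first two samples are returned unchanged; the scheme-relative, absolute-URL, header-injection and empty inputs all fall back to the configured URL.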

Security aspects

The user database must be protected against remote access. To achieve this, you can either:

  • Before the installation: change the USER_SQL_DATABASE_FILE setting in config.php to a path that is not served by your web server, or
  • After the installation: prevent remote access to the db/ directory using a web-server-specific directive (.htaccess with Apache, or a location-specific 'deny all;' with Nginx)

[OPTIONAL] NGINX auth_request integration

The Nginx auth_request module authenticates each request by issuing an internal subrequest to a configured URL. The subrequest must answer with the proper HTTP status code:

  • HTTP 401 if the authentication failed
  • HTTP 200 if the authentication succeeded

This mechanism is a perfect replacement for auth_basic authentication and allows a custom-made mechanism, written in any language. It also allows a whole-website (rather than per-application) authentication mechanism.

WARNING: Whenever you save changes to TwoFactorAuth's config.php, always check for error messages at /twofactorauth/login/login.php to ensure you did not make typos in the file. If PHP cannot parse the file, Nginx will consider all users to be authenticated!

TwoFactorAuth provides such a script: /twofactorauth/nginx/auth.php.

You'll have to edit your Nginx configuration file. Assuming the TwoFactorAuth application was deployed in a location named /twofactorauth/ on your web server, add the following lines under the "server" directive:

auth_request /twofactorauth/nginx/auth.php;

error_page 401 = @error401;

location @error401 {
    return 302 $scheme://$host/twofactorauth/login/login.php?from=$uri;
}

location = /twofactorauth/nginx/auth.php {
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    include fastcgi.conf;
    fastcgi_param CONTENT_LENGTH "";
}

location /twofactorauth/db/ {
    deny all;
}

location /twofactorauth/login/ {
    auth_request off;

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        include fastcgi.conf;
    }
}
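To show what the subrequest target has to do, and why the WARNING above matters, here is an added example of a minimal auth_request endpoint. It is not the project's /twofactorauth/nginx/auth.php; it assumes config.php defines SESSION_NAME and sits one directory up, and it reads the session variables described in "How does it work?". The status is set to 401 before anything else runs, so that a parse error in config.php, or a missing file, leaves the request denied instead of being answered with a 200 and an error message.

```php
<?php
// Added example, not the project's own nginx/auth.php: answer 200 when the
// TwoFactorAuth session says the user is authenticated, 401 otherwise.

// Fail closed. With display_errors on, a fatal error would otherwise be sent
// with the default 200 status, which auth_request treats as "allowed".
http_response_code(401);
header('Cache-Control: no-store');

require_once __DIR__ . '/../config.php';   // assumed to define SESSION_NAME

// The auth_request subrequest carries the original request's cookies, so the
// session created by the login page is visible here under the same name.
session_name(SESSION_NAME);
session_start();

$authenticated = isset($_SESSION['authenticated']) && $_SESSION['authenticated'] === true;

if ($authenticated) {
    // Hand the identity to nginx (restricted to a safe character set for a header).
    // Pick it up in nginx with: auth_request_set $auth_user $upstream_http_x_auth_user;
    $user = preg_replace('/[^\w.@-]/', '', (string)($_SESSION['username'] ?? ''));
    header('X-Auth-User: ' . $user);
    http_response_code(200);
}
// No body is needed: nginx only looks at the status code of the subrequest.
exit;
```

The `fastcgi_param CONTENT_LENGTH "";` line in the location above exists because auth_request does not forward the client's request body to the subrequest; without it, PHP-FPM would wait for a body that never arrives.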

Credits

Many thanks to Dominique Climenti (kyos.ch) for his help fixing a few bugs (installation procedure, cookie setting when the server runs on a non-standard port, login form security improvement) as well as discovering an XSS vulnerability (!). Many thanks to David Carliez (Toreon) too for discovering and helping fix a stored XSS. This is now all fixed.

Todo

Although I already had some useful feedback and fixed some bugs, there might still be some bugs or security concerns to fix. If you have a feature request, feel free to contact me on my twitter page.

Like this tool? Tip me with bitcoins!
