Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Support for TOTP (Google Authenticator) secret bruteforcing #613
Please add supporto for TOTP secret bruteforcing.
Actually the main part of the algoritm is simply an hmac('secret_seed', 'int_of_time_frames_since_epoch')
A very good descriptionf of the algorithm can be found here:
The attack should guess the secret given a known past One Time Password and its time frame:
Given 061817 and 1479986013 (which is 49332867 thirty seconds windows since epoch), hashcat should be able to recover NBSWY3DP that is the base32 value of 'hello'.
While most implementation use strong, randomly generated secrets it happened to me a few times that someone implemented it with short, small charset secrets (8-10chars, lowercase only et similar)