InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties…


Bypassing VPN MFA During a Pentest via Duo Inline Self-Enrollment


Examples of Duo MFA

Recently my team and I ran an external engagement against an organization, which for privacy I'll call example.org, where the main goal was to test and exploit the external perimeter. The organization hosted several public-facing websites, including an Outlook Web App (OWA) portal and a GlobalProtect VPN portal, both of which become relevant later. In this post I will walk you through the steps we took and some of the interesting configurations we were able to exploit. Some details are adjusted and not everything is shared, to protect the organization's privacy. Since the focus is the Duo portion, I will summarize or skip most of the supporting details of the test and concentrate on the misconfiguration that let us gain access to what would otherwise have been a secure front door.

Pentest Time

At the start of the engagement we used linkedin2username to build a list of a few hundred potential usernames for company employees, confirming the username format from email addresses found online. With that list in hand we set up Metasploit's OWA password brute-force module and launched the attack. It is also important to note that this OWA was joined to the organization's domain, which meant any compromised user would likely also be a domain user with access to the VPN.
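The username list plus OWA brute-force step described above is exactly the pattern a defender can hunt for in the portal's authentication logs: many distinct usernames failing from one source in a short window, with any success from that same source triaged first. The following detector is an added example, not the author's tooling, and the log format it parses is constructed for illustration.

```python
"""Detect password-spray patterns against an OWA portal in auth logs.
Added example for this write-up, not the author's tooling; the log format
is constructed for illustration, so adapt LINE_RE to your own log fields."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-01-10T09:00:01Z 203.0.113.7 jsmith FAIL
2024-01-10T09:00:02Z 203.0.113.7 akhan FAIL
2024-01-10T09:00:03Z 203.0.113.7 bwong FAIL
2024-01-10T09:00:04Z 203.0.113.7 cdiaz FAIL
2024-01-10T09:00:05Z 203.0.113.7 dlee FAIL
2024-01-10T09:00:06Z 203.0.113.7 emiller SUCCESS
2024-01-10T09:05:00Z 198.51.100.4 jsmith FAIL
2024-01-10T09:05:30Z 198.51.100.4 jsmith SUCCESS
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")

def parse(log_text):
    """Return (timestamp, src_ip, user, result) tuples; skip unparsable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def find_sprays(events, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: (distinct users that failed, users that succeeded)}
    for every source that failed against >= min_users accounts in a window."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            failed = {u for _, u, r in in_win if r == "FAIL"}
            if len(failed) >= min_users:
                # Any success from a spraying source is the account to triage first.
                hits = sorted({u for _, u, r in in_win if r == "SUCCESS"})
                alerts[ip] = (len(failed), hits)
                break
    return alerts
```

A single user failing then succeeding from one address (the second source in the sample) is a normal typo and is not flagged; only the multi-account failure burst is.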


Published in InfoSec Write-ups


Written by Julian Runnels

Pentester and Security Engineer. Focus on Cloud Architecture and Security Automation.
