Merge pull request #2 from nilsstreedain/dev

v2.0

README.md

@@ -1,44 +1,33 @@
-# duo-workaround
-Script to generate valid HOTP key from DUO Security credentials allowing use of 3rd party and open source authentication applications such as Google Authenticator. An automatic installer, along with a online version is currently in progress.
-
-## Install:
-An automatic install script is in progress, for the time being, this manual process is required.
-1. Install dependencies using apt-get or homebrew
-    - jq
-    - coreutils
-    - qrencode
-    - oath-toolkit
-2. Place the `duo-workaround` script in the `/usr/local/bin/` folder.
-3. Make sure the file is executable with the following terminal command:
-```bash
-chmod +x /usr/local/bin/duo-workaround
-```
-
-
-## Setup:
-1. Install `duo-workaround`
-2. Navigate to your DUO Security Portal
-3. Login with your current DUO 2fa method
-4. On your device management screen, select `+ Add another device`
-<img width="423" alt="Screenshot 2022-09-26 at 12 51 56 AM" src="https://user-images.githubusercontent.com/25465133/192222493-d9040d55-7271-4140-ba12-af4480781c26.png">
-
-5. Select `Tablet`
-<img width="423" alt="Screenshot 2022-09-26 at 12 47 44 AM" src="https://user-images.githubusercontent.com/25465133/192221693-85f10e11-51c1-4b0b-8107-dbecd83d9bee.png">
-
-6. Select `Android`
-<img width="423" alt="Screenshot 2022-09-26 at 12 48 00 AM" src="https://user-images.githubusercontent.com/25465133/192221770-be4ccbd6-232d-43ed-8d3a-2c6086950aa0.png">
-
-7. Select `I have DUO Mobile installed`
-<img width="423" alt="Screenshot 2022-09-26 at 12 48 22 AM" src="https://user-images.githubusercontent.com/25465133/192221856-f8c09525-feec-46bc-b434-a5b0bad01f9d.png">
-
-8. Right Click the QR Code and copy the image URL
-<img width="423" alt="Screenshot 2022-09-26 at 12 49 43 AM" src="https://user-images.githubusercontent.com/25465133/192222277-08102469-a447-4960-b17d-e6dd36bc5397.png">
-
-9. In terminal type the following and press 'Enter' (replace the URL with the URL you copied)
-```bash
-duo-workaround 'https://api-12345678.duosecurity.com/frame...'
-```
-![SCR-20220926-1hx](https://user-images.githubusercontent.com/25465133/192225295-545c1a31-fcf9-4a2d-b212-281c2f4ce324.png)
-
-10. Open your HOTP app of choice (Such as Google Authenticator) and scan the QR Code.
-11. Done! The OTP codes within you HOTP app should be in sync with DUO. You may need to press the refresh button to update the code.
+# duo-bypass
+duo-bypass is a tool allowing you to use any valid two factor authentication app (that supports HOTP) in place of Cisco's proprietary proprietary DUO software.
+
+## Is it secure?
+Absolutely, DUO uses the same HOTP standards as every other 2FA app in the security space. They just encapsulate that standard in their own software to lock you down to their app. This tool tells DUO that you are the DUO app allowing you to activate a 2FA key in whatever app you choose.
+Alternatively, if you are uncomfortable placing your DUO credentials in a web interface, there is a script-based version of the tool.
+
+## Why not just use DUO?
+There are many reasons you may want to avoid using the DUO app from usability to ideological. I've listed a few below:
+- You already use a 2FA app like Google Authenticator and don't want another.
+- You prefer using open-source or non-proprietary software
+- You are uncomfortable with the data collection that takes place within the DUO Mobile application.
+- You would like to have DUO 2FA access on a computer and not just a mobile device that may die.
+- You have multiple mobile devices you would like to secure with a single could-based 2FA solution.
+- You would like to have 2FA autofill with supported apps to not ever have to deal with DUO notifications or codes.
+
+## How to setup duo-bypass (web version):
+1. Navigate you your organization's DUO Security Portal.
+2. Login with your current DUO 2FA method.
+3. In the Security Portal, select + Add another device.
+![image](https://user-images.githubusercontent.com/25465133/194498066-8efc5f3a-b040-4e98-aa38-f00409f549b3.png)
+4. Select Tablet.
+![image](https://user-images.githubusercontent.com/25465133/194498084-d56055ac-03b3-4642-b599-c6eaafe0232f.png)
+5. Select Android.
+![image](https://user-images.githubusercontent.com/25465133/194498097-88926758-0bb5-4f4b-a116-42f5ae9eed3d.png)
+6. Select I have DUO Mobile installed.
+![image](https://user-images.githubusercontent.com/25465133/194498114-24fe669f-7412-4f6e-a249-05ce8468d59a.png)
+7. Right click on the provided QR code and copy the image URL.
+![image](https://user-images.githubusercontent.com/25465133/194498153-b2f1ce24-9c7a-437a-9bb6-5803c80f2deb.png)
+8. Navigate to the duo-bypass tool.
+9. Paste the image URL into the duo-bypass tool and select bypass.
+10. Scan the QR code into your chossen 2FA application. If the app does not support a QR code, copy the key below the QR code into your app.
+11. Generate/test your first bypass code and you're done! (You can also now rename the device in DUO if you would like)

duo-bypass.js

@@ -0,0 +1,45 @@
+function b32encode(s) {
+	var l = Math.ceil((s.length << 3) / 5) * 5;
+	var c, b;
+	var o = '';
+	var a = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
+
+	// Loop over each bit of the string & parse 8 bit chars into 5 bit segments
+	for (var i = 0; i < l; i++) {
+		if ((i & 7) == 0)                           // Get new char every 8 bits
+			c = s.charCodeAt(i >> 3);        	    // "i & 7" = "i % 8"
+
+		b = (b << 1) | (c >> 7 - (i & 7));			// Concatenate bits together
+
+		if (i % 5 == 4)                             // Grab segment every 5 bits
+			o += a[b & 0x1F];                       // "b & 0x1F" last 5 bits
+	}
+	return o;
+}
+
+async function duoBypass() {
+	// Parse API parameters from DUO QR code image URL
+	const apiParams = urlInput.value.split('=').pop().split('-');
+
+	// Post new device to DUO API
+	const response = await fetch(`https://${atob(apiParams[1])}/push/v2/activation/${apiParams[0]}?customer_protocol=1`, {
+		method: 'POST',
+		headers: {'User-Agent': 'okhttp/2.7.5',},
+		body: {"jailbroken":"false","architecture":"arm64","region":"US","app_id":"com.duosecurity.duomobile","full_disk_encryption":"true","passcode_status":"true","platform":"Android","app_version":"3.49.0","app_build_number":"323001","version":"11","manufacturer":"unknown","language":"en","model":"Pixel 3a","security_patch_level":"2021-02-01"}
+	});
+
+	// Create QR code from DUO API response
+	response.json().then(data => {
+		const key = b32encode(data.response.hotp_secret);
+		const url = `otpauth://hotp/${data.response.customer_name}?secret=${key}&issuer=DUO`;
+		new QRCode(document.getElementById('qrcode'), url);
+		document.getElementById('key').innerText = key;
+	});
+}
+
+function setPage(o, n, e) {
+	document.getElementById(o).style.display = 'none';
+	document.getElementById(n).style.display = 'inline-block';
+	document.getElementById('curr').removeAttribute('id');
+	e.id = 'curr';
+}

index.html

@@ -0,0 +1,70 @@
+<!DOCTYPE html>
+<html lang="en">
+	<head>
+		<title>Nils Streedain</title>
+		<link rel="preload" href="resources/typeface.woff2" as="font" type="font/woff2" crossorigin>
+		<link rel="stylesheet" href="main.css">
+		<script type="application/javascript" src="resources/qrcode.min.js" defer></script>
+		<script type="application/javascript" src="duo-bypass.js" defer></script>
+	</head>
+	<body>
+		<nav>
+			<a id="curr" onclick="setPage('faq', 'tool', this)">duo-bypass</a>
+			<a onclick="setPage('tool', 'faq', this)">FAQ</a>
+			<a href="https://github.com/nilsstreedain/duo-bypass" target="_blank">GitHub</a>
+		</nav>
+		<main>
+			<div id="tool">
+				<div id="left">
+					<h1>duo-bypass</h1>
+					<p>duo-bypass allows you to generate 2FA codes in any standard 2FA application (supporting HOTP) for use with Cisco's DUO Mobile.
+					<p>Paste the DUO 2FA QR code image URL below and select <b>Bypass</b>.</p>
+					<input type="text" id="urlInput"></input>
+					<button id="bypass" onclick="duoBypass()">Bypass</button>
+					<p>Scan the QR code into your chosen 2FA application. If your application does not support QR codes, copy and paste the key below:</p>
+					<p id="key"></p>
+				</div>
+				<div id="qrcode"></div>
+			</div>
+			<div id="faq">
+				<h1>Welcome to duo-bypass!</h1>
+				<p>duo-bypass is a tool allowing you to use any valid two factor authentication app (that supports HOTP) in place of Cisco's proprietary proprietary DUO software.</p>
+				<h2>Is it secure?</h2>
+				<p>Absolutely, DUO uses the same HOTP standards as every other 2FA app in the security space. They just encapsulate that standard in their own software to lock you down to their app. This tool tells DUO that you are the DUO app allowing you to activate a 2FA key in whatever app <b>you</b> choose.</p>
+				<p>Alternatively, if you are uncomfortable placing your DUO credentials in a web interface, there is a <a href="https://github.com/nilsstreedain/duo-bypass">script-based</a> version of the tool.</p>
+				<h2>Why not just use DUO?</h2>
+				<p>There are many reasons you may want to avoid using the DUO app from usability to ideological. I've listed a few below:</p>
+				<ul>
+					<li>You already use a 2FA app like Google Authenticator and don't want another.</li>
+					<li>You prefer using open-source or non-proprietary software</li>
+					<li>You are uncomfortable with the data collection that takes place within the DUO Mobile application.</li>
+					<li>You would like to have DUO 2FA access on a computer and not just a mobile device that may die.</li>
+					<li>You have multiple mobile devices you would like to secure with a single could-based 2FA solution.</li>
+					<li>You would like to have 2FA autofill with supported apps to not ever have to deal with DUO notifications or codes.</li>
+				</ul>
+				<h2>How to setup duo-bypass:</h2>
+				<ol>
+					<li>Navigate you your organization's DUO Security Portal.</li>
+					<li>Login with your current DUO 2FA method.</li>
+					<li>In the Security Portal, select <b>+ Add another device</b>.</li>
+					<img src="resources/faq1.png">
+					<li>Select <b>Tablet</b>.</li>
+					<img src="resources/faq2.png">
+					<li>Select <b>Android</b>.</li>
+					<img src="resources/faq3.png">
+					<li>Select <b>I have DUO Mobile installed</b>.</li>
+					<img src="resources/faq4.png">
+					<li>Right click on the provided QR code and copy the image URL.</li>
+					<img src="resources/faq5.png">
+					<li>Navigate to the <a href="index.html">duo-bypass</a> tool.</li>
+					<li>Paste the image URL into the duo-bypass tool and select <b>bypass</b>.</li>
+					<li>Scan the QR code into your chossen 2FA application. If the app does not support a QR code, copy the key below the QR code into your app.</li>
+					<li>Generate/test your first bypass code and you're done! (You can also now rename the device in DUO if you would like)</li>
+				</ol>
+			</div>
+		</main>
+		<footer>
+			<p><a href="https://github.com/nilsstreedain/duo-bypass" target="_blank">GitHub</a> - by <a href="https://www.nilsstreedain.com" target="_blank">Nils Streedain</a></p>
+		</footer>
+	</body>
+</html>

main.css

@@ -0,0 +1,134 @@
+:root {
+	--accent: #80c368;
+	--white: #FFF;
+	--lGray: #f4f4f4;
+	--mGray: #ebebeb;
+	--dGray: #878787;
+	--pad: 30px;
+}
+
+@font-face {
+	font-family: typeface;
+	src: url(resources/typeface.woff2) format(woff2),
+		url(resources/typeface.woff) format(woff);
+}
+
+body {
+	margin: calc(3 * var(--pad)) 5%;
+	background-color: var(--lGray);
+	font-family: typeface;
+}
+
+nav {
+	position: fixed;
+	top: 0;
+	width: 100%;
+	padding: 0 5%;
+	left: 0;
+	height: 57px;
+	background-color: var(--lGray);
+	border-bottom: 3px solid var(--mGray);
+}
+
+nav a {
+	border: none;
+	float: left;
+	display: flex;
+	height: 100%;
+	align-items: center;
+	justify-content: center;
+	padding: 0 22px;
+	font-weight: bold;
+	text-decoration: none;
+	color: var(--dGray);
+}
+
+#curr {
+	color: var(--accent);
+	border-bottom: 3px solid var(--accent);
+}
+
+#curr, nav a:hover {
+	background-color: var(--mGray);
+}
+
+main {
+	padding: var(--pad);
+	border-radius: 10px;
+	box-shadow: 0 4px 8px 0 var(--mGray);
+	background-color: var(--white);
+}
+
+ol img {
+	width: 500px;
+	padding-bottom: 10px;
+	border-radius: 15px;
+}
+
+#tool {
+	display: inline-block;
+	width: 100%;
+}
+
+#left {
+	width: calc(100% - 256px - var(--pad));
+	float: left;
+}
+
+#left input, #left button {
+	border-radius: 5px;
+	height: var(--pad);
+	padding: 0;
+	margin: 0 0 10px 0;
+	font-size: 1em;
+	font-family: typeface;
+}
+
+input {
+	width: calc(100% - 120px);
+	border: 1px solid var(--mGray);
+}
+
+button {
+	width: 100px;
+	border: none;
+}
+
+button, footer {
+	background-color: var(--accent);
+	color: var(--white);
+}
+
+form button:active {
+	background-color: var(--dGray);
+	color: var(--mGray);
+}
+
+#qrcode {
+	float: right;
+	width: 256px;
+	height: 256px;
+}
+
+#key {
+	overflow-wrap: break-word;
+}
+
+#faq {
+	display: none;
+}
+
+footer {
+	position: fixed;
+	display: flex;
+	left: 0;
+	bottom: 0;
+	width: 100%;
+	height: 60px;
+	align-items: center;
+	justify-content: center;
+}
+
+footer a {
+	color: var(--white);
+}

script/README.md

@@ -0,0 +1,44 @@
+# duo-bypass (script)
+Script to generate valid HOTP key from DUO Security credentials allowing use of 3rd party and open source authentication applications such as Google Authenticator. An automatic installer, along with a online version is currently in progress.
+
+## Install:
+An automatic install script is in progress, for the time being, this manual process is required.
+1. Install dependencies using apt-get or homebrew
+    - jq
+    - coreutils
+    - qrencode
+    - oath-toolkit
+2. Place the `duo-bypass` script in the `/usr/local/bin/` folder.
+3. Make sure the file is executable with the following terminal command:
+```bash
+chmod +x /usr/local/bin/duo-bypass
+```
+
+
+## Setup:
+1. Install `duo-bypass`
+2. Navigate to your DUO Security Portal
+3. Login with your current DUO 2fa method
+4. On your device management screen, select `+ Add another device`
+<img width="423" alt="Screenshot 2022-09-26 at 12 51 56 AM" src="https://user-images.githubusercontent.com/25465133/192222493-d9040d55-7271-4140-ba12-af4480781c26.png">
+
+5. Select `Tablet`
+<img width="423" alt="Screenshot 2022-09-26 at 12 47 44 AM" src="https://user-images.githubusercontent.com/25465133/192221693-85f10e11-51c1-4b0b-8107-dbecd83d9bee.png">
+
+6. Select `Android`
+<img width="423" alt="Screenshot 2022-09-26 at 12 48 00 AM" src="https://user-images.githubusercontent.com/25465133/192221770-be4ccbd6-232d-43ed-8d3a-2c6086950aa0.png">
+
+7. Select `I have DUO Mobile installed`
+<img width="423" alt="Screenshot 2022-09-26 at 12 48 22 AM" src="https://user-images.githubusercontent.com/25465133/192221856-f8c09525-feec-46bc-b434-a5b0bad01f9d.png">
+
+8. Right Click the QR Code and copy the image URL
+<img width="423" alt="Screenshot 2022-09-26 at 12 49 43 AM" src="https://user-images.githubusercontent.com/25465133/192222277-08102469-a447-4960-b17d-e6dd36bc5397.png">
+
+9. In terminal type the following and press 'Enter' (replace the URL with the URL you copied)
+```bash
+duo-bypass 'https://api-12345678.duosecurity.com/frame...'
+```
+![SCR-20220926-1hx](https://user-images.githubusercontent.com/25465133/192225295-545c1a31-fcf9-4a2d-b212-281c2f4ce324.png)
+
+10. Open your HOTP app of choice (Such as Google Authenticator) and scan the QR Code.
+11. Done! The OTP codes within you HOTP app should be in sync with DUO. You may need to press the refresh button to update the code.

duo-workaround → script/duo-bypass

@@ -22,6 +22,5 @@ SECRET=$(jq -j .hotp_secret <<< $RESPONSE | base32)
 SECRET=${SECRET//[=]/}
 
 # Generate OTPAUTH QR Code and Bypass Codes
-qrencode "otpauth://hotp/${CUSTOMER}?secret=${SECRET}&issuer=DUO&counter=1" -t ANSI
-echo "Key: ${SECRET}\n\nWarning: Only HOTP (not just TOTP) applications are supported, such as Google Authenticator.\nUse the following one time codes to bypass DUO if you lose access to your device:"
-oathtool $SECRET -b -w 10
+qrencode "otpauth://hotp/${CUSTOMER}?secret=${SECRET}&issuer=DUO" -t ANSI
+echo "Key: ${SECRET}\n\nWarning: Only HOTP (not just TOTP) applications are supported, such as Google Authenticator."