Hey @ustayready , I've got a GitHub module that I want to submit a PR for but I got to thinking...
Since GitHub users are more technically savvy than the average gmail user, I chose to not downgrade GitHub logins to SMS. This means that, in a best-case scenario, I've got 30 second to steal an entered 2FA token.
My GitHub modules instead logs in with the provided creds/OTP and stores the all 'Set-Cookie' values from a successful authentication. From there, timing is less of an issue. I can pop the session cookies into my browser some hours later and still get access to the target's github account.
My point: What do you think about baking this functionality into credsniper core as opposed to at the module level? Maybe default behaviour or by adding a --sessions option? I'm happy to do it, just asking if it's the sort of direction you'd be OK with taking for CredSniper
Hey @ustayready , I've got a GitHub module that I want to submit a PR for but I got to thinking...
Since GitHub users are more technically savvy than the average gmail user, I chose to not downgrade GitHub logins to SMS. This means that, in a best-case scenario, I've got 30 second to steal an entered 2FA token.
My GitHub modules instead logs in with the provided creds/OTP and stores the all 'Set-Cookie' values from a successful authentication. From there, timing is less of an issue. I can pop the session cookies into my browser some hours later and still get access to the target's github account.
My point: What do you think about baking this functionality into credsniper core as opposed to at the module level? Maybe default behaviour or by adding a
--sessionsoption? I'm happy to do it, just asking if it's the sort of direction you'd be OK with taking for CredSniper