Multi-factor authentication attack and bypass framework for authorised red team engagements. OTP brute-force with rate-limit bypass, MFA fatigue (push bombing), TOTP seed extraction, session token interception and Evilginx-style reverse-proxy phishing.
📱
MFA Fatigue / Push Bombing
Automated Authenticator push spamming with timing control to maximize approval-fatigue success rate.
🔢
OTP Brute-Force
TOTP and HOTP brute-force with rate-limit fingerprinting and adaptive throttling to avoid lockout.
🕸️
Reverse-Proxy Phishing
Evilginx-compatible AiTM session token capture for Microsoft 365, Google Workspace and Okta.
🌱
TOTP Seed Extraction
Identifies and extracts TOTP seeds from authenticator app backups, QR codes and provisioning endpoints.
📡
SMS Intercept Analysis
Tests SMS-OTP SIM-swap exposure and SS7 forwarding vulnerability surface for scope-approved targets.
📄
MFA Bypass Report
Documents bypass method, success rate and remediation — ready for inclusion in the engagement report.