RedTeamRaccoon/duopwn

A tool to enum, lockout, and generally pwn a target's Duo MFA setup during a pentest

duopwn

A security assessment tool for Duo MFA implementations that drives the Duo Auth API (/auth/v2) to exercise the authentication mechanisms exposed to an application. It requires the target application's Auth API credentials (API hostname, integration key and secret key), so every request it sends is signed with that integration and the resulting authentication attempts are logged by Duo against it. For authorized penetration testing use only.

Features

  • User enumeration through the /auth/v2/preauth endpoint: the reply's result (auth, allow, deny or enroll) tells enrolled, bypassed, denied and unenrolled users apart; how an unknown username is reported depends on the application's new-user policy, so baseline against a username that cannot exist
  • Device ID retrieval for enrolled users (the device field of each entry in the preauth devices list)
  • Multiple auth factor support:
    • Push notifications
    • Phone calls
    • SMS passcodes
    • OTP/passcodes
  • Auth status checking with transaction IDs
  • Lockout testing with configurable attempts (these are real failed attempts and will lock the target account once the deployment's lockout threshold is reached)
  • Rate limiting for stealthy operations
  • Proxy support (HTTP or SOCKS5) to route traffic through a pivot or Tor; this hides only the source IP, since each call is still signed with the integration key
  • Asynchronous requests for faster operations
  • Batch operations for efficient testing
  • Session management for complex scenarios
  • Response caching to reduce API calls
  • Comprehensive logging with configurable verbosity
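The two things the preauth feature depends on are the Auth API's request signing and the shape of the preauth reply. The following is an added example, not code from duopwn: it signs a request with Duo's documented scheme (HMAC-SHA1 over date, method, host, path and canonical parameters, sent as Basic ikey:signature), includes a verifier for checking a request captured from a proxy, and classifies constructed preauth replies into enumeration outcomes and push-capable device IDs. The integration key, secret key, hostname, usernames and JSON replies are all made up for the demo; only the signing scheme and the result values are Duo's.

```python
"""
Added example (not part of duopwn): sign a Duo Auth API request the way
Duo's documented HMAC scheme requires, then classify a preauth reply for
user enumeration. Only the signing scheme and the preauth result values
are Duo's; the credentials, hostname, usernames and JSON replies below
are constructed for the demo.
"""
import base64
import hashlib
import hmac
from email.utils import formatdate
from urllib.parse import quote


def canonical_params(params: dict) -> str:
    # Keys sorted; key and value percent-encoded with only '~' kept bare.
    return "&".join(
        f"{quote(str(k), safe='~')}={quote(str(v), safe='~')}"
        for k, v in sorted(params.items())
    )


def canonical_request(date: str, method: str, host: str, path: str, params: dict) -> str:
    # The five newline-joined lines Duo signs: date, METHOD, host, path, params.
    return "\n".join([date, method.upper(), host.lower(), path, canonical_params(params)])


def sign_request(ikey: str, skey: str, method: str, host: str, path: str,
                 params: dict, date: str = "") -> dict:
    """Headers for one Auth API call: Date plus Basic base64(ikey:HMAC-SHA1 hex)."""
    date = date or formatdate(usegmt=True)
    canon = canonical_request(date, method, host, path, params)
    digest = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    token = base64.b64encode(f"{ikey}:{digest}".encode()).decode()
    return {"Date": date, "Host": host, "Authorization": f"Basic {token}"}


def verify_request(ikey: str, skey: str, method: str, host: str, path: str,
                   params: dict, headers: dict) -> bool:
    """Recompute the signature for a captured request (e.g. from an intercepting
    proxy) and compare in constant time; confirms the proxy did not alter it."""
    try:
        raw = base64.b64decode(headers["Authorization"].split(" ", 1)[1]).decode()
        got_ikey, got_sig = raw.split(":", 1)
        canon = canonical_request(headers["Date"], method, host, path, params)
    except (KeyError, IndexError, ValueError):
        return False
    expected = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    return got_ikey == ikey and hmac.compare_digest(got_sig, expected)


# Duo's preauth 'result' values and what each tells someone holding the ikey/skey.
PREAUTH_MEANING = {
    "auth": "valid, enrolled user: a second factor is required (devices listed)",
    "allow": "valid user allowed without 2FA (bypass or policy)",
    "deny": "denied by policy, or unknown user under a 'deny' new-user policy",
    "enroll": "not enrolled: how unknown users look under a 'require enrollment' policy",
}


def classify_preauth(resp: dict) -> dict:
    """Reduce one /auth/v2/preauth reply to an outcome plus device IDs usable with -d."""
    if resp.get("stat") != "OK":
        return {"outcome": "error", "code": resp.get("code"),
                "message": resp.get("message"), "devices": []}
    body = resp["response"]
    devices = [
        {"device": d["device"],
         "name": d.get("display_name") or d.get("name") or d.get("type"),
         "capabilities": d.get("capabilities", [])}
        for d in body.get("devices", [])
    ]
    return {"outcome": body["result"], "message": body.get("status_msg"), "devices": devices}


# Constructed replies shaped like the real API; not captured from any deployment.
SAMPLE_REPLIES = {
    "alice": {"stat": "OK", "response": {
        "result": "auth", "status_msg": "Account is active",
        "devices": [{"device": "DPEXAMPLE0000000001", "type": "phone", "number": "XXX-XXX-0100",
                     "name": "", "display_name": "iOS (XXX-XXX-0100)",
                     "capabilities": ["auto", "push", "sms", "phone", "mobile_otp"]}]}},
    "bob": {"stat": "OK", "response": {
        "result": "enroll", "status_msg": "Enroll an authentication device to proceed",
        "enroll_portal_url": "https://api-xyz.duosecurity.com/portal?code=EXAMPLE&akey=EXAMPLE"}},
    "carol": {"stat": "OK", "response": {"result": "deny", "status_msg": "Access denied by policy"}},
    "dave": {"stat": "FAIL", "code": 40002, "message": "Invalid request parameters",
             "message_detail": "username"},
}


def enumerate_users(replies: dict) -> dict:
    """Per username: preauth outcome and the device IDs that accept push."""
    out = {}
    for user, resp in replies.items():
        c = classify_preauth(resp)
        out[user] = {"outcome": c["outcome"],
                     "push_devices": [d["device"] for d in c["devices"] if "push" in d["capabilities"]]}
    return out


if __name__ == "__main__":
    hdrs = sign_request("DIEXAMPLEIKEY00000000", "exampleSecretKeyNotReal", "POST",
                        "api-xyz.duosecurity.com", "/auth/v2/preauth", {"username": "alice"})
    print(hdrs["Authorization"])
    for user, info in enumerate_users(SAMPLE_REPLIES).items():
        print(f"{user:6} {info['outcome']:7} {PREAUTH_MEANING.get(info['outcome'], '')}  push={info['push_devices']}")
```

The enumeration signal is the result value, not an HTTP status: an unknown username and a valid but unenrolled one both return enroll under a "require enrollment" new-user policy, so a control username that cannot exist should be queried first to learn what "unknown" looks like on that application.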

Installation

Option 1: Install from source

git clone https://github.com/RedTeamRaccoon/duopwn.git
cd duopwn
pip install -e .

Option 2: Install directly with pip

pip install git+https://github.com/RedTeamRaccoon/duopwn.git

Option 3: Quick start without installation

git clone https://github.com/RedTeamRaccoon/duopwn.git
cd duopwn
pip install -r requirements.txt
python duopwn.py --help

Usage

Basic command structure:

python duopwn.py -U <api-hostname> -i <integration-key> -s <secret-key> -A <action> [options]

Examples

  1. Enumerate users from a list:
     python duopwn.py -U api-xyz.duosecurity.com -i IKEY -s SKEY -l users.txt
  2. Force a push notification to an enrolled device (the device ID comes from preauth; the real user sees the prompt):
     python duopwn.py -U api-xyz.duosecurity.com -i IKEY -s SKEY -u username -A auth -d DEVICE_ID -f push
  3. Test account lockout (this locks the real account once the threshold is hit; agree it with the client's Duo admins first):
     python duopwn.py -U api-xyz.duosecurity.com -i IKEY -s SKEY -u username -A lockout --attempts 5
  4. Check auth status for a transaction ID returned by an async auth call:
     python duopwn.py -U api-xyz.duosecurity.com -i IKEY -s SKEY -u username -A auth_status -t TXID

Available Actions

  • ping: Test API connectivity (GET /auth/v2/ping, unauthenticated)
  • check: Verify the integration key and secret key (GET /auth/v2/check)
  • enroll: Start enrollment process (POST /auth/v2/enroll)
  • enroll_status: Check enrollment status (POST /auth/v2/enroll_status)
  • preauth: Check user enrollment and get device info (POST /auth/v2/preauth)
  • auth: Initiate authentication (POST /auth/v2/auth)
  • auth_status: Check authentication status (GET /auth/v2/auth_status)
  • lockout: Test account lockout mechanisms by repeating failed auth calls against one user
  • batch: Perform operations on multiple users efficiently

Options

  • -U, --url: Duo API hostname
  • -i, --ikey: Integration key
  • -s, --skey: Secret key
  • -u, --user: Single username
  • -l, --list: File containing usernames
  • -d, --device: Device ID (from preauth)
  • -f, --factor: Auth factor (push/phone/sms/passcode)
  • -p, --passcode: OTP/passcode value
  • -t, --txid: Transaction ID for status checks
  • --attempts: Number of attempts for lockout testing
  • --proxy: Proxy URL (e.g., http://127.0.0.1:8080, socks5://127.0.0.1:9050)
  • --rate-limit: Requests per second (default: 1.0)
  • --async: Use asynchronous requests for batch operations
  • --no-cache: Disable response caching
  • -v, --verbose: Increase verbosity (use -v or -vv)

Legal Disclaimer

This tool is for authorized penetration testing and security research only. Users must ensure they have explicit permission to test the target Duo implementation. Unauthorized testing may violate applicable laws.

Examples of New Features

Using Batch Mode with Async Requests

duopwn -U api-xyz.duosecurity.com -i IKEY -s SKEY -A batch -l users.txt --async --rate-limit 2.0

Using Proxy for Anonymization

duopwn -U api-xyz.duosecurity.com -i IKEY -s SKEY -u username -A preauth --proxy socks5://127.0.0.1:9050

Using Verbose Logging

duopwn -U api-xyz.duosecurity.com -i IKEY -s SKEY -u username -A auth -d DEVICE_ID -f push -vv
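The lockout example and the batch/rate-limit examples above combine two controls a tester has to get right: pacing requests so a concurrent batch does not burst past the agreed rate, and counting failed attempts per user so the test does not lock out a real account unless that is the intent. The following is an added example, not duopwn's own code, showing both against a constructed stand-in for POST /auth/v2/auth. The FakeDuoAuth stub, its lockout threshold and the usernames are assumptions for the demo; the real Duo threshold is whatever the deployment configures, and a real run would replace the stub with signed HTTPS calls.

```python
"""
Added example (not duopwn's own code): paced, concurrent lockout testing
against a simulated Duo /auth/v2/auth endpoint, with a guard that stops one
attempt short of the lockout threshold unless the operator opts in. The
FakeDuoAuth stub, its threshold and every username are assumptions for the
demo; a real run replaces the stub with signed HTTPS calls to the Auth API.
"""
import asyncio
import time

# Constructed replies shaped like Duo's auth response; 'locked_out' is a real status value.
LOCKED = {"stat": "OK", "response": {"result": "deny", "status": "locked_out",
                                      "status_msg": "This user is locked out (constructed)"}}
DENIED = {"stat": "OK", "response": {"result": "deny", "status": "deny",
                                      "status_msg": "Incorrect passcode (constructed)"}}


class Pacer:
    """Global pacing shared by all tasks: at most `rps` requests per second in
    total, so concurrent users cannot burst past the agreed stealth budget."""

    def __init__(self, rps: float):
        self.interval = 1.0 / rps
        self._next = 0.0
        self._lock = asyncio.Lock()  # instantiate inside the running loop (see batch_lockout)

    async def wait(self) -> None:
        async with self._lock:
            now = time.monotonic()
            slot = max(now, self._next)   # next free send slot
            self._next = slot + self.interval
        await asyncio.sleep(slot - now)


class FakeDuoAuth:
    """Constructed stand-in for POST /auth/v2/auth with factor=passcode: every
    passcode is wrong, and the user reports 'locked_out' once `threshold`
    consecutive failures have accumulated (assumed behaviour for the demo)."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self.failures: dict = {}
        self.calls = 0

    async def auth(self, username: str, passcode: str) -> dict:
        self.calls += 1
        self.failures[username] = self.failures.get(username, 0) + 1
        return LOCKED if self.failures[username] >= self.threshold else DENIED


async def lockout_test(api, pacer: Pacer, username: str, attempts: int,
                       threshold: int, allow_lockout: bool = False) -> dict:
    """Send wrong passcodes until the attempt budget is spent or the account locks.
    Without allow_lockout the budget is capped at threshold-1 so the real user keeps access."""
    budget = attempts if allow_lockout else min(attempts, threshold - 1)
    sent, status = 0, None
    for n in range(budget):
        await pacer.wait()
        resp = await api.auth(username, passcode=f"{n:06d}")  # deliberately wrong codes
        sent += 1
        status = resp["response"]["status"]
        if status == "locked_out":
            break
    return {"user": username, "sent": sent, "final_status": status,
            "locked": status == "locked_out"}


async def batch_lockout(api, usernames, attempts, threshold, rps=2.0, allow_lockout=False):
    pacer = Pacer(rps)  # built here so the Lock binds to the running event loop
    return await asyncio.gather(*(lockout_test(api, pacer, u, attempts, threshold, allow_lockout)
                                  for u in usernames))


def run_batch(api, usernames, attempts, threshold, rps=2.0, allow_lockout=False) -> list:
    """Synchronous entry point; one result dict per username, in input order."""
    return asyncio.run(batch_lockout(api, usernames, attempts, threshold, rps, allow_lockout))


if __name__ == "__main__":
    api = FakeDuoAuth(threshold=5)  # assumed deployment threshold
    for r in run_batch(api, ["alice", "bob"], attempts=10, threshold=5, rps=50.0):
        print(r)  # each user gets 4 attempts, nobody is locked
    api = FakeDuoAuth(threshold=5)
    print(run_batch(api, ["alice"], attempts=10, threshold=5, rps=50.0, allow_lockout=True)[0])
```

The pacer is deliberately global rather than per user: a --rate-limit of 2.0 against a list of fifty usernames would otherwise become a hundred requests per second. The threshold-1 cap is the safe default; passing allow_lockout is the equivalent of choosing --attempts at or above the configured threshold, which is a deliberate denial of service against that user.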

Project Structure

The project has been refactored into a modular structure:

duopwn/
├── __init__.py      # Package initialization
├── __main__.py      # Entry point for python -m duopwn
├── actions.py       # Action-specific functions
├── api.py           # API interaction functions
├── cli.py           # Command-line interface
└── utils.py         # Utility functions and classes

This modular structure makes the code more maintainable, testable, and extensible.
