OpenTOTP is yet another time-based, one-time passwords (OTPs) generator/verifier inspired by RFC 6238.

Related tags

Security related resourcesopentotp
Overview

OpenTOTP

OpenTOTP is yet another time-based, one-time passwords (OTPs) generator/verifier inspired by RFC 6238.

It generates and validates OTPs based on:

  1. Shared secret
  2. Current UTC time

OpenTOTP uses HMAC-SHA256 to generate OTPs, encodes them using any alphabet (predefined set of output characters) you may need, and truncates OTPs to the expected length.

To ensure generated passwords can be used one-time only, applications that use this package must either mark successfully verified OTPs as already used ones (and temporarily store them in a database until OTP expires) so used OTPs can be rejected, or can use optional, one-time nonce value while generating OTP.

As defined in RFC 6238, the OpenTOTP verification mechanism allows for an OTP drift so a specified number of older/newer OTP values are also accepted as valid ones. This helps to increase the chance of successful verification when the current UTC time on the client and server sides are slightly different.

Note that the shared secret value can be customized in any manner, effectively limiting the validation scope of an OTP, for instance:

  • Per application (shared secret = application-level secret)
  • Per user/session (shared secret = user/session unique random secret)
  • Per transaction (shared secret = transaction unique random secret)

Needless to say, the shared secret must be kept secret. Once its confidentiality or integrity is breached, the intruder can impersonate the user.

Installation

  1. You can install the OpenTOTP from PyPI: 
    python -m pip install opentotp

Quick start

  1. Generate OTP (using default settings)

    python -m opentotp generate

  2. Verify OTP

    python -m opentotp verify OTP_VALUE

Command line usage

  1. Generate OTP using custom secret

    TOTP_SECRET=`python -c "import os; print(os.urandom(32).hex())"`
python -m opentotp --secret ${TOTP_SECRET} generate

  2. Generate OTP using verbose mode

    python -m opentotp -v generate

  3. Generate OTP that changes every 30 seconds

    python -m opentotp --otp-change-interval 30 generate

  4. Generate OTP that uses only Arabic numerals as the output alphabet

    python -m opentotp --alphabet "0123456789" generate

  5. Verify if OTP is correct

    # Sample OTP value: yfPXifub
python -m opentotp --secret "REPLACE_WITH_SECRET_USED_TO_GENERATE_OTP" verify yfPXifub

  6. When verifying, also accept 4 older/newer OTPs

    # Sample OTP value: yfPXifub
python -m opentotp --otp-change-interval 30 --otp-drift 4 verify yfPXifub

Command line parameters

usage: opentotp.py [-h] [--timestamp TIMESTAMP] [--secret SECRET] [--alphabet ALPHABET] [--otp-length OTP_LENGTH] [--otp-change-interval OTP_CHANGE_INTERVAL] [--otp-drift OTP_DRIFT]
                   [--nonce NONCE] [--version] [-v | -q]
                   {generate,verify} ...

Generate or verify Time-based One-Time Passwords (TOTPs) based on shared secret and current UTC timestamp.

  To generate new OTP:
       python -m opentotp generate

  To verify OTP: 
       python -m opentotp verify OTP_VALUE

optional arguments:
  -h, --help            show this help message and exit
  --timestamp TIMESTAMP
                        Custom UTC Epoch timestamp to use
  --secret SECRET       Shared secret value
  --alphabet ALPHABET   Custom encoding (output) alphabet
  --otp-length OTP_LENGTH
                        Length of OTP
  --otp-change-interval OTP_CHANGE_INTERVAL
                        OTP change interval [in seconds]
  --otp-drift OTP_DRIFT
                        A number of previous/next OTPs to accept
  --nonce NONCE         A one-time-only NONCE value to prevent replay-attacks
  --version             show program's version number and exit
  -v, --verbose         Include configuration parameters in result screen
  -q, --quiet           Quiet mode. Print OTP only or return result of verification (TRUE or FALSE)

sub-commands:
  {generate,verify}     OpenTOTP mode of operation
    generate            Generate new OTP
    verify              Verify if provided OTP is correct

Module usage

Sample code snippet

#!/usr/bin/env python3

from opentotp import OpenTOTP
from uuid import uuid4

otp = OpenTOTP(secret=uuid4().hex,
               alphabet="0123456789",
               otp_length=6,
               otp_change_interval=30,
               otp_drift=3)

otp_value = otp.generate()
result = otp.verify(otp_value)

print("------------------------------------------")
print(f"OTP: {otp_value}")
print(f"OTP verification status: {'SUCCESS' if result else 'FAILURE'}")
print("------------------------------------------")

Docker usage

For some, this may be the fastest and cleanest way to try OpenTOTP:

  1. Build docker image and run the container

    git clone https://github.com/prevenitylabs/opentotp.git opentotp
cd opentotp
docker build -t opentotp .
docker run --rm opentotp --help

  2. Generate OTP

    docker run --rm opentotp generate

  3. Verify OTP

    docker run --rm opentotp -v verify OTP_VALUE
Owner
GitHub Repository
Generate malicious files using recently published homoglyphic-attack (CVE-2021-42694)

CVE-2021-42694 Generate malicious files using recently published homoglyph-attack vulnerability, which was discovered at least in C, C++, C#, Go, Pyth

js-on 17 Dec 11, 2022
LittleBrother is a simple parental control application monitoring specific processes on Linux hosts to monitor and limit the play time of children.

Parental Control Application LittleBrother Overview LittleBrother is a simple parental control application monitoring specific processes (read "games"

40 Dec 21, 2022
CVE-2021-26084 Remote Code Execution on Confluence Servers

CVE-2021-26084 CVE-2021-26084 Remote Code Execution on Confluence Servers. Dork Fofa: app="ATLASSIAN-Confluence" Usage Show help information. python P

FQ Hsu 63 Dec 30, 2022
wsvuls - website vulnerability scanner detect issues [ outdated server software and insecure HTTP headers.]

WSVuls Website vulnerability scanner detect issues [ outdated server software and insecure HTTP headers.] What's WSVuls? WSVuls is a simple and powerf

Anouar Ben Saad 47 Sep 22, 2022
Open source vulnerability DB and triage service.

OSV - Open Source Vulnerabilities OSV is a vulnerability database and triage infrastructure for open source projects aimed at helping both open source

Google 893 Jan 04, 2023
Herramienta para descargar eventos de Sucuri WAF hacia disco.

Descarga los eventos de Sucuri Script para descargar los eventos del Sucuri Web Application Firewall (WAF) en el disco como archivos CSV. Requerimient

CSIRT-RD 2 Nov 29, 2021
A deobfuscator for multiple python obfuscators

PY4COC A deobfuscator for multiple python obfuscators, supports exe's packed with pyinstaller too. How to use python3 py4coc.py exe file or py file o

svenskithesource 16 Dec 03, 2022
Scans for Log4j versions effected by CVE-2021-44228

check_mkExtension to check for log4j2 CVE-2021-44228 This Plugin wraps around logpresso/CVE-2021-44228-Scanner (Apache License 2.0) How it works Run i

inett GmbH 4 Jun 30, 2022
Genpyteal - Experiment to rewrite Python into PyTeal using RedBaron

genpyteal Converts Python to PyTeal. Your mileage will vary depending on how muc

Jason Livesay 9 Oct 19, 2022
This project is all about building an amazing application that will help users manage their passwords and even generate new passwords for them

An amazing application that will help us manage our passwords and even generate new passwords for us.

1 Jan 23, 2022
Steal Files on a Windows Machine

File-Stealer Steal Files on a Windows Machine About This Script will steal certain Files on a Windows Machine and sends them to a FTP Server. Preview

Marcel 5 Nov 17, 2022
labsecurity is a tool that brings together python scripts made for ethical hacking, in a single tool, through a console interface

labsecurity labsecurity is a tool that brings together python scripts made for ethical hacking, in a single tool, through a console interface. Warning

Dylan Meca 16 Dec 08, 2022
FTP-Exploits is a tool made in python that contains 4 diffrent types of ftp exploits that can be used in Penetration Testing.

FTP-exploits FTP-exploits is a tool which is used for Penetration Testing that can run many kinds of exploits on port 21(FTP) Commands and Exploits Ex

1 Dec 26, 2021
Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling.

sshuttle: where transparent proxy meets VPN meets ssh As far as I know, sshuttle is the only program that solves the following common case: Your clien

9.4k Jan 04, 2023
CVE-2021-26855: PoC (Not a HoneyPoC for once!)

Exch-CVE-2021-26855 ProxyLogon is the formally generic name for CVE-2021-26855, a vulnerability on Microsoft Exchange Server that allows an attacker b

ZephrFish 24 Nov 14, 2022
CVE-2021-26084 - Confluence Pre-Auth RCE OGNL injection

CVE-2021-26084 - Confluence Pre-Auth RCE OGNL injection Usage usage: cve-2021-26084_confluence_rce.py [-h] --url URL [--cmd CMD] [--shell] CVE-2021-2

r0cky 92 Jul 20, 2022
Fast python tool to test apache path traversal CVE-2021-41773 in a List of url

CVE-2021-41773 Fast python tool to test apache path traversal CVE-2021-41773 in a List of url Usage :- create a live urls file and use the flag "-l" p

Zahir Tariq 12 Nov 09, 2022
IDA plugin for quickly copying disassembly as encoded hex bytes

HexCopy IDA plugin for quickly copying disassembly as encoded hex bytes. This whole plugin just saves you two extra clicks... but if you are frequentl

OALabs 46 Oct 30, 2022
An IDA pro python script to decrypt Qbot malware string

Qbot-Strings-Decrypter An IDA pro python script to decrypt Qbot malware strings.

stuckinvim 6 Sep 01, 2022
Bypass 4xx HTTP response status codes.

Forbidden Bypass 4xx HTTP response status codes. To see all the test cases, check the source code - follow the NOTE comments. Script uses multithreadi

Ivan Šincek 165 Dec 28, 2022