A security assessment tool for Duo MFA implementations that uses the Duo Auth API to test various authentication mechanisms. For authorized penetration testing use only.
- User enumeration through preauth endpoint
- Device ID retrieval for enrolled users
- Multiple auth factor support:
- Push notifications
- Phone calls
- SMS passcodes
- OTP/passcodes
- Auth status checking with transaction IDs
- Lockout testing with configurable attempts
git clone https://github.com/yourusername/duopwn.git
cd duopwn
pip install -r requirements.txtBasic command structure:
python duopwn.py -U <api-hostname> -i <integration-key> -s <secret-key> -A <action> [options]- Enumerate users from a list:
python duopwn.py -U api-xyz.duosecurity.com -i IKEY -s SKEY -l users.txt- Force a push notification:
python duopwn.py -U api-xyz.duosecurity.com -i IKEY -s SKEY -u username -A auth -d DEVICE_ID -f push- Test account lockout:
python duopwn.py -U api-xyz.duosecurity.com -i IKEY -s SKEY -u username -A lockout --attempts 5- Check auth status:
python duopwn.py -U api-xyz.duosecurity.com -i IKEY -s SKEY -u username -A auth_status -t TXIDping: Test API connectivitycheck: Verify integration keyenroll: Start enrollment processenroll_status: Check enrollment statuspreauth: Check user enrollment and get device infoauth: Initiate authenticationauth_status: Check authentication statuslockout: Test account lockout mechanisms
-U, --url: Duo API hostname-i, --ikey: Integration key-s, --skey: Secret key-u, --user: Single username-l, --list: File containing usernames-d, --device: Device ID (from preauth)-f, --factor: Auth factor (push/phone/sms/passcode)-p, --passcode: OTP/passcode value-t, --txid: Transaction ID for status checks--attempts: Number of attempts for lockout testing
This tool is for authorized penetration testing and security research only. Users must ensure they have explicit permission to test the target Duo implementation. Unauthorized testing may violate applicable laws.