We can all agree that having single-factor remote access gateways (VPN, Citrix, Remote Apps, etc.) exposed on the internet is a poor decision and a large security risk. These portals can allow for a direct connection into the internal corporate environment. Once there, an attacker can begin to identify internal vulnerabilities, move laterally, escalate privileges, persist, and hoover out all the data they want. Fortunately, these portals are increasingly behind a multi-factor solution (phone call, hard/soft token, certificate, etc.). While this does help to reduce the attack surface from a direct brute-force attack (username and password), there are often overlooked options or misconfigurations that can allow an attacker to bypass this solution or directly disrupt business operations. In this talk we’ll be covering methods that we’ve used to bypass MFA solutions to obtain internal network access from the internet.