I appreciate this is tongue in cheeck but given that it should be possible for me to constantly scan his server and get each port change is there anything I can do with that? i.e. derive his 2FA private key
IANA cryptologist, but it should not be possible to derive the shared secret from the token, if I understand correctly this is discussed in the HOTP spec[0]
> Assuming an adversary is able to observe numerous protocol exchanges and collect sequences of successful authentication values. This adversary, trying to build a function F to generate HOTP values based on his observations, will not have a significant advantage over a random guess.
> Assuming an adversary is able to observe numerous protocol exchanges and collect sequences of successful authentication values. This adversary, trying to build a function F to generate HOTP values based on his observations, will not have a significant advantage over a random guess.
[0] https://tools.ietf.org/html/rfc4226#section-6