Wednesday, January 15, 2014

Brute forcing Android PIN’s with an Arduino and Authentication Weakness

Sticking with the theme this week, I have been bored and haven’t been able to sleep well. I decided to try my hand at brute forcing the PIN on my Samsung Galaxy S3.  Annoyingly enough the Android operating system thought people would do this and after 5 failed attempts you have to wait 30 seconds. Luckily, that doesn't change so automating will be easy. I have seen Hak5’s rubber ducky do this attack as it simply emulates a keyboard. So I decided to try it with my Arduino, and it works just fine.  If you went from 0000 - 9999 that would take roughly 16 hours, the odds are you would get it before then.

I also tried to play with other authentication types on my phone. The most interesting was the pattern type which now forces you to create a backup PIN. If this is set and you can’t get the pattern you can brute force the backup PIN all day and it doesn't have the 30 second delay. After 5 failed swipe attempts you get the option to enter your backup PIN. See the image below. That makes for much faster brute forcing.

The Arduino Sketch below first tries the top 20 PIN’s and then starts its brute force cycle. Yes, it will repeat those 20 eventually but we will try those first, just in case.

For this attack to work you will need an Arduino Leonardo, or an Arduino that can act as a HID (Human Interface Device), an USB OTG (on-the-go) cable and a target device. I always set my HID sketches to work with a switch as I do not want to race the clock trying to upload a new sketch.
In all seriousness this would be a last resort type of thing for me, it’s going to take a long time. I would try to narrow it down somehow, like eliminate the 0 range such as 0000-0999. Do most people start with a zero maybe not?

Finally, the backup PIN brute force in my opinion is a real issue; you could brute force that fairly quickly. 

Tuesday, January 14, 2014

Because I was bored

In my quest to continue to learn more about python I decided to try my hand at making a GUI application. I then thought why not a simple SMTP tool. Why? You ask, honestly some nights are long and boring.   I also wanted to write something cross platform so I chose wxPython. This was nothing more than a see if I can do it type of exercise. It was an experience, and lining things up wasn't fun. The other thing I wanted to do was compile it to an executable which I used PyInstaller. Shockingly because of all the added items with a GUI, the final binary turned out to be 7.5MB that's huge. This was still a fun little tool to build, and I learned a lot doing it. 

The tool is straight forward, simply put in the relevant information and hit OK to send. You will need an email server with open relay to put in to the server and port information. I use Sendmail or Postfix either work just fine. Don’t ask me how to do it, Google It

Here is an image and the code is below. I am not liable for how you use this tool and you are only allowed to use it against targets which you have permission. 

Code Below: