Hosted by Darren Kitchen and Shannon Morse. New episodes Tuesdays.
Put together by a band of IT ninjas, security professionals and hardcore gamers, Hak5 isn't your typical tech show. We take on hacking in the old-school sense, covering everything from network security, open source and forensics, to DIY modding and the homebrew scene. Then we wrap it all up with a... Read More
This time on the show, an online brute force attack against Android successfully defeats 4-digit PIN codes in about 16 hours using the USB Rubber Ducky without wiping user data. Plus, BackBox Linux - is this a pen-testing OS for every day use? All that and more, this time on Hak5.
Android Brute Force Attack with USB Rubber Ducky
Brute forcing Android PIN authentication with a USB Rubber Ducky. Thus far it works perfectly on a Galaxy Nexus running the latest Android 4.2.1. I've also tested it with a Galaxy Note 2 running 4.2.1 and it has run as expected.
I'm very surprised that with the stock Android OS and recommended settings of setting a PIN code this was possible. I had expected the phone to reset or format after 100 attempts or something like that.
With a 4 digit PIN and the default of 5 tries followed by a 30 second timeout you're looking at a best case scenario of exhausting the key space in about 16.6 hours. Not bad all things considered. If you're the NSA or the Mafia that's totally reasonable, I'd say. Thankfully the USB Rubber Ducky never gets tired, bored or has to pee.
Rather than post the nearly 600K duckyscript I'll just post the bit of bash I used to create it. You could modify it to do 5 digit, but that would take 166 hours. 10 digit would take 1902.2 years. ;-)
echo DELAY 5000 > android_brute-force_0000-9999.txt; echo {0000..9999} | xargs -n 1 echo STRING | sed '0~5 s/$/\nWAIT/g' | sed '0~1 s/$/\nDELAY 1000\nENTER\nENTER/g' | sed 's/WAIT/DELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER\nDELAY 5000\nENTER/g' >> android_brute-force_0000-9999.txt
BackBox Linux
Daniel says: Have you heard of Back Box? It's an Ubuntu based OS with a focus on pen testing with an XFCE desktop. But, unlike backtrack it is actually functional as a day to day OS. I've been using it as my main OS for 5 months now and I truthfully believe it doesn't receive enough attention.
Download Back Box Linux
9 days ago
Employers want social media passwords, US gets a #CPO, and #TheOnion! All that and more this time on #ThreatWire! http://t.co/SrZpicvnt6
11 days ago
#Installing #Solar panels, #Google #Chrome #extensions, and more on @Hak5! http://t.co/QppYLgZpi5
11 days ago
Legalizing #Internet eavesdropping, #LivingSocial is #hacked, and more on this weeks #ThreatWire! http://t.co/xyIxzy8kes
11 days ago
@thescribe I didn't! They were disabled and enabled throughout the segment. Each one has a different icon. - @Snubs
11 days ago
@myraitnetwork thank you!
27 days ago
#PGP #Encrypt your email, back up your #Gmail Account with #Ubuntu, text #messaging your #WiFi #Pineapple On #Hak5! http://t.co/KSZeO4GEPU
