How to unlock PIN protected Android device using ADB and HID method | Brute force | Rubber Ducky

Captions
Welcome to my video, where I will demonstrate how to unlock a PIN-protected lock screen on an Android device. This video is about the possibilities, the options, how to unlock such a smartphone. We will focus only on Android PINs, not iPhones, and we will cover mainly PIN, not pattern or passcode protected devices. This video is a result of my research into how to unlock such a smartphone using various techniques; I've been posting on my social media and I received dozens if not hundreds of requests to create such tutorials on how this can be done on your locked smartphone. Also, there is no 100% guaranteed technique that would unlock your protected Android.

What is the purpose? Well, you forgot your PIN; you found your old smartphone and you would like to retrieve the data that is stored on it, but you don't recall the PIN code. Someone in your family, someone close to you, your friend, deceased, and still you would like to retrieve the photos, the videos, the memories; this is also one of the popular requests I've been receiving on my social media. And last but not least, for forensic analysis you need to unlock a smartphone to retrieve the data. This is only for educational purposes; don't try to get inside a locked smartphone without the explicit permission of its owner.

Now let's continue with the possibilities of how to unlock such a protected smartphone. There are a few. The first one: using an exploit, an exploit that bypasses lock screen protection or escalates privileges to root. Then using trial and error, which could be automated into a brute force. And the last one, if you don't care about the data, you can factory reset from recovery. There are not many options, not many possibilities, so the only one that we will focus on in this video is brute force.

Of course, using brute force has its limitations; actually there are two, to my knowledge. The first one is a timeout. There is no way to bypass the timeout without an exploit. What does it mean? After five wrong PIN attempts, a 30 second cooldown; another five wrong, another 30 seconds; and then after each wrong PIN there is a 30 second cooldown until you reach 41 attempts; then there is a 60 second cooldown after each wrong PIN. These timeouts are for stock Android, at least to my knowledge; if you are using a custom UI, custom MIUI, then there might be some differences. If we put this in actual numbers, how long would it take to unlock different PIN protection? If you have a four digit PIN, it means there are ten thousand possible combinations; to go through all of them using the script I will shortly introduce would take 167 hours, which is approximately 70. And by increasing the number of digits, the time spent on cracking exponentially increases, so if you use an eight digit PIN code it would take 190 years. The second limitation is factory reset. This is not set by default; it needs to be set by the user from settings, and it means that after 15 wrong attempts the device will erase all the data. So there are two limitations again: timeout and factory reset.

Let's focus on the brute force. Brute force can be performed using two options: the first one is using ADB, where USB debugging needs to be enabled, and the second one using HID, human interface device, a Rubber Ducky.

Let's start with ADB. What are the requirements? The smartphone needs to have USB debugging enabled as an option; the smartphone whose PIN we want to crack or brute force needs to be authorized by the connected computer or another Android. The problem is that if we receive a smartphone that is already locked, there is no way to enable USB debugging and authorize the smartphone; because of that, I believe this technique is not really useful. Still, I will show you one tool, vbrooter, that is available on GitHub; all the links will be posted in the video description. Still, using ADB there is no way to bypass timeouts except for one Android version, which is Android 8.0. It introduced a new feature that made it possible to change the PIN, pattern or password of the lock screen using a new ADB command, and that feature contained a bug which would result in bypassing timeouts, but only for Android 8.0. I tested that for Android 8.1, 8.0 and 10, and this feature, or this bug, is not present anymore.

I prepared a quick demonstration. I have two smartphones; this is the main one that will perform the brute force. I'm using an OTG cable. This is Android 8.0. I will unlock the smartphone using my PIN 0026 and I will start vbrooter on my Android. It means that it goes through all the PIN combinations, starting from 0000 until it reaches 0026. There are no throttles on the PIN; you see the errors, this means that there should be a timeout cooldown, but that was the problem in here: it was not implemented correctly. Because of that we can unlock our smartphone by using all the combinations in a short time period. Still, other versions of Android are not supported and you still need to have USB debugging enabled; because of that I believe this is obsolete.

We will focus on HID, using either a Rubber Ducky or Android. What does it mean? HID, human interface device: it means that the smartphone or USB connected to a targeted device that is locked and PIN protected behaves as a keyboard, and this keyboard will send exact keys, and these keys are actually PIN codes. There is no need to enable USB debugging or anything else on the device; if you connect a keyboard to your device, to your tablet or smartphone, it will work. The requirements for this technique are either a rooted Android smartphone that has HID enabled, or a Rubber Ducky USB. How to enable HID for Android, I already prepared two videos that are available on my YouTube channel. Then we need an OTG cable that connects our main and targeted smartphone. For the HID brute force we will use the Android PIN brute force tool that is available on GitHub; it's for free and super handy. It has a lot of pros and cons; for example, you can test various PINs from length 1 to 10. It uses optimized PIN lists for four, five and six digit PINs; this is based on the most popular top PINs being used, based on statistics. It detects all the timeouts, and if you unplug your smartphone (since if you're trying to crack the PIN it will take a lot of hours and you need to recharge your device), if you unplug, charge the smartphone and plug it back in, it continues where it stopped. There's one problem: since it's an HID connected keyboard, in this case it cannot receive any events from the smartphone, so it doesn't know whether the PIN was correct or not, so it would still continue guessing and entering the other PINs in the row, in the list. Because of that we need to manually grab the attempt from the logs and compare it with the PIN that is in the PIN list. I'll demonstrate it later on.

How to install the tool: git clone, change mode for execution, and just trigger it. There are various options; when you try to crack a four length PIN, this is the command. After you git clone, it's necessary to edit the config file that contains, in one of the last lines, HID keyboard, a global value that has the path to the HID binary for a keyboard; this needs to be replaced with yours. And here's a quick example: the main smartphone executes this script, where we try to guess the PIN with four digits, and after five attempts there is a timeout and the script waits until the timeout is done. I also prepared a longer demonstration on this topic, where I will perform guessing a more sophisticated PIN. Actually, it will go through 44 PINs: first five attempts, timeout, another five attempts, timeout, and until we reach attempt 41 it would increase to 60 seconds. Until right now: we will guess the correct PIN, and as you can see there is no log of the correct PIN; we only see that there was attempt number 45. Based on this attempt number we have to search the PIN in the list of optimized PINs, and we also see how long it took; in this case it was around 25 minutes.

How to prevent this scenario: if you believe you might be a target, use longer PINs, either six to eight digits, and as you saw it will take years to crack that. Also, don't use easy to guess PIN codes, or you can also switch to passwords. One more option: set factory reset after 15 wrong attempts. I don't use this technique because if you have a kid in your home it might not end up really well for you.

We're heading to the conclusion. When you have a locked smartphone there are not many possibilities how to unlock such a smartphone: you need to either have an exploit or you have to brute force the PIN; there's no other option. This technique was only against PINs, not passwords, since a password might be more complex and you would need a wordlist. Cracking a pattern is not that simple, because our script needs to be customized for various displays and needs to perform clicks and swipes at particular parts of the screen. Also, if you use a password it's much more secure. Using brute force is a long lasting operation, but there is no other option how to unlock such a protected smartphone; because of that you need to be really patient. Thank you very much for your time; I hope you never need to use this technique. Bye guys.
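As an added illustration (not the video's code, and not code from any of the tools it names), the following Python models the stock-Android throttling schedule the speaker describes and reproduces the 167-hour and 190-year figures, so a defender can see how PIN length and the optional "erase after 15 wrong attempts" setting change the exposure. The schedule boundaries (a 30 s cooldown after attempts 5 and 10, 30 s after every attempt from 11 to 40, 60 s from attempt 41 on), the zero typing time per entry, and the idea that the wipe counter is independent of the cooldowns are assumptions drawn from the transcript, not verified Android behaviour:

```python
"""Time-to-exhaust model for Android lock-screen PIN throttling.

Added illustration. The schedule below is an ASSUMPTION transcribed from the
video's description of stock Android; vendor UIs may differ, and typing time
defaults to zero. Every attempt is treated as wrong, which gives an upper bound.
"""

SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365.25 * 24 * SECONDS_PER_HOUR


def cooldown_after(attempt: int) -> int:
    """Cooldown (seconds) imposed after wrong attempt number `attempt` (1-based).

    Attempts 1..10 : 30 s after the 5th and the 10th wrong attempt.
    Attempts 11..40: 30 s after every wrong attempt.
    Attempts 41+   : 60 s after every wrong attempt.
    """
    if attempt < 1:
        raise ValueError("attempt numbers start at 1")
    if attempt <= 10:
        return 30 if attempt % 5 == 0 else 0
    if attempt <= 40:
        return 30
    return 60


def total_cooldown(attempts: int) -> int:
    """Closed form of sum(cooldown_after(i) for i in 1..attempts).

    Kept arithmetic so that 10**8 attempts does not mean a 10**8 loop.
    """
    if attempts <= 0:
        return 0
    total = 30 * (min(attempts, 10) // 5)           # after attempts 5 and 10
    if attempts > 10:
        total += 30 * (min(attempts, 40) - 10)      # attempts 11..40
    if attempts > 40:
        total += 60 * (attempts - 40)               # attempts 41 onward
    return total


def exhaustive_search_seconds(n_digits: int, seconds_per_entry: float = 0.0) -> float:
    """Upper bound on wall-clock time to try all 10**n_digits numeric PINs."""
    if n_digits < 1:
        raise ValueError("a PIN has at least one digit")
    attempts = 10 ** n_digits
    return attempts * seconds_per_entry + total_cooldown(attempts)


def hours_to_exhaust(n_digits: int, seconds_per_entry: float = 0.0) -> float:
    return exhaustive_search_seconds(n_digits, seconds_per_entry) / SECONDS_PER_HOUR


def years_to_exhaust(n_digits: int, seconds_per_entry: float = 0.0) -> float:
    return exhaustive_search_seconds(n_digits, seconds_per_entry) / SECONDS_PER_YEAR


def fraction_searchable_before_wipe(n_digits: int, wipe_after: int = 15) -> float:
    """Share of the PIN space that can be tried before the optional
    'erase after N wrong attempts' setting wipes the device (assumed to
    count independently of the cooldowns)."""
    space = 10 ** n_digits
    return min(wipe_after, space) / space


if __name__ == "__main__":
    # Table for the PIN lengths the video discusses (4 to 8 digits).
    print(f"{'digits':>6} {'hours':>12} {'years':>10} {'tried before wipe':>18}")
    for n in range(4, 9):
        print(f"{n:>6} {hours_to_exhaust(n):>12.1f} {years_to_exhaust(n):>10.2f}"
              f" {fraction_searchable_before_wipe(n):>17.4%}")
```

Running it prints roughly 166 hours for four digits and about 190 years for eight, matching the speaker's figures; any realistic per-entry typing time only pushes these numbers up. The last column makes the wipe option's trade-off concrete: with it enabled, only 15 of 10,000 four-digit PINs (0.15%) can ever be tried, which is why the speaker weighs it against the risk of a family member triggering the wipe by accident.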
Info
Channel: Android Infosec
Views: 2,178,234
Keywords: usb rubber ducky, rubber ducky, hid attack, kali linux, nethunter android, hid attack android, androidmalware, badusb, human interface device, ethical hacking, brute force attack, usb rubber duckie, brute force, usb rubber ducky tutorial, android hacking, mobile security, mobile hacking, how to install kali nethunter, cheap usb rubber ducky, usb rubber ducky payloads, termux basic commands, termux, unlock android, how to unlock android, android script, nethunter
Id: x5Rt93jshC8
Length: 10min 58sec (658 seconds)
Published: Tue May 04 2021