Unlock an Android phone (or device) by bruteforcing the lockscreen PIN.
Turn your Kali Nethunter phone into a bruteforce PIN cracker for Android devices!
How it works
It uses a USB OTG cable to connect the locked phone to the Nethunter device. It emulates a keyboard, automatically tries PINs, and waits after trying too many wrong guesses.
[Nethunter phone] <--> [USB cable] <--> [USB OTG adaptor] <--> [Locked Android phone]
The USB HID Gadget driver provides emulation of USB Human Interface Devices (HID). This enables an Android Nethunter device to emulate keyboard input to the locked phone. It's just like plugging a keyboard into the locked phone and pressing keys.
Trying all possible 4 digit PINs against a Samsung S5 takes just over 16.6 hours, but with the optimised PIN list it should take you much less time.
You will need
A locked Android phone
A Nethunter phone (or any rooted Android with HID kernel support)
USB OTG (On The Go) cable/adapter (USB male Micro-B to female USB A), and a standard charging cable (USB male Micro-B to male A).
That's all!
Benefits
Turn your NetHunter phone into an Android PIN cracking machine
Unlike other methods, you do not need ADB or USB debugging enabled on the locked phone
The locked Android phone does not need to be rooted
You don't need to buy special hardware, e.g. Rubber Ducky, Teensy, Cellebrite, XPIN Clip, etc.
You can easily modify the backoff time to crack other types of devices
It works!
Features
Crack PINs of any length from 1 to 10 digits
Use config files to support different phones
Optimised PIN lists for 3, 4, 5, and 6 digit PINs
Bypasses phone pop-ups including the Low Power warning
Detects when the phone is unplugged or powered off, and waits while retrying every 5 seconds
Configurable delays of N seconds after every X PIN attempts
Log file
Installation
TBC
Executing the script
If you installed the script to /sdcard/, you can execute it with the following command.
bash ./android-pin-bruteforce
Note that Android mounts /sdcard with the noexec flag, so the script cannot be executed directly from there and has to be passed to bash as shown. You can verify the flag with mount.
Usage
Android-PIN-Bruteforce (0.1) is used to unlock an Android phone (or device) by bruteforcing the lockscreen PIN.
Find more information at: https://github.com/urbanadventurer/Android-PIN-Bruteforce
Commands:
  crack                 Begin cracking PINs
  resume                Resume from a chosen PIN
  rewind                Crack PINs in reverse from a chosen PIN
  diag                  Display diagnostic information
  version               Display version information and exit

Options:
  -f, --from PIN        Resume from this PIN
  -a, --attempts        Starting from NUM incorrect attempts
  -m, --mask REGEX      Use a mask for known digits in the PIN
  -t, --type TYPE       Select PIN or PATTERN cracking
  -l, --length NUM      Crack PINs of NUM length
  -c, --config FILE     Specify configuration file to load
  -p, --pinlist FILE    Specify a custom PIN list
  -d, --dry-run         Dry run for testing. Doesn't send any keys.
  -v, --verbose         Output verbose logs

Usage:
  android-pin-bruteforce <command> [options]
Supported Android Phones/Devices
This has been successfully tested with various phones including the Samsung S5, S7, Motorola G4 Plus and G5 Plus.
It can unlock Android versions 6.0.1 through to 10.0. The ability to perform a bruteforce attack doesn't depend on the Android version in use. It depends on how the device vendor developed their own lockscreen.
Check the Phone Database for more details https://github.com/urbanadventurer/Android-PIN-Bruteforce/wiki/Phone-Database
PIN Lists
Optimised PIN lists are used by default unless the user selects a custom PIN list.
Cracking PINs of different lengths
Use the --length commandline option.
Use this command to crack a 3 digit PIN:
./android-pin-bruteforce crack --length 3
Use this command to crack a 6 digit PIN:
./android-pin-bruteforce crack --length 6
Where did the optimised PIN lists come from?
The optimised PIN lists were generated by extracting numeric passwords from database leaks then sorting by frequency. All PINs that did not appear in the password leaks were appended to the list.
The optimised PIN lists were generated from Ga$$Pacc DB Leak (21GB decompressed, 688M Accounts, 243 Databases, 138920 numeric passwords).
Cracking with Masks
Masks use regular expressions with the standard grep extended format.
./android-pin-bruteforce crack --mask "...[45]" --dry-run
To try all years from 1900 to 1999, use a mask of 19..
To try PINs that have a 1 in the first digit, and a 1 in the last digit, use a mask of 1..1
To try PINs that end in 4 or 5, use ...[45]
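The 16.6 hour figure and the mask examples above both come down to how many candidates remain and how the lockscreen throttles wrong guesses. The script below is an added example, not part of Android-PIN-Bruteforce, that estimates the worst case from a defender's side. The function names and the throttle values (30 seconds after every 5 wrong attempts, plus an escalating variant capped at 3600 seconds) are assumptions, and masks are matched against the whole PIN with grep -Ex.

```bash
#!/usr/bin/env bash
# Added example (not part of Android-PIN-Bruteforce): how long does a lockscreen
# throttle hold out against exhaustive PIN guessing? Throttle values are assumed.

# Count PINs of LENGTH digits matching MASK (grep extended regex, whole line).
count_candidates() {
    local length=$1 mask=$2 max='' i=0
    while [ "$i" -lt "$length" ]; do max="${max}9"; i=$((i + 1)); done
    seq -w 0 "$max" | grep -Exc -- "$mask" || true   # grep exits 1 on zero matches
}

# Worst case when a fixed DELAY follows every PER_WINDOW wrong attempts.
# Time spent typing each guess is ignored.
fixed_throttle_seconds() {
    local count=$1 per_window=$2 delay=$3
    echo $(( count / per_window * delay ))
}

# Worst case when the delay doubles after each window, up to CAP seconds.
escalating_throttle_seconds() {
    local count=$1 per_window=$2 delay=$3 cap=$4
    local windows=$(( count / per_window )) total=0 i=0
    while [ "$i" -lt "$windows" ]; do
        total=$(( total + delay ))
        if [ $(( delay * 2 )) -lt "$cap" ]; then delay=$(( delay * 2 )); else delay=$cap; fi
        i=$(( i + 1 ))
    done
    echo "$total"
}

report() {  # usage: report LENGTH MASK
    local n
    n=$(count_candidates "$1" "$2")
    printf '%-8s candidates=%-8s fixed=%ss escalating=%ss\n' "$2" "$n" \
        "$(fixed_throttle_seconds "$n" 5 30)" \
        "$(escalating_throttle_seconds "$n" 5 30 3600)"
}

report '4' '....'      # whole 4 digit space
report '6' '......'    # whole 6 digit space
report '4' '19..'      # PIN known to be a year from 1900 to 1999
report '4' '...[45]'   # last digit known to be 4 or 5
```

Under these assumed values the fixed throttle leaves the whole 4 digit space exhausted in 60000 seconds, while the escalating policy stretches the same space to roughly 83 days. A PIN known to match 19.. falls to 600 seconds under the fixed throttle, which is why date-like PINs and flat lockout delays are both poor choices.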
Configuration for different phones
Device manufacturers create their own lock screens that are different to the default or stock Android. To find out what keys your phone needs, plug a keyboard into the phone and try out different combinations.
Load a different configuration file, with the --config FILE commandline parameter.
Example: ./android-pin-bruteforce --config ./config.samsung.s5 crack
You can also edit the config file by customising the timing and keys sent.
The following configuration variables can be used to support a different phone's lockscreen.
Test sending keys from the NetHunter phone
Test sending keys from the terminal
Use ssh from your laptop to the NetHunter phone, and use this command to test sending keys:
In this example, the enter key is sent.
echo "enter" | /system/xbin/hid-keyboard /dev/hidg0 keyboard
In this example, ctrl-escape is sent.
echo "left-ctrl escape" | /system/xbin/hid-keyboard /dev/hidg0 keyboard
Note: Sending combinations of keys in config file variables is different. Currently only ctrl_escape is supported.
In this example, keys a, b, c are sent.
echo a b c | /system/xbin/hid-keyboard /dev/hidg0 keyboard