Brute force used to crack a key logger’s security code

The USB device seen plugged in on the right of this image was found in between the keyboard and USB port of the company computer belonging to a Senior Executive. [Brad Antoniewicz] was hired by the company to figure out what it is and what kind of damage it may have done. He ended up brute forcing an unlock code to access the device, but not before taking some careful steps along the way.

From the design and placement the hardware was most likely a key logger and after some searching around the Internet [Brad] and his colleagues ordered what they thought was the same model of device. They wanted one to test with before taking on the actual target. The logger doesn’t enumerate when plugged in. Instead it acts as a pass-through, keeping track of the keystrokes but also listening for a three-key unlock code. [Brad] wrote a program for the Teensy microcontroller which would brute force all of the combinations. It’s a good thing he did, because one of the combinations is a device erase code hardwired by the manufacturer. After altering the program to avoid that wipe code he successfully unlocked the malicious device. An explanation of the process is found in the video after the break.

[Read more...]

Brute forcing the password on a terribly insecure hard drive

While at work one day, [Marco] was approached by a colleague holding a portable USB hard drive. This hard drive – a Freecom ToughDrive – has a built-in security system requiring a password every time the drive is mounted. Somewhat predictably, the password on this hard drive had been lost, so [Marco] brute forced the password out of this drive.

The Freecom ToughDrive requires a password whenever the drive is plugged in, but only allows 5 attempts before it needs to be power cycled. Entering the passwords was easy to automate, but there was still the issue of unplugging the drive after five failed attempts. [Marco] called upon his friend [Alex] to build a small USB extension cable with a relay inserted into the 5 V line. An easy enough solution after which the only thing needed was the time to crack the password.

The rig successfully guessed the password after 500 attempts, or after cycling the power 100 times. This number is incredibly low for getting a password via brute force, but then again the owner of the hard drive was somewhat predictable as to what passwords they used.

Brute force a password protected PDF using the BeagleBone

The biggest benefit to using the BeagleBone is it’s 700 MHz ARM processor. If you’re just messing around with basic I/O that power is going unused, but [Nuno Alves] is taking advantage of its power. He built a PDF password cracker based on the $85 development board.

We recently saw how easy it is to perform basic I/O using the BeagleBone. Those techniques are in play here, used to drive a character LCD and sample a button input from the breadboard circuit. [Nuno] even published separate posts for each of these peripheral features.

The password protected PDF file is passed to the device on a thumb drive. Since the BeagleBone is running embedded Linux you don’t need to mess around with figuring out how to read from the device. A click of the button starts the process. Currently the code just uses a brute force attack which can test more than 6000 four-character passwords per second.  This is quite slow for any password more than four or five characters long, but [Nuno] does mention the possibility of running several ARM processors in parallel, or using a dictionary (or rainbow table) to speed things up. Either way it’s an interesting project to try on the hardware. You can see his video demo of the device after the break.

[Read more...]

A chink in the armor of WPA/WPA2 WiFi security

Looks like your WiFi might not be quite as secure as you thought it was. A paper recently published by [Stefan Viehböck] details a security flaw in the supposedly robust WPA/WPA2 WiFi security protocol. It’s not actually that protocol which is the culprit, but an in-built feature called Wi-Fi Protected Setup. This is an additional security protocol that allows you to easily setup network devices like printers without the need to give them the WPA passphrase. [Stephan's] proof-of-concept allows him to get the WPS pin in 4-10 hours using brute force. Once an attacker has that pin, they can immediately get the WPA passphrase with it. This works even if the passphrase is frequently changed.

Apparently, most WiFi access points not only offer WPS, but have it enabled by default. To further muck up the situation, some hardware settings dashboards offer a disable switch that doesn’t actually do anything!

It looks like [Stephan] wasn’t the only one working on this exploit. [Craig] wrote in to let us know he’s already released software to exploit the hole.

Brute Force BIOS Hacking Using the Arduino

This clever hack uses an Arduino to do a brute force attack on a computer’s BIOS. In theory, this technique could be used for other programs, but it’s use would be limited since there’s no way to account for too many wrong passwords.

The Arduino generates and outputs the possible password emulating a USB keyboard. When this is done, the pixel in the middle of the screen is read. This is done by reading the analog red signal synced up with the corresponding horizontal and vertical pulses. As with any hack, there were some programming issues that had to be overcome (including one that locked up the keyboard emulator), but this was resolved, and the code is available if you wan to build your own.

Hardware for this build is simple, involving a LCD output, a button to stop everything, and a couple diodes to get the USB keyboard working correctly. This hack turned out quite nicely, and the code and schematics are included!

Cracking a manipulation-proof, million combination safe

So you spent the big bucks and got that fancy safe but if these guys can build a robot to brute-force the combination you can bet there are thieves out there who can pull it off too. [Kyle Vogt] mentioned that we featured the first iteration of his build back in 2006 but we can’t find that article. So read through his build log linked above and then check out the video of the new version after the break. It’s cracking the combination on a Sargent and Greenleaf 8500 lock. There’s an interesting set of motions necessary to open the safe. Turn the dial four revolutions to the first number, three revolutions to the second, two revolutions to the final number, then one revolution to zero the dial. After that you need to press the dial inward to activate the lever assembly. Finally, rotate the dial to 85 to retract the bolt which unlocks the safe.

The propaganda on this lock says it stood up to 20-hours of manual manipulation. But [Kyle] thinks his hardware can get it open in a few hours. His hardware looks extremely well-engineered and we’d bet some creative math can narrow down the time it takes to brute force the combo by not going in sequence.

[Read more...]

How to crack a Master lock

masterlock01

Long, long ago we covered a method to crack a Master lock in about 30 minutes or less. Here’s a revival of the same method but now the instructions to retrieve the combination are in info-graphic format created by [Mark Edward Campos].

If you didn’t get to try this the first time around, here’s how it works: A combination of a physical vulnerability, math, and brute force is used. First, the final number of the code can be obtained by pulling up on the latch while the dial is rotated. Because of the way the lock is built the correct number can be extrapolated using this trick. Secondly, a table of all possible first and second number combinations has been calculated for you.  Third, it’s your job to brute force the correct table of possibilities which includes only about one hundred combinations.

We’re not really into felony theft and hopefully you’re not either. But, we have a nasty habit of needing to use a combination lock that’s been in a drawer for a few years and having no idea of what the correct code might be.

Update: We’ve had a lot of comments about shimming as a better method. For your enjoyment we’ve embedded a video after the break that details how to shim a Master lock using a beer can. Just remember: friends don’t let friends drink and shim.

[Read more...]