brute-force attack project


trivedipy
09-22-2011, 05:13 AM
hi guys,
I have to develop a prototype for a device to perform a 'brute-force' attack upon a keypad entry system. The device may assume a keypad of 3 columns and 4 rows. It may also assume a pass-code of 4-6 key-presses. The device will be required to press the keys and record (sound) the result - to differentiate valid guesses from invalid.

The device may sequentially try various keystrokes in order to determine the correct 'combination'. It is this guessing (trial-and-error) which makes it a 'brute force' technique.

We are told that we can buy a lock with a 9-key keypad on it and then use a solenoid to press and try different combinations.
Can anyone help us with what the block diagram will be and how the circuit will be? We are told to use a pic controller for this project. We can offer rewards as well.

strantor
09-22-2011, 06:04 AM
hi guys,
I have to develop a prototype for a device to perform a 'brute-force' attack upon a keypad entry system. The device may assume a keypad of 3 columns and 4 rows. It may also assume a pass-code of 4-6 key-presses. The device will be required to press the keys and record (sound) the result - to differentiate valid guesses from invalid.

The device may sequentially try various keystrokes in order to determine the correct 'combination'. It is this guessing (trial-and-error) which makes it a 'brute force' technique.

We are told that we can buy a lock with a 9-key keypad on it and then use a solenoid to press and try different combinations.
Can anyone help us with what the block diagram will be and how the circuit will be? We are told to use a pic controller for this project. We can offer rewards as well.
How is this "trial and error"? does the "attacked" keypad give you audible feedback if you are "close"? does it make a different sound when you get one of the numbers correct, and then a different sound if you get two numbers correct, like "hey, your guesses are getting closer! don't give up yet!"? or does it just beep (or do nothing) when you get it wrong? and do you have to press *, then the 4-6 digit code, then #? if so, you would have to go through every 4 digit combination (10,000 different combinations) then every 5 digit combination (100,000) then every 6 digit combination (1,000,000) so if some idiot made their combination 999999, then your little solenoid filled "brute force" box would have to sit there and pound out 1,110,000 combinations. how long would that take? I can just see it there for weeks on end going "tikkatikkatikkatick" and then you have to worry about your quarry coming home and seeing this hideous kludge attached to his front door keypad.

John P
09-22-2011, 06:19 AM
It seems to me Strantor is asking the right questions. If the device truly has to get a random 6-digit number, it will need to be quite a rugged little machine!

trivedipy
09-22-2011, 06:40 AM
How is this "trial and error"? does the "attacked" keypad give you audible feedback if you are "close"? does it make a different sound when you get one of the numbers correct, and then a different sound if you get two numbers correct, like "hey, your guesses are getting closer! don't give up yet!"? or does it just beep (or do nothing) when you get it wrong? and do you have to press *, then the 4-6 digit code, then #? if so, you would have to go through every 4 digit combination (10,000 different combinations) then every 5 digit combination (100,000) then every 6 digit combination (1,000,000) so if some idiot made their combination 999999, then your little solenoid filled "brute force" box would have to sit there and pound out 1,110,000 combinations. how long would that take? I can just see it there for weeks on end going "tikkatikkatikkatick" and then you have to worry about your quarry coming home and seeing this hideous kludge attached to his front door keypad.

Hey Strantor, Thanks for getting back so quickly. Basically we don't have to worry about how long the device would take to get the right combination. We need to hook up the device to a keypad entry system which just makes the beep sound for the correct combination and does nothing when you get it wrong. The device then detects this beep sound produced by the keypad and stops trying further combinations. Assume a 4 to 6 digit long password. We can use the ready made keypad entry system so we only need to worry about the device for now. The device should use the solenoids to press keys on the keypad and a PIC controller to drive the solenoids. Any help would be greatly appreciated.

strantor
09-22-2011, 07:18 AM
ok then, here is a link to a standard type of keypad you will find in security systems:
http://www.storm-interface.com/product_attachments/1000Series.pdf
look at the dimensions, 19mm between key centers. that means your solenoids can't be bigger than 19mm across. that's a tall order. they are normally fat squatty things. this is the closest one I could find, at .77in across (19.5mm) http://www.newark.com/ledex/195205-230/solenoid-tubular-push-continuous/dp/20M1816?in_merch=Popular%20Solenoids&MER=PPSO_N_P_Solenoids_None
you'll need 11 of them (assuming you need to push # and *, that's pretty normal).
you'll need 12V to drive them, and count on including a few deep cycle marine batteries in your project because these draw 7W each and they'll be clicking away for weeks. next you'll need some NPN transistors (or N-channel MOSFETs) to switch them and diodes across them. other than that, the code should be simple.

strantor
09-22-2011, 07:27 AM
you would save yourself a lot of heartache if you ditch the solenoids, bust the face off the keypad to get at the keypad matrix wires and send signals straight from your micro into the security circuit. but I wouldn't know. and just to make your day, some security systems have a timeout period if you get the code wrong too many times, it won't accept keystrokes for X amount of time. you need to know how many times it takes to lockout and how long the lockout is (that is, if it's not a random amount of time) so your micro can account for that, otherwise your micro could send the correct password during a lockout period and then after weeks of waiting, the thing has cycled through all 1.1 million combinations and it still hasn't unlocked. and factoring in this delay means instead of weeks, it could take months or years to get it open. also make sure you know the format. I've mentioned the *......# format already because it's most common, but there are others. if you don't know the format then you have to try all the formats which could take you into the billions of combinations.

trivedipy
09-22-2011, 08:29 AM
ok then, here is a link to a standard type of keypad you will find in security systems:
http://www.storm-interface.com/product_attachments/1000Series.pdf
look at the dimensions, 19mm between key centers. that means your solenoids can't be bigger than 19mm across. that's a tall order. they are normally fat squatty things. this is the closest one I could find, at .77in across (19.5mm) http://www.newark.com/ledex/195205-230/solenoid-tubular-push-continuous/dp/20M1816?in_merch=Popular%20Solenoids&MER=PPSO_N_P_Solenoids_None
you'll need 11 of them (assuming you need to push # and *, that's pretty normal).
you'll need 12V to drive them, and count on including a few deep cycle marine batteries in your project because these draw 7W each and they'll be clicking away for weeks. next you'll need some NPN transistors (or N-channel MOSFETs) to switch them and diodes across them. other than that, the code should be simple.

Thank you very much for your help on this. Solenoids seem to be a bit costly to me, so do you think there is any way to make such a device without using solenoids?

strantor
09-22-2011, 08:57 AM
Thank you very much for your help on this. Solenoids seem to be a bit costly to me, so do you think there is any way to make such a device without using solenoids?
yeah, like I said:

bust the face off the keypad to get at the keypad matrix wires and send signals straight from your micro into the security circuit.
It would be waaay faster. in the grand scheme of things, solenoids are really slow, beastly metallic fingers chugging in and out one at a time. if you interfaced your circuit directly with the security circuit, you could send thousands of passcodes per second.

kubeek
09-22-2011, 09:20 AM
if you interfaced your circuit directly with the security circuit, you could send thousands of passcodes per second.

Probably not, if the lock isn't completely stupid it will have some delay after the wrong entry.

strantor
09-22-2011, 09:27 AM
Probably not, if the lock isn't completely stupid it will have some delay after the wrong entry.

Yes, I've already pointed that out, but I think we're ignoring all real-world aspects for this little exercise in futility

kubeek
09-22-2011, 09:49 AM
I don't think this is an exercise in futility, I recently saw a nice video about the same thing used to brute force unlock an iPad or something similar. I think it used solenoids to tap on the touchscreen and probably some camera to check if it is unlocked yet. Wish I could find it..

THE_RB
09-22-2011, 11:50 PM
Probably not, if the lock isn't completely stupid it will have some delay after the wrong entry.

Agreed! I designed one with a timeout that doubled, so first wrong entry got you a 15 second timeout, followed by 30 secs, 60 secs, 2 mins, 4 mins etc. From memory I think I capped it at about half an hour timeout max. With 6 hexadecimal digits giving about 16 million combinations.

Good luck brute forcing that lock!
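As an added illustration of why the lockout matters (this is not code from the thread, just a model of what the posts describe): the doubling timeout THE_RB outlines, with the 15 s base, half-hour cap and 16-million-code hex keyspace from that post, set against strantor's 1,110,000-combination count with no lockout at all. The one second per code entry is an assumption.

```python
"""Model the escalating lockout described in the thread.

Policy from THE_RB's post: after the n-th consecutive wrong entry the lock
ignores input for 15 s, then 30 s, 60 s, 2 min, 4 min, ... capped at half
an hour. Keyspace: 6 hexadecimal digits. Time per code entry is assumed.
"""

ENTRY_SECONDS = 1.0        # assumed time to key in one complete code
BASE_LOCKOUT = 15.0        # seconds, from the post
CAP_LOCKOUT = 30 * 60.0    # half an hour, from the post
HEX_KEYSPACE = 16 ** 6     # 16,777,216 six-digit hex codes


def lockout_after(n_wrong, base=BASE_LOCKOUT, cap=CAP_LOCKOUT):
    """Lockout in seconds applied after the n-th consecutive wrong entry."""
    if n_wrong < 1:
        return 0.0
    return min(base * 2 ** (n_wrong - 1), cap)


def worst_case_seconds(keyspace, entry_time=ENTRY_SECONDS,
                       base=BASE_LOCKOUT, cap=CAP_LOCKOUT):
    """Seconds to exhaust the keyspace when every wrong entry is penalised.

    The final guess is the correct one, so keyspace - 1 lockouts are served.
    With no lockout (base or cap <= 0) this is just keyspace * entry_time.
    """
    total = keyspace * entry_time
    wrong = keyspace - 1
    if wrong <= 0 or base <= 0 or cap <= 0:
        return total
    # Doubling phase: only a handful of entries before the timeout hits the cap.
    served, timeout = 0, base
    while served < wrong and timeout < cap:
        total += timeout
        served += 1
        timeout *= 2
    # Capped phase: every remaining wrong entry costs the full cap.
    total += (wrong - served) * cap
    return total


if __name__ == "__main__":
    # strantor's 4-6 digit count with no lockout: 1,110,000 codes
    plain = worst_case_seconds(1_110_000, base=0)
    print(f"no lockout, 1,110,000 codes: {plain / 86400:.1f} days")
    # THE_RB's lock: 16**6 codes, doubling lockout capped at 30 min
    locked = worst_case_seconds(HEX_KEYSPACE)
    print(f"doubling lockout, 16**6 codes: {locked / 31557600:.0f} years")
```

The doubling phase is over after seven wrong entries; from then on every miss costs the full half hour, which is what turns roughly 194 days of unthrottled guessing into centuries.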

tgotwalt1158
09-23-2011, 12:16 AM
It is not practical! No keypad can withstand the destructive force of millions of mechanical key strokes required to decipher an unknown code with the help of brute force decoding technique. Tell them this and ask for any alternate practical project!

wayneh
09-23-2011, 03:43 PM
I have to develop a prototype for a device to perform a 'brute-force' attack upon a keypad entry system.
Why? Who's forcing you?

How do we know you're not trying to get us to pick locks for you? (Not that I'm much worried about the success of this approach.) ;)

nsaspook
09-23-2011, 04:07 PM
A lock bypass is the only practical thing to do.

http://www.theboxotruth.com/docs/bot5_3.htm

THE_RB
09-24-2011, 07:57 AM
Nah, you need those Hollywood keypad door locks where any damage to the keypad (like shooting it or smashing it) causes the door to open. ;)