
View Full Version : Breaking into Hotel Safes



DIzzIE
14th March 2007, 09:33
BREAKING INTO HOTEL SAFES
BY: DIzzIE (2003)

Assumed procedure in identifying digits (the ‘code’) inputted using a numerical keypad.

1. Your first view of the keypad will usually yield no information regarding the code (aside from any obvious stray marks, such as fresh slivers of nail polish, jelly, etc.). Thus the ‘fresh’ keypad will resemble the one in Figure 1 (below).
http://www.rorta.net/textfiles/safeimg1.jpg

2. The blunt choice would be to test all the digits; all the possible combinations, in an attempt to brute force the code. If the code length is not known beforehand (perhaps by researching the manual/website of the manufacturer and finding the maximum possible key length, or by social engineering said code length), then the attempt at brute forcing the combination must simply be aborted due to the fact that the number of possible combinations stretches out to infinity (10^(key length)).

3. Thus, what one must do is significantly lower the number of possibilities by identifying which digits have been used, and which haven’t.

4. This can be accomplished by ‘dusting’ for fingerprints using a standard fingerprint identification kit, or the more available pencil method.

5. Obtain a standard sharpened pencil and with a knife proceed to scrape the graphite (onto a napkin or sheet of paper) until a sizable powdered pile has been scraped.

6. Take the napkin with the powdered graphite up to the keypad; gently blow the powdered graphite in the direction of the keypad.

7. Assuming that the target inputted the code recently, and that the fingers were relatively oily/moist, the powdered graphite will stick to the keys that the target pressed.

8. For this example, let us say that the graphite stuck to four number keys (Figure 2).
http://www.rorta.net/textfiles/safeimg2.jpg

9. Now we must make a series of assumptions:

~The digits in the combination are unique; in other words sets which have repeating digits such as 36698 are nonexistent.

~Each key was pressed only once; in other words the length of the code is determined by the number of keys identified by the graphite.

~The keypad has not been sabotaged; in other words the target did not purposefully attempt to mislead the brute forcer by falsifying the keys that were pressed.

10. Given the above assumptions, and the fact that our graphite adhered to four keys, the number of possible key combinations is determined by (key length)!, or 4! (24).

11. It will take 1-2 seconds to input a single combination, hit the Enter key, and, if incorrect, the Clear key. Thus, 24 combinations will take 48 seconds.

12. Chances are that the target selected a simple combination, such as going down a column and one over, or perhaps across…

13. Obviously the three assumptions allow quite a ‘leap of faith’ and are by no means foolproof. Thus if the shortest possible number of combinations (24) does not succeed in opening the safe (nonetheless it was worth a try), we are back to square one, for without knowing the key length, and having tried the 24 non-repeating four-digit combinations, we are led to believe that in those four identified numbers there were in fact repeats, thus the number of possible combinations would be (number of keys)^(key length), or 4^(key length).

14. At this point it is suggested that an alternative method be attempted, such as looking for a combination on scraps of paper around the safe/room (check behind paintings, behind the safe, in drawers, etc.). Or, attempt to invite a room service attendant into ‘your’ room with the master override keycard, which will open ‘your’ safe.

Enjoy! :ph34r:
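
The counts in steps 10 and 13, worked as an added example (not part of the original post) for assessing a keypad code policy: it compares the full 10^(key length) space with what remains once residue marks the pressed keys. It goes beyond the post by counting exactly the codes that use every marked key at least once, for which 4^(key length) is an upper bound; the function names and the attempt limit are assumptions of this example.

```python
from math import comb

def full_keyspace(length: int, keys: int = 10) -> int:
    """Codes possible on a `keys`-key pad when nothing is known: keys^length."""
    return keys ** length

def residual_keyspace(revealed: int, length: int) -> int:
    """Codes of `length` presses that use each of the `revealed` keys at least
    once (repeats allowed), counted by inclusion-exclusion."""
    if length < revealed:
        return 0
    return sum((-1) ** j * comb(revealed, j) * (revealed - j) ** length
               for j in range(revealed + 1))

def exposure_with_attempt_limit(revealed: int, length: int, attempts: int) -> float:
    """Fraction of the residual keyspace reachable before a lockout.
    The attempt limit is an assumed control, not something the post describes."""
    space = residual_keyspace(revealed, length)
    return min(1.0, attempts / space) if space else 0.0

def policy_table(revealed: int, max_length: int):
    """Rows of (length, 10^length, revealed^length bound, exact residual)."""
    return [(n, full_keyspace(n), revealed ** n, residual_keyspace(revealed, n))
            for n in range(revealed, max_length + 1)]

if __name__ == "__main__":
    # Four marked keys, as in Figure 2 of the post, for code lengths 4 to 6.
    for row in policy_table(4, 6):
        print("length %d: full=%d bound=%d residual=%d" % row)
    # A four-digit code with one repeated digit marks only three keys.
    print("3 keys marked, 4-digit code:", residual_keyspace(3, 4))
    print("exposure with 3 tries allowed:", exposure_with_attempt_limit(4, 4, 3))
```

With four marked keys the residual space matches the post's 4! = 24 at length four, and a four-digit code containing one repeated digit leaves a larger residual space than one with four distinct digits.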