Author Topic: [PAPER] Lockpicking Pushbutton Combination lockboxes (bruteforce)  (Read 20659 times)

0 Members and 1 Guest are viewing this topic.

Offline iTpHo3NiX

  • EZ's Pirate Captain
  • Administrator
  • Titan
  • *
  • Posts: 2920
  • Cookies: 328
    • View Profile
    • EvilZone
/////////////////////////////////////////////////////////////////////////////////
/// Paper by: DeepCopy
/// Date: 2/17/14
/// Title: Lockpicking Pushbutton Combination lockboxes
/// Example Unit: Supra C3 Pro
////////////////////////////////////////////////////////////////////////////////

Preface

First off this post is by an EvilZone member, for EvilZone.ORG anyone may copy and paste with the stipulation that the credits along the top, as well as the any credit or reference to EZ I put. This is a simple request and I hope you can abide by it.

Introduction

First off, what prompted me to post this tutorial? I was at work and I noticed these lock boxes that are usually used by real estate agents for keys into buildings all over the building where I work and one of the maintenance guys were telling me that the fire department forgot their combo to their lockbox which houses keys to the entire building. That got me thinking, well how hard could it be? Thus I started researching it. The model I was looking at is a wall mounted SUPRA pushbutton combination lock. The durability is pretty decent but can be broken into with a hammer but will render it useless. In my research I learned some key things:

1. Numbers cannot be repeating (ie no 0000 0001 0002)
2. It doesn't matter the order in which they are pressed (ie 1234={1342, 1423, 2134, 2341, 2413, etc}
3. The standard combo is only 4 digits

Armed with this information I learned there are only 210 possible combinations in which you could enter. So with a 4 digit code, entering 210 possible combinations wouldn't be that time consuming and could have it open in a matter of minutes to a few hours.

So What?

Well what possible reason could one have for getting into these boxes? Well the main reason people will be looking into this because they genuinely forgot their combo. However in my research I found that no one wanted to publicly post the 210 possible digits because of the malicious intent that could be used (ie get a master key that is meant for the fire department) So that is the main reason for this, to publicly post these numbers for anyone looking into this.

What are these combo lockboxes?



There are also ones that you can mount onto buildings and they tend to be used for fire departments, city services, etc. However a lot of realtors use them as well so they don't have to track the keys down for a property. Also used by homeowners to house their spare set of keys, allured by the false sense of security.

Other scenarios


Now keep in mind MOST of these are also customizable. That means they can change the code when they feel like it, as well as change the number from 4 digits to 1-9 (10 would be stupid because then someone would just have to press all of them and it would open) So keep in mind that if someone does modify it, it may not be 4 digits. I'll break it down like this:

1-digit = 10 combinations
2-digit = 45 combinations
3-digit = 120 combinations
4-digit = 210 combinations
5-digit = 252 combinations
6-digit = 210 combinations
7-digit = 120 combinations
8-digit = 45 combinations
9-digit = 10 combinations
10-digit = 1 combination

Total Combinations: 1023

So with that in mind, even if you're unsure how many digits the combo is, there are only 1023 possible combinations for these lock boxes. The most possible digits are 3, 4, 5, 6 and I always like to try the address first ;)

But since 4-digit is the default and most popular, without further ado, PUBLICLY here is the list post the 210 possible combinations

Code: [Select]
1234, 1235, 1236, 1237, 1238, 1239, 1230, 1245, 1246, 1247, 1248, 1249, 1240, 1256, 1257, 1258, 1259, 1250, 1267, 1268, 1269, 1260, 1278, 1279, 1270, 1289, 1280, 1290, 1345, 1346, 1347, 1348, 1349, 1340, 1356, 1357, 1358, 1359, 1350, 1367, 1368, 1369, 1360, 1378, 1379, 1370, 1389, 1380, 1390, 1456, 1457, 1458, 1459, 1450, 1467, 1468, 1469, 1460, 1478, 1479, 1470, 1489, 1480, 1490, 1567, 1568, 1569, 1560, 1578, 1579, 1570, 1589, 1580, 1590, 1678, 1679, 1670, 1689, 1680, 1690, 1789, 1780, 1790, 1890

2345, 2346, 2347, 2348, 2349, 2340, 2356, 2357, 2358, 2359, 2350, 2367, 2368, 2369, 2360, 2378, 2379, 2370, 2389, 2380, 2390, 2456, 2457, 2458, 2459, 2450, 2467, 2468, 2469, 2460, 2478, 2479, 2470, 2489, 2480, 2490, 2567, 2568, 2569, 2560, 2578, 2579, 2570, 2589, 2580, 2590, 2678, 2679, 2670, 2689, 2680, 2690, 2789, 2780, 2790, 2890

3456, 3457, 3458, 3459, 3450, 3467, 3468, 3469, 3460, 3478, 3479, 3470, 3489, 3480, 3490, 3567, 3568, 3569, 3560, 3578, 3579, 3570, 3589, 3580, 3590, 3678, 3679, 3670, 3689, 3680, 3690, 3789, 3780, 3790, 3890

4567, 4568, 4569, 4560, 4578, 4579, 4570, 4589, 4580, 4590, 4678, 4679, 4670, 4689, 4680, 4690, 4789, 4780, 4790, 4890

5678, 5679, 5670, 5689, 5680, 5690, 5789, 5780, 5790, 5890

6789, 6780, 6790, 6890

7890

You're welcome internet.

Bonus little trick

I read this from a guy named fred, so credits go to him (however did not work in my case)

With an older SUPRA combo lockbox where the "clear" slider/button is slimmer than the "open" button you can follow the following steps to quickly get into the lockbox:

1. Press Clear
2. Press #1
3. Press and hold the "open" button
4. Slide the "clear" button
5. If the clear button stays down, skip number and try again, however if it clicks and pops back up, write down or remember the number
6. Repeat Step 1, however instead of Pressing #1 continue to the next number

After you went through all the numbers, enter the ones that clicked and popped voila

Conclusion

Well that about wraps this paper up, now that this information will be public, maybe I wont have to look through hundreds of pages trying to figure out needed information for these and will ease the minds of others who forgot their combos, or possibly those who wish to break into these and steal master keys to commit crimes, wtf do I care, this is the internet.

Please leave credits to DeepCopy of EvilZone.ORG in this writeup and a linkback to my original post is always common courtesy. Thanks for reading
« Last Edit: February 18, 2014, 05:11:01 am by DeepCopy »
[09:27] (+lenoch) iTpHo3NiX can even manipulate me to suck dick
[09:27] (+lenoch) oh no that's voluntary
[09:27] (+lenoch) sorry

Offline c64

  • /dev/null
  • *
  • Posts: 6
  • Cookies: 0
    • View Profile
Re: [PAPER] Lockpicking Pushbutton Combination lockboxes (bruteforce)
« Reply #1 on: February 20, 2014, 04:03:04 am »
Thanks for the read. Would be interesting to know if anyone's gathered any statistics on commonly used combinations, like people have done in the past with common passwords.  Doubtful I know, but I think I'll have a look around anyway.


Presumably with 4 digit combinations someone's year of birth would be a very likely combination, a little bit of information gathering and/or social engineering might whittle down those combinations to just one.

Offline iTpHo3NiX

  • EZ's Pirate Captain
  • Administrator
  • Titan
  • *
  • Posts: 2920
  • Cookies: 328
    • View Profile
    • EvilZone
Re: [PAPER] Lockpicking Pushbutton Combination lockboxes (bruteforce)
« Reply #2 on: February 20, 2014, 06:51:04 am »
Thanks for the read. Would be interesting to know if anyone's gathered any statistics on commonly used combinations, like people have done in the past with common passwords.  Doubtful I know, but I think I'll have a look around anyway.


Presumably with 4 digit combinations someone's year of birth would be a very likely combination, a little bit of information gathering and/or social engineering might whittle down those combinations to just one.

With what I believe the address is common (for realators especially) and birth years wont always work (for example 1990s, 1981, 1989, 1971, 1979, etc. Or 2000-2012) as there can be none of the same numbers

Also a lot of older SUPRA's are defaulted to SDI (as numbers)

Also with the research I've done, not very many people were open about it. Any potential information was behind closed doors such as VIP boards and PM/email systems due to the keys these things usually store. Master keys can be VERY bad in the wrong hands.

What I think a fun project could be is a little mini robot the you mount on it, flip a switch and will go through each possible combination. Since there's only 1023 possible combinations, that would only take ~17 minutes assuming it could test at 1 attempt per second. Seems like a very nifty tool to bruteforce some master keys out of these things.
« Last Edit: February 20, 2014, 06:57:07 am by DeepCopy »
[09:27] (+lenoch) iTpHo3NiX can even manipulate me to suck dick
[09:27] (+lenoch) oh no that's voluntary
[09:27] (+lenoch) sorry

Offline proxx

  • Avatarception
  • Global Moderator
  • Titan
  • *
  • Posts: 2803
  • Cookies: 256
  • ФФФ
    • View Profile
Wtf where you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline Stackprotector

  • Administrator
  • Titan
  • *
  • Posts: 2515
  • Cookies: 205
    • View Profile
Re: [PAPER] Lockpicking Pushbutton Combination lockboxes (bruteforce)
« Reply #4 on: February 20, 2014, 08:22:46 pm »
Great man!! Will try to do some research on these lock as well. Because I love code locks.
~Factionwars

Offline iTpHo3NiX

  • EZ's Pirate Captain
  • Administrator
  • Titan
  • *
  • Posts: 2920
  • Cookies: 328
    • View Profile
    • EvilZone
Re: [PAPER] Lockpicking Pushbutton Combination lockboxes (bruteforce)
« Reply #5 on: February 21, 2014, 01:30:01 am »
http://www.forbes.com/sites/andygreenberg/2013/07/22/pin-punching-robot-can-crack-your-phones-security-code-in-less-than-24-hours/


Good article, makes me wish I had their blueprints and access to a 3D printer. Could market a locksmith tool to crack these open. However it would be different than that the way they work is you input the code, press down on the open and pull when it goes, and if it doesn't open, then it needs to hit the clear button. With what I have in mind it will stop once it has it open. Would be a much easier robot and you could just program the formula to rin through the possible cominations and voila.
[09:27] (+lenoch) iTpHo3NiX can even manipulate me to suck dick
[09:27] (+lenoch) oh no that's voluntary
[09:27] (+lenoch) sorry