X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/0de8e3874d6524379550a50a4d9c29faf2d239ea..1b12afbd9fd2f6b3de278a1419d0e095cb9181ce:/client/scripts/mifare_autopwn.lua diff --git a/client/scripts/mifare_autopwn.lua b/client/scripts/mifare_autopwn.lua index 77f36ae4..b1f3d357 100644 --- a/client/scripts/mifare_autopwn.lua +++ b/client/scripts/mifare_autopwn.lua @@ -28,6 +28,8 @@ Output files from this operation: -- Some utilities ------------------------------- local DEBUG = false +local MIFARE_AUTH_KEYA = 0x60 +local MIFARE_AUTH_KEYB = 0x61 --- -- A debug printout-function function dbg(args) @@ -66,7 +68,7 @@ end function mfcrack() core.clearCommandBuffer() -- Build the mifare-command - local cmd = Command:new{cmd = cmds.CMD_READER_MIFARE, arg1 = 1} + local cmd = Command:new{cmd = cmds.CMD_READER_MIFARE, arg1 = 1, arg2 = 0, arg3 = MIFARE_AUTH_KEYA} local retry = true while retry do @@ -78,12 +80,11 @@ function mfcrack() if errormessage then return nil, errormessage end -- Try again..set arg1 to 0 this time. - cmd = Command:new{cmd = cmds.CMD_READER_MIFARE, arg1 = 0} + cmd = Command:new{cmd = cmds.CMD_READER_MIFARE, arg1 = 0, arg2 = 0, arg3 = MIFARE_AUTH_KEYA} end return nil, "Aborted by user" end - function mfcrack_inner() while not core.ukbhit() do local result = core.WaitForResponseTimeout(cmds.CMD_ACK,1000) 
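Review bot: `MIFARE_AUTH_KEYB` in the `@@ -28,6 +28,8 @@` hunk is declared but not referenced by any hunk on this page (only `MIFARE_AUTH_KEYA` is passed as `arg3`), so unless code outside the patch uses it, it is an unused local that luacheck will report. Either drop it until a key-B path exists, or keep it and say why. Both constants would also benefit from a one-line comment such as `-- MIFARE Classic authentication command bytes: 0x60 = key A, 0x61 = key B`.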
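Review bot: The command table is now spelled out twice, in the `@@ -66,7 +68,7 @@` hunk and again in the retry branch of `@@ -78,12 +80,11 @@`, differing only in `arg1`, so a later change to `arg2` or `arg3` can update one copy and miss the other. A small local constructor would keep them in step, e.g. `local function reader_mifare_cmd(first) return Command:new{cmd = cmds.CMD_READER_MIFARE, arg1 = first, arg2 = 0, arg3 = MIFARE_AUTH_KEYA} end`. `arg2 = 0` is also unexplained in the hunk; a comment stating what the firmware handler expects in each argument (presumably `arg2` selects the block, to be confirmed against the firmware side) would help the next reader. `mfcrack` begins in the first of these hunks but its loop body lies partly outside both.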
@@ -113,7 +114,7 @@ function mfcrack_inner() elseif isOK == 0xFFFFFFFD then return nil, "Card is not vulnerable to Darkside attack (its random number generator is not predictable). You can try 'script run mfkeys' or 'hf mf chk' to test various known keys." elseif isOK == 0xFFFFFFFC then - return nil, "The card's random number generator is vulnerable but behaves somewhat weird (Mifare clone?). You can try 'script run mfkeys' or 'hf mf chk' to test various known keys." + return nil, "The card's random number generator behaves somewhat weird (Mifare clone?). You can try 'script run mfkeys' or 'hf mf chk' to test various known keys." elseif isOK ~= 1 then return nil, "Error occurred" end @@ -133,7 +134,7 @@ function mfcrack_inner() local uid,nt,pl = get(4),get(4),get(8) local ks,nr = get(8),get(4) - local status, key = core.nonce2key(uid,nt, nr, pl,ks) + local status, key = core.nonce2key(uid, nt, nr, pl, ks) if not status then return status,key end if status > 0 then @@ -187,10 +188,9 @@ end -- The main entry point function main(args) - local verbose, exit,res,uid,err,_,sak local seen_uids = {} - + local print_message = true -- Read the parameters for o, a in getopt.getopt(args, 'hd') do if o == "h" then help() return end @@ -198,6 +198,10 @@ function main(args) end while not exit do + if print_message then + print("Waiting for card or press any key to stop") + print_message = false + end res, err = wait_for_mifare() if err then return oops(err) end -- Seen already? @@ -206,7 +210,7 @@ function main(args) if not seen_uids[uid] then -- Store it seen_uids[uid] = uid - print("Card found, commencing crack", uid) + print("Card found, commencing crack on UID", uid) -- Crack it local key, cnt res,err = mfcrack() 
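Review bot: The fall-through branch `elseif isOK ~= 1 then return nil, "Error occurred"` in the `@@ -113,7 +114,7 @@` hunk discards the status value, so any code other than the ones handled above it is indistinguishable in a bug report. Including it costs one line: `return nil, string.format("Error occurred (status 0x%08X)", isOK)`. The literals `0xFFFFFFFD` and `0xFFFFFFFC` would also read better as named locals, the same way this commit names the authentication bytes. `mfcrack_inner` begins and ends outside the hunk.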
@@ -217,12 +221,13 @@ function main(args) -- two bytes, then six bytes actual key data -- We can discard first and second return values _,_,key = bin.unpack("H2H6",res) - print("Key ", key) + print("Found valid key: "..key); -- Use nested attack nested(key,sak) -- Dump info dump(uid) + print_message = true end end end
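Review bot: `print("Found valid key: "..key);` raises "attempt to concatenate a nil value" if `bin.unpack("H2H6",res)` yields no third value, whereas the replaced `print("Key ", key)` would simply have printed `nil`. Whether `res` is guaranteed to be a complete response at this point depends on the check after `mfcrack()`, which lies between the hunks and is not visible here. A guard before the print, e.g. `if not key then return oops("Could not parse key from response") end`, fails cleanly and also avoids handing a nil key to `nested(key,sak)`. The trailing `;` appears nowhere else in the visible hunks and can be dropped. `main` starts outside this hunk.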