--- /dev/null
+desc = [[\r
+\r
+ .-----------------------------------------------------------------.\r
+ / .-. .-. \\r
+| / \ BruteSim / \ |\r
+| |\_. | (bruteforce simulation for multiple tags) | /| |\r
+|\| | /| by |\ | |/|\r
+| `---' | Kenzy Carey | `---' |\r
+| | | |\r
+| |-----------------------------------------------------| |\r
+\ | | /\r
+ \ / \ /\r
+ `---' `---'\r
+]]\r
+author = [[ Kenzy Carey ]]\r
+usage = [[\r
+\r
+USAGE:\r
+script run brutesim -r rfid_tag -f facility_code -b base_card_number -c count -t timeout -d direction\r
+option argument description\r
+------ -------- -----------\r
+-r *see below RFID Tag: the RFID tag to emulate\r
+-f 0-999 Facility Code: The facility code (dfx: country id, 14a: type)\r
+-b 0-65535 Base Card Number: base card number to start from\r
+-c 1-65536 Count: number of cards to try\r
+-t .0-99999, pause Timeout: timeout between cards (use the word 'pause' to wait for user input)\r
+-d up, down Direction: direction to move through card numbers\r
+-h Show this\r
+\r
+*SUPPORTED TAGS: pyramid, awid, fdx, jablotron, noralsy, presco, visa2000, 14a, hid\r
+\r
+EXAMPLE: \r
+script run brutesim -r pyramid -f 10 -b 1000 -c 10 -t 1 -d down\r
+(the above example would bruteforce pyramid tags, starting at 10:1000, ending at 10:991, and waiting 1 second between each card)\r
+]]\r
+\r
+-- I wrote this as i was doing a PACS audit. This is far from complete, but is easily expandable.\r
+-- The idea was based on proxbrute, but i needed more options, and support for different readers.\r
+-- I dont know LUA, so I used Brian Redbeards lf_bulk_program.lua script as a starting point, sorry if its kludgy.\r
+ \r
+getopt = require('getopt') -- Used to get get command line arguments\r
+bit32 = require('bit32') -- Used to convert FC/CN to hex\r
+\r
+local function isempty(s) -- Check if a string is empty\r
+ return s == nil or s == ''\r
+end\r
+\r
+local function main(args)\r
+\r
+ print("") -- Print a blank line to make things look cleaner\r
+\r
+ for o, a in getopt.getopt(args, 'r:f:b:c:t:d:h') do -- Populate command like arguments\r
+ if o == 'r' then rfidtag = a end\r
+ if o == 'f' then facility = a end\r
+ if o == 'b' then baseid = a end\r
+ if o == 'c' then count = a end\r
+ if o == 't' then timeout = a end\r
+ if o == 'd' then direction = a end\r
+ if o == 'h' then return print(usage) end\r
+ end\r
+\r
+ if isempty(rfidtag) then -- Check to see if -r argument was passed \r
+ print("You must supply the flag -r (rfid tag)")\r
+ print(usage)\r
+ return\r
+ end\r
+ -- Check what RFID Tag we are using\r
+ if rfidtag == 'pyramid' then -- For eaach RFID Tag:\r
+ consolecommand = 'lf pyramid sim' -- Set the console command\r
+ rfidtagname = 'Farpointe/Pyramid' -- Set the display name\r
+ facilityrequired = 1 -- Set if FC is required\r
+ elseif rfidtag == 'awid' then\r
+ consolecommand = 'lf awid sim'\r
+ rfidtagname = 'AWID'\r
+ facilityrequired = 1\r
+ elseif rfidtag == 'fdx' then -- I'm not sure why you would need to bruteforce this ¯\_(ツ)_/¯ \r
+ consolecommand = 'lf fdx sim'\r
+ rfidtagname = 'FDX-B'\r
+ facilityrequired = 1\r
+ elseif rfidtag == 'jablotron' then\r
+ consolecommand = 'lf jablotron sim'\r
+ rfidtagname = 'Jablotron'\r
+ facilityrequired = 0\r
+ elseif rfidtag == 'noralsy' then\r
+ consolecommand = 'lf noralsy sim'\r
+ rfidtagname = 'Noralsy'\r
+ facilityrequired = 0\r
+ elseif rfidtag == 'presco' then\r
+ consolecommand = 'lf presco sim d'\r
+ rfidtagname = 'Presco'\r
+ facilityrequired = 0\r
+ elseif rfidtag == 'visa2000' then\r
+ consolecommand = 'lf visa2000 sim'\r
+ rfidtagname = 'Visa2000'\r
+ facilityrequired = 0\r
+ elseif rfidtag == '14a' then\r
+ consolecommand = 'hf 14a sim'\r
+ if facility == "1" then rfidtagname = 'MIFARE Classic' -- Here we use the -f option to read the 14a type instead of the facility code\r
+ elseif facility == "2" then rfidtagname = 'MIFARE Ultralight'\r
+ elseif facility == "3" then rfidtagname = 'MIFARE Desfire'\r
+ elseif facility == "4" then rfidtagname = 'ISO/IEC 14443-4'\r
+ elseif facility == "5" then rfidtagname = 'MIFARE Tnp3xxx'\r
+ else \r
+ print("Invalid 14a type (-f) supplied. Must be 1-5")\r
+ print(usage)\r
+ return\r
+ end\r
+ facilityrequired = 0 -- Disable the FC required check, as we used it for type instead of FC\r
+ elseif rfidtag == 'hid' then\r
+ consolecommand = 'lf hid sim'\r
+ rfidtagname = 'HID'\r
+ facilityrequired = 1\r
+ else -- Display error and exit out if bad RFID tag was supplied\r
+ print("Invalid rfid tag (-r) supplied")\r
+ print(usage)\r
+ return\r
+ end\r
+ \r
+ if isempty(baseid) then -- Display error and exit out if no starting id is set\r
+ print("You must supply the flag -b (base id)")\r
+ print(usage)\r
+ return\r
+ end\r
+\r
+ if isempty(count) then -- Display error and exit out of no count is set\r
+ print("You must supply the flag -c (count)")\r
+ print(usage)\r
+ return\r
+ end\r
+ \r
+ if facilityrequired == 1 then -- If FC is required\r
+ facilitymessage = " - Facility Code: " -- Add FC to status message\r
+ if isempty(facility) then -- If FC was left blank, display warning and set FC to 0 \r
+ print("Using 0 for the facility code as -f was not supplied")\r
+ facility = 0 \r
+ end\r
+ else -- If FC is not required\r
+ facility = "" -- Clear FC\r
+ facilitymessage = "" -- Remove FC from status message\r
+ end\r
+ \r
+ if isempty(timeout) then -- If timeout was not supplied, show warning and set timeout to 0\r
+ print("Using 0 for the timeout as -t was not supplied")\r
+ timeout = 0 \r
+ end\r
+ \r
+ if isempty(direction) then -- If direction was not supplied, show warning and set direction to down\r
+ print("Using down for direction as -d was not supplied")\r
+ direction = 'down' \r
+ end\r
+ \r
+ if tonumber(count) < 1 then\r
+ print("Count -c must be set to 1 or higher")\r
+ return\r
+ else\r
+ count = count -1 -- Make our count accurate by removing 1, because math\r
+ end \r
+ \r
+ if direction == 'down' then -- If counting down, set up our for loop to count down\r
+ endid = baseid - count\r
+ fordirection = -1\r
+ elseif direction == 'up' then -- If counting up, set our for loop to count up\r
+ endid = baseid + count\r
+ fordirection = 1\r
+ else -- If invalid direction was set, show warning and set up our for loop to count down\r
+ print("Invalid direction (-d) supplied, using down")\r
+ endid = baseid - count\r
+ fordirection = -1\r
+ end\r
+ \r
+ -- The code below was blatantly stolen from Brian Redbeard's lf_bulk_program.lua script \r
+ function toBits(num,bits)\r
+ bits = bits or math.max(1, select(2, math.frexp(num)))\r
+ local t = {}\r
+ for b = bits, 1, -1 do\r
+ t[b] = math.fmod(num, 2)\r
+ num = math.floor((num - t[b]) / 2)\r
+ end\r
+ return table.concat(t)\r
+ end\r
+\r
+ local function evenparity(s)\r
+ local _, count = string.gsub(s, "1", "")\r
+ local p = count % 2\r
+ if (p == 0) then\r
+ return(false)\r
+ else\r
+ return(true)\r
+ end\r
+ end\r
+ \r
+ local function isempty(s)\r
+ return s == nil or s == ''\r
+ end\r
+\r
+ local function cardHex(i,f)\r
+ fac = bit32.lshift(f,16)\r
+ id = bit32.bor(i, fac)\r
+ stream=toBits(id,26)\r
+ high = evenparity(string.sub(stream,0,12)) and 1 or 0\r
+ low = not evenparity(string.sub(stream,13)) and 1 or 0\r
+ bits = bit32.bor(bit32.lshift(id,1), low)\r
+ bits = bit32.bor(bits, bit32.lshift(high,25))\r
+ preamble = bit32.bor(0, bit32.lshift(1,5))\r
+ bits = bit32.bor(bits, bit32.lshift(1,26))\r
+ return ("%04x%08x"):format(preamble,bits)\r
+ end\r
+ -- End stolen code \r
+ \r
+ \r
+ print("") -- Display status message\r
+ print("BruteForcing "..rfidtagname..""..facilitymessage..""..facility.." - CardNumber Start: "..baseid.." - CardNumber End: "..endid.." - TimeOut: "..timeout)\r
+ print("")\r
+ for cardnum = baseid,endid,fordirection do -- Loop through for each count (-c)\r
+ if rfidtag == 'hid' then cardnum = cardHex(cardnum, facility) end -- If rfid tag is set to HID, convert card to HEX using the stolen code above \r
+ core.console(consolecommand..' '..facility..' '..cardnum) -- Send command to proxmark\r
+ if timeout == 'pause' then -- If timeout is set to pause, wait for user input\r
+ print("Press enter to continue ...")\r
+ io.read()\r
+ else -- Otherwise sleep for timeout duration\r
+ os.execute("sleep "..timeout.."")\r
+ end\r
+ end\r
+ core.console('hw ping') -- Ping the proxmark to stop emulation and see if its still responding\r
+ \r
+end -- Go bye bye\r
+\r
+\r
+main(args) -- Do the thing\r
projects / proxmark3-svn / commitdiff