Add files via upload 486/head
authorKenzy Carey <33557606+KenzyCarey@users.noreply.github.com>
Fri, 17 Nov 2017 22:42:52 +0000 (14:42 -0800)
committerGitHub <noreply@github.com>
Fri, 17 Nov 2017 22:42:52 +0000 (14:42 -0800)
client/scripts/brutesim.lua [new file with mode: 0644]

diff --git a/client/scripts/brutesim.lua b/client/scripts/brutesim.lua
new file mode 100644 (file)
index 0000000..326966c
--- /dev/null
@@ -0,0 +1,229 @@
+desc = [[\r
+\r
+  .-----------------------------------------------------------------.\r
+ /  .-.                                                         .-.  \\r
+|  /   \                    BruteSim                           /   \  |\r
+| |\_.  |     (bruteforce simulation for multiple tags)       |    /| |\r
+|\|  | /|                      by                             |\  | |/|\r
+| `---' |                 Kenzy Carey                         | `---' |\r
+|       |                                                     |       |\r
+|       |-----------------------------------------------------|       |\r
+\       |                                                     |       /\r
+ \     /                                                       \     /\r
+  `---'                                                         `---'\r
+]]\r
+author = [[ Kenzy Carey ]]\r
+usage = [[\r
+\r
+USAGE:\r
+script run brutesim -r rfid_tag -f facility_code -b base_card_number -c count -t timeout -d direction\r
+option         argument                description\r
+------         --------                -----------\r
+-r             *see below              RFID Tag: the RFID tag to emulate\r
+-f             0-999                   Facility Code: The facility code (dfx: country id, 14a: type)\r
+-b             0-65535                 Base Card Number: base card number to start from\r
+-c             1-65536                 Count: number of cards to try\r
+-t             .0-99999, pause         Timeout: timeout between cards (use the word 'pause' to wait for user input)\r
+-d             up, down                Direction: direction to move through card numbers\r
+-h                                     Show this\r
+\r
+*SUPPORTED TAGS: pyramid, awid, fdx, jablotron, noralsy, presco, visa2000, 14a, hid\r
+\r
+EXAMPLE: \r
+script run brutesim -r pyramid -f 10 -b 1000 -c 10 -t 1 -d down\r
+(the above example would bruteforce pyramid tags, starting at 10:1000, ending at 10:991, and waiting 1 second between each card)\r
+]]\r
+\r
+-- I wrote this as i was doing a PACS audit. This is far from complete, but is easily expandable.\r
+-- The idea was based on proxbrute, but i needed more options, and support for different readers.\r
+-- I dont know LUA, so I used Brian Redbeards lf_bulk_program.lua script as a starting point, sorry if its kludgy.\r
+       \r
+getopt = require('getopt')                                                     -- Used to get get command line arguments\r
+bit32 = require('bit32')                                                       -- Used to convert FC/CN to hex\r
+\r
+local function isempty(s)                                                      -- Check if a string is empty\r
+       return s == nil or s == ''\r
+end\r
+\r
+local function main(args)\r
+\r
+       print("")                                                               -- Print a blank line to make things look cleaner\r
+\r
+       for o, a in getopt.getopt(args, 'r:f:b:c:t:d:h') do                     -- Populate command like arguments\r
+               if o == 'r' then rfidtag = a end\r
+               if o == 'f' then facility = a end\r
+               if o == 'b' then baseid = a end\r
+               if o == 'c' then count = a end\r
+               if o == 't' then timeout = a end\r
+               if o == 'd' then direction = a end\r
+               if o == 'h' then return print(usage) end\r
+       end\r
+\r
+       if isempty(rfidtag) then                                                -- Check to see if -r argument was passed \r
+               print("You must supply the flag -r (rfid tag)")\r
+               print(usage)\r
+               return\r
+       end\r
+                                                                               -- Check what RFID Tag we are using\r
+       if rfidtag == 'pyramid' then                                            -- For eaach RFID Tag:\r
+               consolecommand = 'lf pyramid sim'                               -- Set the console command\r
+               rfidtagname = 'Farpointe/Pyramid'                               -- Set the display name\r
+               facilityrequired = 1                                            -- Set if FC is required\r
+       elseif rfidtag == 'awid' then\r
+               consolecommand = 'lf awid sim'\r
+               rfidtagname = 'AWID'\r
+               facilityrequired = 1\r
+       elseif rfidtag == 'fdx' then                                            -- I'm not sure why you would need to bruteforce this ¯\_(ツ)_/¯ \r
+               consolecommand = 'lf fdx sim'\r
+               rfidtagname = 'FDX-B'\r
+               facilityrequired = 1\r
+       elseif rfidtag == 'jablotron' then\r
+               consolecommand = 'lf jablotron sim'\r
+               rfidtagname = 'Jablotron'\r
+               facilityrequired = 0\r
+       elseif rfidtag == 'noralsy' then\r
+               consolecommand = 'lf noralsy sim'\r
+               rfidtagname = 'Noralsy'\r
+               facilityrequired = 0\r
+       elseif rfidtag == 'presco' then\r
+               consolecommand = 'lf presco sim d'\r
+               rfidtagname = 'Presco'\r
+               facilityrequired = 0\r
+       elseif rfidtag == 'visa2000' then\r
+               consolecommand = 'lf visa2000 sim'\r
+               rfidtagname = 'Visa2000'\r
+               facilityrequired = 0\r
+       elseif rfidtag == '14a' then\r
+               consolecommand = 'hf 14a sim'\r
+               if facility == "1" then rfidtagname = 'MIFARE Classic'          -- Here we use the -f option to read the 14a type instead of the facility code\r
+               elseif facility == "2" then rfidtagname = 'MIFARE Ultralight'\r
+               elseif facility == "3" then rfidtagname = 'MIFARE Desfire'\r
+               elseif facility == "4" then rfidtagname = 'ISO/IEC 14443-4'\r
+               elseif facility == "5" then rfidtagname = 'MIFARE Tnp3xxx'\r
+               else \r
+                       print("Invalid 14a type (-f) supplied. Must be 1-5")\r
+                       print(usage)\r
+                       return\r
+               end\r
+               facilityrequired = 0                                            -- Disable the FC required check, as we used it for type instead of FC\r
+       elseif rfidtag == 'hid' then\r
+               consolecommand = 'lf hid sim'\r
+               rfidtagname = 'HID'\r
+               facilityrequired = 1\r
+       else                                                                    -- Display error and exit out if bad RFID tag was supplied\r
+               print("Invalid rfid tag (-r) supplied")\r
+               print(usage)\r
+               return\r
+       end\r
+       \r
+       if isempty(baseid) then                                                 -- Display error and exit out if no starting id is set\r
+               print("You must supply the flag -b (base id)")\r
+               print(usage)\r
+               return\r
+       end\r
+\r
+       if isempty(count) then                                                  -- Display error and exit out of no count is set\r
+               print("You must supply the flag -c (count)")\r
+               print(usage)\r
+               return\r
+       end\r
+       \r
+       if facilityrequired == 1 then                                           -- If FC is required\r
+               facilitymessage = " - Facility Code: "                          -- Add FC to status message\r
+               if isempty(facility) then                                       -- If FC was left blank, display warning and set FC to 0 \r
+                       print("Using 0 for the facility code as -f was not supplied")\r
+                       facility = 0                                            \r
+               end\r
+       else                                                                    -- If FC is not required\r
+               facility = ""                                                   -- Clear FC\r
+               facilitymessage = ""                                            -- Remove FC from status message\r
+       end\r
+       \r
+       if isempty(timeout) then                                                -- If timeout was not supplied, show warning and set timeout to 0\r
+               print("Using 0 for the timeout as -t was not supplied")\r
+               timeout = 0 \r
+       end\r
+       \r
+       if isempty(direction) then                                              -- If direction was not supplied, show warning and set direction to down\r
+               print("Using down for direction as -d was not supplied")\r
+               direction = 'down' \r
+       end\r
+       \r
+       if tonumber(count) < 1 then\r
+               print("Count -c must be set to 1 or higher")\r
+               return\r
+       else\r
+               count = count -1                                                -- Make our count accurate by removing 1, because math\r
+       end                                                     \r
+       \r
+       if direction == 'down' then                                             -- If counting down, set up our for loop to count down\r
+               endid = baseid - count\r
+               fordirection = -1\r
+       elseif direction == 'up' then                                           -- If counting up, set our for loop to count up\r
+               endid = baseid + count\r
+               fordirection = 1\r
+       else                                                                    -- If invalid direction was set, show warning and set up our for loop to count down\r
+               print("Invalid direction (-d) supplied, using down")\r
+               endid = baseid - count\r
+               fordirection = -1\r
+       end\r
+       \r
+                                                                               -- The code below was blatantly stolen from Brian Redbeard's lf_bulk_program.lua script         \r
+       function toBits(num,bits)\r
+               bits = bits or math.max(1, select(2, math.frexp(num)))\r
+               local t = {}\r
+               for b = bits, 1, -1 do\r
+                       t[b] = math.fmod(num, 2)\r
+                       num = math.floor((num - t[b]) / 2)\r
+               end\r
+               return table.concat(t)\r
+       end\r
+\r
+       local function evenparity(s)\r
+               local _, count = string.gsub(s, "1", "")\r
+               local p = count % 2\r
+               if (p == 0) then\r
+                       return(false)\r
+               else\r
+                       return(true)\r
+               end\r
+       end\r
+       \r
+       local function isempty(s)\r
+               return s == nil or s == ''\r
+       end\r
+\r
+       local function cardHex(i,f)\r
+               fac = bit32.lshift(f,16)\r
+               id = bit32.bor(i, fac)\r
+               stream=toBits(id,26)\r
+               high = evenparity(string.sub(stream,0,12)) and 1 or 0\r
+               low = not evenparity(string.sub(stream,13)) and 1 or 0\r
+               bits = bit32.bor(bit32.lshift(id,1), low)\r
+               bits = bit32.bor(bits, bit32.lshift(high,25))\r
+               preamble = bit32.bor(0, bit32.lshift(1,5))\r
+               bits = bit32.bor(bits, bit32.lshift(1,26))\r
+               return ("%04x%08x"):format(preamble,bits)\r
+       end\r
+                                                                                       -- End stolen code \r
+       \r
+       \r
+       print("")                                                                       -- Display status message\r
+       print("BruteForcing "..rfidtagname..""..facilitymessage..""..facility.." - CardNumber Start: "..baseid.." - CardNumber End: "..endid.." - TimeOut: "..timeout)\r
+       print("")\r
+       for cardnum = baseid,endid,fordirection do                                      -- Loop through for each count (-c)\r
+               if rfidtag == 'hid' then cardnum = cardHex(cardnum, facility) end       -- If rfid tag is set to HID, convert card to HEX using the stolen code above \r
+               core.console(consolecommand..' '..facility..' '..cardnum)               -- Send command to proxmark\r
+               if timeout == 'pause' then                                              -- If timeout is set to pause, wait for user input\r
+                       print("Press enter to continue ...")\r
+                       io.read()\r
+               else                                                                    -- Otherwise sleep for timeout duration\r
+                       os.execute("sleep "..timeout.."")\r
+               end\r
+       end\r
+       core.console('hw ping')                                                         -- Ping the proxmark to stop emulation and see if its still responding\r
+       \r
+end                                                                                    -- Go bye bye\r
+\r
+\r
+main(args)                                                                             -- Do the thing\r
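Review bot: The `-t` value is handed to a shell unvalidated in the card loop, `os.execute("sleep "..timeout.."")` — the only check on it is the `isempty` test earlier in `main`, so whatever follows the number becomes part of the `sh` command line. Guard it once after the defaults are applied, `if timeout ~= 'pause' and tonumber(timeout) == nil then print("Timeout -t must be a number or 'pause'") print(usage) return end`, and build the sleep from the parsed number, `os.execute("sleep "..tonumber(timeout))`; the same numeric check belongs on `-c` and `-b`, because `tonumber(count) < 1` raises "attempt to compare nil with number" when `-c` is not numeric instead of printing usage. Separately, for `14a` the `-f` value only selects `rfidtagname`: `facilityrequired` is set to 0, so the later branch clears `facility` to `""` and the type never reaches the `hf 14a sim` command sent through `core.console`, which looks unintended given the usage text says `-f` is the 14a type. Finally, `isempty` is defined twice (at module level and again inside `main`); the inner copy shadows the outer and can be dropped.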