chg: 'lf hid brute' - now uses UP/DOWN to specify direction only, more verbose and actually exits when done.

2024-09-20 15:26:13 +08:00 · 2020-02-29 09:27:55 +01:00 · 2020-02-29 09:27:55 +01:00 · c30bb354ac
parent a46227d96e
commit c30bb354ac
1 changed files with 96 additions and 25 deletions
--- a/client/cmdlfhid.c
+++ b/client/cmdlfhid.c
@ -83,16 +83,18 @@ static int usage_lf_hid_brute(void) {
    PrintAndLogEx(NORMAL, "This is a attack against reader. if cardnumber is given, it starts with it and goes up / down one step");
    PrintAndLogEx(NORMAL, "if cardnumber is not given, it starts with 1 and goes up to 65535");
    PrintAndLogEx(NORMAL, "");
-    PrintAndLogEx(NORMAL, "Usage:  lf hid brute [h] [v] w <format> [<field> (decimal)>] {...}");
+    PrintAndLogEx(NORMAL, "Usage:  lf hid brute [h] [v] w <format> [<field> (decimal)>] [up|down] {...}");
    PrintAndLogEx(NORMAL, "Options:");
    PrintAndLogEx(NORMAL, "       h                 :  This help");
-    PrintAndLogEx(NORMAL, "       w <format>        :  see `wiegand list` for available formats");
+    PrintAndLogEx(NORMAL, "       w <format>        :  see " _YELLOW_("`wiegand list`") "for available formats");
    PrintAndLogEx(NORMAL, "       f <facility-code> :  facility code");
    PrintAndLogEx(NORMAL, "       c <cardnumber>    :  card number to start with");
    PrintAndLogEx(NORMAL, "       i <issuelevel>    :  issue level");
    PrintAndLogEx(NORMAL, "       o <oem>           :  OEM code");
    PrintAndLogEx(NORMAL, "       d <delay>         :  delay betweens attempts in ms. Default 1000ms");
    PrintAndLogEx(NORMAL, "       v                 :  verbose logging, show all tries");
+    PrintAndLogEx(NORMAL, "       up                :  direction to increment card number. (default is both directions)");
+    PrintAndLogEx(NORMAL, "       down              :  direction to decrement card number. (default is both directions)");
    PrintAndLogEx(NORMAL, "");
    PrintAndLogEx(NORMAL, "Examples:");
    PrintAndLogEx(NORMAL, "       lf hid brute w H10301 f 224");
@ -368,13 +370,28 @@ static int CmdHIDBrute(const char *Cmd) {
    uint32_t  delay = 1000;
    uint8_t cmdp = 0;
    int format_idx = -1;
+    int direction = 0;
    char format[16] = {0};
-    wiegand_card_t datahi;
-    memset(&datahi, 0, sizeof(wiegand_card_t));
-    wiegand_card_t datalo;
-    memset(&datalo, 0, sizeof(wiegand_card_t));
+
+    wiegand_card_t cn_hi, cn_low;
+    memset(&cn_hi, 0, sizeof(wiegand_card_t));
    
    while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
+        
+        char s[10] = {0};
+        if (param_getstr(Cmd, cmdp, s, sizeof(s)) > 0) {
+            if (strlen(s) > 1) {
+                str_lower((char *)s);
+                if (str_startswith(s, "up")) {
+                    direction = 1;
+                } else if (str_startswith(s, "do")) {
+                    direction = 2;
+                }
+                cmdp++;
+                continue;
+            }
+        }
+
        switch (tolower(param_getchar(Cmd, cmdp))) {
            case 'h':
                return usage_lf_hid_brute();
@ -388,8 +405,7 @@ static int CmdHIDBrute(const char *Cmd) {
                cmdp += 2;
                break;
            case 'c':
-                datahi.CardNumber = param_get32ex(Cmd, cmdp + 1, 0, 10);
-                datalo.CardNumber = param_get32ex(Cmd, cmdp + 1, 0, 10);
+                cn_hi.CardNumber = param_get32ex(Cmd, cmdp + 1, 0, 10);
                cmdp += 2;
                break;
            case 'd':
@ -398,18 +414,15 @@ static int CmdHIDBrute(const char *Cmd) {
                cmdp += 2;
                break;
            case 'f':
-                datahi.FacilityCode =  param_get32ex(Cmd, cmdp + 1, 0, 10);
-                datalo.FacilityCode =  param_get32ex(Cmd, cmdp + 1, 0, 10);
+                cn_hi.FacilityCode =  param_get32ex(Cmd, cmdp + 1, 0, 10);
                cmdp += 2;
                break;
            case 'i':
-                datahi.IssueLevel = param_get32ex(Cmd, cmdp + 1, 0, 10);
-                datalo.IssueLevel = param_get32ex(Cmd, cmdp + 1, 0, 10);
+                cn_hi.IssueLevel = param_get32ex(Cmd, cmdp + 1, 0, 10);
                cmdp += 2;
                break;
            case 'o':
-                datahi.OEM = param_get32ex(Cmd, cmdp + 1, 0, 10);
-                datalo.OEM = param_get32ex(Cmd, cmdp + 1, 0, 10);
+                cn_hi.OEM = param_get32ex(Cmd, cmdp + 1, 0, 10);
                cmdp += 2;
                break;
            case 'v':
@ -422,13 +435,45 @@ static int CmdHIDBrute(const char *Cmd) {
                break;
        }
    }
+
+    if (format_idx == -1) {
+        PrintAndLogEx(ERR, "You must select a wiegand format. See " _YELLOW_("`wiegand list`") "for available formats\n");
+        errors = true;
+    }
+
    if (errors) return usage_lf_hid_brute();

+    if (verbose) {
+        PrintAndLogEx(INFO, "Wiegand format#.. %i", format_idx);
+        PrintAndLogEx(INFO, "OEM#............. %u", cn_hi.OEM);
+        PrintAndLogEx(INFO, "ISSUE#........... %u", cn_hi.IssueLevel);
+        PrintAndLogEx(INFO, "Facility#........ %u", cn_hi.FacilityCode);
+        PrintAndLogEx(INFO, "Card#............ %u", cn_hi.CardNumber);
+        switch( direction) {
+            case 0:
+                PrintAndLogEx(INFO, "Brute-forcing direction: " _YELLOW_("BOTH"));
+                break;
+            case 1: 
+                PrintAndLogEx(INFO, "Brute-forcing direction: " _YELLOW_("UP"));
+                break;
+            case 2:
+                PrintAndLogEx(INFO, "Brute-forcing direction: " _YELLOW_("DOWN"));
+                break;
+            default: break;
+        }
+    }
    PrintAndLogEx(INFO, "Brute-forcing HID reader");
-    PrintAndLogEx(INFO, "Press pm3-button to abort simulation or run another command");
+    PrintAndLogEx(INFO, "Press pm3-button to abort simulation or press `enter` to exit");
+
+    // copy values to low.
+    cn_low = cn_hi;

    // main loop
-    for (;;) {
+    // iceman:  could add options for bruteforcing OEM, ISSUE or FC aswell..
+    bool exitloop = false;
+    bool fin_hi, fin_low;
+    fin_hi = fin_low = false;
+    do {

        if (!session.pm3_present) {
            PrintAndLogEx(WARNING, "Device offline\n");
@ -440,18 +485,44 @@ static int CmdHIDBrute(const char *Cmd) {
            return sendPing();
        }

-        // Do one up
-        if (datahi.CardNumber < 0xFFFF) {
-            datahi.CardNumber++;
-            if (sendTry(format_idx, &datahi, delay, verbose) != PM3_SUCCESS) return PM3_ESOFT;
+        // do one up
+        if (direction != 2) {
+            if (cn_hi.CardNumber < 0xFFFF) {
+                cn_hi.CardNumber++;
+                if (sendTry(format_idx, &cn_hi, delay, verbose) != PM3_SUCCESS) return PM3_ESOFT;
+            } else {
+                fin_hi = true;
+            }
        }
        
-        // Do one up
-        if (datalo.CardNumber > 1) {
-            datalo.CardNumber--;
-            if (sendTry(format_idx, &datalo, delay, verbose) != PM3_SUCCESS) return PM3_ESOFT;
+        // do one down
+        if (direction != 1) {
+            if (cn_low.CardNumber > 0) {
+                cn_low.CardNumber--;
+                if (sendTry(format_idx, &cn_low, delay, verbose) != PM3_SUCCESS) return PM3_ESOFT;
+            } else {
+                fin_low = true;
            }
        }
+
+        switch (direction) {
+            case 0: 
+                if (fin_hi && fin_low) {
+                    exitloop = true;
+                }
+                break;
+            case 1:
+                exitloop = fin_hi;
+                break;
+            case 2:
+                exitloop = fin_low;
+                break;
+            default: break;
+        }
+
+    } while (exitloop == false);
+
+    PrintAndLogEx(INFO, "Brute forcing finished");
    return PM3_SUCCESS;
 }