RfidResearchGroup/proxmark3
1
1
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-02-12 18:25:07 +08:00
Code Issues Projects Releases Packages Wiki Activity

Add Mifare Ultralight bruteforce support to hf_bruteforce lua script

Browse source
This commit is contained in:
Daniel Underhay 2020-03-11 18:23:37 +11:00
parent 52618303f3
commit fa1103bbc3
3 changed files with 56 additions and 30 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
CHANGELOG.md
View file

@ -3,6 +3,8 @@ All notable changes to this project will be documented in this file.
This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
## [unreleased][unreleased] ## [unreleased][unreleased]
- Change `script run hf_bruteforce -s start_id -e end_id -t timeout -x mifare_card_type` - The hf_bruteforce card script now requires Mifare type (mfc or mfu) (@dunderhay)
- Updated `hf_bruteforce.lua` script - added support for brute forcing Mifare Ultralight EV1 cards (@dunderhay)
- Added `hf mf personlize` - personalize the UID of a Mifare Classic EV1 card (@pwpiwi) - Added `hf mf personlize` - personalize the UID of a Mifare Classic EV1 card (@pwpiwi)
- Change - hint texts added to all lf clone commands (@iceman1001) - Change - hint texts added to all lf clone commands (@iceman1001)
- Change `lf keri demod` - adjusted the internal id. (@mwalker33) - Change `lf keri demod` - adjusted the internal id. (@mwalker33)
@ -36,7 +38,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
- Added `commands.md` - document with all proxmark client commands. Generated with XX_internal_command_dump_markdown_XX. (@iceman1001) - Added `commands.md` - document with all proxmark client commands. Generated with XX_internal_command_dump_markdown_XX. (@iceman1001)
- Change `lf pac clone` - new option `c <card id>` to allow cloning PAC/Stanley tag from card ID (@danshuk) - Change `lf pac clone` - new option `c <card id>` to allow cloning PAC/Stanley tag from card ID (@danshuk)
- Change `lf pac read` - decoded PAC/Stanley card ID (@danshuk) - Change `lf pac read` - decoded PAC/Stanley card ID (@danshuk)
- Change mifare classic keytable output refactored and uses colors (@iceman1001) - Change mifare classic keytable output refactored and uses colors (@iceman1001)
- Fix `hf mf nested` - now writes the correct blockno (@iceman1001) - Fix `hf mf nested` - now writes the correct blockno (@iceman1001)
- Change `lf t55xx dump` - now supports saving to JSON (@iceman1001) - Change `lf t55xx dump` - now supports saving to JSON (@iceman1001)
- Change `hf mf chk | fchk` faster authentication by lower timeout limit. (@pwpiwi) - Change `hf mf chk | fchk` faster authentication by lower timeout limit. (@pwpiwi)
@ -606,8 +608,8 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
- Updated the Reveng 1.31 sourcecode to 1.40 from Reveng project homepage (@iceman1001) - Updated the Reveng 1.31 sourcecode to 1.40 from Reveng project homepage (@iceman1001)
- Added possibility to write direct to a Legic Prime Tag (MIM256/1024) without using values from the `BigBuffer` -> `hf legic writeRaw <addr> <value>` (@icsom) - Added possibility to write direct to a Legic Prime Tag (MIM256/1024) without using values from the `BigBuffer` -> `hf legic writeRaw <addr> <value>` (@icsom)
- Added possibility to decrease DCF values at address 0x05 & 0x06 on a Legic Prime Tag - Added possibility to decrease DCF values at address 0x05 & 0x06 on a Legic Prime Tag
DCF-value will be pulled from the BigBuffer (address 0x05 & 0x06) so you have to DCF-value will be pulled from the BigBuffer (address 0x05 & 0x06) so you have to
load the data into the BigBuffer before with `hf legic load <path/to/legic.dump>` & then load the data into the BigBuffer before with `hf legic load <path/to/legic.dump>` & then
write the DCF-Values (both at once) with `hf legic write 0x05 0x02` (@icsom) write the DCF-Values (both at once) with `hf legic write 0x05 0x02` (@icsom)
- Added script `legic.lua` for display and edit Data of Legic-Prime Tags (@icsom) - Added script `legic.lua` for display and edit Data of Legic-Prime Tags (@icsom)
- Added the experimental HITAG_S support (@spenneb) - Added the experimental HITAG_S support (@spenneb)

68
client/luascripts/hf_bruteforce.lua
View file

@ -1,27 +1,34 @@
-- Run me like this: proxmark3 /dev/rfcomm0 -l ./hf_bruteforce.lua -- Run me like this (connected via USB): ./pm3 -l hf_bruteforce.lua
-- Run me like this (connected via Blueshark addon): ./client/proxmark3 /dev/rfcomm0 -l ./hf_bruteforce.lua
local getopt = require('getopt') local getopt = require('getopt')
copyright = '' copyright = ''
author = 'Keld Norman' author = 'Daniel Underhay (updated), Keld Norman(original)'
version = 'v1.0.0' version = 'v2.0.0'
desc = [[
]]
example = [[
-- (the above example would bruteforce card number, starting at 1, ending at 10, and waiting 1 second between each card)
script run hf_bruteforce -s 1 -e 10 -t 1000
]]
usage = [[ usage = [[
script run hf_bruteforce -s start_id -e end_id -t timeout -d direction pm3 --> script run hf_bruteforce -s start_id -e end_id -t timeout -x mifare_card_type
Arguments: Arguments:
-h this help -h this help
-s 0-0xFFFFFFFF start id -s 0-0xFFFFFFFF start id
-e 0-0xFFFFFFFF end id -e 0-0xFFFFFFFF end id
-t 0-99999, pause timeout (ms) between cards (use the word 'pause' to wait for user input) -t 0-99999, pause timeout (ms) between cards (use the word 'pause' to wait for user input)
-x mfc, mfu mifare type: mfc for Mifare Classic (default) or mfu for Mifare Ultralight EV1
Example:
pm3 --> script run hf_bruteforce -s 0x11223344 -e 0x11223346 -t 1000 -x mfc
Bruteforce a 4 byte UID Mifare classic card number, starting at 11223344, ending at 11223346.
pm3 --> script run hf_bruteforce -s 0x11223344556677 -e 0x11223344556679 -t 1000 -x mfu
Bruteforce a 7 byte UID Mifare Ultralight card number, starting at 11223344556677, ending at 11223344556679.
]] ]]
@ -60,41 +67,49 @@ local function help()
print(usage) print(usage)
end end
--- ---
-- Exit message --- Print user message
local function exitMsg(msg) local function msg(msg)
print( string.rep('--',20) ) print( string.rep('--',20) )
print('')
print(msg) print(msg)
print('')
print( string.rep('--',20) ) print( string.rep('--',20) )
print()
end end
--- ---
-- Start -- Start
local function main(args) local function main(args)
print( string.rep('--',20) )
print( string.rep('--',20) )
print()
local timeout = 0 local timeout = 0
local start_id = 0 local start_id = 0
local end_id = 0xFFFFFFFF local end_id = 0xFFFFFFFFFFFFFF
local mftype = 'mfc'
for o, a in getopt.getopt(args, 'e:s:t:h') do for o, a in getopt.getopt(args, 'e:s:t:x:h') do
if o == 's' then start_id = a end if o == 's' then start_id = a end
if o == 'e' then end_id = a end if o == 'e' then end_id = a end
if o == 't' then timeout = a end if o == 't' then timeout = a end
if o == 'x' then mftype = a end
if o == 'h' then return print(usage) end if o == 'h' then return print(usage) end
end end
-- template -- template
local command = 'hf 14a sim t 1 u %08X' local command = ''
print(' Bruteforcing MFC card numbers from 00000000 to FFFFFFFF using delay: '..timeout) if mftype == 'mfc' then
print('') command = 'hf 14a sim t 1 u %14X'
print( string.rep('--',20) ) msg('Bruteforcing Mifare Classic card numbers')
elseif mftype == 'mfu' then
command = 'hf 14a sim t 2 u %14X'
msg('Bruteforcing Mifare Ultralight card numbers')
else
return print(usage)
end
if command == '' then return print(usage) end
for n = start_id, end_id do for n = start_id, end_id do
local c = string.format( command, n ) local c = string.format( command, n )
print(' Running: "'..c..'"') print('Running: "'..c..'"')
core.console(c) core.console(c)
core.console('msleep '..timeout); core.console('msleep '..timeout);
core.console('hw ping') core.console('hw ping')
@ -102,4 +117,3 @@ local function main(args)
end end
main(args) main(args)

10
doc/cheatsheet.md
View file

@ -290,6 +290,16 @@ pm3 --> hf mfu eload u hf-mfu-XXXX-dump.eml
pm3 --> hf mfu sim t 7 u hf-mfu-XXXX-dump.eml pm3 --> hf mfu sim t 7 u hf-mfu-XXXX-dump.eml
``` ```
Bruteforce Mifare Classic card numbers from 11223344 to 11223346
```
pm3 --> script run hf_bruteforce -s 0x11223344 -e 0x11223346 -t 1000 -x mfc
```
Bruteforce Mifare Ultralight EV1 card numbers from 11223344556677 to 11223344556679
```
pm3 --> script run hf_bruteforce -s 0x11223344556677 -e 0x11223344556679 -t 1000 -x mfu
```
## Wiegand manipulation ## Wiegand manipulation
^[Top](#top) ^[Top](#top)