allow mf1k reader attack from file full of UIDs
authormarshmellow42 <marshmellowrf@gmail.com>
Sat, 25 Jun 2016 03:43:53 +0000 (23:43 -0400)
committermarshmellow42 <marshmellowrf@gmail.com>
Sat, 25 Jun 2016 03:43:53 +0000 (23:43 -0400)
also add UID to stats.txt collection.

client/cmdhfmf.c
client/nonce2key/nonce2key.c

index c565a7cf222bac705e1cb21a1b4d7227b6eba719..05202ac5fb34f5a599554813056a1f2e0ab9f764 100644 (file)
@@ -1016,7 +1016,82 @@ int CmdHF14AMfChk(const char *Cmd)
        return 0;\r
 }\r
 \r
-int usage_hf14_mf1ksim(void){\r
+void readerAttack(nonces_t ar_resp[], bool setEmulatorMem) {\r
+       #define ATTACK_KEY_COUNT 8\r
+       uint64_t key = 0;\r
+       typedef struct {\r
+                       uint64_t keyA;\r
+                       uint32_t security;\r
+                       uint64_t keyB;\r
+       } st_t;\r
+       st_t sector_trailer[ATTACK_KEY_COUNT];\r
+       memset(sector_trailer, 0x00, sizeof(sector_trailer));\r
+\r
+       uint8_t stSector[ATTACK_KEY_COUNT];\r
+       memset(stSector, 0x00, sizeof(stSector));\r
+       uint8_t key_cnt[ATTACK_KEY_COUNT];\r
+       memset(key_cnt, 0x00, sizeof(key_cnt));\r
+\r
+       for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {\r
+               if (ar_resp[i].ar2 > 0) {\r
+                       //PrintAndLog("Trying sector %d, cuid %08x, nt %08x, ar %08x, nr %08x, ar2 %08x, nr2 %08x",ar_resp[i].sector, ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2);\r
+                       if (mfkey32(ar_resp[i], &key)) {\r
+                               PrintAndLog("Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
+\r
+                               for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {\r
+                                       if (key_cnt[ii]==0 || stSector[ii]==ar_resp[i].sector) {\r
+                                               if (ar_resp[i].keytype==0) {\r
+                                                       //keyA\r
+                                                       sector_trailer[ii].keyA = key;\r
+                                                       stSector[ii] = ar_resp[i].sector;\r
+                                                       key_cnt[ii]++;\r
+                                                       break;\r
+                                               } else {\r
+                                                       //keyB\r
+                                                       sector_trailer[ii].keyB = key;\r
+                                                       stSector[ii] = ar_resp[i].sector;\r
+                                                       key_cnt[ii]++;\r
+                                                       break;\r
+                                               }\r
+                                       }\r
+                               }\r
+                       }\r
+               }\r
+       }\r
+       //set emulator memory for keys\r
+       if (setEmulatorMem) {\r
+               for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {\r
+                       if (key_cnt[i]>0) {\r
+                               //PrintAndLog   ("block %d, keyA:%04x%08x, keyb:%04x%08x",stSector[i]*4+3, (uint32_t) (sector_trailer[i].keyA>>32), (uint32_t) (sector_trailer[i].keyA &0xFFFFFFFF),(uint32_t) (sector_trailer[i].keyB>>32), (uint32_t) (sector_trailer[i].keyB &0xFFFFFFFF));\r
+                               uint8_t memBlock[16];\r
+                               memset(memBlock, 0x00, sizeof(memBlock));\r
+                               char cmd1[36];\r
+                               memset(cmd1,0x00,sizeof(cmd1));\r
+                               snprintf(cmd1,sizeof(cmd1),"%04x%08xFF078069%04x%08x",(uint32_t) (sector_trailer[i].keyA>>32), (uint32_t) (sector_trailer[i].keyA &0xFFFFFFFF),(uint32_t) (sector_trailer[i].keyB>>32), (uint32_t) (sector_trailer[i].keyB &0xFFFFFFFF));\r
+                               PrintAndLog("Setting Emulator Memory Block %02d: [%s]",stSector[i]*4+3, cmd1);\r
+                               if (param_gethex(cmd1, 0, memBlock, 32)) {\r
+                                       PrintAndLog("block data must include 32 HEX symbols");\r
+                                       return;\r
+                               }\r
+                               \r
+                               UsbCommand c = {CMD_MIFARE_EML_MEMSET, {(stSector[i]*4+3), 1, 0}};\r
+                               memcpy(c.d.asBytes, memBlock, 16);\r
+                               clearCommandBuffer();\r
+                               SendCommand(&c);                        \r
+                       }\r
+               }\r
+       }\r
+       //moebius attack\r
+       for (uint8_t i = ATTACK_KEY_COUNT; i<ATTACK_KEY_COUNT*2; i++) {\r
+               if (ar_resp[i].ar2 > 0) {\r
+                       if (tryMfk32_moebius(ar_resp[i], &key)) {\r
+                               PrintAndLog("M-Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
+                       }\r
+               }\r
+       }\r
+}\r
+\r
+int usage_hf14_mf1ksim(void) {\r
        PrintAndLog("Usage:  hf mf sim  [h] u <uid (8,14 hex symbols)> n <numreads> i x");\r
        PrintAndLog("options:");\r
        PrintAndLog("      h    this help");\r
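Review bot: `readerAttack` indexes `ar_resp` up to `ATTACK_KEY_COUNT*2 - 1` in the moebius loop, but the `nonces_t ar_resp[]` parameter carries no length and no comment states the requirement, so a caller passing a shorter array reads past its end. Add a header comment such as `// ar_resp must hold ATTACK_KEY_COUNT*2 entries: [0..ATTACK_KEY_COUNT-1] are fed to mfkey32, the rest to tryMfk32_moebius`, or take the count as a parameter. Defining `ATTACK_KEY_COUNT` with a `#define` inside the function body is also what the `ar_resp[ATTACK_KEY_COUNT*2]` declarations in `CmdHF14AMf1kSim` in the next hunk rely on; a file-scope `enum { ATTACK_KEY_COUNT = 8 };` near the top of the file would make that dependency visible. Note too that the `return;` after a `param_gethex` failure now skips the moebius loop for the remaining entries, which may or may not be intended.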
@@ -1025,157 +1100,181 @@ int usage_hf14_mf1ksim(void){
        PrintAndLog("      i    (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted");\r
        PrintAndLog("      x    (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)");\r
        PrintAndLog("      e    (Optional) set keys found from 'reader attack' to emulator memory");\r
+       PrintAndLog("      f    (Optional) get UIDs to use for 'reader attack' from file 'f <filename.txt>'");\r
        PrintAndLog("samples:");\r
        PrintAndLog("           hf mf sim u 0a0a0a0a");\r
        PrintAndLog("           hf mf sim u 11223344556677");\r
-       //PrintAndLog("           hf mf sim u 112233445566778899AA");   \r
+       PrintAndLog("           hf mf sim u 112233445566778899AA");     \r
        return 0;\r
 }\r
 \r
-int CmdHF14AMf1kSim(const char *Cmd)\r
-{\r
-       #define ATTACK_KEY_COUNT 8\r
+int CmdHF14AMf1kSim(const char *Cmd) {\r
        uint8_t uid[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0};\r
        uint8_t exitAfterNReads = 0;\r
        uint8_t flags = 0;\r
        int uidlen = 0;\r
        uint8_t pnr = 0;\r
        bool setEmulatorMem = false;\r
+       bool attackFromFile = false;\r
+       FILE *f;\r
+       char filename[FILE_PATH_SIZE];\r
+       memset(filename, 0x00, sizeof(filename));\r
+       int len = 0;\r
+       char buf[64];\r
+       uint8_t uidBuffer[64];\r
+\r
+       uint8_t cmdp = 0;\r
+       bool errors = false;\r
+\r
+       while(param_getchar(Cmd, cmdp) != 0x00) {\r
+               switch(param_getchar(Cmd, cmdp)) {\r
+               case 'e':\r
+               case 'E':\r
+                       setEmulatorMem = true;\r
+                       cmdp++;\r
+                       break;\r
+               case 'f':\r
+               case 'F':\r
+                       len = param_getstr(Cmd, cmdp+1, filename);\r
+                       if (len < 1) {\r
+                               PrintAndLog("error no filename found");\r
+                               return 0;\r
+                       }\r
+                       attackFromFile = true;\r
+                       cmdp+=2;\r
+                       break;\r
+               case 'h':\r
+               case 'H':\r
+                       return usage_hf14_mf1ksim();\r
+               case 'i':\r
+               case 'I':\r
+                       flags |= FLAG_INTERACTIVE;\r
+                       cmdp++;\r
+                       break;\r
+               case 'n':\r
+               case 'N':\r
+                       exitAfterNReads = param_get8(Cmd, pnr+1);\r
+                       cmdp += 2;\r
+                       break;\r
+               case 'u':\r
+               case 'U':\r
+                       param_gethex_ex(Cmd, cmdp+1, uid, &uidlen);\r
+                       switch(uidlen) {\r
+                               case 20: flags = FLAG_10B_UID_IN_DATA;  break; //not complete\r
+                               case 14: flags = FLAG_7B_UID_IN_DATA; break;\r
+                               case  8: flags = FLAG_4B_UID_IN_DATA; break;\r
+                               default: return usage_hf14_mf1ksim();\r
+                       }\r
+                       cmdp +=2;\r
+                       break;\r
+               case 'x':\r
+               case 'X':\r
+                       flags |= FLAG_NR_AR_ATTACK;\r
+                       cmdp++;\r
+                       break;\r
+               default:\r
+                       PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
+                       errors = true;\r
+                       break;\r
+               }\r
+               if(errors) break;\r
+       }\r
+       //Validations\r
+       if(errors) return usage_hf14_mf1ksim();\r
 \r
-       char cmdp = param_getchar(Cmd, pnr);\r
+       // attack from file implies nr ar attack...\r
+       if (!(flags & FLAG_NR_AR_ATTACK) && attackFromFile) flags |= FLAG_NR_AR_ATTACK;\r
        \r
-       if (cmdp == 'h' || cmdp == 'H') return usage_hf14_mf1ksim();\r
+       UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};\r
+       UsbCommand resp;\r
 \r
-       if (cmdp == 'u' || cmdp == 'U') {\r
-               param_gethex_ex(Cmd, pnr+1, uid, &uidlen);\r
-               switch(uidlen){\r
-                       //case 20: flags = FLAG_10B_UID_IN_DATA;        break; //not complete\r
-                       case 14: flags = FLAG_7B_UID_IN_DATA; break;\r
-                       case  8: flags = FLAG_4B_UID_IN_DATA; break;\r
-                       default: return usage_hf14_mf1ksim();\r
+       //get uid from file\r
+       if (attackFromFile) {\r
+               int count = 0;\r
+               // open file\r
+               f = fopen(filename, "r");\r
+               if (f == NULL) {\r
+                       PrintAndLog("File %s not found or locked", filename);\r
+                       return 1;\r
                }\r
-               pnr +=2;\r
-       }\r
-\r
-       cmdp = param_getchar(Cmd, pnr);\r
-       if (cmdp == 'n' || cmdp == 'N') {\r
-               exitAfterNReads = param_get8(Cmd, pnr+1);\r
-               pnr += 2;\r
-       }\r
+               while(!feof(f)){\r
+                       memset(buf, 0, sizeof(buf));\r
+                       memset(uidBuffer, 0, sizeof(uidBuffer));\r
 \r
-       cmdp = param_getchar(Cmd, pnr);\r
-       if (cmdp == 'i' || cmdp == 'I' ) {\r
-               flags |= FLAG_INTERACTIVE;\r
-               pnr++;\r
-       }\r
+                       if (fgets(buf, sizeof(buf), f) == NULL) {                       \r
+                               if (count > 0) break;\r
+                               \r
+                               PrintAndLog("File reading error.");\r
+                               fclose(f);\r
+                               return 2;\r
+                       }\r
+                       \r
+                       if (strlen(buf) < uidlen) {\r
+                               if(strlen(buf) && feof(f))\r
+                                       break;\r
+                               PrintAndLog("File content error. Block data must include %d HEX symbols", uidlen);\r
+                               fclose(f);\r
+                               return 2;\r
+                       }\r
+                       \r
+                       for (uint8_t i = 0; i < uidlen; i += 2) {\r
+                               sscanf(&buf[i], "%02x", (unsigned int *)&uidBuffer[i / 2]);\r
+                       }\r
+                       \r
+                       PrintAndLog("mf 1k sim uid: %s, numreads:%d, flags:%d (0x%02x) ",\r
+                                       flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):\r
+                                               flags & FLAG_7B_UID_IN_DATA     ? sprint_hex(uid,7): \r
+                                                       flags & FLAG_10B_UID_IN_DATA ? sprint_hex(uid,10): "N/A"\r
+                                       , exitAfterNReads, flags, flags);\r
+\r
+                       memcpy(c.d.asBytes, uid, sizeof(uid));\r
+                       clearCommandBuffer();\r
+                       SendCommand(&c);\r
 \r
-       cmdp = param_getchar(Cmd, pnr);\r
-       if (cmdp == 'x' || cmdp == 'X') {\r
-               flags |= FLAG_NR_AR_ATTACK;\r
-               pnr++;\r
-       }\r
+                       if(flags & FLAG_INTERACTIVE) {\r
+                               PrintAndLog("Press pm3-button to abort simulation");\r
+                               while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
+                                       //We're waiting only 1.5 s at a time, otherwise we get the\r
+                                       // annoying message about "Waiting for a response... "\r
+                               }\r
+                               //got a response\r
+                               if (flags & FLAG_NR_AR_ATTACK) {\r
+                                       nonces_t ar_resp[ATTACK_KEY_COUNT*2];\r
+                                       memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp));\r
+                                       readerAttack(ar_resp, setEmulatorMem);\r
+                               }\r
+                       }\r
 \r
-       cmdp = param_getchar(Cmd, pnr);\r
-       if (cmdp == 'e' || cmdp == 'E') {\r
-               setEmulatorMem = true;\r
-       }\r
+                       count++;\r
+               }\r
+               fclose(f);\r
+       } else {\r
 \r
-       PrintAndLog(" uid:%s, numreads:%d, flags:%d (0x%02x) ",\r
+               PrintAndLog("mf 1k sim uid: %s, numreads:%d, flags:%d (0x%02x) ",\r
                                flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):\r
-                                       flags & FLAG_7B_UID_IN_DATA     ? sprint_hex(uid,7): "N/A"\r
-                               , exitAfterNReads, flags,flags);\r
+                                       flags & FLAG_7B_UID_IN_DATA     ? sprint_hex(uid,7): \r
+                                               flags & FLAG_10B_UID_IN_DATA ? sprint_hex(uid,10): "N/A"\r
+                               , exitAfterNReads, flags, flags);\r
 \r
+               memcpy(c.d.asBytes, uid, sizeof(uid));\r
+               clearCommandBuffer();\r
+               SendCommand(&c);\r
 \r
-       UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};\r
-       memcpy(c.d.asBytes, uid, sizeof(uid));\r
-       clearCommandBuffer();\r
-       SendCommand(&c);\r
-\r
-       if(flags & FLAG_INTERACTIVE) {\r
-               UsbCommand resp;\r
-               PrintAndLog("Press pm3-button to abort simulation");\r
-               while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
-                       //We're waiting only 1.5 s at a time, otherwise we get the\r
-                       // annoying message about "Waiting for a response... "\r
-               }\r
-               //got a response\r
-               if (flags & FLAG_NR_AR_ATTACK) {\r
-                       nonces_t ar_resp[ATTACK_KEY_COUNT*2];\r
-                       uint64_t key = 0;\r
-                       memcpy (ar_resp, resp.d.asBytes, sizeof(ar_resp));\r
-                       typedef struct {\r
-                                       uint64_t keyA;\r
-                                       uint32_t security;\r
-                                       uint64_t keyB;\r
-                       } st_t;\r
-                       st_t sector_trailer[ATTACK_KEY_COUNT];\r
-                       memset(sector_trailer, 0x00, sizeof(sector_trailer));\r
-\r
-                       uint8_t stSector[ATTACK_KEY_COUNT];\r
-                       memset(stSector, 0x00, sizeof(stSector));\r
-                       uint8_t key_cnt[ATTACK_KEY_COUNT];\r
-                       memset(key_cnt, 0x00, sizeof(key_cnt));\r
-\r
-                       for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {\r
-                               if (ar_resp[i].ar2 > 0) {\r
-                                       //PrintAndLog("Trying sector %d, cuid %08x, nt %08x, ar %08x, nr %08x, ar2 %08x, nr2 %08x",ar_resp[i].sector, ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2);\r
-                                       if (mfkey32(ar_resp[i], &key)) {\r
-                                               PrintAndLog("Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
-\r
-                                               for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {\r
-                                                       if (key_cnt[ii]==0 || stSector[ii]==ar_resp[i].sector) {\r
-                                                               if (ar_resp[i].keytype==0) {\r
-                                                                       //keyA\r
-                                                                       sector_trailer[ii].keyA = key;\r
-                                                                       stSector[ii] = ar_resp[i].sector;\r
-                                                                       key_cnt[ii]++;\r
-                                                                       break;\r
-                                                               } else {\r
-                                                                       //keyB\r
-                                                                       sector_trailer[ii].keyB = key;\r
-                                                                       stSector[ii] = ar_resp[i].sector;\r
-                                                                       key_cnt[ii]++;\r
-                                                                       break;\r
-                                                               }\r
-                                                       }\r
-                                               }\r
-                                       }\r
-                               }\r
-                       }\r
-                       //set emulator memory for keys\r
-                       if (setEmulatorMem) {\r
-                               for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {\r
-                                       if (key_cnt[i]>0) {\r
-                                               //PrintAndLog   ("block %d, keyA:%04x%08x, keyb:%04x%08x",stSector[i]*4+3, (uint32_t) (sector_trailer[i].keyA>>32), (uint32_t) (sector_trailer[i].keyA &0xFFFFFFFF),(uint32_t) (sector_trailer[i].keyB>>32), (uint32_t) (sector_trailer[i].keyB &0xFFFFFFFF));\r
-                                               uint8_t memBlock[16];\r
-                                               memset(memBlock, 0x00, sizeof(memBlock));\r
-                                               char cmd1[36];\r
-                                               memset(cmd1,0x00,sizeof(cmd1));\r
-                                               snprintf(cmd1,sizeof(cmd1),"%04x%08xFF078069%04x%08x",(uint32_t) (sector_trailer[i].keyA>>32), (uint32_t) (sector_trailer[i].keyA &0xFFFFFFFF),(uint32_t) (sector_trailer[i].keyB>>32), (uint32_t) (sector_trailer[i].keyB &0xFFFFFFFF));\r
-                                               PrintAndLog("Setting Emulator Memory Block %02d: [%s]",stSector[i]*4+3, cmd1);\r
-                                               if (param_gethex(cmd1, 0, memBlock, 32)) {\r
-                                                       PrintAndLog("block data must include 32 HEX symbols");\r
-                                                       return 1;\r
-                                               }\r
-                                               \r
-                                               UsbCommand c = {CMD_MIFARE_EML_MEMSET, {(stSector[i]*4+3), 1, 0}};\r
-                                               memcpy(c.d.asBytes, memBlock, 16);\r
-                                               clearCommandBuffer();\r
-                                               SendCommand(&c);                        \r
-                                       }\r
-                               }\r
+               if(flags & FLAG_INTERACTIVE) {\r
+                       PrintAndLog("Press pm3-button to abort simulation");\r
+                       while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
+                               //We're waiting only 1.5 s at a time, otherwise we get the\r
+                               // annoying message about "Waiting for a response... "\r
                        }\r
-                       //moebius attack\r
-                       for (uint8_t i = ATTACK_KEY_COUNT; i<ATTACK_KEY_COUNT*2; i++) {\r
-                               if (ar_resp[i].ar2 > 0) {\r
-                                       if (tryMfk32_moebius(ar_resp[i], &key)) {\r
-                                               PrintAndLog("M-Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
-                                       }\r
-                               }\r
+                       //got a response\r
+                       if (flags & FLAG_NR_AR_ATTACK) {\r
+                               nonces_t ar_resp[ATTACK_KEY_COUNT*2];\r
+                               memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp));\r
+                               readerAttack(ar_resp, setEmulatorMem);\r
                        }\r
                }\r
        }\r
-       \r
+\r
        return 0;\r
 }\r
 \r
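Review bot: The UIDs read from the file are never used: the `sscanf` loop fills `uidBuffer`, but the `sprint_hex(uid, …)` print and `memcpy(c.d.asBytes, uid, sizeof(uid))` that follow still use the `uid` from the `u` option, so every line of the file simulates the same card. That `sscanf` also stores a whole `unsigned int` through a `uint8_t *` (it only stays inside the 64-byte buffer because of its size), so parse into a temporary and copy the finished UID into `uid` before sending, as in the rewrite below. Separately, the `n` case reads `param_get8(Cmd, pnr+1)` while the new parser advances `cmdp` and leaves `pnr` at 0, so it should be `exitAfterNReads = param_get8(Cmd, cmdp+1);`. Finally, `strlen(buf) < uidlen` compares `size_t` with `int`, and when no `u` option accompanies `f`, `uidlen` stays 0 and no `FLAG_*_UID_IN_DATA` bit is set, which presumably leaves the device without a UID length; rejecting `attackFromFile` without a known `uidlen` up front would make that explicit.
```c
			for (uint8_t i = 0; i < uidlen; i += 2) {
				unsigned int byte = 0;
				if (sscanf(&buf[i], "%02x", &byte) != 1) {
					PrintAndLog("File content error. Block data must include %d HEX symbols", uidlen);
					fclose(f);
					return 2;
				}
				uidBuffer[i / 2] = (uint8_t)byte;
			}
			// simulate the UID from this line, not the one given with 'u'
			memcpy(uid, uidBuffer, sizeof(uid));
			/* … unchanged: PrintAndLog of uid/flags, memcpy into c.d.asBytes, SendCommand, interactive wait … */
```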
index fcf34a737ce9cb37d35753f6466b32e718dba6fa..942ef78bac82595cf7a2eafd70bdb80120a8fb6f 100644 (file)
@@ -192,7 +192,7 @@ bool mfkey32(nonces_t data, uint64_t *outputkey) {
                PrintAndLog("Could not create file name stats.txt");
                return 1;
        }
-       fprintf(fout, "mfkey32,%d,%d,%s,%04x%08x,%.0Lf\r\n",counter,data.sector,(data.keytype) ? "B" : "A", (uint32_t)(outkey>>32) & 0xFFFF,(uint32_t)(outkey&0xFFFFFFFF),(long double)t1);
+       fprintf(fout, "mfkey32,%d,%08x,%d,%s,%04x%08x,%.0Lf\r\n", counter, data.cuid, data.sector, (data.keytype) ? "B" : "A", (uint32_t)(outkey>>32) & 0xFFFF,(uint32_t)(outkey&0xFFFFFFFF),(long double)t1);
        fclose(fout);
        return isSuccess;
 }
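Review bot: Inserting `data.cuid` as a new third column changes the row layout of `stats.txt` without any header or version marker, so a file that already holds rows in the old `mfkey32,counter,sector,...` shape now mixes two formats that a consumer cannot tell apart; the same applies to the `moebius` line in the next hunk. Either append the UID as the last column or document the layout next to the `fprintf`, e.g. `// stats.txt row: tool,counter,cuid,sector,keytype,key,t1`. Since each row now pairs a card UID with its recovered key, it is worth stating in the command's usage text that this file is written in plaintext to the working directory, so users know to protect or clear it.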
@@ -243,7 +243,7 @@ bool tryMfk32_moebius(nonces_t data, uint64_t *outputkey) {
                PrintAndLog("Could not create file name stats.txt");
                return 1;
        }
-       fprintf(fout, "moebius,%d,%d,%s,%04x%08x,%0.Lf\r\n",counter,data.sector, (data.keytype) ? "B" : "A", (uint32_t) (outkey>>32),(uint32_t)(outkey&0xFFFFFFFF),(long double)t1);
+       fprintf(fout, "moebius,%d,%08x,%d,%s,%04x%08x,%0.Lf\r\n", counter, data.cuid, data.sector, (data.keytype) ? "B" : "A", (uint32_t) (outkey>>32),(uint32_t)(outkey&0xFFFFFFFF),(long double)t1);
        fclose(fout);
        return isSuccess;
 }