From 85ca342567213617ea4cd3b9f930638b017d515d Mon Sep 17 00:00:00 2001
From: Chris Smith
Date: Mon, 27 Feb 2023 13:02:16 -0700
Subject: [PATCH 1/6] Add bruteforce functionality to HID facility code
---
 client/src/cmdlfhid.c | 124 +++++++++++++++++++++++++-----------------
 1 file changed, 75 insertions(+), 49 deletions(-)
 mode change 100644 => 100755 client/src/cmdlfhid.c
diff --git a/client/src/cmdlfhid.c b/client/src/cmdlfhid.c
old mode 100644
new mode 100755
index 4cfa41ef8..fa6399b9e
--- a/client/src/cmdlfhid.c
+++ b/client/src/cmdlfhid.c
@@ -475,26 +475,27 @@ static int CmdHIDClone(const char *Cmd) {
 static int CmdHIDBrute(const char *Cmd) {
 CLIParserContext *ctx;
 CLIParserInit(&ctx, "lf hid brute",
- "Enables bruteforce of HID readers with specified facility code.\n"
- "This is a attack against reader. if cardnumber is given, it starts with it and goes up / down one step\n"
- "if cardnumber is not given, it starts with 1 and goes up to 65535",
- "lf hid brute -w H10301 --fc 224\n"
- "lf hid brute -w H10301 --fc 21 -d 2000\n"
- "lf hid brute -v -w H10301 --fc 21 --cn 200 -d 2000\n"
- "lf hid brute -v -w H10301 --fc 21 --cn 200 -d 2000 --up\n"
+ "Enables bruteforce of HID readers while maintaining specific parameter values.\n"
+ "If the field being bruteforced is provided, it starts with it and goes up / down one step while maintaining other supplied values.\n"
+ "If the field being bruteforced is not provided, it will iterate through the full range while maintaining other supplied values.",
+ "lf hid brute -w H10301 -f fc --fc 224 --cn 6278\n"
+ "lf hid brute -w H10301 -f cn --fc 21 -d 2000\n"
+ "lf hid brute -v -w H10301 -f cn --fc 21 --cn 200 -d 2000\n"
+ "lf hid brute -v -w H10301 -f fc --fc 21 --cn 200 -d 2000 --up\n"
 );
 void *argtable[] = {
 arg_param_begin,
 arg_lit0("v", "verbose", "verbose output"),
 arg_str1("w", "wiegand", "", "see " _YELLOW_("`wiegand list`") " for available formats"),
+ arg_str1("f", "field", "", "field to bruteforce"),
 arg_u64_0(NULL, "fc", "", "facility code"),
- arg_u64_0(NULL, "cn", "", "card number to start with"),
+ arg_u64_0(NULL, "cn", "", "card number"),
 arg_u64_0("i", "issue", "", "issue level"),
 arg_u64_0("o", "oem", "", "OEM code"),
- arg_u64_0("d", "delay", "", "delay betweens attempts in ms. Default 1000ms"),
- arg_lit0(NULL, "up", "direction to increment card number. (default is both directions)"),
- arg_lit0(NULL, "down", "direction to decrement card number. (default is both directions)"),
+ arg_u64_0("d", "delay", "", "delay betweens attempts in ms. 
(default is 1000)"),
+ arg_lit0(NULL, "up", "direction to increment field value. (default is both directions)"),
+ arg_lit0(NULL, "down", "direction to decrement field value. (default is both directions)"),
 arg_param_end
 };
 CLIExecWithReturn(ctx, Cmd, argtable, false);
@@ -512,22 +513,26 @@ static int CmdHIDBrute(const char *Cmd) {
 return PM3_EINVARG;
 }
- wiegand_card_t cn_hi, cn_low;
- memset(&cn_hi, 0, sizeof(wiegand_card_t));
+ wiegand_card_t card_hi, card_low;
+ memset(&card_hi, 0, sizeof(wiegand_card_t));
+
+ char field[3] = {0};
+ int field_len = 0;
+ CLIParamStrToBuf(arg_get_str(ctx, 3), (uint8_t *)field, sizeof(field), &field_len);
- cn_hi.FacilityCode = arg_get_u32_def(ctx, 3, 0);
- cn_hi.CardNumber = arg_get_u32_def(ctx, 4, 0);
- cn_hi.IssueLevel = arg_get_u32_def(ctx, 5, 0);
- cn_hi.OEM = arg_get_u32_def(ctx, 6, 0);
+ card_hi.FacilityCode = arg_get_u32_def(ctx, 4, 0);
+ card_hi.CardNumber = arg_get_u32_def(ctx, 5, 0);
+ card_hi.IssueLevel = arg_get_u32_def(ctx, 6, 0);
+ card_hi.OEM = arg_get_u32_def(ctx, 7, 0);
- uint32_t delay = arg_get_u32_def(ctx, 7, 1000);
+ uint32_t delay = arg_get_u32_def(ctx, 8, 1000);
 int direction = 0;
- if (arg_get_lit(ctx, 8) && arg_get_lit(ctx, 9)) {
+ if (arg_get_lit(ctx, 9) && arg_get_lit(ctx, 10)) {
 direction = 0;
- } else if (arg_get_lit(ctx, 8)) {
- direction = 1;
 } else if (arg_get_lit(ctx, 9)) {
+ direction = 1;
+ } else if (arg_get_lit(ctx, 10)) {
 direction = 2;
 }
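Review bot: The help string for the `-d` option keeps the "betweens" typo from the removed line, and the re-indent in patch 2 (hunk -488,12) carries it along unchanged. `arg_u64_0("d", "delay", "", "delay between attempts in ms. (default is 1000)"),`. CmdHIDBrute continues outside this hunk.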
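Review bot: The `--field` value copied into `field` is never validated after `CLIParamStrToBuf`: the only place that distinguishes `fc` from `cn` is the pair of `strcmp` calls in the loop of the hunk at -578,27, so any other string leaves both `fin_hi` and `fin_low` false and the loop keeps re-sending the same card until the user aborts. Reject it right after parsing, mirroring the `PM3_EINVARG` exit visible at the top of this hunk: `if (strcmp(field, "fc") != 0 && strcmp(field, "cn") != 0) { PrintAndLogEx(ERR, "field must be fc or cn"); CLIParserFree(ctx); return PM3_EINVARG; }`. The return value of `CLIParamStrToBuf` is also discarded here, and I cannot see from this hunk whether it guarantees NUL termination when the input fills all three bytes of `field` — the later `strcmp` calls depend on that, so checking the result (and treating an over-long value as invalid) would close that gap too. CmdHIDBrute starts and ends outside this hunk.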
@@ -535,34 +540,38 @@ static int CmdHIDBrute(const char *Cmd) {
 if (verbose) {
 PrintAndLogEx(INFO, "Wiegand format... %i", format_idx);
- PrintAndLogEx(INFO, "OEM.............. %u", cn_hi.OEM);
- PrintAndLogEx(INFO, "ISSUE............ %u", cn_hi.IssueLevel);
- PrintAndLogEx(INFO, "Facility code.... %u", cn_hi.FacilityCode);
- PrintAndLogEx(INFO, "Card number...... %" PRIu64, cn_hi.CardNumber);
+ PrintAndLogEx(INFO, "OEM.............. %u", card_hi.OEM);
+ PrintAndLogEx(INFO, "ISSUE............ %u", card_hi.IssueLevel);
+ PrintAndLogEx(INFO, "Facility code.... %u", card_hi.FacilityCode);
+ PrintAndLogEx(INFO, "Card number...... %" PRIu64, card_hi.CardNumber);
 PrintAndLogEx(INFO, "Delay............ " _YELLOW_("%d"), delay);
+ if (strcmp(field, "fc") == 0) {
+ PrintAndLogEx(INFO, "Field............ " _YELLOW_("fc"));
+ } else if (strcmp(field, "cn") == 0) {
+ PrintAndLogEx(INFO, "Field............ " _YELLOW_("cn"));
+ }
 switch (direction) {
 case 0:
- PrintAndLogEx(INFO, "Direction........ " _YELLOW_("BOTH"));
+ PrintAndLogEx(INFO, "Direction........ " _YELLOW_("both"));
 break;
 case 1:
- PrintAndLogEx(INFO, "Direction........ " _YELLOW_("UP"));
+ PrintAndLogEx(INFO, "Direction........ " _YELLOW_("up"));
 break;
 case 2:
- PrintAndLogEx(INFO, "Direction........ " _YELLOW_("DOWN"));
+ PrintAndLogEx(INFO, "Direction........ " _YELLOW_("down"));
 break;
 default:
 break;
 }
 }
 PrintAndLogEx(NORMAL, "");
- PrintAndLogEx(INFO, "Started brute-forcing HID Prox reader");
+ PrintAndLogEx(INFO, "Started bruteforcing HID Prox reader");
 PrintAndLogEx(INFO, "Press " _GREEN_("") " or pm3-button to abort simulation");
 PrintAndLogEx(NORMAL, "");
 // copy values to low.
- cn_low = cn_hi;
+ card_low = card_hi;
 // main loop
- // iceman: could add options for bruteforcing OEM, ISSUE or FC as well..
 bool exitloop = false;
 bool fin_hi, fin_low;
 fin_hi = fin_low = false;
@@ -578,27 +587,43 @@ static int CmdHIDBrute(const char *Cmd) {
 return sendPing();
 }
- // do one up
- if (direction != 2) {
- if (cn_hi.CardNumber < 0xFFFF) {
- if (sendTry(format_idx, &cn_hi, delay, verbose) != PM3_SUCCESS) {
- return PM3_ESOFT;
+ // do one up
+ if (direction != 2 && fin_hi != true) {
+ if (sendTry(format_idx, &card_hi, delay, verbose) != PM3_SUCCESS) {
+ return PM3_ESOFT;
+ }
+ if (strcmp(field, "fc") == 0) {
+ if (card_hi.FacilityCode < 0xFF) {
+ card_hi.FacilityCode++;
+ } else {
+ fin_hi = true;
+ }
+ } else if (strcmp(field, "cn") == 0) {
+ if (card_hi.CardNumber < 0xFFFF) {
+ card_hi.CardNumber++;
+ } else {
+ fin_hi = true;
 }
- cn_hi.CardNumber++;
- } else {
- fin_hi = true;
 }
 }
 // do one down
- if (direction != 1) {
- if (cn_low.CardNumber > 0) {
- cn_low.CardNumber--;
- if (sendTry(format_idx, &cn_low, delay, verbose) != PM3_SUCCESS) {
- return PM3_ESOFT;
+ if (direction != 1 && fin_low != true) {
+ if (sendTry(format_idx, &card_low, delay, verbose) != PM3_SUCCESS) {
+ return PM3_ESOFT;
+ }
+ if (strcmp(field, "fc") == 0) {
+ if (card_low.FacilityCode > 0) {
+ card_low.FacilityCode--;
+ } else {
+ fin_low = true;
+ }
+ } else if (strcmp(field, "cn") == 0) {
+ if (card_low.CardNumber > 0) {
+ card_low.CardNumber--;
+ } else {
+ fin_low = true;
 }
- } else {
- fin_low = true;
 }
 }
@@ -620,7 +645,8 @@ static int CmdHIDBrute(const char *Cmd) {
 } while (exitloop == false);
- PrintAndLogEx(INFO, "Brute forcing finished");
+ PrintAndLogEx(NORMAL, "");
+ PrintAndLogEx(INFO, "Bruteforcing finished");
 return PM3_SUCCESS;
 }
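Review bot: In the default both-directions mode the start value is now tried twice: the "do one up" branch sends `card_hi` before stepping it, and in the same iteration the "do one down" branch sends `card_low`, which is still the untouched copy made by `card_low = card_hi` in the previous hunk. The removed code avoided this by decrementing before `sendTry`; restoring that order in the down branch (below) removes the duplicate, with the side effect that down-only mode no longer tries the start value, exactly as before this patch — if it should still be tried when `direction == 2`, pre-step `card_low` once before the loop only when `direction == 0` instead. Separately, when `field` is neither `fc` nor `cn` neither branch ever sets `fin_hi` or `fin_low`, so the loop cannot finish on its own; that is best handled where the argument is parsed. CmdHIDBrute's body continues outside this hunk.
```c
// … unchanged: "do one up" branch …
// do one down
if (direction != 1 && fin_low != true) {
    // Step before sending, as the removed code did: in "both" mode the
    // start value has already been tried by the "up" branch above.
    if (strcmp(field, "fc") == 0) {
        if (card_low.FacilityCode > 0) {
            card_low.FacilityCode--;
        } else {
            fin_low = true;
        }
    } else if (strcmp(field, "cn") == 0) {
        if (card_low.CardNumber > 0) {
            card_low.CardNumber--;
        } else {
            fin_low = true;
        }
    }
    if (fin_low != true && sendTry(format_idx, &card_low, delay, verbose) != PM3_SUCCESS) {
        return PM3_ESOFT;
    }
}
```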
@@ -630,8 +656,8 @@ static command_t CommandTable[] = {
 {"reader", CmdHIDReader, IfPm3Lf, "attempt to read and extract tag data"},
 {"clone", CmdHIDClone, IfPm3Lf, "clone HID tag to T55x7"},
 {"sim", CmdHIDSim, IfPm3Lf, "simulate HID tag"},
- {"brute", CmdHIDBrute, IfPm3Lf, "bruteforce card number against reader"},
- {"watch", CmdHIDWatch, IfPm3Lf, "continuously watch for cards. Reader mode"},
+ {"brute", CmdHIDBrute, IfPm3Lf, "bruteforce HID tag while maintaining specific parameter values"},
+ {"watch", CmdHIDWatch, IfPm3Lf, "continuously watch for cards"},
 {NULL, NULL, NULL, NULL}
 };
From 702716b59750b26e00d08780e6b3256d98e759ef Mon Sep 17 00:00:00 2001
From: Chris Smith
Date: Mon, 27 Feb 2023 13:05:16 -0700
Subject: [PATCH 2/6] Fix formatting
---
 client/src/cmdlfhid.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/client/src/cmdlfhid.c b/client/src/cmdlfhid.c
index fa6399b9e..de2e9dc29 100755
--- a/client/src/cmdlfhid.c
+++ b/client/src/cmdlfhid.c
@@ -476,7 +476,7 @@ static int CmdHIDBrute(const char *Cmd) {
 CLIParserContext *ctx;
 CLIParserInit(&ctx, "lf hid brute",
 "Enables bruteforce of HID readers while maintaining specific parameter values.\n"
- "If the field being bruteforced is provided, it starts with it and goes up / down one step while maintaining other supplied values.\n"
+ "If the field being bruteforced is provided, it starts with it and goes up / down one step while maintaining other supplied values.\n"
 "If the field being bruteforced is not provided, it will iterate through the full range while maintaining other supplied values.",
 "lf hid brute -w H10301 -f fc --fc 224 --cn 6278\n"
 "lf hid brute -w H10301 -f cn --fc 21 -d 2000\n"
@@ -488,12 +488,12 @@ static int CmdHIDBrute(const char *Cmd) {
 arg_param_begin,
 arg_lit0("v", "verbose", "verbose output"),
 arg_str1("w", "wiegand", "", "see " _YELLOW_("`wiegand list`") " for available formats"),
- arg_str1("f", "field", "", "field to bruteforce"),
- arg_u64_0(NULL, "fc", "", "facility code"),
- arg_u64_0(NULL, "cn", "", "card number"),
- arg_u64_0("i", "issue", "", "issue level"),
- arg_u64_0("o", "oem", "", "OEM code"),
- arg_u64_0("d", "delay", "", "delay betweens attempts in ms. (default is 1000)"),
+ arg_str1("f", "field", "", "field to bruteforce"),
+ arg_u64_0(NULL, "fc", "", "facility code"),
+ arg_u64_0(NULL, "cn", "", "card number"),
+ arg_u64_0("i", "issue", "", "issue level"),
+ arg_u64_0("o", "oem", "", "OEM code"),
+ arg_u64_0("d", "delay", "", "delay betweens attempts in ms. (default is 1000)"),
 arg_lit0(NULL, "up", "direction to increment field value. (default is both directions)"),
 arg_lit0(NULL, "down", "direction to decrement field value. (default is both directions)"),
 arg_param_end
From 21a1defa88840596614012ee5aa99c2f41c62043 Mon Sep 17 00:00:00 2001
From: Chris Smith
Date: Mon, 27 Feb 2023 13:06:38 -0700
Subject: [PATCH 3/6] Fix formatting
---
 client/src/cmdlfhid.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/client/src/cmdlfhid.c b/client/src/cmdlfhid.c
index de2e9dc29..d6349e9ad 100755
--- a/client/src/cmdlfhid.c
+++ b/client/src/cmdlfhid.c
@@ -488,7 +488,7 @@ static int CmdHIDBrute(const char *Cmd) {
 arg_param_begin,
 arg_lit0("v", "verbose", "verbose output"),
 arg_str1("w", "wiegand", "", "see " _YELLOW_("`wiegand list`") " for available formats"),
- arg_str1("f", "field", "", "field to bruteforce"),
+ arg_str1("f", "field", "", "field to bruteforce"),
 arg_u64_0(NULL, "fc", "", "facility code"),
 arg_u64_0(NULL, "cn", "", "card number"),
 arg_u64_0("i", "issue", "", "issue level"),
From 3bcac0cc64e8b7e918f70ccb2d4826e43c3b2cf7 Mon Sep 17 00:00:00 2001
From: Chris Smith
Date: Tue, 28 Feb 2023 07:24:24 -0700
Subject: [PATCH 4/6] Updated arguments and help text
---
 client/src/cmdlfhid.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/client/src/cmdlfhid.c b/client/src/cmdlfhid.c
index d6349e9ad..424c043c4 100755
--- a/client/src/cmdlfhid.c
+++ b/client/src/cmdlfhid.c
@@ -488,7 +488,7 @@ static int CmdHIDBrute(const char *Cmd) {
 arg_param_begin,
 arg_lit0("v", "verbose", "verbose output"),
 arg_str1("w", "wiegand", "", "see " _YELLOW_("`wiegand list`") " for available formats"),
- arg_str1("f", "field", "", "field to bruteforce"),
+ arg_str1(NULL, "field", "", "field to bruteforce. can be _YELLOW("`fc`") for facility code, or _YELLOW("`cn`") for card number"),
 arg_u64_0(NULL, "fc", "", "facility code"),
 arg_u64_0(NULL, "cn", "", "card number"),
 arg_u64_0("i", "issue", "", "issue level"),
@@ -656,8 +656,8 @@ static command_t CommandTable[] = {
 {"reader", CmdHIDReader, IfPm3Lf, "attempt to read and extract tag data"},
 {"clone", CmdHIDClone, IfPm3Lf, "clone HID tag to T55x7"},
 {"sim", CmdHIDSim, IfPm3Lf, "simulate HID tag"},
- {"brute", CmdHIDBrute, IfPm3Lf, "bruteforce HID tag while maintaining specific parameter values"},
- {"watch", CmdHIDWatch, IfPm3Lf, "continuously watch for cards"},
+ {"brute", CmdHIDBrute, IfPm3Lf, "bruteforce facility code or card number against reader"},
+ {"watch", CmdHIDWatch, IfPm3Lf, "continuously watch for cards. Reader mode"},
 {NULL, NULL, NULL, NULL}
 };
From cd5fa61683f742ea835c84d982fa6c0d2c00918a Mon Sep 17 00:00:00 2001
From: Chris Smith
Date: Tue, 28 Feb 2023 07:28:06 -0700
Subject: [PATCH 5/6] Update help text
---
 client/src/cmdlfhid.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/client/src/cmdlfhid.c b/client/src/cmdlfhid.c
index 424c043c4..19c7a3ea0 100755
--- a/client/src/cmdlfhid.c
+++ b/client/src/cmdlfhid.c
@@ -475,13 +475,13 @@ static int CmdHIDClone(const char *Cmd) {
 static int CmdHIDBrute(const char *Cmd) {
 CLIParserContext *ctx;
 CLIParserInit(&ctx, "lf hid brute",
- "Enables bruteforce of HID readers while maintaining specific parameter values.\n"
+ "Enables bruteforce of HID readers with specified facility code or card number. This is an attack against the reader.\n"
 "If the field being bruteforced is provided, it starts with it and goes up / down one step while maintaining other supplied values.\n"
 "If the field being bruteforced is not provided, it will iterate through the full range while maintaining other supplied values.",
- "lf hid brute -w H10301 -f fc --fc 224 --cn 6278\n"
- "lf hid brute -w H10301 -f cn --fc 21 -d 2000\n"
- "lf hid brute -v -w H10301 -f cn --fc 21 --cn 200 -d 2000\n"
- "lf hid brute -v -w H10301 -f fc --fc 21 --cn 200 -d 2000 --up\n"
+ "lf hid brute -w H10301 --field fc --fc 224 --cn 6278\n"
+ "lf hid brute -w H10301 --field cn --fc 21 -d 2000\n"
+ "lf hid brute -v -w H10301 --field cn --fc 21 --cn 200 -d 2000\n"
+ "lf hid brute -v -w H10301 --field fc --fc 21 --cn 200 -d 2000 --up\n"
 );
 void *argtable[] = {
From f424667d0c00e3da4570754ae8922a6eb799783c Mon Sep 17 00:00:00 2001
From: Chris Smith
Date: Sat, 4 Mar 2023 10:40:19 -0700
Subject: [PATCH 6/6] Fix syntax
---
 client/src/cmdlfhid.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/client/src/cmdlfhid.c b/client/src/cmdlfhid.c
index 19c7a3ea0..d04de6cda 100755
--- a/client/src/cmdlfhid.c
+++ b/client/src/cmdlfhid.c
@@ -488,7 +488,7 @@ static int CmdHIDBrute(const char *Cmd) {
 arg_param_begin,
 arg_lit0("v", "verbose", "verbose output"),
 arg_str1("w", "wiegand", "", "see " _YELLOW_("`wiegand list`") " for available formats"),
- arg_str1(NULL, "field", "", "field to bruteforce. can be _YELLOW("`fc`") for facility code, or _YELLOW("`cn`") for card number"),
+ arg_str1(NULL, "field", "", "field to bruteforce. can be " _YELLOW("`fc`") " for facility code, or " _YELLOW("`cn`") " for card number"),
 arg_u64_0(NULL, "fc", "", "facility code"),
 arg_u64_0(NULL, "cn", "", "card number"),
 arg_u64_0("i", "issue", "", "issue level"),
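Review bot: The colour macro on the added `--field` line is spelled `_YELLOW(` without the trailing underscore, while every other use visible in this series (the `wiegand` option directly above it and the `Field`/`Direction` prints in patch 1) is `_YELLOW_(`; unless a `_YELLOW` variant is defined elsewhere, this line still does not compile, so "Fix syntax" only fixes the string concatenation. Replace both `_YELLOW(` with `_YELLOW_(` on that line. As a point of style, the accepted values would also be visible in the usage line if the empty third argument (argtable's datatype slot) carried a hint such as `"<fc|cn>"` instead of burying them in the description. The argtable initializer and CmdHIDBrute continue outside this hunk.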