github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-21 22:03:42 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #1928 from cha0tic87/master

Browse source 
Adding bruteforcing functionality to HID facility code
This commit is contained in:
Iceman 2023-03-04 19:17:31 +01:00 committed by GitHub
commit 5cf0bf7620
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 77 additions and 51 deletions
Download patch file Download diff file Expand all files Collapse all files

126
client/src/cmdlfhid.c Normal file → Executable file
View file

@ -475,26 +475,27 @@ static int CmdHIDClone(const char *Cmd) {
static int CmdHIDBrute(const char *Cmd) { static int CmdHIDBrute(const char *Cmd) {
CLIParserContext *ctx; CLIParserContext *ctx;
CLIParserInit(&ctx, "lf hid brute", CLIParserInit(&ctx, "lf hid brute",
"Enables bruteforce of HID readers with specified facility code.\n" "Enables bruteforce of HID readers with specified facility code or card number. This is an attack against the reader.\n"
"This is a attack against reader. if cardnumber is given, it starts with it and goes up / down one step\n" "If the field being bruteforced is provided, it starts with it and goes up / down one step while maintaining other supplied values.\n"
"if cardnumber is not given, it starts with 1 and goes up to 65535", "If the field being bruteforced is not provided, it will iterate through the full range while maintaining other supplied values.",
"lf hid brute -w H10301 --fc 224\n" "lf hid brute -w H10301 --field fc --fc 224 --cn 6278\n"
"lf hid brute -w H10301 --fc 21 -d 2000\n" "lf hid brute -w H10301 --field cn --fc 21 -d 2000\n"
"lf hid brute -v -w H10301 --fc 21 --cn 200 -d 2000\n" "lf hid brute -v -w H10301 --field cn --fc 21 --cn 200 -d 2000\n"
"lf hid brute -v -w H10301 --fc 21 --cn 200 -d 2000 --up\n" "lf hid brute -v -w H10301 --field fc --fc 21 --cn 200 -d 2000 --up\n"
); );
void *argtable[] = { void *argtable[] = {
arg_param_begin, arg_param_begin,
arg_lit0("v", "verbose", "verbose output"), arg_lit0("v", "verbose", "verbose output"),
arg_str1("w", "wiegand", "<format>", "see " _YELLOW_("`wiegand list`") " for available formats"), arg_str1("w", "wiegand", "<format>", "see " _YELLOW_("`wiegand list`") " for available formats"),
arg_u64_0(NULL, "fc", "<dec>", "facility code"), arg_str1(NULL, "field", "<str>", "field to bruteforce. can be " _YELLOW("`fc`") " for facility code, or " _YELLOW("`cn`") " for card number"),
arg_u64_0(NULL, "cn", "<dec>", "card number to start with"), arg_u64_0(NULL, "fc", "<dec>", "facility code"),
arg_u64_0("i", "issue", "<dec>", "issue level"), arg_u64_0(NULL, "cn", "<dec>", "card number"),
arg_u64_0("o", "oem", "<dec>", "OEM code"), arg_u64_0("i", "issue", "<dec>", "issue level"),
arg_u64_0("d", "delay", "<dec>", "delay betweens attempts in ms. Default 1000ms"), arg_u64_0("o", "oem", "<dec>", "OEM code"),
arg_lit0(NULL, "up", "direction to increment card number. (default is both directions)"), arg_u64_0("d", "delay", "<dec>", "delay betweens attempts in ms. (default is 1000)"),
arg_lit0(NULL, "down", "direction to decrement card number. (default is both directions)"), arg_lit0(NULL, "up", "direction to increment field value. (default is both directions)"),
arg_lit0(NULL, "down", "direction to decrement field value. (default is both directions)"),
arg_param_end arg_param_end
}; };
CLIExecWithReturn(ctx, Cmd, argtable, false); CLIExecWithReturn(ctx, Cmd, argtable, false);
@ -512,22 +513,26 @@ static int CmdHIDBrute(const char *Cmd) {
return PM3_EINVARG; return PM3_EINVARG;
} }
wiegand_card_t cn_hi, cn_low; wiegand_card_t card_hi, card_low;
memset(&cn_hi, 0, sizeof(wiegand_card_t)); memset(&card_hi, 0, sizeof(wiegand_card_t));
cn_hi.FacilityCode = arg_get_u32_def(ctx, 3, 0); char field[3] = {0};
cn_hi.CardNumber = arg_get_u32_def(ctx, 4, 0); int field_len = 0;
cn_hi.IssueLevel = arg_get_u32_def(ctx, 5, 0); CLIParamStrToBuf(arg_get_str(ctx, 3), (uint8_t *)field, sizeof(field), &field_len);
cn_hi.OEM = arg_get_u32_def(ctx, 6, 0);
uint32_t delay = arg_get_u32_def(ctx, 7, 1000); card_hi.FacilityCode = arg_get_u32_def(ctx, 4, 0);
card_hi.CardNumber = arg_get_u32_def(ctx, 5, 0);
card_hi.IssueLevel = arg_get_u32_def(ctx, 6, 0);
card_hi.OEM = arg_get_u32_def(ctx, 7, 0);
uint32_t delay = arg_get_u32_def(ctx, 8, 1000);
int direction = 0; int direction = 0;
if (arg_get_lit(ctx, 8) && arg_get_lit(ctx, 9)) { if (arg_get_lit(ctx, 9) && arg_get_lit(ctx, 10)) {
direction = 0; direction = 0;
} else if (arg_get_lit(ctx, 8)) {
direction = 1;
} else if (arg_get_lit(ctx, 9)) { } else if (arg_get_lit(ctx, 9)) {
direction = 1;
} else if (arg_get_lit(ctx, 10)) {
direction = 2; direction = 2;
} }
@ -535,34 +540,38 @@ static int CmdHIDBrute(const char *Cmd) {
if (verbose) { if (verbose) {
PrintAndLogEx(INFO, "Wiegand format... %i", format_idx); PrintAndLogEx(INFO, "Wiegand format... %i", format_idx);
PrintAndLogEx(INFO, "OEM.............. %u", cn_hi.OEM); PrintAndLogEx(INFO, "OEM.............. %u", card_hi.OEM);
PrintAndLogEx(INFO, "ISSUE............ %u", cn_hi.IssueLevel); PrintAndLogEx(INFO, "ISSUE............ %u", card_hi.IssueLevel);
PrintAndLogEx(INFO, "Facility code.... %u", cn_hi.FacilityCode); PrintAndLogEx(INFO, "Facility code.... %u", card_hi.FacilityCode);
PrintAndLogEx(INFO, "Card number...... %" PRIu64, cn_hi.CardNumber); PrintAndLogEx(INFO, "Card number...... %" PRIu64, card_hi.CardNumber);
PrintAndLogEx(INFO, "Delay............ " _YELLOW_("%d"), delay); PrintAndLogEx(INFO, "Delay............ " _YELLOW_("%d"), delay);
if (strcmp(field, "fc") == 0) {
PrintAndLogEx(INFO, "Field............ " _YELLOW_("fc"));
} else if (strcmp(field, "cn") == 0) {
PrintAndLogEx(INFO, "Field............ " _YELLOW_("cn"));
}
switch (direction) { switch (direction) {
case 0: case 0:
PrintAndLogEx(INFO, "Direction........ " _YELLOW_("BOTH")); PrintAndLogEx(INFO, "Direction........ " _YELLOW_("both"));
break; break;
case 1: case 1:
PrintAndLogEx(INFO, "Direction........ " _YELLOW_("UP")); PrintAndLogEx(INFO, "Direction........ " _YELLOW_("up"));
break; break;
case 2: case 2:
PrintAndLogEx(INFO, "Direction........ " _YELLOW_("DOWN")); PrintAndLogEx(INFO, "Direction........ " _YELLOW_("down"));
break; break;
default: default:
break; break;
} }
} }
PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "");
PrintAndLogEx(INFO, "Started brute-forcing HID Prox reader"); PrintAndLogEx(INFO, "Started bruteforcing HID Prox reader");
PrintAndLogEx(INFO, "Press " _GREEN_("<Enter>") " or pm3-button to abort simulation"); PrintAndLogEx(INFO, "Press " _GREEN_("<Enter>") " or pm3-button to abort simulation");
PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "");
// copy values to low. // copy values to low.
cn_low = cn_hi; card_low = card_hi;
// main loop // main loop
// iceman: could add options for bruteforcing OEM, ISSUE or FC as well..
bool exitloop = false; bool exitloop = false;
bool fin_hi, fin_low; bool fin_hi, fin_low;
fin_hi = fin_low = false; fin_hi = fin_low = false;
@ -579,26 +588,42 @@ static int CmdHIDBrute(const char *Cmd) {
} }
// do one up // do one up
if (direction != 2) { if (direction != 2 && fin_hi != true) {
if (cn_hi.CardNumber < 0xFFFF) { if (sendTry(format_idx, &card_hi, delay, verbose) != PM3_SUCCESS) {
if (sendTry(format_idx, &cn_hi, delay, verbose) != PM3_SUCCESS) { return PM3_ESOFT;
return PM3_ESOFT; }
if (strcmp(field, "fc") == 0) {
if (card_hi.FacilityCode < 0xFF) {
card_hi.FacilityCode++;
} else {
fin_hi = true;
}
} else if (strcmp(field, "cn") == 0) {
if (card_hi.CardNumber < 0xFFFF) {
card_hi.CardNumber++;
} else {
fin_hi = true;
} }
cn_hi.CardNumber++;
} else {
fin_hi = true;
} }
} }
// do one down // do one down
if (direction != 1) { if (direction != 1 && fin_low != true) {
if (cn_low.CardNumber > 0) { if (sendTry(format_idx, &card_low, delay, verbose) != PM3_SUCCESS) {
cn_low.CardNumber--; return PM3_ESOFT;
if (sendTry(format_idx, &cn_low, delay, verbose) != PM3_SUCCESS) { }
return PM3_ESOFT; if (strcmp(field, "fc") == 0) {
if (card_low.FacilityCode > 0) {
card_low.FacilityCode--;
} else {
fin_low = true;
}
} else if (strcmp(field, "cn") == 0) {
if (card_low.CardNumber > 0) {
card_low.CardNumber--;
} else {
fin_low = true;
} }
} else {
fin_low = true;
} }
} }
@ -620,7 +645,8 @@ static int CmdHIDBrute(const char *Cmd) {
} while (exitloop == false); } while (exitloop == false);
PrintAndLogEx(INFO, "Brute forcing finished"); PrintAndLogEx(NORMAL, "");
PrintAndLogEx(INFO, "Bruteforcing finished");
return PM3_SUCCESS; return PM3_SUCCESS;
} }
@ -630,7 +656,7 @@ static command_t CommandTable[] = {
{"reader", CmdHIDReader, IfPm3Lf, "attempt to read and extract tag data"}, {"reader", CmdHIDReader, IfPm3Lf, "attempt to read and extract tag data"},
{"clone", CmdHIDClone, IfPm3Lf, "clone HID tag to T55x7"}, {"clone", CmdHIDClone, IfPm3Lf, "clone HID tag to T55x7"},
{"sim", CmdHIDSim, IfPm3Lf, "simulate HID tag"}, {"sim", CmdHIDSim, IfPm3Lf, "simulate HID tag"},
{"brute", CmdHIDBrute, IfPm3Lf, "bruteforce card number against reader"}, {"brute", CmdHIDBrute, IfPm3Lf, "bruteforce facility code or card number against reader"},
{"watch", CmdHIDWatch, IfPm3Lf, "continuously watch for cards. Reader mode"}, {"watch", CmdHIDWatch, IfPm3Lf, "continuously watch for cards. Reader mode"},
{NULL, NULL, NULL, NULL} {NULL, NULL, NULL, NULL}
}; };