Merge pull request #1040 from will-caruana/master

More lists to brute foruce RFID cards

client/dictionaries/extras/iclass_other.dic

@@ -0,0 +1,79 @@
+0000000000000001
+0000000000000002
+0000000000000003
+0000000000000004
+0000000000000005
+0000000000000006
+0000000000000007
+0000000000000008
+0000000000000009
+000000000000000a
+000000000000000b
+000000000000000c
+000000000000000d
+000000000000000e
+000000000000000f
+1000000000000000
+2000000000000000
+3000000000000000
+4000000000000000
+5000000000000000
+6000000000000000
+7000000000000000
+8000000000000000
+9000000000000000
+A000000000000000
+B000000000000000
+C000000000000000
+D000000000000000
+E000000000000000
+F000000000000000
+aaaabbbbccccdddd
+1010101010101010
+0101010101010101
+1122334455667788
+2233445566778899
+33445566778899AA
+445566778899AABB
+5566778899AABBCC
+66778899AABBCCDD
+778899AABBCCDDEE
+8899AABBCCDDEEFF
+6969696969696969
+1212121212121212
+1234567887654321
+1111111122222222
+1313131313131313
+2000000020000000
+a0a1a2a3a4a5a6a7
+b0b1b2b3b4b5b6b7
+c0c1c2c3c4c5c6c7
+d0d1d2d3d4d5d6d7
+e0e1e2e3e4e5e6e7
+f0f1f2f3f4f5f6f7
+d3f7d3f7d3f7d3f7
+0102030405060708
+0001020304050607
+0f0e0d0c0b0a0908
+0123456789ABCDEF
+100f0e0d0c0b0a09
+4041424344454647
+3031323334353637
+605F5E5D5C5B5A59
+0000000000000000
+1111111111111111
+2222222222222222
+3333333333333333
+4444444444444444
+5555555555555555
+6666666666666666
+7777777777777777
+8888888888888888
+9999999999999999
+AAAAAAAAAAAAAAAA
+BBBBBBBBBBBBBBBB
+CCCCCCCCCCCCCCCC
+DDDDDDDDDDDDDDDD
+EEEEEEEEEEEEEEEE
+FFFFFFFFFFFFFFFF
+deadbeefdeadbeef

client/dictionaries/extras/readme.md

@@ -0,0 +1,67 @@
+These are text password lists that can be used to brute force RFID passwords. There are a lot better ways to find a password, but I haven't seen anyone talk about using normal password lists against RFID tags or publishing a list exclusively for this purpose.
+
+
+_byte_most_common_password.dic files are extracted from the top 10 million password list.
+
+_byte_words_uppercase files are extracted from a common English dictionary.
+
+Since most evidence (how ever small) shows that uppercase passwords are normally used with RFID these lists have been coverted to upper case added.
+
+Two sets for ascii numnber lists have also been in the event the password is an ascii number.
+
+
+**A better dictionary to use is:**
+
+https://github.com/RfidResearchGroup/proxmark3/tree/master/client/dictionaries
+
+These are shorter lists and known default keys. My lists are to be used after the dictionary lists have been exhausted, and after other possible attacks have failed.
+
+
+
+**Some examples on what my lists could be used for:**
+
+T55xx and the em4305 chips use a 4 character password
+
+Mifare Classic uses a 6 characters password (which will be added soon)
+
+iClass uses an 8 characters password
+
+Mifare Pluse uses a 16 characters password
+
+
+
+**Examples where my list could have helped find:**
+```
+50524F58 spells out PROX
+
+50415353 spells out PASS
+```
+These wouldn't be found in the most common password list, but they would be in the upercase dictionary. Again, the more efficent way to do this would have been to run the t55xx_default_pwds.dic from https://github.com/RfidResearchGroup/proxmark3/tree/master/client/dictionaries. If they had not published that great default password list, then we still would have been able to find these passwords without needing to try all possiblities which could take years.
+ 
+When looking at the Mifare Plus list in mfp_default_keys.dic, we see that there is some corresponding to ASCII with the passwords: 
+```
+404142434445464748494a4b4c4d4e4f = @ABCDEFGHIJKLMNO
+
+303132333435363738393a3b3c3d3e3f = 0123456789:;<=>?
+
+605F5E5D5C5B5A59605F5E5D5C5B5A59 = `_^]\[ZY`_^]\[ZY
+```
+Those would not appear in any of the above lists, but this just shows more evidence of an ASCII collocation.
+
+
+
+**iClass_Other.dic**
+
+When reviewing default passwords from other lists you start seeing common password schemes being using. For example:
+
+```
+a0a1a2a3a4a5 
+b0b1b2b3b4b5
+from mfc_default_keys.dic
+
+a0a1a2a3a4a5a6a7a0a1a2a3a4a5a6a7
+b0b1b2b3b4b5b6b7b0b1b2b3b4b5b6b7
+from mfp_default_keys.dic
+```
+
+As you can see there are some common themes in the above case its a0 then a1 ect. In these default password lists I took those themes and expanded them to fit the iClass key space. If you combine this with the other list https://github.com/RfidResearchGroup/proxmark3/blob/master/client/dictionaries/iclass_default_keys.dic It still only takes 1 second to run through all 86 keys.