Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2015-12-14 22:39:05

iceman

LF AWID BRUTEFORCE

I got a bit tired of things this evening, and added a bruteforce mode for the LF AWID commands.

It is a simple bruteforce, which takes a facility-code and iterates all possible 16-bit card numbers, which it sends to the device as a sim command (lf awid sim).

When aborted by the keyboard, it sends another USB command, which the loops on the device side should pick up and stop the current simulation.

However, I don't have an AWID reader to test it on.

[edit] Added delay, cardnumber parameter


pm3 --> lf awid
help             This help
fskdemod         Realtime AWID FSK demodulator
sim              AWID tag simulator
clone            Clone AWID to T55x7
brute            Bruteforce card number against reader

pm3 --> lf awid brute h
Enables bruteforce of AWID reader with specified facility-code.
This is a attack against reader. if cardnumber is given, it starts with it and goes up / down one step
if cardnumber is not given, it starts with 1 and goes up to 65535

Usage:  lf awid brute [h] a <format> f <facility-code> c <cardnumber> d <delay>
Options:
       h                 :  This help
       a <format>        :  format length 26|50
       f <facility-code> :  8|16bit value facility code
       c <cardnumber>    :  (optional) cardnumber to start with, max 65535
       d <delay>         :  delay betweens attempts in ms. Default 1000ms

Samples:
       lf awid brute a 26 f 224
       lf awid brute a 50 f 2001 d 2000
       lf awid brute a 50 f 2001 c 200 d 2000
pm3 --> lf aw bru a 26 f 245
Bruteforceing AWID26
Press pm3-button to abort simulation or run another command
Trying FC: 245; CN: 1
#db# Simulating with fcHigh: 10, fcLow: 8, clk: 50, invert: 0, n: 4794
Trying FC: 245; CN: 2
#db# Stopped
#db# Simulating with fcHigh: 10, fcLow: 8, clk: 50, invert: 0, n: 4794
Trying FC: 245; CN: 3
Trying FC: 245; CN: 4
#db# Stopped
#db# Simulating with fcHigh: 10, fcLow: 8, clk: 50, invert: 0, n: 4794
Trying FC: 245; CN: 5
#db# Stopped
#db# Simulating with fcHigh: 10, fcLow: 8, clk: 50, invert: 0, n: 4798
Trying FC: 245; CN: 6
#db# Stopped
#db# Simulating with fcHigh: 10, fcLow: 8, clk: 50, invert: 0, n: 4798
Trying FC: 245; CN: 7
#db# Stopped
#db# Simulating with fcHigh: 10, fcLow: 8, clk: 50, invert: 0, n: 4798
Trying FC: 245; CN: 8
#db# Stopped
#db# Simulating with fcHigh: 10, fcLow: 8, clk: 50, invert: 0, n: 4794
Trying FC: 245; CN: 9
#db# Stopped
#db# Simulating with fcHigh: 10, fcLow: 8, clk: 50, invert: 0, n: 4794
Trying FC: 245; CN: 10
#db# Stopped
#db# Simulating with fcHigh: 10, fcLow: 8, clk: 50, invert: 0, n: 4794

Last edited by iceman (2015-12-14 22:44:56)


#2 2015-12-15 15:30:28

Danz

Re: LF AWID BRUTEFORCE

Great work, I will test it out if I get my hands on an AWID access system :D


#3 2016-08-09 08:34:05

iceman

Re: LF AWID BRUTEFORCE

Some chats with @crayon yesterday brought up the suggestion of adding a variable delay instead of the fixed 1 second.
The command also had a bug with parsing; the stringlen check was too strict :)

I'm still having problems with the device side; it doesn't receive all new sim commands, nor the ping command to cancel inside the loop, ref: https://github.com/iceman1001/proxmark3 … ops.c#L401

Suggestions on how to fix it would be appreciated.

Also added the possibility to give a cardnumber; if given, the loop uses it and starts checking one up/down until it reaches 0 and 65535.

Offline
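
Seen from the reader side, the brute mode discussed in this thread shows up as reads with one fixed facility code whose card numbers form a gap-free range that grows by one at either end, spaced by the chosen delay. The sketch below is an added example, not part of the original posts or of the Proxmark3 code, and flags that pattern in an access-control log; the log format, the thresholds and the names `find_sweeps` and `sample_log` are assumptions, as is the premise that an up/down run tries the given card number first.

```python
import re
from datetime import datetime, timedelta

# Constructed log format (an assumption, not a real reader's output):
#   <ISO time> reader=<id> fc=<facility code> cn=<card number> result=GRANTED|DENIED
LINE_RE = re.compile(r"(\S+) reader=(\S+) fc=(\d+) cn=(\d+) result=(GRANTED|DENIED)")

def find_sweeps(lines, min_cards=5, max_gap=timedelta(seconds=10)):
    """Return [(reader, fc, lowest_cn, highest_cn, any_granted)] for suspected sweeps."""
    runs, alerts = {}, []

    def close(key):
        run = runs.pop(key, None)
        if run and run["hi"] - run["lo"] + 1 >= min_cards:
            alerts.append((*key, run["lo"], run["hi"], run["hit"]))

    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, key = datetime.fromisoformat(m[1]), (m[2], int(m[3]))
        cn, granted = int(m[4]), m[5] == "GRANTED"
        run = runs.get(key)
        # In-run: arrives soon after the previous attempt and repeats or extends
        # the contiguous range by one at either end (covers up and up/down order).
        if run and ts - run["last"] <= max_gap and run["lo"] - 1 <= cn <= run["hi"] + 1:
            run["lo"], run["hi"] = min(run["lo"], cn), max(run["hi"], cn)
            run["last"], run["hit"] = ts, run["hit"] or granted
        elif not granted:
            close(key)  # unrelated denied read: finish the old run, start a new one
            runs[key] = {"lo": cn, "hi": cn, "last": ts, "hit": False}
        # A granted read outside the range is an ordinary badge and is ignored.
    for key in list(runs):
        close(key)
    return alerts

def sample_log():
    """Constructed sample: up/down sweep around CN 200 on fc=2001, plus normal traffic."""
    t0 = datetime(2016, 8, 9, 8, 0, 0)
    rows = [(0, 2001, 200, "DENIED"), (2, 2001, 201, "DENIED"), (3, 224, 4711, "GRANTED"),
            (4, 2001, 199, "DENIED"), (6, 2001, 202, "GRANTED"), (8, 2001, 198, "DENIED"),
            (10, 2001, 203, "DENIED"), (300, 224, 9000, "DENIED"), (900, 224, 12, "DENIED")]
    return [f"{(t0 + timedelta(seconds=s)).isoformat()} reader=door1 fc={fc} cn={cn} result={r}"
            for s, fc, cn, r in rows]

if __name__ == "__main__":
    for alert in find_sweeps(sample_log()):
        print(alert)
```

The `any_granted` field marks a run in which one of the swept numbers was accepted, which is the case that needs a response first.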
