Quantcast
Viewing all articles
Browse latest Browse all 5854

THC-SmartBrute - Finds undocumented and secret commands implemented in a smartcard


This tool finds undocumented and secret commands implemented in a smartcard. An instruction is divided into Class (CLA), Instruction-Number (INS) and the parameters or arguments P1, P2, P3. THC-SMARTBRUTE iterates through all the possible values of CLA and INS to find a valid combination.

Furthermore it tries to find out what parameters are valid for a given class and instruction number.

Requirements

You need a PC/SC compatible smartcard reader that is supported by the PCSC-LITE library.
A list of supported devices can be found here
THC-SMARTBRUTE was developped with the XXX smartcard reader.

Command line arguments
--verbose
prints a lot of debugging messages to stderr *FIXME*
--undoconly
only prints found instruction if its not element of the standard
instruction list
--fastresults
before iterating through all possible combinates of class and
instruction-number typical class/instruction-values are verified for
availability.
After that the classes 0x00, 0x80 and 0xA0 (GSM) are tried first.
--help
prints out the usage
--chv1 pin1
a VERIFY CHV1 instruction with pin1 as argument is executed
--chv2 pin2
a VERIFY CHV2 instruction with pin2 as argument is executed

--brutep1p2
finds valid parameter p1 and p2 combinations for the instruction
the user defined with --cla and --ins .
For parameter p1 the value 0x00 is assumed.

--brutep3
find valid p3 values for given --cla, --ins, --p1 and --p2

--cla CLASS
sets the instruction class to CLASS
--ins INS
sets the instruction-number to INS
--p1 P1
sets parameter p1 to P1
--p2 P2
sets parameter p2 to P2
--p3 P3
sets parameter p3 to P3

Examples
1. ~$ ./thc-smartbrute
run thcsmartbrute without any arguments to brute force for valid instructions
2. ~$ ./thc-smartbrute --undoconly
find valid instructions but only print out non-standard instructions

3. ~$ ./thc-smartbrute --cla 0xA0 --ins 0xA4 --brutep1p2
find the first two arguments for the GSM instruction SELECT FILE

4. ~$ ./thc-smartbrute --cla 0xA0 --ins 0xA4 --p1 0x00 --p2 0x00 --brutep3
find the 3rd argument for the already found first two arguments
for the GSM instruction SELECT FILE


Image may be NSFW.
Clik here to view.

Viewing all articles
Browse latest Browse all 5854

Trending Articles