THC-SmartBrute - Finds Undocumented and Secret Commands Implemented In a Smart Card

THC-SmartBrute - Finds Undocumented and Secret Commands Implemented In a Smart Card

THC-SmartBrute is a tool for finding undocumented and secret commands implemented in a smart card.

An instruction is divided into Class (CLA), Instruction-Number (INS) and the parameters or arguments P1, P2, P3. THC-SMARTBRUTE iterates through all the possible values of CLA and INS to find a valid combination.

Furthermore, it tries to find out what parameters are valid for a given class and instruction number.

Requirements:

  • You need a PC/SC compatible smart card reader that is supported by the PCSC-LITE library.
A list of supported devices can be found on the following page:

Compiling

Install the PCSC-LITE library first (Download)
Edit Makefile to your needs and run make.
~$ ./configure
~$ make
~$ make install

Usage:

./thcsmartbrute [Options]

--verbose
        prints a lot of debugging messages to stderr *FIXME*
--undoconly
        only prints found instruction if its not element of the standard
        instruction list
--fastresults
        before iterating through all possible combinates of class and
        instruction-number typical class/instruction-values are verified for
        availability.
        After that the classes 0x00, 0x80 and 0xA0 (GSM) are tried first.
simmode 
        work in sim mode
tmode mode 
        sets the transfer mode to T0 or T1
skipcriticalk 
        skip potential critical smartcard instructions
--help
        prints out the usage
--chv1 pin1
        a VERIFY CHV1 instruction with pin1 as argument is executed
--chv2 pin2
        a VERIFY CHV2 instruction with pin2 as argument is executed

--brutep1p2
        finds valid parameter p1 and p2 combinations for the instruction
        the user defined with --cla and --ins .
        For parameter p1 the value 0x00 is assumed.

--brutep3
        find valid p3 values for given --cla, --ins, --p1 and --p2

--cla CLASS
        sets the instruction class to CLASS
--ins INS
        sets the instruction-number to INS
--p1 P1
        sets parameter p1 to P1
--p2 P2
        sets parameter p2 to P2
--p3 P3
        sets parameter p3 to P3

Examples:

~$ ./thc-smartbrute
        run thcsmartbrute without any arguments to brute force for valid instructions
~$ ./thc-smartbrute --undoconly
        find valid instructions but only print out non-standard instructions
~$ ./thc-smartbrute --cla 0xA0 --ins 0xA4 --brutep1p2
        find the first two arguments for the GSM instruction SELECT FILE
~$ ./thc-smartbrute --cla 0xA0 --ins 0xA4 --p1 0x00 --p2 0x00 --brutep3
        find the 3rd argument for the already found first two arguments for the GSM instruction                SELECT FILE


Google Chrome may block the download (it is false positive).

No comments

Powered by Blogger.