THC-SmartBrute - Finds Undocumented and Secret Commands Implemented In a Smart Card
An instruction is divided into Class (CLA), Instruction-Number (INS) and the parameters or arguments P1, P2, P3. THC-SMARTBRUTE iterates through all the possible values of CLA and INS to find a valid combination.
Furthermore, it tries to find out what parameters are valid for a given class and instruction number.
Requirements:
- You need a PC/SC compatible smart card reader that is supported by the PCSC-LITE library.
Compiling
Install the PCSC-LITE library first.
Edit the Makefile to your needs and run make:
~$ ./configure
~$ make
~$ make install
Usage:
./thcsmartbrute [Options]
--verbose
prints a lot of debugging messages to stderr *FIXME*
--undoconly
only prints a found instruction if it is not an element of the standard instruction list
--fastresults
before iterating through all possible combinations of class and instruction-number, typical class/instruction values are checked for availability. After that the classes 0x00, 0x80 and 0xA0 (GSM) are tried first.
--simmode
work in SIM mode
--tmode mode
sets the transfer mode to T0 or T1
--skipcritical
skip potentially critical smartcard instructions
--help
prints out the usage
--chv1 pin1
a VERIFY CHV1 instruction with pin1 as argument is executed
--chv2 pin2
a VERIFY CHV2 instruction with pin2 as argument is executed
--brutep1p2
finds valid parameter p1 and p2 combinations for the instruction the user defined with --cla and --ins. For parameter p1 the value 0x00 is assumed.
--brutep3
finds valid p3 values for the given --cla, --ins, --p1 and --p2
--cla CLASS
sets the instruction class to CLASS
--ins INS
sets the instruction-number to INS
--p1 P1
sets parameter p1 to P1
--p2 P2
sets parameter p2 to P2
--p3 P3
sets parameter p3 to P3
Examples:
~$ ./thc-smartbrute
run thcsmartbrute without any arguments to brute force for valid instructions
~$ ./thc-smartbrute --undoconly
find valid instructions but only print out non-standard instructions
~$ ./thc-smartbrute --cla 0xA0 --ins 0xA4 --brutep1p2
find the first two arguments for the GSM instruction SELECT FILE
~$ ./thc-smartbrute --cla 0xA0 --ins 0xA4 --p1 0x00 --p2 0x00 --brutep3
find the 3rd argument for the already found first two arguments for the GSM instruction SELECT FILE
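What makes the CLA/INS enumeration described at the top of this page (and the --brutep1p2 sweep) work is that an ISO/IEC 7816-4 card answers every command with a two-byte status word, and the standard status words distinguish "class not supported" (6E00) from "instruction not supported" (6D00) from "I know this instruction but the parameters/length/security state are wrong". The following is an added example, not THC-SmartBrute's code: it encodes APDUs, interprets the status words, and runs the enumeration and the P1/P2 sweep against a constructed mock card so it runs offline. The mock card, its command set and the "undocumented" INS 0x2E under CLA 0x80 are inventions for the demo; the only real identifiers are the ISO status words and the rules on reserved CLA/INS values. It generalises the page's --brutep1p2 slightly by letting you sweep P1 as well as P2.

```python
# Added example, not THC-SmartBrute's own code.  It shows the APDU encoding and
# the ISO/IEC 7816-4 status-word interpretation behind CLA/INS enumeration, run
# against a constructed mock card so it works offline.  Replace mock_transmit()
# with a real PC/SC transmit (e.g. pyscard's CardConnection.transmit) for hardware.
from typing import Callable, Dict, List, Optional, Tuple

# ISO/IEC 7816-4 status words that an enumerator keys on.
SW_OK = 0x9000
SW_INCORRECT_P1P2 = 0x6A86      # CLA and INS accepted, parameters rejected
SW_INS_NOT_SUPPORTED = 0x6D00   # CLA accepted, INS unknown
SW_CLA_NOT_SUPPORTED = 0x6E00   # CLA itself rejected

Transmit = Callable[[bytes], bytes]

def build_apdu(cla: int, ins: int, p1: int, p2: int,
               p3: Optional[int] = None, data: bytes = b"") -> bytes:
    """Encode a T=0 style command: CLA INS P1 P2 [P3 [data]]."""
    for v in (cla, ins, p1, p2):
        if not 0 <= v <= 0xFF:
            raise ValueError("CLA/INS/P1/P2 are single bytes")
    header = bytes([cla, ins, p1, p2])
    if p3 is None:
        return header                      # case 1: header only
    if data and len(data) != p3:
        raise ValueError("P3 must equal the length of the command data")
    return header + bytes([p3]) + data     # case 2 (P3 = Le) or case 3 (P3 = Lc)

def parse_response(resp: bytes) -> Tuple[bytes, int]:
    """Split a response into (data, SW1SW2)."""
    if len(resp) < 2:
        raise ValueError("response shorter than the two status bytes")
    return resp[:-2], (resp[-2] << 8) | resp[-1]

def classify(sw: int) -> str:
    """What a status word reveals about the CLA/INS pair that produced it."""
    if sw == SW_CLA_NOT_SUPPORTED:
        return "cla-unsupported"
    if sw == SW_INS_NOT_SUPPORTED:
        return "ins-unsupported"
    if sw == SW_OK or (sw >> 8) == 0x61:   # 61xx: OK, more data available
        return "accepted"
    # Anything else (6700, 6A86, 6982, ...) means the card understood CLA and
    # INS and only rejected the length, the parameters or the security state:
    # the instruction exists, which is exactly what an enumerator wants to know.
    return "ins-exists"

def enumerate_instructions(transmit: Transmit, classes=range(0x100),
                           skip_ins=frozenset()) -> Dict[int, List[int]]:
    """Return {cla: [ins, ...]} for every instruction the card recognises."""
    found: Dict[int, List[int]] = {}
    for cla in classes:
        if cla == 0xFF:            # reserved for protocol selection, never a command class
            continue
        for ins in range(0x100):
            if (ins & 0xF0) in (0x60, 0x90) or ins in skip_ins:
                continue           # 6X/9X INS values are invalid under T=0
            _, sw = parse_response(transmit(build_apdu(cla, ins, 0x00, 0x00)))
            verdict = classify(sw)
            if verdict == "cla-unsupported":
                break              # whole class rejected; skip its remaining INS values
            if verdict != "ins-unsupported":
                found.setdefault(cla, []).append(ins)
    return found

def find_valid_params(transmit: Transmit, cla: int, ins: int,
                      p1_values=(0x00,)) -> List[Tuple[int, int]]:
    """For a known CLA/INS, return the (P1, P2) pairs the card accepts.  By
    default P1 is held at 0x00 and only P2 is swept, as --brutep1p2 does;
    pass p1_values=range(0x100) to sweep both bytes."""
    accepted = []
    for p1 in p1_values:
        for p2 in range(0x100):
            _, sw = parse_response(transmit(build_apdu(cla, ins, p1, p2)))
            if classify(sw) == "accepted":
                accepted.append((p1, p2))
    return accepted

# Constructed mock card (no real product): CLA 00 with SELECT (A4) and READ
# BINARY (B0), plus a hypothetical undocumented INS 2E under CLA 80.
_MOCK_CARD = {0x00: {0xA4, 0xB0}, 0x80: {0x2E}}

def mock_transmit(apdu: bytes) -> bytes:
    cla, ins, p1, p2 = apdu[:4]
    if cla not in _MOCK_CARD:
        return SW_CLA_NOT_SUPPORTED.to_bytes(2, "big")
    if ins not in _MOCK_CARD[cla]:
        return SW_INS_NOT_SUPPORTED.to_bytes(2, "big")
    if ins == 0xA4 and (p1, p2) not in {(0x00, 0x00), (0x04, 0x00)}:
        return SW_INCORRECT_P1P2.to_bytes(2, "big")
    return SW_OK.to_bytes(2, "big")

if __name__ == "__main__":
    for cla, instructions in enumerate_instructions(mock_transmit).items():
        print(f"CLA {cla:02X}: " + " ".join(f"{i:02X}" for i in instructions))
    print("SELECT P1/P2:", find_valid_params(mock_transmit, 0x00, 0xA4, range(0x100)))
```

The skip_ins parameter plays the role of the page's --skipcritical option: an operator-supplied set of instruction numbers that are never sent. Note that the enumerator treats every status word other than 6D00 and 6E00 as evidence that the instruction exists, so a card that returns, say, 6982 (security status not satisfied) for a command still reveals that the command is implemented; that is the property a card developer should keep in mind when reviewing which commands an applet's dispatcher acknowledges.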
Source: Effect Hacking (full article at the original post)