THC-SmartBrute - Finds undocumented and secret commands implemented in a smartcard

This tool finds undocumented and secret commands implemented in a smartcard. An instruction is divided into Class (CLA), Instruction-Number (INS) and the parameters or arguments P1, P2, P3. THC-SMARTBRUTE iterates through all the possible values of CLA and INS to find a valid combination.

Furthermore it tries to find out what parameters are valid for a given class and instruction number.

Requirements

You need a PC/SC compatible smartcard reader that is supported by the PCSC-LITE library.

A list of supported devices can be found here

THC-SMARTBRUTE was developped with the XXX smartcard reader.

Command line arguments

--verbose
        prints a lot of debugging messages to stderr *FIXME*
--undoconly
        only prints found instruction if its not element of the standard
        instruction list
--fastresults
        before iterating through all possible combinates of class and
        instruction-number typical class/instruction-values are verified for
        availability.
        After that the classes 0x00, 0x80 and 0xA0 (GSM) are tried first.
--help
        prints out the usage
--chv1 pin1
        a VERIFY CHV1 instruction with pin1 as argument is executed
--chv2 pin2
        a VERIFY CHV2 instruction with pin2 as argument is executed

--brutep1p2
        finds valid parameter p1 and p2 combinations for the instruction
        the user defined with --cla and --ins .
        For parameter p1 the value 0x00 is assumed.

--brutep3
        find valid p3 values for given --cla, --ins, --p1 and --p2

--cla CLASS
        sets the instruction class to CLASS
--ins INS
        sets the instruction-number to INS
--p1 P1
        sets parameter p1 to P1
--p2 P2
        sets parameter p2 to P2
--p3 P3
        sets parameter p3 to P3

Examples

1. ~$ ./thc-smartbrute
        run thcsmartbrute without any arguments to brute force for valid instructions
2. ~$ ./thc-smartbrute --undoconly
        find valid instructions but only print out non-standard instructions

3. ~$ ./thc-smartbrute --cla 0xA0 --ins 0xA4 --brutep1p2
        find the first two arguments for the GSM instruction SELECT FILE

4. ~$ ./thc-smartbrute --cla 0xA0 --ins 0xA4 --p1 0x00 --p2 0x00 --brutep3
        find the 3rd argument for the already found first two arguments 
        for the GSM instruction SELECT FILE

Download THC-SmartBrute

Read More

[THC-Hydra v7.6] Fast Parallel Network Logon Cracker

 Hydra is a parallelized network logon cracker which supports numerous protocols to attack, new modules are easy to add, beside that, it is flexible and very fast.

Features

• IPv6 Support
• Graphic User Interface
• Internationalized support (RFC 4013)
• HTTP proxy support
• SOCKS proxy support

The tool supports the following protocols:

Samba, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more.

Release 7.6
* Added a wizard script for hydra based on a script by Shivang Desai <shivang.ice.2010@gmail.com>
* Added module for Siemens S7-300 (submitted by Alexander Timorin and Sergey Gordeychik, thanks!)
* HTTP HEAD/GET: MD5 digest auth was not working, fixed (thanks to Paul Kenyon)
* SMTP Enum: HELO is now always sent, better 500 error detection
* hydra main:
   - fixed a bug in the IPv6 address parsing when a port was supplied
   - added info message for pop3, imap and smtp protocol usage
* hydra GTK: missed some services, added
* dpl4hydra.sh:
   - added Siemens S7-300 common passwords to default password list
   - more broad searching in the list
* Performed code indention on all C files :-)
* Makefile patch to ensure .../etc directory is there (thanks to vonnyfly)

Download THC-Hydra v7.6

Read More

[THC-Hydra v7.5] Fast network logon cracker

CHANGELOG for 7.5
===================

        * Moved the license from GPLv3 to AGPLv3 (see LICENSE file)
        * Added module for Asterisk Call Manager
        * Added support for Android where some functions are not available
        * hydra main:
           - reduced the screen output if run without -h, full screen with -h
           - fix for ipv6 and port parsing with service://[ipv6address]:port/OPTIONS
           - fixed -o output (thanks to www417)
           - warning if HYDRA_PROXY is defined but the module does not use it
           - fixed an issue with large input files and long entries

        * hydra library:
           - SSL connections are now fixed to SSLv3 as some SSL servers fail otherwise, report if this gives you problems
           - removed support for old OPENSSL libraries
        * HTTP Form module:
           - login and password values are now encoded if special characters are present
           - ^USER^ and ^PASS^ are now also supported in H= header values
           - if you the colon as a value in your option string, you can now escape it with \: - but do not encode a \ with \\
        * Mysql module: protocol 10 is now supported
        * SMTP, POP3, IMAP modules: Disabled the TLS in default. TLS must now be defined as an option "TLS" if required. This increases performance.
        * Cisco module: fixed a small bug (thanks to Vitaly McLain)
        * Postgres module: libraries on Cygwin are buggy at the moment, module is therefore disabled on Cygwin

 You can also take a look at the full CHANGES file

Download THC-Hydra v7.5

1. The source code of state-of-the-art Hydra: hydra-7.5.tar.gz
    (compiles on all UNIX based platforms - even MacOS X, Cygwin on Windows, ARM-Linux, Android, etc.)

 2. The source code of the stable tree of Hydra ONLY in case v7 gives you problems on unusual and old platforms: hydra-5.9.1-src.tar.gz

 3. The Win32/Cywin binary release: --- not anymore ---
    Install cygwin from http://www.cygwin.com  and compile it yourself. If you do not have cygwin installed - how do you think you will do proper securiy testing? duh ...

Read More