{"id":231,"date":"2014-09-25T23:03:51","date_gmt":"2014-09-25T16:03:51","guid":{"rendered":"http:\/\/sybond.web.id\/blog\/?p=231"},"modified":"2015-02-23T13:12:21","modified_gmt":"2015-02-23T06:12:21","slug":"bruteforce-apdu-select-using-lua-script","status":"publish","type":"post","link":"https:\/\/sybond.web.id\/blog\/2014\/09\/25\/bruteforce-apdu-select-using-lua-script\/","title":{"rendered":"Bruteforce APDU SELECT using Cardpeek + Lua script"},"content":{"rendered":"

After a couple of hours trying to find free smartcard app on my tinkering time, finally I found this Cardpeek<\/a>. Simple yet light smartcard reader app.<\/p>\n

My objective is\u00a0to create simple APDU<\/a> “bruteforce” to the smart card by iterate some EF<\/a> values using standards APDU SELECT<\/a>.\u00a0By bruteforce means that the SELECT command is sent to the smartcard for any possible EF value.<\/p>\n

Finding this Cardpeek app + powered with Lua<\/a> script is enough for me. For now.<\/p>\n

The bruteforcing idea is to\u00a0create iteration of EF value using 2 bytes length, this assumed the smartcard is having 2 bytes EF structures. With this iterations hopefully some approved response (SW1-SW2 = 0x9000) is given by the smartcard, and do further exploit using known approved EF.<\/p>\n

Following is the Lua script I created to bruteforce SELECT APDU (or you can download directly here<\/a>):<\/p>\n

if card.connect() then\r\n\tCRoot=card.tree_startup(\"Processing Bruteforce..\")\r\n\tlog.print(log.INFO,\"Brute force SELECT start\")\r\n\tfor i=0x0000,0xFFFF,1 do\r\n\t\tcmd=bytes.new(8,0x00,0xA4,0x00,0x00,0x02,bit.SHR(i,8),bit.AND(i,0xFF))\r\n\t\tsw, resp = card.send(cmd)\r\n\t\tif (sw==0x9000) then\r\n\t\t\t-- Approved response on SELECT\t\t\t\r\n\t\t\tAPVnod=nodes.append(CRoot, {classname=\"record\",label=\"Approved CAPDU\",val=cmd})\r\n\t\t\tnodes.append(APVnod, {classname=\"item\",label=\"Received RAPDU data\",val=bytes.format(resp,\"%D\")})\r\n\t\t\t-- Trying to send BINARY READ for first 8 bytes\r\n\t\t\tsw, resp = card.send(bytes.new(8, \"00 B0 00 00 08\"))\r\n\t\tend\r\n\tend\r\n\tlog.print(log.INFO,\"Brute force SELECT end\")\r\ncard.disconnect()\r\nend<\/pre>\n
And I tested the script using Commuter Line Kartu Multi Trip<\/a>\u00a0card, and here is some interesting responses from\u00a0the\u00a0card \u00a0\ud83d\ude00<\/p>\n
\"\"<\/p>\n","protected":false},"excerpt":{"rendered":"
After a couple of hours trying to find free smartcard app on my tinkering time, finally I found this Cardpeek. Simple yet light smartcard reader app. My objective is\u00a0to create simple APDU “bruteforce” to the smart card by iterate some EF values using standards APDU SELECT.\u00a0By bruteforce means that the SELECT command is sent to […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[78,8,10,11],"tags":[84,85,86],"_links":{"self":[{"href":"https:\/\/sybond.web.id\/blog\/wp-json\/wp\/v2\/posts\/231"}],"collection":[{"href":"https:\/\/sybond.web.id\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sybond.web.id\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sybond.web.id\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sybond.web.id\/blog\/wp-json\/wp\/v2\/comments?post=231"}],"version-history":[{"count":24,"href":"https:\/\/sybond.web.id\/blog\/wp-json\/wp\/v2\/posts\/231\/revisions"}],"predecessor-version":[{"id":308,"href":"https:\/\/sybond.web.id\/blog\/wp-json\/wp\/v2\/posts\/231\/revisions\/308"}],"wp:attachment":[{"href":"https:\/\/sybond.web.id\/blog\/wp-json\/wp\/v2\/media?parent=231"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sybond.web.id\/blog\/wp-json\/wp\/v2\/categories?post=231"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sybond.web.id\/blog\/wp-json\/wp\/v2\/tags?post=231"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}