def handle_usim_fakehss(options, rand_bin):
    """Derive OPc from a hard-coded OP and K, then print them with the card IMSI.

    options  -- parsed command-line options; only ``options.debug`` is read.
    rand_bin -- challenge value; when None a fixed 16-byte pattern is used.

    NOTE(review): K and OP below are all-zero constants embedded in the
    source, and K, OP and OPc are written to stdout. That is only
    appropriate for lab cards; key material for real subscribers should come
    from protected storage and stay out of terminal scrollback and logs.
    """
    u = USIM(options.debug)
    # NOTE(review): a freshly constructed object is normally truthy, so this
    # check only fires if USIM defines its own truth test -- confirm.
    if not u:
        print "Error opening USIM"
        exit(1)
    if options.debug:
        u.dbg = 2
    if rand_bin == None:
        # fixed default challenge, not a random one
        rand_bin = stringToByte("00112233445566778899aabbccddeeff")
    # All-zero IV: with a single 16-byte input, CBC then yields the same
    # block as one plain AES encryption (assumes OP decodes to 16 bytes).
    IV = 16 * '\x00'
    OP_bin = stringToByte("00000000000000000000000000000000") # Operator Key
    KI_bin = stringToByte("00000000000000000000000000000000") # K
    # NOTE(review): SQN_bin is not read anywhere in the visible part of this function.
    SQN_bin= stringToByte("000023403500") # SQN 591410432
    # AMF ??
    # alternative values the author left commented out:
    #"7D3D6804DB5480003F7A47FB35FA7285"
    #"808182888485868788898A8B8C8D8E8F" K
    #"97A167DED889B6DFA92D985D77E5C088" OP
    # calculate OPc
    KI = binascii.unhexlify(byteToString(KI_bin))
    aesCrypt = AES.new(KI, mode=AES.MODE_CBC, IV=IV)
    data = binascii.unhexlify(byteToString(OP_bin))
    # OPc = AES_K(OP) xor OP
    OPc = xor_strings(data, aesCrypt.encrypt(data))
    OPc_bin = stringToByte(OPc)
    # key material goes to stdout here (see the note in the docstring)
    print "OP: \t%s" % b2a_hex(OP_bin)
    print "KI: \t%s" % b2a_hex(KI_bin)
    print "OPc:\t%s" % b2a_hex(OPc_bin)
    imsi = u.get_imsi()
    print "USIM card with IMSI %s" % imsi
    # NOTE(review): the label says AUTS but the value printed is rand_bin -- confirm.
    print "AUTS:\t%s" % b2a_hex(rand_bin)
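def test_authentication(self):
    """Self-test the programmed card with one Milenage 3G authentication.

    Builds an authentication vector from self.K and a fixed dummy RAND,
    sends RAND/AUTN to the card and compares the answer with the locally
    computed XRES, CK and IK.

    Returns 0 when the card answered with RES, CK, IK(, Kc) and 1 when
    authenticate() failed, the answer has an unexpected length, or the
    attempt budget (self._auth > 2) is used up. After a synchronisation
    failure the card's SQN is recovered from AUTS and the test is retried.
    """
    if self._auth > 2:
        return 1
    #
    # prepare dummy 128 bits auth challenge (fixed value, fine for a self-test)
    if not hasattr(self, 'RAND'):
        self.RAND = 16*b'\x44'
    if not hasattr(self, 'SQN'):
        # default SQN is 0, coded on 48 bits
        self.SQN = 0
    # management field, unneeded, left blank
    AMF = b'\0\0'
    #
    # compute Milenage functions
    XRES, CK, IK, AK = self.Milenage.f2345(self.K, self.RAND)
    MAC_A = self.Milenage.f1(self.K, self.RAND, sqn_to_str(self.SQN), AMF)
    # AUTN = (SQN xor AK) || AMF || MAC-A
    AUTN = xor_buf(sqn_to_str(self.SQN), AK) + AMF + MAC_A
    #
    # run auth data on the USIM
    self.U = USIM()
    ret = self.U.authenticate(stringToByte(self.RAND), stringToByte(AUTN), '3G')
    self.U.disconnect()
    self._auth += 1
    #
    # check results
    if ret is None:
        print('[-] authenticate() failed, something wrong happened')
        del self.RAND
        return 1
    #
    if len(ret) == 1:
        # single element: AUTS, i.e. the card rejected our SQN
        print('[-] sync failure during authenticate() with SQN %i, unmasking counter' % self.SQN)
        auts = byteToString(ret[0])
        ak = self.Milenage.f5star(self.K, self.RAND)
        # the first 6 bytes of AUTS carry the card's SQN masked with f5*
        self.SQN = str_to_sqn(xor_buf(auts, ak)[:6])
        print('[+] SQN counter value in USIM: %i' % self.SQN)
        # presumably steps over the low 5 bits of the counter -- TODO confirm
        self.SQN += 1<<5
        print('[+] retrying authenticate() with SQN: %i' % self.SQN)
        del self.RAND
        return self.test_authentication()
    #
    if len(ret) in (3, 4):
        # RES, CK, IK(, Kc)
        # list() keeps the comparison meaningful where map() returns an
        # iterator, which never compares equal to a list
        expected = list(map(stringToByte, [XRES, CK, IK]))
        if ret[0:3] == expected:
            print('[+] 3G auth successful with SQN: %i\nincrement it from now' % self.SQN)
            # NOTE(review): prints the long-term secrets K and OPc on
            # stdout; keep this output out of shared logs.
            print('[+] USIM secrets:\nOPc: %s\nK: %s' % (hexlify(self.OPc), hexlify(self.K)))
        else:
            print('[-] 3G auth accepted on the USIM, but not matching auth vector generated: strange!')
            print('card returned:\n%s' % ret)
        # NOTE(review): a mismatching vector still returns 0 (success) --
        # confirm this is intended by the caller.
        del self.RAND
        return 0
    #
    print('[-] undefined auth error')
    del self.RAND
    return 1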
def __init__(self, cardtype = GSM_USIM, atr = None):
    """Open the card as a USIM when cardtype is GSM_USIM, otherwise as a SIM.

    The opened card object is stored in self.card and self.usim records
    which of the two classes was used.
    """
    wants_usim = (cardtype == GSM_USIM)
    card_class = USIM if wants_usim else SIM
    self.card = card_class(atr)
    self.usim = True if wants_usim else False
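def handle_usim(options, rand_bin, autn_bin):
    """Run one 3G authentication on the USIM and print what the card returns.

    options  -- parsed command-line options; only ``options.debug`` is read.
    rand_bin -- RAND challenge passed to the card.
    autn_bin -- AUTN token passed to the card.

    Prints AUTS for a one-element answer, otherwise RES, CK, IK and, when
    present, Kc. Exits with status 1 when the card cannot be opened or the
    answer is missing or too short to index.
    """
    u = USIM()
    if not u:
        print "Error opening USIM"
        exit(1)
    if options.debug:
        u.dbg = 2
    # value unused here; the call is kept in case it prepares the card
    # session for authenticate() -- TODO confirm
    imsi = u.get_imsi()
    ret = u.authenticate(rand_bin, autn_bin, ctx='3G')
    # A missing answer, or one with 0 or 2 elements, would otherwise raise on
    # len()/indexing below; report it instead.
    if ret is None or len(ret) in (0, 2):
        print "Error during 3G authentication"
        exit(1)
    if len(ret) == 1:
        print "AUTS:\t%s" % b2a_hex(byteToString(ret[0]))
    else:
        # CK / IK / Kc are session keys: treat this output as sensitive
        print "RES:\t%s" % b2a_hex(byteToString(ret[0]))
        print "CK:\t%s" % b2a_hex(byteToString(ret[1]))
        print "IK:\t%s" % b2a_hex(byteToString(ret[2]))
        if len(ret) == 4:
            print "Kc:\t%s" % b2a_hex(byteToString(ret[3]))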
def handle_usim(options, rand_bin, autn_bin):
    """Authenticate once in 3G context and print the card's answer in hex.

    A one-element answer is printed as AUTS; any other answer is printed as
    RES, CK, IK, plus Kc when a fourth element is present.

    NOTE(review): the answer is indexed without a None or length check, so
    a failed authenticate() surfaces as an exception here -- confirm what
    USIM.authenticate() returns on failure.
    """
    card = USIM()
    if not card:
        print "Error opening USIM"
        exit(1)
    if options.debug:
        card.dbg = 2
    # result unused; the call itself is kept as in the original flow
    card.get_imsi()
    result = card.authenticate(rand_bin, autn_bin, ctx='3G')
    if len(result) == 1:
        print "AUTS:\t%s" % b2a_hex(byteToString(result[0]))
        return
    for position, template in enumerate(("RES:\t%s", "CK:\t%s", "IK:\t%s")):
        print template % b2a_hex(byteToString(result[position]))
    if len(result) == 4:
        print "Kc:\t%s" % b2a_hex(byteToString(result[3]))
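def handle_usim(options, rand_bin, autn_bin):
    """Run a UMTS and then a GSM authentication on the USIM and print the results.

    options  -- parsed command-line options; only ``options.debug`` is read.
    rand_bin -- RAND challenge passed to the card in both runs.
    autn_bin -- AUTN token passed to the card in both runs.

    Exits with status 1 when the card cannot be opened, or when either
    answer is missing or has a length that cannot be printed.
    """
    u = USIM()
    if not u:
        print "Error opening USIM"
        exit(1)
    if options.debug:
        u.dbg = 2
    imsi = u.get_imsi()
    print "Testing USIM card with IMSI %s" % imsi

    print "\nUMTS Authentication"
    ret = u.authenticate(rand_bin, autn_bin, ctx='3G')
    # A missing answer, or one with 0 or 2 elements, would otherwise raise on
    # len()/indexing below; report it the same way as the 2G error.
    if ret is None or len(ret) in (0, 2):
        print "Error during 3G authentication"
        exit(1)
    if len(ret) == 1:
        # one element: the card answered with AUTS (resynchronisation)
        print "AUTS:\t%s" % b2a_hex(byteToString(ret[0]))
    else:
        # CK / IK / Kc are session keys: treat this output as sensitive
        print "RES:\t%s" % b2a_hex(byteToString(ret[0]))
        print "CK:\t%s" % b2a_hex(byteToString(ret[1]))
        print "IK:\t%s" % b2a_hex(byteToString(ret[2]))
        if len(ret) == 4:
            print "Kc:\t%s" % b2a_hex(byteToString(ret[3]))

    print "\nGSM Authentication"
    ret = u.authenticate(rand_bin, autn_bin, ctx='2G')
    # None is checked first so a failed call reports the error instead of
    # raising inside len()
    if ret is None or len(ret) != 2:
        print "Error during 2G authentication"
        exit(1)
    print "SRES:\t%s" % b2a_hex(byteToString(ret[0]))
    print "Kc:\t%s" % b2a_hex(byteToString(ret[1]))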
def test_identification(self):
    """Read ICCID and IMSI back from the card and report them.

    Stores the values in self.ICCID and self.IMSI, replacing whatever was
    there before. Returns 0 when both are non-empty, 1 otherwise.
    """
    uicc = UICC()
    self.ICCID = uicc.get_ICCID()
    uicc.disconnect()

    usim = USIM()
    self.IMSI = usim.get_imsi()
    summary = '[+] USIM identification:\nICCID: %s\nIMSI: %s' % (self.ICCID, self.IMSI)
    print(summary)
    usim.disconnect()

    if self.ICCID and self.IMSI:
        return 0
    print('[-] identification error')
    return 1
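def test_identification(self):
    """Read ICCID and IMSI back from the card and print them.

    Returns 0 when both values were read.
    Raises Exception('identification test error') when either is empty.
    """
    u = UICC()
    try:
        iccid = u.get_ICCID()
    finally:
        # release the reader even if the read raises
        u.disconnect()
    u = USIM()
    try:
        imsi = u.get_imsi()
    finally:
        u.disconnect()
    #
    if not iccid or not imsi:
        # the original had an unreachable `return 1` after this raise
        raise Exception('identification test error')
    print('[+] USIM identification:\nICCID: %s\nIMSI: %s' % (iccid, imsi))
    return 0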
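def __init__(self, cardtype=GSM_USIM, atr=None):
    """Open the card and, for a USIM, record which applications it lists.

    cardtype -- GSM_USIM opens the card with USIM(atr); any other value
                opens it with SIM(atr).
    atr      -- passed through to the card class.

    Sets self.card, self.usim, self.has_isim and self.has_usim.
    """
    # Define both flags up front so they exist on the SIM path and when no
    # matching AID is found; the original only ever assigned True.
    self.has_isim = False
    self.has_usim = False
    if cardtype == GSM_USIM:
        self.card = USIM(atr)
        self.usim = True
        # Detect ISIM / USIM applications from the AIDs the card lists
        self.card.get_AID()
        # RID A0 00 00 00 87 followed by the application code
        isim_prefix = [0xA0, 0x00, 0x00, 0x00, 0x87, 0x10, 0x04]
        usim_prefix = [0xA0, 0x00, 0x00, 0x00, 0x87, 0x10, 0x02]
        # `or []` tolerates a card object whose AID list was never filled
        for a in self.card.AID or []:
            if a[0:7] == isim_prefix:
                self.has_isim = True
            elif a[0:7] == usim_prefix:
                self.has_usim = True
    else:
        self.card = SIM(atr)
        self.usim = False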
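def test_authentication(self):
    """Self-test the programmed card with one Milenage 3G authentication.

    Returns 0 when the card answered with RES, CK, IK(, Kc) and 1 when
    authenticate() failed, the answer has an unexpected length, or
    self.auth_test is already >= 2. After a synchronisation failure the
    card's SQN is recovered from AUTS and the result of the retry is
    returned.

    NOTE(review): self.auth_test is not modified in this method, so the
    retry depth is only bounded if the caller updates it -- confirm.
    """
    if self.auth_test >= 2:
        return 1
    u = USIM()
    try:
        # prepare auth challenge
        self.RAND = urand(16)  # challenge is 128 bits
        if not hasattr(self, 'SQN'):
            self.SQN = 0  # default SQN is 0, coded on 48 bits
        AMF = 2 * '\0'  # management field, unneeded, left blank
        # compute Milenage functions
        XRES, CK, IK, AK = self.Milenage.f2345(self.K, self.RAND)
        MAC_A = self.Milenage.f1(self.K, self.RAND, sqn_to_str(self.SQN), AMF)
        # AUTN = (SQN xor AK) || AMF || MAC-A
        AUTN = xor_string(sqn_to_str(self.SQN), AK) + AMF + MAC_A
        # run auth data on the USIM
        ret = u.authenticate(stringToByte(self.RAND), stringToByte(AUTN), '3G')
    finally:
        # one disconnect on every path; the original disconnected twice
        # on the resync path and not at all if an exception was raised
        u.disconnect()
    # check results
    if ret is None:
        print('[-] authenticate() failed; something wrong happened, '
              'maybe during card programmation ?')
        # the original fell through and reported success (0) here
        return 1
    if len(ret) == 1:
        print('[-] sync failure during authenticate(); unmasking counter')
        auts = byteToString(ret[0])
        ak = self.Milenage.f5star(self.K, self.RAND)
        # the first 6 bytes of AUTS carry the card's SQN masked with f5*
        self.SQN = str_to_sqn(xor_string(auts, ak)[:6])
        print('[+] auth counter value in USIM: %i' % self.SQN)
        self.SQN += 1
        print('[+] retrying authenticate() with SQN: %i' % self.SQN)
        # propagate the retry's verdict instead of discarding it
        return self.test_authentication()
    if len(ret) in (3, 4):
        # RES, CK, IK(, Kc)
        # list() keeps the comparison meaningful where map() returns an
        # iterator, which never compares equal to a list
        expected = list(map(stringToByte, [XRES, CK, IK]))
        if ret[0:3] == expected:
            print('[+] 3G auth successful with SQN: %i\n'
                  'increment it from now' % self.SQN)
            # NOTE(review): prints the long-term secrets K and OPc on
            # stdout; keep this output out of shared logs.
            print('[+] USIM secrets:\nOPc: %s\nK: %s'
                  % (hexlify(self.OPc), hexlify(self.K)))
        else:
            print('[-] 3G auth accepted on the USIM, '
                  'but not matching auth vector generated: strange!')
            print('card returned:\n%s' % ret)
        return 0
    print('[-] undefined auth error')
    return 1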
def test_authentication(self):
    """Self-test the programmed card with one Milenage 3G authentication.

    Builds an authentication vector from self.K and a fresh RAND, sends
    RAND/AUTN to the card and compares the answer with the locally computed
    XRES, CK and IK. Returns 1 when self.auth_test is already >= 2 and 0 on
    every other path.

    NOTE(review): 0 is also returned when authenticate() returned None or
    the retry after a sync failure did not succeed, because the recursive
    result is discarded. self.auth_test is not modified here, so the
    recursion is only bounded if the caller updates it -- confirm.
    """
    if self.auth_test >= 2:
        return 1
    u = USIM()
    # prepare auth challenge
    self.RAND = urand(16) # challenge is 128 bits
    if not hasattr(self, 'SQN'):
        self.SQN = 0 # default SQN is 0, coded on 48 bits
    AMF = 2*'\0' # management field, unneeded, left blank
    # compute Milenage functions
    XRES, CK, IK, AK = self.Milenage.f2345( self.K, self.RAND )
    MAC_A = self.Milenage.f1(self.K, self.RAND, sqn_to_str(self.SQN), AMF)
    # AUTN = (SQN xor AK) || AMF || MAC-A
    AUTN = xor_string(sqn_to_str(self.SQN), AK) + AMF + MAC_A
    # run auth data on the USIM
    ret = u.authenticate(stringToByte(self.RAND), stringToByte(AUTN), '3G')
    # check results
    if ret == None:
        print('[-] authenticate() failed; something wrong happened, '\
              'maybe during card programmation ?')
    elif len(ret) == 1:
        # single element: AUTS, i.e. the card rejected our SQN
        print('[-] sync failure during authenticate(); unmasking counter')
        auts = byteToString(ret[0])
        ak = self.Milenage.f5star(self.K, self.RAND)
        # the first 6 bytes of AUTS carry the card's SQN masked with f5*
        self.SQN = str_to_sqn(xor_string(auts, ak)[:6])
        print('[+] auth counter value in USIM: %i' % self.SQN)
        self.SQN += 1
        print('[+] retrying authenticate() with SQN: %i' % self.SQN)
        # u is disconnected here and again at the end of this call
        u.disconnect()
        self.test_authentication()
    elif len(ret) in (3, 4):
        # RES, CK, IK(, Kc)
        # NOTE(review): where map() returns an iterator this comparison is
        # never true; it relies on map() returning a list.
        if ret[0:3] == map(stringToByte, [XRES, CK, IK]):
            print('[+] 3G auth successful with SQN: %i\n' \
                  'increment it from now' % self.SQN)
            # NOTE(review): prints the long-term secrets K and OPc on
            # stdout; keep this output out of shared logs.
            print('[+] USIM secrets:\nOPc: %s\nK: %s' \
                  % (hexlify(self.OPc), hexlify(self.K)))
        else:
            print('[-] 3G auth accepted on the USIM, ' \
                  'but not matching auth vector generated: strange!')
            print('card returned:\n%s' % ret)
    u.disconnect()
    return 0
# NOTE(review): the indented statements below look like the tail of a function
# (presumably program_files, which the main block calls) whose header lies
# outside this excerpt.
    # Walk down to the PLMN selector file: 3F00 (MF), 7F20 (DF_GSM),
    # 6F30 (EF_PLMNsel).
    # NOTE(review): the results of the three SELECT_FILE calls are discarded,
    # so a failed selection is not noticed before the write -- confirm that
    # UPDATE_BINARY cannot then land on a different file.
    uicc.SELECT_FILE(0, 4, [0x3F, 0x00])
    uicc.SELECT_FILE(0, 4, [0x7F, 0x20])
    uicc.SELECT_FILE(0, 4, [0x6F, 0x30])
    print ('PLMNsel EF File selected.')
    # go to PLMNsel address and update binary string for HPLMN
    ret = uicc.UPDATE_BINARY(0, 0, PLMNsel)
    # the result is only printed, not checked
    print('Writing PLMN selector: %s' % ret)

# Script entry point: show the IMSI, read PLMNsel, rewrite it, read it back.
if __name__ == '__main__':
    print 'INET USIM card update PLMNsel with value: '
    u = USIM()
    imsi = u.get_imsi()
    print '====>> IMSI: ' + imsi
    plmnsel_before = u.get_plmnsel()
    print '====>> Current PLMNsel: ' , plmnsel_before
    # modifies the card; no confirmation step before the write
    program_files(u)
    # read back so the operator can compare the values by eye; the script
    # itself does not compare them
    plmnsel_after = u.get_plmnsel()
    print '====>> Modified PLMNsel: ' , plmnsel_after
    u.disconnect()
    print 'INET USIM card PLMNsel update completed'
class personalize(object):
    '''
    Class to program and self-test a sysmo-USIM-SJS1 card.

    Takes the ADM code of the card (str of digits) and a 3 digit serial
    number as arguments to personalize the USIM card.

    Makes use of the fixed parameters in this file header:
    ICCID_pre, IMSI_pre, Ki_pre, OP, HPLMN, PLMNsel, SPN

    NOTE(review): everything, including the card writes and both tests,
    runs inside __init__, and K / OPc are printed on stdout on success.
    '''

    def __init__(self, ADM, serial_number='000'):
        '''
        Build ICCID, IMSI, K and OPc, write them to the card, then test it.

        Raises Exception when serial_number is not exactly 3 digits or when
        K or OPc is not 16 bytes long. Returns silently, without the final
        summary, when one of the two tests returns a non-zero value.
        '''
        # prepare data to write into the card
        if not len(serial_number) == 3 or not serial_number.isdigit():
            raise (Exception('serial: 3-digits required'))
        self.ICCID = ICCID_pre + serial_number
        # append the Luhn check digit computed over prefix + serial
        self.ICCID += str(compute_luhn(self.ICCID))
        self.IMSI = IMSI_pre + serial_number
        # NOTE(review): K differs between cards only in the 3-digit serial,
        # so every key of a batch follows from Ki_pre; suitable for lab
        # cards, not as a key-diversification scheme for real subscribers.
        self.K = Ki_pre + serial_number
        self.Milenage = Milenage(OP)
        self.OPc = make_OPc(self.K, OP)
        # verify parameters
        if len(self.K) != 16 or len(self.OPc) != 16:
            raise (Exception('K / OPc: 16-bytes buffer required'))
        #
        # write data on the card
        u = UICC()
        program_files(u, ADM, self.ICCID, self.IMSI, self.K, self.OPc)
        u.disconnect()
        #
        if self.test_identification() != 0:
            return
        #
        # attempt counter read and incremented by test_authentication()
        self._auth = 0
        if self.test_authentication() != 0:
            return
        #
        # and print results
        # (one CSV-style line per card, including K and OPc in hex)
        print(
            '[+] sysmoUSIM-SJS1 card personalization done and tested successfully:'
        )
        print('ICCID ; IMSI ; K ; OPc')
        print('%s;%s;0x%s;0x%s' %
              (self.ICCID, self.IMSI, hexlify(self.K), hexlify(self.OPc)))

    def test_identification(self):
        '''
        Read ICCID and IMSI back from the card and print them.

        Returns 0 when both were read; raises Exception when either is empty.
        '''
        u = UICC()
        iccid = u.get_ICCID()
        u.disconnect()
        u = USIM()
        imsi = u.get_imsi()
        u.disconnect()
        #
        if not iccid or not imsi:
            raise (Exception('identification test error'))
            # unreachable: the raise above always leaves the method first
            return 1
        else:
            print('[+] USIM identification:\nICCID: %s\nIMSI: %s' %
                  (iccid, imsi))
            return 0

    def test_authentication(self):
        '''
        Run one Milenage 3G authentication against the card.

        Returns 0 when the card answered with RES, CK, IK(, Kc) and 1 when
        authenticate() returned None, the answer has another length, or
        self._auth is already above 2. After a sync failure the SQN is
        recovered from AUTS and the method calls itself again.
        '''
        if self._auth > 2:
            return 1
        #
        # prepare dummy 128 bits auth challenge
        if not hasattr(self, 'RAND'):
            self.RAND = 16 * b'\x44'
        if not hasattr(self, 'SQN'):
            # default SQN is 0, coded on 48 bits
            self.SQN = 0
        # management field, unneeded, left blank
        AMF = b'\0\0'
        #
        # compute Milenage functions
        XRES, CK, IK, AK = self.Milenage.f2345(self.K, self.RAND)
        MAC_A = self.Milenage.f1(self.K, self.RAND,
                                 sqn_to_str(self.SQN), AMF)
        # AUTN = (SQN xor AK) || AMF || MAC-A
        AUTN = xor_buf(sqn_to_str(self.SQN), AK) + AMF + MAC_A
        #
        # run auth data on the USIM
        self.U = USIM()
        ret = self.U.authenticate(stringToByte(self.RAND),
                                  stringToByte(AUTN), '3G')
        self.U.disconnect()
        self._auth += 1
        #
        # check results
        if ret == None:
            print('[-] authenticate() failed, something wrong happened')
            del self.RAND
            return 1
        #
        elif len(ret) == 1:
            # single element: AUTS, i.e. the card rejected our SQN
            print(
                '[-] sync failure during authenticate() with SQN %i, unmasking counter'
                % self.SQN)
            auts = byteToString(ret[0])
            ak = self.Milenage.f5star(self.K, self.RAND)
            # the first 6 bytes of AUTS carry the card's SQN masked with f5*
            self.SQN = str_to_sqn(xor_buf(auts, ak)[:6])
            print('[+] SQN counter value in USIM: %i' % self.SQN)
            # presumably steps over the low 5 bits of the counter -- TODO confirm
            self.SQN += 1 << 5
            print('[+] retrying authenticate() with SQN: %i' % self.SQN)
            del self.RAND
            return self.test_authentication()
        #
        elif len(ret) in (3, 4):
            # RES, CK, IK(, Kc)
            # NOTE(review): where map() returns an iterator this comparison
            # is never true; it relies on map() returning a list.
            if ret[0:3] == map(stringToByte, [XRES, CK, IK]):
                print(
                    '[+] 3G auth successful with SQN: %i\nincrement it from now'
                    % self.SQN)
                # NOTE(review): prints the long-term secrets K and OPc on
                # stdout; keep this output out of shared logs.
                print('[+] USIM secrets:\nOPc: %s\nK: %s' %
                      (hexlify(self.OPc), hexlify(self.K)))
            else:
                print(
                    '[-] 3G auth accepted on the USIM, but not matching auth vector generated: strange!'
                )
                print('card returned:\n%s' % ret)
            # NOTE(review): a mismatching vector still returns 0 (success)
            del self.RAND
            return 0
        #
        else:
            print('[-] undefined auth error')
            del self.RAND
            return 1
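class personalize(object):
    '''
    Class to program and self-test a sysmo-USIM-SJS1 card.

    Takes the ADM code of the card (str of digits) and a 3 digit serial
    number as arguments to personalize the USIM card.

    Makes use of the fixed parameters in this file header:
    ICCID_pre, IMSI_pre, Ki_pre, OP, HPLMN, PLMNsel, SPN

    NOTE(review): everything, including the card writes and both tests,
    runs inside __init__, and K / OPc are printed on stdout on success.
    '''

    def __init__(self, ADM, serial_number='000'):
        '''
        Build ICCID, IMSI, K and OPc, write them to the card, then test it.

        Raises Exception when serial_number is not exactly 3 digits, when K
        or OPc is not 16 bytes long, or when the identification test fails.
        Returns silently, without the final summary, when a test returns a
        non-zero value.
        '''
        # prepare data to write into the card
        if len(serial_number) != 3 or not serial_number.isdigit():
            raise Exception('serial: 3-digits required')
        self.ICCID = ICCID_pre + serial_number
        # append the Luhn check digit computed over prefix + serial
        self.ICCID += str(compute_luhn(self.ICCID))
        self.IMSI = IMSI_pre + serial_number
        # NOTE(review): K differs between cards only in the 3-digit serial,
        # so every key of a batch follows from Ki_pre; suitable for lab
        # cards, not as a key-diversification scheme for real subscribers.
        self.K = Ki_pre + serial_number
        self.Milenage = Milenage(OP)
        self.OPc = make_OPc(self.K, OP)
        # verify parameters
        if len(self.K) != 16 or len(self.OPc) != 16:
            raise Exception('K / OPc: 16-bytes buffer required')
        #
        # write data on the card
        u = UICC()
        try:
            program_files(u, ADM, self.ICCID, self.IMSI, self.K, self.OPc)
        finally:
            # release the reader even if programming raises
            u.disconnect()
        #
        if self.test_identification() != 0:
            return
        #
        # attempt counter read and incremented by test_authentication()
        self._auth = 0
        if self.test_authentication() != 0:
            return
        #
        # and print results
        # (one CSV-style line per card, including K and OPc in hex)
        print('[+] sysmoUSIM-SJS1 card personalization done and tested successfully:')
        print('ICCID ; IMSI ; K ; OPc')
        print('%s;%s;0x%s;0x%s' % (self.ICCID, self.IMSI, hexlify(self.K), hexlify(self.OPc)))

    def test_identification(self):
        '''
        Read ICCID and IMSI back from the card and print them.

        Returns 0 when both were read; raises Exception when either is empty.
        '''
        u = UICC()
        try:
            iccid = u.get_ICCID()
        finally:
            u.disconnect()
        u = USIM()
        try:
            imsi = u.get_imsi()
        finally:
            u.disconnect()
        #
        if not iccid or not imsi:
            # the original had an unreachable `return 1` after this raise
            raise Exception('identification test error')
        print('[+] USIM identification:\nICCID: %s\nIMSI: %s' % (iccid, imsi))
        return 0

    def test_authentication(self):
        '''
        Run one Milenage 3G authentication against the card.

        Returns 0 when the card answered with RES, CK, IK(, Kc) and 1 when
        authenticate() returned None, the answer has another length, or
        self._auth is already above 2. After a sync failure the SQN is
        recovered from AUTS and the method calls itself again.
        '''
        if self._auth > 2:
            return 1
        #
        # prepare dummy 128 bits auth challenge (fixed value, fine for a self-test)
        if not hasattr(self, 'RAND'):
            self.RAND = 16*b'\x44'
        if not hasattr(self, 'SQN'):
            # default SQN is 0, coded on 48 bits
            self.SQN = 0
        # management field, unneeded, left blank
        AMF = b'\0\0'
        #
        # compute Milenage functions
        XRES, CK, IK, AK = self.Milenage.f2345(self.K, self.RAND)
        MAC_A = self.Milenage.f1(self.K, self.RAND, sqn_to_str(self.SQN), AMF)
        # AUTN = (SQN xor AK) || AMF || MAC-A
        AUTN = xor_buf(sqn_to_str(self.SQN), AK) + AMF + MAC_A
        #
        # run auth data on the USIM
        self.U = USIM()
        try:
            ret = self.U.authenticate(stringToByte(self.RAND), stringToByte(AUTN), '3G')
        finally:
            self.U.disconnect()
        self._auth += 1
        #
        # check results
        if ret is None:
            print('[-] authenticate() failed, something wrong happened')
            del self.RAND
            return 1
        #
        if len(ret) == 1:
            # single element: AUTS, i.e. the card rejected our SQN
            print('[-] sync failure during authenticate() with SQN %i, unmasking counter' % self.SQN)
            auts = byteToString(ret[0])
            ak = self.Milenage.f5star(self.K, self.RAND)
            # the first 6 bytes of AUTS carry the card's SQN masked with f5*
            self.SQN = str_to_sqn(xor_buf(auts, ak)[:6])
            print('[+] SQN counter value in USIM: %i' % self.SQN)
            # presumably steps over the low 5 bits of the counter -- TODO confirm
            self.SQN += 1<<5
            print('[+] retrying authenticate() with SQN: %i' % self.SQN)
            del self.RAND
            return self.test_authentication()
        #
        if len(ret) in (3, 4):
            # RES, CK, IK(, Kc)
            # list() keeps the comparison meaningful where map() returns an
            # iterator, which never compares equal to a list
            expected = list(map(stringToByte, [XRES, CK, IK]))
            if ret[0:3] == expected:
                print('[+] 3G auth successful with SQN: %i\nincrement it from now' % self.SQN)
                # NOTE(review): prints the long-term secrets K and OPc on
                # stdout; keep this output out of shared logs.
                print('[+] USIM secrets:\nOPc: %s\nK: %s' % (hexlify(self.OPc), hexlify(self.K)))
            else:
                print('[-] 3G auth accepted on the USIM, but not matching auth vector generated: strange!')
                print('card returned:\n%s' % ret)
            # NOTE(review): a mismatching vector still returns 0 (success)
            del self.RAND
            return 0
        #
        print('[-] undefined auth error')
        del self.RAND
        return 1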
if __name__ == '__main__': def __init__(self): ''' connect smartcard and defines class CLA code for communication uses "pyscard" library services ''' print "Checking ATR Value" iso = ISO7816() iso.ATR_scan() print "List Card Information" u = USIM() imsi = u.get_imsi() acc = u.get_acc() spdi = u.get_spdi() spdi2 = u.get_spdi_readBinary() iccid = u.get_ICCID() plmnsel = u.get_plmnsel() fplmn = u.get_fplmn() print " " print "------------------------------------" print "------------- Results --------------" print "------------------------------------" print "IMSI: " + imsi print "ACCs: ", acc print "SPDI: ", spdi
print "RES:\t%s" % b2a_hex(byteToString(ret[0])) print "CK:\t%s" % b2a_hex(byteToString(ret[1])) print "IK:\t%s" % b2a_hex(byteToString(ret[2])) if len(ret) == 4: print "Kc:\t%s" % b2a_hex(byteToString(ret[3])) #ret = u.authenticate(rand_bin, autn_bin, ctx='2G') #if not len(ret) == 2: # print "Error during 2G authentication" # exit(1) #print "SRES:\t%s" % b2a_hex(byteToString(ret[0])) #print "Kc:\t%s" % b2a_hex(byteToString(ret[1])) if __name__ == "__main__": u = USIM() u.debug = 2 imsi = u.get_imsi() s = socket.socket() host = socket.gethostname() #host = '192.168.2.254' port = 12345 s.connect((host, port)) authenticated = False status = 0 while True: print "\n" if authenticated == False: if status == 2:
else: print "RES:\t%s" % b2a_hex(byteToString(ret[0])) print "CK:\t%s" % b2a_hex(byteToString(ret[1])) print "IK:\t%s" % b2a_hex(byteToString(ret[2])) if len(ret) == 4: print "Kc:\t%s" % b2a_hex(byteToString(ret[3])) #ret = u.authenticate(rand_bin, autn_bin, ctx='2G') #if not len(ret) == 2: # print "Error during 2G authentication" # exit(1) #print "SRES:\t%s" % b2a_hex(byteToString(ret[0])) #print "Kc:\t%s" % b2a_hex(byteToString(ret[1])) if __name__ == "__main__": u = USIM() u.debug = 2 imsi = u.get_imsi() s = socket.socket() host = socket.gethostname() #host = '192.168.2.254' port = 12345 s.connect((host, port)) authenticated = False status = 0 while True: print "\n" if authenticated == False: if status == 2: