def handle_usim(options, rand_bin, autn_bin):
u = USIM()
if not u:
print "Error opening USIM"
exit(1)
if options.debug:
u.dbg = 2
imsi = u.get_imsi()
print "Testing USIM card with IMSI %s" % imsi
print "\nUMTS Authentication"
ret = u.authenticate(rand_bin, autn_bin, ctx='3G')
if len(ret) == 1:
print "AUTS:\t%s" % b2a_hex(byteToString(ret[0]))
else:
print "RES:\t%s" % b2a_hex(byteToString(ret[0]))
print "CK:\t%s" % b2a_hex(byteToString(ret[1]))
print "IK:\t%s" % b2a_hex(byteToString(ret[2]))
if len(ret) == 4:
print "Kc:\t%s" % b2a_hex(byteToString(ret[3]))
print "\nGSM Authentication"
ret = u.authenticate(rand_bin, autn_bin, ctx='2G')
if not len(ret) == 2:
print "Error during 2G authentication"
exit(1)
print "SRES:\t%s" % b2a_hex(byteToString(ret[0]))
print "Kc:\t%s" % b2a_hex(byteToString(ret[1]))
def handle_usim(options, rand_bin, autn_bin): u = USIM() if not u: print "Error opening USIM" exit(1) if options.debug: u.dbg = 2; imsi = u.get_imsi() ret = u.authenticate(rand_bin, autn_bin, ctx='3G') if len(ret) == 1: print "AUTS:\t%s" % b2a_hex(byteToString(ret[0])) else: print "RES:\t%s" % b2a_hex(byteToString(ret[0])) print "CK:\t%s" % b2a_hex(byteToString(ret[1])) print "IK:\t%s" % b2a_hex(byteToString(ret[2])) if len(ret) == 4: print "Kc:\t%s" % b2a_hex(byteToString(ret[3]))
def test_authentication(self):
if self.auth_test >= 2:
return 1
u = USIM()
# prepare auth challenge
self.RAND = urand(16) # challenge is 128 bits
if not hasattr(self, 'SQN'):
self.SQN = 0 # default SQN is 0, coded on 48 bits
AMF = 2*'\0' # management field, unneeded, left blank
# compute Milenage functions
XRES, CK, IK, AK = self.Milenage.f2345( self.K, self.RAND )
MAC_A = self.Milenage.f1(self.K, self.RAND, sqn_to_str(self.SQN), AMF)
AUTN = xor_string(sqn_to_str(self.SQN), AK) + AMF + MAC_A
# run auth data on the USIM
ret = u.authenticate(stringToByte(self.RAND), stringToByte(AUTN), '3G')
# check results (and pray)
if ret == None:
print('[-] authenticate() failed; something wrong happened, '\
'maybe during card programmation ?')
elif len(ret) == 1:
print('[-] sync failure during authenticate(); unmasking counter')
auts = byteToString(ret[0])
ak = self.Milenage.f5star(self.K, self.RAND)
self.SQN = str_to_sqn(xor_string(auts, ak)[:6])
print('[+] auth counter value in USIM: %i' % self.SQN)
self.SQN += 1
print('[+] retrying authenticate() with SQN: %i' % self.SQN)
u.disconnect()
self.test_authentication()
elif len(ret) in (3, 4):
# RES, CK, IK(, Kc)
if ret[0:3] == map(stringToByte, [XRES, CK, IK]):
print('[+] 3G auth successful with SQN: %i\n' \
'increment it from now' % self.SQN)
print('[+] USIM secrets:\nOPc: %s\nK: %s' \
% (hexlify(self.OPc), hexlify(self.K)))
else:
print('[-] 3G auth accepted on the USIM, ' \
'but not matching auth vector generated: strange!')
print('card returned:\n%s' % ret)
u.disconnect()
return 0
def handle_usim(options, rand_bin, autn_bin):
u = USIM()
if not u:
print "Error opening USIM"
exit(1)
if options.debug:
u.dbg = 2
imsi = u.get_imsi()
ret = u.authenticate(rand_bin, autn_bin, ctx='3G')
if len(ret) == 1:
print "AUTS:\t%s" % b2a_hex(byteToString(ret[0]))
else:
print "RES:\t%s" % b2a_hex(byteToString(ret[0]))
print "CK:\t%s" % b2a_hex(byteToString(ret[1]))
print "IK:\t%s" % b2a_hex(byteToString(ret[2]))
if len(ret) == 4:
print "Kc:\t%s" % b2a_hex(byteToString(ret[3]))
def test_authentication(self):
if self.auth_test >= 2:
return 1
u = USIM()
# prepare auth challenge
self.RAND = urand(16) # challenge is 128 bits
if not hasattr(self, 'SQN'):
self.SQN = 0 # default SQN is 0, coded on 48 bits
AMF = 2 * '\0' # management field, unneeded, left blank
# compute Milenage functions
XRES, CK, IK, AK = self.Milenage.f2345(self.K, self.RAND)
MAC_A = self.Milenage.f1(self.K, self.RAND, sqn_to_str(self.SQN), AMF)
AUTN = xor_string(sqn_to_str(self.SQN), AK) + AMF + MAC_A
# run auth data on the USIM
ret = u.authenticate(stringToByte(self.RAND), stringToByte(AUTN), '3G')
# check results (and pray)
if ret == None:
print('[-] authenticate() failed; something wrong happened, '\
'maybe during card programmation ?')
elif len(ret) == 1:
print('[-] sync failure during authenticate(); unmasking counter')
auts = byteToString(ret[0])
ak = self.Milenage.f5star(self.K, self.RAND)
self.SQN = str_to_sqn(xor_string(auts, ak)[:6])
print('[+] auth counter value in USIM: %i' % self.SQN)
self.SQN += 1
print('[+] retrying authenticate() with SQN: %i' % self.SQN)
u.disconnect()
self.test_authentication()
elif len(ret) in (3, 4):
# RES, CK, IK(, Kc)
if ret[0:3] == map(stringToByte, [XRES, CK, IK]):
print('[+] 3G auth successful with SQN: %i\n' \
'increment it from now' % self.SQN)
print('[+] USIM secrets:\nOPc: %s\nK: %s' \
% (hexlify(self.OPc), hexlify(self.K)))
else:
print('[-] 3G auth accepted on the USIM, ' \
'but not matching auth vector generated: strange!')
print('card returned:\n%s' % ret)
u.disconnect()
return 0
class personalize(object):
'''
Class to program sysmo-USIM-SJS1 card
takes the ADM code of the card (str of digits)
and a 3 digit serial number as argument to personalize the USIM card.
Makes use of the fixed parameters in this file header:
ICCID_pre, IMSI_pre, Ki_pre, OP,
HPLMN, PLMNsel, SPN
'''
def __init__(self, ADM, serial_number='000'):
# prepare data to write into the card
if not len(serial_number) == 3 or not serial_number.isdigit():
raise (Exception('serial: 3-digits required'))
self.ICCID = ICCID_pre + serial_number
self.ICCID += str(compute_luhn(self.ICCID))
self.IMSI = IMSI_pre + serial_number
self.K = Ki_pre + serial_number
self.Milenage = Milenage(OP)
self.OPc = make_OPc(self.K, OP)
# verify parameters
if len(self.K) != 16 or len(self.OPc) != 16:
raise (Exception('K / OPc: 16-bytes buffer required'))
#
# write data on the card
u = UICC()
program_files(u, ADM, self.ICCID, self.IMSI, self.K, self.OPc)
u.disconnect()
#
if self.test_identification() != 0:
return
#
self._auth = 0
if self.test_authentication() != 0:
return
#
# and print results
print(
'[+] sysmoUSIM-SJS1 card personalization done and tested successfully:'
)
print('ICCID ; IMSI ; K ; OPc')
print('%s;%s;0x%s;0x%s' %
(self.ICCID, self.IMSI, hexlify(self.K), hexlify(self.OPc)))
def test_identification(self):
u = UICC()
iccid = u.get_ICCID()
u.disconnect()
u = USIM()
imsi = u.get_imsi()
u.disconnect()
#
if not iccid or not imsi:
raise (Exception('identification test error'))
return 1
else:
print('[+] USIM identification:\nICCID: %s\nIMSI: %s' %
(iccid, imsi))
return 0
def test_authentication(self):
if self._auth > 2:
return 1
#
# prepare dummy 128 bits auth challenge
if not hasattr(self, 'RAND'):
self.RAND = 16 * b'\x44'
if not hasattr(self, 'SQN'):
# default SQN is 0, coded on 48 bits
self.SQN = 0
# management field, unneeded, left blank
AMF = b'\0\0'
#
# compute Milenage functions
XRES, CK, IK, AK = self.Milenage.f2345(self.K, self.RAND)
MAC_A = self.Milenage.f1(self.K, self.RAND, sqn_to_str(self.SQN), AMF)
AUTN = xor_buf(sqn_to_str(self.SQN), AK) + AMF + MAC_A
#
# run auth data on the USIM
self.U = USIM()
ret = self.U.authenticate(stringToByte(self.RAND), stringToByte(AUTN),
'3G')
self.U.disconnect()
self._auth += 1
#
# check results (and pray)
if ret == None:
print('[-] authenticate() failed, something wrong happened')
del self.RAND
return 1
#
elif len(ret) == 1:
print(
'[-] sync failure during authenticate() with SQN %i, unmasking counter'
% self.SQN)
auts = byteToString(ret[0])
ak = self.Milenage.f5star(self.K, self.RAND)
self.SQN = str_to_sqn(xor_buf(auts, ak)[:6])
print('[+] SQN counter value in USIM: %i' % self.SQN)
self.SQN += 1 << 5
print('[+] retrying authenticate() with SQN: %i' % self.SQN)
del self.RAND
return self.test_authentication()
#
elif len(ret) in (3, 4):
# RES, CK, IK(, Kc)
if ret[0:3] == map(stringToByte, [XRES, CK, IK]):
print(
'[+] 3G auth successful with SQN: %i\nincrement it from now'
% self.SQN)
print('[+] USIM secrets:\nOPc: %s\nK: %s' %
(hexlify(self.OPc), hexlify(self.K)))
else:
print(
'[-] 3G auth accepted on the USIM, but not matching auth vector generated: strange!'
)
print('card returned:\n%s' % ret)
del self.RAND
return 0
#
else:
print('[-] undefined auth error')
del self.RAND
return 1
print "## auth=false; status=2 - trying to send imsi+auts"
s.send("3"+imsi+auts)
else:
print "## auth=false; status!=2 - trying to send imsi only"
s.send("1"+imsi)
recvmsg = s.recv(1024)
status = recvmsg[0:1]
rand = recvmsg[16:48]
print "RAND: "+rand
autn = recvmsg[48:80]
print "AUTN: "+autn
rand_bin = stringToByte(a2b_hex(rand))
autn_bin = stringToByte(a2b_hex(autn))
ret = u.authenticate(rand_bin, autn_bin, ctx='3G')
if len(ret) == 1:
print "######## auth=false; status!=2; len(ret)=1 - trying to authenticate -> got auts"
auts = b2a_hex(byteToString(ret[0]))
print "AUTS: " + auts
status = 2
else:
print "######## auth=false; status!=2, len(ret)>1 - tyring to authenticate -> got triple"
res = b2a_hex(byteToString(ret[0]))
print "RES: " + res
ck = b2a_hex(byteToString(ret[1]))
print "CK: " + ck
ik = b2a_hex(byteToString(ret[2]))
print "IK :" + ik
authenticated = True
print "## auth=false; status=2 - trying to send imsi+auts"
s.send("3" + imsi + auts)
else:
print "## auth=false; status!=2 - trying to send imsi only"
s.send("1" + imsi)
recvmsg = s.recv(1024)
status = recvmsg[0:1]
rand = recvmsg[16:48]
print "RAND: " + rand
autn = recvmsg[48:80]
print "AUTN: " + autn
rand_bin = stringToByte(a2b_hex(rand))
autn_bin = stringToByte(a2b_hex(autn))
ret = u.authenticate(rand_bin, autn_bin, ctx='3G')
if len(ret) == 1:
print "######## auth=false; status!=2; len(ret)=1 - trying to authenticate -> got auts"
auts = b2a_hex(byteToString(ret[0]))
print "AUTS: " + auts
status = 2
else:
print "######## auth=false; status!=2, len(ret)>1 - tyring to authenticate -> got triple"
res = b2a_hex(byteToString(ret[0]))
print "RES: " + res
ck = b2a_hex(byteToString(ret[1]))
print "CK: " + ck
ik = b2a_hex(byteToString(ret[2]))
print "IK :" + ik
authenticated = True
class personalize(object):
'''
Class to program sysmo-USIM-SJS1 card
takes the ADM code of the card (str of digits)
and a 3 digit serial number as argument to personalize the USIM card.
Makes use of the fixed parameters in this file header:
ICCID_pre, IMSI_pre, Ki_pre, OP,
HPLMN, PLMNsel, SPN
'''
def __init__(self, ADM, serial_number='000'):
# prepare data to write into the card
if not len(serial_number) == 3 or not serial_number.isdigit():
raise(Exception('serial: 3-digits required'))
self.ICCID = ICCID_pre + serial_number
self.ICCID += str(compute_luhn(self.ICCID))
self.IMSI = IMSI_pre + serial_number
self.K = Ki_pre + serial_number
self.Milenage = Milenage(OP)
self.OPc = make_OPc(self.K, OP)
# verify parameters
if len(self.K) != 16 or len(self.OPc) != 16:
raise(Exception('K / OPc: 16-bytes buffer required'))
#
# write data on the card
u = UICC()
program_files(u, ADM, self.ICCID, self.IMSI, self.K, self.OPc)
u.disconnect()
#
if self.test_identification() != 0:
return
#
self._auth = 0
if self.test_authentication() != 0:
return
#
# and print results
print('[+] sysmoUSIM-SJS1 card personalization done and tested successfully:')
print('ICCID ; IMSI ; K ; OPc')
print('%s;%s;0x%s;0x%s' % (self.ICCID, self.IMSI, hexlify(self.K), hexlify(self.OPc)))
def test_identification(self):
u = UICC()
iccid = u.get_ICCID()
u.disconnect()
u = USIM()
imsi = u.get_imsi()
u.disconnect()
#
if not iccid or not imsi:
raise(Exception('identification test error'))
return 1
else:
print('[+] USIM identification:\nICCID: %s\nIMSI: %s' % (iccid, imsi))
return 0
def test_authentication(self):
if self._auth > 2:
return 1
#
# prepare dummy 128 bits auth challenge
if not hasattr(self, 'RAND'):
self.RAND = 16*b'\x44'
if not hasattr(self, 'SQN'):
# default SQN is 0, coded on 48 bits
self.SQN = 0
# management field, unneeded, left blank
AMF = b'\0\0'
#
# compute Milenage functions
XRES, CK, IK, AK = self.Milenage.f2345( self.K, self.RAND )
MAC_A = self.Milenage.f1(self.K, self.RAND, sqn_to_str(self.SQN), AMF)
AUTN = xor_buf(sqn_to_str(self.SQN), AK) + AMF + MAC_A
#
# run auth data on the USIM
self.U = USIM()
ret = self.U.authenticate(stringToByte(self.RAND), stringToByte(AUTN), '3G')
self.U.disconnect()
self._auth += 1
#
# check results (and pray)
if ret == None:
print('[-] authenticate() failed, something wrong happened')
del self.RAND
return 1
#
elif len(ret) == 1:
print('[-] sync failure during authenticate() with SQN %i, unmasking counter' % self.SQN)
auts = byteToString(ret[0])
ak = self.Milenage.f5star(self.K, self.RAND)
self.SQN = str_to_sqn(xor_buf(auts, ak)[:6])
print('[+] SQN counter value in USIM: %i' % self.SQN)
self.SQN += 1<<5
print('[+] retrying authenticate() with SQN: %i' % self.SQN)
del self.RAND
return self.test_authentication()
#
elif len(ret) in (3, 4):
# RES, CK, IK(, Kc)
if ret[0:3] == map(stringToByte, [XRES, CK, IK]):
print('[+] 3G auth successful with SQN: %i\nincrement it from now' % self.SQN)
print('[+] USIM secrets:\nOPc: %s\nK: %s' % (hexlify(self.OPc), hexlify(self.K)))
else:
print('[-] 3G auth accepted on the USIM, but not matching auth vector generated: strange!')
print('card returned:\n%s' % ret)
del self.RAND
return 0
#
else:
print('[-] undefined auth error')
del self.RAND
return 1