Exemplo n.º 1
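def handle_usim(options, rand_bin, autn_bin):
    """Run a 3G (UMTS) and then a 2G (GSM) authentication on the inserted USIM.

    Prints the IMSI and the authentication output to stdout and calls
    exit(1) when the card cannot be opened or an authentication step does
    not return a usable result.

    options  -- parsed options; only ``options.debug`` is read here
    rand_bin -- RAND challenge, passed unchanged to ``USIM.authenticate``
    autn_bin -- AUTN token, passed unchanged to ``USIM.authenticate``

    NOTE(review): RES/SRES, CK, IK and Kc are authentication results and
    session keys for this challenge; they are written to stdout in clear,
    so keep this output away from shared logs and terminals.
    """
    u = USIM()
    if not u:
        print "Error opening USIM"
        exit(1)

    if options.debug:
        u.dbg = 2

    imsi = u.get_imsi()
    print "Testing USIM card with IMSI %s" % imsi

    print "\nUMTS Authentication"
    ret = u.authenticate(rand_bin, autn_bin, ctx='3G')
    # authenticate() presumably returns None on a card/reader error (other
    # callers test for it); stop cleanly instead of raising on len(None).
    if not ret:
        print "Error during 3G authentication"
        exit(1)
    if len(ret) == 1:
        # A single element is reported as AUTS (the card rejected the SQN).
        print "AUTS:\t%s" % b2a_hex(byteToString(ret[0]))
    elif len(ret) >= 3:
        print "RES:\t%s" % b2a_hex(byteToString(ret[0]))
        print "CK:\t%s" % b2a_hex(byteToString(ret[1]))
        print "IK:\t%s" % b2a_hex(byteToString(ret[2]))
        if len(ret) == 4:
            print "Kc:\t%s" % b2a_hex(byteToString(ret[3]))
    else:
        # Two elements would make ret[2] raise IndexError half-way through.
        print "Error during 3G authentication"
        exit(1)

    print "\nGSM Authentication"
    ret = u.authenticate(rand_bin, autn_bin, ctx='2G')
    # Same None guard as above before the length test.
    if not ret or len(ret) != 2:
        print "Error during 2G authentication"
        exit(1)
    print "SRES:\t%s" % b2a_hex(byteToString(ret[0]))
    print "Kc:\t%s" % b2a_hex(byteToString(ret[1]))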
Exemplo n.º 2
	def __init__(self, cardtype = GSM_USIM, atr = None):
		"""Open the card as a USIM or as a plain SIM.

		cardtype -- GSM_USIM selects the USIM class, any other value SIM
		atr      -- passed unchanged to the chosen card class
		"""
		is_usim = bool(cardtype == GSM_USIM)
		# Only the class that is actually needed is looked up.
		card_class = USIM if is_usim else SIM
		self.card = card_class(atr)
		self.usim = is_usim
Exemplo n.º 3
def handle_usim_fakehss(options, rand_bin):
    """Derive OPc from hard-coded OP and K and print it with the card's IMSI.

    options  -- parsed options; only ``options.debug`` is read here
    rand_bin -- RAND challenge; a fixed value is substituted when it is None

    Calls exit(1) if the USIM object is falsy. The visible body performs no
    authentication: it only computes OPc and prints values.

    NOTE(review): OP and K are all-zero test values and are printed to
    stdout together with OPc. That is fine for a lab card and a fake HSS;
    real subscriber key material must not be hard-coded or printed this way.
    """
    u = USIM(options.debug)
    if not u:
        print "Error opening USIM"
        exit(1)

    if options.debug:
        u.dbg = 2

    # Fixed fallback challenge: predictable, so only suitable for testing.
    if rand_bin == None:
        rand_bin = stringToByte("00112233445566778899aabbccddeeff")
    IV = 16 * '\x00'
    OP_bin = stringToByte("00000000000000000000000000000000") # Operator Key
    KI_bin = stringToByte("00000000000000000000000000000000") # K
    # NOTE(review): SQN_bin is not used again in the visible body.
    SQN_bin= stringToByte("000023403500") # SQN 591410432
    # AMF ??
                         #"7D3D6804DB5480003F7A47FB35FA7285"
                         #"808182888485868788898A8B8C8D8E8F" K
                         #"97A167DED889B6DFA92D985D77E5C088" OP
    # calculate OPc
    # assumes byteToString() undoes stringToByte(), so KI and data are the
    # 16 raw bytes of the hex strings above -- TODO confirm
    KI = binascii.unhexlify(byteToString(KI_bin))
    # CBC with an all-zero IV over one 16-byte block gives the same result
    # as a single raw AES block encryption, which is what OPc needs.
    aesCrypt = AES.new(KI, mode=AES.MODE_CBC, IV=IV)
    data = binascii.unhexlify(byteToString(OP_bin))
    # OPc = AES_K(OP) xor OP
    OPc =  xor_strings(data, aesCrypt.encrypt(data)) 
    OPc_bin = stringToByte(OPc)

    # NOTE(review): other callers hex-encode byteToString(x); here b2a_hex()
    # is given the stringToByte() result directly -- confirm it accepts it.
    print "OP: \t%s" % b2a_hex(OP_bin)
    print "KI: \t%s" % b2a_hex(KI_bin)
    print "OPc:\t%s" % b2a_hex(OPc_bin)

    imsi = u.get_imsi()
    print "USIM card with IMSI %s" % imsi
    # NOTE(review): the label says AUTS but the value printed is rand_bin --
    # confirm which one was intended.
    print "AUTS:\t%s" % b2a_hex(rand_bin)
Exemplo n.º 4
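 def test_authentication(self):
     """Run a 3G authentication on the USIM with a locally built vector.

     Builds RAND and AUTN from self.K with self.Milenage, sends them to the
     card and compares the returned RES, CK, IK with the locally computed
     XRES, CK, IK. When the card answers with a single element (treated as
     AUTS, i.e. a sequence-number mismatch), the card's SQN is unmasked
     from it and the test is retried. self._auth counts the calls; once it
     exceeds 2 the method gives up.

     Returns 0 when the card accepted the vector (also when the returned
     values differ from the local ones), 1 on failure or when the retry
     budget is used up.

     NOTE(review): on success the long-term secrets K and OPc are printed
     to stdout in clear; treat the output of this test as key material.
     """
     if self._auth > 2:
         return 1
     #
     # prepare dummy 128 bits auth challenge (fixed value, test use only)
     if not hasattr(self, 'RAND'):
         self.RAND = 16*b'\x44'
     if not hasattr(self, 'SQN'):
         # default SQN is 0, coded on 48 bits
         self.SQN = 0
     # management field, unneeded, left blank
     AMF = b'\0\0'
     #
     # compute Milenage functions
     XRES, CK, IK, AK = self.Milenage.f2345( self.K, self.RAND )
     MAC_A = self.Milenage.f1(self.K, self.RAND, sqn_to_str(self.SQN), AMF)
     # AUTN = (SQN xor AK) || AMF || MAC-A
     AUTN = xor_buf(sqn_to_str(self.SQN), AK) + AMF + MAC_A
     #
     # run auth data on the USIM
     self.U = USIM()
     ret = self.U.authenticate(stringToByte(self.RAND), stringToByte(AUTN), '3G')
     self.U.disconnect()
     self._auth += 1
     #
     # check results (and pray)
     if ret is None:
         print('[-] authenticate() failed, something wrong happened')
         del self.RAND
         return 1
     #
     elif len(ret) == 1:
         print('[-] sync failure during authenticate() with SQN %i, unmasking counter' % self.SQN)
         auts = byteToString(ret[0])
         # the first 6 bytes of AUTS xor f5* output are taken as the card's SQN
         ak = self.Milenage.f5star(self.K, self.RAND)
         self.SQN = str_to_sqn(xor_buf(auts, ak)[:6])
         print('[+] SQN counter value in USIM: %i' % self.SQN)
         # step by 32; presumably this skips the low 5 index bits of SQN so
         # the sequence part itself increases -- confirm against the card profile
         self.SQN += 1<<5
         print('[+] retrying authenticate() with SQN: %i' % self.SQN)
         del self.RAND
         return self.test_authentication()
     #
     elif len(ret) in (3, 4):
         # RES, CK, IK(, Kc)
         # list(...) keeps the comparison meaningful where map() returns an
         # iterator: a list never compares equal to a map object, so the
         # match branch would otherwise be unreachable there.
         if ret[0:3] == list(map(stringToByte, [XRES, CK, IK])):
             print('[+] 3G auth successful with SQN: %i\nincrement it from now' % self.SQN)
             print('[+] USIM secrets:\nOPc: %s\nK: %s' % (hexlify(self.OPc), hexlify(self.K)))
         else:
             print('[-] 3G auth accepted on the USIM, but not matching auth vector generated: strange!')
             print('card returned:\n%s' % ret)
         del self.RAND
         return 0
     #
     else:
         print('[-] undefined auth error')
         del self.RAND
         return 1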
Exemplo n.º 5
 def test_identification(self):
     """Read ICCID and IMSI from the card, store them on self and print them.

     The ICCID is read through a UICC session and the IMSI through a USIM
     session; each session is disconnected after use.

     Returns 0 when both values are non-empty, 1 otherwise.
     """
     card = UICC()
     self.ICCID = card.get_ICCID()
     card.disconnect()
     #
     card = USIM()
     self.IMSI = card.get_imsi()
     report = '[+] USIM identification:\nICCID: %s\nIMSI: %s' % (self.ICCID, self.IMSI)
     print(report)
     card.disconnect()
     #
     # success path first; an empty or missing identifier falls through
     if self.ICCID and self.IMSI:
         return 0
     print('[-] identification error')
     return 1
Exemplo n.º 6
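 def test_identification(self):
     """Read ICCID and IMSI from the card and print them.

     The ICCID is read through a UICC session and the IMSI through a USIM
     session; each session is disconnected after use.

     Returns 0 when both values are non-empty.
     Raises Exception('identification test error') when either is empty.
     """
     u = UICC()
     iccid = u.get_ICCID()
     u.disconnect()
     u = USIM()
     imsi = u.get_imsi()
     u.disconnect()
     #
     if not iccid or not imsi:
         # The failure is signalled by the exception alone; the `return 1`
         # that used to follow the raise could never execute.
         raise Exception('identification test error')
     print('[+] USIM identification:\nICCID: %s\nIMSI: %s' % (iccid, imsi))
     return 0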
Exemplo n.º 7
    def __init__(self, cardtype=GSM_USIM, atr=None):
        """Open the card and, for a USIM, record which applications it lists.

        cardtype -- GSM_USIM selects the USIM class, any other value SIM
        atr      -- passed unchanged to the chosen card class

        NOTE(review): has_isim / has_usim are only assigned when a matching
        AID is found, and never in the SIM branch. Unless the class defines
        defaults elsewhere, reading them on a card without that application
        raises AttributeError -- confirm.
        """
        if cardtype == GSM_USIM:
            self.card = USIM(atr)
            self.usim = True

            # First 7 bytes of the application identifiers looked for.
            isim_prefix = [0xA0, 0x00, 0x00, 0x00, 0x87, 0x10, 0x04]
            usim_prefix = [0xA0, 0x00, 0x00, 0x00, 0x87, 0x10, 0x02]

            # get_AID() fills self.card.AID with the card's application list.
            self.card.get_AID()
            for aid in self.card.AID:
                head = aid[0:7]
                if head == isim_prefix:
                    self.has_isim = True
                elif head == usim_prefix:
                    self.has_usim = True
        else:
            self.card = SIM(atr)
            self.usim = False
Exemplo n.º 8
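def handle_usim(options, rand_bin, autn_bin):
    """Run a 3G (UMTS) authentication on the inserted USIM and print the result.

    Calls exit(1) when the card cannot be opened or the authentication does
    not return a usable result.

    options  -- parsed options; only ``options.debug`` is read here
    rand_bin -- RAND challenge, passed unchanged to ``USIM.authenticate``
    autn_bin -- AUTN token, passed unchanged to ``USIM.authenticate``

    NOTE(review): RES, CK, IK and Kc are authentication results and session
    keys for this challenge; they are written to stdout in clear, so keep
    this output away from shared logs and terminals.
    """
    u = USIM()
    if not u:
        print "Error opening USIM"
        exit(1)

    if options.debug:
        u.dbg = 2

    # The IMSI value is not used here; the read is kept so the card is
    # driven exactly as before.
    u.get_imsi()
    ret = u.authenticate(rand_bin, autn_bin, ctx='3G')
    # authenticate() presumably returns None on a card/reader error (other
    # callers test for it); stop cleanly instead of raising on len(None).
    if not ret:
        print "Error during 3G authentication"
        exit(1)
    if len(ret) == 1:
        # A single element is reported as AUTS (the card rejected the SQN).
        print "AUTS:\t%s" % b2a_hex(byteToString(ret[0]))
    elif len(ret) >= 3:
        print "RES:\t%s" % b2a_hex(byteToString(ret[0]))
        print "CK:\t%s" % b2a_hex(byteToString(ret[1]))
        print "IK:\t%s" % b2a_hex(byteToString(ret[2]))
        if len(ret) == 4:
            print "Kc:\t%s" % b2a_hex(byteToString(ret[3]))
    else:
        # Two elements would make ret[2] raise IndexError half-way through.
        print "Error during 3G authentication"
        exit(1)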
Exemplo n.º 9
 def test_authentication(self):
     """Run a 3G authentication on the USIM with a locally built vector.

     Builds RAND and AUTN from self.K with self.Milenage, sends them to the
     card and compares the returned RES, CK, IK with the locally computed
     XRES, CK, IK. A single-element answer is treated as a sync failure:
     the card's counter is unmasked from it and the method calls itself
     again with the next SQN.

     Returns 1 when self.auth_test is already >= 2, otherwise 0 on every
     path, including the failure ones.

     NOTE(review): self.auth_test is not changed in this method, so the
     retry limit only works if it is updated elsewhere -- confirm.
     NOTE(review): on success the long-term secrets K and OPc are printed
     to stdout in clear; treat the output of this test as key material.
     """
     if self.auth_test >= 2:
         return 1
     u = USIM()
     # prepare auth challenge
     # urand() is defined elsewhere; presumably 16 random bytes -- confirm
     self.RAND = urand(16)  # challenge is 128 bits
     if not hasattr(self, 'SQN'):
         self.SQN = 0  # default SQN is 0, coded on 48 bits
     AMF = 2 * '\0'  # management field, unneeded, left blank
     # compute Milenage functions
     XRES, CK, IK, AK = self.Milenage.f2345(self.K, self.RAND)
     MAC_A = self.Milenage.f1(self.K, self.RAND, sqn_to_str(self.SQN), AMF)
     # AUTN = (SQN xor AK) || AMF || MAC-A
     AUTN = xor_string(sqn_to_str(self.SQN), AK) + AMF + MAC_A
     # run auth data on the USIM
     ret = u.authenticate(stringToByte(self.RAND), stringToByte(AUTN), '3G')
     # check results (and pray)
     if ret == None:
         print('[-] authenticate() failed; something wrong happened, '\
               'maybe during card programmation ?')
     elif len(ret) == 1:
         print('[-] sync failure during authenticate(); unmasking counter')
         auts = byteToString(ret[0])
         # the first 6 bytes of AUTS xor f5* output are taken as the card's SQN
         ak = self.Milenage.f5star(self.K, self.RAND)
         self.SQN = str_to_sqn(xor_string(auts, ak)[:6])
         print('[+] auth counter value in USIM: %i' % self.SQN)
         self.SQN += 1
         print('[+] retrying authenticate() with SQN: %i' % self.SQN)
         u.disconnect()
         # NOTE(review): the result of the retry is discarded; execution then
         # continues to the final u.disconnect() (a second disconnect on this
         # session) and returns 0 whatever the retry reported.
         self.test_authentication()
     elif len(ret) in (3, 4):
         # RES, CK, IK(, Kc)
         # NOTE(review): this comparison needs map() to return a list; where
         # map() returns an iterator the two sides are never equal.
         if ret[0:3] == map(stringToByte, [XRES, CK, IK]):
             print('[+] 3G auth successful with SQN: %i\n' \
                   'increment it from now' % self.SQN)
             print('[+] USIM secrets:\nOPc: %s\nK: %s' \
                   % (hexlify(self.OPc), hexlify(self.K)))
         else:
             print('[-] 3G auth accepted on the USIM, ' \
                   'but not matching auth vector generated: strange!')
             print('card returned:\n%s' % ret)
     # any other length of ret falls through silently to here
     u.disconnect()
     return 0
Exemplo n.º 10
        print "RES:\t%s" % b2a_hex(byteToString(ret[0]))
        print "CK:\t%s" % b2a_hex(byteToString(ret[1]))
        print "IK:\t%s" % b2a_hex(byteToString(ret[2]))
        if len(ret) == 4:
            print "Kc:\t%s" % b2a_hex(byteToString(ret[3]))

    #ret = u.authenticate(rand_bin, autn_bin, ctx='2G')
    #if not len(ret) == 2:
    #	print "Error during 2G authentication"
    #	exit(1)
    #print "SRES:\t%s" % b2a_hex(byteToString(ret[0]))
    #print "Kc:\t%s" % b2a_hex(byteToString(ret[1]))


if __name__ == "__main__":
    u = USIM()
    u.debug = 2
    imsi = u.get_imsi()

    s = socket.socket()
    host = socket.gethostname()
    #host = '192.168.2.254'
    port = 12345
    s.connect((host, port))
    authenticated = False
    status = 0

    while True:
        print "\n"
        if authenticated == False:
            if status == 2: