troll

Troll

Troll is a brute-forcing tool for finding and extracting as much data from smartcards as possible. It achieves this by trying out all possible file paths, and extracting the information from files it finds.

Setup

As troll is a rust program, the intended method for installing is to run cargo install, using rust’s build system, cargo. Note that troll links again pcsc-lite, and this must be installed as a system library.

Usage

Scanning

Troll operates in two stages: scanning and extraction. To scan a smart card, insert it into a PCSC-compatible reader, and run troll scan <outfile>. Then take the afternoon off and go for a stroll or something, because this will take a while. For a list of options, run troll help scan. In particular, the --pin option for logging in (this is more important during the extraction phase however), and --af for supplying the AF names on the card. Troll can also attempt to extract available AFs from EF.DIR, however many proprietary cards do not supply this. If not --af flag is supplied, troll will scan the default af only.

It may happen that troll encounters some recursive directory structures. Use the --filter flag to apply basic filtering rules to attempt to catch these. Be warned, however, that this may filter out legitimate files.

Extraction

The extraction phase is run with the command troll extract <infile> <outdir>. This phase is typically very fast, and will create a directory structure under <outdir> mirroring that on the smart card. Each file in this structure will have a short header, detailing the type of EF this file was, and the hex-encoded content of the file, as far as it could be extracted. If an error occurred during extraction (e.g. security status not satisfied), this will be noted. For a list of options, run troll help extract. Of particular importance is the --pin option, which allows elevation of the cards security status.

Run

A convenience method used to both scan and extract in one.