Mifare Cracker

by

  1. The MIFARE Classic family is the most widely used contactless smart card ICs operating in the 13.56 MHz frequency range with read/write capability.
  2. Cloning a MIFARE Classic 1k Mathieu Bridon You will need writable NFC tags, compatible with MIFARE Classic 1k. Make sure their sector 0 is writable. I used those (just the tags). Try dumping the tag. Place the original on the reader, then try dumping it: $.

However, bad news for hackers, crackers or transit users who want to save few bucks, the Dutch researchers also publish manuscript “Making the Best of Mifare Classic” which contains countermeasures which can help to prevent state restoration attacks and to detect attempted cloning of cards. Mifare Classic Offline Cracker: key recovery tool for MC cards: mfoc-0.10.7+git38-17.15.x8664.rpm: Mifare Classic Offline Cracker: key recovery tool for MC cards: openSUSE Oss aarch64 Official: mfoc-0.10.7+git38-1.5.aarch64.rpm: Mifare Classic Offline Cracker: key recovery tool for MC cards: openSUSE Oss armv7hl Official: mfoc-0.10.7+git38-1.5. Code-cracker - An analyzer library for C# and VB that uses Roslyn to produce refactorings, code analysis, and other niceties #opensource. A PkZip encryption cracker. Pybozocrack:: A silly & effective MD5 cracker in Python. Pyrit: 0.5.0: The famous WPA precomputed cracker: rainbowcrack: 1.8: Password cracker based on the faster time-memory trade-off. With MySQL and Cisco PIX Algorithm patches. Rarcrack: 0.2: This program uses bruteforce algorithm to find correct. I want to install MFOC (MiFare classic Offline Cracker). I have found this site that references me to the git hub project and cloned it. But I have no idea how to install/run this. Could you help me?

When I first started using the Proxmark, it all sounded like it was going to be easy, you wave a card at the device, the Proxmark works it’s magic and then you can emulate or clone the card.

Wrong, wrong, wrong. For most cards I’ve encountered anyway.

It’s really not that straight forward, there are different cards with different functionality, some have defaults that make it simple to clone them (if the defaults haven’t been changed), some have good security and there are currently no methods to clone them – unless you’ve already got access keys. Maybe some of the security isn’t that strong but the card type isn’t popular enough to have had people scrutinise it.

I have so far had experience with a few different card types, the only relatively easily cloneable one being the Mifare Classic 1K. Understanding how to clone this card felt like a bit of a trek, but once I got there it didn’t seem like such a big deal. Hopefully this step by step guide means others won’t need to do the trek.

A quick note on cloning a card

Cards typically have their own unique ID (UID). They get written when the card is created and that area of memory is then made read only, so it can’t be changed. If you want a clone of the card then you want both the UID and the data on the card to be copied across to the new card, but this isn’t normally possible due to the UID being read only.

Enter the “UID changeable”, aka “Chinese backdoor” (seriously) cards, which allow you to change their UID. It’s useful to have one of these before progressing.

A good start is to update the device………

Install from the command line (I’m using a Mac here):

Connecting to the proxmark:

Change to your proxmark client directory:

List modems, e.g. /dev/cu.usbmodem14101 :

Connect to the modem show from the last command:

The cloning process

You should now have a proxmark command prompt, so with a card on the proxmark, assuming it’s a high frequency card, you can:

Which result in a response along the lines of:

In this case it’s a Mifare 1k card. This also shows us the UID (ba2ea6ab) of the card , which we’ll need later. From there we can find keys in use by checking against a list of default keys (hopefully one of these has been used):

This should show us the key we require looking something like:

This shows a key of ffffffffffff, which we can plug into the next command, which dumps keys to file:

This dumps keys from the card into the file dumpkeys.bin.

Mifare Offline Cracker

Now to dump the contents of the card:

This dumps data from the card into dumpdata.bin

At this point we’ve got everything we need from the card, we can take it off the reader.

To copy that data onto a new card, place the (Chinese backdoor) card on the proxmark:

This restores the dumped data onto the new card. Now we just need to give the card the UID we got from the original hf search command:

We’re done, the new card should work.

This whole process can be completed in a minute or two, so it’s not a quick read of the card by any means.

Why do we need keys

When most modern cards are placed next to a card reader there’s a handshake to ensure the card has the expected keys. This handshake moves the card through a number of states and only when the handshake successfully completes will the card allow access to all data stored on it. This is the reason that you can’t simply clone most cards, you need the correct key to complete the handshake and allow access to the contents of the card.

A defensive lesson

Some cards use default keys, while this makes it easy to clone a card, it also makes it pretty poor from a defensive point of view. It’s like using default admin credentials for a database, it makes an attackers life easy.

The lights on the Proxmark

I have to admit pretty much ignoring them. When I use it, it’s always connected to the laptop, so I’ve got the console output to see what it’s doing. There was a point where I tried to understand them, I found a guide, they were starting to make sense. Then I updated the device and that changed what the lights did completely. I’ve ignored them ever since.

Fix a broken card

We had a situation where we wanted to clone a Mifare Desfire card but didn’t have an identical card to copy it to – we only had a Mifare Classic 1K. We also couldn’t read the complete card as we didn’t have the key to authenticate, so all we could usefully get was the UID. Some research suggested a small chance that just using the UID might be enough to get past a secure door if there was a (very) sloppy implementation. We copied that UID (10 bytes) to a Mifare Classic 1K card (which uses a 7 byte UID). The difference in UID size was another indication that this was very unlikely to work. it didn’t work. Doing this left our Mifare Classic card in a state where the Proxmark wouldn’t even read it, so to fix that we did:

Automation

In your proxmark/client/scripts directory, you’ll notice lots of Lua scripts. Some of these may be useful to you, so it’s worth a quick look to see what they do. They’ll also be useful if you plan to automate some of your use of the Proxmark. Looking at the scripts should help understand what you can do.

Andprox

There is a potentially useful app called Andprox which allows you to run a Proxmark on your mobile fun. All of the commands you can run on the Proxmark from a laptop can also be done from Andprox, with the exception of Lua scripts.

Mifare-cracker.exe

The only issue I had with Andprox was that the connection from my mobile to the Proxmark kept dropping. My assumption was that it may not have been getting enough power from my mobile (Nexus 5X – yes, I really need a new mobile)

Tips

RFID is close range, recommendation is that you hold card 1cm above the Proxmark. Typically I just put the card on the Proxmark, sometimes just the position on the device is important, turn it over, move it round a bit. If that fails a lot then I’ll try holding it a little higher.

Useful links:

Cheatsheet:https://scund00r.com/all/rfid/2018/06/05/proxmark-cheatsheet.html

Commands (and the github repo): https://github.com/Proxmark/proxmark3/wiki/commands

Mifare Classic help:https://store.ryscc.com/blogs/news/35894145-emulating-a-mifare-classic-1k-tag-with-the-proxmark3

Mifare Classic Universal Toolkit (MFCUK):https://github.com/nfc-tools/mfcuk

Mifare Classic Offline Cracker (MFOC):https://github.com/nfc-tools/mfoc

NFC Writer:https://play.google.com/store/apps/details?id=com.tagstand.writer&hl=en_GB

None of this makes me an expert, so far I’ve got a basic understanding, at least enough to get something working!

You can pick up a proxmark from here: Elechouse Proxmark3 Kit RDV2 Got a comment or correction (I’m not perfect) for this post? Please leave a comment below.

Easy tutorial about hacking our first MIFAR/RFID Tag. RFID is a technology widely used in our lives, from our building access badges, to payment facilities, or even our gates’ remotes. As we’ve seen in the previous post here, some of them are utilizing little to no security mechanisms, like MIFARE. Today we will start working on a really basic series of hacks.

What you will need

Hardware

What’s covered can be done with a simple RFID card reader found on Amazon for ~30€ (~35$). Mine was the ACS ACR122Usimply because it was the most mentioned one on a few forums and blog posts I had read at the time. Consequently, it would make things easier for support if any issues arise.

With the previous post, we saw that tags a have a specific block of memory reserved to the manufacturer, including an UID (Unique IDentifier). If you want to try and clone a tag, you will need to be able to spoof this UID, so I also ordered a few tags ( blank cards and key-fobs ) with an UID rewritable.

Mifare Cracker Exe Download

Software

Any *NIX distribution will do the trick (Windows too eventually), but after a bit of trial and error, I figured out working on RFID and NFC works better with security oriented distributions like Kali or ParrotSec. They already include all the tools and libraries needed to do the job.

I also found out working in Virtual Machines (VMs) can sometimes be a pain. The host always keep a bit of control over the USB ports (via probes). This is annoying bc our card reader needs full access to those ports at any time. Without full access time-outs during read/write operations will occur and can permanently damage a tag.
NB: For those of you getting an error when trying to run any NFC related operations on an ACR122. The following command removes the USB module off your OS and “reset” the USB port so your reader can freely access it.
sudo rmmod pn533_usb

The best combination/setup (aka the one I struggled the less with) was the following:

  • ParrotSec 4.19 (as a guest OS)
  • Super user rights (most NFC commands will require it, just saving you some time here)
  • The latest libusb (just a C library to handle generic USB peripherals, should be present on any decent distribution anyway)
  • The latest libcrypto (belongs to the OpenSSL package, but can be used for various cryptographic operations, like cracking keys *wink wink*)

Basic exploitation

NFC-LIST

Let’s start with nfc-list which will try to connect to the reader and read any tags in range:

When done, the device is detected and active, interface is opened, and there is an ISO/IEC 14443A compliant tag in range. This tag is a barbaric term for a MIFARE card. Our first relevant information, this MIFARE tag’s UID is 7BE88C21.

Mifare Offline Cracker Gui (mfocgui) V2.9

MFOC – MiFare classic Offline Cracker

The easiest and most basic tool to use against MIFARE tags, is MFOC. It tries different keys against a MIFARE tags. Once MFOC finds a correct key the tool can “guess” the other keys and dump the memory of the tag. (Figure 2.2)

In Figure 2.2, I have launched a MFOC attack, asking the tool to dump the memory of the tag into a file using the -O <file> option.
Just like nfc-list, MFOC will detect the tag on the reader as a MIFARE Classic 1K, gives us the UID, and then starts trying the keys from his own dictionary against every sector of the tag.
The output of MFOC is quite simple:
– the key FFFFFFFFFFFF is not used by any sector
– the key A0A1A2A3A4A5 is used as a key A onto all sectors from 0 to 15
– the key B0B1B2B3B4B5 is used as a key B onto sectors 0 to 11
As MFOC runs, we obtain keys A & B for 12 sectors; now the A keys for the last 4 sectors, and the missing 4 keys are able to fully read.

Mifare Cracker

Enter MFOC’s phase 2:

In figure 2.3, MFOC is using the sector 00 as an exploit sector simply because both A & B keys are known for this tag (hence any sector from 0 to 11 could be used as an exploit sector). MFOC is then sending probes onto the “uncracked” sectors and will compare the answer’s delay with a positive one onto sector 00, similar to how a time-based blind SQL injection works.
With the last 4 uncracked sectors have unveiled their B keys, MFOC is able to authenticate. Now we have both A & B keys. Now we will dump the memory of the entire tag in the file location specified, as seen in Figure 2.4.

Reading the Tag dump:

A simple hexadecimal tool like hexeditor can be used read and edit the dump file, as seen in Figure 2.5:

In Figure 2.5 above, the red area is actually a whole sector as we detailed in the first article, and on line 2B0 you can see the A key, A0A1A2A3A4A5, and B key, B0B1B2B3B4B5, which is separated by the 8 access bits 78 77 88 69 of the concerned sector.

NFC-MFCLASSIC

The tag I worked on is the building access tag for my apartment. Lucky for me all sectors were using a default key and the dump only took me ~20-25 seconds. From here I copied my building badge. I did this to see if my building’s scanner could tell the difference between the original tag and a clone (UID included).

This brings us to a new tool nfc-mfclassic. This tool will allow us to write dump files on the new tag and is quite simple to use. A quick look at the man page is all that is needed. This tells us all we need to know. We can write dumps on a new tag with a w options, but a W (notice the uppercase) will not only write the whole dump’s data but will also rewrite the UID.
Let’s try to write the dump we just created with mfoc onto the new tag ordered on Amazon, using the A keys stored in the dump file itself (Figure 2.6):

As we wrote to the tag, it tells us the previous UID of the tag was 949E0139, and that 64 blocks of data have been written on it. Using nfc-list again to read a tag will show us the UID of the new tag has been changed and is now identical to my original building’s tag (Figure 2.7).

Conclusion

In conclusion, we’ve identified how to use a few basic NFC and MIFARE commands to read and detect a tag. With the few more MFOC commands we were able to crack a generic NFC key. Eventually, we dump the content of the tag’s memory if it was using default keys. This makes up more than 75% of the tags I have tried so far. With this information,the knowledge of cloning different MIFARE classic tags. A few things you might be asking yourself…

  • What to do if no default keys are used?
  • What if you want to edit the content of the data and give you access somewhere you shouldn’t be ?

That, my friends, will be for the next article of this RFID series. Stay tuned. 😉