• RFID Cooking with Mifare Classic


    转自: http://www.backtrack-linux.org/wiki/index.php/RFID_Cooking_with_Mifare_Classic

    Contents

     [hide]

    RFID Cooking with Mifare Classic

    RFID Mayfare penetration testing

    DISCLAIMER: The information and reference implementation is provided:

    • For informational use only as part of academic or research study, especially in the field of informational security, cryptography and secure systems
    • As-is without any warranty, support or liability - any damages or consequences obtained as a result of consulting this information if purely on the side of the reader
    • NOT to be used in illegal circumstances (for example to abuse, hack or trick a system which the reader does not have specific authorizations to such as ticketing systems, public transport, University/ISIC cards, building access systems or whatsoever systems using Mifare Classic as core technology)

    NOTES:

    • This article contain no original research. All the research and implementation was made by other people and communities and is publicly available. We made this two cents just for fun and because we love BackTrack.
    • This is not A-Z guide so try harder!

    0x00 - Preface

    Some of you may have read that the proprietary symmetric key cryptographic algorithm of the MIFARE Classic card has been broken. The MIFARE Classic card is used in physical access control systems (PACS) and contact less payment systems (including tollway and public transportation systems). By some estimates, there are 500 million MIFARE cards deployed worldwide, and the majority of them are MIFARE Classic cards.

    Backtrack-5-touchatag-mini.jpg

    Mifare Classic is a inexpensive, entry-level chip, based on ISO/IEC 14443 Type A, 1kB or 4kB. Uses 13.56 Mhz contactless smartcard standard, proprietary CRYPTO1 with 48 bits keys. There is no protection against cloning or modifications. Anyone with 50 € reader can use this weakness against your infrastructure. At least one sector is always encrypted with default key. After cracking all keys, hackers are able to change name, students university number, expiration date... This cookbook is proof of concept how easy that can be done. Chosen ingredients: Backtrack | Touchatag starter package Tested on: BackTrack 4 R2, BackTrack 5 Final, (32bit)

    Dependencies

     root@bt:~# apt-get install flex libpcsclite-dev libusb-dev checkinstall
    

    0x01 - Hardware

    Touchatag - ACR122U

    Touchatag is ACS ACR122(U) NFC Reader USB RFID reader. The USB reader works at 13.56MHz (High Frequency RFID) and has a readout distance of about 4 cm (1 inch) when used with the Touchatag RFID tags. This product is made by Advanced Card Systems Limited and seems to be available in different layouts but hardware doesn't differ so much. They are all using a PN532 NFC Controller chip and a ST7 microcontroler unit.

    0x02 - Software

    ACR122U driver

    root@bt:~# wget http://www.acs.com.hk/drivers/eng/ACR122U_driver_Lnx_Mac10.5_10.6_1.02_P.zip 
    root@bt:~# unzip -d acr122u ACR122U_driver_Lnx_Mac10.5_10.6_1.02_P.zip 
    root@bt:~# cd acr122u 
    root@bt:~# tar -jxvf acsccid-1.0.2.tar.bz2
    root@bt:~# cd acsccid-1.0.2 
    root@bt:~# ./configure
    root@bt:~# make 
    root@bt:~# checkinstall -D -y --install
    

    Open Source Near Field Communication (NFC) Library /LIBNFC/

    Libnfc is the first free NFC SDK and Programmers API released under the GNU Lesser General Public License.

    root@bt:~# apt-get install -y debhelper libtool && wget http://libnfc.googlecode.com/files/libnfc-1.4.2.tar.gz 
    root@bt:~# tar xfvz libnfc-1.4.2.tar.gz &&cd libnfc-1.4.2 
    root@bt:~# svn checkout http://libnfc.googlecode.com/svn/tags/libnfc-1.4.2/debian 
    root@bt:~# dpkg-buildpackage -rfakeroot
    root@bt:~# dpkg -i ../libnfc*.deb
    

    Check your reader / target with nfc-list.

    root@bt:~# nfc-list 
    nfc-list use libnfc 1.4.2 (r891) 
    Connected to NFC device: ACS ACR122U 00 00 / ACR122U103 - PN532 v1.6 (0x07) 
    1 ISO14443A passive target(s) was found:
     ATQA(SENS_RES):00 02 
      UID (NFCID1): xx xx xx xx
      SAK (SEL_RES): 18
    

    If your reader is rejected because of the firmware (log message: „Firmware (x.y) is bogus!“) just disable version checking. All you need to do is change ifdDriverOptions (line 55 in Info.plist) to skip version checking like this:

    root@bt:~# nano /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist
    ifdDriverOptions
    0×0005

    Afterwards, restart the pcscd daemon and your Touchatag reader should be recognized and ready.

    MFOC -Mifare Classic Offline Cracker

    Mifare Classic Offline Cracker is a tool that can recover keys from Mifare Classic cards. Thanks to Norbert Szetei and Pavol Luptak for their attack's implementation. MFOC is utility to compute (crack) all keys (A and B) to all sectors, providing at least one of the keys is already known. Keys file is the file, where mfoc will store cracked keys. Format of that file is compatible with nfc-mfclassic, so you can then use it to dump the card into file, or write a dump onto the card.

    root@bt:~# wget http://nfc-tools.googlecode.com/files/mfoc-0.10.2.tar.gz && tar -xvzf mfoc-0.10.2.tar.gz 
    root@bt:~# cd mfoc-0.10.2 
    root@bt:~# autoreconf -vis 
    root@bt:~# ./configure 
    root@bt:~# make
    root@bt:~# checkinstall -D -y --install
    

    0x03 - Dumping & Cooking

    psscd coordinates the loading of drivers for card readers. It allows applications to access smart cards and readers without knowing details of the card or reader. It is a resource manager that coordinates communications with smart card readers and smart cards and cryptographic tokens that are connected to the system. I prefer start pcscd in foreground (no daemon) with pcscd -f. Then it's time to start mfoc. Use high number of probes, because default number of probes for a key recovery for one sector is 20. Whole cracking could take from 30 minutes to 30 hours.

    Mfoc-mifare-dump.png
    Mfoc-mifare-dump3.png
    Mfoc-mifare-dump1.png
    Mfoc-mifare-dump4.png
    Mfoc-mifare-dump5.png


    You can also use the -k key parameter, to add a key to the list of known keys, which is being tried against your card in the initial phase. The -k option somehow didn't work for me, so I always compile my known keys directly into mfoc.c Search for “Array with default Mifare Classic keys” Not sure about other countries, but in country where I live keys are the same. Once you have keys from all sectors, you should be able to use RFID-Fu against other cards, which is epic fail.

    root@bt:~# nfc-mfclassic --help 
    Usage: nfc-mfclassic r|w a|b <dump.mfd> [<keys.mfd>]
    r|w	- Perform read from (r) or write to (w) card 
    a|b	- Use A or B keys for action 
    <dump.mfd>	- MiFare Dump (MFD) used to write (card to MFD) or (MFD to card)
    <keys.mfd>	- MiFare Dump (MFD) that contain the keys (optional)
    Or: nfc-mfclassic x <dump.mfd> <payload.bin> 
     x	- Extract payload (data blocks) from MFD 
     <dump.mfd>	- MiFare Dump (MFD) that contains wanted payload 
     <payload.bin> - Binary file where payload will be extracted
    
    Mifare-write.png

    Keep in mind that card UID will be not affected (not changed) with this process. Buy some blank card or Proxmark III if that is what you want. If you are now thinking about dumping your electronic wallet right after recharge and when credit comes to zero, writing content back, then please don't do it. What can stop you from doing that? Well, probably only your conscience, but if the card gets blocked in 24 hours after first use then don't complain. Yes, there are online checking and billing systems out there for basic cards.

    0x04 – ISIC Issue

    With ISIC- International Student Identity Card attacker can abuse around ten service not only one. ISIC cards are widely used for entrance, transportation, dining payments and various others services or discounts. According to homepage there are 4.5 million cardholders in 120 countries. Cards should be replaced with more secure types ASAP. It is possible to do much more than that, but sufficient for demonstration let's play a little...

    Hexedit-mifare.png

    At some universities, there is only one entry security check – ISIC. As you can see this is trivial to bypass. We did many tests with public transportation systems and with university systems. Results are all the same – those systems are easily hackable.

    Rfid-kiosk.jpg

    0x06 – Conclusion

    Finally, when will people learn their lesson? Cryptographic algorithms should be public so that they can be scrutinized and tested. Secret algorithms aren’t more valuable because they are secret. Anyone needing a highly secure smart card should make sure there's layered security and not just depend on the chip's encryption.

    0x07 – What's next?

    • Since i have access to Proxmark III which is universal RFID hacking tool which can be used for 100% accurate cloning (even UID), i may once write second edition about c00king with Mifare Classic and HID Prox...
    • Arming BackTrack with GSM attack suite?

    0x08 – Thanks

    This cookbook was made with great help from h4f guys, many thanks to Vulcano and Back.

    0x09 – References & Links

    For further reading about this topic please see following:

    0x0A - About

    MI1 is a "full time security enthusiast" with university degree in the field of informatics. Recently focusing his passion to USRP and RFID stuff.

  • 相关阅读:
    HihoCoder1371
    Intern Day23
    腾讯移动客户端开发暑期实习一面笔试
    C++
    朱丹为什么是文艺青年
    金数据一个不错的调查平台
    单反手动对焦M档,AV,TV,P,A,A-DEP
    chrome不支持字体12px
    火狐解决字体模糊
    《程序员的自我修养》阅读笔记(四):
  • 原文地址:https://www.cnblogs.com/bigben0123/p/3101101.html
Copyright © 2020-2023  润新知