Proxmark3 Mifare Classic 1k (Crack/Dump/Duplicate)
Quick summary of the operations to crack/dump/duplicate a Mifare Classic 1k with the Proxmark3.
The darkside attack (for Mifare Classic cards with a weak PRNG) can be run with low-cost hardware such as the ACR122U, using mfcuk/mfoc on top of libnfc.
Nowadays this attack no longer covers many Mifare Classic cards. The Proxmark3, priced under $100, is the best choice.
For the Proxmark3, the weak-PRNG method is easy to find documented, but the sniff/hardnested method for cards with a hard PRNG is trickier.
The whole process is documented below.
Hardware
Proxmark3 original or clone.
Chinese/Magic cards with a writeable block 0 / UID.
… search on well-known Chinese e-commerce/marketplace websites.
Software
https://github.com/iceman1001/proxmark3/releases
Infos
1) First of all – try generic keys…
like this somekeys.txt, taken from Mifare Classic Tool (Android).
If you are lucky you get a key; it now needs to be checked against key B.
If you don’t have B, jump to the “Crack other keys” part of the relevant section 2.
If you have B, you have all the A/B keys and you can jump to section 3.
2*) Method for weak PRNG
Crack other keys
2*) Method for hard PRNG
Sniff
The fun part: you have to fix the card to the Proxmark3 (duct tape), connect it to a laptop and set the Proxmark3 in sniff mode.
If you have a USB Y-cable, you can also power the Proxmark3 from a USB power pack and connect it back to your desktop afterwards to retrieve the traces.
The best way to sniff the whole transaction is to put the Proxmark3 between the card and the reader.
Push it against the reader, well aligned, and repeat this 3-4 times to get at least one good sniffed transaction.
Mifare Classic protocol
Trace example
Check key against A/B
You can possibly skip the next step if the key is the same for A and B.
Crack other keys
Replace 60 with the numeric value of the hexadecimal shown between double parentheses in the example; ours is ‘3C’.
Keys to dumpkeys.bin (perl):
#!/usr/bin/perl
use strict;
use warnings;
# Keys are read from STDIN, one 12-hex-digit key per line, in the order
# sector 0 key A, sector 0 key B, sector 1 key A, ... (the original key list
# was cut off on this page, so reading them from STDIN is an assumption here)
my @a;
while (my $line = <STDIN>) {
    chomp $line;
    push @a, $line if $line =~ /^[0-9A-Fa-f]{12}$/;
}
open my $fh, '>', 'dumpkeys.bin' or die "cannot write dumpkeys.bin: $!";
binmode $fh;
# dumpkeys.bin layout: all key A values first (even indexes), then all key B values (odd indexes)
foreach my $odd (0, 1) {
    for (my $i = $odd; $i <= $#a; $i += 2) {
        my $s = $a[$i];
        while (length($s)) {
            print {$fh} pack('C', oct('0x' . substr($s, 0, 2)));
            $s = substr($s, 2);
        }
    }
}
close $fh;
Run it and you get a proper dumpkeys.bin, which ‘hf mf dump’ relies on.
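As an added example (not code from the original post), here is a Python version of the same dumpkeys.bin layout the Perl script produces (all key A values, then all key B values, 6 bytes each), read back and audited for sectors still protected by well-known default keys; the key values in it are constructed for illustration.

```python
from typing import List, Tuple

SECTORS = 16   # Mifare Classic 1k: 16 sectors of 4 blocks
KEY_LEN = 6    # each key A / key B is 6 bytes
# Widely published default keys of the kind found in generic key lists
# such as somekeys.txt; FFFFFFFFFFFF is the transport key of a blank card.
DEFAULT_KEYS = {
    bytes.fromhex("FFFFFFFFFFFF"),
    bytes.fromhex("A0A1A2A3A4A5"),
    bytes.fromhex("D3F7D3F7D3F7"),
    bytes.fromhex("000000000000"),
}

def build_dumpkeys(pairs: List[Tuple[str, str]]) -> bytes:
    """pairs[i] = (keyA, keyB) hex strings for sector i -> dumpkeys.bin bytes."""
    if len(pairs) != SECTORS:
        raise ValueError("expected one (keyA, keyB) pair per sector")
    keys_a = b"".join(bytes.fromhex(a) for a, _ in pairs)
    keys_b = b"".join(bytes.fromhex(b) for _, b in pairs)
    return keys_a + keys_b   # all A keys, then all B keys

def parse_dumpkeys(blob: bytes) -> List[Tuple[bytes, bytes]]:
    """Inverse of build_dumpkeys: [(keyA, keyB), ...] indexed by sector."""
    if len(blob) != 2 * SECTORS * KEY_LEN:
        raise ValueError("dumpkeys.bin for a 1k card must be 192 bytes")
    half = SECTORS * KEY_LEN
    a_part, b_part = blob[:half], blob[half:]
    return [(a_part[i * KEY_LEN:(i + 1) * KEY_LEN],
             b_part[i * KEY_LEN:(i + 1) * KEY_LEN]) for i in range(SECTORS)]

def audit_default_keys(blob: bytes) -> List[Tuple[int, str]]:
    """Return (sector, 'A'|'B') for every key slot still set to a default key."""
    findings = []
    for sector, (key_a, key_b) in enumerate(parse_dumpkeys(blob)):
        if key_a in DEFAULT_KEYS:
            findings.append((sector, "A"))
        if key_b in DEFAULT_KEYS:
            findings.append((sector, "B"))
    return findings

# Constructed sample: sector 0 still on transport keys, sector 3 with a default key B.
SAMPLE_PAIRS = [("112233445566", "665544332211")] * SECTORS
SAMPLE_PAIRS[0] = ("FFFFFFFFFFFF", "FFFFFFFFFFFF")
SAMPLE_PAIRS[3] = ("0A1B2C3D4E5F", "A0A1A2A3A4A5")
SAMPLE_BLOB = build_dumpkeys(SAMPLE_PAIRS)

if __name__ == "__main__":
    for sector, slot in audit_default_keys(SAMPLE_BLOB):
        print(f"sector {sector:2d} key {slot}: well-known default key")
```

Run over a real dumpkeys.bin of a deployment you own, the audit lists the sectors whose keys were never changed from the factory values and therefore need no cracking at all.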
3) From keys to write
Verify:
Dump the card to dumpdata.bin
Prepare .eml
Load in blank Magic/Chinese card
Now that we own the keys of a Mifare Classic card, we can move on to cloning it. Just as a quick reminder, the steps to crack the keys were:

proxmark3 hf mf mifare
proxmark3 hf mf nested 1 0 A XXXXXXXXXXXX d

If you take a look inside the current folder where the client is running, you will find a binary file called “dumpkeys.bin”. Basically, it is like a dump of the card’s contents but only the trailer blocks, where the keys are stored.

A really simple attack on an electronic wallet built on this type of card is to dump the contents, aka “the money”, spend the credit and then restore the contents, refilling the card with the “money” stored in the binary file. In some poor implementations this works! In other implementations you can even take “the money” from one card and “paste it” into another one. Remember that the only block of a Mifare Classic card that you cannot modify is block 0 of sector 0, where the UID is burnt in at the factory. So, if “the money” is related to it, the attack won’t work.

A couple of years ago the “Magic Chinese Card” appeared. This card, also known as a “UID Changeable Card”, is a special card on which you can manipulate the UID and the full sector 0.
Some of these cards have a special feature, which we call “a backdoor”: you can modify the card’s contents (yes, block 0 too!) without even knowing the keys! So if you forgot the keys, you can send some special frames to the card to overwrite it whenever you need. So basically, FULL clones are possible!

Using the Proxmark after cracking the keys, you can execute:

proxmark3 hf mf dump

and you will get a file, right next to the other one, named dumpdata.bin. The other commands you will finally use are:

restore – Restore MIFARE classic binary file to BLANK tag
csetuid – Set UID for magic Chinese card

The first one restores the data into the same card, and the other, in case you own a UID-changeable card, sets the UID to match the original one. In case the other card has the same keys as the original card, a partial clone is obtained. Take a look at the other commands: just type “hf mf” and look for the commands for the Magic Card. You will understand them after reading this post. Tip: the only difference is that you will need the info inside the simulator memory, not in a file, but this is really easy to achieve: just take a look at the options of the “nested” attack.

Well, we covered a lot of stuff around the Mifare Classic world using the Proxmark.
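The paragraphs above note that the dump/spend/restore trick fails when “the money” is tied to the UID burnt into block 0, but works again on a UID-changeable card. This added Python example (not from the original post; the block layout and the backend secret are constructed assumptions) shows both cases, plus the one UID binding does not cover: restoring an old dump onto the very same card.

```python
import hmac
import hashlib
from typing import Optional

# Held by the terminal/backend only, never on the card; constructed value for this demo.
BACKEND_SECRET = b"constructed-demo-secret"

def make_value_block(uid: bytes, credit: int) -> bytes:
    """16-byte data block: 4-byte credit + 12-byte truncated HMAC over (UID || credit)."""
    payload = credit.to_bytes(4, "big")
    tag = hmac.new(BACKEND_SECRET, uid + payload, hashlib.sha256).digest()[:12]
    return payload + tag

def read_credit(uid: bytes, block: bytes) -> Optional[int]:
    """Return the credit if the tag matches this card's UID, otherwise None."""
    payload, tag = block[:4], block[4:16]
    expected = hmac.new(BACKEND_SECRET, uid + payload, hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(tag, expected):
        return None
    return int.from_bytes(payload, "big")

# Constructed UIDs (the 4 bytes burnt into block 0 of sector 0).
ORIGINAL_UID = bytes.fromhex("DEADBEEF")
OTHER_UID = bytes.fromhex("01020304")

def scenario_paste_into_other_card() -> Optional[int]:
    """Dump a 50-credit block and restore it on an ordinary card with another UID."""
    dumped = make_value_block(ORIGINAL_UID, 50)
    return read_credit(OTHER_UID, dumped)      # tag is bound to DEADBEEF: rejected

def scenario_restore_same_card() -> Optional[int]:
    """Spend, then restore the earlier dump on the same card: UID binding alone
    cannot tell the rolled-back block from a fresh one."""
    dumped = make_value_block(ORIGINAL_UID, 50)
    make_value_block(ORIGINAL_UID, 30)         # the terminal writes 30 after a purchase
    return read_credit(ORIGINAL_UID, dumped)   # the old 50-credit block still verifies

def scenario_uid_changeable_card() -> Optional[int]:
    """A UID-changeable card set to the original UID carries a full clone."""
    dumped = make_value_block(ORIGINAL_UID, 50)
    return read_credit(ORIGINAL_UID, dumped)   # indistinguishable from the original card
```

A tag like this stops credit from being pasted onto another ordinary card; the same-card rollback and the UID-changeable clone are only caught by state kept off the card, such as a transaction counter checked against a backend ledger.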
You can also take a look at the LibNFC project; you will be able to do roughly the same things with some standard readers, with some limitations. If you are following our posts and practicing, just mail us and we will be very happy to help you! See you in the next post!

This post was written by Nahuel Grisolia, an Information Security Professional. He has delivered trainings and talks at conferences around the world such as BugCON (Mexico), H2HC (Brazil), Ekoparty (Argentina), OWASP events (Argentina), TROOPERS (Germany), PHDays (Russia), and Ground Zero Summit (India).
He specializes in Web Application Security, Penetration Testing and Hardware Hacking.