RFID NFC - Mifare Pages
parent
026c16d0cf
commit
76ef76505e
|
@ -22,6 +22,7 @@
|
|||
7. On the Flipper Zero, once booted, press down, and left until you are on the 'Browser' screen. Scroll down until you see the 'update' directory and click on it.
|
||||
8. You should now see the contents you uploaded and an 'update' option. Hover over the 'update' option, click the center button on your Flipper, once again on the 'Run in App' option.
|
||||
|
||||
|
||||
### Firmware Update - WebUpdater
|
||||
|
||||
* [DarkFlippers/unleashed-firmware - Web Update](https://lab.flipper.net/?url=https://unleashedflip.com/fw_extra_apps/flipper-z-f7-update-unlshd-038e.tgz&channel=release-cfw&version=unlshd-038e)
|
||||
|
@ -39,6 +40,7 @@
|
|||
* [Flipper Zero: is this for you? Follow our 1st tests! - Penthertz](https://www.youtube.com/watch?v=W5YYObSBUno)
|
||||
* [Flipper Zero: french collection video on the Flipper Zero, tutorial and explain](https://www.youtube.com/playlist?list=PLq_UnUtYZ15eoAiElH4T2XEB29iwZSi5a)
|
||||
|
||||
|
||||
## Tutorials and Resources
|
||||
|
||||
* [Flipper Zero Hacking 101 - pingywon](https://flipper.pingywon.com/flipper/)
|
||||
|
@ -47,8 +49,8 @@
|
|||
* [Unleashed Firmware - Update firmware](https://github.com/DarkFlippers/unleashed-firmware/blob/dev/documentation/HowToInstall.md)
|
||||
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [The Ultimate Guide / CheatSheet to Flipper Zero - Ilias Mavropoulos - 17/01/2024](https://infosecwriteups.com/the-ultimate-guide-cheatsheet-to-flipper-zero-d4c42d79d32c)
|
||||
* [djsime1/Awesome FlipperZero - 🐬 A collection of awesome resources for the Flipper Zero device](https://github.com/djsime1/awesome-flipperzero)
|
||||
* [Reading NFC cards - Flipper Docs](https://docs.flipper.net/nfc/read)
|
|
@ -0,0 +1,46 @@
|
|||
# iCopy-X
|
||||
|
||||
iCopy-X is a "super" automated handheld RFID copier based on Proxmark3. iCopy-X can read, crack, duplicate, sniff and simulate without the use of a PC.
|
||||
|
||||
* [iCopy-X-Community](https://github.com/iCopy-X-Community)
|
||||
* [iCopy-X-Community/icopyx-upstream](https://github.com/iCopy-X-Community/icopyx-upstream) - Collecting elements provided by the manufacturer
|
||||
* [iCopy-X-Community/icopyx-community-pm3](https://github.com/iCopy-X-Community/icopyx-community-pm3) - Scrap repo for various tests
|
||||
* [iCopy-X-Community/icopyx-teardown](https://github.com/iCopy-X-Community/icopyx-teardown)
|
||||
|
||||
|
||||
## Update
|
||||
|
||||
Latest firmware: `1.0.90 2022-08-16`
|
||||
|
||||
* [icopy-x.com/otasys](https://icopy-x.com/otasys/index.php)
|
||||
|
||||
|
||||
**Step 1**: Enter the device S/N (found under the “About” menu) on the website and download the upgrade package to your PC.
|
||||
|
||||
**Step 2**: Connect the iCopy-X to your computer using the supplied USB TYPE C cable and delete any files that end in “.ipk” from the root directory.
|
||||
|
||||
**Step 3**: Copy the newly downloaded upgrade package to the root directory.
|
||||
|
||||
**Step 4**: Press "Ok" on the second page of the "About" menu on the iCopy-X to start the automatic upgrade.
|
||||
|
||||
**TIP**: Ensure that the serial number has been entered correctly before starting as this could cause the upgrade to fail.
|
||||
|
||||
|
||||
## PC Mode
|
||||
|
||||
In PC-Mode, after connecting to the computer, open the client in the built-in U disk, you can directly use the Proxmark3 universal CMD to operate.
|
||||
|
||||
```ps1
|
||||
COM Port (Check Device Manager, numbers only): 4
|
||||
[=] Session log E:/CLIENT_X86/.proxmark3/logs/log_20240730.txt
|
||||
[+] loaded from JSON file E:/CLIENT_X86/.proxmark3/preferences.json
|
||||
[=] Using UART port /com4
|
||||
[=] Communicating with PM3 over USB-CDC
|
||||
[usb] pm3 -->
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [iCopy-X - Kickstarter - iCopy-X: Handheld Smart RFID Multi-Tool - Nikola T. Lab](https://www.kickstarter.com/projects/nikola-lab/icopy-x-0)
|
||||
* [icopy-x Official Website](https://icopy-x.com/)
|
|
@ -13,3 +13,4 @@
|
|||
## References
|
||||
|
||||
* [Raspberry Pi As Poor Man’s Hardware Hacking Tool - Arun-Magesh - December 14, 2018](https://payatu.com/using-rasberrypi-as-poor-mans-hardware-hacking-tool)
|
||||
* [Hardware Hacking with a Raspberry Pi - Configuring the PiFex - voidstarsec - JULY 2024](https://voidstarsec.com/blog/pifex-config)
|
|
@ -0,0 +1,73 @@
|
|||
# CAN Bus
|
||||
|
||||
The Controller Area Network (CAN) bus is a high-integrity serial communication protocol designed for real-time data exchange in embedded systems, particularly in automotive and industrial applications. It operates on a multi-master, message-oriented architecture, allowing multiple devices (nodes) to communicate on the same network without a central controller.
|
||||
|
||||
|
||||
## Interact
|
||||
|
||||
```ps1
|
||||
pip install python-can
|
||||
pip install python-can-utils
|
||||
```
|
||||
|
||||
```py
|
||||
import can
|
||||
bus = can.Bus()
|
||||
while True:
|
||||
msg = can.Message(3, data=[0 for _ in range(8)])
|
||||
bus.send(msg)
|
||||
```
|
||||
|
||||
* [Tbruno25/can-explorer](https://github.com/Tbruno25/can-explorer) - Visualize CAN Bus messages in real time
|
||||
|
||||
|
||||
## UDS
|
||||
|
||||
> Unified Diagnostic Services (UDS) is a communication protocol used in automotive Electronic Control Units (ECUs) to enable diagnostics, firmware updates, routine testing and more.
|
||||
|
||||
### Implementation
|
||||
|
||||
* [pylessard/python-udsoncan](https://github.com/pylessard/python-udsoncan) - Python implementation of UDS (ISO-14229) standard.
|
||||
* [driftregion/iso14229](https://github.com/driftregion/iso14229) - C implementation of ISO 14229 (UDS) server and client for embedded systems
|
||||
|
||||
|
||||
### SID
|
||||
|
||||
| UDS SID (Request) | UDS SID (Response) | UDS Service | Details |
|
||||
| ----------------- | --------------------- | ------------- | ------- |
|
||||
| 0x10 | 0x50 | Diagnostic session control | Control which UDS services are available. |
|
||||
| 0x11 | 0x51 | ECU Reset | It resets the ECU (includes hard reset, key off and soft reset) |
|
||||
| 0x27 | 0x67 | Security access | It enables use of security critical services via authentication. |
|
||||
| 0x28 | 0x68 | Communication control | This field turns send/receive of messages ON or OFF in the ECU. |
|
||||
| 0x29 | 0x69 | Aunthentication | Enables more advanced authentication vs. 0x27 (PKI based exchange). |
|
||||
| 0x3E | 0x7E | Tester present | Send a heartbeat message periodically to remain in existing session . |
|
||||
| 0x83 | 0xC3 | Access timing parameters | View/Modify timing parameters used in client/server communication. |
|
||||
| 0x84 | 0xC4 | Secured Data Transmission | Send encrypted data via ISO 15764 (extended data link security) |
|
||||
| 0x85 | 0xC5 | Control DTC Settings | Enable/Disable detection of errors (e.g. used during diagnostics) |
|
||||
| 0x86 | 0xC6 | Response On Event | Request that ECU processes a service request if an event happens |
|
||||
| 0x87 | 0xC7 | Link Control | Set the baud rate for diagnostic access |
|
||||
| 0x22 | 0x62 | Read Data by Identifier | Read data from targetted ECU - e.g. VIN, sensor data etc. |
|
||||
| 0x23 | 0x63 | Read Data by Address | Read data from physical memory (e.g. to understand software behaviour) |
|
||||
| 0x24 | 0x64 | Read Scaling Data By Identifier | Read information about how to scale data identifiers |
|
||||
| 0x2A | 0x6A | Read Data by Identifier Periodic | Request ECU to broadcast sensor data at slow/medium/fast/stop rate |
|
||||
| 0x2C | 0x6C | Dynamically Define Data Identifier | Define data parameter for use in 0x22 or 0x2A dynamically |
|
||||
| 0x2E | 0x6E | Write Data By Identifier | Program specific variables determined by data parameters |
|
||||
| 0x3D | 0x7D | Write Memory By address | Write information to the ECU's memory |
|
||||
| 0x14 | 0x54 | Clear Diagnostic Information | Delete stored DTCs |
|
||||
| 0x19 | 0x59 | Read DTC Information | Read stored DTCs as well as related information |
|
||||
| 0x2F | 0x6F | Input Output Control By Identifier | Gain control over ECU analog/digital inputs/outputs |
|
||||
| 0x31 | 0x71 | Routine Control | Initiate/stop routines (e.g. self testing, erasing of flash memory) |
|
||||
| 0x34 | 0x74 | Request Download | Start request to add software/data to ECU (including location/size) |
|
||||
| 0x35 | 0x75 | Request Upload | Start request to read software/data from ECU (including location/size) |
|
||||
| 0x36 | 0x76 | Transfer Data | Perform actual transfer of data following use of 0x74/0x75 |
|
||||
| 0x37 | 0x77 | Request Transfer Exit | Stop the transfer of data |
|
||||
| 0x38 | 0x78 | Request File Transfer | Perform a file download/upload to/from the ECU |
|
||||
| 0x7F | Negative Response | Send with a negative response code when a request can not be handled. |
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [Awesome CAN bus tools, hardware and resources - iDoka](https://github.com/iDoka/awesome-canbus)
|
||||
* [UDS SID Table | UDS SID Request And Response - rfwireless-world](https://www.rfwireless-world.com/Terminology/UDS-SID-Table.html)
|
||||
* [UDS Explained - A Simple Intro (Unified Diagnostic Services) - csselectronics](https://www.csselectronics.com/pages/uds-protocol-tutorial-unified-diagnostic-services)
|
||||
* [Unified Diagnostic Services (UDS) Explained - A Simple Intro [2022] - csselectronics](https://youtu.be/CV_B8tJgI5E)
|
|
@ -1,518 +0,0 @@
|
|||
# NFC - RFID
|
||||
|
||||
> Radio Frequency Identification (RFID) & Near Field Communication (NFC)
|
||||
|
||||
|
||||
## Install and configuration
|
||||
|
||||
Dependencies to install first
|
||||
|
||||
```ps1
|
||||
sudo apt-get install p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev gcc-arm-none-eabi libstdc++-arm-none-eabi-newlib ncurses-dev libpcsclite-dev pcscd
|
||||
```
|
||||
|
||||
Cloning and building the tool.
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/Proxmark/proxmark3.git
|
||||
cd proxmark3
|
||||
make clean && make all
|
||||
dmesg | grep -i usb
|
||||
~/proxmark3/client/proxmark3 /dev/ttyACM0
|
||||
```
|
||||
|
||||
* Ubuntu : `curl https://raw.githubusercontent.com/daveio/attacksurface/master/proxmark3/pm3-setup.sh | bash`
|
||||
* Kali : `Same script should work, just replace Ubuntu 14.04 by Kali`
|
||||
|
||||
Testing the tool with the commands `hw tune` and `hw version`.
|
||||
|
||||
```powershell
|
||||
proxmark3> hw tune
|
||||
Measuring antenna characteristics, please wait.........
|
||||
# LF antenna: 73.70 V @ 125.00 kHz
|
||||
# LF antenna: 59.12 V @ 134.00 kHz
|
||||
# LF optimal: 73.97 V @ 126.32 kHz
|
||||
# HF antenna: 29.32 V @ 13.56 MHz
|
||||
|
||||
proxmark3> hw version
|
||||
Prox/RFID mark3 RFID instrument
|
||||
uC: AT91SAM7S256 Rev D
|
||||
Embedded Processor: ARM7TDMI
|
||||
```
|
||||
|
||||
If the `ACR122` doesn't work properly, try `sudo rmmod pn533_usb`
|
||||
|
||||
|
||||
### Update and flash
|
||||
|
||||
In order to update and flash your proxmark you have to kill the `ModemManager` process as it is interfering with the process.
|
||||
|
||||
```powershell
|
||||
ps -aux | grep ModemManager
|
||||
kill [pid] - on my system stable 521
|
||||
```
|
||||
|
||||
By default the compilation makefile will target the Proxmark rdv4, to make a firmware and boot image for the Proxmark3 Easy you need to edit the `Makefile.platform` from `PLATFORM=PM3RDV4` to `PLATFORM=PM3OTHER`.
|
||||
|
||||
| PLATFORM | DESCRIPTION |
|
||||
| ------------- | ------------------------ |
|
||||
| PM3RDV4 (def) | Proxmark3 rdv4 |
|
||||
| PM3OTHER | Proxmark3 generic target |
|
||||
|
||||
The compilation steps are as follows.
|
||||
|
||||
```powershell
|
||||
make armsrc/obj/fullimage.elf bootrom/obj/bootrom.elf client/flasher
|
||||
./client/flasher /dev/ttyACM0 -b bootrom/obj/bootrom.elf armsrc/obj/fullimage.elf
|
||||
```
|
||||
|
||||
## Notes about card types
|
||||
|
||||
* **MIFARE Classic 1K/4K**: basically just a memory storage device. This memory, either 1024 or 4096 bytes, is divided into sectors and blocks. Most of the time used for regular access badges and has really simple security mechanisms for access control
|
||||
* **MIFARE Ultralight**: a 64 bytes version of MIFARE Classic. It’s low costs make it widely used as disposable tickets for events or transportation.
|
||||
* **MIFARE Plus**: announced as a replacement of MIFARE Classic. The Plus subfamily brings the new level of security up to 128-bit AES encryption.
|
||||
* **MIFARE DESFire**: those tags come pre-programmed with a general purpose DESFire operating system which offers a simple directory structure and files, and are the type of MIFARE offering the highest security levels.
|
||||
|
||||
## LF - HID & Indala
|
||||
|
||||
> Cloning requires writable T55xx card. The T55x7 card can be configured to emulate many of the 125 kHz tags.
|
||||
|
||||
```powershell
|
||||
lf search # HID Prox TAG ID: 2004263f88
|
||||
lf hid fskdemod # (Push the button on the PM3 to stop scanning - not necessary)
|
||||
lf hid demod # (Push the button on the PM3 to stop scanning - not necessary)
|
||||
lf hid clone 2004263f88 # (id à cloner)
|
||||
lf hid sim 200671012d # simulate HID card with UID=200671012d
|
||||
|
||||
lf indala read
|
||||
lf indala demod
|
||||
lf indala sim a0000000c2c436c1 # simulate Indala with UID=a0000000c2c436c1
|
||||
lf indala clone a0000000c2c436c1 # clone Indala to T55x7 card
|
||||
|
||||
lf hitag info
|
||||
lf hitag sim c378181c_a8f7.ht2 # simulate HiTag
|
||||
```
|
||||
|
||||
## LF - EM410X
|
||||
|
||||
Read only memory :/
|
||||
|
||||
```powershell
|
||||
Proxmark> lf em4x em410xread
|
||||
EM410x Tag ID: 23004d4dee
|
||||
Proxmark> lf em4x em410xsim 23004d4dee
|
||||
```
|
||||
|
||||
## HID : Example - Card
|
||||
|
||||
### HID card format
|
||||
|
||||
```powershell
|
||||
proxmark3> lf hid decode 10001fc656
|
||||
--------------------------------------------------
|
||||
Format: H10302 (HID H10302 37-bit huge ID)
|
||||
Card Number: 1041195
|
||||
Parity: Valid
|
||||
--------------------------------------------------
|
||||
Format: H10304 (HID H10304 37-bit)
|
||||
Facility Code: 1
|
||||
Card Number: 516907
|
||||
Parity: Valid
|
||||
--------------------------------------------------
|
||||
```
|
||||
|
||||
### Write an HID card
|
||||
|
||||
```powershell
|
||||
# version with facility code is better
|
||||
proxmark3> lf hid encode H10304 f 49153 c 516907
|
||||
HID Prox TAG ID: 1c001fc656
|
||||
|
||||
proxmark3> lf hid encode H10302 c 1041195
|
||||
HID Prox TAG ID: 10001fc656
|
||||
-------------------------------------------------
|
||||
```
|
||||
|
||||
Example 2
|
||||
|
||||
```powershell
|
||||
proxmark3> lf hid decode 1c0006bb43
|
||||
--------------------------------------------------
|
||||
Format: H10302 (HID H10302 37-bit huge ID)
|
||||
Card Number: 220577
|
||||
Parity: Valid
|
||||
--------------------------------------------------
|
||||
Format: H10304 (HID H10304 37-bit)
|
||||
Facility Code: 49152
|
||||
Card Number: 220577
|
||||
Parity: Valid
|
||||
--------------------------------------------------
|
||||
proxmark3> lf hid encode H10302 c 220577
|
||||
HID Prox TAG ID: 100006bb43
|
||||
```
|
||||
|
||||
### Bruteforce an HID reader
|
||||
|
||||
```powershell
|
||||
pm3 --> lf hid brute a 26 f 224
|
||||
pm3 --> lf hid brute v a 26 f 21 c 200 d 2000
|
||||
|
||||
Options
|
||||
---
|
||||
a <format> : 26|33|34|35|37|40|44|84
|
||||
f <facility-code> : 8-bit value HID facility code
|
||||
c <cardnumber> : (optional) cardnumber to start with, max 65535
|
||||
d <delay> : delay betweens attempts in ms. Default 1000ms
|
||||
v : verbose logging, show all tries
|
||||
```
|
||||
|
||||
## HF - Mifare DESFire
|
||||
|
||||
> No known attacks yet ! Unencrypted sectors can be read, also you can try to look for default keys. All MIFARE cards are prone to relay attack.
|
||||
|
||||
* Mifare DESFire [MF3ICD40](https://arstechnica.com/information-technology/2011/10/researchers-hack-crypto-on-rfid-smart-cards-used-for-keyless-entry-and-transit-pass/): uses Triple DES encryption, product discontinued.
|
||||
|
||||
```powershell
|
||||
It requires the attacker to have the card itself, an RFID reader, and a radio probe.
|
||||
Using differential power analysis, data is collected from radio frequency energy
|
||||
that leaks out of the card (its “side channels”).
|
||||
```
|
||||
* Mifare DESFire EV1 : the challenge is done with AES or 3DES.
|
||||
* Mifare DESFire EV2
|
||||
|
||||
## HF - Mifare Ultra Light
|
||||
|
||||
* Ultralight C (3DES authentication)
|
||||
* Ultralight EV1
|
||||
* NTAG2
|
||||
|
||||
### Chinese backdoor
|
||||
|
||||
```powershell
|
||||
pm3 --> hf 14a raw -p -b 7 40
|
||||
pm3 --> hf 14a raw -p 43
|
||||
pm3 --> hf 14a raw -p -c a20059982120
|
||||
|
||||
0x40, init backdoor mode
|
||||
0x41, wipe fills card with 0xFF
|
||||
0x42, fills card with 0x00
|
||||
0x43, no authentication needed. issue a 0x3000 to read block 0, or write block.
|
||||
0x44, fills card with 0x55
|
||||
```
|
||||
|
||||
### Simulate
|
||||
|
||||
```powershell
|
||||
hf 14a sim 2 <7-byte tag>
|
||||
```
|
||||
|
||||
## HF - Mifare Classic 1k
|
||||
|
||||
New method for Proxmark : `hf mf autopwn`
|
||||
|
||||
### Darkside attack (PRNG Weak)
|
||||
|
||||
**Proxmark method**
|
||||
|
||||
```powershell
|
||||
pm3> hf search
|
||||
pm3> hf mfu
|
||||
pm3> hf mf darkside (fork command)
|
||||
pm3> hf mf mifare (original command)
|
||||
Parity is all zero. Most likely this card sends NACK on every failed authentication. # Card is empty...
|
||||
or
|
||||
Found valid key:ffffffffffff # KEY_FOUND
|
||||
|
||||
pm3> hf mf chk 0 A KEY_FOUND (Check Found Key On Block 0 A)
|
||||
```
|
||||
|
||||
**ACR122u method**
|
||||
|
||||
```powershell
|
||||
# start cracking the first key of the first sector.
|
||||
mfcuk -C -R 0:A -v 3 -s 250 -S 250
|
||||
mfcuk -C -R 3:A -v 3 -s 250 -S 250 -o mycard.mfc
|
||||
```
|
||||
|
||||
### Nested attack (PRNG Weak)
|
||||
|
||||
> Need to find a default key to extract the others
|
||||
|
||||
**Proxmark method**
|
||||
|
||||
```powershell
|
||||
hf search
|
||||
hf mf chk 1 ? t # "Test Block Keys" command which will test the default keys for us
|
||||
hf mf nested 1 0 A a0a1a2a3a4a5 t. # "Nested Attack" use the key a0a1a2a3a4a5, keeping the key in memory with "t"
|
||||
hf mf chk * ? # "Test Block Keys" command which will test the default keys for us
|
||||
hf mf nested 1 0 A ffffffffffff d # "Nested Attack" use the key ffffffffffff to extract the others (file:dumpkeys.bin)
|
||||
hf mf dump 1 # Dump content
|
||||
hf mf restore 1 # Restore content into the card
|
||||
hf mf wrbl 5 A 080808080808 32110000cdeeffff3211000005fa05fa # write on block 5, with the key 0808... the content 3211...
|
||||
hf mf rdbl 5 A 080808080808 # Read block 5 with the keu 0808..
|
||||
|
||||
|
||||
python pm3_mfd2eml.py dumpdata.bin dumpdata.eml
|
||||
pm3> hf mf cload dumpdata
|
||||
```
|
||||
|
||||
**ACR122u method**
|
||||
|
||||
```powershell
|
||||
nfc-list
|
||||
mfoc -O card.mfd # dump the memory of the tag
|
||||
# Le paramètre P permet de spécifier le nombre de sondes par secteur. Par défaut, ce nombre est à 20 mais nous pouvons le passer à 500.
|
||||
mfoc -P 500 -O dump_first_try.dmp
|
||||
nfc-mfclassic w a key.mfd data.mfd # write data
|
||||
nfc-mfclassic W a key.mfd data.mfd # write data and sector 0
|
||||
```
|
||||
|
||||
### Hardnested attack
|
||||
|
||||
> One key is needed in order to use this attack
|
||||
|
||||
For newest MIFARE Classic and MIFARE Plus SL1
|
||||
|
||||
**Proxmark method**
|
||||
|
||||
:warning: NOTE: These hardware changes resulted in the Proxmark 3 Easy being incapable of performing several of the Proxmark's advanced features, including the Mifare Hard-Nested attacks. In other word you need a real Proxmark, not a cheap chinese copy.
|
||||
|
||||
```powershell
|
||||
# find a default key
|
||||
# res column is either equal to 1 or 0.
|
||||
# A 1 in the column means the key was valid for that sector.
|
||||
hf mf chk *1 ? t
|
||||
|
||||
|
||||
# <block number> <key A|B> <key (12 hex symbols)>
|
||||
# <target block number> <target key A|B> [known target key (12 hex symbols)] [w] [s]
|
||||
# w: Acquire nonces and write them to binary file nonces.bin
|
||||
hf mf hardnested 0 A 8829da9daf76 4 A w
|
||||
|
||||
# then https://github.com/aczid/crypto1_bs
|
||||
./solve_piwi 0xcafec0de.bin
|
||||
./solve_piwi_bs 0xcafec0de.bin
|
||||
```
|
||||
|
||||
**ACR122u method**
|
||||
|
||||
With the key n°A a0a1a2a3a4a5 for sector 0 and we want key n°A for sector 1. This method can be reused for every sectors.
|
||||
|
||||
```powershell
|
||||
./libnfc_crypto1_crack a0a1a2a3a4a5 0 a 4 a
|
||||
Found tag with uid 62ef9e5a, collecting nonces for key A of block 4 (sector 1) using known key A a0a1a2a3a4a5 for block 0 (sector 0)
|
||||
Collected 2379 nonces... leftover complexity 23833993588 (~2^34.47) - initializing brute-force phase...
|
||||
Starting 4 threads to test 23833993588 states using 256-way bitslicing
|
||||
Cracking... 88.93%
|
||||
Found key: c44e2b5e4ce3
|
||||
Tested 21232975852 states
|
||||
```
|
||||
|
||||
### Magic Chinese Card - Acronyms
|
||||
|
||||
**UID** - The original Chinese Magic Backdoor card. These cards respond to the backdoor commands and will show Chinese magic backdoor commands (GEN 1a) detected when you do an hf search. These cards can be detected by probing the card to see if it responds to the backdoor commands. Some RFID systems may try to detect these cards.
|
||||
|
||||
**CUID** - The 2nd generation Chinese Magic Backdoor card. These cards do not use the backdoor commands, but instead allow Block 0 to be written to like any other block on the card. This gives the card better compatibility to be written to from an Android phone. However, some RFID systems can detect this type of card by sending a write command to Block 0, making the card invalid after the first use is attempted.
|
||||
|
||||
**FUID** - This type of card is not as common, but allows Block 0 to be written to just once. This allows you to create a clone of a card and any checks done by the RFID system will pass because Block 0 is no longer writable.
|
||||
|
||||
**UFUID** - This type of card is apparently a "better" version of the FUID card. Instead of only allowing Block 0 to be written once, you can write to it many times and then lock the block later when you're happy with the result. After locking Block 0, it cannot be unlocked to my knowledge. I do not think there is currently a way to lock these cards using the Proxmark3.
|
||||
|
||||
### Magic Chinese Card - GEN 2
|
||||
|
||||
They can be copied directly. The software allows a new UID.
|
||||
|
||||
### Magic Chinese Card - GEN 1a
|
||||
|
||||
> **Works better on the official client.py instead of the iceman fork.**
|
||||
|
||||
Reset a UID Changeable Magic Card (7 bytes UID) :warning: You should prefer this method !
|
||||
|
||||
```powershell
|
||||
proxmark3> hf mf csetuid 42917CAB 0004 08
|
||||
uid:42 91 7c ab
|
||||
--atqa:00 04 sak:08
|
||||
Chinese magic backdoor commands (GEN 1a) detected
|
||||
```
|
||||
|
||||
To set all the block `hf mf csetblk 0 42917CAB00080400022A2C87933EF21D`
|
||||
|
||||
NOTE: The UID from several cards can be computed with the displayed id, e.g: ID is 2910621770.
|
||||
|
||||
```python
|
||||
import struct
|
||||
struct.pack('<I',2910621770).encode('hex')
|
||||
'4a907cad'
|
||||
```
|
||||
|
||||
### Unbricking Chinese Magic Mifare Classic
|
||||
|
||||
If you set the wrong BCC for UID and can't read the card anymore, you can use some backdoor commands to change sector 0 using Proxmark:
|
||||
|
||||
```powershell
|
||||
hf 14a raw -a -p -b 7 40
|
||||
hf 14a raw -p 43
|
||||
hf 14a raw -p -c a0 00
|
||||
hf 14a raw -p -c de ad be ef 22 08 04 00 46 59 25 58 49 10 23 02
|
||||
```
|
||||
|
||||
### Key Bruteforce/Dictionary attack
|
||||
|
||||
```powershell
|
||||
hf mf chk *1 ? t # Default keys
|
||||
hf mf chk *1 ? d default_keys.dic
|
||||
hf mf chk 0 A default_keys.dic # Dictionary attack with file: default_keys.dic
|
||||
```
|
||||
|
||||
### Write and read sectors
|
||||
|
||||
> Avoid writing wrbl 3 (contains key A/B + permissions)
|
||||
|
||||
```powershell
|
||||
proxmark3> hf mf wrbl 1 a ffffffffffff 000102030405060708090a0b0c0d0e0f
|
||||
proxmark3> hf mf wrbl 2 a ffffffffffff 464c4147313a4d31664072335f303037
|
||||
```
|
||||
|
||||
```powershell
|
||||
hf mf rdsc <sector number> <key A/B> <key (12 hex symbols)>
|
||||
```
|
||||
|
||||
### Dump Mifare card
|
||||
|
||||
```powershell
|
||||
proxmark3> hf mf dump 1 k hf-mf-A29558E4-key.bin f hf-mf-A29558E4-data.bin
|
||||
|
||||
<card memory>: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K
|
||||
k <name> : key filename, if no <name> given, UID will be used as filename
|
||||
f <name> : data filename, if no <name> given, UID will be used as filename
|
||||
```
|
||||
|
||||
### Simulate and emulate Mifare card
|
||||
|
||||
Emulate from a dump file
|
||||
|
||||
```powershell
|
||||
# convert .bin to .eml
|
||||
proxmark3> script run dumptoemul -i dumpdata.bin
|
||||
proxmark3> hf mf eload <file name w/o .eml>
|
||||
```
|
||||
|
||||
Simulate Mifare 1K UID
|
||||
|
||||
```powershell
|
||||
proxmark3> hf mf sim u 353c2aa6
|
||||
```
|
||||
|
||||
### MITM attack
|
||||
|
||||
```powershell
|
||||
hf 14a snoop
|
||||
# read card
|
||||
# push button
|
||||
|
||||
hf list 14a
|
||||
089220 | 095108 | Tag | 4d xx xx xx d3 | | UID
|
||||
114608 | 125072 | Rdr | 93 70 4d xx xx xx d3 4f 8d | ok | SELECT_UID
|
||||
...
|
||||
525076 | 529748 | Tag | 61 7a 66 18 | | TAG CHALLENGE
|
||||
540608 | 549920 | Rdr |50! 87! 8e ab 3b! 49 5a 1b | !crc| HALT
|
||||
551188 | 555860 | Tag |d6! 53! 7c 57! | | TAG RESPONSE
|
||||
UID: 4dxxxxxxd3
|
||||
TAG CHALLENGE: 617a6618
|
||||
READER CHALLENGE: 50878eab
|
||||
READER RESPONSE: 3b495a1b
|
||||
TAG RESPONSE: d6537c57
|
||||
|
||||
# crapto1gui or mfkey
|
||||
cd tools/mfkey
|
||||
make
|
||||
./mfkey64
|
||||
./mfkey64 xxxxxxxx 3b45a45a 7ddb6646 142fc1b9 9195fb3f
|
||||
```
|
||||
|
||||
### Reader only attack
|
||||
|
||||
Emulate a MIFARE Classic with a DEADBEEF UID.
|
||||
|
||||
```powershell
|
||||
proxmark3> hf mf sim u deadbeef n 1 x
|
||||
mf 1k sim uid: de ad be ef , numreads:0, flags:18 (0x12)
|
||||
#db# Collected two pairs of AR/NR which can be used to extract keyA from reader for sector 1:
|
||||
#db# ../tools/mfkey/mfkey32 deadbeef 0102xxxx 4d9axxxx 87e7xxxx 06d2xxxx b4a0xxxx
|
||||
#db# Emulator stopped. Tracing: 1 trace length: 253
|
||||
#db# 4B UID: deadbeef
|
||||
```
|
||||
|
||||
### Read a Mifare Dump
|
||||
|
||||
```powershell
|
||||
pip install bitstring
|
||||
git clone https://github.com/zhovner/mfdread
|
||||
mfdread.py ./dump.mfd
|
||||
```
|
||||
|
||||
## HF - Mifare Classic 4k
|
||||
|
||||
### Chinese Magic Mifare Classic 4K
|
||||
|
||||
Block 0 is writable through normal Mifare Classic commands, i.e. there is not special “unlocked” read/write like in “magic Mifare 1k” version.
|
||||
|
||||
Writing block 0 with Proxmark, UID 01020304, using key A being FFFFFFFFFFFF:
|
||||
|
||||
```powershell
|
||||
hf mf wrbl 0 a FFFFFFFFFFFF 01020304040000000000000000000000
|
||||
```
|
||||
|
||||
Again, watch out to have correct BCC and avoid Cascading Tag (0x88) as first byte of UID, or you may make the card unselectable (i.e. brick it).
|
||||
|
||||
## HF - Vigik
|
||||
|
||||
Tool : https://github.com/cjbrigato/kigiv-for-proxmark3/releases
|
||||
|
||||
```powershell
|
||||
modprobe -r pn533_usb
|
||||
modprobe -r pn533
|
||||
nfc-list # Vérifier le bon fonctionnement du lecteur
|
||||
mfoc -P 500 -O carte-vierge.dmp # Extraire les clés de chiffrement de la puce RFID chinoise dans un fichier
|
||||
mfoc -P 500 -O carte-originale.dmp # Copiez le contenu de la puce RFID d’origine dans un fichier
|
||||
nfc-mfclassic W a carte-originale.dmp carte-vierge.dmp # Ecrire le contenu de la puce originale sur la puce chinoise
|
||||
```
|
||||
|
||||
## Replay Attacks
|
||||
|
||||
Replay attack is a technique where a malicious user could implement a device to intercept a NFC transaction and redeem it later, using other device or even in different location.
|
||||
|
||||
|
||||
## Relay Attack
|
||||
The relay attack is a technique where a malicious user implements a man in the middle attack. The attacker(APDUer) is capable to intercept, manipulate and change the transaction in real time to take advantage of it.
|
||||
[https://en.wikipedia.org/wiki/Relay_attack](https://en.wikipedia.org/wiki/Relay_attack)
|
||||
|
||||
* NFC Payment Relay Attacks - [intro-to-nfc-payment-relay-attacks/](https://salmg.net/2018/12/01/intro-to-nfc-payment-relay-attacks/)
|
||||
* NFCopy85 is a 10 dollars device to make replay attacks against NFC payment systems - [nfcopy85](https://salmg.net/2019/06/16/nfcopy85/)
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* https://blog.kchung.co/rfid-hacking-with-the-proxmark-3/
|
||||
* https://aur.archlinux.org/packages/proxmark3/
|
||||
* https://github.com/Proxmark/proxmark3/wiki/Kali-Linux
|
||||
* https://github.com/Proxmark/proxmark3/wiki/Mifare-HowTo
|
||||
* https://www.latelierdugeek.fr/2017/07/12/rfid-le-clone-parfait/
|
||||
* https://github.com/cjbrigato/kigiv-for-proxmark3/releases
|
||||
* http://guillaumeplayground.net/proxmark3-hardnested/
|
||||
* https://www.ordinoscope.net/index.php/Electronique/Hardware/Divers/RFID/Proxmak3/Mf\_(Mifare)
|
||||
* https://pi3rrot.net/wiki/doku.php?id=rfid:break\_mifare1k\_proxmark3
|
||||
* https://connect.ed-diamond.com/MISC/MISCHS-016/Proxmark-3-le-couteau-suisse-RFID
|
||||
* https://blandais.github.io/mifare/fr
|
||||
* http://www.icedev.se/pm3docs.aspx
|
||||
* http://www.icedev.se/pm3cmds.aspx
|
||||
* https://scund00r.com/all/rfid/2018/06/05/proxmark-cheatsheet.html
|
||||
* https://www.tinker.sh/badge-cloning-clone-hid-prox-with-proxmark3-rvd4/
|
||||
* https://hackmethod.com/hacking-mifare-rfid/
|
||||
* https://hackmethod.com/hacking-mifare-rfid-2/
|
||||
* https://github.com/Proxmark/proxmark3/wiki/Mifare-Tag-Ops
|
||||
* http://arishitz.net/coffee-nfc-exploit-coffee-again/
|
||||
* https://thetraaaxx.org/writeup-irl-hacking-le-porte-monnaie-nfc-securise
|
||||
* https://linuskarlsson.se/blog/acr122u-mfcuk-and-mfoc-cracking-mifare-classic-on-arch-linux/
|
||||
* https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/cheatsheet.md
|
||||
* https://smartlockpicking.com/slides/Confidence\_A\_2018\_Practical\_Guide\_To\_Hacking\_RFID\_NFC.pdf
|
|
@ -0,0 +1,101 @@
|
|||
# LF - HID & Indala
|
||||
|
||||
## HID & Indala
|
||||
|
||||
> Cloning requires writable T55xx card. The T55x7 card can be configured to emulate many of the 125 kHz tags.
|
||||
|
||||
```powershell
|
||||
lf search # HID Prox TAG ID: 2004263f88
|
||||
lf hid fskdemod # (Push the button on the PM3 to stop scanning - not necessary)
|
||||
lf hid demod # (Push the button on the PM3 to stop scanning - not necessary)
|
||||
lf hid clone 2004263f88 # (id à cloner)
|
||||
lf hid sim 200671012d # simulate HID card with UID=200671012d
|
||||
|
||||
lf indala read
|
||||
lf indala demod
|
||||
lf indala sim a0000000c2c436c1 # simulate Indala with UID=a0000000c2c436c1
|
||||
lf indala clone a0000000c2c436c1 # clone Indala to T55x7 card
|
||||
|
||||
lf hitag info
|
||||
lf hitag sim c378181c_a8f7.ht2 # simulate HiTag
|
||||
```
|
||||
|
||||
## LF - EM410X
|
||||
|
||||
Read only memory :/
|
||||
|
||||
```powershell
|
||||
Proxmark> lf em4x em410xread
|
||||
EM410x Tag ID: 23004d4dee
|
||||
Proxmark> lf em4x em410xsim 23004d4dee
|
||||
```
|
||||
|
||||
|
||||
## HID : Examples - Card
|
||||
|
||||
### HID card format
|
||||
|
||||
```powershell
|
||||
proxmark3> lf hid decode 10001fc656
|
||||
--------------------------------------------------
|
||||
Format: H10302 (HID H10302 37-bit huge ID)
|
||||
Card Number: 1041195
|
||||
Parity: Valid
|
||||
--------------------------------------------------
|
||||
Format: H10304 (HID H10304 37-bit)
|
||||
Facility Code: 1
|
||||
Card Number: 516907
|
||||
Parity: Valid
|
||||
--------------------------------------------------
|
||||
```
|
||||
|
||||
### Write to an HID card
|
||||
|
||||
```powershell
|
||||
# version with facility code is better
|
||||
proxmark3> lf hid encode H10304 f 49153 c 516907
|
||||
HID Prox TAG ID: 1c001fc656
|
||||
|
||||
proxmark3> lf hid encode H10302 c 1041195
|
||||
HID Prox TAG ID: 10001fc656
|
||||
-------------------------------------------------
|
||||
```
|
||||
|
||||
Example 2
|
||||
|
||||
```powershell
|
||||
proxmark3> lf hid decode 1c0006bb43
|
||||
--------------------------------------------------
|
||||
Format: H10302 (HID H10302 37-bit huge ID)
|
||||
Card Number: 220577
|
||||
Parity: Valid
|
||||
--------------------------------------------------
|
||||
Format: H10304 (HID H10304 37-bit)
|
||||
Facility Code: 49152
|
||||
Card Number: 220577
|
||||
Parity: Valid
|
||||
--------------------------------------------------
|
||||
proxmark3> lf hid encode H10302 c 220577
|
||||
HID Prox TAG ID: 100006bb43
|
||||
```
|
||||
|
||||
### Bruteforce an HID reader
|
||||
|
||||
```powershell
|
||||
pm3 --> lf hid brute a 26 f 224
|
||||
pm3 --> lf hid brute v a 26 f 21 c 200 d 2000
|
||||
|
||||
Options
|
||||
---
|
||||
a <format> : 26|33|34|35|37|40|44|84
|
||||
f <facility-code> : 8-bit value HID facility code
|
||||
c <cardnumber> : (optional) cardnumber to start with, max 65535
|
||||
d <delay> : delay betweens attempts in ms. Default 1000ms
|
||||
v : verbose logging, show all tries
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [Proxmark 3, le couteau suisse RFID - Bourdin Pierre - octobre 2017](https://connect.ed-diamond.com/MISC/MISCHS-016/Proxmark-3-le-couteau-suisse-RFID)
|
||||
* [Badge Cloning: Clone HID Prox with Proxmark3 RDV4 - Standalone Mode - Tinker - October 22, 2018](https://web.archive.org/web/20210725163656/https://www.tinker.sh/badge-cloning-clone-hid-prox-with-proxmark3-rvd4/)
|
|
@ -0,0 +1,277 @@
|
|||
# HF - Mifare Classic
|
||||
|
||||
## HF - Mifare Classic 1k
|
||||
|
||||
New method for Proxmark : `hf mf autopwn`
|
||||
|
||||
### Darkside attack (PRNG Weak)
|
||||
|
||||
**Proxmark method**
|
||||
|
||||
```powershell
|
||||
pm3> hf search
|
||||
pm3> hf mfu
|
||||
pm3> hf mf darkside (fork command)
|
||||
pm3> hf mf mifare (original command)
|
||||
Parity is all zero. Most likely this card sends NACK on every failed authentication. # Card is empty...
|
||||
or
|
||||
Found valid key:ffffffffffff # KEY_FOUND
|
||||
|
||||
pm3> hf mf chk 0 A KEY_FOUND (Check Found Key On Block 0 A)
|
||||
```
|
||||
|
||||
**ACR122u method**
|
||||
|
||||
```powershell
|
||||
# start cracking the first key of the first sector.
|
||||
mfcuk -C -R 0:A -v 3 -s 250 -S 250
|
||||
mfcuk -C -R 3:A -v 3 -s 250 -S 250 -o mycard.mfc
|
||||
```
|
||||
|
||||
### Nested attack (PRNG Weak)
|
||||
|
||||
> Need to find a default key to extract the others
|
||||
|
||||
**Proxmark method**
|
||||
|
||||
```powershell
|
||||
hf search
|
||||
hf mf chk 1 ? t # "Test Block Keys" command which will test the default keys for us
|
||||
hf mf nested 1 0 A a0a1a2a3a4a5 t. # "Nested Attack" use the key a0a1a2a3a4a5, keeping the key in memory with "t"
|
||||
hf mf chk * ? # "Test Block Keys" command which will test the default keys for us
|
||||
hf mf nested 1 0 A ffffffffffff d # "Nested Attack" use the key ffffffffffff to extract the others (file:dumpkeys.bin)
|
||||
hf mf dump 1 # Dump content
|
||||
hf mf restore 1 # Restore content into the card
|
||||
hf mf wrbl 5 A 080808080808 32110000cdeeffff3211000005fa05fa # write on block 5, with the key 0808... the content 3211...
|
||||
hf mf rdbl 5 A 080808080808 # Read block 5 with the keu 0808..
|
||||
|
||||
|
||||
python pm3_mfd2eml.py dumpdata.bin dumpdata.eml
|
||||
pm3> hf mf cload dumpdata
|
||||
```
|
||||
|
||||
**ACR122u method**
|
||||
|
||||
```powershell
|
||||
nfc-list
|
||||
mfoc -O card.mfd # dump the memory of the tag
|
||||
# Le paramètre P permet de spécifier le nombre de sondes par secteur. Par défaut, ce nombre est à 20 mais nous pouvons le passer à 500.
|
||||
mfoc -P 500 -O dump_first_try.dmp
|
||||
nfc-mfclassic w a key.mfd data.mfd # write data
|
||||
nfc-mfclassic W a key.mfd data.mfd # write data and sector 0
|
||||
```
|
||||
|
||||
### Hardnested attack
|
||||
|
||||
> One key is needed in order to use this attack
|
||||
|
||||
For newest MIFARE Classic and MIFARE Plus SL1
|
||||
|
||||
**Proxmark method**
|
||||
|
||||
:warning: NOTE: These hardware changes resulted in the Proxmark 3 Easy being incapable of performing several of the Proxmark's advanced features, including the Mifare Hard-Nested attacks. In other word you need a real Proxmark, not a cheap chinese copy.
|
||||
|
||||
```powershell
|
||||
# find a default key
|
||||
# res column is either equal to 1 or 0.
|
||||
# A 1 in the column means the key was valid for that sector.
|
||||
hf mf chk *1 ? t
|
||||
|
||||
|
||||
# <block number> <key A|B> <key (12 hex symbols)>
|
||||
# <target block number> <target key A|B> [known target key (12 hex symbols)] [w] [s]
|
||||
# w: Acquire nonces and write them to binary file nonces.bin
|
||||
hf mf hardnested 0 A 8829da9daf76 4 A w
|
||||
|
||||
# then https://github.com/aczid/crypto1_bs
|
||||
./solve_piwi 0xcafec0de.bin
|
||||
./solve_piwi_bs 0xcafec0de.bin
|
||||
```
|
||||
|
||||
**ACR122u method**
|
||||
|
||||
With the key n°A a0a1a2a3a4a5 for sector 0 and we want key n°A for sector 1. This method can be reused for every sectors.
|
||||
|
||||
```powershell
|
||||
./libnfc_crypto1_crack a0a1a2a3a4a5 0 a 4 a
|
||||
Found tag with uid 62ef9e5a, collecting nonces for key A of block 4 (sector 1) using known key A a0a1a2a3a4a5 for block 0 (sector 0)
|
||||
Collected 2379 nonces... leftover complexity 23833993588 (~2^34.47) - initializing brute-force phase...
|
||||
Starting 4 threads to test 23833993588 states using 256-way bitslicing
|
||||
Cracking... 88.93%
|
||||
Found key: c44e2b5e4ce3
|
||||
Tested 21232975852 states
|
||||
```
|
||||
|
||||
### Magic Chinese Card - Acronyms
|
||||
|
||||
**UID** - The original Chinese Magic Backdoor card. These cards respond to the backdoor commands and will show Chinese magic backdoor commands (GEN 1a) detected when you do an hf search. These cards can be detected by probing the card to see if it responds to the backdoor commands. Some RFID systems may try to detect these cards.
|
||||
|
||||
**CUID** - The 2nd generation Chinese Magic Backdoor card. These cards do not use the backdoor commands, but instead allow Block 0 to be written to like any other block on the card. This gives the card better compatibility to be written to from an Android phone. However, some RFID systems can detect this type of card by sending a write command to Block 0, making the card invalid after the first use is attempted.
|
||||
|
||||
**FUID** - This type of card is not as common, but allows Block 0 to be written to just once. This allows you to create a clone of a card and any checks done by the RFID system will pass because Block 0 is no longer writable.
|
||||
|
||||
**UFUID** - This type of card is apparently a "better" version of the FUID card. Instead of only allowing Block 0 to be written once, you can write to it many times and then lock the block later when you're happy with the result. After locking Block 0, it cannot be unlocked to my knowledge. I do not think there is currently a way to lock these cards using the Proxmark3.
|
||||
|
||||
### Magic Chinese Card - GEN 2
|
||||
|
||||
They can be copied directly. The software allows a new UID.
|
||||
|
||||
### Magic Chinese Card - GEN 1a
|
||||
|
||||
> **Works better on the official client.py instead of the iceman fork.**
|
||||
|
||||
Reset a UID Changeable Magic Card (7 bytes UID) :warning: You should prefer this method !
|
||||
|
||||
```powershell
|
||||
proxmark3> hf mf csetuid 42917CAB 0004 08
|
||||
uid:42 91 7c ab
|
||||
--atqa:00 04 sak:08
|
||||
Chinese magic backdoor commands (GEN 1a) detected
|
||||
```
|
||||
|
||||
To set all the block `hf mf csetblk 0 42917CAB00080400022A2C87933EF21D`
|
||||
|
||||
NOTE: The UID from several cards can be computed with the displayed id, e.g: ID is 2910621770.
|
||||
|
||||
```python
|
||||
import struct
|
||||
struct.pack('<I',2910621770).encode('hex')
|
||||
'4a907cad'
|
||||
```
|
||||
|
||||
### Unbricking Chinese Magic Mifare Classic
|
||||
|
||||
If you set the wrong BCC for UID and can't read the card anymore, you can use some backdoor commands to change sector 0 using Proxmark:
|
||||
|
||||
```powershell
|
||||
hf 14a raw -a -p -b 7 40
|
||||
hf 14a raw -p 43
|
||||
hf 14a raw -p -c a0 00
|
||||
hf 14a raw -p -c de ad be ef 22 08 04 00 46 59 25 58 49 10 23 02
|
||||
```
|
||||
|
||||
### Key Bruteforce/Dictionary attack
|
||||
|
||||
* [ikarus23/MifareClassicTool/std.keys](https://github.com/ikarus23/MifareClassicTool/blob/master/Mifare%20Classic%20Tool/app/src/main/assets/key-files/std.keys)
|
||||
* [ikarus23/MifareClassicTool/extended-std.keys](https://github.com/ikarus23/MifareClassicTool/blob/master/Mifare%20Classic%20Tool/app/src/main/assets/key-files/extended-std.keys)
|
||||
|
||||
```powershell
|
||||
hf mf chk *1 ? t # Default keys
|
||||
hf mf chk *1 ? d default_keys.dic
|
||||
hf mf chk 0 A default_keys.dic # Dictionary attack with file: default_keys.dic
|
||||
```
|
||||
|
||||
### Write and read sectors
|
||||
|
||||
> Avoid writing wrbl 3 (contains key A/B + permissions)
|
||||
|
||||
```powershell
|
||||
proxmark3> hf mf wrbl 1 a ffffffffffff 000102030405060708090a0b0c0d0e0f
|
||||
proxmark3> hf mf wrbl 2 a ffffffffffff 464c4147313a4d31664072335f303037
|
||||
```
|
||||
|
||||
```powershell
|
||||
hf mf rdsc <sector number> <key A/B> <key (12 hex symbols)>
|
||||
```
|
||||
|
||||
### Dump Mifare card
|
||||
|
||||
```powershell
|
||||
proxmark3> hf mf dump 1 k hf-mf-A29558E4-key.bin f hf-mf-A29558E4-data.bin
|
||||
|
||||
<card memory>: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K
|
||||
k <name> : key filename, if no <name> given, UID will be used as filename
|
||||
f <name> : data filename, if no <name> given, UID will be used as filename
|
||||
```
|
||||
|
||||
### Simulate and emulate Mifare card
|
||||
|
||||
Emulate from a dump file
|
||||
|
||||
```powershell
|
||||
# convert .bin to .eml
|
||||
proxmark3> script run dumptoemul -i dumpdata.bin
|
||||
proxmark3> hf mf eload <file name w/o .eml>
|
||||
```
|
||||
|
||||
Simulate Mifare 1K UID
|
||||
|
||||
```powershell
|
||||
proxmark3> hf mf sim u 353c2aa6
|
||||
```
|
||||
|
||||
### MITM attack
|
||||
|
||||
```powershell
|
||||
hf 14a snoop
|
||||
# read card
|
||||
# push button
|
||||
|
||||
hf list 14a
|
||||
089220 | 095108 | Tag | 4d xx xx xx d3 | | UID
|
||||
114608 | 125072 | Rdr | 93 70 4d xx xx xx d3 4f 8d | ok | SELECT_UID
|
||||
...
|
||||
525076 | 529748 | Tag | 61 7a 66 18 | | TAG CHALLENGE
|
||||
540608 | 549920 | Rdr |50! 87! 8e ab 3b! 49 5a 1b | !crc| HALT
|
||||
551188 | 555860 | Tag |d6! 53! 7c 57! | | TAG RESPONSE
|
||||
UID: 4dxxxxxxd3
|
||||
TAG CHALLENGE: 617a6618
|
||||
READER CHALLENGE: 50878eab
|
||||
READER RESPONSE: 3b495a1b
|
||||
TAG RESPONSE: d6537c57
|
||||
|
||||
# crapto1gui or mfkey
|
||||
cd tools/mfkey
|
||||
make
|
||||
./mfkey64
|
||||
./mfkey64 xxxxxxxx 3b45a45a 7ddb6646 142fc1b9 9195fb3f
|
||||
```
|
||||
|
||||
### Reader only attack
|
||||
|
||||
Emulate a MIFARE Classic with a DEADBEEF UID.
|
||||
|
||||
```powershell
|
||||
proxmark3> hf mf sim u deadbeef n 1 x
|
||||
mf 1k sim uid: de ad be ef , numreads:0, flags:18 (0x12)
|
||||
#db# Collected two pairs of AR/NR which can be used to extract keyA from reader for sector 1:
|
||||
#db# ../tools/mfkey/mfkey32 deadbeef 0102xxxx 4d9axxxx 87e7xxxx 06d2xxxx b4a0xxxx
|
||||
#db# Emulator stopped. Tracing: 1 trace length: 253
|
||||
#db# 4B UID: deadbeef
|
||||
```
|
||||
|
||||
### Read a Mifare Dump
|
||||
|
||||
```powershell
|
||||
pip install bitstring
|
||||
git clone https://github.com/zhovner/mfdread
|
||||
mfdread.py ./dump.mfd
|
||||
```
|
||||
|
||||
## HF - Mifare Classic 4k
|
||||
|
||||
### Chinese Magic Mifare Classic 4K
|
||||
|
||||
Block 0 is writable through normal Mifare Classic commands, i.e. there is not special "unlocked" read/write like in "magic Mifare 1k" version.
|
||||
|
||||
Writing block 0 with Proxmark, UID `01020304`, using key A being `FFFFFFFFFFFF`:
|
||||
|
||||
```powershell
|
||||
hf mf wrbl 0 a FFFFFFFFFFFF 01020304040000000000000000000000
|
||||
```
|
||||
|
||||
Again, watch out to have correct BCC and avoid Cascading Tag (0x88) as first byte of UID, or you may make the card unselectable (i.e. brick it).
|
||||
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [Mifare HowTo - Qais Patankar - Jan 7, 2018](https://github.com/Proxmark/proxmark3/wiki/Mifare-HowTo)
|
||||
* [Proxmark3 Mifare Classic 1k Weak / Hard - Guillaume - November 29, 2017](https://guillaumeplayground.net/proxmark3-hardnested/)
|
||||
* [Electronique/Hardware/Divers/RFID/Proxmak3/Mf (Mifare) - 12 janvier 2022](https://www.ordinoscope.net/index.php/Electronique/Hardware/Divers/RFID/Proxmak3/Mf_(Mifare))
|
||||
* [Proxmark 3, le couteau suisse RFID - Bourdin Pierre - octobre 2017](https://connect.ed-diamond.com/MISC/MISCHS-016/Proxmark-3-le-couteau-suisse-RFID)
|
||||
* [Hacking MIFARE & RFID - phantasmthewhite - Jan 22, 2019](https://hackmethod.com/hacking-mifare-rfid/)
|
||||
* [Hacking our first MIFARE/RFID Tag - phantasmthewhite - Feb 1, 2019](https://hackmethod.com/hacking-mifare-rfid-2/)
|
||||
* [Coffee, NFC, Exploit, Coffee again - ari_ - 14 NOVEMBER 2017](http://arishitz.net/coffee-nfc-exploit-coffee-again/)
|
||||
* [ACR122U, mfcuk, and mfoc: Cracking MIFARE Classic on Arch Linux - Linus Karlsson - 2014-08-18](https://linuskarlsson.se/blog/acr122u-mfcuk-and-mfoc-cracking-mifare-classic-on-arch-linux/)
|
||||
* [Reading NFC cards - Flipper Docs](https://docs.flipper.net/nfc/read)
|
|
@ -0,0 +1,146 @@
|
|||
# HF - Mifare DESFire
|
||||
|
||||
## DESFire® Format
|
||||
|
||||
* Mifare DESFire [MF3ICD40](https://arstechnica.com/information-technology/2011/10/researchers-hack-crypto-on-rfid-smart-cards-used-for-keyless-entry-and-transit-pass/): uses 3DES encryption, product discontinued.
|
||||
* **Mifare DESFire EV1** : Secure channel that can work with all the keys: DES, two-key 3DES, three-key 3DES and AES. Limited to 28 applications containing a maximum of 32 files per application.
|
||||
* **Mifare DESFire EV2** : The newest channel that can work with aes key only
|
||||
* **Mifare DESFire EV3** : Enhanced transaction speed and even better multi-application support.
|
||||
|
||||
Each card has a master application with AID `0x000000` that saves the card's configuration.
|
||||
The memory organization of DESFire supports up to 28 applications on the card and up to 32 files in each application.
|
||||
|
||||
* Master Application (0x000000)
|
||||
* Applications
|
||||
* Files
|
||||
|
||||
|
||||
### Applications
|
||||
|
||||
```ps1
|
||||
hf mfdes lsapp --no-auth # show applications list without authentication
|
||||
hf mfdes lsapp # show applications list with authentication from default settings
|
||||
hf mfdes lsapp --files # show applications list with their files
|
||||
hf mfdes getaids --no-auth # this command can return a simple AID list if it is enabled in the card settings
|
||||
```
|
||||
|
||||
Each application has an individual set of up to 14 application keys (can be AES-128 or DES keys)
|
||||
|
||||
|
||||
### Files
|
||||
|
||||
* **Standard** File: used for static data like a employee ID
|
||||
* **Backup** File: like a Standard File but with a "Commit" feature that allows for secure storage of data, e.g. a changeable user password
|
||||
* **Value** File: storing changeable value information, e.g. the amount on a canteen payment card
|
||||
* **Linear Record** File: storing a defined number of records, e.g. collecting of goodies
|
||||
* **Cyclic Record** File: like a Linear Record file but this file doesn't get "full" but the oldest entry gets overwritten by a new entry, e.g. for a log file
|
||||
|
||||
Each file has it’s own **Communication Mode**:
|
||||
|
||||
* **Plain**: all data transfer between the NFC tag and the NFC reader is done in plain
|
||||
* **MACed**: like in Plain mode the communication is is readable but secured by an appended MAC
|
||||
* **Encrypted**: the communication is not visible be anyone, but only who posses the used key is been able to read the data.
|
||||
|
||||
**Dump files**
|
||||
|
||||
```ps1
|
||||
hf mfdes lsfiles --aid 123456 -t aes # file list for application 123456 with aes key
|
||||
hf mfdes dump --aid 123456 # shows files and their contents from application 123456
|
||||
```
|
||||
|
||||
**Read/Write files**
|
||||
|
||||
Read
|
||||
|
||||
```ps1
|
||||
hf mfdes read --aid 123456 --fid 01 # autodetect file type (with hf mfdes getfilesettings) and read its contents
|
||||
hf mfdes read --aid 123456 --fid 01 --type record --offset 000000 --length 000001 # read one last record from a record file
|
||||
```
|
||||
|
||||
Read via ISO command set
|
||||
|
||||
```ps1
|
||||
hf mfdes read --aid 123456 --fileisoid 1000 --type data -c iso # select application via native command and then read file via ISO
|
||||
hf mfdes read --appisoid 0102 --fileisoid 1000 --type data -c iso # select all via ISO commands and then read
|
||||
hf mfdes read --appisoid 0102 --fileisoid 1100 --type record -c iso --offset 000005 --length 000001 # read one record (number 5) from file ID 1100 via ISO command set
|
||||
hf mfdes read --appisoid 0102 --fileisoid 1100 --type record -c iso --offset 000005 --length 000000 # read all the records (from 5 to 1) from file ID 1100 via ISO command set
|
||||
```
|
||||
|
||||
Write
|
||||
|
||||
```ps1
|
||||
hf mfdes write --aid 123456 --fid 01 -d 01020304 # autodetect file type (with hf mfdes getfilesettings) and write data with offset 0
|
||||
hf mfdes write --aid 123456 --fid 01 --type data -d 01020304 --commit # write backup data file and commit
|
||||
hf mfdes write --aid 123456 --fid 01 --type value -d 00000001 # increment value file
|
||||
hf mfdes write --aid 123456 --fid 01 --type value -d 00000001 --debit # decrement value file
|
||||
hf mfdes write --aid 123456 --fid 01 --type record -d 01020304 # write data to a record file
|
||||
hf mfdes write --aid 123456 --fid 01 --type record -d 01020304 --updaterec 0 # update record 0 (latest) in the record file.
|
||||
```
|
||||
|
||||
Write via iso command set
|
||||
|
||||
```ps1
|
||||
hf mfdes write --appisoid 1234 --fileisoid 1000 --type data -c iso -d 01020304 # write data to std/backup file via ISO command set
|
||||
hf mfdes write --appisoid 1234 --fileisoid 2000 --type record -c iso -d 01020304 # send record to record file via ISO command set
|
||||
```
|
||||
|
||||
|
||||
## Default Keys
|
||||
|
||||
Changing the default keys is a crucial step in the deployment of MIFARE DESFire cards to prevent unauthorized cloning and access.
|
||||
|
||||
* Default AES key
|
||||
```
|
||||
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
```
|
||||
* Default DES key
|
||||
```
|
||||
00 00 00 00 00 00 00 00
|
||||
```
|
||||
|
||||
Use a key to get UID
|
||||
|
||||
```ps1
|
||||
hf mfdes getuid # authenticate with default key
|
||||
hf mfdes getuid -s d40 # via d40 secure channel
|
||||
hf mfdes getuid -s ev2 -t aes -k 11223344556677889900112233445566 # via ev2 secure channel with specified aes key
|
||||
```
|
||||
|
||||
```ps1
|
||||
hf mfdes detect # simply detect key for master application (PICC level)
|
||||
hf mfdes detect --save # detect key and save to defaults. look after to output of hf mfdes default
|
||||
hf mfdes detect -s d40 # detect via channel d40
|
||||
hf mfdes detect --dict mfdes_default_keys # detect key with help of dictionary file
|
||||
hf mfdes detect --aid 123456 -n 2 # detect key 2 from application with AID 123456
|
||||
```
|
||||
|
||||
```ps1
|
||||
hf mfdes auth -n 0 -t des -k 1122334455667788 --aid 123456 # try application 123456 master key
|
||||
hf mfdes auth -n 0 -t aes --save # try PICC AES master key and save the configuration to defaults if authentication succeeds
|
||||
```
|
||||
|
||||
|
||||
## UID check
|
||||
|
||||
The UID of the modifiable MIFARE DESFire® Compatible UID tags consists of two parts: the UID itself and the BCC. The BCC is a checksum value calculated from the UID. If the BCC is incorrect, the tag will be rejected by the reader.
|
||||
|
||||
```ps1
|
||||
hf 14a raw -s -c 02 00 ab 00 00 00 07 xx xx xx xx xx xx xx xx xx
|
||||
```
|
||||
|
||||
For MIFARE DESFire cards, Flipper Zero is able to emulate only the UID.
|
||||
|
||||
UID rewritable cards:
|
||||
- [LAB 401 - MODIFIABLE MIFARE DESFIRE® COMPATIBLE UID](https://lab401.com/fr/products/desfire-compatible-emulator-uid-modifiable)
|
||||
- [LAB 401 - MIFARE DESFIRE® COMPATIBLE MODIFIABLE UID / ATQA / SAK / ATS / APDU](https://lab401.com/products/mifare-desfire-ev2-compatible-modifiable-uid-atqa-sak-ats-apdu)
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [Mifare DESFire EV3 — a beginner tutorial (Android Java) using the DESFire for Android tools - AndroidCrypto - Feb 18, 2024](https://medium.com/@androidcrypto/mifare-desfire-ev3-a-beginner-tutorial-android-java-using-the-desfire-for-android-tools-00aaecb8fa93)
|
||||
* [Mifare DESFire EVx NFC tag: Change the Master Application Key from DES to AES (Android/Java) - AndroidCrypto - Jun 19, 2024](https://medium.com/@androidcrypto/mifare-desfire-evx-nfc-tag-change-the-master-application-key-from-des-to-aes-android-java-e5dcf02861ff)
|
||||
* [DESFireChangeMasterAppKey - AndroidCrypto - Jun 19, 2024](https://github.com/AndroidCrypto/DESFireChangeMasterAppKey)
|
||||
* [Notes on MIFARE DESFire - iceman1001 - 2021](https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/desfire.md)
|
||||
* [Mifare DESFire - An Introduction - David Coelho - 19 mai 2019](https://www.linkedin.com/pulse/mifare-desfire-introduction-david-coelho/)
|
||||
* [AN-315 - Understanding MIFARE DESFire Credentials - ICT | Protege - 11-May-22](https://ict.co/media/3zznd34z/an-315_understanding_protege_mifare_desfire_credentials.pdf)
|
||||
* [MIFARE DESFire gallagher-research - megabug](https://github.com/megabug/gallagher-research/blob/master/formats/card-specific/mifare-desfire.md)
|
|
@ -0,0 +1,30 @@
|
|||
# HF - Mifare UltraLight
|
||||
|
||||
* Ultralight C (3DES authentication)
|
||||
* Ultralight EV1
|
||||
* NTAG2
|
||||
|
||||
## Chinese backdoor
|
||||
|
||||
```powershell
|
||||
pm3 --> hf 14a raw -p -b 7 40
|
||||
pm3 --> hf 14a raw -p 43
|
||||
pm3 --> hf 14a raw -p -c a20059982120
|
||||
|
||||
0x40, init backdoor mode
|
||||
0x41, wipe fills card with 0xFF
|
||||
0x42, fills card with 0x00
|
||||
0x43, no authentication needed. issue a 0x3000 to read block 0, or write block.
|
||||
0x44, fills card with 0x55
|
||||
```
|
||||
|
||||
## Simulate
|
||||
|
||||
```powershell
|
||||
hf 14a sim 2 <7-byte tag>
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* []()
|
|
@ -0,0 +1,19 @@
|
|||
# NFC - RFID
|
||||
|
||||
> Radio Frequency Identification (RFID) & Near Field Communication (NFC)
|
||||
|
||||
## Notes about card types
|
||||
|
||||
* **MIFARE Classic 1K/4K**: basically just a memory storage device. This memory, either 1024 or 4096 bytes, is divided into sectors and blocks. Most of the time used for regular access badges and has really simple security mechanisms for access control
|
||||
* **MIFARE Ultralight**: a 64 bytes version of MIFARE Classic. It’s low costs make it widely used as disposable tickets for events or transportation.
|
||||
* **MIFARE Plus**: announced as a replacement of MIFARE Classic. The Plus subfamily brings the new level of security up to 128-bit AES encryption.
|
||||
* **MIFARE DESFire**: those tags come pre-programmed with a general purpose DESFire operating system which offers a simple directory structure and files, and are the type of MIFARE offering the highest security levels.
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [RFID Hacking with The Proxmark 3 - Kevin Chung - May 29, 2017](https://blog.kchung.co/rfid-hacking-with-the-proxmark-3/)
|
||||
* [RFID – Le clone parfait - Alex - 12 juillet 2017](https://www.latelierdugeek.fr/2017/07/12/rfid-le-clone-parfait/)
|
||||
* [Proxmark 3, le couteau suisse RFID - Bourdin Pierre - octobre 2017](https://connect.ed-diamond.com/MISC/MISCHS-016/Proxmark-3-le-couteau-suisse-RFID)
|
||||
* [A 2018 practical guide to hacking NFC/RFID - Sławomir Jasek - 4.06.2018](https://smartlockpicking.com/slides/Confidence_A_2018_Practical_Guide_To_Hacking_RFID_NFC.pdf)
|
||||
* [Infosec - NFC Mifare - @SecurityGuill](https://securityguill.com/nfc_mifare.html)
|
|
@ -0,0 +1,18 @@
|
|||
# Relay & Replay
|
||||
|
||||
## Replay Attacks
|
||||
|
||||
Replay attack is a technique where a malicious user could implement a device to intercept a NFC transaction and redeem it later, using other device or even in different location.
|
||||
|
||||
|
||||
## Relay Attack
|
||||
|
||||
The relay attack is a technique where a malicious user implements a man in the middle attack. The attacker(APDUer) is capable to intercept, manipulate and change the transaction in real time to take advantage of it. [https://en.wikipedia.org/wiki/Relay_attack](https://en.wikipedia.org/wiki/Relay_attack)
|
||||
|
||||
* NFC Payment Relay Attacks - [intro-to-nfc-payment-relay-attacks/](https://salmg.net/2018/12/01/intro-to-nfc-payment-relay-attacks/)
|
||||
* NFCopy85 is a 10 dollars device to make replay attacks against NFC payment systems - [nfcopy85](https://salmg.net/2019/06/16/nfcopy85/)
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* []()
|
|
@ -0,0 +1,20 @@
|
|||
# HF - Vigik
|
||||
|
||||
Vigik is essentially a rebranded version of MIFARE Classic because it uses the same underlying technology and standards.
|
||||
|
||||
* [cjbrigato/kigiv-for-proxmark3](https://github.com/cjbrigato/kigiv-for-proxmark3/releases) - KIGIV stands for Reverse VIGIK, the French Residential and Postal/State services Residential Security system.
|
||||
|
||||
```powershell
|
||||
modprobe -r pn533_usb
|
||||
modprobe -r pn533
|
||||
|
||||
nfc-list # Check the proper functioning of the reader
|
||||
mfoc -P 500 -O blank-card.dmp # Extract the encryption keys from the Chinese RFID chip into a file
|
||||
mfoc -P 500 -O original-card.dmp # Copy the content of the original RFID chip into a file
|
||||
nfc-mfclassic W a original-card.dmp blank-card.dmp # Write the content of the original chip onto the Chinese chip
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* []()
|
|
@ -20,3 +20,4 @@
|
|||
|
||||
* [HydraUSB3 v1.0 Specifications](https://hydrabus.com/hydrausb3-v1-0-specifications)
|
||||
* [Nullcon Goa 2023 | Cracking With Automated USB Fuzz - Subba Bachina & Conna - 31 dec. 2023](https://youtu.be/4uHg6toV69k)
|
||||
* [Hands On with Chip Off Non-Volatile Memory - Philip DuBois - June 11, 2024](https://trustedsec.com/blog/hands-on-with-chip-off-non-volatile-memory)
|
|
@ -59,3 +59,4 @@ Here is a practical example, putting a cable between MOSI and Chip Select :
|
|||
* [Solving rhme fiesta from Riscure Hardware CTF 2016 with EM Fault Injection - Dangling Pointr - 2020, Oct 11](https://pedro-javierf.github.io/devblog/rhmefaultinjection/)
|
||||
* [Hardware Power Glitch Attack (Fault Injection) - rhme2 Fiesta (FI 100) - LiveOverflow - 16 june 2017](https://www.youtube.com/watch?v=6Pf3pY3GxBM)
|
||||
* [pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle - Brad Dixon - Carve Systems - DEFCON 24](https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEF%20CON%2024%20-%20Brad-Dixon-Pin2Pwn-How-to-Root-An-Embedded-Linux-Box-With-A-Sewing-Needle-UPDATED.pdf)
|
||||
* [Replicant: Reproducing a Fault Injection Attack on the Trezor One - Voidstar - AUGUST 2022](https://voidstarsec.com/blog/replicant-part-1)
|
Loading…
Reference in New Issue