NFC dictionary attack and Vigik services

pull/25/head
Swissky 2024-08-24 13:04:15 +02:00
parent afec0ee0dc
commit e3b3caac12
4 changed files with 58 additions and 11 deletions


@ -27,6 +27,8 @@ while True:
### Implementation
![UDS message structure](../assets/uds-message-frame-can-bus.svg)
* [pylessard/python-udsoncan](https://github.com/pylessard/python-udsoncan) - Python implementation of UDS (ISO-14229) standard.
* [driftregion/iso14229](https://github.com/driftregion/iso14229) - C implementation of ISO 14229 (UDS) server and client for embedded systems

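Review bot: the two new bullets name the same standard two different ways ("ISO-14229" in the python-udsoncan entry, "ISO 14229" in the iso14229 entry); use one form, e.g. "ISO 14229", for both. The image line also points at a relative asset, `../assets/uds-message-frame-can-bus.svg`, so confirm that file is one of the 4 changed files in this commit, otherwise the rendered page shows a broken image above the list.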

@ -4,6 +4,31 @@
New method for Proxmark : `hf mf autopwn`
### Dictionary attack
Common keys to try against the card when attempting a dictionnary attack.
| Key | Description |
| ---- | ---- |
| FFFFFFFFFFFF | Default key |
| 000000000000 | Blank key |
| A396EFA4E24F | FM11RF08S universal backdoor key |
| A31667A8CEC1 | FM11RF08 older backdoor key |
More keys and dictionnaries can be found at the following links:
* [RfidResearchGroup/proxmark3/dictionaries](https://github.com/RfidResearchGroup/proxmark3/tree/master/client/dictionaries)
* [ikarus23/MifareClassicTool/std.keys](https://github.com/ikarus23/MifareClassicTool/blob/master/Mifare%20Classic%20Tool/app/src/main/assets/key-files/std.keys)
* [ikarus23/MifareClassicTool/extended-std.keys](https://github.com/ikarus23/MifareClassicTool/blob/master/Mifare%20Classic%20Tool/app/src/main/assets/key-files/extended-std.keys)
```powershell
hf mf chk *1 ? t # Default keys
hf mf chk *1 ? d default_keys.dic
hf mf chk 0 A default_keys.dic # Dictionary attack with file: default_keys.dic
```
### Darkside attack (PRNG Weak)
**Proxmark method**
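Review bot: "dictionnary" is misspelled three times in this hunk, in the sentence under `### Dictionary attack` ("attempting a dictionnary attack") and in "More keys and dictionnaries can be found"; the heading itself is spelled correctly, so align the text with it ("dictionary", "dictionaries"). The key table gives no source for the two backdoor keys; a short pointer to the reference that documents them (the static-encrypted-nonce paper added to the references in this same commit) would let a reader check which Fudan chip variants each key applies to, since the description column only names the chip family. Finally, the commands `hf mf chk *1 ? t` and `hf mf chk 0 A default_keys.dic` use the positional syntax of the original Proxmark3 client, while `hf mf autopwn` two lines above exists only in the RfidResearchGroup client, whose `hf mf chk` takes flags instead (e.g. `hf mf chk --1k -f default_keys.dic`; worth checking against the client's own help); say which client each example targets, or give both forms.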
@ -150,16 +175,6 @@ hf 14a raw -p -c a0 00
hf 14a raw -p -c de ad be ef 22 08 04 00 46 59 25 58 49 10 23 02
```
### Key Bruteforce/Dictionary attack
* [ikarus23/MifareClassicTool/std.keys](https://github.com/ikarus23/MifareClassicTool/blob/master/Mifare%20Classic%20Tool/app/src/main/assets/key-files/std.keys)
* [ikarus23/MifareClassicTool/extended-std.keys](https://github.com/ikarus23/MifareClassicTool/blob/master/Mifare%20Classic%20Tool/app/src/main/assets/key-files/extended-std.keys)
```powershell
hf mf chk *1 ? t # Default keys
hf mf chk *1 ? d default_keys.dic
hf mf chk 0 A default_keys.dic # Dictionary attack with file: default_keys.dic
```
### Write and read sectors
@ -275,3 +290,4 @@ Again, watch out to have correct BCC and avoid Cascading Tag (0x88) as first byt
* [Coffee, NFC, Exploit, Coffee again - ari_ - 14 NOVEMBER 2017](http://arishitz.net/coffee-nfc-exploit-coffee-again/)
* [ACR122U, mfcuk, and mfoc: Cracking MIFARE Classic on Arch Linux - Linus Karlsson - 2014-08-18](https://linuskarlsson.se/blog/acr122u-mfcuk-and-mfoc-cracking-mifare-classic-on-arch-linux/)
* [Reading NFC cards - Flipper Docs](https://docs.flipper.net/nfc/read)
* [MIFARE Classic: exposing the static encrypted nonce variant - Philippe Teuwen](https://eprint.iacr.org/2024/1275.pdf)

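Review bot: the new reference entry omits the year, while the three entries above it end with an author and a date; the ePrint identifier `2024/1275` gives the year, so write it as `* [MIFARE Classic: exposing the static encrypted nonce variant - Philippe Teuwen - 2024](https://eprint.iacr.org/2024/1275.pdf)`. This paper is also the source for the FM11RF08S / FM11RF08 backdoor keys added to the key table earlier in this file, so citing it next to that table as well would help.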

@ -14,6 +14,34 @@ mfoc -P 500 -O original-card.dmp # Copy the content of the original RFID chip in
nfc-mfclassic W a original-card.dmp blank-card.dmp # Write the content of the original chip onto the Chinese chip
```
## Residential & Service Tokens
Usually the key A is `0x314b49474956` ("1KIGIV")
* Residential token - can access one given building at any time
* Service token - (based on Mifare Classic + RSA signature of 768 or 1024 bits) can access all buildings during specific time slots
| Provider | Service Code | Days | Hours |
| --- | --- | --- | --- |
| La Poste Service Universel | 0x7aa | Mo-Sa | 6:00-0:00 |
| La Poste Autre Services | 0x7ab | Any day | 6:00-0:00 |
| France Telecom | 0x7ac | Any day | Any time |
| EDF-GDF | 0x7ad | Any day | Any time |
### Public Keys
```ps1
"La Poste Service Universel", 0x07AA, "AB9953CBFCCD9375B6C028ADBAB7584BED15B9CA037FADED9765996F9EA1AB983F3041C90DA3A198804FF90D5D872A96A4988F91F2243B821E01C5021E3ED4E1BA83B7CFECAB0E766D8563164DE0B2412AE4E6EA63804DF5C19C7AA78DC14F608294D732D7C8C67A88C6F84C0F2E3FAFAE34084349E11AB5953AC68729D07715"
"La Poste Service Universel", 0x07AA, "1577D02987C63A95B51AE149430834AEAF3F2E0F4CF8C6887AC6C8D732D79482604FC18DA77A9CC1F54D8063EAE6E42A41B2E04D1663856D760EABECCFB783BAE1D43E1E02C5011E823B24F2918F98A4962A875D0DF94F8098A1A30DC941303F98ABA19E6F996597EDAD7F03CAB915ED4B58B7BAAD28C0B67593CDFCCB5399AB"
"La Poste Autres Services", 0x07AB, "A6D99B8D902893B04F3F8DE56CB6BF24338FEE897C1BCE6DFD4EBD05B7B1A07FD2EB564BB4F7D35DBFE0A42966C2C137AD156E3DAB62904592BCA20C0BC7B8B1E261EF82D53F52D203843566305A49A22062DECC38C2FE3864CAD08E79219487651E2F79F1C9392B48CAFE1BFFAFF4802AE451E7A283E55A4026AD1E82DF1A15"
"La Poste Autres Services", 0x07AB, "151adf821ead26405ae583a2e751e42a80f4afff1bfeca482b39c9f1792f1e65879421798ed0ca6438fec238ccde6220a2495a3066358403d2523fd582ef61e2b1b8c70b0ca2bc92459062ab3d6e15ad37c1c26629a4e0bf5dd3f7b44b56ebd27fa0b1b705bd4efd6dce1b7c89ee8f3324bfb66ce58d3f4fb09328908d9bd9a6"
"France Telecom", 0x07AC, "C44DBCD92F9DCF42F4902A87335DBB35D2FF530CDB09814CFA1F4B95A1BD018D099BC6AB69F667B4922AE1ED826E72951AA3E0EAAA7D49A695F04F8CDAAE2D18D10D25BD529CBB05ABF070DC7C041EC35C2BA7F58CC4C349983CC6E11A5CBE828FB8ECBC26F08E1094A6B44C8953C8E1BAFD214DF3E69F430A98CCC75C03669D"
"France Telecom", 0x07AC, "9d66035cc7cc980a439fe6f34d21fdbae1c853894cb4a694108ef026bcecb88f82be5c1ae1c63c9849c3c48cf5a72b5cc31e047cdc70f0ab05bb9c52bd250dd1182daeda8c4ff095a6497daaeae0a31a95726e82ede12a92b467f669abc69b098d01bda1954b1ffa4c8109db0c53ffd235bb5d33872a90f442cf9d2fd9bc4dc4"
"EDF-GDF", 0x07AD, "B35193DBD2F88A21CDCFFF4BF84F7FC036A991A363DCB3E802407A5E5879DC2127EECFC520779E79E911394882482C87D09A88B0711CBC2973B77FFDAE40EA0001F595072708C558B484AB89D02BCBCB971FF1B80371C0BE30CB13661078078BB68EBCCA524B9DD55EBF7D47D9355AFC95511350CC1103A5DEE847868848B235"
"EDF-GDF", 0x07AD, "35b248888647e8dea50311cc50135195fc5a35d9477dbf5ed59d4b52cabc8eb68b0778106613cb30bec07103b8f11f97cbcb2bd089ab84b458c508270795f50100ea40aefd7fb77329bc1c71b0889ad0872c4882483911e9799e7720c5cfee2721dc79585e7a4002e8b3dc63a391a936c07f4ff84bffcfcd218af8d2db9351b3"
```
## References
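Review bot: the `### Public Keys` block presents each provider's key twice without saying why, and the lowercase line is the same modulus as the uppercase line with its byte order reversed (compare the tail of the first La Poste Service Universel value, `...29D07715`, with the head of the second, `1577D029...`, and the head of the first, `AB9953CB...`, with the tail of the second, `...5399AB`); as written it reads as two distinct keys per provider, so either keep one representation and state its byte order, or label the two lines (e.g. big-endian / little-endian) so a reader knows which one to feed to an RSA verifier. The block is also fenced as `ps1` although it contains no PowerShell, only quoted strings and hex; a plain fence or `text` fits better. Since the "Service token" bullet says these are RSA signatures, the block should also give the public exponent or say it is unknown, as a modulus alone is not a usable public key. Minor consistency points in the same hunk: the provider is "La Poste Autre Services" in the table but "La Poste Autres Services" in the key block, and the service code is written `0x7aa` in the table and `0x07AA` below; pick one spelling and one hex format for both.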