注册 登录  
 加关注
   显示下一条  |  关闭
温馨提示!由于新浪微博认证机制调整,您的新浪微博帐号绑定已过期,请重新绑定!立即重新绑定新浪微博》  |  关闭

suzumiya

宅窝

 
 
 

日志

 
 

ACR122U, mfcuk, and mfoc: Cracking MIFARE Classic on Arch Linux  

2016-02-29 07:20:24|  分类: 无线安全 |  标签: |举报 |字号 订阅

  下载LOFTER 我的照片书  |

ps:这是我转载一片老外的mfcuk配合mfoc破解M1卡的文章 转载时请注明文章地址

Background

I recently bought an ACR122U reader [1] to play around with RFID, and especially MIFARE Classic cards because of their low security [2,3,4,5] and widespread adoption.

The different sectors of the MIFARE Classic card are protected by different keys. To be able to decrypt the content of the card, the keys must be found. There are two well-known applications for this: mfcuk [6] and mfoc [7]. A typical attack scenario is to use mfcuk to find the first key of the card (which may take quite some time). When one key is found, mfoc can be used to find all other keys within minutes.

The problem

After installing libnfc [8], together with mfcuk and mfoc using AUR in Arch Linux, everything seemed to work. I launched an attack using mfcuk and got a key back after some time. The key was, however, incorrect. I assume that the bug described in [9] is the one causing trouble. The “fix” seems to be to use an older version of mfcuk. However, this will also require an older version of libnfc. This older version is, in turn, not compatible with mfoc.

Deep sigh.

So, let’s install duplicate copies of libnfc to get everything working.

Command-line frenzy

Note that # command means that the command should be executed as root, and that $ command should be executed as your own user. Also, take care to replace all instances of <user> with your own username.

I use yaourt to install packages from the AUR. You may use whatever tool you want.

mfcuk r65 and libnfc 1.5.1

A working combination of mfcuk and libnfc seems to be mfcuk r65 and libnfc 1.5.1. So let’s start by getting these, together with pcsclite and the PC/SC drivers for the ACR122U.

# pacman -S pcsclite
yaourt -S acsccid
mkdir -p ~/builds/nfc
cd ~/builds/nfc
svn checkout -r 65 http://mfcuk.googlecode.com/svn/trunk/ mfcuk-r65
tar zxf libnfc-1.5.1.tar.gz
Now, let’s compile this older libnfc version and install it in a local directory to avoid messing up the system libraries.
cd libnfc-1.5.1
./configure --prefix=/home/<user>/builds/nfc/prefix
make
make install
cd ..
Now, let’s compile mfcuk and make it use our newly compiled version of libnfc.
cd mfcuk-r65
autoreconf -is
LIBNFC_CFLAGS=-I/home/<user>/builds/nfc/prefix/include LIBNFC_LIBS="-L/home/<user>/builds/nfc/prefix/lib -lnfc" ./configure --prefix=/home/<user>/builds/nfc/prefix
make
make install
cd ..

Now lets continue to mfoc.

Note: You cannot use mfcuk just yet, because libnfc 1.7.1 needs to be installed to blacklist the kernel’s built-in drivers for the ACR122U, which will otherwise interfere with pcsclite.

mfoc 0.10.6 and libnfc 1.7.1

I will use the latest version of both libnfc and mfoc in the AUR, which (as of this writing) is 1.7.1 and 0.10.6.

yaourt -S libnfc mfoc


Done!

Find the first key using mfcuk

Now, here is the tricky part. libnfc 1.5.1 must use pcsclite to be able to communicate with the reader, while newer versions of libnfc seem to prefer not to use pcsclite at all. Follow the instructions in the order written. If something goes wrong, unplug everything, remove the card, and try again from the beginning.

  1. Open a terminal window and run (as root): pcscd -f to start the pcsclite daemon in foreground.
  2. Connect your reader (without card)
  3. Put card on reader.
  4. Run mfcuk (as root) in a new window using the not-so-nice command-line:

# LD_LIBRARY_PATH=/home/<user>/builds/nfc/prefix/lib /home/<user>/builds/nfc/prefix/bin/mfcuk -C -R 0:A -s 250 -S 250 -v 3

5.When finished, the program will print something like (key censored as XXXXXXXXXXXX):


INFO: block 3 recovered KEY: XXXXXXXXXXXX
 1 2 3 4 5 6 7 8 9 a b c d e f
 
 
ACTION RESULTS MATRIX AFTER RECOVER - UID YY YY YY YY - TYPE 0x08 (MC1K)
---------------------------------------------------------------------
Sector  |    Key A  |ACTS | RESL    |    Key B  |ACTS | RESL
---------------------------------------------------------------------
0   |  XXXXXXXXXXXX | . R | . R |  000000000000 | . . | . .
1   |  000000000000 | . . | . . |  000000000000 | . . | . .
2   |  000000000000 | . . | . . |  000000000000 | . . | . .
3   |  000000000000 | . . | . . |  000000000000 | . . | . .
4   |  000000000000 | . . | . . |  000000000000 | . . | . .
5   |  000000000000 | . . | . . |  000000000000 | . . | . .
6   |  000000000000 | . . | . . |  000000000000 | . . | . .
7   |  000000000000 | . . | . . |  000000000000 | . . | . .
8   |  000000000000 | . . | . . |  000000000000 | . . | . .
9   |  000000000000 | . . | . . |  000000000000 | . . | . .
10  |  000000000000 | . . | . . |  000000000000 | . . | . .
11  |  000000000000 | . . | . . |  000000000000 | . . | . .
12  |  000000000000 | . . | . . |  000000000000 | . . | . .
13  |  000000000000 | . . | . . |  000000000000 | . . | . .
14  |  000000000000 | . . | . . |  000000000000 | . . | . .
15  |  000000000000 | . . | . . |  000000000000 | . . | . .
  1. Finally, kill the pcscd daemon with Ctrl-C.

This key can now be used together with mfoc to crack the remaining keys.

Find the remaining keys using mfoc

Since mfoc will use the newer version of libnfc, the command will be much simpler. Ensure that you have killed pcscd above before continuing. Replace XXXXXXXXXXXX with the key you got from mfcuk above.

mfoc -O carddump.dmp -k XXXXXXXXXXXX


When finished, mfoc will dump the contents of your card both to the screen and to carddump.dmp.

文章转载于:https://zozs.se/2014/08/18/acr122u-mfcuk-mfoc-cracking-mifare-classic-on-arch-linux/
  评论这张
 
阅读(187)| 评论(0)
推荐 转载

历史上的今天

评论

<#--最新日志,群博日志--> <#--推荐日志--> <#--引用记录--> <#--博主推荐--> <#--随机阅读--> <#--首页推荐--> <#--历史上的今天--> <#--被推荐日志--> <#--上一篇,下一篇--> <#-- 热度 --> <#-- 网易新闻广告 --> <#--右边模块结构--> <#--评论模块结构--> <#--引用模块结构--> <#--博主发起的投票-->
 
 
 
 
 
 
 
 
 
 
 
 
 
 

页脚

网易公司版权所有 ©1997-2017