RFID penetration test-Mifare Classic card cracking (1)

Source: Internet
Author: User

0x00 Preface

I have always wanted to play with wireless security, but wangcai said the bar is low (low where? =. = Web dog: I'm stupid, Wang). So I bought an ACR122u and decided to get into it starting from NFC. Having now read up on it, this article covers the basics.

Mifare Classic cards come with 1 K to 4 K of storage. The one we run into most often is the Mifare Classic 1K (S50), the so-called M1 card. An M1 card has 16 sectors numbered 0 to 15, and each sector has its own independent key. Each sector contains 4 blocks numbered 0 to 3, and each block holds 16 bytes. (Numbering starts from 0, just like array subscripts.)

Block 3, the fourth block of each sector, is the sector trailer; it stores KeyA, KeyB and the access control bits. Every card also has a unique UID. For details of the card layout, look it up on Baidu.

This is the object of study in this article. Google tells us that attacks on this type of card roughly fall into the following categories:


1) Brute-force cracking

Brute-force cracking works well against M1 cards. Because the M1 card is passive, a reader has to supply its power; once the power is cut, the card's temporary state is lost, so there is no such thing as the card locking itself after too many wrong keys.
FFFFFFFFFFFF, A0B0C0D0E0F0 and the like are the default keys of blank M1 cards, so when we use a tool such as mfoc to crack the keys of the remaining sectors, it is basically these default keys that turn out to fill the remaining sectors.
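The sector/block layout, the sector trailer (KeyA, access bits, KeyB, with the FF 07 80 69 transport access bytes the article shows later) and the default keys above are the kind of thing a card owner should be able to audit in a dump of their own card. The following is an added example, not code from the article: it builds a constructed 1K dump, decodes each trailer, checks that the access bits are internally consistent (the card stores each bit twice, once inverted), and lists the sectors still on a default key. The default-key list contains only the two keys the article names; the UID, the changed key in sector 4 and the corrupted access bytes in sector 7 are constructed sample data.

```python
from __future__ import annotations

# Added example (not from the article): sector/block arithmetic for a Mifare
# Classic 1K dump, sector-trailer decoding, and an audit that lists which
# sectors still carry the default keys the article names. The dump is constructed.

BLOCK_SIZE = 16
BLOCKS_PER_SECTOR = 4
SECTORS_1K = 16
DUMP_SIZE_1K = SECTORS_1K * BLOCKS_PER_SECTOR * BLOCK_SIZE   # 1024 bytes

# Default (transport) keys mentioned in the article, as upper-case hex.
DEFAULT_KEYS = {"FFFFFFFFFFFF", "A0B0C0D0E0F0"}


def block_to_sector(block: int) -> tuple[int, int]:
    """Map an absolute block number (0..63) to (sector, block within sector)."""
    return divmod(block, BLOCKS_PER_SECTOR)


def trailer_block(sector: int) -> int:
    """Absolute number of the sector trailer, i.e. block 3 of the sector."""
    return sector * BLOCKS_PER_SECTOR + BLOCKS_PER_SECTOR - 1


def decode_access_bits(b6: int, b7: int, b8: int) -> dict:
    """Decode the three access bytes of a trailer. The card stores each
    access bit twice (once inverted); datasheet layout:
        byte 6 = ~C2[3..0] ~C1[3..0]
        byte 7 =  C1[3..0] ~C3[3..0]
        byte 8 =  C3[3..0]  C2[3..0]
    Bit i of each nibble belongs to block i of the sector (3 = trailer).
    Returns per-block (C1, C2, C3) triples and whether the inverted copies
    agree with the plain ones; FF 07 80 is the transport configuration."""
    inv_c2, inv_c1 = b6 >> 4, b6 & 0xF
    c1, inv_c3 = b7 >> 4, b7 & 0xF
    c3, c2 = b8 >> 4, b8 & 0xF
    consistent = all(x ^ y == 0xF for x, y in ((c1, inv_c1), (c2, inv_c2), (c3, inv_c3)))
    per_block = [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]
    return {"consistent": consistent, "blocks": per_block}


def parse_trailer(block: bytes) -> dict:
    """Split a 16-byte trailer into KeyA (6), access bytes (3), user byte, KeyB (6)."""
    if len(block) != BLOCK_SIZE:
        raise ValueError("trailer must be 16 bytes")
    return {"key_a": block[0:6].hex().upper(),
            "access": decode_access_bits(block[6], block[7], block[8]),
            "user_byte": block[9],
            "key_b": block[10:16].hex().upper()}


def uid_of(dump: bytes) -> str:
    """UID from sector 0 block 0 (4-byte UID followed by its BCC, the XOR of
    the four UID bytes); raises if the BCC does not match."""
    uid = dump[0:4]
    if dump[4] != uid[0] ^ uid[1] ^ uid[2] ^ uid[3]:
        raise ValueError("UID check byte (BCC) mismatch")
    return uid.hex().upper()


def audit_dump(dump: bytes) -> list[dict]:
    """Per sector: are KeyA/KeyB still default keys, are access bits well formed.
    Assumes the trailer key fields in the dump hold the keys (as a cracking
    tool writes them); a plain read leaves KeyA as zeros since it is unreadable."""
    if len(dump) != DUMP_SIZE_1K:
        raise ValueError("expected a 1024-byte Mifare Classic 1K dump")
    findings = []
    for sector in range(SECTORS_1K):
        start = trailer_block(sector) * BLOCK_SIZE
        t = parse_trailer(dump[start:start + BLOCK_SIZE])
        findings.append({"sector": sector,
                         "key_a_default": t["key_a"] in DEFAULT_KEYS,
                         "key_b_default": t["key_b"] in DEFAULT_KEYS,
                         "access_ok": t["access"]["consistent"]})
    return findings


def build_sample_dump() -> bytes:
    """Constructed 1K dump: every sector in transport configuration
    (keys FFFFFFFFFFFF, access bytes FF 07 80 69) except sector 4, which has
    a changed KeyA, and sector 7, whose access bytes were corrupted."""
    transport_trailer = bytes.fromhex("FFFFFFFFFFFF" "FF078069" "FFFFFFFFFFFF")
    blocks = []
    for sector in range(SECTORS_1K):
        blocks.extend(bytes(BLOCK_SIZE) for _ in range(BLOCKS_PER_SECTOR - 1))
        trailer = bytearray(transport_trailer)
        if sector == 4:
            trailer[0:6] = bytes.fromhex("112233445566")  # constructed non-default key
        if sector == 7:
            trailer[7] = 0x00        # C1/~C1 still agree, C3/~C3 no longer do
        blocks.append(bytes(trailer))
    dump = bytearray(b"".join(blocks))
    uid = bytes.fromhex("12345678")                       # constructed UID
    dump[0:5] = uid + bytes([uid[0] ^ uid[1] ^ uid[2] ^ uid[3]])
    return bytes(dump)


if __name__ == "__main__":
    d = build_sample_dump()
    print("UID", uid_of(d))
    for f in audit_dump(d):
        if f["key_a_default"] or f["key_b_default"] or not f["access_ok"]:
            print(f)
```

Run against a real dump, the interesting output is the list of sectors where `key_a_default` or `key_b_default` is still true: those are exactly the sectors a default-key tool recovers for free, and a card that keeps its balance in a sector whose other key is still FFFFFFFFFFFF is no better protected than one with no key at all. A sector whose access bits fail the consistency check is blocked by the card itself, so that finding usually points at a bad dump rather than at the card.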

2) Replay attacks

We just said that the M1 card is passive. When it is powered, it generates a random sequence; once the power is cut the state is not kept, and on the next power-up the same sequence is generated again. So we can control the power cut, work out the timing of the sequence for the next power-up, and replay the exchange to modify data.

3) Cloning a card (card copy)

The sectors of an M1 card store data, so most cards keep their data in encrypted sectors. We can copy a card onto a UID card. Each M1 card carries a unique identifier in sector 0 block 0, which normally cannot be modified; a UID card is a card whose sector 0 is unprotected, so you can write whatever UID you like into it and thereby clone a card with the same UID. (But do not break sector 00: in a previous test sector 00 could not be read, for unknown reasons.)

4) Sniffing attack

Here a PM3 is used to sniff the data exchanged between the card and the reader, and with the XOR key calculation tool the key of a sector can be computed from the captured data (which is to say, I cannot afford one).

0x01 Details

Enough popular science. Next we use an example to show how to crack an M1 card (I have only just gotten into this; if anything is wrong, please correct me).

For brute-force cracking we use an ACR122u, mfoc and libnfc.

The ACR122u is the hardware that powers, reads and writes the card; mfoc does the cracking; libnfc is used for writing data.

We can see that the card type has been read, and the KeyA and KeyB shown below are what we want to crack. Alternatively, there is a simpler and cruder option: search Baidu for the "M1 card service program".

Wait a while and you will find that all 16 ticks are marked, meaning the attack has succeeded. A dump file is then generated in the current directory containing the full contents of the card. dumpfile1 is only 1 K in size; under Windows you need the fixdump tool to fill in the remaining part.

fixdump dumpfile1

That fixes it and the size becomes 4 K. Next we spend from the card (change the data in the region you want to modify).

In the sector trailer, the first 6 bytes of FF are KeyA and the last 6 bytes are KeyB; the FF 07 80 69 in the middle are the access control bits.

Dump the data again as dumpfile2 and fix it

fixdump dumpfile2

Now we have two samples, and we do a hex diff. On Linux, use diff directly; on Windows, hexcmp2 works.

After the diff, the region where the data changed is found.

This article only modifies a simple Jinlong card, so after two samples you can easily find the sector where the data lives. For a more complicated modification, for instance an attack on access control, more rounds of sampling may be needed.

We can see some values in this sector. The 40 and FF at the end are the addresses where the value is stored, and we do not need to worry about them. On an M1 card, values are normally stored in reverse byte order; however, it is possible that the card of my lousy local school stores the amount directly as a hexadecimal number...

Two more remarks. Usually data is stored in reverse byte order: for example, F9 FE is actually FE F9; convert that to binary and then to decimal. The data may also be encrypted, in which case the saved value is obtained after decryption.

In the figure, the largest value I successfully modified is 640.00 yuan, whose hex value is FA 00. During the test the author overestimated the school and guessed at its conversion algorithm many times; after 20 rounds of sampling a wild idea struck, and it turned out to be a straight decimal-to-hexadecimal conversion... That simple! F9 FE is 63998 in decimal; ignore the decimal point.
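The sampling-and-diff procedure above, the two byte orders the article weighs up (F9 FE read in reverse versus as-is) and the "addresses at the end" of the block are all things the M1 card's own value-block layout speaks to. The following is an added example, not code from the article: it diffs two constructed 1K dumps block by block, decodes a changed two-byte field both ways, and builds and validates a Mifare Classic value block (value, inverted value, value, then address bytes). The dump contents, the sector numbers and the balances used are constructed; the value-block layout is from the Mifare Classic datasheet.

```python
from __future__ import annotations

# Added example (not from the article): diff two 1K dumps taken before and
# after the balance changed, decode the changed field both ways the article
# discusses, and validate Mifare's own "value block" layout. Dumps are constructed.

BLOCK_SIZE = 16
BLOCKS_PER_SECTOR = 4


def diff_dumps(before: bytes, after: bytes) -> list[dict]:
    """One record per block whose bytes differ: sector, offsets of the changed
    bytes, the changed span before/after, and whether it is a sector trailer
    (a key or access-bit change is a different event from a balance change)."""
    if len(before) != len(after):
        raise ValueError("dumps differ in size; run fixdump on both first")
    changes = []
    for blk in range(len(before) // BLOCK_SIZE):
        a = before[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE]
        b = after[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE]
        if a == b:
            continue
        offsets = [i for i in range(BLOCK_SIZE) if a[i] != b[i]]
        sector, idx = divmod(blk, BLOCKS_PER_SECTOR)
        lo, hi = offsets[0], offsets[-1] + 1
        changes.append({"block": blk, "sector": sector, "offsets": offsets,
                        "is_trailer": idx == BLOCKS_PER_SECTOR - 1,
                        "before": a[lo:hi].hex().upper(),
                        "after": b[lo:hi].hex().upper()})
    return changes


def decode_field(raw: bytes) -> dict:
    """Read a changed field as little-endian (reverse byte order, the usual case
    the article describes) and as big-endian (as-is, what its card turned out
    to use: F9 FE -> 63998, FA 00 -> 64000, i.e. 640.00 with two decimals)."""
    return {"little_endian": int.from_bytes(raw, "little"),
            "big_endian": int.from_bytes(raw, "big")}


def make_value_block(value: int, addr: int) -> bytes:
    """Build a Mifare Classic value block: value (int32 LE), ~value, value,
    then addr, ~addr, addr, ~addr. addr is a block number the application
    chooses, which is what the trailing address bytes in the article are."""
    v = value.to_bytes(4, "little", signed=True)
    inv = bytes(x ^ 0xFF for x in v)
    return v + inv + v + bytes([addr, addr ^ 0xFF, addr, addr ^ 0xFF])


def parse_value_block(block: bytes) -> int | None:
    """Return the value if all redundant copies agree, else None. A raw hex
    edit that rewrites only the first copy (as a naive dump edit would) fails
    this check; the card's increment/decrement commands likewise only operate
    on a correctly formatted value block."""
    if len(block) != BLOCK_SIZE:
        return None
    v1, inv, v2, a = block[0:4], block[4:8], block[8:12], block[12:16]
    if v1 != v2 or bytes(x ^ 0xFF for x in v1) != inv:
        return None
    if not (a[0] == a[2] and a[1] == a[3] and a[0] ^ 0xFF == a[1]):
        return None
    return int.from_bytes(v1, "little", signed=True)


def build_sample_dumps() -> tuple[bytes, bytes]:
    """Constructed before/after dumps. Sector 4 block 0 holds a plain two-byte
    balance (F9 FE, then FA 00, the two values the article quotes); sector 5
    block 0 holds a proper value block of 12300 that is changed to 11000."""
    before, after = bytearray(1024), bytearray(1024)
    plain = 16 * BLOCK_SIZE                      # sector 4, block 0
    before[plain:plain + 2] = bytes.fromhex("F9FE")
    after[plain:plain + 2] = bytes.fromhex("FA00")
    vb = 20 * BLOCK_SIZE                         # sector 5, block 0
    before[vb:vb + BLOCK_SIZE] = make_value_block(12300, 20)
    after[vb:vb + BLOCK_SIZE] = make_value_block(11000, 20)
    return bytes(before), bytes(after)


if __name__ == "__main__":
    b, a = build_sample_dumps()
    for c in diff_dumps(b, a):
        print(c["sector"], c["block"], c["offsets"], c["before"], "->", c["after"])
        if not c["is_trailer"] and len(c["offsets"]) == 2:
            print("  decoded:", decode_field(bytes.fromhex(c["after"])))
```

Two things to take from this. First, a plain two-byte field that moves between samples, decodes cleanly in one byte order, and lives in a sector still on a default key is the whole story of the article's card: there is nothing on the card that ties the value to anything else. Second, the value-block redundancy catches careless edits and lets the card reject malformed increment/decrement operations, but it is not a security control, since anyone holding the sector key can write a fully consistent block; the protection has to come from the sector keys and from back-end reconciliation, not from the card's storage format.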

Then use libnfc to write the data:

.\nfc-mfclassic.exe w b dumpfile_new dumpfile_old

At this point the attack is more or less complete (in the narrow sense of modifying data, not of solving anything else).

The last screenshot shows the test after the successful rewrite.

The attack took three hours (the back-and-forth sampling takes a lot of time).

As for the authentication vulnerability attack: we mentioned earlier that each sector has an independent key. Usually key data (such as the balance of a meal card) is stored in some sector, say sector 4, whose default key has been changed while the other sectors still use the default key. So how can we use the other sectors to get at sector 4? This is where the authentication vulnerability attack comes in, namely the nested authentication attack, which is used when we know the key of any one of the 16 sectors to crack the others.

First, we know that the M1 card's algorithm is a symmetric encryption algorithm: the reader stores the same key and encrypts with the same algorithm. When the card talks to the reader, the reader first authenticates to sector 0; the card sends a random sequence a (plaintext) to the reader; the reader encrypts it and at the same time generates an encrypted random sequence B (ciphertext), which it returns. The card decrypts the returned sequence, and if it is the sequence it sent earlier it considers it correct; it then encrypts the reader's random number with its own algorithm and sends it back to the reader. The reader decrypts it, and if it matches the random number B sent earlier, the authentication is deemed to have passed. All data thereafter is encrypted with this algorithm.

Throughout the process only a is in plaintext; everything after it is ciphertext. If the card sends a message to the reader and the reader encrypts it with the wrong key and sends it back, the card's decryption fails and the authentication is aborted.
But we know the key of another sector. After authenticating successfully with that sector, all subsequent data exchange is ciphertext. When we then go to read another sector, it is again the card that sends the random number a first, but this a is now encrypted, and since each sector's key is independent, a is encrypted with the algorithm keyed by this new sector's key. That data therefore carries information about this sector's key, and we can go on to recover the sector key through the weakness in the algorithm.

It is because of this principle that the key of at least one other sector must be known for the authentication vulnerability attack.

0x02 Summary

For a friend who has just gotten into this, brute-force cracking is the simplest and crudest method, and it is the only one the program can automate (the next article, or the one after, may cover cracking based on replay attacks).

Second, the main work is the repeated sampling and repeated diffing, which exercises both the body and the mind.

Next, when time permits, I will continue to study mfoc's other cracking functions, such as replay, or fully crack the other features of the HBA (since it is online, I could easily take the logistics system).
