Cracking Mifare Classic On The Cheap - Smart Lock Picking

Transcription

Sławomir Jasek
Cracking Mifare Classic on the cheap
Workshop, HackInParis, 19-20.06.2019

Sławomir (suavomeer) Jasek (yaseck)
- Enjoying appsec (dev, break, build...) since 2003.
- „Smart lockpicking” trainings: www.smartlockpicking.com
- Significant part of time spent on research.

How much can we fit in 45 min?
- Mifare Classic – intro, hardware needed
- Card UID, cloning an access control badge using a phone
- Mifare Classic data
- Attacks and required hardware: brute leaked keys, clone hotel key; „nested”, „darkside”, „hardnested” attacks

Card types, frequencies, ...
- 125 kHz („low frequency”), RFID: EM4XX (Unique), HID Prox, Indala, Honeywell, AWID, ...
- 13.56 MHz („high frequency”), NFC: Mifare/DESFire, iCLASS, Legic, Calypso, contactless payments, ... (covered today)
- 868 MHz (UHF), other: vehicle id, asset tracking, ...

Mifare Classic
„The MIFARE Classic family is the most widely used contactless smart card ICs operating in the 13.56 MHz frequency range with read/write [...]” (NXP, ...ds/2015/03/MIFARE Classic EV1.pdf)
Used in: city cards, access control, student id, memberships, internal payment, tourist cards, ski passes, hotels, ...

Some of the Mifare Classic hacking tools – features vs price
- Proxmark 3: 50-300 EUR
- NXP PN532: 5-40 EUR
- Android smartphone: free mobile app

What will you need?
- Mifare Classic – intro
- Card UID, usage in access control, cloning
- Mifare Classic data – intro
- Attacks and required hardware: brute leaked keys; „nested”, „darkside”, „hardnested” attacks (possible as homework)

What I brought here
You can easily get it yourself - e.g. Aliexpress from China, or some local distributors. Note: the quality may vary.

What is stored on the card?
- UID – individual, read only, not protected
- Data – stored in sectors, protected by access keys

The simplest access control systems
Check just for the individual ID: 3-10 bytes (most commonly 4). Read-only, freely accessible to read. The reader checks whether the UID is registered („UID valid?”).

The UID
Security: the UID is set in the factory and cannot be altered. Only the vendor knows how to make a tag – by laser fusing of poly silicon links.
Guess what happened next?

„Magic UID” or „UID-changeable” cards
Allow changing the UID. Various generations:
- gen 1 – requires special hardware (e.g. PN532)
- gen 2 – possible to write using a mobile phone
(„MAGIC UID” card -> any UID)

EXERCISE #1 - Clone Mifare UID using a mobile phone

Our access control card
Quite a common setup for apartments, gates, parkings, offices, ...

Clone the access control card using Android
Mifare Classic Tool by @iiiikarus. Free: ...ils?id=de.syss.MifareClassicTool
Note: some phones are not compatible: ...icTool/blob/master/INCOMPATIBLE_DEVICES.md

Read UID using a mobile phone
Tools -> Display tag info. Also: MCT displays the UID when a new tag is detected.

Write UID using a smartphone?
A standard card's UID is read-only. You need a „direct write” (Gen 2) UID-changeable card. For example my business card: https://smartlockpicking.com/card

Swipe the original card by the phone

Original UID – it worked!
Swipe the „magic” card by the phone

Now try the cloned card at the reader!
Video: https://www.youtube.com/watch?v=btLQB8WCQXA

BTW, it also works for hotels
Reader by the door (not embedded in the lock) – checks the UID 171280478208

EXERCISE #2 - Mifare Classic data

What is stored on the card?
- UID – individual, read only, not protected
- Data – stored in sectors, protected by access keys

Try reading the content of the access control card
„std.keys” (default keys). The dumped content: blank, 0's.

Mifare Classic data structure
MF Classic 1K: 16 sectors, each has 4 16-byte blocks. Each sector has 2 different keys: A – e.g. for reading, B – e.g. for writing. They are stored in the last block of the sector, along with the access rights.
- Sector 0: Block 0, Block 1, Block 2, then Key A | access rights | Key B
- Sector 1: Block 4, Block 5, Block 6, then Key A | access rights | Key B

The access control (blank) card content
- Manufacturer block (read only): card UID
- Data (blank, 0's)
- Key A (default), access conditions, Key B (default)
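To make the layout from the two slides above concrete, here is an added example (my own code, not from the workshop, MCT or mfoc) that audits a Mifare Classic 1K dump the way a defender would check a batch of freshly provisioned cards: it verifies the BCC byte of the UID in the manufacturer block, parses each sector trailer (Key A, access bits, Key B), checks that the inverted copies of the access bits are consistent (an inconsistent trailer locks the sector permanently), decodes the data-block permissions, and flags sectors that still use published default keys or whose trailer lets Key B be read with Key A. It assumes the raw 1024-byte dump layout (64 blocks of 16 bytes, as mfoc -O writes); the sample card, its UID and the non-default keys in sector 1 are constructed for the demonstration.

```python
"""Audit a MIFARE Classic 1K dump: UID/BCC check, sector keys and access bits.
Added example, not from the workshop slides. Assumes a raw 1024-byte dump
(64 blocks x 16 bytes, the layout mfoc -O writes); the sample dump below is
constructed, not read from a real card."""
from dataclasses import dataclass

BLOCK_SIZE, BLOCKS_PER_SECTOR, SECTORS_1K = 16, 4, 16
# Widely published transport/standard keys (the kind found in MCT's std.keys).
WELL_KNOWN_KEYS = {bytes.fromhex(k) for k in
                   ("FFFFFFFFFFFF", "000000000000", "A0A1A2A3A4A5", "D3F7D3F7D3F7")}
# Data block rights by (C1, C2, C3): (read, write, increment, decrement/transfer/restore);
# "AB" = key A or B, "B" = key B only, "-" = never.
DATA_BLOCK_ACCESS = {
    (0, 0, 0): ("AB", "AB", "AB", "AB"),  # transport configuration
    (0, 1, 0): ("AB", "-", "-", "-"),
    (1, 0, 0): ("AB", "B", "-", "-"),
    (1, 1, 0): ("AB", "B", "B", "AB"),
    (0, 0, 1): ("AB", "-", "-", "AB"),
    (0, 1, 1): ("B", "B", "-", "-"),
    (1, 0, 1): ("B", "-", "-", "-"),
    (1, 1, 1): ("-", "-", "-", "-"),
}
# Trailer configurations in which key B can be read with key A, so it leaks in any dump.
TRAILER_KEY_B_READABLE = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}


def decode_access_bits(b6, b7, b8):
    """Return ({block: (C1, C2, C3)}, consistent). Trailer bytes 6-8 hold each bit
    plain and inverted: byte6 = ~C2|~C1, byte7 = C1|~C3, byte8 = C3|C2 (high|low
    nibble, bit k of a nibble = block k). Inconsistent copies = sector locked for good."""
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    consistent = ((~b6 >> 4) & 0xF) == c2 and (~b6 & 0xF) == c1 and (~b7 & 0xF) == c3
    return {k: ((c1 >> k) & 1, (c2 >> k) & 1, (c3 >> k) & 1) for k in range(4)}, consistent


def encode_access_bits(bits):
    """Inverse of decode_access_bits, for provisioning a trailer without bricking it."""
    c1 = c2 = c3 = 0
    for k, (x1, x2, x3) in bits.items():
        c1, c2, c3 = c1 | x1 << k, c2 | x2 << k, c3 | x3 << k
    return ((~c2 & 0xF) << 4) | (~c1 & 0xF), (c1 << 4) | (~c3 & 0xF), (c3 << 4) | c2


@dataclass
class SectorAudit:
    sector: int
    key_a: str
    key_b: str
    access_bits_valid: bool
    key_b_readable: bool
    default_key_a: bool
    default_key_b: bool
    data_access: dict  # block index within the sector -> (read, write, inc, dec)


def audit_sector(dump, sector):
    base = sector * BLOCKS_PER_SECTOR * BLOCK_SIZE
    trailer = dump[base + 3 * BLOCK_SIZE: base + 4 * BLOCK_SIZE]  # last block of the sector
    key_a, key_b = trailer[0:6], trailer[10:16]
    bits, valid = decode_access_bits(trailer[6], trailer[7], trailer[8])
    return SectorAudit(sector, key_a.hex(), key_b.hex(), valid,
                       bits[3] in TRAILER_KEY_B_READABLE,
                       key_a in WELL_KNOWN_KEYS, key_b in WELL_KNOWN_KEYS,
                       {k: DATA_BLOCK_ACCESS[bits[k]] for k in range(3)})


def check_uid_bcc(dump):
    """Block 0 (read-only manufacturer block) starts with the 4-byte UID followed by
    BCC = XOR of the UID bytes; a wrong BCC is a sign of a bad dump or a bad clone."""
    uid = dump[0:4]
    return uid.hex(), dump[4] == uid[0] ^ uid[1] ^ uid[2] ^ uid[3]


def audit_dump(dump):
    if len(dump) != SECTORS_1K * BLOCKS_PER_SECTOR * BLOCK_SIZE:
        raise ValueError("expected a 1024-byte MIFARE Classic 1K dump")
    return [audit_sector(dump, s) for s in range(SECTORS_1K)]


def weak_sectors(audits):
    """Sectors that are open or leak a key: default key A/B, or key B readable with key A."""
    return [a.sector for a in audits if a.default_key_a or a.default_key_b or a.key_b_readable]


def make_sample_dump():
    """Constructed sample: UID DE:AD:BE:EF, transport config in every sector except
    sector 1 (hypothetical non-default keys, data writable with key B only, key B not readable)."""
    uid = bytes([0xDE, 0xAD, 0xBE, 0xEF])
    block0 = uid + bytes([uid[0] ^ uid[1] ^ uid[2] ^ uid[3], 0x08, 0x04, 0x00]) + bytes(8)
    transport = bytes.fromhex("FFFFFFFFFFFF" "FF078069" "FFFFFFFFFFFF")
    hardened = (bytes.fromhex("A1B2C3D4E5F6") + bytes(encode_access_bits(
        {0: (1, 0, 0), 1: (1, 0, 0), 2: (1, 0, 0), 3: (0, 1, 1)})) + b"\x69"
        + bytes.fromhex("0F1E2D3C4B5A"))
    blocks = [block0 if (s, b) == (0, 0) else (hardened if s == 1 else transport) if b == 3
              else bytes(BLOCK_SIZE)
              for s in range(SECTORS_1K) for b in range(BLOCKS_PER_SECTOR)]
    return b"".join(blocks)


if __name__ == "__main__":
    sample = make_sample_dump()
    print("UID, BCC ok:", check_uid_bcc(sample))
    print("weak sectors:", weak_sectors(audit_dump(sample)))
```

Run it on a real dump with `audit_dump(open("card.mfd", "rb").read())`. Every sector that `weak_sectors` lists is exactly what the „try default, leaked keys” step of the cracking process later in these slides opens in a few seconds, so an empty list is the minimum bar for a card deployed with Mifare Classic; note that the access-bit encoding of `encode_access_bits` produces the familiar `78 77 88` for the hardened sector and `FF 07 80` for the transport one.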

Now try with the hotel key
This tag unlocks our hotel door lock

Try to dump the hotel tag
No, the standard keys did not work for sector 0

Leaked keys database

Our key was in the leaked db
Hotel access data

Clone the card?

Write data
In our case only sector 0 has data

Now try the cloned card at the reader
Yes, it works in so many hotels.

Wipe the „magic” card again!

The hotel key data – sector 0
Hotel key data

Hotel key data
I checked in Friday, 14.06.2019 and stay till next Saturday.

Hotel key data
I checked in Friday, 14.06.2019 and stay till next Saturday.
Check in: 2019.06.14, 9:26
Check out: 2019.06.22, 12:30

„Master” card that unlocks all the doors?
Having just a guest card for any hotel using this system, I can create a „master” card in 1 min (in most cases using just a phone).
I'm sorry I can't tell you how to do it – it looks like the vendor will not patch ;)

4-star hotel – unlock all the doors like a boss (video)

My hotel in Paris recently, same system

Mifare Classic cracking process
Try default, leaked keys (few seconds) -> Have all keys? -> YES -> HOORAY!

EXERCISE #3 - Cracking access keys using the „nested” attack

For the next challenge: the hotel has set a different, individual key. Take the next card from the set and try to read it.

Keys not leaked?
Nope, it does not work. The keys are not leaked.
Brute all the possible values? Too much time.
There are several other attacks possible!

Mifare Classic cracking process
Try default, leaked keys (few seconds) -> Have all keys? -> YES -> HOORAY!
Have all keys? -> NO -> ?

Mifare Classic cracking process
Try default, leaked keys (few seconds) -> Have all keys? -> YES -> HOORAY!
Have all keys? -> NO -> Have at least one key? -> YES -> nested -> HOORAY!

What if we could not brute the key?
„Nested” attack - exploits a weakness in the RNG and the authentication to another sector based on the previous authentication. Requires at least one key to any sector.
Technical details: http://www.cs.ru.nl/~r
(Sector 0 Key: FFFFFFFF; Sector 1 Key: unknown; Sector 2 Key: unknown; Sector 3 Key: unknown; Sector 4 Key: unknown; ...)

How to exploit it?
Not possible using a smartphone, some non-standard communication is required.
PN532 + libnfc + MFOC by Nethemba: https://github.com/nfc-tools/mfoc
Kali Linux: installed by default.

How to connect our PN532 board?

Connect to Linux, check that your device is recognized
root@kali:~#
[301928.142996] usb 1-1.3: Product: USB-Serial Controller
usb 1-1.3: Manufacturer: Prolific Technology Inc.
pl2303 1-1.3:1.0: pl2303 converter detected
usb 1-1.3: pl2303 converter now attached to ttyUSB0

Edit the /etc/nfc/libnfc.conf config file
Uncomment (at the end of the file):
device.connstring = "pn532_uart:/dev/ttyUSB0"

Check if it works correctly
root@kali:~# nfc-list
nfc-list uses libnfc 1.7.1
NFC device: pn532_uart:/dev/ttyS0 opened
OK

Troubleshooting: communication error
root@kali:~# nfc-list
nfc-list uses libnfc 1.7.1
error libnfc.driver.pn532_uart pn53x_check_communication error
nfc-list: ERROR: Unable to open NFC device: pn532_uart:/dev/ttyS0
Check your wiring

MFOC tool
root@kali:~# mfoc -O hotel.mfd
(-O: output dump file)
The tool will:
1. Check if any sector's key is default/publicly known
2. Leverage one known key to brute the others using the „nested” attack

Try default keys

Default keys found, keys to sector 0 missing

Few minutes later – found remaining keys

Using Proxmark? 5 seconds (about 2 s/key)

You can now add the cracked keys to MCT
Create a new key file or edit an existing one. From now on you can read the card content with a phone.

Mifare Classic cracking process
Try default, leaked keys (few sec) -> Have all keys? -> YES -> HOORAY!
Have all keys? -> NO -> Have at least one key? -> YES -> nested (few min) -> HOORAY!

Mifare Classic cracking process
Try default, leaked keys (few sec) -> Have all keys? -> YES -> HOORAY!
Have all keys? -> NO -> Have at least one key? -> YES -> nested (few min) -> HOORAY!
Have at least one key? -> NO -> ?

But what if all the keys are unknown?
„Darkside” attack, Nicolas T. Courtois – side channel. Tech: MFCUK by Andrei Costin, https://github.com/nfc-tools/mfcuk
With PN532 it may take 30 minutes for one key. Having one key - proceed with „nested”.
(Sector 0 Key: unknown; Sector 1 Key: unknown; Sector 2 Key: unknown; Sector 3 Key: unknown; Sector 4 Key: unknown; ...)

Libnfc implementation: MFCUK
https://github.com/nfc-tools/mfcuk
# mfcuk -C -R 0:A -s 250 -S 250 -v 3
- -R 0:A – recover Key A, sector 0
- -s 250 -S 250 – sleep options, necessary for our hardware
- -v 3 – verbosity, so we can see progress

Mifare Classic cracking process
Try default, leaked keys (few sec / 30 sec) -> Have all keys? -> YES -> HOORAY!
Have all keys? -> NO -> Have at least one key? -> YES -> nested (few min) -> HOORAY!
Have at least one key? -> NO -> darkside (30-60 min) -> cracked 1 key -> nested

MIFARE CLASSIC EV1

Mifare Classic EV1 („hardened”)
The „nested” and „darkside” attacks exploit implementation flaws (PRNG, side channel, ...).
Mifare Classic EV1, and Plus in Classic mode (SL1), fix these exploit vectors.
Your example card: „Mifare Classic EV1” with guest hotel card content.

Hardnested + libnfc
„Hardnested” attack – exploits a CRYPTO1 weakness. Tech details: http://cs.ru.nl/~rverdult/Ciphertext-only_Cryptanalysis_on_Hardened_Mifare_Classic_Cards-CCS_2015.pdf
PN532 + libnfc: miLazyCracker - automatically detects the card type, proceeds with the relevant attack. https://www.youtube.com/watch?v=VcU3Yf5AqQI

miLazyCracker – installation
root@kali:~# git clone
root@kali:~# cd miLazyCracker/
root@kali:~/miLazyCracker# ./miLazyCrackerFreshInstall.sh
Recently it may not build out of the box (missing dependencies)

miLazyCracker – installation troubleshooting
The installation depends on external sources that are not officially available any more.

miLazyCracker vs Mifare Classic EV1
root@kali:~# miLazyCracker
(...)
Card is not vulnerable to nested attack
MFOC not possible, detected hardened Mifare Classic
Trying HardNested Attack...
libnfc_crypto1_crack ffffffffffff 60 B 8 A mfc_de7d61c0_foundKeys.txt
(...)
Found key: 1ab2[...]

Mifare Classic hardened (Plus SL1, EV1) cracking
Try default, leaked keys (few seconds) -> Have all keys? -> YES -> HOORAY!
Have all keys? -> NO -> Have at least one key? -> YES -> hardnested (several min) -> HOORAY!

Mifare Classic hardened (Plus SL1, EV1) cracking
Try default, leaked keys (few seconds) -> Have all keys? -> YES -> HOORAY!
Have all keys? -> NO -> Have at least one key? -> YES -> hardnested (several min) -> HOORAY!
Have at least one key? -> NO -> ?

EV1 with all sectors secured?
„Hardnested” requires at least one known key. What if all the keys are unknown?
Recover the key using an online attack (mfkey) – requires emulating/sniffing the card to a valid reader.
Hardware: Proxmark, Chameleon Mini RevE „Rebooted” (starting 30), ...

Mifare Classic hardened (Plus SL1, EV1) cracking
Try default, leaked keys (few seconds) -> Have all keys? -> YES -> HOORAY!
Have all keys? -> NO -> Have at least one key? -> YES -> hardnested (several min) -> HOORAY!
Have at least one key? -> NO -> reader attack (trip to the reader) -> hardnested

Final NXP recommendation to upgrade (2015.10)
„NXP is recommending that existing MIFARE Classic systems are upgraded (e.g. to DESFire). Furthermore, NXP does not recommend to design in MIFARE Classic in any security relevant [...]” (...pto1-implementations/)

WANT TO LEARN MORE?

Want to learn more?
A 2018 practical guide to hacking RFID/NFC: ...nfidence.../A_2018_Practical_Guide_To_Hacking_RFID_NFC.pdf, https://www.youtube.com/watch?v=7GFhgv5jfZk

Want to learn more?
Trainings, tutorials, events, ...
Don't forget to subscribe to the newsletter: https://www.smartlockpicking.com

Jun 20, 2019 · Cracking Mifare Classic on the cheap Workshop Sławomir Jasek slawomir.jasek@