RFID hacking: breaking Mifare security

  1. #1 I'm working on this...
    After some tinkering I have managed to build the mfcuk_keyrecovery_darkside executable. I hope I built it correctly, hehe; if not, I'll be posting my progress through this fascinating little world...

    The only thing is that when I run it, the following comes out.
    Could you help me by explaining how to use it and which parameters to pass to it?

    ====================================================
    root@gandalf-laptop:~/fuck/9/libnfc/mfcuk-read-only# mfcuk_keyrecovery_darkside -h


    MFCUK - MiFare Classic Universal toolKit - 0.1
    Mifare Classic DarkSide Key Recovery Tool - 0.3
    by Andrei Costin, [email protected], http://andreicostin.com

    WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_skgt.mfd'
    WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_ratb.mfd'
    WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_oyster.mfd'
    Fallo de segmentación
    root@gandalf-laptop:~/fuck/9/libnfc/mfcuk-read-only#
    =======================================================
    If I run it without parameters, the program's options are shown:

    root@gandalf-laptop:~/fuck/9/libnfc/mfcuk-read-only# mfcuk_keyrecovery_darkside

    MFCUK - MiFare Classic Universal toolKit - 0.1
    Mifare Classic DarkSide Key Recovery Tool - 0.3
    by Andrei Costin, [email protected], http://andreicostin.com


    Usage:
    -C - require explicit connection to the reader. Without this option, the connection is not made and recovery will not occur
    -i mifare.dmp - load input mifare_tag type dump
    -I mifare_ext.dmp - load input extended dump specific to this tool, has several more fields on top of mifare_tag type dump
    -o mifare.dmp - output the resulting mifare_tag dump to a given file
    -O mifare_ext.dmp - output the resulting extended dump to a given file
    -V sector[:A/B/any_other_alphanum[:fullkey]] - verify key for specified sector, -1 means all sectors
    After first semicolon key-type can specified: A verifies only keyA, B verifies only keyB, anything else verifies both keys
    After second semicolon full 12 hex-digits key can specified - this key will override any loaded dump key for the given sector(s) and key-type(s)
    -R sector[:A/B/any_other_alphanum] - recover key for sector, -1 means all sectors.
    After first semicolon key-type can specified: A recovers only keyA, B recovers only keyB, anything else recovers both keys
    -U UID - force specific UID. If a dump was loaded with -i, -U will overwrite the in the memory where dump was loaded
    -M tagtype - force specific tagtype. 8 is 1K, 24 is 4K, 32 is DESFire
    -D - for sectors and key-types marked for verification, in first place use default keys to verify (maybe you are lucky)
    -d key - specifies additional full 12 hex-digits default key to be checked. Multiple -d options can be used for more additional keys
    -s - miliseconds to sleep for DROP FIELD
    -S - miliseconds to sleep for CONSTANT DELAY
    -P hex_literals_separated - try to recover the key from a conversation sniffed with Proxmark3 (mifarecrack.c based). Accepts several options:
    Concatenated string in hex literal format of form uid:tag_chal:nr_enc:reader_resp:tag_resp
    Example -P 0x5c72325e:0x50829cd6:0xb8671f76:0xe00eefc9:0x4888964f would find key FFFFFFFFFFFF
    -p proxmark3_full.log - tries to parse the log file on it's own (mifarecrack.py based), get the values for option -P and invoke it
    -F - tries to fingerprint the input dump (-i) against known cards' data format


    Thanks in advance

  2. #2 Help using mfcuk with an ACR122U and a Mifare card?
    Let me explain:
    the third command gets stuck on an error.

    So far I have been able to run the following commands, with their respective outputs:

    ==========================================================
    1
    %mfcuk_keyrecovery_darkside -U 0240fe5d -M 8 -C 0

    MFCUK - MiFare Classic Universal toolKit - 0.1
    Mifare Classic DarkSide Key Recovery Tool - 0.3
    by Andrei Costin, [email protected], http://andreicostin.com


    INFO: Connected to NFC reader: ACS ACR122U 00 00 / ACR122U207 - PN532 v1.6 (0x07)


    VERIFY:
    Key A sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f
    Key B sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f

    RECOVER: 0 1 2 3 4 5 6 7 8 9 a b c d e f
    ==============================================================
    The output above suggests to me that it is running in a dummy fashion without doing much...
    ==============================================================


    2
    %mfcuk_keyrecovery_darkside -U 0240fe5d -M 8 -C 0 -V 1:A -o mifare_jhon.dmp

    MFCUK - MiFare Classic Universal toolKit - 0.1
    Mifare Classic DarkSide Key Recovery Tool - 0.3
    by Andrei Costin, [email protected], http://andreicostin.com


    INFO: Connected to NFC reader: ACS ACR122U 00 00 / ACR122U207 - PN532 v1.6 (0x07)


    VERIFY:
    Key A sectors: 0 1ERROR: AUTH sector 1, block 7, key 000000000000, key-type 0x60, error code 0x00
    2 3 4 5 6 7 8 9 a b c d e f
    Key B sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f

    RECOVER: 0 1 2 3 4 5 6 7 8 9 a b c d e f
    ==============================================================

    3
    %mfcuk_keyrecovery_darkside -U 0240fe5d -M 8 -C 0 -R 1:A -o mifare_jhon.dmp

    MFCUK - MiFare Classic Universal toolKit - 0.1
    Mifare Classic DarkSide Key Recovery Tool - 0.3
    by Andrei Costin, [email protected], http://andreicostin.com


    INFO: Connected to NFC reader: ACS ACR122U 00 00 / ACR122U207 - PN532 v1.6 (0x07)


    VERIFY:
    Key A sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f
    Key B sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f

    RECOVER: 0 1

    ERROR: configuring NDO_ACTIVATE_FIELD
    ERROR: mfcuk_key_recovery_block() (error code=0x08)
    ERROR: configuring NDO_ACTIVATE_FIELD
    ERROR: mfcuk_key_recovery_block() (error code=0x08)
    ERROR: configuring NDO_ACTIVATE_FIELD
    ERROR: mfcuk_key_recovery_block() (error code=0x08)
    ERROR: configuring NDO_ACTIVATE_FIELD
    ERROR: mfcuk_key_recovery_block() (error code=0x08)
    ERROR: configuring NDO_ACTIVATE_FIELD
    ERROR: mfcuk_key_recovery_block() (error code=0x08)
    ERROR: configuring NDO_ACTIVATE_FIELD
    ERROR: mfcuk_key_recovery_block() (error code=0x08)
    ERROR: configuring NDO_ACTIVATE_FIELD
    ERROR: mfcuk_key_recovery_block() (error code=0x08)
    ERROR: configuring NDO_ACTIVATE_FIELD
    ERROR: mfcuk_key_recovery_block() (error code=0x08)
    ..
    ..
    ..
    ===============================================================
    It stays looping on that error. Also, after this command the reader's LED stays red and it no longer responds to any other command... so every time I have run this command I have had to restart the computer...
    ===============================================================


    %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
    %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
    I'm attaching the following information about my system and reader, so that you have more to go on and can help me...
    ===============================================================
    root@gandalf-laptop:~# pcsc_scan
    PC/SC device scanner
    V 1.4.14 (c) 2001-2008, Ludovic Rousseau <[email protected]>
    Compiled with PC/SC lite version: 1.4.99
    Scanning present readers
    0: ACS ACR122U 00 00

    Sat Aug 28 14:12:40 2010
    Reader 0: ACS ACR122U 00 00
    Card state: Card inserted,
    ATR: 3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 01 00 00 00 00 6A

    ATR: 3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 01 00 00 00 00 6A
    + TS = 3B --> Direct Convention
    + T0 = 8F, Y(1): 1000, K: 15 (historical bytes)
    TD(1) = 80 --> Y(i+1) = 1000, Protocol T = 0
    -----
    TD(2) = 01 --> Y(i+1) = 0000, Protocol T = 1
    -----
    + Historical bytes: 80 4F 0C A0 00 00 03 06 03 00 01 00 00 00 00
    Category indicator byte: 80 (compact TLV data object)
    Tag: 4, len: F (initial access data)
    Initial access data: 0C A0 00 00 03 06 03 00 01 00 00 00 00
    + TCK = 6A (correct checksum)

    Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
    3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 01 00 00 00 00 6A
    Philips MIFARE Standard (1 Kbytes EEPROM)
    http://www.nxp.com/products/identification/mifare/classic/
    RFID - ISO 14443 Type A - Transport for London Oyster

    ============================================================
    root@gandalf-laptop:~# nfc-list
    nfc-list use libnfc 1.3.9 (r584)
    Connected to NFC reader: ACS ACR122U 00 00 / ACR122U207 - PN532 v1.6 (0x07)
    1 ISO14443A passive target(s) was found:
    ATQA (SENS_RES): 00 04
    UID (NFCID1): 5d fe 40 02 //Found MIFARE Classic 1k card with UID: 0240fe5d
    SAK (SEL_RES): 08

    0 Felica (212 kbps) passive target(s) was found.

    0 Felica (424 kbps) passive target(s) was found.

    0 ISO14443B passive target(s) was found.
    ================================================================
    root@gandalf-laptop:~/fuck/9/libnfc/mfcuk-read-only/src/bin# nfc-anticol

    Connected to NFC reader: ACS ACR122U 00 00 / ACR122U207 - PN532 v1.6 (0x07)

    R: 26 (7 bits)
    T: 04 00
    R: 93 20
    T: 5d fe 40 02 e1
    R: 93 70 5d fe 40 02 e1 a2 ca
    T: 08 b6 dd
    R: 50 00 57 cd

    Found tag with UID: 5dfe4002
    ================================================================
    root@gandalf-laptop:~# nfc-poll
    nfc-poll use libnfc 1.3.9 (r584)
    Connected to NFC reader: ACS ACR122U 00 00 / ACR122U207 - PN532 v1.6 (0x07)
    PN53x will poll during 6000 ms
    1 target(s) have been found.
    T1: targetType=10, targetData:
    ATQA (SENS_RES): 00 04
    UID (NFCID1): 5d fe 40 02
    SAK (SEL_RES): 08


    %%%%%%%%%%%%
    %%%%%%%%%%%%

    Thanks in advance....

  3. #3  
    It looks to me like you've got one hell of a mess there.

    If I'm not misunderstanding:

    root@gandalf-laptop:~/fuck/9/libnfc/mfcuk-read-only# mfcuk_keyrecovery_darkside

    I gather you have compiled the mfcuk package inside the nfc library's folder. To be honest, I don't know how you managed to do that (well, yes, I can imagine). They are two separate packages.

    Uninstall whatever you have installed.

    Install the libnfc package first and then compile mfcuk.

    Once you have it compiled, go to the src folder and run it.

    The package seems to be here:

    http://code.google.com/p/mfcuk/source/browse/trunk/src/?r=2

    I suppose it's complete. I don't know.

    Regards.

  4. #4 It is compiled separately
    Greetings

    Let me explain about the folder

    root@gandalf-laptop:~/fuck/9/libnfc/mfcuk-read-only/

    I just named it "libnfc" like that; the libnfc and mfcuk packages are compiled separately.

    Could you tell me how to use mfcuk, and which parameters to pass it when running it?

    Thanks!

    As I was saying, when running it, for example:
    root@gandalf-laptop:~/fuck/9/libnfc/mfcuk-read-only/src/bin# mfcuk_keyrecovery_darkside -C 1 -s 56700


    MFCUK - MiFare Classic Universal toolKit - 0.1
    Mifare Classic DarkSide Key Recovery Tool - 0.3
    by Andrei Costin, [email protected], http://andreicostin.com

    WARN: non-supported sleep-AFTER-field ON value (56700)

    INFO: Connected to NFC reader: ACS ACR122U 00 00 / ACR122U207 - PN532 v1.6 (0x07)


    VERIFY:
    Key A sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f
    Key B sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f

    RECOVER: 0 1 2 3 4 5 6 7 8 9 a b c d e f


    It seems to me it's not doing what it's supposed to!

  5. #5 Running it from .src/bin
    Greetings. When I try to run it from src as you suggest:

    root@gandalf-laptop:~/fuck/9/libnfc/mfcuk-read-only/src# mfcuk_keyrecovery_darkside -C 1 -s 56700
    MFCUK - MiFare Classic Universal toolKit - 0.1
    Mifare Classic DarkSide Key Recovery Tool - 0.3
    by Andrei Costin, [email protected], http://andreicostin.com

    WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_skgt.mfd'
    WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_ratb.mfd'
    WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_oyster.mfd'
    Fallo de segmentación
    ==============================================================

    I see that inside src/bin/data:

    root@gandalf-laptop:~/fuck/9/libnfc/mfcuk-read-only/src/bin/data# ls -la
    total 20
    drwxr-xr-x 5 root root 4096 2010-08-31 18:20 .
    drwxr-xr-x 4 root root 4096 2010-08-31 22:16 ..
    drwxr-xr-x 3 root root 4096 2010-08-31 18:20 logs_proxmark3
    drwxr-xr-x 6 root root 4096 2010-08-31 18:20 .svn
    drwxr-xr-x 3 root root 4096 2010-08-31 18:20 tmpls_fingerprints

    ==============================================================
    Which suggested to me that I should run it from src/bin:

    root@gandalf-laptop:~/fuck/9/libnfc/mfcuk-read-only/src/bin# mfcuk_keyrecovery_darkside -C 1 -s 56700


    MFCUK - MiFare Classic Universal toolKit - 0.1
    Mifare Classic DarkSide Key Recovery Tool - 0.3
    by Andrei Costin, [email protected], http://andreicostin.com

    WARN: non-supported sleep-AFTER-field ON value (56700)

    INFO: Connected to NFC reader: ACS ACR122U 00 00 / ACR122U207 - PN532 v1.6 (0x07)


    VERIFY:
    Key A sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f
    Key B sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f

    RECOVER: 0 1 2 3 4 5 6 7 8 9 a b c d e f


    ===============================================================

    I hope you can help me run mfcuk correctly, that is, pass it the right parameters.

    Thanks in advance

  6. #6 When I run it with the "-h" option
    When I run the program with the "-h" option, it only shows the program's help..

    root@gandalf-laptop:~/fuck/9/libnfc/mfcuk-read-only/src/bin# mfcuk_keyrecovery_darkside -h


    MFCUK - MiFare Classic Universal toolKit - 0.1
    Mifare Classic DarkSide Key Recovery Tool - 0.3
    by Andrei Costin, [email protected], http://andreicostin.com


    Usage:
    -C - require explicit connection to the reader. Without this option, the connection is not made and recovery will not occur
    -i mifare.dmp - load input mifare_tag type dump
    -I mifare_ext.dmp - load input extended dump specific to this tool, has several more fields on top of mifare_tag type dump
    -o mifare.dmp - output the resulting mifare_tag dump to a given file
    -O mifare_ext.dmp - output the resulting extended dump to a given file
    -V sector[:A/B/any_other_alphanum[:fullkey]] - verify key for specified sector, -1 means all sectors
    After first semicolon key-type can specified: A verifies only keyA, B verifies only keyB, anything else verifies both keys
    After second semicolon full 12 hex-digits key can specified - this key will override any loaded dump key for the given sector(s) and key-type(s)
    -R sector[:A/B/any_other_alphanum] - recover key for sector, -1 means all sectors.
    After first semicolon key-type can specified: A recovers only keyA, B recovers only keyB, anything else recovers both keys
    -U UID - force specific UID. If a dump was loaded with -i, -U will overwrite the in the memory where dump was loaded
    -M tagtype - force specific tagtype. 8 is 1K, 24 is 4K, 32 is DESFire
    -D - for sectors and key-types marked for verification, in first place use default keys to verify (maybe you are lucky)
    -d key - specifies additional full 12 hex-digits default key to be checked. Multiple -d options can be used for more additional keys
    -s - miliseconds to sleep for DROP FIELD
    -S - miliseconds to sleep for CONSTANT DELAY
    -P hex_literals_separated - try to recover the key from a conversation sniffed with Proxmark3 (mifarecrack.c based). Accepts several options:
    Concatenated string in hex literal format of form uid:tag_chal:nr_enc:reader_resp:tag_resp
    Example -P 0x5c72325e:0x50829cd6:0xb8671f76:0xe00eefc9:0x4888964f would find key FFFFFFFFFFFF
    -p proxmark3_full.log - tries to parse the log file on it's own (mifarecrack.py based), get the values for option -P and invoke it
    -F - tries to fingerprint the input dump (-i) against known cards' data format


    I would appreciate your help invoking it correctly. As I mentioned and as stated in previous posts, I am working with an ACR122U reader and Mifare cards.

    Thanks.

  7. #7 Help recovering the key per sector
    Greetings

    Here is what I get when running the following command:

    root@gandalf-laptop:~/fuck/9/libnfc/mfcuk-read-only/src/bin# mfcuk_keyrecovery_darkside -v 1 -C 1 -R 0 -M 8 -U 0240fe5d 2>errors.log | tee results.log


    MFCUK - MiFare Classic Universal toolKit - 0.1
    Mifare Classic DarkSide Key Recovery Tool - 0.3
    by Andrei Costin, [email protected], http://andreicostin.com


    INFO: Connected to NFC reader: ACR122U207 - PN532 v1.6 (0x07)



    INITIAL ACTIONS MATRIX - UID 02 40 fe 5d - TYPE 0x08 (MC1K)
    ---------------------------------------------------------------------
    Sector | Key A |ACTS | RESL | Key B |ACTS | RESL
    ---------------------------------------------------------------------
    0 | 000000000000 | . R | . . | 000000000000 | . R | . .
    1 | 000000000000 | . . | . . | 000000000000 | . . | . .
    2 | 000000000000 | . . | . . | 000000000000 | . . | . .
    3 | 000000000000 | . . | . . | 000000000000 | . . | . .
    4 | 000000000000 | . . | . . | 000000000000 | . . | . .
    5 | 000000000000 | . . | . . | 000000000000 | . . | . .
    6 | 000000000000 | . . | . . | 000000000000 | . . | . .
    7 | 000000000000 | . . | . . | 000000000000 | . . | . .
    8 | 000000000000 | . . | . . | 000000000000 | . . | . .
    9 | 000000000000 | . . | . . | 000000000000 | . . | . .
    10 | 000000000000 | . . | . . | 000000000000 | . . | . .
    11 | 000000000000 | . . | . . | 000000000000 | . . | . .
    12 | 000000000000 | . . | . . | 000000000000 | . . | . .
    13 | 000000000000 | . . | . . | 000000000000 | . . | . .
    14 | 000000000000 | . . | . . | 000000000000 | . . | . .
    15 | 000000000000 | . . | . . | 000000000000 | . . | . .


    VERIFY:
    Key A sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f
    Key B sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f


    ACTION RESULTS MATRIX AFTER VERIFY - UID 02 40 fe 5d - TYPE 0x08 (MC1K)
    ---------------------------------------------------------------------
    Sector | Key A |ACTS | RESL | Key B |ACTS | RESL
    ---------------------------------------------------------------------
    0 | 000000000000 | . R | . . | 000000000000 | . R | . .
    1 | 000000000000 | . . | . . | 000000000000 | . . | . .
    2 | 000000000000 | . . | . . | 000000000000 | . . | . .
    3 | 000000000000 | . . | . . | 000000000000 | . . | . .
    4 | 000000000000 | . . | . . | 000000000000 | . . | . .
    5 | 000000000000 | . . | . . | 000000000000 | . . | . .
    6 | 000000000000 | . . | . . | 000000000000 | . . | . .
    7 | 000000000000 | . . | . . | 000000000000 | . . | . .
    8 | 000000000000 | . . | . . | 000000000000 | . . | . .
    9 | 000000000000 | . . | . . | 000000000000 | . . | . .
    10 | 000000000000 | . . | . . | 000000000000 | . . | . .
    11 | 000000000000 | . . | . . | 000000000000 | . . | . .
    12 | 000000000000 | . . | . . | 000000000000 | . . | . .
    13 | 000000000000 | . . | . . | 000000000000 | . . | . .
    14 | 000000000000 | . . | . . | 000000000000 | . . | . .
    15 | 000000000000 | . . | . . | 000000000000 | . . | . .


    RECOVER: 0

    ...For which I suppose one has to wait a bit... I'll let you know later how it went with this little command.

    **If you can help me invoke it correctly, in case I am invoking the command wrongly in some way, I would be grateful...

    Thanks in advance
