{"id":5896,"date":"2019-02-01T01:56:53","date_gmt":"2019-02-01T01:56:53","guid":{"rendered":"https:\/\/hackmethod.com\/?p=5896"},"modified":"2019-02-01T01:56:59","modified_gmt":"2019-02-01T01:56:59","slug":"hacking-mifare-rfid-2","status":"publish","type":"post","link":"https:\/\/hackmethod.com\/hacking-mifare-rfid-2\/","title":{"rendered":"Hacking our first MIFAR\/RFID Tag"},"content":{"rendered":"\n<p>Easy tutorial about hacking our first MIFAR\/RFID Tag. RFID is\u00a0a technology\u00a0widely used in our lives, from our\u00a0building access badges, to payment facilities, or even our gates\u2019 remotes.  As we\u2019ve seen in the previous post<a href=\"https:\/\/hackmethod.com\/hacking-mifare-rfid\/\"> here<\/a>, some of them are utilizing little to no security mechanisms, like MIFARE. Today we will start working on a really basic series of hacks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What you will need<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Hardware<\/h3>\n\n\n\n<p>What&#8217;s covered can be done with a simple <code>RFID<\/code> card reader found on Amazon for ~30\u20ac (~35$). Mine was the [easyazon_link identifier=&#8221;B07FCLY4S9&#8243; locale=&#8221;US&#8221; tag=&#8221;hackm01-20&#8243;]ACS ACR122U[\/easyazon_link]<strong> <\/strong>simply because it was the\u00a0most mentioned one\u00a0on a few forums and blog posts I had read at the time.  Consequently, it would make things easier for support if any issues arise.<\/p>\n\n\n\n<p>With the previous post, we saw that tags a have a specific block of memory reserved to the manufacturer, including an\u00a0<strong>UID<\/strong>\u00a0(Unique IDentifier). If you want to try and clone a tag, you will need to be able to spoof this UID, so I also ordered a few tags ( [easyazon_link identifier=&#8221;B072P1L9LR&#8221; locale=&#8221;US&#8221; tag=&#8221;hackm01-20&#8243;]blank cards[\/easyazon_link]  and  [easyazon_link identifier=&#8221;B0784NP1MR&#8221; locale<\/p>\n\n\n\n<p>=&#8221;US&#8221; tag=&#8221;hackm01-20&#8243;]key-fobs[\/easyazon_link] ) with an UID rewritable.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/pfery.com\/wp-content\/uploads\/2019\/01\/acr-122.jpg?resize=317%2C317\" alt=\"\" class=\"wp-image-64\" width=\"317\" height=\"317\"\/><figcaption>ACS ACR122U<\/figcaption><\/figure><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Software<\/h3>\n\n\n\n<p>Any *NIX distribution will do the trick (Windows too eventually), but after a bit of trial and error, I figured out working on RFID and NFC works better with security oriented distributions like\u00a0<strong>Kali<\/strong>\u00a0or\u00a0<strong>ParrotSec.<\/strong> They already include all the tools and libraries needed to do the job.<\/p>\n\n\n\n<p>I also found out working in Virtual Machines (VMs) can sometimes be a pain. The host always keep a bit of control over the USB ports (via probes).  This is annoying bc our card reader needs full access to those ports at any time.  Without full access time-outs during read\/write operations will occur and can permanently damage a tag.<em><br><br>NB: For those of you getting an error when trying to run any NFC related operations on an ACR122.  The following command removes the USB module off your OS and \u201creset\u201d the USB port so your reader can freely access it.<\/em><br><br> <strong><em><code>sudo rmmod pn533_usb<\/code><\/em><\/strong> <\/p>\n\n\n\n<p>The best combination\/setup <em>(aka the one I struggled the less with)<\/em>\u00a0was the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>ParrotSec<\/strong>&nbsp;4.19 (as a guest OS)<\/li><li><strong>Super user<\/strong>&nbsp;rights (most NFC commands will require it, just saving you some time here)<\/li><li>The latest&nbsp;<strong>libusb<\/strong>&nbsp;(just a C library to handle generic USB peripherals, should be present on any decent distribution anyway)<\/li><li>The latest&nbsp;<strong>libcrypto<\/strong>&nbsp;(belongs to the OpenSSL package, but can be used for various cryptographic operations, like cracking keys *wink wink*)<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Basic exploitation<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">NFC-LIST<\/h3>\n\n\n\n<p>Let\u2019s start with&nbsp;<strong>nfc-list<\/strong>&nbsp;which will try to connect to the reader and read any tags in range:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/pfery.com\/wp-content\/uploads\/2019\/01\/giphy.gif?w=1080\" alt=\"\" class=\"wp-image-67\"\/><figcaption><code>nfc-list<\/code> &#8211; Figure 2.1<br><\/figcaption><\/figure><\/div>\n\n\n\n<p>When done, the device is detected and active, interface is opened, and there is an\u00a0<strong>ISO\/IEC 14443A<\/strong>\u00a0compliant tag in range.  This tag is a barbaric term for a MIFARE card. Our first relevant information, this MIFARE tag\u2019s UID is\u00a0<strong>7BE88C21<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">MFOC \u2013 MiFare classic Offline Cracker<\/h3>\n\n\n\n<p>The easiest and most basic tool to use against MIFARE tags, is MFOC.  It tries different keys against a MIFARE tags.  Once MFOC finds a correct key the tool can \u201cguess\u201d the other keys and dump the memory of the tag. (Figure 2.2)<br><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/pfery.com\/wp-content\/uploads\/2019\/01\/mfoc_blog.gif?w=1080\" alt=\"\" class=\"wp-image-77\"\/><figcaption>MFOC attack &#8211; Figure 2.2<\/figcaption><\/figure><\/div>\n\n\n\n<p>In Figure 2.2, I have launched a MFOC attack, asking the tool to dump the memory of the tag into a file using the <strong><code>-O &lt;file> option<\/code><\/strong>.<br>Just like <strong><code>nfc-list<\/code><\/strong>, MFOC will detect the tag on the reader as a MIFARE Classic 1K, gives us the UID, and then starts trying the keys from his own dictionary against every sector of the tag.<br><br>The output of MFOC is quite simple:<br>\u2013 the key\u00a0<strong><code>FFFFFFFFFFFF<\/code><\/strong>\u00a0is not used by any sector<br>\u2013 the key\u00a0<strong><code>A0A1A2A3A4A5<\/code><\/strong>\u00a0is used as a key A onto all sectors from 0 to 15<br>\u2013 the key\u00a0<strong><code>B0B1B2B3B4B5<\/code><\/strong>\u00a0is used as a key B onto sectors 0 to 11<br><br>As MFOC runs, we obtain keys A &amp; B for 12 sectors; now the A keys for the last 4 sectors, and the missing 4 keys are able to fully read.\u00a0<br><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Enter MFOC\u2019s phase 2:<\/h3>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/pfery.com\/wp-content\/uploads\/2019\/01\/mfoc_prove.gif?w=1080\" alt=\"\" class=\"wp-image-85\"\/><figcaption>MFOC\u2019s black magic &#8211; Figure 2.3<\/figcaption><\/figure><\/div>\n\n\n\n<p>In figure 2.3, MFOC is using the\u00a0<strong>sector\u00a000<\/strong> as\u00a0an\u00a0exploit\u00a0sector\u00a0simply because both A &amp; B keys are known for this tag (hence any sector from 0 to 11 could be used as an exploit sector). MFOC is then sending probes onto the \u201cuncracked\u201d sectors and will compare the answer\u2019s delay with a positive one onto sector 00, similar to how a\u00a0<a href=\"http:\/\/www.sqlinjection.net\/time-based\/\">time-based blind SQL injection<\/a> works.<br><br>With the last 4 uncracked sectors have unveiled their B keys, MFOC is able to authenticate. Now we have both A &amp; B keys. Now we will dump the memory of the entire tag in the file location specified, as seen in Figure 2.4.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/pfery.com\/wp-content\/uploads\/2019\/01\/mfoc_dump.png?w=1080\" alt=\"\" class=\"wp-image-88\"\/><figcaption>MFOC dumping the content of the tag &#8211; Figure 2.4<\/figcaption><\/figure><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Reading the Tag dump:<\/h3>\n\n\n\n<p> A simple hexadecimal tool like\u00a0<strong>hexeditor<\/strong> can be used read and edit the dump file, as seen in Figure 2.5:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/pfery.com\/wp-content\/uploads\/2019\/01\/hexdump-1.png?w=1080\" alt=\"\" class=\"wp-image-87\"\/><figcaption>Hexeditor of the dump file &#8211; Figure 2.5<\/figcaption><\/figure><\/div>\n\n\n\n<p>In Figure 2.5 above, the red area is actually a whole sector as we detailed in the first article, and on line\u00a0<strong>2B0<\/strong>\u00a0you can see the A key, <strong><code>A0A1A2A3A4A5<\/code><\/strong>, and B key, <strong><code>B0B1B2B3B4B5<\/code><\/strong>, which is separated by the 8 access bits <code>78 77 88 69<\/code> of the concerned sector.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">NFC-MFCLASSIC<\/h3>\n\n\n\n<p>The tag I worked on is the building access tag for my apartment.  Lucky for me all sectors were using a default key and the dump only took me ~20-25 seconds. From here I copied my building badge.  I did this to see if my building\u2019s scanner could tell the difference between the original tag and a clone (UID included).<\/p>\n\n\n\n<p>This brings us to a new tool <strong><code>nfc-mfclassic<\/code><\/strong>. This tool will allow us to write dump files on the new tag and is quite simple to use.  A quick look at the <code>man<\/code> page is all that is needed.  This tells us all we need to know.  We can write dumps on a new tag with a\u00a0<strong><code>w<\/code><\/strong>\u00a0options, but a\u00a0<strong><code>W<\/code><\/strong>\u00a0(notice the uppercase) will not only write the whole dump\u2019s data but will also rewrite the\u00a0<strong>UID.<\/strong><br>Let\u2019s try to write the dump we just created with\u00a0<strong>mfoc<\/strong>\u00a0onto the new tag ordered on Amazon, using the\u00a0<strong>A\u00a0keys<\/strong>\u00a0stored in the dump file itself (Figure 2.6):<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/pfery.com\/wp-content\/uploads\/2019\/01\/mfclassic.gif?w=1080\" alt=\"\" class=\"wp-image-89\"\/><figcaption>Figure 2.6<\/figcaption><\/figure><\/div>\n\n\n\n<p>As we wrote to the tag, it tells us the previous UID of the tag was\u00a0<strong><code>949E0139<\/code><\/strong>, and that 64 blocks of data have been written on it. Using <strong><code>nfc-list<\/code><\/strong>\u00a0again to read a tag will show us the UID of the new tag has been changed and is now identical to my original building\u2019s tag (Figure 2.7).<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/pfery.com\/wp-content\/uploads\/2019\/01\/uid-change.gif?w=1080\" alt=\"\" class=\"wp-image-90\"\/><figcaption>Figure 2.7<\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>In conclusion, we&#8217;ve identified how to use a few basic NFC and MIFARE commands to read and detect a tag. With the few more MFOC commands we were able to crack a generic NFC key.  Eventually, we dump the content of the tag\u2019s memory if it was using default keys.  This makes up more than 75% of the tags I have tried so far. With this information,the knowledge of cloning different MIFARE classic tags.  A few things you  might be asking yourself&#8230;<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>What to do if no <code>default<\/code> keys are used? <\/li><li>What if you want to edit the content of the data and give you access somewhere you shouldn\u2019t be ?<\/li><\/ul>\n\n\n\n<p>That, my friends, will be for the next article of this RFID series.  Stay tuned. \ud83d\ude09<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Easy tutorial about hacking our first MIFAR\/RFID Tag. RFID is\u00a0a technology\u00a0widely used in our lives, from our\u00a0building access badges, to payment facilities, or even our gates\u2019 remotes. As we\u2019ve seen in the previous post here, some of them are utilizing little to no security mechanisms, like MIFARE. Today we will start working on a really [&hellip;]<\/p>\n","protected":false},"author":19,"featured_media":5905,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[52],"tags":[147,150,148],"class_list":["post-5896","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacking","tag-mifare","tag-nfc","tag-rfid-hacking"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/02\/rfid-chip-hacking.png?fit=728%2C380&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p5zY4D-1x6","_links":{"self":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/5896","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/users\/19"}],"replies":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/comments?post=5896"}],"version-history":[{"count":4,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/5896\/revisions"}],"predecessor-version":[{"id":5906,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/5896\/revisions\/5906"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/media\/5905"}],"wp:attachment":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/media?parent=5896"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/categories?post=5896"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/tags?post=5896"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}