NFC Research
== Decoding ==

MIFARE Classic 1K (S50, 1K EEPROM) and MIFARE Classic 4K (S70, 4K EEPROM) were fully broken long ago; current deployments have moved to MIFARE DESFire.

Hardware: ACR122U, about 200 RMB.

Software, all open source:
:scan for sector keys: mfoc http://code.google.com/p/mfoc/
:recover the key of a single sector: mfcuk http://code.google.com/p/mfcuk/
:MIFARE Classic helper tool: mfterm https://github.com/4ZM/mfterm
:core support library: libnfc http://code.google.com/p/libnfc/

The division of labour matters in practice: mfoc runs the nested-authentication attack against Crypto-1, which needs at least one sector key it can already authenticate with (a default key is usually enough). mfcuk runs the "darkside" attack, which needs no known key at all, so it is the fallback for a card on which mfoc finds no default key.

=== Build ===

<source lang=bash>
$ wget http://libnfc.googlecode.com/files/libnfc-1.7.0.tar.bz2
$ tar jxf libnfc-1.7.0.tar.bz2
$ cd libnfc-1.7.0
$ ./configure   # the default ACR122U driver is acr122_usb, which talks to the reader over USB directly instead of going through the PC/SC middleware via the acr122_pcsc driver
$ make
$ sudo make install
$ wget http://mfoc.googlecode.com/files/mfoc-0.10.6.tar.gz && tar -xvzf mfoc-0.10.6.tar.gz
$ cd mfoc-0.10.6
$ ./configure
$ make
$ sudo make install
$ git clone git://github.com/4ZM/mfterm
$ cd mfterm
$ ./autogen.sh
$ ./configure
$ make
$ sudo make install
</source>

mfcuk builds the same way; if the build stops on a missing library, install it and continue.

=== Scanning for keys ===

Confirm that the system sees the ACR122U:

<source lang=bash>
$ nfc-list
nfc-list uses libnfc libnfc-1.7.0-40-g7e5257d
error   libnfc.driver.acr122_usb   Unable to claim USB interface (Operation not permitted)
nfc-list: ERROR: Unable to open NFC device: acr122_usb:001:009
$ sudo nfc-list
nfc-list uses libnfc libnfc-1.7.0-40-g7e5257d
NFC device: ACS / ACR122U PICC Interface opened
</source>

The "Unable to claim USB interface (Operation not permitted)" error is a permission problem on the USB device node: an unprivileged user cannot claim the interface, hence the sudo (giving the user access to the device node is the alternative). Inside a VMware virtual machine it does not work at all; it keeps failing with "Unable to write USB interface".

Start scanning the keys of every sector (-P sets the number of probes per sector, -O the file the card contents are written to):

<source lang=bash>
$ sudo mfoc -P 500 -O dump.card.file
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  02
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): 25  55  aa  10
      SAK (SEL_RES): 18
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 4K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 4K, Security level 1
* SmartMX with MIFARE 4K emulation
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [........................................]
[Key: a0a1a2a3a4a5] -> [/.......................................]
[Key: d3f7d3f7d3f7] -> [/.......................................]
[Key: 000000000000] -> [/.......................................]
[Key: b0b1b2b3b4b5] -> [/.......................................]
[Key: 4d3a99c351dd] -> [/.......................................]
[Key: 1a982c7e459a] -> [/.......................................]
[Key: aabbccddeeff] -> [/.......................................]
[Key: 714c5c886e97] -> [/.......................................]
[Key: 587ee5f9350f] -> [/.......................................]
[Key: a0478cc39091] -> [/.......................................]
[Key: 533cb6c723f6] -> [/.......................................]
[Key: 8fd0a4f256e9] -> [/.......................................]
Sector 00 - FOUND_KEY   [A]
Sector 00 - UNKNOWN_KEY [B]
Sector 01 - UNKNOWN_KEY [A]
Sector 01 - UNKNOWN_KEY [B]
Sector 02 - UNKNOWN_KEY [A]
Sector 02 - UNKNOWN_KEY [B]
Sector 03 - UNKNOWN_KEY [A]
Sector 03 - UNKNOWN_KEY [B]
Sector 04 - UNKNOWN_KEY [A]
Sector 04 - UNKNOWN_KEY [B]
Sector 05 - UNKNOWN_KEY [A]
Sector 05 - UNKNOWN_KEY [B]
Sector 06 - UNKNOWN_KEY [A]
Sector 06 - UNKNOWN_KEY [B]
Sector 07 - UNKNOWN_KEY [A]
Sector 07 - UNKNOWN_KEY [B]
Sector 08 - UNKNOWN_KEY [A]
Sector 08 - UNKNOWN_KEY [B]
Sector 09 - UNKNOWN_KEY [A]
Sector 09 - UNKNOWN_KEY [B]
Sector 10 - UNKNOWN_KEY [A]
Sector 10 - UNKNOWN_KEY [B]
Sector 11 - UNKNOWN_KEY [A]
Sector 11 - UNKNOWN_KEY [B]
Sector 12 - UNKNOWN_KEY [A]
Sector 12 - UNKNOWN_KEY [B]
Sector 13 - UNKNOWN_KEY [A]
Sector 13 - UNKNOWN_KEY [B]
Sector 14 - UNKNOWN_KEY [A]
Sector 14 - UNKNOWN_KEY [B]
Sector 15 - UNKNOWN_KEY [A]
Sector 15 - UNKNOWN_KEY [B]
Sector 16 - UNKNOWN_KEY [A]
Sector 16 - UNKNOWN_KEY [B]
Sector 17 - UNKNOWN_KEY [A]
Sector 17 - UNKNOWN_KEY [B]
Sector 18 - UNKNOWN_KEY [A]
Sector 18 - UNKNOWN_KEY [B]
Sector 19 - UNKNOWN_KEY [A]
Sector 19 - UNKNOWN_KEY [B]
Sector 20 - UNKNOWN_KEY [A]
Sector 20 - UNKNOWN_KEY [B]
Sector 21 - UNKNOWN_KEY [A]
Sector 21 - UNKNOWN_KEY [B]
Sector 22 - UNKNOWN_KEY [A]
Sector 22 - UNKNOWN_KEY [B]
Sector 23 - UNKNOWN_KEY [A]
Sector 23 - UNKNOWN_KEY [B]
Sector 24 - UNKNOWN_KEY [A]
Sector 24 - UNKNOWN_KEY [B]
Sector 25 - UNKNOWN_KEY [A]
Sector 25 - UNKNOWN_KEY [B]
Sector 26 - UNKNOWN_KEY [A]
Sector 26 - UNKNOWN_KEY [B]
Sector 27 - UNKNOWN_KEY [A]
Sector 27 - UNKNOWN_KEY [B]
Sector 28 - UNKNOWN_KEY [A]
Sector 28 - UNKNOWN_KEY [B]
Sector 29 - UNKNOWN_KEY [A]
Sector 29 - UNKNOWN_KEY [B]
Sector 30 - UNKNOWN_KEY [A]
Sector 30 - UNKNOWN_KEY [B]
Sector 31 - UNKNOWN_KEY [A]
Sector 31 - UNKNOWN_KEY [B]
Sector 32 - UNKNOWN_KEY [A]
Sector 32 - UNKNOWN_KEY [B]
Sector 33 - UNKNOWN_KEY [A]
Sector 33 - UNKNOWN_KEY [B]
Sector 34 - UNKNOWN_KEY [A]
Sector 34 - UNKNOWN_KEY [B]
Sector 35 - UNKNOWN_KEY [A]
Sector 35 - UNKNOWN_KEY [B]
Sector 36 - UNKNOWN_KEY [A]
Sector 36 - UNKNOWN_KEY [B]
Sector 37 - UNKNOWN_KEY [A]
Sector 37 - UNKNOWN_KEY [B]
Sector 38 - UNKNOWN_KEY [A]
Sector 38 - UNKNOWN_KEY [B]
Sector 39 - UNKNOWN_KEY [A]
Sector 39 - UNKNOWN_KEY [B]
Using sector 00 as an exploit sector
Sector: 1, type A, probe 0, distance 15105 .....
Sector: 1, type A, probe 1, distance 15147 .....
  Found Key: A [2c5a3710d3a5]
Sector: 2, type A, probe 0, distance 15147 .....
  Found Key: A [c3a4fa8db109]
Sector: 3, type A, probe 0, distance 15147 .....
  Found Key: A [3c34515b11d4]
Sector: 4, type A, probe 0, distance 15149 .....
  Found Key: A [0725a08f31e6]
Sector: 5, type A, probe 0, distance 15151 .....
  Found Key: A [5601f83644bb]
Sector: 6, type A, probe 0, distance 15149 .....
Sector: 6, type A, probe 1, distance 15149 .....
Sector: 6, type A, probe 2, distance 15149 .....
  Found Key: A [20f2bf55ac1a]
Sector: 7, type A, probe 0, distance 15147 .....
  Found Key: A [dd77fb8c3736]
Sector: 8, type A, probe 0, distance 15149 .....
Sector: 8, type A, probe 1, distance 15147 .....
  Found Key: A [c2180972c580]
Sector: 9, type A, probe 0, distance 15151 .....
  Found Key: A [742c582e8c04]
Sector: 10, type A, probe 0, distance 15151 .....
Sector: 10, type A, probe 1, distance 15193 .....
Sector: 10, type A, probe 2, distance 15151 .....
  Found Key: A [db338f92bb98]
Sector: 11, type A, probe 0, distance 15151 .....
  Found Key: A [15559907e873]
Sector: 12, type A, probe 0, distance 15151 .....
  Found Key: A [c8313c454d2a]
Sector: 13, type A, probe 0, distance 15149 .....
Sector: 13, type A, probe 1, distance 15149 .....
  Found Key: A [c896c22e5b3e]
Sector: 14, type A, probe 0, distance 15149 .....
  Found Key: A [72558e3fe66c]
Sector: 15, type A, probe 0, distance 15151 .....
  Found Key: A [aec383ce3c12]
......
......
</source>

The only key the default-key pass found was key A of sector 0 (the first '/' appears at a0a1a2a3a4a5); that single key is all the nested-authentication attack needs, which is what "Using sector 00 as an exploit sector" means. When it finishes, the whole card contents are written to dump.card.file.

=== Reading again ===

Once every sector's keys have been recovered, later reads can load dump.card.file directly in mfterm; mfterm pulls all the keys out of it automatically, and subsequent reads and writes are much faster.

On a phone with NFC, MifareClassicTool does the same job and is much more convenient for reading and writing on the move.

<source lang=bash>
comcat@jackslab:~$ mfterm
$ read
No key argument (A|B) given. Defaulting to A
error   libnfc.driver.acr122_usb   Unable to claim USB interface (Operation not permitted)
Could not connect to any NFC device
comcat@jackslab:~$ sudo mfterm
$ help
quit                  Exit the program.
load                  Load tag data from a file.
save                  Save tag data to a file.
clear                 Clear the current tag data.
read A|B :            Read tag data from a physical tag.
read unlocked         On pirate cards, read card without keys.
write A|B :           Write tag data to a physical tag.
write unlocked        On pirate cards, write 1k tag with block 0.
print 1k|4k :         Print tag data.
print keys 1k|4k :    Print tag's keys.
print ac              Print access conditions.
set #block #offset = xx xx xx :  Set tag data.
keys load             Load keys from a file.
keys save             Save keys to a file.
keys clear            Clear the keys.
keys set A|B #S key : Set a key value.
keys import           Import keys from the current tag.
keys test             Try to authenticate with the keys.
keys 1k|4k :          Print the keys.
dict load             Load a dictionary key file.
dict clear            Clear the key dictionary.
dict attack           Find keys of a physical tag.
dict                  Print the key dictionary.
spec load             Load a specification file.
spec clear            Unload the specification.
spec                  Print the specification.
mac key <k0..k7> :    Get or set MAC key.
mac compute #block :  Compute block MAC.
mac update #block :   Compute block MAC.
mac validate 1k|4k :  Validates block MAC of the whole tag.
$ read
No key argument (A|B) given. Defaulting to A
Connected to device, but no tag found.
$ keys load dump.card.file     # parse the dumped card image directly and load the keys from it
Successfully loaded keys from: dump.card.file
$ keys
xS  xB  KeyA          KeyB
----------------------------------
00  03  c0c1c2c3c4c5  a1475c9ee325
01  07  2c5c3710d3c5  b40b2c0d47f1
02  0b  c1f4ff83b109  dc0fc2d4d8cc
03  0f  3c34515b11d4  b42fc69d3ccf
04  13  0725c08f31e6  f8cf2c85e843
05  17  5601f83644bb  c9398274cc1d
06  1b  20f2bf55cc1c  8f5cd31b4f53
07  1f  dd77fb8c3736  e95fc402e7b6
08  23  c2180972c580  d43ec542967d
09  27  742c582e8c04  d43ec542967d
0a  2b  db338f92bb98  e92d77b9c1f2
0b  2f  15559907e873  4f94956dfce7
0c  33  c8313c454d2c  25860937cf4d
0d  37  c896c22e5b3e  717b5b4b67d2
0e  3b  72558e3fe66c  cded278592c2
0f  3f  cec383ce3c12  f1475c9ee325
$ keys test 4k A               # verify the keys against the card
$ keys save /tmp/a
Successfully wrote keys to: /tmp/a
$ keys load /tmp/a
Successfully loaded keys from: /tmp/a
$ read                         # read all data on the card
No key argument (A|B) given. Defaulting to A
Reading: [.........0x13.0x12.0x11.0x10................]
Auth errors in indicated sectors.
Read MIFARE Classic 4k (SAK: 18, ATQA: 00 02)
$ quit
comcat@jackslab:~$
</source>

The sectors flagged in the read progress line (0x10 to 0x13) are those whose key A from the loaded set did not authenticate, so the dump is not complete for them until their keys are recovered as well.
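The parsing mfterm does when `keys load dump.card.file` pulls the keys out of a card image is simple enough to reproduce offline, and doing so also shows what `print ac` reports. The following Python is an added example, not code from this page, libnfc, mfoc or mfterm: it walks a raw MIFARE Classic dump (the 1024-byte or 4096-byte block-by-block image that mfoc -O writes; the sector trailer is the last block of each sector), extracts key A, the three access bytes and key B from every trailer, checks that the inverted copies of the access bits agree, and decodes what each key may do on each block. The dump it runs on is constructed inside the block: the keys a0a1a2a3a4a5, b0b1b2b3b4b5 and 2c5a3710d3a5 are reused from the output above, every other key is the factory default, and the 78 77 88 access bytes on sector 1 are an assumed "key B administers the sector" configuration chosen for illustration. Function and variable names are the example's own.

```python
# Added example (not code from the page, libnfc, mfoc or mfterm): parse a
# MIFARE Classic dump in the raw block-by-block layout mfoc -O writes and
# recover per-sector keys and access conditions. The sample dump is constructed.

BLOCK = 16
NEVER, KEY_A, KEY_B, KEY_AB = "never", "A", "B", "A|B"

# Data-block conditions by (C1, C2, C3): read, write, increment, decrement/transfer/restore
DATA_AC = {
    (0, 0, 0): (KEY_AB, KEY_AB, KEY_AB, KEY_AB),  # transport configuration
    (0, 1, 0): (KEY_AB, NEVER, NEVER, NEVER),
    (1, 0, 0): (KEY_AB, KEY_B, NEVER, NEVER),
    (1, 1, 0): (KEY_AB, KEY_B, KEY_B, KEY_AB),    # value block
    (0, 0, 1): (KEY_AB, NEVER, NEVER, KEY_AB),    # value block
    (0, 1, 1): (KEY_B, KEY_B, NEVER, NEVER),
    (1, 0, 1): (KEY_B, NEVER, NEVER, NEVER),
    (1, 1, 1): (NEVER, NEVER, NEVER, NEVER),
}
# Trailer conditions by (C1, C2, C3): key A read/write, access bits read/write, key B read/write
TRAILER_AC = {
    (0, 0, 0): (NEVER, KEY_A, KEY_A, NEVER, KEY_A, KEY_A),
    (0, 1, 0): (NEVER, NEVER, KEY_A, NEVER, KEY_A, NEVER),
    (1, 0, 0): (NEVER, KEY_B, KEY_AB, NEVER, NEVER, KEY_B),
    (1, 1, 0): (NEVER, NEVER, KEY_AB, NEVER, NEVER, NEVER),
    (0, 0, 1): (NEVER, KEY_A, KEY_A, KEY_A, KEY_A, KEY_A),  # transport configuration
    (0, 1, 1): (NEVER, KEY_B, KEY_AB, KEY_B, NEVER, KEY_B),
    (1, 0, 1): (NEVER, NEVER, KEY_AB, KEY_B, NEVER, NEVER),
    (1, 1, 1): (NEVER, NEVER, KEY_AB, NEVER, NEVER, NEVER),
}


def sector_count(dump):
    if len(dump) == 1024:
        return 16
    if len(dump) == 4096:
        return 40
    raise ValueError("not a 1K or 4K MIFARE Classic dump: %d bytes" % len(dump))


def trailer_block(sector):
    """Absolute block number of the sector trailer: 4 blocks per sector for 0-31, 16 for 32-39."""
    if sector < 32:
        return sector * 4 + 3
    return 128 + (sector - 32) * 16 + 15


def decode_access_bits(ac):
    """Return the C1, C2, C3 nibbles of trailer bytes 6-8 after checking the inverted copies.

    Layout (high nibble first): byte6 = ~C2 | ~C1, byte7 = C1 | ~C3, byte8 = C3 | C2.
    The card refuses a trailer whose copies disagree, so a mismatch in a dump means a bad read.
    """
    b6, b7, b8 = ac
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    if (b6 & 0xF, b6 >> 4, b7 & 0xF) != (~c1 & 0xF, ~c2 & 0xF, ~c3 & 0xF):
        raise ValueError("inconsistent access bits %s" % bytes(ac).hex())
    return c1, c2, c3


def access_bits_consistent(ac):
    try:
        decode_access_bits(ac)
        return True
    except ValueError:
        return False


def parse_sector(dump, sector):
    tb = trailer_block(sector)
    t = dump[tb * BLOCK:(tb + 1) * BLOCK]
    key_a, ac, key_b = t[0:6], t[6:9], t[10:16]
    c1, c2, c3 = decode_access_bits(ac)

    def cond(i):  # bit i of each nibble is the condition for block group i
        return ((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1)

    nblocks = 4 if sector < 32 else 16
    first = tb - nblocks + 1
    blocks = {}
    for blk in range(first, tb):
        # 16-block sectors share one condition per group of five data blocks
        group = (blk - first) // 5 if nblocks == 16 else blk - first
        blocks[blk] = DATA_AC[cond(group)]
    trailer = TRAILER_AC[cond(3)]
    return {
        "sector": sector, "key_a": bytes(key_a).hex(), "key_b": bytes(key_b).hex(),
        "access_bits": bytes(ac).hex(), "blocks": blocks, "trailer": trailer,
        # a key B that can be read back is plain data on the card and cannot authenticate
        "key_b_usable": trailer[4] == NEVER,
    }


def keys_table(dump):
    """(sector, trailer block, key A, key B) for every sector, as mfterm's `keys` lists them."""
    rows = []
    for s in range(sector_count(dump)):
        t = dump[trailer_block(s) * BLOCK:(trailer_block(s) + 1) * BLOCK]
        rows.append((s, trailer_block(s), bytes(t[0:6]).hex(), bytes(t[10:16]).hex()))
    return rows


def build_sample_dump():
    """Constructed 4K image: factory defaults everywhere, three sectors overridden."""
    dump = bytearray(4096)

    def set_trailer(sector, key_a, ac, key_b):
        off = trailer_block(sector) * BLOCK
        dump[off:off + BLOCK] = bytes.fromhex(key_a + ac + "69" + key_b)

    for s in range(40):
        set_trailer(s, "ffffffffffff", "ff0780", "ffffffffffff")
    set_trailer(0, "a0a1a2a3a4a5", "ff0780", "b0b1b2b3b4b5")   # keys from the page's default list
    set_trailer(1, "2c5a3710d3a5", "787788", "ffffffffffff")   # key A found by mfoc above; assumed AC
    return bytes(dump)


if __name__ == "__main__":
    image = build_sample_dump()
    for sector, tb, ka, kb in keys_table(image):
        print("%02x  %02x  %s  %s" % (sector, tb, ka, kb))
    print(parse_sector(image, 1))
```

Two results are worth looking at when running this over a real dump: a trailer whose access bits fail the consistency check was not read correctly, since the card would never have accepted it; and a sector whose key B is readable with key A (the transport configuration, ff 07 80) cannot authenticate with key B at all, so there is nothing to gain from attacking key B there.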