Easy tutorial about hacking our first MIFAR/RFID Tag. RFID is a technology widely used in our lives, from our building access badges, to payment facilities, or even our gates’ remotes. As we’ve seen in the previous post, some of them are utilizing little to no security mechanisms, like MIFARE. Today we will start working on a really basic series of hacks. What you will need HardwareWhat’s covered can be done with a simple RFID card reader found on Amazon for 30€ (35$). Mine was the simply because it was the most mentioned one on a few forums and blog posts I had read at the time.

1. Mifare Plus Hack
2. Mifare Classic
3. Mifare Classic 1k

Consequently, it would make things easier for support if any issues arise.With the previous post, we saw that tags a have a specific block of memory reserved to the manufacturer, including an UID (Unique IDentifier). If you want to try and clone a tag, you will need to be able to spoof this UID, so I also ordered a few tags ( and ) with an UID rewritable. ACS ACR122U SoftwareAny.NIX distribution will do the trick (Windows too eventually), but after a bit of trial and error, I figured out working on RFID and NFC works better with security oriented distributions like Kali or ParrotSec.

They already include all the tools and libraries needed to do the job.I also found out working in Virtual Machines (VMs) can sometimes be a pain. The host always keep a bit of control over the USB ports (via probes). This is annoying bc our card reader needs full access to those ports at any time.

Without full access time-outs during read/write operations will occur and can permanently damage a tag.NB: For those of you getting an error when trying to run any NFC related operations on an ACR122. Nfc-list – Figure 2.1When done, the device is detected and active, interface is opened, and there is an ISO/IEC 14443A compliant tag in range.

This tag is a barbaric term for a MIFARE card. Our first relevant information, this MIFARE tag’s UID is 7BE88C21. MFOC – MiFare classic Offline CrackerThe easiest and most basic tool to use against MIFARE tags, is MFOC.

It tries different keys against a MIFARE tags. Once MFOC finds a correct key the tool can “guess” the other keys and dump the memory of the tag. (Figure 2.2). MFOC’s black magic – Figure 2.3In figure 2.3, MFOC is using the sector 00 as an exploit sector simply because both A & B keys are known for this tag (hence any sector from 0 to 11 could be used as an exploit sector).

MFOC is then sending probes onto the “uncracked” sectors and will compare the answer’s delay with a positive one onto sector 00, similar to how a works.With the last 4 uncracked sectors have unveiled their B keys, MFOC is able to authenticate. Now we have both A & B keys.

Now we will dump the memory of the entire tag in the file location specified, as seen in Figure 2.4. Hexeditor of the dump file – Figure 2.5In Figure 2.5 above, the red area is actually a whole sector as we detailed in the first article, and on line 2B0 you can see the A key, A0A1A2A3A4A5, and B key, B0B1B2B3B4B5, which is separated by the 8 access bits 78 77 88 69 of the concerned sector. NFC-MFCLASSICThe tag I worked on is the building access tag for my apartment. Lucky for me all sectors were using a default key and the dump only took me 20-25 seconds. From here I copied my building badge. I did this to see if my building’s scanner could tell the difference between the original tag and a clone (UID included).This brings us to a new tool nfc-mfclassic.

Mifare Plus Hack

This tool will allow us to write dump files on the new tag and is quite simple to use. A quick look at the man page is all that is needed. This tells us all we need to know. We can write dumps on a new tag with a w options, but a W (notice the uppercase) will not only write the whole dump’s data but will also rewrite the UID.Let’s try to write the dump we just created with mfoc onto the new tag ordered on Amazon, using the A keys stored in the dump file itself (Figure 2.6). Figure 2.7 ConclusionIn conclusion, we’ve identified how to use a few basic NFC and MIFARE commands to read and detect a tag.

With the few more MFOC commands we were able to crack a generic NFC key. Eventually, we dump the content of the tag’s memory if it was using default keys. Rod ellis second language acquisition. This makes up more than 75% of the tags I have tried so far. With this information,the knowledge of cloning different MIFARE classic tags. A few things you might be asking yourself. What to do if no default keys are used?. What if you want to edit the content of the data and give you access somewhere you shouldn’t be?That, my friends, will be for the next article of this RFID series.

BackgroundI recently bought an ACR122U reader 1 to play around with RFID, and especially MIFARE Classic cards because of their low security 2 3 4 5 and widespread adoption.The different sectors of the MIFARE Classic card are protected by different keys. To be able to decrypt the content of the card, the keys must be found. There are two well-known applications for this: mfcuk 6 and mfoc 7. A typical attack scenario is to use mfcuk to find the first key of the card (which may take quite some time). When one key is found, mfoc can be used to find all other keys within minutes.

The problemAfter installing libnfc 8, together with mfcuk and mfoc using AUR in Arch Linux, everything seemed to work. I launched an attack using mfcuk and got a key back after some time. The key was, however, incorrect. I assume that the bug described in 9 is the one causing trouble.

The fix seems to be to use an older version of mfcuk. However, this will also require an older version of libnfc. This older version is, in turn, not compatible with mfoc.Deep sigh.So, let’s install duplicate copies of libnfc to get everything working. Command-line frenzyNote that # command means that the command should be executed as root, and that $ command should be executed as your own user.

Also, take care to replace all instances of with your own username.I use yaourt to install packages from the AUR. You may use whatever tool you want.

Mfcuk r65 and libnfc 1.5.1A working combination of mfcuk and libnfc seems to be mfcuk r65 and libnfc 1.5.1. So let’s start by getting these, together with pcsclite and the PC/SC drivers for the ACR122U. # pacman -S pcsclite$ yaourt -S acsccid$ mkdir -p /builds/nfc$ cd /builds/nfc$ wget svn checkout -r 65 mfcuk-r65$ tar zxf libnfc-1.5.1.tar.gzNow, let’s compile this older libnfc version and install it in a local directory to avoid messing up the system libraries. $ cd libnfc-1.5.1$./configure -prefix=/home//builds/nfc/prefix$ make$ make install$ cd.Now, let’s compile mfcuk and make it use our newly compiled version of libnfc. $ cd mfcuk-r65$ autoreconf -is$ LIBNFCCFLAGS=-I/home//builds/nfc/prefix/include LIBNFCLIBS='-L/home//builds/nfc/prefix/lib -lnfc'./configure -prefix=/home//builds/nfc/prefix$ make$ make install$ cd.Now lets continue to mfoc.Note: You cannot use mfcuk just yet, because libnfc 1.7.1 needs to be installed to blacklist the kernel’s built-in drivers for the ACR122U, which will otherwise interfere with pcsclite. Mfoc 0.10.6 and libnfc 1.7.1I will use the latest version of both libnfc and mfoc in the AUR, which (as of this writing) is 1.7.1 and 0.10.6. $ yaourt -S libnfc mfocDone!

Cracking MIFARE ClassicTo decrypt the contents of a MIFARE Classic card, we must first find the keys. This will be done in two steps. Find the first key using mfcukNow, here is the tricky part. Libnfc 1.5.1 must use pcsclite to be able to communicate with the reader, while newer versions of libnfc seem to prefer not to use pcsclite at all.

Follow the instructions in the order written. If something goes wrong, unplug everything, remove the card, and try again from the beginning. Open a terminal window and run (as root): pcscd -f to start the pcsclite daemon in foreground. Connect your reader (without card). Put card on reader. Run mfcuk (as root) in a new window using the not-so-nice command-line:# LDLIBRARYPATH=/home//builds/nfc/prefix/lib /home//builds/nfc/prefix/bin/mfcuk -C -R 0:A -s 250 -S 250 -v 3This will start cracking the first key of the first sector. This may take some time (up to hours).When finished, the program will print something like (key censored as XXXXXXXXXXXX): INFO: block 3 recovered KEY: XXXXXXXXXXXX1 2 3 4 5 6 7 8 9 a b c d e fACTION RESULTS MATRIX AFTER RECOVER - UID YY YY YY YY - TYPE 0x08 (MC1K)-Sector Key A ACTS RESL Key B ACTS RESL-0 XXXXXXXXXXXX.

Mifare Classic

R 00.1 00. 00.2 00. 00.3 00. 00.4 00. 00.5 00.

00.6 00. 00.7 00. 00.8 00.

Mifare Classic 1k

00.9 00. 00.10 00. 00.11 00.

00.12 00. 00.13 00.

00.14 00. 00.15 00. 00.Finally, kill the pcscd daemon with Ctrl-C.This key can now be used together with mfoc to crack the remaining keys.

Find the remaining keys using mfocSince mfoc will use the newer version of libnfc, the command will be much simpler. Ensure that you have killed pcscd above before continuing. Replace XXXXXXXXXXXX with the key you got from mfcuk above. # mfoc -O carddump.dmp -k XXXXXXXXXXXXWhen finished, mfoc will dump the contents of your card both to the screen and to carddump.dmp.