NFC Cards: Mifare 1k Cracking
Introduction
RFID covers a group of technologies that operate in specific radio-frequency bands, which are commonly divided into low-frequency (LF) and high-frequency (HF) systems. The higher the frequency, the fewer turns of wire the tag antenna needs. Tags are also either active (they carry their own power source) or passive (they are powered by the reader's field). This blog post focuses on NFC at 13.56 MHz, which is a subset of the RFID field.
MIFARE Classic cards are based on the ISO/IEC 14443 Type A standard and are among the most vulnerable high-frequency cards. They often ship with default keys (for example FFFFFFFFFFFF) and they rely on the proprietary Crypto-1 stream cipher with 48-bit keys, which has been broken for years, so the keys can be recovered from the card itself. In the section below, I'll walk through the process of cloning a MIFARE Classic 1k card and analyzing the extracted data.
Card Content Overview
MIFARE Classic 1k cards have a total memory of 1024 bytes, divided into 16 sectors of 64 bytes. Each sector is divided into 4 blocks of 16 bytes. Blocks 0, 1 and 2 of each sector store data. Block 3 is the sector trailer and holds Key A (bytes 0-5), the access bits (bytes 6-8, followed by one free user byte 9) and Key B (bytes 10-15). The exception is the manufacturer block (sector 0, block 0): it holds the UID, the BCC, SAK, ATQA and manufacturer data, is written at production time and is read-only on genuine cards, so it cannot store "real" data.
Sector 0 data structure
Sector 1-15 data structure
Memory Layout
| Acronym | Description |
|---|---|
| NUID | Non-Unique Identifier (the 4-byte UID in bytes 0-3 of block 0) |
| BCC | Block Check Character (XOR of the four UID bytes, byte 4 of block 0) |
| SAK | Select Acknowledge, Type A (byte 5 of block 0) |
| ATQA | Answer to Request, Type A (bytes 6-7 of block 0) |
| UDF | Undefined data (remaining manufacturer bytes 8-15 of block 0) |
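To make the layout above concrete, here is a small parser for a raw 1k dump (the .mfc/.mfd files that mfoc writes). It is an added example for this post, not code from the original article or from mfdread/libnfc: it splits the image into sectors and blocks, decodes the manufacturer block (NUID, BCC, SAK, ATQA), pulls Key A, Key B and the access bytes out of each sector trailer, and translates the access bits into the per-block permissions from the MIFARE Classic datasheet tables, rejecting trailers whose inverted nibbles do not match. The UID DEADBEEF, the keys A0A1A2A3A4A5 / B0B1B2B3B4B5 and the data placed in sector 1 are constructed sample values, not from a real card.

```python
"""Parse a MIFARE Classic 1K dump: 16 sectors x 4 blocks x 16 bytes = 1024 bytes.

Added example for this post, not code from the original article or from mfoc/libnfc.
The sample dump below is constructed in memory (hypothetical UID and keys) so it runs offline.
"""

BLOCK = 16
DUMP_SIZE = 16 * 4 * BLOCK  # 1024 bytes

# Data-block access conditions keyed by (C1, C2, C3):
# (read, write, increment, decrement/transfer/restore)
DATA_ACCESS = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),        # transport configuration
    (0, 1, 0): ("A|B", "never", "never", "never"),
    (1, 0, 0): ("A|B", "B", "never", "never"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),
    (0, 0, 1): ("A|B", "never", "never", "A|B"),
    (0, 1, 1): ("B", "B", "never", "never"),
    (1, 0, 1): ("B", "never", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}
# Sector-trailer access conditions keyed by (C1, C2, C3):
# (KeyA read, KeyA write, access-bits read, access-bits write, KeyB read, KeyB write)
TRAILER_ACCESS = {
    (0, 0, 0): ("never", "A", "A", "never", "A", "A"),
    (0, 1, 0): ("never", "never", "A", "never", "A", "never"),
    (1, 0, 0): ("never", "B", "A|B", "never", "never", "B"),
    (1, 1, 0): ("never", "never", "A|B", "never", "never", "never"),
    (0, 0, 1): ("never", "A", "A", "A", "A", "A"),     # transport configuration
    (0, 1, 1): ("never", "B", "A|B", "B", "never", "B"),
    (1, 0, 1): ("never", "never", "A|B", "B", "never", "never"),
    (1, 1, 1): ("never", "never", "A|B", "never", "never", "never"),
}


def block(dump, sector, index):
    """Return the 16 bytes of block `index` (0-3) in `sector` (0-15)."""
    start = (sector * 4 + index) * BLOCK
    return dump[start:start + BLOCK]


def parse_manufacturer_block(dump):
    """Decode sector 0 / block 0: 4-byte NUID, BCC, SAK, ATQA and manufacturer data."""
    b0 = block(dump, 0, 0)
    uid = b0[0:4]
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]   # BCC is the XOR of the four UID bytes
    return {
        "uid": uid.hex(),
        "bcc": b0[4],
        "bcc_ok": b0[4] == bcc,
        "sak": b0[5],
        "atqa": b0[6:8].hex(),
        "manufacturer_data": b0[8:16].hex(),
    }


def parse_trailer(dump, sector):
    """Return Key A, the access bytes (6-9) and Key B of a sector trailer."""
    t = block(dump, sector, 3)
    return {"key_a": t[0:6].hex(), "access": t[6:10].hex(), "key_b": t[10:16].hex()}


def decode_access_bits(access):
    """Turn the 3 access bytes into per-block (C1, C2, C3) triples, checking the inverted copies."""
    b6, b7, b8 = access[0], access[1], access[2]
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    # Byte 6 carries ~C2 (high nibble) and ~C1 (low nibble); byte 7 carries C1 and ~C3.
    if ((b6 ^ 0xFF) & 0xF) != c1 or ((b6 ^ 0xFF) >> 4) != c2 or ((b7 ^ 0xFF) & 0xF) != c3:
        raise ValueError("access bits are inconsistent (sector may be bricked or dump corrupt)")
    # Bit i of each nibble belongs to block i of the sector.
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def describe_sector(dump, sector):
    """Human-readable permissions for the three data blocks and the trailer of a sector."""
    trailer = parse_trailer(dump, sector)
    bits = decode_access_bits(bytes.fromhex(trailer["access"]))
    data_names = ("read", "write", "inc", "dec")
    trailer_names = ("keyA_read", "keyA_write", "acc_read", "acc_write", "keyB_read", "keyB_write")
    data = {f"block{i}": dict(zip(data_names, DATA_ACCESS[bits[i]])) for i in range(3)}
    return {"keys": trailer, "data_blocks": data,
            "trailer": dict(zip(trailer_names, TRAILER_ACCESS[bits[3]]))}


def build_sample_dump():
    """Constructed 1K image: hypothetical NUID DEADBEEF, default keys everywhere except sector 1."""
    dump = bytearray(DUMP_SIZE)
    # UID DEADBEEF, BCC = DE^AD^BE^EF = 0x22, SAK 0x08, ATQA 04 00, 8 manufacturer bytes
    dump[0:16] = bytes.fromhex("deadbeef") + bytes([0x22, 0x08, 0x04, 0x00]) + bytes(8)
    for s in range(16):  # transport configuration: keys FF..FF, access FF 07 80 69
        start = (s * 4 + 3) * BLOCK
        dump[start:start + BLOCK] = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")
    # Sector 1: own keys; data blocks readable with A|B but writable only with B (78 77 88)
    dump[7 * BLOCK:8 * BLOCK] = bytes.fromhex("a0a1a2a3a4a5" "78778869" "b0b1b2b3b4b5")
    dump[4 * BLOCK:5 * BLOCK] = b"badge:0042;lvl=3"  # 16 bytes of made-up application data
    return bytes(dump)


if __name__ == "__main__":
    d = build_sample_dump()
    print(parse_manufacturer_block(d))
    for s in range(2):
        print(s, describe_sector(d, s))
```

Run it directly to print the decoded sample; to analyse a real dump, replace build_sample_dump() with open("cardtocopy.mfc", "rb").read(). The access bytes 78 77 88 in sector 1 are the common "read with A, write only with B" configuration, so rewriting such a sector needs Key B and not just Key A, which is one reason to let mfoc recover both keys.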
Card Reader
If you want the cheapest option, simply build a card reader from a PN532 module and a USB-to-UART adapter (e.g. CP2102). If you want to start right away, I advise you to buy a PN532 module with a Micro USB port onboard. It costs a few dollars more, but saves you a bit of hassle. A more professional tool is the Proxmark3. It is more expensive (about $300) and offers additional functionality such as sniffing and card emulation.
PN532 module with a Micro USB port:
Proxmark 3 RDV4:
Dump data
There are many tools out there which extract data from a MIFARE Classic 1k card.
Here is a list of tools:
- MIFARE Classic Tool (Android app)
- MFOC (nested attack; needs one known key, e.g. a default key, and a card with the weak PRNG)
- MFCUK (darkside attack; recovers a first key when none is known)
- miLazyCracker (wrapper around MFOC and MFCUK)
We will use the miLazyCracker tool. To recover the keys and copy the card, we need: libnfc, the userspace library (with its nfc-* utilities) that lets applications talk to the NFC reader, and miLazyCracker, an open-source script which wraps mfoc and mfcuk. It checks whether the card is vulnerable to the nested attack and, for hardened cards that are not, falls back to a hardnested attack. Combining the tools this way saves you time when cracking cards.
Install Libnfc
Follow the build instructions in the libnfc GitHub repository.
Check if your PN532 Modul is connected and ready to scan a NFC Tag:
```bash
nfc-list -v
```
Clone and navigate to miLazyCracker repository folder and install the miLazyCracker:
```bash
./miLazyCrackerFreshInstall.sh
```
Dump data from the card and find all keys 🔑:
```bash
miLazyCracker
```
Write Data (Cloning the Card)
If you want to write data to a new card, you need a Magic Card (a MIFARE Classic compatible card whose block 0 is writable). With Magic Cards it is possible to write the UID into the manufacturer block, which is essential for cloning, since a reader that checks the UID would otherwise reject the copy. For cloning we use MFOC to dump both cards and nfc-mfclassic (shipped with libnfc) to write the image.
Backup the Magic Card:
```bash
mfoc -P 500 -O magiccard.mfc
```
Backup the original Card:
```bash
mfoc -P 500 -O cardtocopy.mfc
```
Write the original card's image, including the complete manufacturer block, onto the Magic Card. nfc-mfclassic takes the image to write as the first file and the key file for the card currently on the reader as the second, so the dump of the original comes first and the dump of the Magic Card (which holds that card's keys and UID) second:
```bash
nfc-mfclassic W b cardtocopy.mfc magiccard.mfc
```
The capital "W" means an unlocked write: nfc-mfclassic sends the backdoor unlock command that gen1 Magic Cards accept, which also rewrites block 0 and therefore the UID. The "b" selects Key B for authentication; use "a" if the trailers of your Magic Card only grant write access to Key A.
IMPORTANT NOTE: Some people report that the nfc-mfclassic command fails intermittently and has to be executed several times before the data lands on the Magic Card. Nevertheless I had no problems with it. If nfc-mfclassic won't work for you, I recommend using the MIFARE Classic Tool app with the keys you already dumped (you can enter them in the app).
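Because the write can fail part-way, it pays to read the Magic Card back after writing (for example with mfoc -O verify.mfc, as above) and compare that image with the original block by block. The following is an added example for this post, not code from the original article or from libnfc: it reports every block that differs, classified as manufacturer, data or trailer block, and can optionally ignore the key bytes of trailers, since Key A can never be read back from a MIFARE Classic card and shows up as zeros in a re-read trailer depending on how the tool fills it. The two images are constructed in memory (hypothetical UID and keys) so the script runs offline; with real cards pass the bytes of the two dump files instead.

```python
"""Verify a clone: compare the original dump with a fresh dump of the written Magic Card.

Added example for this post (not part of the original article or of libnfc/mfoc). The two
in-memory images are constructed here; with real cards read the files written by mfoc.
"""

BLOCK = 16
DUMP_SIZE = 1024  # MIFARE Classic 1K


def block_kind(index):
    """Classify an absolute block number (0-63) of a 1K card."""
    if index == 0:
        return "manufacturer"
    return "trailer" if index % 4 == 3 else "data"


def compare_dumps(original, clone, ignore_trailer_keys=False):
    """Return one record per differing block: sector, block, kind and the differing byte offsets.

    Key A is never readable from the card, so a re-read trailer may differ from the original
    in bytes 0-5 (and, depending on the access bits, Key B in bytes 10-15) without the clone
    being wrong; ignore_trailer_keys=True compares only the access bytes 6-9 of trailers.
    """
    if len(original) != DUMP_SIZE or len(clone) != DUMP_SIZE:
        raise ValueError("both images must be exactly 1024 bytes (MIFARE Classic 1K)")
    diffs = []
    for n in range(DUMP_SIZE // BLOCK):
        a = original[n * BLOCK:(n + 1) * BLOCK]
        b = clone[n * BLOCK:(n + 1) * BLOCK]
        kind = block_kind(n)
        offsets = range(6, 10) if (kind == "trailer" and ignore_trailer_keys) else range(BLOCK)
        bad = [i for i in offsets if a[i] != b[i]]
        if bad:
            diffs.append({"sector": n // 4, "block": n % 4, "kind": kind, "offsets": bad})
    return diffs


def clone_ok(original, clone, ignore_trailer_keys=False):
    """True when block 0 (UID) and every compared byte of every other block match."""
    return not compare_dumps(original, clone, ignore_trailer_keys)


def sample_images():
    """Constructed pair: an 'original' and a 'clone' where one data block failed to write
    and the Key A bytes of sector 3's trailer read back as zeros."""
    original = bytearray(DUMP_SIZE)
    # hypothetical UID DEADBEEF, BCC 0x22, SAK 0x08, ATQA 04 00, manufacturer data zero
    original[0:16] = bytes.fromhex("deadbeef" "22" "08" "0400" "0000000000000000")
    for s in range(16):  # hypothetical keys A0..A5 / B0..B5, transport access bits
        t = (s * 4 + 3) * BLOCK
        original[t:t + BLOCK] = bytes.fromhex("a0a1a2a3a4a5" "ff078069" "b0b1b2b3b4b5")
    original[9 * BLOCK:10 * BLOCK] = b"ticket-2024-0007"  # sector 2, block 1 (made-up data)
    clone = bytearray(original)
    clone[9 * BLOCK:10 * BLOCK] = bytes(BLOCK)             # write of sector 2 block 1 failed
    clone[15 * BLOCK:15 * BLOCK + 6] = bytes(6)            # sector 3 trailer: Key A reads as 00
    return bytes(original), bytes(clone)


if __name__ == "__main__":
    o, c = sample_images()
    for d in compare_dumps(o, c):
        print(f"sector {d['sector']} block {d['block']} ({d['kind']}) differs at bytes {d['offsets']}")
    print("clone ok (ignoring trailer keys):", clone_ok(o, c, ignore_trailer_keys=True))
```

With real files the call is compare_dumps(open("cardtocopy.mfc", "rb").read(), open("verify.mfc", "rb").read(), ignore_trailer_keys=True); any data block or block 0 in the report means the write has to be repeated.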
Analysis of dumped card content
Here is a list of tools which can be used to analyze the card content:
- mfdread, a MIFARE dump parser written in Python; gives a quick overview of the data.
- 010 Editor, a proprietary hex editor, useful when editing dumped data; a MIFARE template is available.
- ImHex, an open-source hex editor.
Analysis in Detail
coming soon…