Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

#1 2009-10-29 02:45:59

sine
Member
Registered: 2009-08-30
Posts: 2

Mifare Classic Offline Cracker

Hello,

We have implemented and released our open-source implementation of the "offline nested" attack, tested on Mac OS X and Linux. You can try it here: http://www.nethemba.com/mfoc.tar.bz2

Feel free to provide any feedback, ideas and bug reports. Thanks.

Last edited by sine (2009-10-29 02:55:28)

#2 2009-10-29 04:42:21

henryk
Contributor
Registered: 2009-07-27
Posts: 99

Re: Mifare Classic Offline Cracker

Hey, great work!

Two annotations on compilation issues: your src/Makefile.am hard-codes the path to libnfc (as INCLUDES = -I/usr/local/include/libnfc) even though ./configure insists on pkg-config and therefore has the proper path available. I'm not that familiar with writing auto* scripts, but I believe INCLUDES = $(LIBNFC_CFLAGS) would fix that, though there may be a better way. Also, the newest libnfc revision that the code will build with is SVN r94, since the libnfc API has been changed after that.

The output of src/mfoc -h doesn't match the options that are actually available, the examples there list options -s, -k and -N which don't exist (yet?).

Possible enhancement: After finding a key through the attack, try that key with the remaining unsolved sectors before performing the attack on them.

(And if you really want to go out of your way to make a convenient tool: Dump the sector contents after finding a key. :-) )

#3 2009-10-29 13:41:45

adam@algroup.co.uk
Contributor
From: UK
Registered: 2009-05-01
Posts: 203

Re: Mifare Classic Offline Cracker

Nice!

BTW, mifaretag.h is also missing from the default libnfc install...

libnfc/src/examples/mifaretag.h needs to be manually copied to your local .../include/libnfc directory (or libnfc needs tweaking to auto-install it)

cheers,
Adam

#4 2009-10-29 13:45:10

hat
Contributor
Registered: 2009-04-12
Posts: 160

Re: Mifare Classic Offline Cracker

I have a few comments as well, after an initial quick code review.

- First, the dickish one: pointing out that you have functions of 316 and 227 lines respectively, making code review less pleasant.

- You chose, IMHO, a weird version of the attack, if I'm understanding everything correctly (and this is a bit of a bigger "if" due to the first point).

You get *1* encrypted tag nonce and use this to get a group of on average 8192*65536 keys (in memory this would be 4 gig). Probably having noticed this to be hard to handle, you use two methods to cut this number down.
a) This first one I have no issues with. Using timing you try to predict the right nonce, and use a user-definable tolerance to only test probable nonces. This gets it down to something like 20*65536? Although you might want to fall back on testing a larger range if it fails.
b) The second method I don't understand at all: using TRY_KEYS, you just chop all the likely keys by only taking 10 keys from the sorted array of keys you got from step 1, and test these keys by communicating with the tag.

If this fails you simply try again, for "probes" times?

- Given the correctness of the previous two points, I would assume getting more nonces and eliminating the keys on a crypto basis could benefit this code a lot.

- And finally, could you explain your reasoning for calling it "offline cracker"? It seems to me like that's a misnomer, or at least too vague.

PS: it seems like there is a crapto2.5 today too. Free code galore.

Last edited by hat (2009-10-29 14:23:32)
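
hat's point (a) above, the timing-based prediction of the tag nonce with a user-definable tolerance, rests on the tag PRNG being a 16-bit LFSR whose successor states can be computed from any nonce the tag has already sent. The block below is an added example written for this page, not code from mfoc or crapto1. prng_successor() and nonce_distance() follow the publicly documented crapto1 conventions (byte-swapped 32-bit register, feedback taps 16/18/19/21, i.e. the LFSR x^16+x^14+x^13+x^11+1 with period 65535); valid_nonce() and candidate_index() are helpers invented here, and the seed 0x01020304 is a constructed sample, not a captured nonce. It shows why the timing step reduces the search to a window of 2*tolerance+1 nonces out of 65535, and what happens when the timing estimate is off by more than the tolerance: the true nonce is simply not in the window, which is the "fall back on a larger range" case hat raises.

```c
/* Tag-nonce PRNG model and timing-window nonce prediction for the nested attack.
 * Added example; not mfoc or crapto1 code. prng_successor()/nonce_distance()
 * follow the crapto1 conventions, valid_nonce()/candidate_index() are this
 * example's own helpers. */
#include <stdint.h>
#include <stdio.h>

#define PRNG_PERIOD 65535u   /* 2^16 - 1: the all-zero LFSR state never occurs */

/* Reverse the byte order of a 32-bit word (crapto1's SWAPENDIAN). */
static uint32_t swapendian(uint32_t x)
{
    x = ((x >> 8) & 0x00FF00FFu) | ((x & 0x00FF00FFu) << 8);
    return (x >> 16) | (x << 16);
}

/* Clock the tag PRNG n times starting from the 32-bit nonce the tag sent. */
uint32_t prng_successor(uint32_t nonce, uint32_t n)
{
    uint32_t x = swapendian(nonce);
    while (n--) {
        uint32_t fb = ((x >> 16) ^ (x >> 18) ^ (x >> 19) ^ (x >> 21)) & 1u;
        x = (x >> 1) | (fb << 31);
    }
    return swapendian(x);
}

/* dist[s] = position of 16-bit LFSR state s on its single 65535-step cycle,
 * keyed by the byte-swapped state so it can be indexed directly with the
 * upper 16 bits of an on-the-wire nonce. */
static uint16_t dist[65536];
static int dist_ready;

static void build_distance_table(void)
{
    uint16_t x = 1;
    for (uint32_t i = 1; i <= PRNG_PERIOD; i++) {
        dist[(uint16_t)(((x & 0xFFu) << 8) | (x >> 8))] = (uint16_t)i;
        uint16_t fb = (x ^ (x >> 2) ^ (x >> 3) ^ (x >> 5)) & 1u;
        x = (uint16_t)((x >> 1) | (fb << 15));
    }
    dist_ready = 1;
}

/* Clocks needed to go from valid nonce `from` to valid nonce `to`, so that
 * prng_successor(from, nonce_distance(from, to)) == to. */
uint32_t nonce_distance(uint32_t from, uint32_t to)
{
    if (!dist_ready)
        build_distance_table();
    return (PRNG_PERIOD + dist[to >> 16] - dist[from >> 16]) % PRNG_PERIOD;
}

/* Any 32-bit value becomes a nonce the real PRNG could emit after 16 clocks,
 * because by then every bit in the register was produced by the feedback. */
uint32_t valid_nonce(uint32_t seed)
{
    return prng_successor(seed, 16);
}

/* Timing step of the nested attack: the reader measured how long the tag ran
 * between two authentications, so it predicts the new nonce to be about
 * `predicted` clocks past `reference` and only tests the 2*tolerance+1 nonces
 * around that guess instead of all 65535. Returns the index of `nonce` in that
 * window, or -1 when the prediction was off by more than `tolerance` clocks
 * (the attack then has to probe again or widen the window). */
int candidate_index(uint32_t reference, uint32_t predicted,
                    uint32_t tolerance, uint32_t nonce)
{
    uint32_t first = ((predicted % PRNG_PERIOD) + PRNG_PERIOD
                      - (tolerance % PRNG_PERIOD)) % PRNG_PERIOD;
    uint32_t x = prng_successor(reference, first);
    for (uint32_t i = 0; i <= 2 * tolerance; i++) {
        if (x == nonce)
            return (int)i;
        x = prng_successor(x, 1);
    }
    return -1;
}

int main(void)
{
    uint32_t ref = valid_nonce(0x01020304u);   /* constructed sample seed */
    uint32_t nt  = prng_successor(ref, 100);   /* what the tag would send */
    printf("reference %08x, nonce 100 clocks later %08x, distance %u\n",
           (unsigned)ref, (unsigned)nt, (unsigned)nonce_distance(ref, nt));
    printf("predicted 100 +/- 5: index %d; predicted 90 +/- 5: index %d\n",
           candidate_index(ref, 100, 5, nt), candidate_index(ref, 90, 5, nt));
    return 0;
}
```

The window wraps around the 65535-step cycle, so a prediction near the start of the cycle with a tolerance larger than the predicted distance still yields a full window rather than an out-of-range step count.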

#5 2009-10-29 15:42:53

adam@algroup.co.uk
Contributor
From: UK
Registered: 2009-05-01
Posts: 203

Re: Mifare Classic Offline Cracker

Thanks for the tip!

hmmm...

  In file included from qrapto1.cxx:24:
  qrapto1.h:22:24: error: ui_qrapto1.h: No such file or directory

:(

#6 2009-10-29 17:50:07

rconty
Member
Registered: 2009-06-15
Posts: 7

Re: Mifare Classic Offline Cracker

Hey,

adam@algroup.co.uk wrote:

Nice!
BTW, mifaretag.h is also missing from the default libnfc install...

libnfc/src/examples/mifaretag.h needs to be manually copied to your local .../include/libnfc directory (or libnfc needs tweaking to auto-install it)

Fixed in r157.
Feel free to report libnfc issue at: http://code.google.com/p/libnfc/issues

Thanks.

#7 2009-10-30 21:50:12

hat
Contributor
Registered: 2009-04-12
Posts: 160

Re: Mifare Classic Offline Cracker

adam@algroup.co.uk wrote:

Thanks for the tip!

hmmm...

  In file included from qrapto1.cxx:24:
  qrapto1.h:22:24: error: ui_qrapto1.h: No such file or directory

:(

I don't want to go off topic too much, but that header file is automatically generated from the .ui, if you do it right.


BTW, looking at the code more closely, it seems like it might be sorting them in a way to make it test the most likely TRY_KEYS, so I guess it makes sense. Though I think getting more nonces might still be the right road to take.

#8 2009-10-31 17:55:28

adam@algroup.co.uk
Contributor
From: UK
Registered: 2009-05-01
Posts: 203

Re: Mifare Classic Offline Cracker

Ah, OK.... thanks...

  qmake-qt4 qrapto1.pro

FTW! :)

#9 2009-11-18 02:19:54

brokentesting
Member
Registered: 2008-11-22
Posts: 13

Re: Mifare Classic Offline Cracker

EXCELLENT!

Thank you

#10 2009-11-23 09:13:04

schwa226
Contributor
Registered: 2009-09-17
Posts: 17

Re: Mifare Classic Offline Cracker

Is there a Windows version of mfoc available?

With VS2008 I can't compile the source.

thx

EDIT:
I got the source running under Windows, but I have problems with copying the argument given for the key in case "k":
How do I copy the given parameter to a byte array?

  option_t *optList, *thisOpt;

  /* get list of command line options and their arguments */
  optList = NULL;
  optList = GetOptList(argc, argv, "hD:s:BP:T:S:O:k:t:");

  /* display results of parsing */
  while (optList != NULL)
  {
    thisOpt = optList;
    optList = optList->next;

    switch (thisOpt->option) {
      case 'P':
        // Number of probes
        if (!(probes = atoi(thisOpt->argument)) || probes < 1) {
          fprintf(stderr, "The number of probes must be a positive number\n"); 
          exit(1);
        }
        // fprintf(stdout, "Number of probes: %d\n", probes);
        break;
      case 'T':
        // Nonce tolerance range
        if (!(d.tolerance = atoi(thisOpt->argument)) || d.tolerance < 0) {
          fprintf(stderr, "The nonce distances range must be a zero or a positive number\n"); 
          exit(1);
        }
        // fprintf(stdout, "Tolerance number: %d\n", probes);
        break;
      case 'k':
        // Add this key to the default keys list
        if ((defKey = calloc(6, sizeof(byte_t))) == NULL) {
          fprintf(stderr, "Cannot allocate memory for defKey\n");
          exit(1);
        } else {
          //bzero(defKey, 6);
          num_to_bytes(strtol(thisOpt->argument, NULL, 16), 6, defKey);
          memcpy(defaultKeys[0], defKey, 6);
        }
        fprintf(stdout, "The custom key 0x%012llx has been added to the default keys\n", bytes_to_num(defKey, 6));
        
        break;        
//      case 'B':
//        // Dump B keys instead of Keys 'A'
//        dumpKeysA = false;
//        break;
      case 'O':
        // File output
        if (!(pfDump = fopen(thisOpt->argument, "wb"))) {
          fprintf(stderr, "Cannot open: %s, exiting\n", thisOpt->argument); 
          exit(1);
        }
        // fprintf(stdout, "Output file: %s\n", optarg);
        break;
      case 'h':
        usage(stdout, 0);
        break;
      default:
        usage(stderr, 1);
        break;
    }

    free(thisOpt); /* done with this item, free it */
  }

  FreeOptList(optList);   /* free the rest of the list */

Last edited by schwa226 (2009-11-23 19:17:58)

#11 2009-11-24 14:14:02

zveriu
Member
Registered: 2008-10-21
Posts: 3

Re: Mifare Classic Offline Cracker

Hi  schwa226,

First, regarding MFOC on Windows.

With VS2008 I can't compile the source.

Since it uses getopt(), and getopt() is not ANSI, the following getopt() alternatives are possible for WIN32:
- xgetopt - http://www.codeproject.com/KB/cpp/xgetopt.aspx
- gnu.getopt.dll - http://getopt.codeplex.com/ (If anyone can provide steps to incorporate into any Win32 C command line executable - pls let me know)
- ANSI C Command Line Option Parsing Library - http://michael.dipperstein.com/optlist/index.html

I think guys at Nethemba are already taking care of this.

Second, regarding:

How to copy the give parameter to a byte array?

Doesn't this code (present in MFOC) answer your question:

memcpy(defaultKeys[0], defKey, 6);

Thanks,
zveriu

http://andreicostin.com
http://code.google.com/p/tk-libnfc-crapto1/

#12 2009-11-24 14:28:33

schwa226
Contributor
Registered: 2009-09-17
Posts: 17

Re: Mifare Classic Offline Cracker

thx

The code above for command-line argument parsing is from Michael Dipperstein's site.

I had problems with this line:

num_to_bytes(strtol(thisOpt->argument, NULL, 16), 6, defKey);

Because thisOpt->argument is a char. The function num_to_bytes needs a uint64_t.
If I used it this way, I got, for example with the key A0A1A2A3A4A5: ...added Key 0x0007fffff to list....
Didn't work!

So I used sscanf first to make a uint64_t of the parameter and then the num_to_bytes function.
The result is now: ...added Key 0xA0A1A2A3A4A5 to list...

#13 2009-11-25 22:46:23

rule
Member
Registered: 2008-05-21
Posts: 417

Re: Mifare Classic Offline Cracker

strtoll() seems to work fine also ;)

#14 2009-11-26 02:55:56

hat
Contributor
Registered: 2009-04-12
Posts: 160

Re: Mifare Classic Offline Cracker

Since it's uint64_t, Roel meant to say strtoull ^^

#15 2009-11-26 14:47:11

rule
Member
Registered: 2008-05-21
Posts: 417

Re: Mifare Classic Offline Cracker

The 'u' is expensive nowadays ;)
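
The strtol/strtoll/strtoull exchange in #12 through #15 comes down to integer width: on Win32 (and on 32-bit Linux) long is 32 bits, so strtol() cannot hold a 48-bit key and saturates at LONG_MAX, which is the kind of wrong value schwa226 saw; strtoull() returns a 64-bit unsigned value on every platform. The block below is an added example written for this page, not mfoc's code. num_to_bytes()/bytes_to_num() are re-implemented here with the (value, length, buffer) call shape seen in the posted snippet, which is an assumption about mfoc's helpers; the accepted "0x" prefix, the KEY_PARSE_ERROR sentinel and the sample key A0A1A2A3A4A5 as default input are this example's own choices. It also validates the length and characters before converting, which neither strtol() nor sscanf("%llx") does on its own.

```c
/* Parsing the -k argument (a 12-hex-digit MIFARE Classic key) into 6 bytes.
 * Added example, not mfoc code. num_to_bytes()/bytes_to_num() are
 * re-implemented with the call shape used in the thread (an assumption). */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 6
#define KEY_PARSE_ERROR UINT64_MAX   /* a real 48-bit key is never this large */

/* Big-endian: the last byte receives the least significant bits, so
 * 0xA0A1A2A3A4A5 becomes {A0,A1,A2,A3,A4,A5}. */
void num_to_bytes(uint64_t n, size_t len, uint8_t *dest)
{
    while (len--) {
        dest[len] = (uint8_t)(n & 0xFF);
        n >>= 8;
    }
}

uint64_t bytes_to_num(const uint8_t *src, size_t len)
{
    uint64_t num = 0;
    while (len--)
        num = (num << 8) | *src++;
    return num;
}

/* Parse `text` ("A0A1A2A3A4A5", optionally with a 0x prefix) into key[].
 * Returns 0 on success, -1 if it is not exactly 12 hex digits.
 * strtoull is used instead of strtol: where long is 32 bits, strtol
 * saturates at LONG_MAX and a 48-bit key cannot fit. */
int parse_key(const char *text, uint8_t key[KEY_LEN])
{
    size_t n = strlen(text);
    if (n == 2 * KEY_LEN + 2 && text[0] == '0' &&
        (text[1] == 'x' || text[1] == 'X')) {
        text += 2;
        n -= 2;
    }
    if (n != 2 * KEY_LEN)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (!isxdigit((unsigned char)text[i]))
            return -1;
    errno = 0;
    char *end = NULL;
    uint64_t value = strtoull(text, &end, 16);
    if (errno != 0 || end != text + n)
        return -1;
    num_to_bytes(value, KEY_LEN, key);
    return 0;
}

/* Convenience for callers that want the key as a number (e.g. to print it
 * with %012llx as the posted code does): the parsed value, or KEY_PARSE_ERROR. */
uint64_t parse_key_u64(const char *text)
{
    uint8_t key[KEY_LEN];
    if (parse_key(text, key) != 0)
        return KEY_PARSE_ERROR;
    return bytes_to_num(key, KEY_LEN);
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "A0A1A2A3A4A5";  /* sample input */
    uint8_t key[KEY_LEN];
    if (parse_key(arg, key) != 0) {
        fprintf(stderr, "Key must be 12 hex digits, got \"%s\"\n", arg);
        return 1;
    }
    printf("The custom key 0x%012llx has been added to the default keys\n",
           (unsigned long long)bytes_to_num(key, KEY_LEN));
    return 0;
}
```

Checking `end == text + n` after strtoull() is what rejects trailing junk; checking errno catches overflow, which cannot happen for 12 hex digits but keeps the function correct if KEY_LEN is ever changed.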

#16 2009-12-22 14:04:46

hat
Contributor
Registered: 2009-04-12
Posts: 160

Re: Mifare Classic Offline Cracker

I doubt Roel et al. changed their policy on not publishing any tool support, but who knows.. it's that time of year.

Anyway, even if they did, it's going to be extremely hard to implement mfoc in a Qt project file. Then again, he is known to pull off a little trick or two.

I challenge thee ;-)

#17 2010-03-03 21:25:56

jh.rfid
Member
Registered: 2010-02-11
Posts: 4

Re: Mifare Classic Offline Cracker

I can't compile the source code on Windows, crapto and mfoc..
I do not know how to work with Linux; I have Ubuntu but I don't have the command lines.
Can someone help me?...

#18 2010-03-03 21:48:32

d18c7db
Contributor
Registered: 2008-08-19
Posts: 292

Re: Mifare Classic Offline Cracker

Have you downloaded and extracted the latest ProxSpace ? It has a whole posix environment and gcc compiler all set up for you to use under windows.

#19 2010-03-04 21:40:21

Andy
Member
Registered: 2009-07-20
Posts: 5

Re: Mifare Classic Offline Cracker

Hi there,
Would you post a compiled MFOC source running under Windows? Thank you! Best regards, Andy

#20 2010-03-04 23:16:13

iZsh
Contributor
Registered: 2010-01-02
Posts: 95

Re: Mifare Classic Offline Cracker

That sounds like a "cracking for dummies" request.

#21 2010-03-06 16:54:25

Andy
Member
Registered: 2009-07-20
Posts: 5

Re: Mifare Classic Offline Cracker

I'm using MFOC under ubuntu but it will be nice to use it under Windows too.

#22 2010-04-28 02:14:22

slipdop
Member
Registered: 2010-01-31
Posts: 8

Re: Mifare Classic Offline Cracker

To make this work with the latest libnfc, you have to change all references to $LIBNFC/local/include/libnfc/libnfc.h and $LIBNFC/include/libnfc/defines.h in configure and configure.ac to the actual path /usr/local/include/nfc/nfc.h. Additionally, just remove the defines.h references, as defines.h is no longer used.

#23 2010-05-06 07:19:08

albertoparis
Member
Registered: 2010-05-06
Posts: 6

Re: Mifare Classic Offline Cracker

I got my PM3 today and just started playing with it (update firmware + playing with "hf 14a snoop/info/etc") ... I think I am ready to go test the Mifare Classic 1K attack (crapto) on a reader of the local transportation system, but it seems risky ... you know? :P

Reading this post ... does that code (mfoc) work with the PM3, or just with NXP-based (or other) readers?

Last edited by albertoparis (2010-05-06 13:35:23)

#24 2010-05-10 00:34:46

Widmo
Member
Registered: 2008-09-15
Posts: 8

Re: Mifare Classic Offline Cracker

Only other readers. Go to the libnfc page; there is an implemented method.

#25 2010-05-10 23:35:36

albertoparis
Member
Registered: 2010-05-06
Posts: 6

Re: Mifare Classic Offline Cracker

OK, Thanks.

I guess I will be getting some Touchatag readers/cards next month, when I travel to the US ... Thank you again ...

Just a question: what do the NXP chip/implementation or libnfc have that allows them to do the offline attack, that the PM3 doesn't?

Last edited by albertoparis (2010-05-10 23:38:31)
