I learned on this forum that there is a new attack, hardnested, for emulated mifare classic.
Tell me how to perform this attack on acr22u.
I want to compile the libnfc_crypto1_crack tool from https://github.com/aczid/crypto1_bs for hacking emulated mifare classic.
I want to compile your program libnfc_crypto1_crack.
But I get an error: #include <nfc/nfc.h> not found.
How can I fix this and compile the project?
Do I understand correctly that this program, libnfc_crypto1_crack, can hack an emulated mifare classic card without a Proxmark and without sniffing?
I would appreciate it if you sent me a compiled program.
Last edited by roman921 (2016-05-05 15:18:28)
Hi Roma! You need to gather nonces using the reader. The rest is done on the PC side thanks to aczid's bitslicing implementation.
@aczid has released a libnfc version, check it out on his GitHub.
> @aczid has released a libnfc version, check it out on his GitHub.

Iceman, I see this https://github.com/aczid/crypto1_bs on @aczid's GitHub, but this is only the hardnested project, without libnfc.
Can you help me find a link to libnfc and a manual for installing it on Windows or Kali Linux?
In your opinion, is it better to use Windows or Kali Linux?
Last edited by roman921 (2016-05-05 17:53:35)
Hi Roma, again! First of all you should use Linux to achieve the best performance.
> use Linux

I use Kali Linux with mfoc and mfcuk installed.
I downloaded this https://github.com/aczid/crypto1_bs
I tried to install it with: make -f Makefile, but I get errors.
Can you send me a compiled hardnested program?
I want to compile libnfc_crypto1_crack.c.
Last edited by roman921 (2016-05-05 18:05:27)
Take a closer look at making libnfc_crypto1_crack.c in particular.
If you want support on that code, open an issue on GitHub and hope for the best.
> If you want support on that code, open an issue on GitHub and hope for the best.

Yes, support has already helped me. I compiled the program on 32-bit Kali Linux, but the program doesn't work on this system. Support advised me to install 64-bit Kali Linux.
Can you send me a log from this program from a successful run where it finds the key, so I can compare and understand that everything is going well?
This is the Proxmark3 device forum, therefore we don't have the ability to play around with the reader in particular.
If everything goes well, Roma, you will get the sector key.
Is there a way to tell with LibNFC tools here that it's a hardened Mifare card and not vulnerable to MFOC/MFCUK, similar to how the Proxmark can find that? I didn't know if the Proxmark started collecting nonces first and analysed that to tell, or if it could tell simply from the SAK or anti-collision phase.
The detection of a hardened PRNG is inside the PM3's darkside attack, as this can be one of the reasons for the darkside attack to fail. It will print a message about it. A general detection is not really needed, since we always try the darkside among the first things we do when researching a mifare classic tag.
Correct - I was simply hoping to avoid waiting for the full attack to run via LibNFC before attempting the hardnested. I know it determines something based on the PRNG but was just curious how it did that, whether there is some info about that in the initial response bytes or it actually does some quick analysis on the data returned and can tell it's not the predictable PRNG somehow. I see that after looking at the code more closely it's actually analyzing the returned nonces and making a determination that they are not predictable in the way that they should be. I would like to have this same capability with LibNFC tools and I might look into replicating that on that side - just wanted to make sure that doesn't already exist.
Last edited by my_fair_cats_sick (2016-07-31 13:06:36)
Since the PRNG is implemented in the code, you can predict all nonces in a sequence given the start value.
The current implementation of darkside tries 4 times to find a predicted nonce; if it can't find a nonce within those four times, it assumes that the tag has a different PRNG implementation, i.e. a newer hardened PRNG.
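The PRNG check discussed in the last few posts, as an added example (not Proxmark3, libnfc or crypto1_bs code): instead of the four-try prediction described above, it tests whether each already-collected 32-bit tag nonce is internally consistent with the 16-bit LFSR, which is also how you would audit which cards in a deployment still carry the predictable PRNG. The function names, the four-sample minimum and the sample values are assumptions; collecting nonces from a reader is not shown.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum prng_verdict { PRNG_WEAK, PRNG_HARDENED, PRNG_INCONCLUSIVE };

/* Reorder the 4 nonce bytes so that bit 0 is the oldest PRNG output bit. */
static uint32_t bswap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xFF00u) | ((v << 8) & 0xFF0000u) | (v << 24);
}

/* Step the 16-bit LFSR (x^16 + x^14 + x^13 + x^11 + 1) n times. */
uint32_t prng_successor(uint32_t nt, uint32_t n) {
    uint32_t x = bswap32(nt);
    while (n--)
        x = x >> 1 | ((x >> 16 ^ x >> 18 ^ x >> 19 ^ x >> 21) & 1u) << 31;
    return bswap32(x);
}

/* An LFSR nonce is 32 consecutive output bits, so its last 16 bits are fully
 * determined by its first 16. A truly random nonce passes 1 time in 65536. */
int nonce_is_lfsr_consistent(uint32_t nt) {
    uint32_t x = bswap32(nt);
    uint32_t predicted = (x ^ x >> 2 ^ x >> 3 ^ x >> 5) & 0xFFFFu;
    return (x & 0xFFFFu) != 0 && predicted == (x >> 16);  /* all-zero state never occurs */
}

/* Verdict over nonces already collected from one tag. */
enum prng_verdict classify_prng(const uint32_t *nonces, size_t count) {
    size_t ok = 0;
    if (count < 4) return PRNG_INCONCLUSIVE;  /* assumed minimum sample size */
    for (size_t i = 0; i < count; i++)
        ok += (size_t)nonce_is_lfsr_consistent(nonces[i]);
    if (ok == count) return PRNG_WEAK;
    return ok == 0 ? PRNG_HARDENED : PRNG_INCONCLUSIVE;
}

int main(void) {
    /* Constructed samples: an LFSR sequence, and the same values with one bit flipped. */
    uint32_t seq[4], flipped[4], nt = 0x01200145u;  /* constructed start value */
    for (int i = 0; i < 4; i++) {
        seq[i] = nt = prng_successor(nt, 160);
        flipped[i] = seq[i] ^ 1u;
    }
    printf("sequence=%d flipped=%d\n", classify_prng(seq, 4), classify_prng(flipped, 4));
    return 0;
}
```

A mixed result is reported as inconclusive rather than guessed, since a single corrupted read or a lucky random value would otherwise flip the verdict.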