Research, development and trades concerning the powerful Proxmark3 device.
Hello,
We have implemented and released our open-source implementation of the "offline nested" attack, tested on Mac OS X and Linux. You can try it here: http://www.nethemba.com/mfoc.tar.bz2
Feel free to provide any feedback, ideas and bug reports. Thanks.
Last edited by sine (2009-10-29 02:55:28)
Offline
Hey, great work!
Two annotations on compilation issues: your src/Makefile.am hard-codes the path to libnfc (as INCLUDES = -I/usr/local/include/libnfc) even though ./configure insists on pkg-config and therefore has the proper path available. I'm not that familiar with writing auto* scripts, but I believe INCLUDES = $(LIBNFC_CFLAGS) would fix that, though there may be a better way. Also, the newest libnfc revision that the code will build with is SVN r94, since the libnfc API was changed after that.
The output of src/mfoc -h doesn't match the options that are actually available: the examples there list options -s, -k and -N, which don't exist (yet?).
Possible enhancement: After finding a key through the attack, try that key with the remaining unsolved sectors before performing the attack on them.
(And if you really want to go out of your way to make a convenient tool: Dump the sector contents after finding a key. :-) )
Offline
Nice!
BTW, mifaretag.h is also missing from the default libnfc install...
libnfc/src/examples/mifaretag.h needs to be manually copied to your local .../include/libnfc directory (or libnfc needs tweaking to auto-install it)
cheers,
Adam
Offline
I have a few comments as well, after an initial quick code review.
- First, the dickish one: you have functions of 316 and 227 lines respectively, which makes code review less pleasant.
- You chose, IMHO, a weird version of the attack, if I'm understanding everything correctly (and that is a bit of a bigger "if" due to the first point).
You get *1* encrypted tag nonce and use this to get a group of on average 8192*65536 keys (in memory this would be 4 gig). Probably having noticed this to be hard to handle, you use two methods to cut this number down.
a) This first one I have no issues with. Using timing you try to predict the right nonce, and use a user-definable tolerance to only test probable nonces. This gets it down to something like 20*65536? Although you might want to fall back on testing a larger range if it fails.
b) The second method I don't understand at all: using TRY_KEYS, you just chop all the likely keys by only taking 10 keys from the sorted array of keys you got from step 1, and test these keys by communicating with the tag.
If this fails you simply try again? For 'probes' times?
- Given the correctness of the previous 2 points, I would assume getting more nonces and eliminating the keys on a crypto basis could benefit this code a lot.
- And finally, could you explain your reasoning for calling it "offline cracker"? Seems to me like that's a misnomer, or at least too vague.
PS: it seems like there is a crapto2.5 today too. Free code galore.
Last edited by hat (2009-10-29 14:23:32)
Offline
Thanks for the tip!
hmmm...
In file included from qrapto1.cxx:24:
qrapto1.h:22:24: error: ui_qrapto1.h: No such file or directory
Offline
Hey,
Nice!
BTW, mifaretag.h is also missing from the default libnfc install...libnfc/src/examples/mifaretag.h needs to be manually copied to your local .../include/libnfc directory (or libnfc needs tweaking to auto-install it)
Fixed in r157.
Feel free to report libnfc issues at: http://code.google.com/p/libnfc/issues
Thanks.
Offline
Thanks for the tip!
hmmm...
In file included from qrapto1.cxx:24:
qrapto1.h:22:24: error: ui_qrapto1.h: No such file or directory
I don't want to go off topic too much, but that header file is automatically generated from the .ui file, if you do it right.
BTW, looking at the code more closely, it seems like it might be sorting them in a way that makes it test the most likely TRY_KEYS, so I guess it makes sense. Though I think getting more nonces might still be the right road to take.
Offline
Ah, OK.... thanks...
qmake-qt4 qrapto1.pro
FTW!
Offline
EXCELLENT!
Thank you
Offline
Is there a Windows version of mfoc available?
With VS2008 I can't compile the source.
thx
EDIT:
I got the source running under Windows, but I have problems with copying the given key argument in case 'k':
How do I copy the given parameter to a byte array?
option_t *optList, *thisOpt;

/* get list of command line options and their arguments */
optList = NULL;
optList = GetOptList(argc, argv, "hD:s:BP:T:S:O:k:t:");

/* display results of parsing */
while (optList != NULL)
{
    thisOpt = optList;
    optList = optList->next;

    switch (thisOpt->option) {
    case 'P':
        // Number of probes
        if (!(probes = atoi(thisOpt->argument)) || probes < 1) {
            fprintf(stderr, "The number of probes must be a positive number\n");
            exit(1);
        }
        // fprintf(stdout, "Number of probes: %d\n", probes);
        break;
    case 'T':
        // Nonce tolerance range
        if (!(d.tolerance = atoi(thisOpt->argument)) || d.tolerance < 0) {
            fprintf(stderr, "The nonce distances range must be a zero or a positive number\n");
            exit(1);
        }
        // fprintf(stdout, "Tolerance number: %d\n", probes);
        break;
    case 'k':
        // Add this key to the default keys list
        if ((defKey = calloc(6, sizeof(byte_t))) == NULL) {
            fprintf(stderr, "Cannot allocate memory for defKey\n");
            exit(1);
        } else {
            //bzero(defKey, 6);
            num_to_bytes(strtol(thisOpt->argument, NULL, 16), 6, defKey);
            memcpy(defaultKeys[0], defKey, 6);
        }
        fprintf(stdout, "The custom key 0x%012llx has been added to the default keys\n", bytes_to_num(defKey, 6));
        break;
    // case 'B':
    //     // Dump B keys instead of Keys 'A'
    //     dumpKeysA = false;
    //     break;
    case 'O':
        // File output
        if (!(pfDump = fopen(thisOpt->argument, "wb"))) {
            fprintf(stderr, "Cannot open: %s, exiting\n", thisOpt->argument);
            exit(1);
        }
        // fprintf(stdout, "Output file: %s\n", optarg);
        break;
    case 'h':
        usage(stdout, 0);
        break;
    default:
        usage(stderr, 1);
        break;
    }
    free(thisOpt); /* done with this item, free it */
}
FreeOptList(optList); /* free the rest of the list */
Last edited by schwa226 (2009-11-23 19:17:58)
Offline
Hi schwa226,
First, regarding MFOC on Windows.
With VS2008 I can't compile the source.
Since it uses getopt(), and getopt() is not ANSI, the following getopt() alternatives are possible for WIN32:
- xgetopt - http://www.codeproject.com/KB/cpp/xgetopt.aspx
- gnu.getopt.dll - http://getopt.codeplex.com/ (If anyone can provide steps to incorporate it into any Win32 C command-line executable, please let me know)
- ANSI C Command Line Option Parsing Library - http://michael.dipperstein.com/optlist/index.html
I think guys at Nethemba are already taking care of this.
Second, regarding:
How do I copy the given parameter to a byte array?
Doesn't this code (present in MFOC) answer your question:
memcpy(defaultKeys[0], defKey, 6);
Thanks,
zveriu
http://andreicostin.com
http://code.google.com/p/tk-libnfc-crapto1/
Offline
thx
The code above for command-line argument parsing is from the site of Michael Dipperstein.
I had problems with this line:
num_to_bytes(strtol(thisOpt->argument, NULL, 16), 6, defKey);
Because thisOpt->argument is a char*. The function num_to_bytes needs a uint64_t.
If I used it in this way I got, for example with the key A0A1A2A3A4A5: ...added Key 0x0007fffff to list....
Didn't work!
So I used sscanf first to make a uint64_t of the parameter and then the num_to_bytes function.
The result is now: ...added Key 0xA0A1A2A3A4A5 to list...
Offline
strtoll() seems to work fine also
Offline
since it's uint64_t, roel meant to say strtoull ^^
Offline
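A portable version of the key parsing discussed in the posts above, written as an added example (it is not mfoc's code): parse_mfc_key, mfc_key_to_num and key_parses_to are names chosen here, modelled on mfoc's num_to_bytes/bytes_to_num, and the code validates the input length and uses strtoull instead of strtol.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a 12-hex-digit MIFARE Classic key ("A0A1A2A3A4A5") into 6 bytes,
 * most significant byte first (the layout num_to_bytes produces).
 * Returns 0 on success, -1 on malformed input. strtoull is used because a
 * 48-bit key does not fit a 32-bit long: there strtol() saturates at
 * LONG_MAX (0x7fffffff), giving the bogus key value seen in this thread. */
int parse_mfc_key(const char *hex, uint8_t key[6])
{
    unsigned long long val;
    char *end;
    size_t i;

    if (hex == NULL || strlen(hex) != 12)
        return -1;
    for (i = 0; i < 12; i++)
        if (!isxdigit((unsigned char)hex[i]))
            return -1;

    errno = 0;
    val = strtoull(hex, &end, 16);
    if (errno != 0 || *end != '\0')
        return -1;

    for (i = 0; i < 6; i++)
        key[i] = (uint8_t)(val >> (8 * (5 - i)));
    return 0;
}

/* Inverse of the split above, like bytes_to_num(defKey, 6). */
uint64_t mfc_key_to_num(const uint8_t key[6])
{
    uint64_t n = 0;
    for (int i = 0; i < 6; i++)
        n = (n << 8) | key[i];
    return n;
}

/* 1 if hex parses and round-trips to expect, 0 if rejected or mismatched. */
int key_parses_to(const char *hex, uint64_t expect)
{
    uint8_t key[6];
    return parse_mfc_key(hex, key) == 0 && mfc_key_to_num(key) == expect;
}
```

key_parses_to("A0A1A2A3A4A5", 0xA0A1A2A3A4A5ULL) returns 1, while a 10-digit or 14-digit string is rejected rather than silently truncated.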
the 'u' is expensive nowadays
Offline
I doubt roel et al. changed their policy on not publishing any tool support, but who knows.. it's that time of year.
Anyway, even if they did, it's going to be extremely hard to implement mfoc in a Qt project file. Then again, he is known to pull off a little trick or two.
i challenge thee ;-)
Offline
I can't compile the source code on Windows, crapto and mfoc..
I do not know how to work with Linux. I have Ubuntu but I don't know the command lines.
Can someone help me?...
Offline
Have you downloaded and extracted the latest ProxSpace? It has a whole POSIX environment and gcc compiler all set up for you to use under Windows.
Offline
Hi there,
Would you post a compiled MFOC running under Windows? Thank you!
Best regards, Andy
Offline
That sounds like a "cracking for dummies" request.
Offline
I'm using MFOC under Ubuntu, but it would be nice to use it under Windows too.
Offline
To make this work with the latest libnfc, you have to change all references to $LIBNFC/local/include/libnfc/libnfc.h and $LIBNFC/include/libnfc/defines.h in configure and configure.ac to the actual path /usr/local/include/nfc/nfc.h. Additionally, just remove the defines.h references, as defines.h is no longer used.
Offline
I got my PM3 today, and just started playing with it (updating the firmware + playing with "hf 14a snoop/info/etc")... I think I am ready to go test the Mifare Classic 1K attack (crapto) on a reader of the local transportation system, but it seems risky... you know?
Reading this post... does that code (mfoc) work with the PM3? Or just with NXP-based (or other) readers?
Last edited by albertoparis (2010-05-06 13:35:23)
Offline
Only other readers. Go to the libnfc page; there is an implemented method.
Offline
OK, Thanks.
I guess I will be getting some Touchatag readers/cards next month, when I travel to the US... Thank you again...
Just a question: what do the NXP chip/implementation or libnfc have that allows them to do the offline attack, that the PM3 doesn't?
Last edited by albertoparis (2010-05-10 23:38:31)
Offline