Topic: mftool feature to read mifare card keys

Is anybody working on recognizing all keys using an NFC reader with brute-force cracking?
I'm trying to work on this.
Is it possible?

Re: mftool feature to read mifare card keys

Sorry, but I had to move this one. It is more about MIFARE Classic than it is about requesting a new NFC-related feature.

Do you mean searching the whole 48-bit key space (online)? This could take you ages.
Or are you saying that you want to search for a default key (or some other known keys) on a tag?

Re: mftool feature to read mifare card keys

Hi everyone!
One of the papers says:
"We assume that the attacker can control the power up timing of the tag, thereby causing the tag to produce the same nT (nonce sent by the tag) every time" (during the authentication protocol).

Does anyone know how to do it with libnfc?

Thanks a lot!

Re: mftool feature to read mifare card keys

It is possible to drop the field and power it up again. This will often give you the same nT.

For the nested authentication you could ask for a first nonce from a known-key sector, then roll into the next nonce for the same sector as fast as possible. Calculate the nonce-shift difference between the nonces. I suggest you do this a lot of times and take the most frequently occurring nonce-shift value.

Now authenticate again on the known-key sector and roll over to a different sector. "Guess" the nonce by shifting the old nonce to the most likely nonce you would expect and try to recover the key.

You'd better first get some (encrypted) next-nonce samples, so you can test your recovered key on them.
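Since the thread is about libnfc and C, here is an added C example (not code from the thread, libnfc or mftool) that models the 16-bit tag PRNG to show why the nonce-shift statistics described in the post above are stable at all: the tag's nonce sequence is a short LFSR, so any two nonces from it are a computable number of clocks apart, and the most common measured shift absorbs timing jitter. Assumptions: the feedback taps follow the published polynomial x^16 + x^14 + x^13 + x^11 + 1 with the state shifting right; nonces are modelled as the 16-bit LFSR state (the real 32-bit nT carries only those 16 bits of entropy); the start state and the jitter values in demo_shift() are constructed sample data.

```c
/* Added example: models the 16-bit nonce LFSR of a MIFARE Classic tag
 * to show why nonces are predictable. Not code from the thread, libnfc
 * or mftool. Tap positions are an assumption based on the published
 * polynomial x^16 + x^14 + x^13 + x^11 + 1 (state shifts right). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Advance the 16-bit LFSR by one clock. */
static uint16_t lfsr_step(uint16_t s)
{
    uint16_t fb = (uint16_t)((s ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1);
    return (uint16_t)((s >> 1) | (fb << 15));
}

/* Nonce the tag produces n clocks after state s. */
uint16_t nonce_successor(uint16_t s, unsigned n)
{
    while (n--)
        s = lfsr_step(s);
    return s;
}

/* Number of LFSR clocks from nonce a to nonce b, or -1 if b is not
 * reachable (state 0 is stuck). Only 2^16 states exist, so a linear
 * walk is cheap; this is the "nonce-shift difference" from the post. */
int nonce_distance(uint16_t a, uint16_t b)
{
    uint16_t s = a;
    for (int i = 0; i < 65536; i++) {
        if (s == b)
            return i;
        s = lfsr_step(s);
    }
    return -1;
}

/* Most frequent distance over (first, second) nonce pairs; pairs with
 * no reachable distance are ignored. Returns -1 if nothing was usable. */
int most_common_shift(uint16_t pairs[][2], size_t npairs)
{
    static unsigned hist[65536];
    memset(hist, 0, sizeof hist);
    int best = -1;
    unsigned best_count = 0;
    for (size_t i = 0; i < npairs; i++) {
        int d = nonce_distance(pairs[i][0], pairs[i][1]);
        if (d < 0)
            continue;
        if (++hist[d] > best_count) {
            best_count = hist[d];
            best = d;
        }
    }
    return best;
}

/* Constructed sample: a tag powered up from the same state each time
 * and asked for a second nonce about 160 clocks later, with a little
 * timing jitter on the reader side. Returns the most common shift. */
int demo_shift(void)
{
    uint16_t start = 0x1234; /* constructed start state */
    unsigned jitter[7] = {160, 160, 161, 160, 159, 160, 162};
    uint16_t pairs[7][2];
    for (int i = 0; i < 7; i++) {
        pairs[i][0] = start;
        pairs[i][1] = nonce_successor(start, jitter[i]);
    }
    return most_common_shift(pairs, 7);
}

int main(void)
{
    int shift = demo_shift();
    printf("most common nonce shift: %d\n", shift);
    printf("nonce expected next time: 0x%04x\n",
           nonce_successor(0x1234, (unsigned)shift));
    return 0;
}
```

The point for anyone still relying on MIFARE Classic is the size of that state space: with 2^16 possible nonces and a linear recurrence, a reader that controls power-up timing can measure the shift a few times and take the mode, exactly as the post describes, which is why the "random" nonce adds no protection and the tags should not guard anything valuable.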

Re: mftool feature to read mifare card keys

roel wrote:

It is possible to drop the field and power it up again. This will often give you the same nT.

For the nested authentication you could ask for a first nonce from a known-key sector, then roll into the next nonce for the same sector as fast as possible. Calculate the nonce-shift difference between the nonces. I suggest you do this a lot of times and take the most frequently occurring nonce-shift value.

Now authenticate again on the known-key sector and roll over to a different sector. "Guess" the nonce by shifting the old nonce to the most likely nonce you would expect and try to recover the key.

You'd better first get some (encrypted) next-nonce samples, so you can test your recovered key on them.

Thanks a lot for the response! That's what I'm trying to do. I stopped because I was in doubt about these nonces (it's quite difficult to catch the same one). Has someone actually posted code for something like this? I was just curious whether it is possible for a beginner in C like me to do this, and I would really appreciate any help.

Re: mftool feature to read mifare card keys

Hi roel, I don't mean searching the whole 48-bit key space. Maybe we could use an offline cracking method and the nested approach,
showing all keys in a short period of time...
It seems somebody is working on this...