1 (edited by sine 2009-10-29 01:55:37)

Topic: Mifare Classic Offline Cracker

Hello,

we have implemented and released our open source implementation of the "offline nested" attack, tested on Mac OS X and Linux. You can try it here: http://www.nethemba.com/mfoc.tar.bz2

Feel free to provide any feedback, ideas and bug reports. Thanks.

Re: Mifare Classic Offline Cracker

Hello,

sine wrote:

we have implemented and released our open source implementation of the "offline nested" attack, tested on Mac OS X and Linux. You can try it here: http://www.nethemba.com/mfoc.tar.bz2

Nice job! But better than "our open source implementation": it is your Free/Libre implementation (under GPLv2)!

sine wrote:

Feel free to provide any feedback, ideas and bug reports. Thanks.

* First, maybe you should release the archive produced using "make dist" or better "make distcheck" instead of compressing the whole directory (with svn files).

* About subversion, you don't need to put "aclocal.m4", "config.h", "config.h.in", "configure" and "Makefile.in" under VCS; these files are generated using the usual autogen.sh (sometimes named bootstrap.sh).
Note: if you don't have this file look in libnfc's development repository.

* In configure.ac, you wrote "AC_PREREQ([2.63])" but as far as I can see, you don't need version 2.63; it works fine with 2.61 (the version present in Debian Lenny).

* In src/mfoc.c (function "usage"), you should use the information provided by autotools (in the generated config.h) like PACKAGE_STRING.
i.e. instead of

fprintf(stream, "%s, version 0.03\n\n", "mfoc");

you can write

#include "../config.h"
...
fprintf(stream, "%s\n\n", PACKAGE_STRING);

Of course, you need to correctly set up "configure.ac" on each release, i.e. for version 0.03:

AC_INIT([mfoc], [0.03], [mifare@nethemba.com])

* In "configure.ac", the following lines

AC_SUBST(DEPS_CFLAGS)
AC_SUBST(DEPS_LIBS)

should be replaced by

AC_SUBST(LIBNFC_CFLAGS)
AC_SUBST(LIBNFC_LIBS)

because you previously used:

PKG_CHECK_MODULES(LIBNFC, libnfc, [WITH_LIBNFC="1"], [WITH_LIBNFC="0"])

but not

PKG_CHECK_MODULES(DEPS, libnfc, [WITH_LIBNFC="1"], [WITH_LIBNFC="0"])

And you can use these values in "src/Makefile.am", instead of the hardcoded path "-I/usr/local/...":

bin_PROGRAMS = mfoc

# set the include path found by configure
INCLUDES =  $(all_includes)

AM_CFLAGS = @LIBNFC_CFLAGS@
AM_LDFLAGS = @LIBNFC_LIBS@

mfoc_SOURCES = mfoc.c crapto1.c crypto1.c

Hope it helps.

Romuald Conty

Re: Mifare Classic Offline Cracker

Very interesting

Do you think we need to take care of this problem Romuald?

Re: Mifare Classic Offline Cracker

roel wrote:

Very interesting

Do you think we need to take care of this problem Romuald?

Fixed in r157.

Romuald Conty

Re: Mifare Classic Offline Cracker

Hello,
just to let everyone know, I've rewritten mfoc's code to be compatible with libnfc 1.3.3.

The new tarball is available here (for the time being, hope it will get updated also in the tarball released by nethemba):
http://code.google.com/p/micmd/downloads/list

Re: Mifare Classic Offline Cracker

Hello
With Debian and libnfc r318 I try to compile mfoc-new.tar but I get "Error! You need to have libnfc >= 1.2.1."

Re: Mifare Classic Offline Cracker

Hello,
by default, the configure script checks for the presence of nfc.h and nfc-types.h in /usr/local/include/nfc
Are you sure those files are placed there? You can try the following things:
- don't launch ./configure, launch ./autogen.sh instead
- use --with-libnfc=/path-to-libnfc as an argument to the configure script

Re: Mifare Classic Offline Cracker

Thanks for your reply
I did ./autogen.sh --with-libnfc=/usr and ./configure --prefix=/usr --with-libnfc=/usr and mfoc compiles OK (good work!)

Do you have any documentation on how to use mfoc?

Regards

Re: Mifare Classic Offline Cracker

MFOC is a utility to compute (crack) all keys (A and B) of all sectors, provided at least one of the keys is already known.
Use is pretty simple: plug the reader into a USB port, place the Mifare Classic card on the reader and run the following command:

mfoc -O /path/to/.keys/file

The .keys file is the file where mfoc will store the cracked keys (the format of that file is compatible with nfc-mfclassic, so you can then use it to dump the card to a file, or vice versa, write a dump onto the card).

You can also use the -k key parameter to add a key to the list of known keys, which is tried against your card in the initial phase. (However, the -k option somehow didn't work for me, so I always compile my known keys directly into mfoc.)

10 (edited by 0blar 2010-03-14 17:44:10)

Re: Mifare Classic Offline Cracker

Thanks for your reply

I saw the usage of mfoc when I did mfoc -h.
What I mean by documentation is: how do I get one key of a Mifare card when I don't know it?
I have a Mifare card which is used for making photocopies but I don't know the key used; my question is, what is the procedure to get it?

This is the result when I use the mfoc -O test command with a blank card:

Sector 00 -  UNKNOWN_KEY [A]  Sector 00 -  UNKNOWN_KEY (B)
.....
Sector 15 -  UNKNOWN_KEY [A]  Sector 15 -  UNKNOWN_KEY (B)

No sector encrypted with the default key has been found, exiting.


But when I use the Mifare card for photocopying, I get:
.....
.....
Sector 00 -  FOUND_KEY   [A]  Sector 00 -  UNKNOWN_KEY (B)
.....
Sector 15 -  UNKNOWN_KEY [A]  Sector 15 -  UNKNOWN_KEY (B)

Using sector 00 as an exploit sector
.....
....
TX: ff  00  00  00  04  d4  06  63  05
..... 
TX: ff  00  00  00  04  d4  4a  01  00

!Error: tag has been removed

Any idea what happened? (The tag is on top of the reader.)

Regards

Re: Mifare Classic Offline Cracker

Any help?

Re: Mifare Classic Offline Cracker

Are you using an ACR122?

Regards.

Re: Mifare Classic Offline Cracker

Yes.

14 (edited by Baquinjam Palas 2010-03-17 17:57:21)

Re: Mifare Classic Offline Cracker

So, maybe it is the firmware version of your ACR122; some versions are not compatible. The same error, "tag has been removed", appears with my ACR122.

Try with touchatag.

Regards.

Re: Mifare Classic Offline Cracker

Has anyone used a Snapper Feeder dongle with MFOC?

I get a "Reader-answer transfer error, exiting.." after it finds the key to use.

The latest version posted above doesn't seem to have the 0xfffff default key defined either.

16 (edited by Baquinjam Palas 2010-03-29 18:51:39)

Re: Mifare Classic Offline Cracker

Some ACR122s don't run with mfoc. I think it's a question of firmware version.

ACR122U205 - PN532 v1.4 (0x07).

With this reader the error named in the reply above appears.


ACR122U102 - PN532 v1.4 (0x07) (TOUCHATAG).

With this one, the same compiled mfoc code works perfectly.

I'm not quite sure, but I think that the touchatag version is always 102.

Regards.

Re: Mifare Classic Offline Cracker

I have an ACR122 with P/N ACR122U-WB-R and it doesn't work either.

18 (edited by *dudux 2010-03-29 21:29:00)

Re: Mifare Classic Offline Cracker

0blar wrote:

I have an ACR122 with P/N ACR122U-WB-R and it doesn't work either.

Which mfoc version?

developing the future!

Re: Mifare Classic Offline Cracker

I use mfoc-new.tar posted on March 13 from http://code.google.com/p/micmd/downloads/list (with libnfc r318).

Re: Mifare Classic Offline Cracker

Have you tested the package from www.nethemba.com (version 0.8)?
Because you are working with the old version (0.7).

developing the future!

Re: Mifare Classic Offline Cracker

Hi
I just tested the 0.08 version with the following command, ./autogen.sh --with-libnfc=/usr, and I get:

checking /usr/include/libnfc/libnfc.h usability... no
checking /usr/include/libnfc/libnfc.h presence... no
checking for /usr/include/libnfc/libnfc.h... no
Error! You need to have libnfc >= 1.2.1.

I didn't have this problem with the version of March 13.

Any idea?

Re: Mifare Classic Offline Cracker

Hi
I put the src folder of the 0.08 version into the first folder and I successfully compiled the latest version:
mfoc -h
mfoc 0.08
...
(ACS ACR122U 00 00 / ACR122U203 - PN532 v1.4 (0x07)=

I use the mfoc -O test command with a blank card and it is OK.
When I use the same command with a non-blank card, I have the same issue:
TX: ff  00  00  00  04  d4  06  63  05 
TX: ff  00  00  00  05  d4  08  63  05  40 
TX: ff  00  00  00  04  d4  32  01  00 
TX: ff  00  00  00  06  d4  32  05  00  00  00 
TX: ff  00  00  00  04  d4  06  63  02 
TX: ff  00  00  00  05  d4  08  63  02  b7 
TX: ff  00  00  00  04  d4  06  63  0d 
TX: ff  00  00  00  05  d4  08  63  0d  00 
TX: ff  00  00  00  04  d4  32  01  01 
TX: ff  00  00  00  04  d4  4a  01  00
!Error: tag has been removed

Any idea?

Re: Mifare Classic Offline Cracker

I have both ACR122U104 and ACR122U203. I tested MFOC with both versions: ACR122U104 has no errors at all, but ACR122U203 has the error "tag has been removed". But if you try MFOC a second time with ACR122U203 (without unplugging the USB), it works.

Re: Mifare Classic Offline Cracker

Hello,

I was able to recover all keys of the card with mfoc version 0.0.8 and an SCM SCL3711.
I recognized a problem:

If I enter the option -k 536943633031, the key isn't right inside the default key table.
This is because of the function strtol (or strtoul), because long int (or unsigned long int) is only 32 bit ....

Any ideas?

Thank you
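An added example, not mfoc's own code, of the -k parsing problem described above: one strtol() over the 12 hex digits overflows where long is 32 bits, while converting one byte at a time is portable. The function names and the error-value convention are my own.

```c
/* Added example, not mfoc's own code: parse a 48-bit MIFARE Classic key given
 * as 12 hex digits (e.g. "-k 536943633031"). strtol()/strtoul() return a long,
 * which is 32 bits on many platforms, so the value is clamped to LONG_MAX/ULONG_MAX
 * with errno == ERANGE and the key is wrong. Converting one byte at a time is portable. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* The pattern the post describes: one strtol over the whole string. */
long key_via_strtol(const char *hex)
{
    errno = 0;
    return strtol(hex, NULL, 16); /* LONG_MAX and ERANGE where long is 32 bits */
}

/* Portable parse: exactly 12 hex digits, one byte per pair.
 * Returns 0 and fills key[] on success, -1 on malformed input. */
int parse_mifare_key(const char *hex, uint8_t key[6])
{
    if (hex == NULL || strlen(hex) != 12)
        return -1;
    for (int i = 0; i < 6; i++) {
        char pair[3] = { hex[2 * i], hex[2 * i + 1], '\0' };
        if (!isxdigit((unsigned char)pair[0]) || !isxdigit((unsigned char)pair[1]))
            return -1;
        key[i] = (uint8_t)strtoul(pair, NULL, 16); /* two digits always fit */
    }
    return 0;
}

/* Key as a 64-bit integer for table lookup, or UINT64_MAX on error
 * (a valid key is at most 48 bits, so it can never equal UINT64_MAX). */
uint64_t parse_key_or_max(const char *hex)
{
    uint8_t key[6];
    uint64_t v = 0;
    if (parse_mifare_key(hex, key) != 0)
        return UINT64_MAX;
    for (int i = 0; i < 6; i++)
        v = (v << 8) | key[i];
    return v;
}

int main(void)
{
    const char *arg = "536943633031"; /* the key from the post above */
    printf("%zu-bit long: strtol=0x%lx, byte-wise=0x%012llx\n", sizeof(long) * 8,
           key_via_strtol(arg), (unsigned long long)parse_key_or_max(arg));
    return 0;
}
```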

25 (edited by mcore 2010-04-21 18:36:59)

Re: Mifare Classic Offline Cracker

Hey,
I'm trying to make a copy of a Mifare Classic 4k card and got libnfc-1.3.4 and mfoc-0.7 (0.8 didn't compile right) working now with an ACR122U under Ubuntu.
But trying to get all the data of this card seems not to work. With mfoc I'm trying to make a backup/dump file of the card, but after more than an hour it said no success.

marc@ubuntu:~$ mfoc -O blaaa.mfd >blaaa.txt
DBG nfc.c:147: Autodetecting available devices using ACR122 driver.
DBG acr122.c:162: PCSC reports following device(s):
DBG acr122.c:167: - ACS ACR122U PICC Interface 00 00 (pos=0)
DBG nfc.c:151: Auto-connecting to ACS ACR122U PICC Interface 00 00 using ACR122 driver
DBG acr122.c:208: Connecting to ACS ACR122U PICC Interface 00 00
DBG nfc.c:176: [ACS ACR122U PICC Interface 00 00 / ACR122U206] has been claimed.
No success, maybe you should increase the probes
marc@ubuntu:~$

It created this blaaa.txt file: http://www.sendspace.com/file/ea8ozs
And increasing the probes doesn't work.
It found the UID and a key as you can see in the txt file, and then ends up in a loop that keeps trying to get more or something.
Does somebody know how to get the right dump file that I can write to another Mifare Classic card?

Thanks, Marc