Topic: Mifare Classic Key Recovery tool - "Dark Side" Attack

Hi all,

Please find the link to the initial version 0.1 of the Mifare Classic Key Recovery tool implementing the "Dark Side" Attack and somewhat stable tag fixation with the DropField+ConstantDelay technique.

http://code.google.com/p/tk-libnfc-crap … loads/list

Tested on 2 European cards and on 1 Taipei EasyCard - none had default/known keys.

After getting the key with this tool, the other keys were kindly provided by the Nested Attack from MFOC of Nethemba - these two tools should merge, I propose smile

"Dark Side" attack relies on lsfr_common_prefix() beauty-of-art from Crapto1 3.1
Tag nonce fixation is not 100% proof, so it is helped with a cache/lookup of most common tag nonces.

The source file's header gives all the information needed, as well as requirements for Crapto1 and libnfc.

Code is GPL2 - and btw feel free to use, feel free to contribute, feel free to cite, feel free to contact.

Hope it helps, though I must admit the source code and its implementation are not yet in their best shape smile.

Regards,
zveriu - http://andreicostin.com

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Hi, I have a touchatag reader and it's running with nfclib

guepardo mezcla # ./nfc-anticol

Connected to NFC reader: ACR122U102 - PN532 v1.4 (0x07)

R: 26
T: 04  00
R: 93  20
T: 4b  1f  09  5e  03
R: 93  70  4b  1f  09  5e  03  68  c9
T: 08  b6  dd
R: 50  00  57  cd

Found tag with UID: 4b1f095e

Now, I want to use this tool, but ....

guepardo mezcla # gcc zv_mf_dark_side-v0.1.c  -o mf
zv_mf_dark_side-v0.1.c:125:21: error: windows.h: No existe el fichero o el directorio
zv_mf_dark_side-v0.1.c: In function ‘main’:
zv_mf_dark_side-v0.1.c:560: error: too many arguments to function ‘nfc_connect’
guepardo mezcla #

developing the future!

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

The code seems to be for Windows "only" at the moment.
Are you using the current (SVN) version of libnfc?

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

roel wrote:

The code seems to be for Windows "only" at the moment.
Are you using the current (SVN) version of libnfc?

only for "windows"?¿?   :S

First, I install

$ wget http://libnfc.googlecode.com/files/libnfc-x.x.x.tar.gz
$ tar -xvzf libnfc-x.x.x.tar.gz

and then....

svn checkout http://tk-libnfc-crapto1.googlecode.com/svn/trunk/ tk-libnfc-crapto1-read-only

I will run it with Windows, but it is unfortunate that it does not work with Linux

Am I doing something wrong?
Sorry about my English

developing the future!

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

*dudux wrote:
roel wrote:

The code seems to be for Windows "only" at the moment.
Are you using the current (SVN) version of libnfc?

only for "windows"?¿?   :S

I will run it with Windows, but it is unfortunate that it does not work with Linux

Am I doing something wrong?
Sorry about my English

Hi *dudux,

Thanks for your interest in the sources. To answer shortly your questions:
1. For the sake of shortening the release time, the Windows version of the .c files was released, i.e. it is a version that uses the Sleep() function from windows.h. If you have MS Visual Studio 2005/2008, you can use it with the vs-2005 solution of libnfc

2. It absolutely works on Linux/Cygwin + gcc - just remove windows.h and use the sleep() function from stdlib.h, or keep both and write yourself a generic wrapper sleep function with #ifdef - plenty of options are available as you see, and there is no magic involved

3. In the near future, the code will be improved and packaged properly - so it will compile smoothly based on the configuration of the compiler

4. Please do not get desperate at first compiling errors - search engines and forums are your friend - you are not a script-kiddie, are you?

Best of luck and shout your questions in case of troubles.

Thanks

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

zveriu wrote:

1. For the sake of shortening the release time, the Windows version of the .c files was released, i.e. it is a version that uses the Sleep() function from windows.h. If you have MS Visual Studio 2005/2008, you can use it with the vs-2005 solution of libnfc

The following code should be a portable sleep (Windows, Mac OS X, Linux, BSD, etc.)

#include <stddef.h>     // NULL
#include <sys/select.h> // select(), struct timeval

// Set time-out on 30 milliseconds
const struct timeval timeout = {
  .tv_sec  =     0, // 0 seconds
  .tv_usec = 30000  // 30000 microseconds
};

void test(void)
{
  // Copy the constant on every call: select() may overwrite the timeval it is given
  struct timeval tv = timeout;
  select(0, NULL, NULL, NULL, &tv);
}

NOTE: do not trust the content of struct timeval tv after running the select() function!

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Thank you very much for making this project zveriu.

It needs just a few minor tweaks I guess to make it run on all platforms, but on Windows it seems to work fine smile
Though it is kind of confusing that it asks for a "key" and a "block"; the block I understand, but the key is going to be recovered, right? smile

8 (edited by *dudux 2009-11-15 21:45:54)

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Comment out this line

125 //#include "windows.h"

compile and ....

guepardo mezcla # gcc zv_mf_dark_side-v0.1.c -o DF
zv_mf_dark_side-v0.1.c: In function ‘main’:
zv_mf_dark_side-v0.1.c:560: error: too many arguments to function ‘nfc_connect’

Must I compile it as this line says?

Compiling:
   Linux/Cygwin
       gcc -o zv_mf_dark_side zv_mf_dark_side.c ./crapto1-v3.1/crapto1.c
           ./crapto1-v3.1/crypto1.c ./libnfc-v1.2.1/bin/libnfc.lib -lnfc
           -I./libnfc-v1.2.1/include -L./libnfc-v1.2.1/lib

Edit the source, but I don't know

// Try to open the NFC reader
pdi = nfc_connect(NULL);
developing the future!

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

roel wrote:

Thank you very much for making this project zveriu.

My pleasure to contribute to the open source community - hopefully it will not be used in abusive/illegal manners though (relying on the users' thoughtful actions!)

roel wrote:

It needs just a few minor tweaks I guess to make it run on all platforms, but on Windows it seems to work fine smile

Tweaks and improvements are on the way wink - just stay tuned for the toolkit to get its spin and dice rolling

roel wrote:

Though it is kind of confusing that it asks for a "key" and a "block"; the block I understand, but the key is going to be recovered, right? smile

Actually the history behind is like this - the sample code used as basis for this project (which is a code provided by you roel wink - thanks) required key and block (the auth example).

However, given what the tool is supposed to do, it makes the KEY parameter useless (at most optional, just to make a positive/negative test for authentication) as well as the BLOCK parameter optional - if a block parameter is supplied, that block will be used in the 60 xx AUTH command, otherwise a random/default block (e.g. block 0) will be used.

And yes, even if the key parameter is required (though not needed - just pass some bogus 12 hex digits), the real key for some sector is being successfully recovered - exactly what the tool is supposed to do.

All - please let me know improvements and features wish-list and I will check what I can incorporate and improve to make it worth all the time spent on this smile

NOTE: the tool still has some minor bugs, to be improved in version 0.2; specifically, some reported that this text comes in the logs and thus no key is recovered sometimes:

SUCCESS
Trying to recover the key
Press 1 to continue search of other keys...
Press anything else to exit...
At: 0d

Authentication Succesful

A quick-fix would be to find these lines of code and introduce the ones with comments below:

// If someone wonders why (i<(1<<20)) - this is the size of malloc() in lsfr_common_prefix(), so this is max number of states in the list
// List which is ZERO-terminated, i.e. both odd and even are zero when the list finishes
for (i = 0; (state) && ((state+i)->odd != 0 || (state+i)->even != 0) && (i < (1<<20)); i++)
{
    current_state = state + i;
    lfsr_rollback_word(current_state, uid ^ ptrFoundTagNonceEntry->tagNonce, 0);
    crypto1_get_lfsr(current_state, &key_recovered);
    printf("\nkey recovered: %012llx\n\n", key_recovered);
    flag_key_recovered = 1; // ADD THIS LINE, ALSO DECLARE VARIABLE AHEAD
}

crypto1_destroy(state);

// ADD THIS BLOCK
if (!flag_key_recovered)
{
    printf("{Nr} is not a DEADBEEF.... Need to find BEEF ALIVE!... Trying next one...\n");
    ptrFoundTagNonceEntry->spoofNrEnc++;
    ptrFoundTagNonceEntry->spoofArEnc = 0xFACECAFE;
    ptrFoundTagNonceEntry->spoofParBitsEnc = 0x0;

    // First we need to satisfy STAGE1
    ptrFoundTagNonceEntry->current_out_of_8 = -1;

    return false;
}

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

>> The following code should be a portable sleep (Windows, Mac OS X, Linux, BSD, etc.)

No, select() on Windows with *no* socket descriptors listed is an error. Use Sleep() to sleep on Win32.

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Hi all,

Version 0.2 is there. Should be no issues with portability. If better portability options are there, please advise and I will incorporate, however I have defined a wrapping sleep(x) macro which gets to Sleep() on WIN32 and select() on __STDC__ compilers. Seems to work and compile fine on both MSVS2005 and Cygwin.

http://code.google.com/p/tk-libnfc-crap … loads/list

Also included the 0xDEADBEEF {Nr} variation in case the key is not recoverable for 0xDEADBEEF.

For me it works fine on both Win and Cygwin. Some people reported having compiled on MacOS without big issues. Version 0.2 should pose no problems with compilation.

Working towards improvements for v0.3

Stay tuned

Have a nice and productive-sleepless night wink

Regards,
zveriu - http://andreicostin.com
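A wrapper of the kind described above (Sleep() on Win32, a three-NULL select() elsewhere, with a fresh timeval on every call because select() may overwrite it), added here as an illustration; it is not MFCUK's own code, and the names sleep_ms and measured_sleep_ms are assumed, not the toolkit's.

```c
/* Portable millisecond sleep; illustration only, not from the MFCUK sources. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <time.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/select.h>
#endif

/* Sleep for roughly `ms` milliseconds. Returns 0 on success, -1 on error.
 * On Win32, select() with no descriptors is an error, so Sleep() is used;
 * on POSIX, select() with three NULL sets and a timeout is a plain sleep. */
int sleep_ms(unsigned int ms)
{
#ifdef _WIN32
    Sleep(ms);
    return 0;
#else
    /* Build a fresh timeval each call: select() may modify it on return. */
    struct timeval tv;
    tv.tv_sec = ms / 1000;
    tv.tv_usec = (ms % 1000) * 1000;
    return select(0, NULL, NULL, NULL, &tv) < 0 ? -1 : 0;
#endif
}

/* Sleep for `ms` and return the elapsed wall-clock time in milliseconds
 * (monotonic clock, POSIX clock_gettime), or -1 if the sleep failed. */
long measured_sleep_ms(unsigned int ms)
{
    struct timespec start, end;
    clock_gettime(CLOCK_MONOTONIC, &start);
    if (sleep_ms(ms) != 0)
        return -1;
    clock_gettime(CLOCK_MONOTONIC, &end);
    return (end.tv_sec - start.tv_sec) * 1000L
         + (end.tv_nsec - start.tv_nsec) / 1000000L;
}

int main(void)
{
    printf("slept about %ld ms\n", measured_sleep_ms(30));
    return 0;
}
```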

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

I have exams this week; when I finish, I will return to the attack
Hope to "dump" a Mifare 1K

developing the future!

13 (edited by *dudux 2009-11-17 19:58:06)

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

The code is working in Windows with Cygwin and libnfc, but I want to use the code under Linux
I am testing it under Windows
However, I hope that version 0.3 works with Unix systems

Regards

developing the future!

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

It works perfectly under Linux/Mac!
Just needed a Makefile.

Check out:
http://code.google.com/p/tk-libnfc-crap … etail?id=1

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

roel wrote:

It works perfectly under Linux/Mac!
Just needed a Makefile.

Check out:
http://code.google.com/p/tk-libnfc-crap … etail?id=1

Perfect! I will try it immediately.

Thanks to roel and zveriu for help

Regards

developing the future!

16 (edited by *dudux 2009-11-21 13:08:54)

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Well, the key is recovered and then I use mfoc and I get more keys.
When I have a lot of keys, how do I dump the card? Because nfc-mftool isn't working for me

developing the future!

17 (edited by Likesmoke 2009-11-27 17:57:52)

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Connected to NFC reader: ACR122U102 - PN532 v1.4 (0x07)

root@ubuntu:~/Escritorio/zv_mf_dark_side# nfc-list
The following (NFC) ISO14443A tag was found:

    ATQA (SENS_RES): 00  04  
       UID (NFCID1): 95  3e  17  72  
      SAK (SEL_RES): 88  

Edit: Reason: stupid question ^^
INFO - 4-bit (uiRxLen=4) error code 0x5 encrypted (abtRx=0x02)

It works really well, thanks for this tool.

18 (edited by mifarre 2009-12-01 08:51:47)

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

I received a reader yesterday and finally it worked for me; I dumped a Mifare 1k with v0.2 and mfoc.. I'm trying now with v0.3 but it returns some errors after a long time trying

MFCUK - MiFare Classic Universal toolKit - 0.1
Mifare Classic DarkSide Key Recovery Tool - 0.3
by Andrei Costin, zveriu@gmail.com, http://andreicostin.com


INFO: Connected to NFC reader: ACR122U102 - PN532 v1.4 (0x07)


VERIFY: 
    Key A sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f
    Key B sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f

RECOVER:  0 1 2 3ERROR: mfcuk_key_recovery_block() (error code=0x03)
 4 5ERROR: mfcuk_key_recovery_block() (error code=0x03)
ERROR: mfcuk_key_recovery_block() (error code=0x03)
 6 7 8 9 a b c d e f

Really nice tool zveriu, thanks for releasing it as GPL!

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

I have the same error but in another sector

20 (edited by zveriu 2009-12-03 01:25:39)

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Hi,

1. This error is actually:

MFCUK_FAIL_CRAPTO and it is returned at line 630 of mfcuk_keyrecovery_darkside.c

What it actually means is that for the given sector (which is printed right before the word "ERROR" - in the example posted these are sectors 3, 5), and for a given tag_nonce (which is not printed), the {Nr} didn't produce a register state which is prone to the dark-side 29-bit prefix attack, i.e. a state which is "recoverable" to its origins/keys.

I might read these (though it is not exactly like this, but...) errors as: "The attack, as stated in the paper has 0.75 probability of success. Given you have 3 errors in 16 sectors, the non-success is less than 0.25, more precisely it is 0.1875"

Thus, this error is ignorable in the end.

2. I would suggest running the program as:

./mfcuk_keyrecovery_darkside -v 1 [yours_whatever_other_args] 2> errors.log | tee results.log

This will "clean" the output from the errors, which you can investigate later.

And yes, I know - timestamping of log output (both stdout/stderr) is a good idea, but didn't have time to incorporate - hope in the next version, though other things are in the queue right now smile

Thanks,
Andrei Costin - http://andreicostin.com

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Approximately how long does it take for the MFCUK to recover a key for example with

-R 1

option?

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Hi,

@whitewash - it usually takes 5 to 10 minutes.

However, notice the usually - since it is a probabilistic attack, it is not guaranteed that keys can be recovered in almost constant time. It would be nice if I had the knowledge to fingerprint a given card by its responses and, combined with the UID, to optimally choose {Nr} (and {Ar} perhaps) so that constant running times are assured. Having no knowledge of such a technique, I have to rely on sequentially chosen {Nr} (maybe a random pick would be better, but it would make tracking non-successfully tried {Nr}s more difficult).

Also, please note the "Known issues" in the source headers - i.e. make sure you have no big load on the CPU, since this CPU load exponentially (at least from my and JPS@UCLovain quick tests) increases the randomness of the tag nonces, thus breaking the tag-fixation assumption of the dark-side attack.

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Mine is calculating 20mins already... firstly I tried mfcuk -R 1, now it's running with mfcuk -R -1 .... still no result.

The keys are already known to me, I just want to test it.... did I do something wrong (forgot some argument on the command line) or is it because this card is especially "stubborn"?

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

try including this option for verbose output, otherwise it goes in silent mode smile

./mfcuk_keyrecovery_darkside -v 1

or

./mfcuk_keyrecovery_darkside -v 2

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

On my PC, I have needed up to several hours to get keys, depending on the tag chip. But they all eventually fold. Maybe (on Linux) you should try putting your PC in single user mode, no X or such processes?