This article is for technical exchange only; do not use it for illegal activities.
WeChat official account: 上古的碑
I share all kinds of technical material on the account, come and have a look!
1. Tools needed:
- Raspberry Pi:
I use a Raspberry Pi 3B. The Pi 4 is already out, so a used 3B from a second-hand marketplace is cheap. You also need an 8 GB or larger SD card to flash an OS so the Pi can boot.
- PN532:
When buying, check whether the header pins are pre-soldered. If they are not and you have the tools, solder them yourself when the board arrives; if you have no soldering tools, ask the seller to do it, which may cost extra.
Note that I connect the PN532 to the Raspberry Pi over I2C, so the two DIP switches in the corner of the PN532 must be set to 1 0 (I2C mode). See the picture below if you are unsure.
Use Dupont (jumper) wires to connect the PN532 to the Raspberry Pi as follows:
VCC <==> 5V
GND <==> GND
SDA <==> SDA.1
SCL <==> SCL.1
Raspberry Pi pinout diagram:
2. Installation
First update the system:
sudo apt update
sudo apt upgrade
Enable I2C (if you are not running the official Raspbian, use this method):
sudo nano /boot/config.txt
Remove the # in front of dtparam=i2c_arm=on, then reboot the Raspberry Pi.
After the reboot a new entry, i2c-1, appears under /dev.
If you are running the official Raspbian:
sudo raspi-config
brings up the configuration menu. Go to item 5, Interfacing Options, select I2C, and choose Yes.
Install the dependencies:
sudo apt install libusb-dev libpcsclite-dev automake autoconf gcc make libsysfs-dev libtool pkg-config
Build and install libnfc:
wget https://github.com/nfc-tools/libnfc/releases/download/libnfc-1.7.1/libnfc-1.7.1.tar.bz2
tar -xf libnfc-1.7.1.tar.bz2
cd libnfc-1.7.1
./configure --prefix=/usr --sysconfdir=/etc
make
sudo make install
Add the configuration:
sudo mkdir /etc/nfc
sudo nano /etc/nfc/libnfc.conf
Add the following to libnfc.conf:
allow_autoscan = true
allow_intrusive_scan = false
log_level = 1
device.name = "Itead_PN532_I2C"
device.connstring = "pn532_i2c:/dev/i2c-1"
Build and install mfoc (mfoc recovers the keys and dumps the card data to a file):
git clone https://github.com/nfc-tools/mfoc.git
cd mfoc
autoheader && aclocal && automake --add-missing && automake && autoconf && autoreconf -is
./configure
make
sudo make install
Build and install mfcuk (mfcuk is for cracking "fully encrypted" cards, i.e. cards on which no sector uses a default key):
git clone https://github.com/nfc-tools/mfcuk.git
cd mfcuk
autoheader && aclocal && automake --add-missing && automake && autoconf && autoreconf -is
./configure
make
sudo make install
3. Testing
Type at the command line:
nfc-list
If the connection is working, the output should look like this:
nfc-list uses libnfc 1.7.1
NFC device: pn532_i2c:/dev/i2c-1 opened
Place an M1 card on the reader and run it again; the output should then look like this:
nfc-list uses libnfc 1.7.1
NFC device: pn532_i2c:/dev/i2c-1 opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): 4a 07 ce 23
SAK (SEL_RES): 08
4. Usage: reading data from the card:
Typing the following at the command line prints the help:
mfoc -h
mfcuk -h
Commonly used mfoc parameters:
-h  print the help and exit
-k  try the specified key in addition to the default keys
-f  try the keys read from a file in addition to the default keys
-O  file name to save the dump to
Type at the command line:
mfcuk -C -R 0
A few WARN lines will be shown:
WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_skgt.mfd'
WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_ratb.mfd'
WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_oyster.mfd'
These can be ignored; the full output looks like this:
mfcuk - 0.3.8
Mifare Classic DarkSide Key Recovery Tool - 0.3
by Andrei Costin, [email protected], http://andreicostin.com
WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_skgt.mfd'
WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_ratb.mfd'
WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_oyster.mfd'
INFO: Connected to NFC reader: pn532_i2c:/dev/i2c-1
VERIFY:
Key A sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f
Key B sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f
RECOVER: 0
Now wait patiently; it normally takes half an hour to an hour.
When the screen shows:
INFO: block 3 recovered KEY: 6fa6d98907a6
the key recovery has succeeded.
If the card's sectors use different keys, don't worry: once mfoc knows the key of one sector it can recover the keys of the other sectors automatically.
Next, type at the command line:
mfoc -k 6fa6d98907a6 -O mycard.mfd
If the key is correct the output looks like this:
The custom key 0x6fa6d98907a6 has been added to the default keys
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
* UID size: single
* bit frame anticollision supported
UID (NFCID1): 52 ba 1d 23
SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:
Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: 6fa6d98907a6] -> [xxxxx.xxxxx.xxxx]
If some sectors of the M1 card use a different key, the output shows Unknown Key A / Unknown Key B for them, like this:
Sector 00 - Found Key A: 6fa6d98907a6 Found Key B: bb0127fc5600
Sector 01 - Found Key A: 6fa6d98907a6 Found Key B: bb0127fc5600
Sector 02 - Found Key A: 6fa6d98907a6 Found Key B: bb0127fc5600
Sector 03 - Found Key A: 6fa6d98907a6 Found Key B: bb0127fc5600
Sector 04 - Found Key A: 6fa6d98907a6 Found Key B: bb0127fc5600
Sector 05 - Unknown Key A Unknown Key B
Sector 06 - Found Key A: 6fa6d98907a6 Found Key B: bb0127fc5600
Sector 07 - Found Key A: 6fa6d98907a6 Found Key B: bb0127fc5600
Sector 08 - Found Key A: 6fa6d98907a6 Found Key B: bb0127fc5600
Sector 09 - Found Key A: 6fa6d98907a6 Found Key B: bb0127fc5600
Sector 10 - Found Key A: 6fa6d98907a6 Found Key B: bb0127fc5600
Sector 11 - Unknown Key A Unknown Key B
Sector 12 - Found Key A: 6fa6d98907a6 Found Key B: bb0127fc5600
Sector 13 - Found Key A: 6fa6d98907a6 Found Key B: bb0127fc5600
Sector 14 - Found Key A: 6fa6d98907a6 Found Key B: bb0127fc5600
Sector 15 - Found Key A: 6fa6d98907a6 Found Key B: bb0127fc5600
mfoc then recovers the keys of the unknown sectors on its own:
Using sector 00 as an exploit sector
Sector: 5, type A, probe 0, distance 32 .....
Found Key: A [ce41f3012b2a]
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Sector: 11, type A, probe 0, distance 32 .....
Found Key: A [6fa6d7290776]
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Sector: 5, type B, probe 0, distance 32 .....
Found Key: B [531771d94a54]
Sector: 11, type B, probe 0, distance 32 .....
Found Key: B [69c2d2312608]
Auth with all sectors succeeded, dumping keys to a file!
Once all the sector keys are known, the sector data is read and saved in the current directory under the file name given with -O. The data obtained is in hexadecimal form.
Use hexdump to view the data.
Use hexedit to modify the data.
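The .mfd file written by mfoc is simply the raw card memory, so it can be audited from the card owner's side. The following is an added Python example (not part of libnfc, mfoc or this article): it walks the sector trailers of a 1K dump, flags keys that are still factory defaults, and checks that each trailer's access bits are internally consistent (they are stored twice, once inverted, and an inconsistent trailer written back to a real card locks that sector for good). The dump bytes and the key list are constructed for the demo.

```python
"""Audit a MIFARE Classic 1K dump (.mfd, 1024 raw bytes) for factory-default
keys and malformed access bits. Added example, not part of libnfc or mfoc."""

BLOCK = 16
SECTORS = 16          # 1K card: 16 sectors x 4 blocks x 16 bytes
# Widely published transport keys (assumption: a short owner-side check list;
# mfoc's built-in default key list is longer).
DEFAULT_KEYS = {"ffffffffffff", "000000000000", "a0a1a2a3a4a5", "d3f7d3f7d3f7"}


def parse_trailer(block: bytes) -> dict:
    """Split a 16-byte sector trailer: bytes 0-5 Key A, 6-9 access bits,
    10-15 Key B. The access nibbles C1..C3 are stored plain and inverted;
    a mismatch means a corrupt (or badly hand-edited) trailer."""
    if len(block) != BLOCK:
        raise ValueError("trailer must be 16 bytes")
    b6, b7, b8 = block[6], block[7], block[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    ok = ((~b6 & 0x0F) == c1 and ((~b6 >> 4) & 0x0F) == c2
          and (~b7 & 0x0F) == c3)
    return {"key_a": block[:6].hex(), "key_b": block[10:].hex(),
            "c1": c1, "c2": c2, "c3": c3, "access_bits_ok": ok}


def audit_dump(dump: bytes) -> list:
    """One finding per sector: keys, whether they are factory defaults,
    and whether the access bits are internally consistent."""
    if len(dump) != SECTORS * 4 * BLOCK:
        raise ValueError("expected a 1024-byte MIFARE Classic 1K dump")
    findings = []
    for s in range(SECTORS):
        start = (s * 4 + 3) * BLOCK              # block 3 of each sector
        t = parse_trailer(dump[start:start + BLOCK])
        t["sector"] = s
        t["default_key_a"] = t["key_a"] in DEFAULT_KEYS
        t["default_key_b"] = t["key_b"] in DEFAULT_KEYS
        findings.append(t)
    return findings


def sample_dump() -> bytes:
    """Constructed dump: transport access bits (ff 07 80) and the factory key
    everywhere except sector 5, plus one corrupted access byte in sector 11."""
    out = b""
    for s in range(SECTORS):
        key = bytes.fromhex("1234567890ab" if s == 5 else "ffffffffffff")
        acc = b"\xff\x06\x80\x69" if s == 11 else b"\xff\x07\x80\x69"
        out += bytes(3 * BLOCK) + key + acc + key
    return out
```

Run it on a real dump with `audit_dump(open("mycard.mfd", "rb").read())`; any sector reporting a default key or access_bits_ok == False is the one to look at before trusting or rewriting the card.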
5. Usage: writing data to a card:
- UID card:
All blocks can be rewritten and the card ID can be changed, but only with the backdoor command; the ID can be changed repeatedly, and such cards can be detected by machines that use the backdoor command to check for clones.
nfc-mfclassic W a mycard_change.mfd
On success the output is:
NFC reader: pn532_i2c:/dev/i2c-1 opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): 52 ba 1d 23
SAK (SEL_RES): 08
Guessing size: seems to be a 1024-byte card
Sent bits: 50 00 57 cd
Sent bits: 40 (7 bits)
Received bits: a (4 bits)
Sent bits: 43
Received bits: 0a
Writing 64 blocks |................................................................|
Done, 64 of 64 blocks written.
- CUID card:
All blocks can be rewritten, and the card ID can be changed with ordinary write commands; the ID can be changed repeatedly and is not easily detected by anti-clone systems. nfc-mfclassic does not support writing a whole dump file directly to a CUID card. Not covered here.
- FUID/FCUID cards:
These cards require special commands. Not covered here.
- Ordinary M1 card:
nfc-mfclassic w a new_mycard.mfd mycard.mfd
# new_mycard.mfd is the modified mfd file; mycard.mfd supplies the keys for authentication
On success the output is:
NFC reader: pn532_i2c:/dev/i2c-1 opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): 5a a4 cf 1c
SAK (SEL_RES): 08
Guessing size: seems to be a 1024-byte card
Writing 64 blocks |...............................................................|
Done, 63 of 64 blocks written.