Because I changed jobs I moved to a new residential compound, and with it came a new toy: the door access card.

As usual, the old routine.

First, identify the card type with the ACR122:

nfc-list
nfc-list uses libnfc 1.7.1
NFC device: ACR122U Smart Card Reader / opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): 1e aa 7b 55
SAK (SEL_RES): 08

Seeing ISO14443A with ATQA 00 04, my first guess is an M1 (MIFARE Classic) card.

Since I didn't know whether every sector was keyed (fully encrypted), I just threw mfoc at it:

mfoc -O xxx.dump

Found Mifare Classic 1k tag

ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
* UID size: single
* bit frame anticollision supported
UID (NFCID1): 1e aa 7b 55
SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
nfc_initiator_mifare_cmd: Invalid argument(s)
[Key: ffffffffffff] -> [#

Then it just stopped.
It is an M1 card, no doubt about that, so is this an incompatibility or what?
Surely it's not a CPU card... feels like I've run into a challenge...
Side note: the apartments in that compound are opened with this same card too.

Time for the Proxmark3.

Check the card information:

proxmark3> hf 14a reader

Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# Stopped

UID : 1e aa 7b 55
ATQA : 00 04
SAK : 08 [2]

TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO

Check whether any default keys are in use:

proxmark3> hf mf chk *1 ? t

No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 4d3a99c351dd
chk default key[ 6] 1a982c7e459a
chk default key[ 7] d3f7d3f7d3f7
chk default key[ 8] 714c5c886e97
chk default key[ 9] 587ee5f9350f
chk default key[10] a0478cc39091
chk default key[11] 533cb6c723f6
chk default key[12] 8fd0a4f256e9

--sector: 0, block: 3, key type:A, key count:13

Found valid key:[ffffffffffff]

--sector: 1, block: 7, key type:A, key count:13

--sector: 2, block: 11, key type:A, key count:13

...

Found valid key:[ffffffffffff]
--sector:10, block: 43, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:11, block: 47, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:12, block: 51, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:13, block: 55, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:14, block: 59, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:15, block: 63, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 0, block: 3, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 1, block: 7, key type:B, key count:13
--sector: 2, block: 11, key type:B, key count:13

...

Found valid key:[ffffffffffff]
--sector:10, block: 43, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:11, block: 47, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:12, block: 51, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:13, block: 55, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:14, block: 59, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:15, block: 63, key type:B, key count:13
Found valid key:[ffffffffffff]
Found keys have been transferred to the emulator memory

(Some of the output in the middle is omitted.)

Use the known key to probe the remaining sectors (nested attack):

proxmark3> hf mf nested 1 3 A FFFFFFFFFFFF d

Testing known keys. Sector count=16
nested...
-----------------------------------------------
uid:1eaa7b55 trgbl=4 trgkey=0
-----------------------------------------------
uid:1eaa7b55 trgbl=4 trgkey=1
-----------------------------------------------
uid:1eaa7b55 trgbl=8 trgkey=0

Found valid key:201604139999
-----------------------------------------------
uid:1eaa7b55 trgbl=8 trgkey=1

-----------------------------------------------
uid:1eaa7b55 trgbl=12 trgkey=0

Found valid key:201604139999

-----------------------------------------------
uid:1eaa7b55 trgbl=4 trgkey=0

Found valid key:abc6d5e4f3ba

-----------------------------------------------
uid:1eaa7b55 trgbl=4 trgkey=1

Found valid key:abc6d5e4f3ba

-----------------------------------------------
uid:1eaa7b55 trgbl=8 trgkey=1

-----------------------------------------------
uid:1eaa7b55 trgbl=16 trgkey=0

Found valid key:201604139999

-----------------------------------------------
uid:1eaa7b55 trgbl=16 trgkey=1
-----------------------------------------------
Time in nested: 30.536 (0.599 sec per key)
-----------------------------------------------
Iterations count: 51


|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| abc6d5e4f3ba | 1 | abc6d5e4f3ba | 1 |
|002| 201604139999 | 1 | 000000000000 | 0 |
|003| 201604139999 | 1 | 201604139999 | 1 |
|004| 201604139999 | 1 | 201604139999 | 1 |
|005| 201604139999 | 1 | 201604139999 | 1 |
|006| 201604139999 | 1 | 201604139999 | 1 |
|007| 201604139999 | 1 | 201604139999 | 1 |
|008| 201604139999 | 1 | 201604139999 | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|

Printing keys to binary file dumpkeys.bin...

Now that we have the keys, we can run mfoc with the keys specified to crack the card.
Put the keys into keys.txt.
mfoc works with the ACR122 reader.

Then run mfoc; exporting the dump with mfoc is still the most convenient way:

mfoc -f keys.txt -O xxx.dump
The custom key 0xabc6d5e4f3ba has been added to the default keys
The custom key 0xffffffffffff has been added to the default keys
The custom key 0x201604139999 has been added to the default keys
Found Mifare Classic 1k tag

ISO/IEC 14443A (106 kbps) target:

ATQA (SENS_RES): 00 04

* UID size: single
* bit frame anticollision supported
UID (NFCID1): 1e aa 7b 55
SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:

* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation

Other possible matches based on ATQA & SAK values:
Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found

[Key: abc6d5e4f3ba] -> [.x..............]
[Key: ffffffffffff] -> [xx.......xxxxxxx]
[Key: 201604139999] -> [xxxxxxxxxxxxxxxx]
[Key: ffffffffffff] -> [xxxxxxxxxxxxxxxx]
[Key: a0a1a2a3a4a5] -> [xxxxxxxxxxxxxxxx]
[Key: d3f7d3f7d3f7] -> [xxxxxxxxxxxxxxxx]
[Key: 000000000000] -> [xxxxxxxxxxxxxxxx]
[Key: b0b1b2b3b4b5] -> [xxxxxxxxxxxxxxxx]
[Key: 4d3a99c351dd] -> [xxxxxxxxxxxxxxxx]
[Key: 1a982c7e459a] -> [xxxxxxxxxxxxxxxx]
[Key: aabbccddeeff] -> [xxxxxxxxxxxxxxxx]
[Key: 714c5c886e97] -> [xxxxxxxxxxxxxxxx]
[Key: 587ee5f9350f] -> [xxxxxxxxxxxxxxxx]
[Key: a0478cc39091] -> [xxxxxxxxxxxxxxxx]
[Key: 533cb6c723f6] -> [xxxxxxxxxxxxxxxx]
[Key: 8fd0a4f256e9] -> [xxxxxxxxxxxxxxxx]

Sector 00 - FOUND_KEY [A] Sector 00 - FOUND_KEY [B]
Sector 01 - FOUND_KEY [A] Sector 01 - FOUND_KEY [B]
Sector 02 - FOUND_KEY [A] Sector 02 - FOUND_KEY [B]
Sector 03 - FOUND_KEY [A] Sector 03 - FOUND_KEY [B]
Sector 04 - FOUND_KEY [A] Sector 04 - FOUND_KEY [B]
Sector 05 - FOUND_KEY [A] Sector 05 - FOUND_KEY [B]
Sector 06 - FOUND_KEY [A] Sector 06 - FOUND_KEY [B]
Sector 07 - FOUND_KEY [A] Sector 07 - FOUND_KEY [B]
Sector 08 - FOUND_KEY [A] Sector 08 - FOUND_KEY [B]
Sector 09 - FOUND_KEY [A] Sector 09 - FOUND_KEY [B]
Sector 10 - FOUND_KEY [A] Sector 10 - FOUND_KEY [B]
Sector 11 - FOUND_KEY [A] Sector 11 - FOUND_KEY [B]
Sector 12 - FOUND_KEY [A] Sector 12 - FOUND_KEY [B]
Sector 13 - FOUND_KEY [A] Sector 13 - FOUND_KEY [B]
Sector 14 - FOUND_KEY [A] Sector 14 - FOUND_KEY [B]
Sector 15 - FOUND_KEY [A] Sector 15 - FOUND_KEY [B]

We have all sectors encrypted with the default keys..

Auth with all sectors succeeded, dumping keys to a file!

...

I won't show the sector data that follows.
The card data is now saved in xxx.dump.

By the way, one of the keys is 201604139999, which is obviously a date.

So I searched for "<compound name> 2016".

Turns out that date falls right around when the apartments were handed over, so it's probably when the property management made the cards, lol.
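The ATQA/SAK fingerprint, the `hf mf chk` default-key sweep and the date-looking key above are all things the holder of a dump can verify offline, which is what an installer would want to do across a batch of issued cards. The following is an added example, not code from the original post or from mfoc / Proxmark3: a small Python auditor that reads a 1K dump in mfoc's layout (16 sectors of 4 blocks, keys stored in each sector trailer), checks the BCC in block 0 against the UID (the 9a after 1e aa 7b 55 in the nfc-mfsetuid exchange is exactly this XOR), fingerprints the card from the stored ATQA/SAK, and flags every sector whose key is one of the 13 defaults or is all decimal digits opening with a plausible date, as 201604139999 does. The function names (`audit_dump`, `build_sample_dump`, `looks_like_date`) are my own; the sample dump is constructed inline from the values printed in the post, and the key B values, the access bits (FF 07 80 69, the factory default) and the zeroed data blocks are assumptions.

```python
"""Offline audit of a MIFARE Classic 1K dump for weak sector keys.

Added example, not code from the original post or from mfoc / Proxmark3.
Expects the 1024-byte layout mfoc writes: 16 sectors x 4 blocks x 16 bytes,
with key A, access bits and key B stored in each sector's trailer block.
"""

# The 13 default keys that Proxmark3's `hf mf chk` tried in the post.
DEFAULT_KEYS = {
    "ffffffffffff", "000000000000", "a0a1a2a3a4a5", "b0b1b2b3b4b5",
    "aabbccddeeff", "4d3a99c351dd", "1a982c7e459a", "d3f7d3f7d3f7",
    "714c5c886e97", "587ee5f9350f", "a0478cc39091", "533cb6c723f6",
    "8fd0a4f256e9",
}

# ATQA/SAK pairs as reported by nfc-list and `hf 14a reader`. SAK 08 with
# ATQA 0004 is ambiguous between Classic 1K and Plus 2K SL1, exactly as the
# Proxmark output says, so the label keeps the alternatives.
FINGERPRINTS = {
    (0x0004, 0x08): "MIFARE Classic 1K (or Plus 2K SL1 / SmartMX emulation)",
    (0x0002, 0x18): "MIFARE Classic 4K (or Plus 4K SL1)",
    (0x0044, 0x00): "MIFARE Ultralight / NTAG",
}


def fingerprint(atqa: int, sak: int) -> str:
    return FINGERPRINTS.get((atqa, sak), f"unknown (ATQA {atqa:04x}, SAK {sak:02x})")


def parse_block0(block0: bytes) -> dict:
    """Manufacturer block of a 4-byte-UID card: UID, BCC, SAK, ATQA, vendor data."""
    uid = block0[:4]
    bcc = block0[4]
    expected_bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]  # ISO14443-3 BCC = XOR of the UID bytes
    sak = block0[5]
    atqa = int.from_bytes(block0[6:8], "little")     # stored LSB first: 04 00 -> 0x0004
    return {
        "uid": uid.hex(), "bcc_ok": bcc == expected_bcc,
        "sak": sak, "atqa": atqa, "type": fingerprint(atqa, sak),
    }


def looks_like_date(key_hex: str) -> bool:
    """True when the key is all decimal digits and opens with a plausible YYYYMMDD."""
    if not key_hex.isdigit():
        return False
    year, month, day = int(key_hex[:4]), int(key_hex[4:6]), int(key_hex[6:8])
    return 1990 <= year <= 2099 and 1 <= month <= 12 and 1 <= day <= 31


def audit_dump(dump: bytes) -> dict:
    """Return the card identity plus one finding per weak key slot."""
    if len(dump) != 1024:
        raise ValueError("expected a 1024-byte MIFARE Classic 1K dump")
    findings = []
    for sector in range(16):
        trailer = dump[sector * 64 + 48: sector * 64 + 64]
        key_a, key_b = trailer[:6].hex(), trailer[10:].hex()
        for slot, key in (("A", key_a), ("B", key_b)):
            if key in DEFAULT_KEYS:
                findings.append((sector, slot, key, "default key"))
            elif looks_like_date(key):
                findings.append((sector, slot, key, "date-like key"))
    return {
        "card": parse_block0(dump[:16]),
        "findings": findings,
        "weak_sectors": sorted({f[0] for f in findings}),
    }


def build_sample_dump() -> bytes:
    """Constructed sample dump. Block 0 and the key-A values come from the post's
    output; key B is assumed equal to key A, access bits are assumed to be the
    factory default FF 07 80 69, and every data block is left zeroed."""
    block0 = bytes.fromhex("1eaa7b559a0804004659255849102302")
    sector_keys = (["ffffffffffff"] + ["abc6d5e4f3ba"] + ["201604139999"] * 7
                   + ["ffffffffffff"] * 7)
    dump = bytearray(1024)
    dump[0:16] = block0
    for sector, key in enumerate(sector_keys):
        trailer = bytes.fromhex(key) + bytes.fromhex("ff078069") + bytes.fromhex(key)
        dump[sector * 64 + 48: sector * 64 + 64] = trailer
    return bytes(dump)


if __name__ == "__main__":
    report = audit_dump(build_sample_dump())
    print(report["card"])
    for sector, slot, key, why in report["findings"]:
        print(f"sector {sector:2d} key {slot}: {key}  <- {why}")
    print("sectors with a weak key:", report["weak_sectors"])
```

Run against the constructed dump it reports the UID 1eaa7b55 with a valid BCC, the Classic 1K / Plus 2K SL1 fingerprint, and flags 15 of the 16 sectors: sectors 0 and 9 to 15 for the factory key ffffffffffff, sectors 2 to 8 for the date-like key. Only sector 1 with abc6d5e4f3ba passes, which matches what the post's key table shows. Pointing it at a real dump of a freshly issued card tells an operator whether the batch still relies on factory or guessable keys before anyone else finds out.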

Writing the card: using the ACR122 to write is the more convenient option.
First set the UID:

nfc-mfsetuid 1eaa7b55
NFC reader: ACR122U Smart Card Reader / opened
Sent bits: 26 (7 bits)
Received bits: 04 00
Sent bits: 93 20
Received bits: 1e aa 7b 55 9a
Sent bits: 93 70 1e aa 7b 55 9a 15 4d
Received bits: 08 b6 dd

Found tag with
UID: 1eaa7b55
ATQA: 0004
SAK: 08

Sent bits: 50 00 57 cd
Sent bits: 40 (7 bits)
Received bits: a (4 bits)
Sent bits: 43
Received bits: 0a
Sent bits: a0 00 5f b1
Received bits: 0a
Sent bits: 1e aa 7b 55 9a 08 04 00 46 59 25 58 49 10 23 02 02 4b
Received bits: 0a

Because I had already written it once before, the UID shown is already the same.

Then write the data:

nfc-mfclassic W b xxx.dump xxx.dump

That completes the copy.
Tested, and it works.

A note on the parameters:
write to (w)
unlocked write to (W) card

Uppercase W writes to the card after unlocking it.
Lowercase b performs the operations with key B and stops at the first error.
The first dump is used to read the keys.
The second dump is the data written to the card.