OS:kali linux 2.0 amd64
NFC reader: ACR122U-A9 Smart Card Reader
写下ACR122 Reader在linux下的各种命令用法
百度自然能看到各种各样的用法 但是过于杂乱 所以一直想要整合一下 为自己所用
基于实战总结
下次会写下proxmark3神器的
kali系统默认是安装好了ACR122U驱动和libnfc库 libnfc 1.7.1
nfc-list
查看读卡器/卡1
2
3
4
5
6
7
8root@kali:~# nfc-list
nfc-list uses libnfc 1.7.1
NFC device: ACR122U Smart Card Reader / opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): e4 31 a1 b5
SAK (SEL_RES): 08
这个命令是可以查看多张卡的。
目前就我自己尝试来看,可以读取三张卡1
3 ISO14443A passive target(s) found:
卡片多了可能会出错 如下1
error libnfc.driver.acr122_usb PN532 didn't reply
从这个错误信息 可以看出三点:
- acr122的驱动
- acr122的芯片模块其实是PN532
群里有人发了acr122的pcb图
里面其实就是pn532加上ttl串口
貌似并不能看不出来=。=
- 错误原因 PN532没有响应 (其中的2张卡有贴纸和塑料膜 也许是这个影响了读取
于是我去掉卡贴 再次查看 发现。。1
4 ISO14443A passive target(s) found:
pcscd -f 现在不需要运行这个命令了 参考1 以前是需要运行这条来监听
mfcuk
一般用于全加密卡(不知道卡的任何一个key)即Dark-side攻击
MiFare Classic Universal toolKit (MFCUK)
https://github.com/nfc-tools/mfcuk1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33mfcuk - 0.3.8
Mifare Classic DarkSide Key Recovery Tool - 0.3
by Andrei Costin, [email protected], http://andreicostin.com
Usage:
-C - require explicit connection to the reader. Without this option, the connection is not made and recovery will not occur
-i mifare.dmp - load input mifare_classic_tag type dump
-I mifare_ext.dmp - load input extended dump specific to this tool, has several more fields on top of mifare_classic_tag type dump
-o mifare.dmp - output the resulting mifare_classic_tag dump to a given file
-O mifare_ext.dmp - output the resulting extended dump to a given file
-V sector[:A/B/any_other_alphanum[:fullkey]] - verify key for specified sector, -1 means all sectors
After first semicolon key-type can specified: A verifies only keyA, B verifies only keyB, anything else verifies both keys
After second semicolon full 12 hex-digits key can specified - this key will override any loaded dump key for the given sector(s) and key-type(s)
-R sector[:A/B/any_other_alphanum] - recover key for sector, -1 means all sectors.
After first semicolon key-type can specified: A recovers only keyA, B recovers only keyB, anything else recovers both keys
-U UID - force specific UID. If a dump was loaded with -i, -U will overwrite the in the memory where dump was loaded
-M tagtype - force specific tagtype. 8 is 1K, 24 is 4K, 32 is DESFire
-D - for sectors and key-types marked for verification, in first place use default keys to verify (maybe you are lucky)
-d key - specifies additional full 12 hex-digits default key to be checked. Multiple -d options can be used for more additional keys
-s - milliseconds to sleep for SLEEP_AT_FIELD_OFF (Default: 10 ms)
-S - milliseconds to sleep for SLEEP_AFTER_FIELD_ON (Default: 50 ms)
-P hex_literals_separated - try to recover the key from a conversation sniffed with Proxmark3 (mifarecrack.c based). Accepts several options:
Concatenated string in hex literal format of form uid:tag_chal:nr_enc:reader_resp:tag_resp
Example -P 0x5c72325e:0x50829cd6:0xb8671f76:0xe00eefc9:0x4888964f would find key FFFFFFFFFFFF
-p proxmark3_full.log - tries to parse the log file on it's own (mifarecrack.py based), get the values for option -P and invoke it
-F - tries to fingerprint the input dump (-i) against known cards' data format
-v verbose_level - verbose level (default is O)
Usage examples:
Recove all keys from all sectors:
mfcuk -C -R -1
Recove the sector #0 key with 250 ms for all delays (delays could give more results):
mfcuk -C -R 0 -s 250 -S 250
mfoc
离线破解 (已知key破解) 即nested攻击
Mifare Classic Offline Cracker
https://github.com/nfc-tools/mfoc1
2
3
4
5
6
7
8
9
10
11
12
13
14Usage: mfoc [-h] [-k key] [-f file] ... [-P probnum] [-T tolerance] [-O output]
h print this help and exit
k try the specified key in addition to the default keys
f parses a file of keys to add in addition to the default keys
P number of probes per sector, instead of default of 20
T nonce tolerance half-range, instead of default of 20
(i.e., 40 for the total range, in both directions)
O file in which the card contents will be written (REQUIRED)
Example: mfoc -O mycard.mfd
Example: mfoc -k ffffeeeedddd -O mycard.mfd
Example: mfoc -f keys.txt -O mycard.mfd
Example: mfoc -P 50 -T 30 -O mycard.mfd
This is mfoc version 0.10.7.
For more information, run: 'man mfoc'.
翻一下1
2
3
4
5
6
7
8
9
10
11
12Usage: mfoc [-h] [-k key]... [-P probnum] [-Ttolerance] [-O output]
h 打印帮助
k 将一个新的密钥添加到密钥表里
f 将新的密钥添加到文件中 引用
P 每扇区测试多少个密钥(默认20)
T 随机和随机范围(默认20)
O 输出到的文件 (必要参数,不加会报错)
Example: mfoc -O mycard.mfd
Example: mfoc -k ffffeeeedddd -O mycard.mfd
Example: mfoc -f keys.txt -O mycard.mfd
Example: mfoc -P 50 -T 30 -O mycard.mfd
常用的命令如上了1
mfoc -k xxxxxxxxxxxx -O card.dump
PT参数一般不用设置。。
注意一点!!!
mfoc命令行-O参数生成的.dump都是1k的大小
可以直接写卡
但是mfocGUI导出的dump文件是4k的
所以这也算是linux下的便利性吧
mfterm mifare
仿真终端
不常用
自己也没有用到过
参考https://github.com/4ZM/mfterm
或者man mfterm
进入终端后 help一下1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34root@kali:~# mfterm
$ help
quit Exit the program.
load Load tag data from a file.
save Save tag data to a file.
clear Clear the current tag data.
read A|B : Read tag data from a physical tag.
read unlocked On pirate cards, read card without keys.
write A|B : Write tag data to a physical tag.
write unlocked On pirate cards, write 1k tag with block 0.
print 1k|4k : Print tag data.
print head Print first sector.
print keys 1k|4k : Print tag s keys.
print ac Print access conditions.
set #block #offset = xx xx xx : Set tag data.
setuid xx xx xx xx: Set tag UID.
keys load Load keys from a file.
keys save Save keys to a file.
keys clear Clear the keys.
keys set A|B #S key : Set a key value.
keys import Import keys from the current tag.
keys test Try to authenticate with the keys.
keys 1k|4k : Print the keys.
dict load Load a dictionary key file.
dict clear Clear the key dictionary.
dict attack Find keys of a physical tag.
dict Print the key dictionary.
spec load Load a specification file.
spec clear Unload the specification.
spec Print the specification.
mac key <k0..k7> : Get or set MAC key.
mac compute #block : Compute block MAC.
mac update #block : Compute block MAC.
mac validate 1k|4k : Validates block MAC of the whole tag.
mifare-classic-format
格式化卡片
1 | usage: mifare-classic-format [-fy] [keyfile] |
MAD是指MIFARE_APPLICATION_DIRECTORY
一般这样使用1
2
3
4root@kali:~# mifare-classic-format card.dump
#dump主要是提供keyA 和 keyB
Found Mifare Classic 1k with UID xxxxxxxx. Format [yN] y
Formatting 16 sectors [...4...8...12...16] done.
nfc-mfclassic
克隆dump到新的卡片
1 | Usage: nfc-mfclassic f|r|R|w|W a|b <dump.mfd> [<keys.mfd> [f]] |
嘛 还比如nfc-mfclassic w b 饭卡100.dump 饭卡100.dump
诶 好像被你们发现了什么不得了的东西 (手动滑稽
但是对于不同uid的卡 dump不能刷进去 提示报错 如:
1 | root@kali:~# nfc-mfclassic W b watercard.dump watercard.dump |
查看下面一个命令
nfc-mfsetuid [uid]
(灰常重要!!!!!!!!)用于修改M1特殊卡的uid
吐槽下:kali 2.0居然没有自带这个工具 但查阅资料,由参考可知 是libnfc库中提供的方法 于是我们下载一个libnfc库(可自行编译源码/直接apt-get 哈哈哈) 话说 kali不是安装了吗 我也不知道1
2
3
4apt-get install libnfc
#TAB补全后发现存在
libnfc5 libnfc-bin libnfc-examples
libnfc5-dbg libnfc-dev libnfc-pn53x-examples
随手安装一个 其他未测试1
apt-get install libnfc-examples
ps:可以用apt search 搜索软件包 查看软件包的安装情况 和 简单描述1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19root@kali:~# apt search libnfc
正在排序... 完成
全文搜索... 完成
libnfc-bin/kali-current,now 1.7.1-2 amd64 [已安装]
Near Field Communication (NFC) binaries
libnfc-dev/kali-current,now 1.7.1-2 amd64 [已安装]
Near Field Communication (NFC) library (development files)
libnfc-examples/kali-current,now 1.7.1-2 amd64 [已安装]
Near Field Communication (NFC) examples
libnfc-pn53x-examples/kali-current 1.7.1-2 amd64
Near Field Communication (NFC) examples for PN53x chips only
libnfc5/kali-current,now 1.7.1-2 amd64 [已安装,自动]
Near Field Communication (NFC) library
libnfc5-dbg/kali-current 1.7.1-2 amd64
Near Field Communication (NFC) library (debugging information)
mfcuk/kali-current,now 0.3.8-0kali4 amd64 [已安装]
MFCUK - MiFare Classic Universal toolKit
ruby-nfc/kali-current 3.1.1-1 amd64
ruby wrapper for the libnfc
用法:1
2
3
4
5
6
7
8
9Usage: nfc-mfsetuid [OPTIONS] [UID]
Options:
-h Help. Print this message.
-f Format. Delete all data (set to 0xFF) and reset ACLs to default.
-q Quiet mode. Suppress output of READER and CARD data (improves timing).
Specify UID (4 HEX bytes) to set UID, or leave blank for default '01234567'.
This utility can be used to recover cards that have been damaged by writing bad
data (e.g. wrong BCC), thus making them non-selectable by most tools/readers.
*** Note: this utility only works with special Mifare 1K cards (Chinese clones).
补充:
vim下编辑16进制的dump
1 | vim card100.dump |
直接键入
:%!xxd —->切换到十六进制显示
:%!xxd -r —->切回文本方式显示
十六进制显示时,第一排前8位即是卡片的id
参考资料:
其他资料:
bobylive.com
flylai.com
孔神的博客
nfc-tools主页
https://github.com/nfc-tools/
https://github.com/ikarus23/MifareClassicTool
nfc-tools中sniff-pn53x.sh
http://nfc-tools.github.io/
NFC-PN532
Linux下的RFID,简介nfc-mfclassic的使用
nfc-mfclassic 防止控制位误写 指定读写的块 补丁
破解mifare Classic(M1)非接触式射频IC卡–Mifare crack Hack 笔记二
修改板 mfoc 0.10.3 增加中断、选择扇区、可选默认密码等功能