diff --git a/src/todo/radio-hacking/pentesting-rfid.md b/src/todo/radio-hacking/pentesting-rfid.md index fef44eeb6e4..7e9228455aa 100644 --- a/src/todo/radio-hacking/pentesting-rfid.md +++ b/src/todo/radio-hacking/pentesting-rfid.md 
@@ -91,6 +91,58 @@ flipper-zero/fz-nfc.md Or using the **proxmark**: +{{#ref}} +proxmark-3.md +{{#endref}} + +### MiFare Classic offline stored-value tampering (broken Crypto1) + +When a system stores a monetary balance directly on a MiFare Classic card, you can often manipulate it because Classic uses NXP’s deprecated Crypto1 cipher. Crypto1 has been broken for years, allowing recovery of sector keys and full read/write of card memory with commodity hardware (e.g., Proxmark3). + +End-to-end workflow (abstracted): + +1) Dump the original card and recover keys + +```bash +# Attempt all built-in Classic key recovery attacks and dump the card +hf mf autopwn +``` + +This typically recovers sector keys (A/B) and generates a full-card dump in the client dumps folder. + +2) Locate and understand the value/integrity fields + +- Perform legitimate top-ups on the original card and take multiple dumps (before/after). +- Do a diff of the two dumps to identify the changing blocks/bytes that represent the balance and any integrity fields. +- Many Classic deployments either use the native "value block" encoding or roll their own checksums (e.g., XOR of the balance with another field and a constant). After changing the balance, recompute the integrity bytes accordingly and ensure all duplicated/complemented fields are consistent. + +3) Write the modified dump to a writable “Chinese magic” Classic tag + +```bash +# Load a modified binary dump onto a UID-changeable Classic tag +hf mf cload -f modified.bin +``` + +4) Clone the original UID so terminals recognize the card + +```bash +# Set the UID on a UID-changeable tag (gen1a/gen2 magic) +hf mf csetuid -u +``` + +5) Use at terminals + +Readers that trust the on-card balance and the UID will accept the manipulated card. Field observations show many deployments cap balances based on field width (e.g., 16-bit fixed-point). 
+ +Notes + +- If the system uses native Classic value blocks, remember the format: value (4B) + ~value (4B) + value (4B) + block address + ~address. All parts must match. +- For custom formats with simple checksums, differential analysis is the fastest way to derive the integrity function without reversing firmware. +- Only UID-changeable tags ("Chinese magic" gen1a/gen2) allow writing block 0/UID. Normal Classic cards have read-only UIDs. + +For hands-on Proxmark3 commands, see: + + {{#ref}} proxmark-3.md {{#endref}} @@ -110,7 +162,8 @@ maxiprox-mobile-cloner.md - [https://blog.flipperzero.one/rfid/](https://blog.flipperzero.one/rfid/) - [Let's Clone a Cloner – Part 3 (TrustedSec)](https://trustedsec.com/blog/lets-clone-a-cloner-part-3-putting-it-all-together) +- [NXP statement on MIFARE Classic Crypto1](https://www.mifare.net/en/products/chip-card-ics/mifare-classic/security-statement-on-crypto1-implementations/) +- [MIFARE security overview (Wikipedia)](https://en.wikipedia.org/wiki/MIFARE#Security) +- [NFC card vulnerability exploitation in KioSoft Stored Value (SEC Consult)](https://sec-consult.com/vulnerability-lab/advisory/nfc-card-vulnerability-exploitation-leading-to-free-top-up-kiosoft-payment-solution/) {{#include ../../banners/hacktricks-training.md}} - - diff --git a/src/todo/radio-hacking/proxmark-3.md b/src/todo/radio-hacking/proxmark-3.md index ad968cfe29c..0c750753706 100644 --- a/src/todo/radio-hacking/proxmark-3.md +++ b/src/todo/radio-hacking/proxmark-3.md 
@@ -35,6 +35,36 @@ proxmark3> hf mf wrbl 01 B FFFFFFFFFFFF 000102030405060708090a0b0c0d0e0f # Write The Proxmark3 allows to perform other actions like **eavesdropping** a **Tag to Reader communication** to try to find sensitive data. In this card you could just sniff the communication with and calculate the used key because the **cryptographic operations used are weak** and knowing the plain and cipher text you can calculate it (`mfkey64` tool). +#### MiFare Classic quick workflow for stored-value abuse + +When terminals store balances on Classic cards, a typical end-to-end flow is: + +```bash +# 1) Recover sector keys and dump full card +proxmark3> hf mf autopwn + +# 2) Modify dump offline (adjust balance + integrity bytes) +# Use diffing of before/after top-up dumps to locate fields + +# 3) Write modified dump to a UID-changeable ("Chinese magic") tag +proxmark3> hf mf cload -f modified.bin + +# 4) Clone original UID so readers recognize the card +proxmark3> hf mf csetuid -u +``` + +Notes + +- `hf mf autopwn` orchestrates nested/darkside/HardNested-style attacks, recovers keys, and creates dumps in the client dumps folder. +- Writing block 0/UID only works on magic gen1a/gen2 cards. Normal Classic cards have read-only UID. +- Many deployments use Classic "value blocks" or simple checksums. Ensure all duplicated/complemented fields and checksums are consistent after editing. + +See a higher-level methodology and mitigations in: + +{{#ref}} +pentesting-rfid.md +{{#endref}} + ### Raw Commands IoT systems sometimes use **nonbranded or noncommercial tags**. In this case, you can use Proxmark3 to send custom **raw commands to the tags**. 
@@ -61,7 +91,11 @@ proxmark3> script run mfkeys You can create a script to **fuzz tag readers**, so copying the data of a **valid card** just write a **Lua script** that **randomize** one or more random **bytes** and check if the **reader crashes** with any iteration. -{{#include ../../banners/hacktricks-training.md}} - +## References +- [Proxmark3 wiki: HF MIFARE](https://github.com/RfidResearchGroup/proxmark3/wiki/HF-Mifare) +- [Proxmark3 wiki: HF Magic cards](https://github.com/RfidResearchGroup/proxmark3/wiki/HF-Magic-cards) +- [NXP statement on MIFARE Classic Crypto1](https://www.mifare.net/en/products/chip-card-ics/mifare-classic/security-statement-on-crypto1-implementations/) +- [NFC card vulnerability exploitation in KioSoft Stored Value (SEC Consult)](https://sec-consult.com/vulnerability-lab/advisory/nfc-card-vulnerability-exploitation-leading-to-free-top-up-kiosoft-payment-solution/) +{{#include ../../banners/hacktricks-training.md}}
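Review bot: the native value-block layout given in the Notes list of the `@@ -91` hunk of `pentesting-rfid.md` is incomplete. A MIFARE Classic value block is value (4B), ~value (4B), value (4B) followed by the address byte repeated four times as addr, ~addr, addr, ~addr, not the two bytes "block address + ~address" the text lists; since the same sentence tells the reader "All parts must match", describe all four address bytes so the description is correct. Two smaller points in the same hunk: `hf mf csetuid -u` is left without its value and will be copied as a malformed command, so either show an explicit placeholder such as `<uid>` or drop the flag; and the hunk links `proxmark-3.md` twice (once right after "Or using the **proxmark**:" and again under "For hands-on Proxmark3 commands, see:"), so keep one. The sentence "Field observations show many deployments cap balances based on field width (e.g., 16-bit fixed-point)" has no source behind it; cite one of the new references or remove it.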
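Review bot: in the `@@ -110` references hunk of `pentesting-rfid.md`, the Wikipedia section link is the weakest of the three additions for a claim as central as "Crypto1 has been broken for years"; prefer the primary source, Garcia et al., "Dismantling MIFARE Classic" (ESORICS 2008), alongside the NXP statement, or at least list it in addition to the Wikipedia entry.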
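Review bot: the closing cross-reference in the `@@ -35` hunk of `proxmark-3.md` promises "a higher-level methodology and mitigations in: pentesting-rfid.md", but the companion change to that file adds no mitigations at all, so the link sends readers to a page that does not deliver what is advertised. Either drop "and mitigations" or add the defensive guidance a pentest write-up should end with: keep the authoritative balance in a backend ledger and use the card only as an identifier, never trust a UID that the card itself can rewrite, and move stored-value deployments off Crypto1 to a current MIFARE product with AES authentication (MIFARE Plus or DESFire). The five-step block here also repeats the workflow added to `pentesting-rfid.md` almost verbatim; two copies will drift, so keep the full procedure in one file and link from the other. Minor: `hf mf csetuid -u` again lacks its value, and the heading spells the product "MiFare" while the new references use NXP's spelling "MIFARE".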
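Review bot: the `## References` heading added in the `@@ -61` hunk of `proxmark-3.md` runs straight into its list with no blank line, unlike the `#### MiFare Classic quick workflow ...` heading in the earlier hunk, which is followed by one; add the blank line so headings are formatted consistently within the file. The NXP and SEC Consult entries now appear in both files' reference lists, which is acceptable for separate pages but is one more place the two copies can drift if the workflow is consolidated as suggested above.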