NFC Card Vulnerability Exploitation Leading to Free Top-Up i...

src/todo/radio-hacking/pentesting-rfid.md

@@ -91,6 +91,58 @@ flipper-zero/fz-nfc.md
 Or using the **proxmark**:
 
 
+{{#ref}}
+proxmark-3.md
+{{#endref}}
+
+### MiFare Classic offline stored-value tampering (broken Crypto1)
+
+When a system stores a monetary balance directly on a MiFare Classic card, you can often manipulate it because Classic uses NXP’s deprecated Crypto1 cipher. Crypto1 has been broken for years, allowing recovery of sector keys and full read/write of card memory with commodity hardware (e.g., Proxmark3).
+
+End-to-end workflow (abstracted):
+
+1) Dump the original card and recover keys
+
+```bash
+# Attempt all built-in Classic key recovery attacks and dump the card
+hf mf autopwn
+```
+
+This typically recovers sector keys (A/B) and generates a full-card dump in the client dumps folder.
+
+2) Locate and understand the value/integrity fields
+
+- Perform legitimate top-ups on the original card and take multiple dumps (before/after).
+- Do a diff of the two dumps to identify the changing blocks/bytes that represent the balance and any integrity fields.
+- Many Classic deployments either use the native "value block" encoding or roll their own checksums (e.g., XOR of the balance with another field and a constant). After changing the balance, recompute the integrity bytes accordingly and ensure all duplicated/complemented fields are consistent.
+
+3) Write the modified dump to a writable “Chinese magic” Classic tag
+
+```bash
+# Load a modified binary dump onto a UID-changeable Classic tag
+hf mf cload -f modified.bin
+```
+
+4) Clone the original UID so terminals recognize the card
+
+```bash
+# Set the UID on a UID-changeable tag (gen1a/gen2 magic)
+hf mf csetuid -u <original_uid>
+```
+
+5) Use at terminals
+
+Readers that trust the on-card balance and the UID will accept the manipulated card. Field observations show many deployments cap balances based on field width (e.g., 16-bit fixed-point).
+
+Notes
+
+- If the system uses native Classic value blocks, remember the format: value (4B) + ~value (4B) + value (4B) + block address + ~address. All parts must match.
+- For custom formats with simple checksums, differential analysis is the fastest way to derive the integrity function without reversing firmware.
+- Only UID-changeable tags ("Chinese magic" gen1a/gen2) allow writing block 0/UID. Normal Classic cards have read-only UIDs.
+
+For hands-on Proxmark3 commands, see:
+
+
 {{#ref}}
 proxmark-3.md
 {{#endref}}
@@ -110,7 +162,8 @@ maxiprox-mobile-cloner.md
 
 - [https://blog.flipperzero.one/rfid/](https://blog.flipperzero.one/rfid/)
 - [Let's Clone a Cloner – Part 3 (TrustedSec)](https://trustedsec.com/blog/lets-clone-a-cloner-part-3-putting-it-all-together)
+- [NXP statement on MIFARE Classic Crypto1](https://www.mifare.net/en/products/chip-card-ics/mifare-classic/security-statement-on-crypto1-implementations/)
+- [MIFARE security overview (Wikipedia)](https://en.wikipedia.org/wiki/MIFARE#Security)
+- [NFC card vulnerability exploitation in KioSoft Stored Value (SEC Consult)](https://sec-consult.com/vulnerability-lab/advisory/nfc-card-vulnerability-exploitation-leading-to-free-top-up-kiosoft-payment-solution/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-

src/todo/radio-hacking/proxmark-3.md

@@ -35,6 +35,36 @@ proxmark3> hf mf wrbl 01 B FFFFFFFFFFFF 000102030405060708090a0b0c0d0e0f # Write
 
 The Proxmark3 allows to perform other actions like **eavesdropping** a **Tag to Reader communication** to try to find sensitive data. In this card you could just sniff the communication with and calculate the used key because the **cryptographic operations used are weak** and knowing the plain and cipher text you can calculate it (`mfkey64` tool).
 
+#### MiFare Classic quick workflow for stored-value abuse
+
+When terminals store balances on Classic cards, a typical end-to-end flow is:
+
+```bash
+# 1) Recover sector keys and dump full card
+proxmark3> hf mf autopwn
+
+# 2) Modify dump offline (adjust balance + integrity bytes)
+#    Use diffing of before/after top-up dumps to locate fields
+
+# 3) Write modified dump to a UID-changeable ("Chinese magic") tag
+proxmark3> hf mf cload -f modified.bin
+
+# 4) Clone original UID so readers recognize the card
+proxmark3> hf mf csetuid -u <original_uid>
+```
+
+Notes
+
+- `hf mf autopwn` orchestrates nested/darkside/HardNested-style attacks, recovers keys, and creates dumps in the client dumps folder.
+- Writing block 0/UID only works on magic gen1a/gen2 cards. Normal Classic cards have read-only UID.
+- Many deployments use Classic "value blocks" or simple checksums. Ensure all duplicated/complemented fields and checksums are consistent after editing.
+
+See a higher-level methodology and mitigations in:
+
+{{#ref}}
+pentesting-rfid.md
+{{#endref}}
+
 ### Raw Commands
 
 IoT systems sometimes use **nonbranded or noncommercial tags**. In this case, you can use Proxmark3 to send custom **raw commands to the tags**.
@@ -61,7 +91,11 @@ proxmark3> script run mfkeys
 
 You can create a script to **fuzz tag readers**, so copying the data of a **valid card** just write a **Lua script** that **randomize** one or more random **bytes** and check if the **reader crashes** with any iteration.
 
-{{#include ../../banners/hacktricks-training.md}}
-
+## References
 
+- [Proxmark3 wiki: HF MIFARE](https://github.com/RfidResearchGroup/proxmark3/wiki/HF-Mifare)
+- [Proxmark3 wiki: HF Magic cards](https://github.com/RfidResearchGroup/proxmark3/wiki/HF-Magic-cards)
+- [NXP statement on MIFARE Classic Crypto1](https://www.mifare.net/en/products/chip-card-ics/mifare-classic/security-statement-on-crypto1-implementations/)
+- [NFC card vulnerability exploitation in KioSoft Stored Value (SEC Consult)](https://sec-consult.com/vulnerability-lab/advisory/nfc-card-vulnerability-exploitation-leading-to-free-top-up-kiosoft-payment-solution/)
 
+{{#include ../../banners/hacktricks-training.md}}