MFOC is an open-source implementation of the “offline nested” attack by Nethemba. It recovers authentication keys from MIFARE Classic cards.
Project on Github
https://github.com/nfc-tools/mfoc
Build from Source
autoreconf -is
./configure
make && sudo make install
MFOC Help
Usage: mfoc [-h] [-k key] [-f file] ... [-P probnum] [-T tolerance] [-O output]
h print this help and exit
k try the specified key in addition to the default keys
f parses a file of keys to add in addition to the default keys
P number of probes per sector, instead of default of 20
T nonce tolerance half-range, instead of default of 20
(i.e., 40 for the total range, in both directions)
O file in which the card contents will be written (REQUIRED)
D file in which partial card info will be written in case PRNG is not vulnerable
MFOC Example
Example: mfoc -O mycard.mfd
Example: mfoc -k ffffeeeedddd -O mycard.mfd
Example: mfoc -f keys.txt -O mycard.mfd
Example: mfoc -P 50 -T 30 -O mycard.mfd
Have a try
1. Connect the PN532 to a Linux, macOS, Windows or Android device.
2. Open a terminal and read the card type with the command nfc-list:
➜ mfoc nfc-list
nfc-list uses libnfc libnfc-1.7.1-223-gf8b2852
NFC device: RFID-PN532 opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): f1 48 f7 84
SAK (SEL_RES): 08
3. Start cracking the keys with the command mfoc -O card.mfd:
➜ mfoc mfoc -O card.mfd
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
* UID size: single
* bit frame anticollision supported
UID (NFCID1): f1 48 f7 84
SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:
Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [xxx.xxxxxxxxxxxx]
[Key: a0a1a2a3a4a5] -> [xxx.xxxxxxxxxxxx]
[Key: d3f7d3f7d3f7] -> [xxx.xxxxxxxxxxxx]
[Key: 000000000000] -> [xxx.xxxxxxxxxxxx]
[Key: b0b1b2b3b4b5] -> [xxx.xxxxxxxxxxxx]
[Key: 4d3a99c351dd] -> [xxx.xxxxxxxxxxxx]
[Key: 1a982c7e459a] -> [xxx.xxxxxxxxxxxx]
[Key: aabbccddeeff] -> [xxx.xxxxxxxxxxxx]
[Key: 714c5c886e97] -> [xxx.xxxxxxxxxxxx]
[Key: 587ee5f9350f] -> [xxx.xxxxxxxxxxxx]
[Key: a0478cc39091] -> [xxx.xxxxxxxxxxxx]
[Key: 533cb6c723f6] -> [xxx.xxxxxxxxxxxx]
[Key: 8fd0a4f256e9] -> [xxx.xxxxxxxxxxxx]
Sector 00 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 01 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 02 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 03 - Unknown Key A Unknown Key B
Sector 04 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 05 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 06 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 07 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 08 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 09 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 10 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 11 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 12 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 13 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 14 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 15 - Found Key A: ffffffffffff Found Key B: ffffffffffff
The keys of sector 03 are unknown, so mfoc uses a sector whose key is already known to recover them:
Using sector 00 as an exploit sector
Sector: 3, type A, probe 0, distance 32 .....
Found Key: A [fffffffffff1]
Data read with Key A revealed Key B: [fffffffffff1] - checking Auth: OK
Auth with all sectors succeeded, dumping keys to a file!
Block 63, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 62, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 61, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
......
4. The result is the MIFARE Classic dump file card.mfd.
5. Open the dump file with vim card.mfd and view it as hex with :%!xxd
Tips
- It helps if the key of at least one sector is already known.
- It only recovers keys for MIFARE Classic cards.
- Cracking speed depends on how many sectors use unknown keys.
- The .mfd file can be used to clone the card onto another card.
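The dump mfoc writes is a raw image of the card: for a 1K card, 16 sectors of 4 blocks of 16 bytes, where the last block of each sector is the trailer holding Key A, the access bits and Key B. The trailer's access bits decide who may read Key B, which is why the run above could reveal Key B as soon as Key A was known. The following Python script is an added example, not part of this page or of the MFOC project: it parses such a dump, verifies the inverted-nibble integrity check on the access bits, and flags sectors that still use one of the default keys from mfoc's list, whose trailer lets Key B be read with Key A, or whose data blocks are writable with either key. The sample dump it builds is constructed to mirror the run above (sector 03 keyed fffffffffff1, everything else ffffffffffff in transport configuration); the manufacturer-block bytes and the script name audit_mfd.py are assumptions.

```python
"""Audit a MIFARE Classic 1K dump (.mfd) for default keys and weak trailer settings."""

BLOCK = 16                 # bytes per block
SECTORS = 16               # MIFARE Classic 1K: 16 sectors x 4 blocks x 16 bytes = 1024 bytes
DUMP_SIZE = SECTORS * 4 * BLOCK

# The keys mfoc tries first (copied from the run above); any sector still
# using one of them is protected by a publicly known value.
DEFAULT_KEYS = {
    "ffffffffffff", "a0a1a2a3a4a5", "d3f7d3f7d3f7", "000000000000",
    "b0b1b2b3b4b5", "4d3a99c351dd", "1a982c7e459a", "aabbccddeeff",
    "714c5c886e97", "587ee5f9350f", "a0478cc39091", "533cb6c723f6",
    "8fd0a4f256e9",
}

# Sector-trailer access conditions (C1, C2, C3) -> which key may read Key B.
# (0, 0, 1) is the transport configuration stored as "ff 07 80 69" in the dump above.
KEY_B_READ_WITH = {
    (0, 0, 0): "A", (0, 1, 0): "A", (1, 0, 0): "never", (1, 1, 0): "never",
    (0, 0, 1): "A", (0, 1, 1): "never", (1, 0, 1): "never", (1, 1, 1): "never",
}
# Data-block access conditions (C1, C2, C3) -> (read with, write with)
DATA_ACCESS = {
    (0, 0, 0): ("A|B", "A|B"), (0, 1, 0): ("A|B", "never"),
    (1, 0, 0): ("A|B", "B"),   (1, 1, 0): ("A|B", "B"),
    (0, 0, 1): ("A|B", "never"), (0, 1, 1): ("B", "B"),
    (1, 0, 1): ("B", "never"), (1, 1, 1): ("never", "never"),
}


def decode_access_bits(b6, b7, b8):
    """Return [(C1, C2, C3) for block 0..3] from trailer bytes 6-8.

    Each nibble is stored once plain and once bit-inverted; a mismatch means
    the trailer is corrupt (the card would then lock the sector), so raise."""
    c1 = (b7 >> 4) & 0xF
    c2 = b8 & 0xF
    c3 = (b8 >> 4) & 0xF
    if (~b6 & 0xF) != c1 or ((b6 >> 4) ^ 0xF) != c2 or ((b7 & 0xF) ^ 0xF) != c3:
        raise ValueError("access bits fail their inverted-copy check")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def parse_mfd(data):
    """Split a 1K dump into sectors: keys, raw access bytes and data blocks."""
    if len(data) != DUMP_SIZE:
        raise ValueError(f"expected a {DUMP_SIZE}-byte MIFARE Classic 1K dump, got {len(data)}")
    sectors = []
    for s in range(SECTORS):
        blocks = [data[(s * 4 + i) * BLOCK:(s * 4 + i + 1) * BLOCK] for i in range(4)]
        trailer = blocks[3]
        sectors.append({
            "key_a": trailer[0:6].hex(),
            "access": tuple(trailer[6:9]),
            "key_b": trailer[10:16].hex(),
            "data": blocks[:3],
        })
    return sectors


def audit_dump(data):
    """Return (sector, finding) pairs that a card issuer would want to fix."""
    findings = []
    for n, sec in enumerate(parse_mfd(data)):
        for name in ("key_a", "key_b"):
            if sec[name] in DEFAULT_KEYS:
                findings.append((n, f"{name} is a default key ({sec[name]})"))
        try:
            acc = decode_access_bits(*sec["access"])
        except ValueError as e:
            findings.append((n, f"corrupt trailer: {e}"))
            continue
        if KEY_B_READ_WITH[acc[3]] == "A":
            findings.append((n, f"Key B is readable with Key A (trailer bits {acc[3]}), so it adds no secrecy"))
        for blk, cond in enumerate(acc[:3]):
            if DATA_ACCESS[cond] == ("A|B", "A|B"):
                findings.append((n, f"block {blk} is writable with either key (transport condition)"))
    return findings


def build_sample_dump():
    """Constructed 1K dump mirroring the run above: every sector in transport
    configuration with ffffffffffff, except sector 3 keyed fffffffffff1."""
    transport = bytes.fromhex("ff078069")
    dump = bytearray(DUMP_SIZE)
    # constructed manufacturer block: UID f1 48 f7 84, BCC ca, SAK 08, ATQA 04 00
    dump[0:8] = bytes.fromhex("f148f784ca080400")
    for s in range(SECTORS):
        key = bytes.fromhex("fffffffffff1" if s == 3 else "ffffffffffff")
        dump[(s * 4 + 3) * BLOCK:(s * 4 + 4) * BLOCK] = key + transport + key
    return bytes(dump)


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    for sector, finding in audit_dump(raw):
        print(f"sector {sector:02d}: {finding}")
```

Run it as python audit_mfd.py card.mfd against a real dump, or with no argument to audit the constructed sample. On the sample, sector 03 is the only sector without a default-key finding, but it is still reported because its trailer is in transport configuration: Key B can be read with Key A and every data block is writable with either key. Fixing that requires both changing the keys and setting access bits that keep Key B unreadable (C1C2C3 of 1xx or x11 for the trailer).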
Run with PN532 on the Phone
How To Use PN532 To Restore Mifare Classic 1K Keys on Android Phone
Run mfoc with Proxmark3 on the Phone
Connect Proxmark3 X with Bluetooth