How to use Mifare Classic Offline Cracker

MFOC is an open source implementation of the “offline nested” attack by Nethemba. It recovers authentication keys from MIFARE Classic cards.

Project on GitHub

https://github.com/nfc-tools/mfoc

Build from Source

autoreconf -is
./configure
make && sudo make install

Usage Help

Usage: mfoc [-h] [-k key] [-f file] ... [-P probnum] [-T tolerance] [-O output]

  h     print this help and exit
  k     try the specified key in addition to the default keys
  f     parses a file of keys to add in addition to the default keys
  P     number of probes per sector, instead of default of 20
  T     nonce tolerance half-range, instead of default of 20
        (i.e., 40 for the total range, in both directions)
  O     file in which the card contents will be written (REQUIRED)
  D     file in which partial card info will be written in case PRNG is not vulnerable

Example

Example: mfoc -O mycard.mfd
Example: mfoc -k ffffeeeedddd -O mycard.mfd
Example: mfoc -f keys.txt -O mycard.mfd
Example: mfoc -P 50 -T 30 -O mycard.mfd

Have a try

1. Connect a PN532 reader to a Linux, macOS, Windows or Android device.

2. Open a terminal and read the card type with the command nfc-list.

➜  mfoc nfc-list
nfc-list uses libnfc libnfc-1.7.1-223-gf8b2852
NFC device: RFID-PN532 opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04
       UID (NFCID1): f1  48  f7  84
      SAK (SEL_RES): 08

3. Start cracking keys with the command mfoc -O card.mfd.

➜  mfoc mfoc -O card.mfd
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): f1  48  f7  84
      SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [xxx.xxxxxxxxxxxx]
[Key: a0a1a2a3a4a5] -> [xxx.xxxxxxxxxxxx]
[Key: d3f7d3f7d3f7] -> [xxx.xxxxxxxxxxxx]
[Key: 000000000000] -> [xxx.xxxxxxxxxxxx]
[Key: b0b1b2b3b4b5] -> [xxx.xxxxxxxxxxxx]
[Key: 4d3a99c351dd] -> [xxx.xxxxxxxxxxxx]
[Key: 1a982c7e459a] -> [xxx.xxxxxxxxxxxx]
[Key: aabbccddeeff] -> [xxx.xxxxxxxxxxxx]
[Key: 714c5c886e97] -> [xxx.xxxxxxxxxxxx]
[Key: 587ee5f9350f] -> [xxx.xxxxxxxxxxxx]
[Key: a0478cc39091] -> [xxx.xxxxxxxxxxxx]
[Key: 533cb6c723f6] -> [xxx.xxxxxxxxxxxx]
[Key: 8fd0a4f256e9] -> [xxx.xxxxxxxxxxxx]

Sector 00 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 01 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 02 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 03 - Unknown Key A               Unknown Key B
Sector 04 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 05 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 06 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 07 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 08 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 09 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 10 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 11 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 12 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 13 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 14 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 15 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff

4. The keys of sector 03 are unknown, so the program uses the known keys of the other sectors to crack the keys of sector 03.

Using sector 00 as an exploit sector
Sector: 3, type A, probe 0, distance 32 .....
  Found Key: A [fffffffffff1]
  Data read with Key A revealed Key B: [fffffffffff1] - checking Auth: OK
Auth with all sectors succeeded, dumping keys to a file!
Block 63, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff
Block 62, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
Block 61, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
......

5. We now have the MIFARE Classic dump file, card.mfd.

6. Open the dump file with vim card.mfd and view it as hex by typing :%!xxd in vim.
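The dump file that the last step opens in a hex viewer can also be checked programmatically. The Python script below is an added example, not part of this page or of the mfoc project: it parses a MIFARE Classic 1K .mfd dump (1024 raw bytes, 16 sectors of 4 blocks of 16 bytes), reads Key A, the access bits and Key B from each sector trailer, verifies that the three access-bit bytes carry the complementary nibbles the card format requires, and flags sectors that still use one of the well-known default keys mfoc prints above. It assumes the dump stores the recovered keys in the trailer blocks, as mfoc does when it writes the .mfd. The dump bytes it analyses are constructed inside the script (sector 3 carries the fffffffffff1 key from the walkthrough, sector 5 a deliberately corrupted trailer, sector 7 custom keys with a locked configuration), so it runs offline without a reader.

```python
# Added example, not from this page or the mfoc project: audit a MIFARE Classic 1K
# dump (.mfd, 1024 raw bytes) for default keys and malformed access bits.
from typing import Dict, List, Tuple

BLOCK_SIZE = 16
SECTOR_BLOCKS = 4      # 1K card: 16 sectors x 4 blocks x 16 bytes
SECTORS_1K = 16

# The default keys mfoc tries first, copied from its output above.
DEFAULT_KEYS = {
    "ffffffffffff", "a0a1a2a3a4a5", "d3f7d3f7d3f7", "000000000000",
    "b0b1b2b3b4b5", "4d3a99c351dd", "1a982c7e459a", "aabbccddeeff",
    "714c5c886e97", "587ee5f9350f", "a0478cc39091", "533cb6c723f6",
    "8fd0a4f256e9",
}

# Data-block access conditions keyed by (C1, C2, C3), from the MIFARE Classic datasheet.
DATA_ACCESS = {
    (0, 0, 0): "read A|B, write A|B (transport)",
    (0, 1, 0): "read A|B, write never",
    (1, 0, 0): "read A|B, write B",
    (1, 1, 0): "read A|B, write B, value ops",
    (0, 0, 1): "read A|B, write never, decrement only",
    (0, 1, 1): "read B, write B",
    (1, 0, 1): "read B, write never",
    (1, 1, 1): "no access",
}

def encode_access_bits(conds: List[Tuple[int, int, int]]) -> bytes:
    """Pack (C1, C2, C3) for blocks 0..3 into trailer bytes 6..8: byte 6 holds the
    inverted C2 and C1 nibbles, byte 7 C1 and inverted C3, byte 8 C3 and C2;
    bit i of each nibble belongs to block i of the sector."""
    c1 = sum(c[0] << i for i, c in enumerate(conds))
    c2 = sum(c[1] << i for i, c in enumerate(conds))
    c3 = sum(c[2] << i for i, c in enumerate(conds))
    return bytes([((~c2 & 0xF) << 4) | (~c1 & 0xF),
                  (c1 << 4) | (~c3 & 0xF),
                  (c3 << 4) | c2])

def decode_access_bits(acc: bytes) -> List[Tuple[int, int, int]]:
    """Inverse of encode_access_bits; raises when the complementary nibbles
    disagree, which means the trailer is corrupted or was written badly."""
    b6, b7, b8 = acc
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    if (b6 & 0xF, b6 >> 4, b7 & 0xF) != (~c1 & 0xF, ~c2 & 0xF, ~c3 & 0xF):
        raise ValueError("access bits fail the inverted-nibble consistency check")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]

def make_trailer(key_a: bytes, access: bytes, key_b: bytes) -> bytes:
    """Sector trailer layout: Key A (6) | access bits (3) | GPB (1) | Key B (6)."""
    return key_a + access + b"\x69" + key_b

def audit_dump(dump: bytes) -> List[Dict]:
    """Inspect every sector trailer and list weak or broken settings."""
    if len(dump) != SECTORS_1K * SECTOR_BLOCKS * BLOCK_SIZE:
        raise ValueError("expected a 1024-byte MIFARE Classic 1K dump")
    findings = []
    for sector in range(SECTORS_1K):
        start = (sector * SECTOR_BLOCKS + 3) * BLOCK_SIZE
        trailer = dump[start:start + BLOCK_SIZE]
        key_a, acc, key_b = trailer[:6].hex(), trailer[6:9], trailer[10:].hex()
        issues, data = [], []
        if key_a in DEFAULT_KEYS:
            issues.append("Key A is a well-known default")
        if key_b in DEFAULT_KEYS:
            issues.append("Key B is a well-known default")
        try:
            conds = decode_access_bits(acc)
            c1, c2, c3 = conds[3]
            # Trailer conditions 000, 010 and 001 let Key B be read with Key A.
            if c1 == 0 and (c2, c3) != (1, 1):
                issues.append("Key B readable with Key A")
            data = [DATA_ACCESS[c] for c in conds[:3]]
        except ValueError as err:
            issues.append(str(err))
        findings.append({"sector": sector, "key_a": key_a, "key_b": key_b,
                         "data_access": data, "issues": issues})
    return findings

def build_sample_dump() -> bytes:
    """Constructed dump: transport configuration everywhere except sectors 3, 5 and 7."""
    ff = bytes.fromhex("ffffffffffff")
    transport = encode_access_bits([(0, 0, 0)] * 3 + [(0, 0, 1)])   # ff 07 80
    blocks = []
    for sector in range(SECTORS_1K):
        blocks.extend([bytes(BLOCK_SIZE)] * 3)               # data blocks left empty
        if sector == 3:     # the key mfoc recovered in the walkthrough above
            key = bytes.fromhex("fffffffffff1")
            blocks.append(make_trailer(key, transport, key))
        elif sector == 5:   # corrupted access bytes: nibbles no longer complementary
            blocks.append(make_trailer(ff, bytes.fromhex("ff0781"), ff))
        elif sector == 7:   # custom keys, data writable by Key B only, Key B unreadable
            locked = encode_access_bits([(1, 0, 0)] * 3 + [(0, 1, 1)])
            blocks.append(make_trailer(bytes.fromhex("a1b2c3d4e5f6"), locked,
                                       bytes.fromhex("0f1e2d3c4b5a")))
        else:
            blocks.append(make_trailer(ff, transport, ff))
    return b"".join(blocks)

if __name__ == "__main__":
    for f in audit_dump(build_sample_dump()):
        if f["issues"]:
            print(f"sector {f['sector']:02d}: {', '.join(f['issues'])}")
```

Running the script prints one line per sector that has a finding. A card where every sector reports a default key, or whose trailers let Key B be read with Key A, gives no secrecy beyond what the default key list already provides, which is exactly the condition the walkthrough above relied on; the sector 7 entry shows what a trailer looks like when the keys are custom and the access bits are consistent. To audit a real dump, replace build_sample_dump() with open("card.mfd", "rb").read().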

Tips

  1. MFOC is useful only when the key of at least one sector is already known.
  2. MFOC only recovers keys for MIFARE Classic cards.
  3. The cracking speed depends on the number of sectors whose keys are unknown.
  4. The .mfd file can be used to clone the card onto another card.
