How to use Mifare Classic Offline Cracker

MFOC is an open-source implementation of the “offline nested” attack by Nethemba. It recovers authentication keys from MIFARE Classic cards.

Project on Github

https://github.com/nfc-tools/mfoc

Build from Source

autoreconf -is
./configure
make && sudo make install

MFOC Help

Usage: mfoc [-h] [-k key] [-f file] ... [-P probnum] [-T tolerance] [-O output]

  h     print this help and exit
  k     try the specified key in addition to the default keys
  f     parses a file of keys to add in addition to the default keys
  P     number of probes per sector, instead of default of 20
  T     nonce tolerance half-range, instead of default of 20
        (i.e., 40 for the total range, in both directions)
  O     file in which the card contents will be written (REQUIRED)
  D     file in which partial card info will be written in case PRNG is not vulnerable

MFOC Example

Example: mfoc -O mycard.mfd
Example: mfoc -k ffffeeeedddd -O mycard.mfd
Example: mfoc -f keys.txt -O mycard.mfd
Example: mfoc -P 50 -T 30 -O mycard.mfd

Have a try

1. Connect the PN532 to a Linux, macOS, Windows or Android device.

2. Open a terminal and read the card type with the command nfc-list.

➜  mfoc nfc-list
nfc-list uses libnfc libnfc-1.7.1-223-gf8b2852
NFC device: RFID-PN532 opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04
       UID (NFCID1): f1  48  f7  84
      SAK (SEL_RES): 08

3. Start cracking the keys with the command mfoc -O card.mfd.

➜  mfoc mfoc -O card.mfd
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): f1  48  f7  84
      SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [xxx.xxxxxxxxxxxx]
[Key: a0a1a2a3a4a5] -> [xxx.xxxxxxxxxxxx]
[Key: d3f7d3f7d3f7] -> [xxx.xxxxxxxxxxxx]
[Key: 000000000000] -> [xxx.xxxxxxxxxxxx]
[Key: b0b1b2b3b4b5] -> [xxx.xxxxxxxxxxxx]
[Key: 4d3a99c351dd] -> [xxx.xxxxxxxxxxxx]
[Key: 1a982c7e459a] -> [xxx.xxxxxxxxxxxx]
[Key: aabbccddeeff] -> [xxx.xxxxxxxxxxxx]
[Key: 714c5c886e97] -> [xxx.xxxxxxxxxxxx]
[Key: 587ee5f9350f] -> [xxx.xxxxxxxxxxxx]
[Key: a0478cc39091] -> [xxx.xxxxxxxxxxxx]
[Key: 533cb6c723f6] -> [xxx.xxxxxxxxxxxx]
[Key: 8fd0a4f256e9] -> [xxx.xxxxxxxxxxxx]

Sector 00 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 01 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 02 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 03 - Unknown Key A               Unknown Key B
Sector 04 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 05 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 06 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 07 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 08 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 09 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 10 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 11 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 12 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 13 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 14 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 15 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff

4. The keys of sector 03 are unknown, so the program uses the keys it already knows for the other sectors to recover the keys of sector 03 (the nested attack).

Using sector 00 as an exploit sector
Sector: 3, type A, probe 0, distance 32 .....
  Found Key: A [fffffffffff1]
  Data read with Key A revealed Key B: [fffffffffff1] - checking Auth: OK
Auth with all sectors succeeded, dumping keys to a file!
Block 63, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff
Block 62, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
Block 61, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
......

5. We now have the MIFARE Classic dump file, card.mfd.

6. Open the dump file with vim card.mfd and view it as hex by typing :%!xxd.
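As an added example (not part of the original post or of the mfoc project), the following Python script reads a card.mfd dump like the one produced above and reports, for every sector, whether key A or key B is still one of the default keys mfoc tried and whether the access bits are still the factory transport configuration ff 07 80 69, which is how an auditor checks whether a batch of cards was ever personalised. It goes beyond the 1K card in the session and also handles the 4K layout; the sample dump is constructed inline to mirror the card above.

```python
# Default keys mfoc tried in the session above.
DEFAULT_KEYS = {
    "ffffffffffff", "a0a1a2a3a4a5", "d3f7d3f7d3f7", "000000000000",
    "b0b1b2b3b4b5", "4d3a99c351dd", "1a982c7e459a", "aabbccddeeff",
    "714c5c886e97", "587ee5f9350f", "a0478cc39091", "533cb6c723f6",
    "8fd0a4f256e9",
}
TRANSPORT_ACCESS = "ff078069"  # access bits + GPB as shipped from the factory

def sector_trailers(dump: bytes):
    """Yield (sector, trailer block) for a 1K (1024 B) or 4K (4096 B) dump.
    Sectors 0-31 have 4 blocks; on 4K cards sectors 32-39 have 16 blocks.
    The trailer (keys + access bits) is always the last block of a sector."""
    if len(dump) not in (1024, 4096):
        raise ValueError(f"unexpected dump size {len(dump)}, want 1024 or 4096")
    block, sector = 0, 0
    while block * 16 < len(dump):
        size = 4 if sector < 32 else 16
        yield sector, dump[(block + size - 1) * 16:(block + size) * 16]
        block, sector = block + size, sector + 1

def parse_trailer(trailer: bytes) -> dict:
    """Split a trailer into key A (bytes 0-5), access (6-9) and key B (10-15)."""
    return {"key_a": trailer[:6].hex(), "access": trailer[6:10].hex(),
            "key_b": trailer[10:].hex()}

def audit_dump(dump: bytes) -> list:
    """One finding per sector that uses a default key or transport access bits."""
    findings = []
    for sector, trailer in sector_trailers(dump):
        t = parse_trailer(trailer)
        weak = [k for k in ("key_a", "key_b") if t[k] in DEFAULT_KEYS]
        transport = t["access"] == TRANSPORT_ACCESS
        if weak or transport:
            findings.append({"sector": sector, "default_keys": weak,
                             "transport_access": transport, **t})
    return findings

def build_sample_dump() -> bytes:
    """Constructed 1K dump mirroring the card above: every sector on key
    ffffffffffff with transport access bits, except sector 3 on fffffffffff1."""
    blocks = []
    for sector in range(16):
        key = bytes.fromhex("fffffffffff1" if sector == 3 else "ffffffffffff")
        blocks += [bytes(16)] * 3 + [key + bytes.fromhex(TRANSPORT_ACCESS) + key]
    return b"".join(blocks)

if __name__ == "__main__":
    for f in audit_dump(build_sample_dump()):
        print(f"sector {f['sector']:02d}: default keys {f['default_keys'] or 'none'}, "
              f"transport access bits {f['transport_access']}")
```

To audit a real dump, replace build_sample_dump() with open("card.mfd", "rb").read(); a sector that is flagged on neither count is one that was actually personalised.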

Tips

  1. It helps if the key of at least one sector is already known.
  2. It only recovers keys for MIFARE Classic cards.
  3. The cracking speed depends on how many sectors use non-default keys.
  4. The mfd file can be used to clone the card onto another card.

Run with PN532 on the Phone

How To Use PN532 To Restore Mifare Classic 1K Keys on Android Phone

Run mfoc with Proxmark3 on the Phone

Connect Proxmark3 X with Bluetooth
