OS:kali linux 2.0 amd64
NFC reader: ACR122U-A9 Smart Card Reader

写下ACR122 Reader在linux下的各种命令用法
百度自然能看到各种各样的用法 但是过于杂乱 所以一直想要整合一下 为自己所用
基于实战总结
下次会写下proxmark3神器的

kali系统默认是安装好了ACR122U驱动和libnfc库 libnfc 1.7.1

nfc-list

查看读卡器/卡

1
2
3
4
5
6
7
8
[email protected]:~# nfc-list
nfc-list uses libnfc 1.7.1
NFC device: ACR122U Smart Card Reader / opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): e4 31 a1 b5
SAK (SEL_RES): 08

这个命令是可以查看多张卡的。
目前就我自己尝试来看,可以读取三张卡

1
3 ISO14443A passive target(s) found:

卡片多了可能会出错 如下

1
error libnfc.driver.acr122_usb PN532 didn't reply

从这个错误信息 可以看出三点:

  1. acr122的驱动
  2. acr122的芯片模块其实是PN532

群里有人发了acr122的pcb图
里面其实就是pn532加上ttl串口

acr122u

貌似并不能看不出来=。=

  1. 错误原因 PN532没有响应 (其中的2张卡有贴纸和塑料膜 也许是这个影响了读取

于是我去掉卡贴 再次查看 发现。。

1
4 ISO14443A passive target(s) found:

pcscd -f 现在不需要运行这个命令了 参考1 以前是需要运行这条来监听

mfcuk

一般用于全加密卡(不知道卡的任何一个key)即Dark-side攻击

MiFare Classic Universal toolKit (MFCUK)
https://github.com/nfc-tools/mfcuk

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
mfcuk - 0.3.8
Mifare Classic DarkSide Key Recovery Tool - 0.3
by Andrei Costin, [email protected], http://andreicostin.com

Usage:
-C - require explicit connection to the reader. Without this option, the connection is not made and recovery will not occur
-i mifare.dmp - load input mifare_classic_tag type dump
-I mifare_ext.dmp - load input extended dump specific to this tool, has several more fields on top of mifare_classic_tag type dump
-o mifare.dmp - output the resulting mifare_classic_tag dump to a given file
-O mifare_ext.dmp - output the resulting extended dump to a given file
-V sector[:A/B/any_other_alphanum[:fullkey]] - verify key for specified sector, -1 means all sectors
After first semicolon key-type can specified: A verifies only keyA, B verifies only keyB, anything else verifies both keys
After second semicolon full 12 hex-digits key can specified - this key will override any loaded dump key for the given sector(s) and key-type(s)
-R sector[:A/B/any_other_alphanum] - recover key for sector, -1 means all sectors.
After first semicolon key-type can specified: A recovers only keyA, B recovers only keyB, anything else recovers both keys
-U UID - force specific UID. If a dump was loaded with -i, -U will overwrite the in the memory where dump was loaded
-M tagtype - force specific tagtype. 8 is 1K, 24 is 4K, 32 is DESFire
-D - for sectors and key-types marked for verification, in first place use default keys to verify (maybe you are lucky)
-d key - specifies additional full 12 hex-digits default key to be checked. Multiple -d options can be used for more additional keys
-s - milliseconds to sleep for SLEEP_AT_FIELD_OFF (Default: 10 ms)
-S - milliseconds to sleep for SLEEP_AFTER_FIELD_ON (Default: 50 ms)
-P hex_literals_separated - try to recover the key from a conversation sniffed with Proxmark3 (mifarecrack.c based). Accepts several options:
Concatenated string in hex literal format of form uid:tag_chal:nr_enc:reader_resp:tag_resp
Example -P 0x5c72325e:0x50829cd6:0xb8671f76:0xe00eefc9:0x4888964f would find key FFFFFFFFFFFF
-p proxmark3_full.log - tries to parse the log file on it's own (mifarecrack.py based), get the values for option -P and invoke it
-F - tries to fingerprint the input dump (-i) against known cards' data format
-v verbose_level - verbose level (default is O)

Usage examples:
Recove all keys from all sectors:
mfcuk -C -R -1
Recove the sector #0 key with 250 ms for all delays (delays could give more results):
mfcuk -C -R 0 -s 250 -S 250

mfoc

离线破解 (已知key破解) 即nested攻击

Mifare Classic Offline Cracker

https://github.com/nfc-tools/mfoc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
Usage: mfoc [-h] [-k key] [-f file] ... [-P probnum] [-T tolerance] [-O output]
h print this help and exit
k try the specified key in addition to the default keys
f parses a file of keys to add in addition to the default keys
P number of probes per sector, instead of default of 20
T nonce tolerance half-range, instead of default of 20
(i.e., 40 for the total range, in both directions)
O file in which the card contents will be written (REQUIRED)
Example: mfoc -O mycard.mfd
Example: mfoc -k ffffeeeedddd -O mycard.mfd
Example: mfoc -f keys.txt -O mycard.mfd
Example: mfoc -P 50 -T 30 -O mycard.mfd
This is mfoc version 0.10.7.
For more information, run: 'man mfoc'.

翻一下

1
2
3
4
5
6
7
8
9
10
11
12
Usage: mfoc [-h] [-k key]... [-P probnum] [-Ttolerance] [-O output]
h 打印帮助
k 将一个新的密钥添加到密钥表里
f 将新的密钥添加到文件中 引用
P 每扇区测试多少个密钥(默认20)
T 随机和随机范围(默认20)
O 输出到的文件 (必要参数,不加会报错)

Example: mfoc -O mycard.mfd
Example: mfoc -k ffffeeeedddd -O mycard.mfd
Example: mfoc -f keys.txt -O mycard.mfd
Example: mfoc -P 50 -T 30 -O mycard.mfd

常用的命令如上了

1
mfoc -k xxxxxxxxxxxx -O card.dump

PT参数一般不用设置。。
注意一点!!!

mfoc命令行-O参数生成的.dump都是1k的大小
可以直接写卡

但是mfocGUI导出的dump文件是4k的
所以这也算是linux下的便利性吧

mfterm mifare

仿真终端

不常用
自己也没有用到过
参考https://github.com/4ZM/mfterm
或者man mfterm

进入终端后 help一下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
[email protected]:~# mfterm 
$ help
quit Exit the program.
load Load tag data from a file.
save Save tag data to a file.
clear Clear the current tag data.
read A|B : Read tag data from a physical tag.
read unlocked On pirate cards, read card without keys.
write A|B : Write tag data to a physical tag.
write unlocked On pirate cards, write 1k tag with block 0.
print 1k|4k : Print tag data.
print head Print first sector.
print keys 1k|4k : Print tag s keys.
print ac Print access conditions.
set #block #offset = xx xx xx : Set tag data.
setuid xx xx xx xx: Set tag UID.
keys load Load keys from a file.
keys save Save keys to a file.
keys clear Clear the keys.
keys set A|B #S key : Set a key value.
keys import Import keys from the current tag.
keys test Try to authenticate with the keys.
keys 1k|4k : Print the keys.
dict load Load a dictionary key file.
dict clear Clear the key dictionary.
dict attack Find keys of a physical tag.
dict Print the key dictionary.
spec load Load a specification file.
spec clear Unload the specification.
spec Print the specification.
mac key <k0..k7> : Get or set MAC key.
mac compute #block : Compute block MAC.
mac update #block : Compute block MAC.
mac validate 1k|4k : Validates block MAC of the whole tag.

mifare-classic-format

格式化卡片

1
2
3
4
5
usage: mifare-classic-format [-fy] [keyfile]
Options:
-f Fast format (only erase MAD) 快速格式化(只擦除MAD)
-y Do not ask for confirmation (dangerous) 自动确认是(危险)
keyfile Use keys from dump in addition to internal default keys

MAD是指MIFARE_APPLICATION_DIRECTORY

一般这样使用

1
2
3
4
[email protected]:~# mifare-classic-format card.dump
#dump主要是提供keyA 和 keyB
Found Mifare Classic 1k with UID xxxxxxxx. Format [yN] y
Formatting 16 sectors [...4...8...12...16] done.

nfc-mfclassic

克隆dump到新的卡片

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Usage: nfc-mfclassic f|r|R|w|W a|b <dump.mfd> [<keys.mfd> [f]]
f|r|R|w|W - Perform format (f) or read from (r) or unlocked read from (R) or write to (w) or unlocked write to (W) card
*** format will reset all keys to FFFFFFFFFFFF and all data to 00 and all ACLs to default
*** unlocked read does not require authentication and will reveal A and B keys
*** note that unlocked write will attempt to overwrite block 0 including UID
*** unlocking only works with special Mifare 1K cards (Chinese clones)
a|A|b|B - Use A or B keys for action; Halt on errors (a|b) or tolerate errors (A|B)
<dump.mfd> - MiFare Dump (MFD) used to write (card to MFD) or (MFD to card)
<keys.mfd> - MiFare Dump (MFD) that contain the keys (optional)
f - Force using the keyfile even if UID does not match (optional)
Examples:
Read card to file, using key A:
nfc-mfclassic r a mycard.mfd
Write file to blank card, using key A:
nfc-mfclassic w a mycard.mfd
Write new data and/or keys to previously written card, using key A:
nfc-mfclassic w a newdata.mfd mycard.mfd
Format/wipe card (note two passes required to ensure writes for all ACL cases):
nfc-mfclassic f A dummy.mfd keyfile.mfd f
nfc-mfclassic f B dummy.mfd keyfile.mfd f

嘛 还比如nfc-mfclassic w b 饭卡100.dump 饭卡100.dump

诶 好像被你们发现了什么不得了的东西 (手动滑稽

但是对于不同uid的卡 dump不能刷进去 提示报错 如:

1
2
3
4
5
[email protected]:~# nfc-mfclassic W b watercard.dump watercard.dump 
NFC reader: ACR122U Smart Card Reader / opened
Expected MIFARE Classic card with UID starting as: e431a1b5
Got card with UID starting as: 503e4793
Aborting!

查看下面一个命令

nfc-mfsetuid [uid]

(灰常重要!!!!!!!!)用于修改M1特殊卡的uid

吐槽下:kali 2.0居然没有自带这个工具 但查阅资料,由参考可知 是libnfc库中提供的方法 于是我们下载一个libnfc库(可自行编译源码/直接apt-get 哈哈哈) 话说 kali不是安装了吗 我也不知道

1
2
3
4
apt-get install libnfc
#TAB补全后发现存在
libnfc5 libnfc-bin libnfc-examples
libnfc5-dbg libnfc-dev libnfc-pn53x-examples

随手安装一个 其他未测试

1
apt-get install libnfc-examples

ps:可以用apt search 搜索软件包 查看软件包的安装情况 和 简单描述

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
[email protected]:~# apt search libnfc
正在排序... 完成
全文搜索... 完成
libnfc-bin/kali-current,now 1.7.1-2 amd64 [已安装]
Near Field Communication (NFC) binaries
libnfc-dev/kali-current,now 1.7.1-2 amd64 [已安装]
Near Field Communication (NFC) library (development files)
libnfc-examples/kali-current,now 1.7.1-2 amd64 [已安装]
Near Field Communication (NFC) examples
libnfc-pn53x-examples/kali-current 1.7.1-2 amd64
Near Field Communication (NFC) examples for PN53x chips only
libnfc5/kali-current,now 1.7.1-2 amd64 [已安装,自动]
Near Field Communication (NFC) library
libnfc5-dbg/kali-current 1.7.1-2 amd64
Near Field Communication (NFC) library (debugging information)
mfcuk/kali-current,now 0.3.8-0kali4 amd64 [已安装]
MFCUK - MiFare Classic Universal toolKit
ruby-nfc/kali-current 3.1.1-1 amd64
ruby wrapper for the libnfc

用法:

1
2
3
4
5
6
7
8
9
Usage: nfc-mfsetuid [OPTIONS] [UID]
Options:
-h Help. Print this message.
-f Format. Delete all data (set to 0xFF) and reset ACLs to default.
-q Quiet mode. Suppress output of READER and CARD data (improves timing).
Specify UID (4 HEX bytes) to set UID, or leave blank for default '01234567'.
This utility can be used to recover cards that have been damaged by writing bad
data (e.g. wrong BCC), thus making them non-selectable by most tools/readers.
*** Note: this utility only works with special Mifare 1K cards (Chinese clones).

补充:

vim下编辑16进制的dump

1
vim card100.dump

直接键入
:%!xxd —->切换到十六进制显示
:%!xxd -r —->切回文本方式显示

十六进制显示时,第一排前8位即是卡片的id

参考资料:

  1. RFID_Cooking_with_Mifare_Classic
  2. nfcgui使用帮助

其他资料:
bobylive.com
flylai.com

孔神的博客
nfc-tools主页
https://github.com/nfc-tools/
https://github.com/ikarus23/MifareClassicTool

nfc-tools中sniff-pn53x.sh
http://nfc-tools.github.io/
NFC-PN532
Linux下的RFID,简介nfc-mfclassic的使用
nfc-mfclassic 防止控制位误写 指定读写的块 补丁
破解mifare Classic(M1)非接触式射频IC卡–Mifare crack Hack 笔记二
修改板 mfoc 0.10.3 增加中断、选择扇区、可选默认密码等功能