
RFID security campus water card cracking tutorial, cracking campus water card

Posted on 10/27/2014 10:07:21 AM
This time, the main character is the school's poor water card (hot water card)



Checking with the MCT (Mifare Classic Tool) installed on the NFC phone, the water card is indeed of the Mifare Classic 1k type


The tools used in this crack are: a computer, an ACR122U, a mobile phone with NFC function, and a water card.


Before cracking, we need to set up the environment on the computer: you need to install .NET Framework 4 and Java. Please download and install them online; the software used later depends on these two runtime libraries.


After installing the runtimes, you need to install the ACR122U driver (the software link is attached to the article). To make later development easier, I also installed the SDK.






After installing the driver and SDK, connect the ACR122U to the computer and the device will work normally. Put our water card on and the ACR122U buzzer will go off and the color of the LED will change


The program to verify that vulnerabilities can be exploited is mfoc, and the Windows version of mfoc is called mfocgui, but mfocgui is a bit troublesome for students who are new to RFID security, so this time it directly uses the M1 card service program (actually a simplified version of mfocgui).


After opening, the program interface is very simple, with only one button, which is to start cracking. I have seen my ACR122U in the card reader list, so just press start cracking


Then wait for the program to crack the key on its own.


It didn't take long to see that all sectors were ticked and cracked.


After the cracking succeeds, a dump file of this card is generated in the root directory. Its size is 1kb, and the entire card has been read.


However, mfoc originally ran in the Linux environment, and the dump file generated by mfocgui ported to Windows cannot be used directly, and a repair tool fixdump (download fixdump) is needed to repair the 1kb dump file into a 4kb dump file.


fixdump is a command-line tool and requires the .NET Framework 4 runtime library. To make the command easier to run, we copy the dump file to the fixdump directory and open cmd to repair it. The command is simple, just "fixdump", and the generated file will directly overwrite the source file.


After the repair is completed, open it with a hexadecimal editor such as UltraEdit or WinHex and you can see the data of the dump file.


See the data I framed in the box in the picture above? This is the control segment of the card sector: the FFFFFFFFFFFF in the first 6 bytes and the last 6 bytes is the password of this sector, and the FF078069 in the middle is the control bits.


After knowing the password, I imported the password into the MCT and started reading the card data.


Because MCT highlights data, we can clearly see that there are two rows of value blocks in sector 4, and the current balance on my card is 32.31.

The value in a value block is stored three times, twice not inverted and once inverted, starting at the lowest address. Looking at the first value block, 0C9F: because the computer stores data in reverse byte order, the real data is 9F0C, which is 3231 in decimal. The 60F3 in the middle segment is inverted: 60F3 in reverse byte order is F360, which is 1111001101100000 in binary; inverting it gives 0000110010011111, which is 3231 in decimal. The last segment, like the first, is stored without inversion. The 11 and EE at the end are the address, which can be ignored as long as the addresses stay consistent.

Up to this point, the data on the card has been cracked, because it does not use any encryption. Now I will try changing the money on the card to 999.99. 999.99 yuan should be decimal 99999, which is 01869F in hexadecimal; the reverse-order result is 9F8601. The other bits are calculated on the same principle, or we can use MCT's own value block calculation tool. The final result is shown in the figure below.


Write the data to the card; now it's time to try it on the machine.
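Added example (not part of the original post or of any tool it names): a Python sketch of what a card issuer could check on dumps of its own cards, namely factory-default sector keys and a balance block that nothing authenticates. `balance_tag`, `verify_balance`, the system key and the idea of storing an 8-byte tag beside the balance are assumptions; the sample bytes are constructed from the values quoted in the post.

```python
import hashlib
import hmac
import struct

DEFAULT_KEY = bytes.fromhex("FFFFFFFFFFFF")  # factory key quoted in the post
# Constructed samples built from values quoted in the post (3231, 60F3, 11/EE).
SAMPLE_BLOCK = bytes.fromhex("9F0C000060F3FFFF9F0C000011EE11EE")
SAMPLE_TRAILER = bytes.fromhex("FFFFFFFFFFFF" "FF078069" "FFFFFFFFFFFF")

def parse_value_block(block: bytes) -> int:
    """Decode a value block: value, ~value, value, then addr, ~addr, addr, ~addr.
    Raises ValueError when the redundancy does not hold."""
    if len(block) != 16:
        raise ValueError("a block is 16 bytes")
    v1, v_inv, v2 = struct.unpack("<III", block[:12])
    a1, a_inv, a2, a_inv2 = block[12:]
    if v1 != v2 or v1 ^ v_inv != 0xFFFFFFFF:
        raise ValueError("value copies disagree")
    if a1 != a2 or a_inv != a_inv2 or a1 ^ a_inv != 0xFF:
        raise ValueError("address copies disagree")
    return struct.unpack("<i", block[:4])[0]  # signed, little-endian

def audit_trailer(trailer: bytes) -> dict:
    """Split a dumped sector trailer and flag factory-default keys."""
    if len(trailer) != 16:
        raise ValueError("a trailer is 16 bytes")
    key_a, access, key_b = trailer[:6], trailer[6:10], trailer[10:]
    return {"access": access.hex().upper(),
            "default_key_a": key_a == DEFAULT_KEY,
            "default_key_b": key_b == DEFAULT_KEY}

def balance_tag(system_key: bytes, uid: bytes, block: bytes) -> bytes:
    """Hypothetical issuer-side tag: HMAC-SHA256 over UID + block, cut to 8 bytes.
    The key lives in the reader or back end, never on the card."""
    return hmac.new(system_key, uid + block, hashlib.sha256).digest()[:8]

def verify_balance(system_key: bytes, uid: bytes, block: bytes, tag: bytes) -> bool:
    """Accept a balance only if the block is well formed and its tag matches."""
    try:
        parse_value_block(block)
    except ValueError:
        return False
    return hmac.compare_digest(balance_tag(system_key, uid, block), tag)

if __name__ == "__main__":
    print(parse_value_block(SAMPLE_BLOCK), audit_trailer(SAMPLE_TRAILER))
```

The value/inverse/value layout only catches corruption: a well-formed edited block still parses, so it is the keyed tag (or a balance held server-side) that rejects it. A tag does not stop an older valid dump from being written back, so the back end still has to reconcile balances against recorded top-ups.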





Posted on 11/10/2014 5:23:59 PM |
Great praise.