RFID is something I have wanted to get into for a while but never had the time to focus my attention on. There are a couple of reasons for my interest in RFID: (1) It makes me reminisce of the good old days of wireless hacking (poorly encrypted data transmitted over the air), (2) there is something really old-school about trying to figure out and modify hex-dumps and (3) in a lot of cases these RFID cards interact with physical devices you would not otherwise me able to test/interact with.
The following tutorial parts will mostly be case studies of specific cards/systems. I'm no expert in this subject matter by any measure so this will be journey of discovery for all of us. From my experience the best way to get a grasp on any topic is to dive in head first, do or do not there is no try!
For this introductory part I just want to cover the hardware that I am using for my research, other options are certainly possible.
ACR122U_A9 Card Reader/Writer - Link
The ACR122U is an accomplished NFC card reader/writer which operates at 13.56 MHz. It supports ISO14443 Type A/B cards, Mifare, FeliCa and ISO/IEC18092 tags. It operates at a maximum distance of 5cm with a maximum read/write speed of 424 kbps.
Proxmark3 - Link
The proxmark3 is simply awesome, I will let you discover all the details for yourself on the wiki as there is to much to go through. As a high level overview the proxmark3 can operate as a card reader/writer, it can eavesdrop on RFID communication and can even emulate various card types. With the use of HF (13.56 MHz) and LF (125/134 Khz) antennas it has support for a very large variety of card types. If you have ph33r level VHDL and verilog skills (or are a bit crazy) you can even reprogram the FPGA. The only issue I had with the proxmark3 was flashing it, I will add an appendix about this at some later point because the official documentation is totally fu%#!d (read as totally wrong and no longer working with the current firmware!).
Magic Chinese Mifare 1k&4k Cards - 1k here 4k here
If you are somewhat familiar with Mifare you will know that block0 contains the card UID and is write protected at the time of manufacturing. This is done for security reasons so cards cannot just be copied fully and in many cases RFID systems use this UID to identify the "user" of the card. There is however a manufacturer in china that produces and sells cards that give you write access on block0.
Tools Of The Trade
To use the ACR122 or other generic devices such as tikitag you will need to get some programs installed and running. Getting all the right libraries configured can be tricky but the default build of Kali-Linux comes pre-configured with everything that you need!!
mfcuk - Mfcuk implements the mifare "DarkSide" attack developed by Andre Costin. It uses libnfc and crapto1 to exploit a vulnerability in the mifare architecture. Mfcuk can recover a valid key from mifare calssic 1k&4k cards even if all sector keys are unknown/non-default.
mfoc - Mfoc in an implementation of the nested mifare classic attack by Nethemba. Mfoc also uses libnfc and crapto1 and is able to swiftly recover all keys if at least one valid key is specified. By default it will look through a list of default keys but the user can also specify a known key manually.
nfc-mfclassic - NFC-mfclassic is a very useful tool which allows you to overwrite a mifare card with a dump file (*.mdf) for easy cloning convenience, it even has support for our Chinese magic mifare cards and allows you to overwrite block0.
The proxmark3 comes packaged with accompanying software. With new firmware come new features and updated binaries. To get a proper understanding of the firmware and the available features you should have a look at the forums here and grab the latest packages here.
(3) 010 Editor (Hex Editor)
Decrypting the mifare cards keys and getting into a position where you can modify the data is the easy part. The challenging part is figuring out the data format, once we accomplish this we can interpret the data and modify it in a meaningful way. To do that we will be looking at and comparing (allot of) hex dumps. The moral of the story is to get a good hex editor. My personal favorite is 010 editor which comes in Windows/MAC/Unix flavors. 010 Editor has powerful scripting/template capabilities and will allow you to do byte comparisons between files. For my own convenience I have created a 010 editor mifare 1k template which you can find here.