Mifare Classic – Partial and Full Cloning

Now that we own the keys of a Mifare Classic card, we can move onto cloning them.

Just as a quick reminder, the steps to crack the keys were:

proxmark3> hf mf mifare
proxmark3> hf mf nested 1 0 A XXXXXXXXXXXX d

If you take a look inside the current folder where the client is running, you’ll find a binary file called “dumpkeys.bin”. Basically, it’s like a dump of the contents of the card but only the trail blocks, where keys are stored.

A really simple attack to an electronic wallet implementation using this type of cards is to dump the contents aka “money” and then use the credit and, after that, restore the contents, filling it with our “stored” money inside a binary file. Easy, right? In some poor implementations, this could work! In other implementations, you can even take “the money” from a card, and “paste it” into another one. Remember that the only block in a mifare card that you cannot modify is the block 0 in sector 0, where the UID of the cards is burnt in the Factory. So, if “the money” is related to it, the attack won’t work.

A couple of years ago, a “Magic Chinese Card” appeared. This card, that is also known as “UID Changeable Card” is a special card, in which you can manipulate the UID and the full sector 0. Some of these cards have a special feature, which we called “a backdoor”, you can use this card, modify its contents (yeap! Block 0 too!) without even knowing the keys! So if you forgot the keys, you can send some special frames to it to overwrite it whenever you need! Cool! So basically, FULL clones are possible!

Using proxmark after cracking the keys, you can execute:

proxmark3> hf mf dump

and you’ll get a file, just next the other one, with this name: dumpdata.bin

The other commands that you will finally use will be:

restore – Restore MIFARE classic binary file to BLANK tag
csetuid – Set UID for magic Chinese card

The first one will restore the data into the same card and the other, in case you own an UID changeable card, will set the uid to match the original one. In case the other card has got the same keys as the original card, a partial clone will be there.

Take a look at the other commands, just type: “hf mf” and look for commands for the Magic Card. You will understand them after Reading this post. Tip: the only difference is that you will need the info inside the simulator memory, not a file, but this is really easy to achieve: just take a look at the options while using the “nested” attack 😉

Well, we covered a lot of stuff around the Mifare Classic World using Proxmark. You can also take a look at the LibNFC project, you will be able to do kind of the same stuff here, using some standard readers… with some limitations…

If you’re following our posts and practicing, just mail us and we will be very happy to help you!

See you on the next post!

This post was from Nahuel Grisolia who is a Information Security Professional. He has delivered trainings and talks in conferences around the world such as BugCON (Mexico), H2HC (Brazil), Ekoparty (Argentina), OWASP events (Argentina), TROOPERS (Germany), PHDays (Russia), and Ground Zero Summit (India). He is specialized in Web Application Security, Penetration Testing and Hardware Hacking.

Leave a Reply

Your email address will not be published. Required fields are marked *