Author Archives: ggee

DEF CON 23


This year’s DEF CON was fun as usual. Exhausting, but quite fun. I hope those who caught the Con-Flu have a quick and speedy recovery! Thanks to all who stopped by; we had many great conversations and sold a bunch of gear.

I have a ton of takeaways on how to improve the booth for next year. For those who were frustrated with the crowds and could not see everything – we heard you loud and clear, and I’ll figure out how to massively improve.


Online orders are being fulfilled and we have nearly caught up on the queue. A few items sold out completely; the product pages for items with a lead time now carry shipping availability notes.

DEF CON 23 talks we are excited about

DEF CON 23 is right around the corner as well. I have a bias towards offense topics and hardware hacking topics, but here are the talks I’d want to learn more about:

  • Drive It Like You Hacked It: New Attacks and Tools to Wirelessly Steal Cars
  • Don’t Whisper my Chips: Sidechannel and Glitching for Fun and Profit
  • Build a free cellular traffic capture tool with a vxworks based femoto
  • How to Hack a Tesla Model S
  • HamSammich – long distance proxying over radio
  • LTE Recon and Tracking with RTLSDR
  • How to Train Your RFID Hacking Tools
  • ThunderStrike 2: Sith Strike
  • Key-Logger, Video, Mouse — How To Turn Your KVM Into a Raging Key-logging Monster
  • Remote Exploitation of an Unaltered Passenger Vehicle
  • Hacking Electric Skateboards: Vehicle Research For Mortals
  • NSA Playset: JTAG Implants
  • RFIDiggity: Pentester Guide to Hacking HF/NFC and UHF RFID

Black Hat USA 2015 talks we are excited about

Black Hat USA is coming up quickly and I’m excited to hear about all the latest research the community has been working on. I have a bias towards offense topics and hardware hacking topics, but here are the talks I’d want to learn more about:

  • Emanate Like a Boss: Generalized Covert Data Exfiltration with Funtenna
  • Take a Hacker to Work Day – How Federal Prosecutors Use the CFAA
  • Understanding and Managing Entropy Usage
  • Adventures in Femtoland: 350 Yuan for Invaluable Fun
  • Red vs Blue: Modern Active Directory Attacks Detection and Protection
  • Remote Exploitation of an Unaltered Passenger Vehicle
  • Stranger Danger! What is the Risk from 3rd Party Libraries?
  • Certifi-gate: Front-Door Access to Pwning Millions of Androids
  • Breaking Access Controls with BLEKey
  • Panel: How the Wassenaar Arrangement’s Export Control of Intrusion Software Affects the Security Industry
  • Forging the USB Armory: An Open Source Secure Flash-Drive-Sized Computer
  • ZigBee Exploited: The Good, the Bad and the Ugly
  • Broadcasting Your Attack: Security Testing DAB Radio in Cars
  • ThunderStrike 2: Sith Strike

HackRF One shipping status

The second production run of HackRF is here, in stock and available to ship to customers. I’m working through the pre-order queue right now, and pre-orders between September and December have shipped already. December to February pre-orders will be shipped this week.

If you haven’t gotten your HackRF yet and have been waiting for them to become available again, it is time to put your order in.

Mifare Classic – Partial and Full Cloning

Now that we have recovered the keys of a Mifare Classic card, we can move on to cloning it.

Just as a quick reminder, the steps to crack the keys were:

proxmark3> hf mf mifare
proxmark3> hf mf nested 1 0 A XXXXXXXXXXXX d

If you take a look inside the folder where the client is running, you’ll find a binary file called “dumpkeys.bin”. It is essentially a dump of the card’s contents restricted to the sector trailer blocks, which is where the keys are stored.

A really simple attack on an electronic wallet implemented on this type of card is to dump the contents (the “money”), spend the credit, and then restore the dumped contents, refilling the card with the “money” stored in the binary file. Easy, right? In some poor implementations this works! In other implementations you can even take “the money” from one card and “paste it” into another. Remember that the only block in a Mifare card that you cannot modify is block 0 in sector 0, where the UID of the card is burnt in at the factory. So, if “the money” is tied to the UID, the attack won’t work.

A couple of years ago, a “Magic Chinese Card” appeared. This card, also known as a “UID Changeable Card”, is a special card in which you can manipulate the UID and the full sector 0. Some of these cards have a special feature, which we call “a backdoor”: you can modify their contents (yeap! block 0 too!) without even knowing the keys! So if you forgot the keys, you can send some special frames to overwrite them whenever you need. Cool! So basically, FULL clones are possible!
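The defence the post hints at, a balance that is tied to the UID, shown as an added example that is not code from the post or the Proxmark project: a terminal-side HMAC binds the MIFARE value block to the card’s UID, so the dump-and-paste copy onto a second card is rejected, while restoring an old dump onto the same card still verifies (and a UID changeable card defeats the binding entirely). Assumes a constructed reader secret and constructed UIDs.

```python
import hashlib, hmac, struct

# Constructed reader-side secret (assumption: held by the terminal, never written to the card).
READER_SECRET = b"constructed-reader-secret-for-demo"

def encode_value_block(value: int, addr: int) -> bytes:
    """16-byte MIFARE Classic value block: value, ~value, value, addr, ~addr, addr, ~addr."""
    v = struct.pack("<i", value)
    a = addr & 0xFF
    return v + bytes(b ^ 0xFF for b in v) + v + bytes([a, a ^ 0xFF, a, a ^ 0xFF])

def decode_value_block(block: bytes) -> int:
    """Check the block's built-in redundancy, then return the signed value."""
    ok = (len(block) == 16 and block[8:12] == block[0:4]
          and bytes(b ^ 0xFF for b in block[0:4]) == block[4:8]
          and block[12] == block[14] and block[13] == block[15] and (block[12] ^ block[13]) == 0xFF)
    if not ok:
        raise ValueError("malformed value block")
    return struct.unpack("<i", block[0:4])[0]

def balance_tag(uid: bytes, value_block: bytes) -> bytes:
    """16-byte MAC over UID + value block, stored in a data block next to the value."""
    return hmac.new(READER_SECRET, uid + value_block, hashlib.sha256).digest()[:16]

def write_balance(uid: bytes, value: int, addr: int = 5) -> tuple:
    """What the terminal writes: the value block and its UID-bound tag block."""
    vb = encode_value_block(value, addr)
    return vb, balance_tag(uid, vb)

def read_balance(uid: bytes, value_block: bytes, tag: bytes) -> int:
    """What the terminal accepts: the value only if the tag matches this card's UID."""
    if not hmac.compare_digest(balance_tag(uid, value_block), tag):
        raise ValueError("balance not bound to this UID: rejected")
    return decode_value_block(value_block)

def demo() -> dict:
    # Constructed UIDs (in a 1K dump, the UID is the first 4 bytes of block 0).
    card_a, card_b = bytes.fromhex("deadbeef"), bytes.fromhex("cafebabe")
    old_vb, old_tag = write_balance(card_a, 50)
    new_vb, new_tag = write_balance(card_a, 20)          # after spending 30
    out = {"after_spend": read_balance(card_a, new_vb, new_tag)}
    # Caveat: the old dump restored onto the SAME card still verifies; only a
    # terminal-side counter or an online ledger catches that replay.
    out["old_dump_same_card"] = read_balance(card_a, old_vb, old_tag)
    try:  # the same two blocks pasted into a card with a different UID
        read_balance(card_b, old_vb, old_tag)
        out["copied_to_other_uid"] = "accepted"
    except ValueError:
        out["copied_to_other_uid"] = "rejected"
    return out
```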

Using proxmark after cracking the keys, you can execute:

proxmark3> hf mf dump

and you’ll get a file, next to the other one, named dumpdata.bin

The other commands you will end up using are:

restore – Restore MIFARE classic binary file to BLANK tag
csetuid – Set UID for magic Chinese card

The first one restores the data onto the same card, and the other, in case you own a UID changeable card, sets the UID to match the original one. If the other card has the same keys as the original card, you then have a partial clone.

Take a look at the other commands: just type “hf mf” and look for the commands for the Magic Card. You will understand them after reading this post. Tip: the only difference is that you will need the info inside the simulator memory, not in a file, but this is really easy to achieve: just take a look at the options while using the “nested” attack 😉

Well, we covered a lot of stuff around the Mifare Classic world using Proxmark. You can also take a look at the LibNFC project; you will be able to do roughly the same things there using some standard readers… with some limitations…

If you’re following our posts and practicing, just mail us and we will be very happy to help you!

See you on the next post!

This post was from Nahuel Grisolia, who is an Information Security Professional. He has delivered trainings and talks at conferences around the world such as BugCON (Mexico), H2HC (Brazil), Ekoparty (Argentina), OWASP events (Argentina), TROOPERS (Germany), PHDays (Russia), and Ground Zero Summit (India). He specializes in Web Application Security, Penetration Testing and Hardware Hacking.