MIFARE cracking info
From kweks on HN:
There are multiple ways to crack MIFARE - depending on the actual chipset version / manufacturer. For Mifare Classic: - Nested (Uses one known key to crack others) - darkside (Derives a key with no others. Slower, results are typically handed off to the nested attack to calculate remaining keys..)
For newer versions of the Mifare Classic with better PRNGs - βHardenedβ cards: HardNested. Needs one known key.
For cards that provide a static nonce (to try to evade cracking, ie FUDAN) - Static Nested.
For the latest generation FUDAN: Static Encrypted HardNested.
Note, for the nested attacks - if you donβt have a known key, these can be sniffed from the access control reader, and then cracked (MFKey32/64).
Flipper supports the MFKey32 attacks, and limited nested. You may bump into limits of your Proxmark clone with hardnested cracking - itβs memory intensive, and most of the Proxmark Easy clones have reduced RAM.
Thereβs actually an auto_crack LUA script on proxmark ( Use this fork: https://github.com/RfidResearchGroup/proxmark3 ) which will take most of the hassle out of cracking.
Cracking requires very, very precise timing: In a nutshell, youβre trying to predict nonces / PRNG values, by sending very precicesly timed requests, and then later cracking those results.
The Flipper has limited CPU power - its main βattack vectorβ against MIFARE is a very large keylist / dictionary of common MIFARE keys. Itβs slow and dumb, but it works for most cases. It can also do limited cracking, depending on the type required.
The Proxmark is built around an FPGA, and can crack much, much more efficiently.
Last updated on September 20, 2024. For any questions/feedback, email me at hi@stavros.io.