Tags are used in France by companies who need to access common parts of buildings, as a replacement to old locks they used to have the keys for. To enter a building, the data stored in the tag (the data blocks, the.) are used to determine if the owner of the tag can open the lock. As they use classic tags, they share the same vulnerability: the protection is broken. This post deals with attacking the Vigik tag offline, which means we do not snoop the exchange between the tag and the reader to retrieve the A/B keys. Though, snooping on the exchange may be a last resort if the following offline attack does not work. Disclaimer I wrote this for learning purposes, so that anyone wondering how easy it is to clone a Vigik tag can have a better idea of how it can be done by anyone with the right set of tools in his possession. I took the example of French Vigiks tags, but the following applies to any Classic tags.
Depending on the purpose for which these tags are used, and other factors (do you own the Vigik and do you have the right to copy it?), doing this may be illegal. Tools Read the tag and crack the keys There are many tools available to mess with RFID, ranging from basic NFC readers to more expensive tools. Some allow one to read or write a tag, some other to snoop on conversations between the tag and the reader but the swiss-army knife for RFID hacking is called a, which offers a lot of software tools to read or write tags, snoop on exchanges, and emulate tags and readers, both HF and LF.
It also allows to code your own modules to suit your needs. I will be using this tool throughout my experiments since it makes things easier, though it is not very practical to use when you are not at home. Software tools like MFOC and MFCUK could be used with a NFC reader to do most of the things I will present here. You could run MFOC on a rooted Android smartphone for example (provided you can cross-compile the tool). Clone tag hardware support We will also need a support for the clone tag. Almost all the tags (especially the cheap ones) have a read-only block 0, which means the (or any of the manufacturer information) of the tag cannot be changed.
Finally in October 2008 Radbond. University published a Crypto-1 cipher implementation as Open. Source (GNU GPL v2 license). A tiny history and some facts • Since of previous publications a lot of public exploits (tools) to hack Mifare Classic cards are developed, what completely jeopardized the card reputation.
This means the original tag cannot be entirely cloned. To circumvent this constraint, we use more expensive 'magic' tags which have a programmable block 0, which will allow us to change the. These cards can be ordered on specialized Chinese e-commerce websites. If you don't own a card to clone the vigik on a physical support but you want to check if everything went as expected, emulating the vigik could be an option.
Easy2game Pro 2.1 here. Offline attack on the card The first step to clone a Vigik is to dump its content. This can be done easily with the ProxmarkIII. Let's read the tag first. Classic 1K more or less follow the ISO-14443-A standard, so we can read the tag information using the ISO-14443-A tools the proxmark offers.
Proxmark3>hf 14a read ATQA: 04 00: 01 02 03 04 SAK: 08 [2] TYPE: CLASSIC 1k Plus 2k SL1 proprietary non iso14443a-4 card found, RATS not supported Running this command will ask the proxmark to search for a tag nearby. If we put a tag close to the antenna, during this process, the tag will answer by sending some information (ATQA,, and SAK, used for anti-collision), which are displayed by the command output. We can see the tag is indeed a classic 1k from the information retrieved from the tag (which includes the manufacturer, but more important, the of the tag).
The of the tag here is 01020304, and we will keep this value in mind for later use. We can now start breaking the A/B keys. Dungeon Siege 2 Iso Torrent Chomikuj on this page.
For this, we need a valid A key first, as an entry point to discover other keys. We start by checking if any default A key is used for this tag, which would ease the process. Proxmark3>hf mf chk *1? T No key specified,try default keys chk default key[0] ffffffffffff chk default key[1] 00 chk default key[2] a0a1a2a3a4a5 --SectorsCnt:0 block no:0x03 key type:A key count:13 snip --SectorsCnt:15 block no:0x0f key type:A key count:13 --SectorsCnt:0 block no:0x03 key type:B key count:13 snip --SectorsCnt:15 block no:0x3f key type:B key count:13 Well, unfortunately for us, it appears no default key was found according to the output of the command. We will have to use something else to find a valid A key. The 'something else' is called a (no, unfortunately it doesn't involve light sabers, but statistics). This attack allows to retrieve a valid A key for sector 0 in case no default key is used.
Note that if this attack doesn't work either, another solution to get them would be to snoop on exchanges between the reader and the valid tag, but I assumed earlier that in the scope of this post the reader would not be used. Maybe another time. The darkside attack is performed using the following command on the proxmark.