Mifare Classic Crackle
Uncategorized, 2020. 2. 18. 00:25
In this blog post I will cover some quick basics about NFC and Mifare Classic and how to set everything up for reading and writing an NFC tag. At the end I show you how to reprogram a vending machine's NFC tag to contain more credits. NFC stands for Near Field Communication and is used to communicate over short distances. For more info on NFC you can read the. NFC is nowadays used for access cards, public transport, some more and, in this case, vending machines. Basically there is an active NFC-enabled device (the reader) and a passive device (the tag).
The active device scans for the passive one and establishes a connection on contact. It also powers the passive device via an electromagnetic field. There is also an active-active mode where both endpoints can send data and need to be powered separately. This is usually used when sending data, for example in "Android Beam". In this example the vending machine has an active NFC reader built in. You can touch it with your tag to buy some drinks and the corresponding price is subtracted from the amount stored on the tag.
You can also recharge your tag via the machine if you run out of credits. The NFC tag I analyzed is a so-called "Mifare Classic 1k" tag. 1k stands for the amount of data the tag can store. There are also other types like the "Mifare Classic 4k" and the "Mifare Mini", each having a different memory size. Mifare Classic in general is considered insecure because its encryption protocol has been cracked. More detailed information about this can be found in the following links: A Mifare Classic 1k tag contains 16 sectors.
Each of these sectors has 3 blocks of data storage and 1 block for storing the secret access keys and access controls. Each block contains 16 bytes of data. Before reading a sector, the reader must authenticate to the tag with a secret access key. Each sector has two keys: Key A and Key B. Each of the 16 sectors can define its own access rights and which key is needed for a particular action. As an example, you can define that Key A is used for reading a block and Key B for writing to it. Sector 0 Block 0 also contains a non-changeable UID (the tag's unique ID) and some manufacturer data. This block is only writable on some special Chinese tags.
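The sector layout just described (16 sectors of four 16-byte blocks, the fourth block of each sector holding Key A, the access bits and Key B) can be checked programmatically on a tag dump. The following Python is an added example, not code from the original post or from libnfc: it splits a 1K dump into blocks, decodes the access-condition bits from each trailer (verifying the inverted copies the datasheet requires), maps them to the resulting read/write rules, and flags sectors whose data blocks are still writable with the factory default key FFFFFFFFFFFF. The access-bit layout and rule tables follow the public Mifare Classic datasheet; the dump it runs on is constructed inline, and the custom keys and UID in it are made up.

```python
"""Audit the sector trailers of a Mifare Classic 1K dump (added example)."""

SECTORS = 16
BLOCKS_PER_SECTOR = 4
BLOCK_SIZE = 16
DUMP_SIZE = SECTORS * BLOCKS_PER_SECTOR * BLOCK_SIZE   # 1024 bytes for a 1K tag
FACTORY_KEY = bytes.fromhex("FFFFFFFFFFFF")           # transport key from the datasheet

# Data-block access conditions (C1, C2, C3) -> who may (read, write, increment, decrement)
DATA_BLOCK_RULES = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),        # transport configuration
    (0, 1, 0): ("A|B", "never", "never", "never"),
    (1, 0, 0): ("A|B", "B", "never", "never"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),            # value block
    (0, 0, 1): ("A|B", "never", "never", "A|B"),    # value block
    (0, 1, 1): ("B", "B", "never", "never"),
    (1, 0, 1): ("B", "never", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}

# Trailer access conditions -> (Key A writable with, access bits writable with, Key B readable with Key A)
TRAILER_RULES = {
    (0, 0, 0): ("A", "never", True),
    (0, 1, 0): ("never", "never", True),
    (1, 0, 0): ("B", "never", False),
    (1, 1, 0): ("never", "never", False),
    (0, 0, 1): ("A", "A", True),                    # transport configuration
    (0, 1, 1): ("B", "B", False),
    (1, 0, 1): ("never", "B", False),
    (1, 1, 1): ("never", "never", False),
}


def encode_access_bits(conds):
    """conds: four (C1, C2, C3) tuples for blocks 0..3 of a sector.
    Returns trailer bytes 6..8; each nibble is stored once plain and once inverted."""
    c1 = sum(c[0] << i for i, c in enumerate(conds))
    c2 = sum(c[1] << i for i, c in enumerate(conds))
    c3 = sum(c[2] << i for i, c in enumerate(conds))
    return bytes([((c2 ^ 0xF) << 4) | (c1 ^ 0xF),
                  (c1 << 4) | (c3 ^ 0xF),
                  (c3 << 4) | c2])


def decode_access_bits(ab):
    """Inverse of encode_access_bits. Raises ValueError when the inverted copies
    disagree, which is how a corrupted or hand-edited trailer shows up."""
    b6, b7, b8 = ab
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    nc1, nc2, nc3 = b6 & 0xF, (b6 >> 4) & 0xF, b7 & 0xF
    if (c1 ^ nc1, c2 ^ nc2, c3 ^ nc3) != (0xF, 0xF, 0xF):
        raise ValueError("access bits fail the inverted-copy check")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def audit_dump(dump):
    """Return the UID plus one entry per sector: keys, effective rules and a 'weak'
    flag set when a data block is writable with a key left at the factory default."""
    if len(dump) != DUMP_SIZE:
        raise ValueError(f"expected a {DUMP_SIZE}-byte 1K dump, got {len(dump)} bytes")
    blocks = [dump[i:i + BLOCK_SIZE] for i in range(0, DUMP_SIZE, BLOCK_SIZE)]
    report = {"uid": blocks[0][:4].hex(), "sectors": []}
    for s in range(SECTORS):
        trailer = blocks[s * BLOCKS_PER_SECTOR + 3]
        key_a, access_bits, key_b = trailer[0:6], trailer[6:9], trailer[10:16]
        entry = {"sector": s,
                 "default_key_a": key_a == FACTORY_KEY,
                 "default_key_b": key_b == FACTORY_KEY}
        try:
            conds = decode_access_bits(access_bits)
        except ValueError as exc:
            entry["error"] = str(exc)
            report["sectors"].append(entry)
            continue
        entry["data_blocks"] = [DATA_BLOCK_RULES[c] for c in conds[:3]]
        entry["trailer"] = TRAILER_RULES[conds[3]]
        writers = {rule[1] for rule in entry["data_blocks"]}
        entry["weak"] = ("A|B" in writers and (entry["default_key_a"] or entry["default_key_b"])) \
            or ("B" in writers and entry["default_key_b"])
        report["sectors"].append(entry)
    return report


def build_sample_dump():
    """Constructed dump (not from a real tag): transport configuration everywhere
    except sector 1 (made-up keys, read-only data blocks) and sector 15 (damaged trailer)."""
    transport = encode_access_bits([(0, 0, 0)] * 3 + [(0, 0, 1)])   # FF 07 80
    hardened = encode_access_bits([(0, 1, 0)] * 3 + [(0, 1, 1)])    # 0F 07 8F
    blocks = []
    for s in range(SECTORS):
        for b in range(BLOCKS_PER_SECTOR - 1):
            if s == 0 and b == 0:   # manufacturer block: UID (4 bytes here) then manufacturer data
                blocks.append(bytes.fromhex("DEADBEEF") + bytes(12))
            else:
                blocks.append(bytes(BLOCK_SIZE))
        if s == 1:
            blocks.append(bytes.fromhex("A0B1C2D3E4F5") + hardened + b"\x69" + bytes.fromhex("0A1B2C3D4E5F"))
        elif s == 15:
            blocks.append(FACTORY_KEY + bytes.fromhex("FF0700") + b"\x69" + FACTORY_KEY)
        else:
            blocks.append(FACTORY_KEY + transport + b"\x69" + FACTORY_KEY)
    return b"".join(blocks)


if __name__ == "__main__":
    for entry in audit_dump(build_sample_dump())["sectors"]:
        print(entry)
```

Run as a script it prints one line per sector; feed `audit_dump` a real 1024-byte dump file instead of `build_sample_dump()` to audit your own tags. Sectors in the transport configuration with the factory key are reported as weak, a sector with custom keys and read-only data blocks is not, and a trailer whose inverted access bits do not match is reported as an error rather than decoded.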
Here is a basic memory layout of a Mifare Classic tag: (taken from the Mifare datasheet, link see below) More about Mifare in general can be found on. For more information on Mifare 1k tags, the memory layout and more details you can visit these pages: Now I will demonstrate how to get all access keys for all sectors, locate the credits and modify them. For this example I used the connected via an and, as an alternative, a Raspberry Pi with the PN532 breakout board. These items can be purchased from various online shops around the world.
For connection instructions on the Raspberry Pi please refer to. Important notice: NFC and the attack used depend a lot on timing. Connecting an NFC device to a VM running Linux will not work reliably because the drivers mess with this timing. I spent a lot of time finding this out, so please boot into a Linux live CD for the following example or use a Raspberry Pi. Here are the basics to set your machine up for getting the access keys. The first step is to set up libnfc so the OS can communicate with the NFC reader.
You can get the latest libnfc version from. At the time of writing the current version was 1.7.1.
BlackArch code-audit (Name Version Description)

acccheck 0.2.1: A password dictionary attack tool that targets Windows authentication via the SMB protocol.
against 0.2: A very fast SSH attacking script which includes a multithreaded port scanning module (TCP connect) for discovering possible targets and a multithreaded brute-forcing module which attacks in parallel all discovered hosts or given IP addresses from a list.
asleap 2.2: Actively recover LEAP/PPTP passwords.
beleth: A multi-threaded dictionary-based SSH cracker.
bgp-md5crack 0.1: RFC2385 password cracker.
biosmemimage 1.2: A tool to dump RAM contents to disk (aka cold boot attack).
bkhive 1.1.1: Program for dumping the syskey bootkey from a Windows NT/2K/XP system hive.
blackhash 0.2: Creates a filter from system hashes.
bob-the-butcher 0.7.1: A distributed password cracker package.
brut3k1t 80.1973a5a: Brute-force attack that supports multiple protocols and services.
bruteforce-wallet 30.b7ac13d: Try to find the password of an encrypted Peercoin (or Bitcoin, Litecoin, etc.) wallet file.
brutessh 0.6: A simple sshd password bruteforcer using a wordlist; it's very fast for internal networks and multithreaded.
chapcrack 17.ae2827f: A tool for parsing and decrypting MS-CHAPv2 network handshakes.
checkpwd 1.23: Oracle Password Checker (Cracker).
cintruder 6.a628c62: An automatic pentesting tool to bypass captchas.
cisco-auditing-tool 1: Perl script which scans Cisco routers for common vulnerabilities. Checks for default passwords, easily guessable community names, and the IOS history bug. Includes support for plugins and scanning multiple hosts.
cisco-ocs 0.2: Cisco Router Default Password Scanner.
cisco-scanner 0.2: Multithreaded Cisco HTTP vulnerability scanner. Tested on Linux, OpenBSD and Solaris.
cisco5crack 2.c4b228c: Crypt and decrypt the Cisco enable 5 passwords.
cisco7crack 2.f1c21dd: Crypt and decrypt the Cisco enable 7 passwords.
cmospwd 5.0: Decrypts the password stored in CMOS used to access BIOS setup.
crackhor 2.ae7d83f: A password cracking utility.
crackle 100.ff47a48: Crack and decrypt BLE encryption.
crackq: Hashcrack.org GPU-accelerated password cracker.
crackserver 33.e5763ab: An XMLRPC server for password cracking.
creddump 0.3: A Python tool to extract various credentials and secrets from Windows registry hives.
crowbar 79.a338de6: A brute forcing tool that can be used during penetration tests. It is developed to support protocols that are not currently supported by thc-hydra and other popular brute forcing tools.
cryptohazemultiforcer 1.31a: High performance multihash brute forcer with CUDA support.
cudahashcat 2.01: World's fastest WPA cracker with dictionary mutation engine.
cupp 20.07f9b83: Common User Password Profiler.
dbpwaudit 0.8: A Java tool that allows you to perform online audits of password quality for several database engines.
depant 0.3a: Check network for services with default passwords.
device-pharmer 37.e0e6281: Opens 1K+ IPs or Shodan search results and attempts to login.
dislocker 0.6.1: A tool to exploit the hash length extension attack in various hashing algorithms. With FUSE capabilities built in.
doozer 9.5cfc8f8: A password cracking utility.
dpeparser beta002: Default password enumeration project.
eapmd5pass 1.4: An implementation of an offline dictionary attack against the EAP-MD5 protocol.
enabler 1: Attempts to find the enable password on a Cisco system via brute force.
evilize 0.2: Tool to create MD5 colliding binaries.
evilmaid 1.01: TrueCrypt loader backdoor to sniff the volume password.
f-scrack 19.9a00357: A single-file bruteforcer supporting multiple protocols.
facebrute 7.ece355b: This script tries to guess passwords for a given Facebook account using a list of passwords (dictionary).
fang 22.4f94552: A multi-service threaded MD5 cracker.
fcrackzip 1.0: Zip file password cracker.
fern-wifi-cracker 222: WEP, WPA wifi cracker for wireless penetration testing.
ftp-scanner 0.2.5: Multithreaded FTP scanner/brute forcer. Tested on Linux, OpenBSD and Solaris.
hashcat 4.0.1: Multithreaded advanced password recovery utility.
hasher 48.40173c5: A tool that allows you to quickly hash plaintext strings, or compare hashed values with a plaintext locally.
hashtag 0.41: A Python script written to parse and identify password hashes.
hostbox-ssh 0.1.1: An SSH password/account scanner.
htpwdscan 16.99697fc: A Python HTTP weak password scanner.
hydra 8.6: Very fast network logon cracker which supports many different services.
ibrute 12.3a6a11e: An AppleID password bruteforce tool. It uses the Find My iPhone service API, where bruteforce protection was not implemented.
iheartxor 0.01: A tool for bruteforcing encoded strings within a boundary defined by a regular expression. It will bruteforce the key value range of 0x1 through 0x255.
iisbruteforcer 15: HTTP authentication cracker. It's a tool that launches an online dictionary attack to test for weak or simple passwords against protected areas on an IIS web server.
ikecrack 1.00: An IKE/IPSec crack tool designed to perform Pre-Shared-Key analysis of RFC compliant aggressive mode authentication.
inguma 0.1.1: A free penetration testing and vulnerability discovery toolkit entirely written in Python. The framework includes modules to discover hosts, gather information about them, fuzz targets, brute force usernames and passwords, exploits, and a disassembler.
ipmipwn 6.74a08a8: IPMI cipher 0 attack tool.
jbrute 0.99: Open source security tool to audit hashed passwords.
jeangrey 16.79a924e: A tool to perform differential fault analysis attacks (DFA).
john 1.8.0.jumbo1: John the Ripper password cracker.
johnny 20120424: GUI for John the Ripper.
jwt-cracker 17.906d670: JWT brute force cracker written in C.
keimpx 166.a10a0c7: Tool to verify the usefulness of credentials across a network over SMB.
khc 0.2: A small tool designed to recover hashed known_hosts files back to their plain-text equivalents.
ldap-brute 21.acc06e3: A semi-fast tool to bruteforce values of LDAP injections over HTTP.
levye: A brute force tool which supports sshkey, vnckey, rdp, openvpn.
lodowep 1.2.1: Lodowep is a tool for analyzing password strength of accounts on a Lotus Domino webserver system.
mdcrack 1.2: MD4/MD5/NTLM1 hash cracker.
medusa 2.2: Speedy, massively parallel and modular login brute-forcer for network services.
mfoc 0.10.7: Mifare Classic Offline Cracker.
mkbrutus 1.0.2: Password bruteforcer for MikroTik devices or boxes running RouterOS.
morxbook 1.0: A password cracking tool written in Perl to perform a dictionary-based attack on a specific Facebook user through HTTPS.
morxbrute 1.01: A customizable HTTP dictionary-based password cracking tool written in Perl.
morxbtcrack 1.0: Single Bitcoin private key cracking tool released.
morxcoinpwn 1.0: Mass Bitcoin private keys brute forcing/take over tool released.
morxcrack 1.2: A cracking tool written in Perl to perform a dictionary-based attack on various hashing algorithms and CMS salted passwords.
mybff 94.6547c51: A Brute Force Framework.
ncrack 0.5: A high-speed network authentication cracking tool.
oclhashcat 2.01: World's fastest WPA cracker with dictionary mutation engine.
omen 15.78ce868: Ordered Markov ENumerator - Password Guesser.
onesixtyone 0.7: An SNMP scanner that sends multiple SNMP requests to multiple IP addresses.
ophcrack 3.7.0: Windows password cracker based on rainbow tables.
outlook-webapp-brute 1.61d7177: Microsoft Outlook WebApp Brute.
owabf 1.3: Outlook Web Access bruteforcer tool.
pack 0.0.4: Password Analysis and Cracking Kit.
passcracking 20131214: A little Python script for sending hashes to passcracking.com and milw0rm.
passe-partout 0.1: Tool to extract RSA and DSA private keys from any process linked with OpenSSL. The target memory is scanned to look up specific OpenSSL patterns.
patator 148.4d7ebf4: A multi-purpose bruteforcer.
pdfcrack 0.16: Password recovery tool for PDF files.
pdgmail 1.0: A password dictionary attack tool that targets Windows authentication via the SMB protocol.
pemcrack 11.a0fecd7: Cracks SSL PEM files that hold encrypted private keys. Brute forces or dictionary cracks.
pemcracker 9.a741c93: Tool to crack encrypted PEM files.
phoss 0.1.13: Sniffer designed to find HTTP, FTP, LDAP, Telnet, IMAP4, VNC and POP3 logins.
php-mt-seed 3.2: PHP mt_rand seed cracker.
php-rfi-payload-decoder 30.bd42caa: Decode and analyze RFI payloads developed in PHP.
phrasendrescher 1.2.2: A modular and multi-processing pass phrase cracking tool.
pipal 1.1: A password analyser.
pipeline 18.d90fc65: Designed to aid in targeted brute force password cracking attacks.
pkcrack 1.2.2: A PkZip encryption cracker.
pybozocrack: A silly & effective MD5 cracker in Python.
pyrit 0.5.0: The famous WPA precomputed cracker.
rainbowcrack 1.6: Password cracker based on the faster time-memory trade-off. With MySQL and Cisco PIX algorithm patches.
rarcrack 0.2: This program uses a bruteforce algorithm to find the correct password (rar, 7z, zip).
rcracki-mt 0.7.0: A tool to perform rainbow table attacks on password hashes. It is intended for indexed/perfected rainbow tables, mainly generated by the distributed project www.freerainbowtables.com.
rdesktop-brute 1.5.0: It connects to Windows terminal servers - bruteforce patch included.
ridenum 67.a6ed473: A null session RID cycle attack for brute forcing domain controllers.
rlogin-scanner 0.2: Multithreaded rlogin scanner. Tested on Linux, OpenBSD and Solaris.
rootbrute 0.1: Local root account bruteforcer.
rpdscan 2.a71b0f3: Remmina Password Decoder and scanner.
rsakeyfind 1.0: A tool to find RSA keys in RAM.
samdump2 3.0.0: Dump password hashes from a Windows NT/2k/XP installation.
samydeluxe 2.2ed1bac: Automatic samdump creation script.
sidguesser 1.0.5: Guesses SIDs/instances against an Oracle database according to a predefined dictionary file.
sipcrack 0.2: A SIP protocol login cracker.
skul 14.e2c33ef: A PoC to bruteforce the Cryptsetup implementation of Linux Unified Key Setup (LUKS).
smbbf 0.9.1: SMB password bruteforcer.
snmp-brute 15.64ec0ce: SNMP brute force, enumeration, Cisco config downloader and password cracking script.
speedpwn 8.3dd2793: An active WPA/2 bruteforcer, originally created to prove weak standard key generation in different ISP-labeled routers without a client being connected.
sqlpat 1.0.1: This tool should be used to audit the strength of Microsoft SQL Server passwords offline.
ssh-privkey-crack 0.4: An SSH private key cracker.
sshatter 1.2: Password bruteforcer for SSH.
sshscan 1.0: A horizontal SSH scanner that scans large swaths of IPv4 space for a single SSH user and pass.
sshtrix 0.0.2: A very fast multithreaded SSH login cracker.
sslnuke 5.c5faeaa: Transparent proxy that decrypts SSL traffic and prints out IRC messages.
sucrack 1.2.3: A multi-threaded Linux/UNIX tool for brute-force cracking local user accounts via su.
tckfc 21.a32167e: TrueCrypt key file cracker.
tftp-bruteforce 0.1: TFTP-bruteforcer is a fast TFTP filename bruteforcer written in Perl.
thc-keyfinder 1.0: Finds crypto keys, encrypted data and compressed data in files by analyzing the entropy of parts of the file.
thc-pptp-bruter 0.1.4: A brute force program that works against PPTP VPN endpoints (TCP port 1723).
thc-smartbrute 1.0: This tool finds undocumented and secret commands implemented in a smartcard.
truecrack 35: Password cracking for TrueCrypt volumes.
ufo-wardriving 4: Allows you to test the security of wireless networks by detecting their passwords based on the router model.
vnc-bypauth 0.0.1: Multi-threaded bypass authentication scanner for VNC servers smaller than v4.1.1.
vncrack 1.21: What it looks like: crack VNC.
wmat 0.1: Automatic tool for testing webmail accounts.
wordbrutepress: Python script that performs brute forcing against WordPress installs using a wordlist.
wpbf 7.11b6ac1: Multithreaded WordPress brute forcer.
wpbrute-rpc 3.e7d8145: Tool for amplified bruteforce attacks on WordPress based websites via the XML-RPC API.
wyd 0.2: Gets keywords from personal files. IT security/forensic tool.
zulu 0.1: A lightweight 802.11 wireless frame generation tool to enable fast and easy debugging and probing of 802.11 networks.