Recovering MIFARE Classic keys

if you couldn ’ t read all the mifare classic® card ’ s sectors with the read function or the sectors you read aren ’ t enough to get access, try exploiting vulnerabilities in mifare classic nfc cards to get access on this page, you ’ ll learn how to conduct the mfkey32 attack, both with and without physical access to the card, as well as card only attacks for which you don ’t need access to the reader to calculate the keys mfkey32 attack t he mfkey32 attack exploits weaknesses in the crypto 1 encryption algorithm mfkey32 is the name of a tool/algorithm used to recover the mifare classic keys from the reader’s crypto 1 nonce pairs it works by recovering the initial state of the crypto 1 linear feedback shift register which contains the key with access to the reader and card the best way to conduct the mfkey32 attack is to have access to the card, even if not all sectors were read after getting the reader ’ s key, you can read more sectors of the card, which might be enough to get access to get the reader ’ s keys and read the mifare classic card, do the following read and save the card with your flipper zero go to main menu > nfc > saved > name of the saved card > extract mf keys flipper zero will emulate this card for the mfkey32 attack tap the reader with your flipper zero, as shown below when near the reader, your flipper zero will collect the reader ’ s nonces depending on the reader, you may need to tap the reader with your flipper zero several times until all 10 out 10 nonces are collected on your flipper zero ’ s screen, the number of collected nonce pairs should increase with each new tap of the reader if the number of nonce pairs doesn ’ t increase, the reader is not trying to authenticate the card emulated by your flipper zero press %ok% ok to save the collected nonce pairs to the microsd card once the required number of nonce pairs is collected, the screen will display a completed message after that, you can press the %ok% ok button to view the captured data, including the sector and key from which it was obtained recover keys from the collected nonces you can do it via flipper mobile app on your phone, run flipper mobile app and synchronize it with your flipper zero go to tools > mfkey32 (extract mf keys) flipper lab connect your flipper zero to your computer via a usb c cable on your computer, go to lab flipper net go to nfc tools , then click the give me the keys button mfkey app if you don ’ t have access to a smartphone or computer, you can recover keys from the collected nonces using only your flipper zero keep in mind that it takes several minutes to recover the keys due to the limited computing power of the device on your flipper zero, go to main menu > apps > nfc run the mfkey app and press the %ok% ok button the recovered keys will be displayed on the screen after that, they can be added to the user dictionary in some cases, the keys can’t be recovered from the nonces due to the reader not recognizing the flipper zero’s emulation properly once new keys are added to the user dictionary, read the card again the number of found keys and read sectors may increase, which indicates that necessary data is collected emulate the card and hold your flipper zero near the reader to get access with access only to the reader even if you don ’ t have access to the card, you can try to get the reader ’ s keys and then add them to the user dictionary to expand it to get and save the reader ’ s keys, do the following go to main menu > nfc > extract mf keys flipper zero will emulate an nfc card for the mfkey32 attack tap the reader with your flipper zero as shown below when near the reader, your flipper zero will collect the reader ’ s nonces depending on the reader, you may need to tap the reader with your flipper zero several times until all 10 out 10 nonces are collected on your flipper zero ’ s screen, the number of collected nonce pairs should increase with each new tap of the reader if the number of nonce pairs doesn ’ t increase, the reader is not trying to authenticate the card emulated by your flipper zero press %ok% ok to save the collected nonce pairs to the microsd card once the required number of nonce pairs is collected, the screen will display a completed message after that, you can press the %ok% ok button to view the captured data, including the sector and key from which it was obtained recover keys from the collected nonces you can do it via flipper mobile app on your phone, run flipper mobile app and synchronize it with your flipper zero go to tools > mfkey32 (extract mf keys) flipper lab connect your flipper zero to your computer via a usb c cable on your computer, go to lab flipper net go to nfc tools , then click the give me the keys button mfkey app if you don ’ t have access to a smartphone or computer, you can recover keys from the collected nonces using only your flipper zero keep in mind that it takes several minutes to recover the keys due to the limited computing power of the device on your flipper zero, go to main menu > apps > nfc run the mfkey app and press the %ok% ok button the recovered keys and sector numbers will be displayed on the screen after that, they can be added to the user dictionary in some cases, the keys can’t be recovered from the nonces because the reader won’t recognize the flipper zero emulation properly card only attacks this type of attacks can be performed directly on the card exploiting vulnerabilities in mifare classic cards the goal of these attacks is to recover the card ’ s data and keys, so that you can clone and emulate the card there are several card only attacks that flipper zero performs based on the card type and available data nested attacks, static nested attack, and hardnested attack these attacks begin at the stage of reading the card (nfc > read) if card reading fails, flipper zero collects and saves card nonces and runs the mfkey app to calculate the keys the calculated keys are then added to the user dictionary of mifare classic keys to get the card ’ s keys and emulate the card, do the following read the card to collect nonces go to more > crack nonces in mfkey32 save the card by pressing save press run to open the mfkey app press %ok% ok to start the calculation wait until the card keys are calculated from the collected nonces — this takes a few minutes after that , the new keys will be added to the user dictionary automatically read the card again to unlock the sectors that were protected with the calculated key emulate the card and hold your flipper zero against the reader to get access if the mfkey app fails to calculate keys reboot your flipper zero by pressing and holding the %left% left and %back% back buttons for 5 seconds delete the file with collected nonces, located at /ext/nfc/ nested log then try collecting the nonces again and run mfkey delete the file containing user keys, located at /ext/nfc/assets/mf classic dict user nfc then try collecting the nonces again and run mfkey this action will permanently delete all the user keys if you wish to retain your keys, back them up before deleting by downloading the file to your computer mifare and mifare classic are registered trademarks of nxp b v