[PM3] Analysis notes on the company's new work card (1): card analysis

  1. Background
  2. Card analysis
  3. Attempting a dump

Background

The company recently replaced its entire work-card system; the new system is a solution from a company named “新开普”.

With the new card in hand, I immediately ran it through a PM3 to see what has improved compared with the previous, vulnerability-riddled Mifare Classic cards.

Card analysis

Run hf 14a info to see what type of card it is.

[usb] pm3 --> hf 14a info

[+] UID: C1 F0 6A 3E
[+] ATQA: 00 04
[+] SAK: 28 [1]
[+] Possible types:
[+] SmartMX with MIFARE Classic 1K
[=] -------------------------- ATS --------------------------
[+] ATS: 10 78 80 A0 02 20 90 00 00 00 00 00 C1 F0 6A 3E [ 43 00 ]
[=] 10............... TL length is 16 bytes
[=] 78............ T0 TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
[=] 80......... TA1 different divisors are NOT supported, DR: [], DS: []
[=] A0...... TB1 SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 10 (FWT = 4194304/fc)
[=] 02... TC1 NAD is NOT supported, CID is supported

[=] -------------------- Historical bytes --------------------
[+] 20900000000000C1F06A3E
[+] Prng detection: weak
[#] Auth error
[?] Hint: try `hf mf` commands

This is an NXP SmartMX-series card with a MIFARE Classic 1K emulation on the side. SmartMX is the NXP family behind the JCOP cards, which means this card is a CPU card (also called a Java card). A CPU card contains a fully functional CPU running an operating system, so the card's functions are implemented in software, unlike an ASIC-based card such as MIFARE Classic, where the card's functions are implemented in hardware logic.
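The ATS and SAK lines above are what let PM3 label the chip. The following Python is an added example, not code from the original post or from the Proxmark3 project: it decodes an ATS as printed by `hf 14a info` (TL, T0, the optional TA1/TB1/TC1 interface bytes and the historical bytes) per ISO/IEC 14443-4, and reads the SAK flags following the NXP application-note conventions. It generalises beyond this one card, so any ATS can be fed in; the sample input is the card's ATS copied from the output above, with the trailing CRC bytes in brackets left out.

```python
# Added example (not from the original post): decode an ISO/IEC 14443-4 ATS
# and the SAK byte the way `hf 14a info` does, so the printed values can be
# reproduced and checked. Functions and names here are our own.

# FSCI -> FSC (max frame size accepted by the card) per ISO/IEC 14443-4.
# Codes above 8 are reserved; we clamp them to 256 like most readers do.
FSCI_TO_FSC = [16, 24, 32, 40, 48, 64, 96, 128, 256]


def decode_ats(ats: bytes) -> dict:
    """Parse TL, T0, TA1/TB1/TC1 (when T0 says they are present) and the
    historical bytes. Raises ValueError if TL disagrees with the length."""
    if not ats or ats[0] != len(ats):
        raise ValueError("TL does not match the ATS length")
    out = {"tl": ats[0]}
    if len(ats) == 1:                      # TL only: no T0, nothing else to parse
        out["historical"] = b""
        return out
    t0 = ats[1]
    fsci = t0 & 0x0F
    out["fsci"], out["fsc"] = fsci, FSCI_TO_FSC[min(fsci, 8)]
    idx = 2
    if t0 & 0x10:                          # TA1 present: bit-rate capabilities
        ta1 = ats[idx]; idx += 1
        out["ta1"] = {
            # b8 set means "only the same divisor in both directions"
            "different_divisors": not bool(ta1 & 0x80),
            "dr": [2 ** (i + 1) for i in range(3) if ta1 & (1 << i)],        # PCD -> PICC
            "ds": [2 ** (i + 1) for i in range(3) if ta1 & (1 << (i + 4))],  # PICC -> PCD
        }
    if t0 & 0x20:                          # TB1 present: frame waiting / start-up guard
        tb1 = ats[idx]; idx += 1
        fwi, sfgi = tb1 >> 4, tb1 & 0x0F
        out["tb1"] = {
            "fwi": fwi,
            "fwt_fc": (256 * 16) << fwi,                      # FWT in carrier cycles
            "sfgi": sfgi,
            "sfgt_fc": 0 if sfgi == 0 else (256 * 16) << sfgi,  # 0 = not needed
        }
    if t0 & 0x40:                          # TC1 present: protocol options
        tc1 = ats[idx]; idx += 1
        out["tc1"] = {"nad": bool(tc1 & 0x01), "cid": bool(tc1 & 0x02)}
    out["historical"] = ats[idx:]          # everything after the interface bytes
    return out


def decode_sak(sak: int) -> dict:
    """SAK flags: b6 = ISO/IEC 14443-4 support, b4 = MIFARE Classic
    compatible family, b3 = UID not complete (cascade). Heuristic, as in
    the NXP application notes, not a definitive chip identification."""
    return {
        "iso14443_4": bool(sak & 0x20),
        "mifare_classic_compat": bool(sak & 0x08),
        "uid_incomplete": bool(sak & 0x04),
    }


# Sample input copied from the `hf 14a info` output above (CRC bytes excluded).
SAMPLE_ATS = bytes.fromhex("107880A00220900000000000C1F06A3E")
SAMPLE_SAK = 0x28

if __name__ == "__main__":
    for k, v in decode_ats(SAMPLE_ATS).items():
        print(k, v)
    print(decode_sak(SAMPLE_SAK))
```

Run as a script, the TB1 entry reproduces PM3's `FWI = 10 (FWT = 4194304/fc)`, the TC1 entry its `NAD is NOT supported, CID is supported`, and the historical bytes come out as `20900000000000C1F06A3E`.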

All of that said, the conclusion is that this type of card is far more secure than a Mifare Classic card and is practically impossible to crack or clone.

So has our analysis reached a dead end? Not necessarily: security has a “weakest link” (barrel) effect too. Whether a deployment is secure is not decided by the card's security level alone; the card is only one factor. There have been plenty of cases where Mifare deployments used default keys. As it happens, this card also carries a MIFARE Classic 1K emulation, so let's see what is inside that emulated MIFARE card.

Attempting a dump

Run hf mf chk to see whether default/common keys are in use.

[usb] pm3 --> hf mf chk --dump
[=] No key specified, trying default keys
[ 0] ffffffffffff
...omitted
[=] Start check for keys...
[=] .................................
[=] time in checkkeys 2 seconds

[=] testing to read key B...

[+] found keys:

[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A |res| key B |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 001 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 002 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 003 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 004 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 005 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 006 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 007 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 008 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 009 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 010 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 011 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 012 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 013 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 014 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 015 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] |-----|----------------|---|----------------|---|
[+] ( 0:Failed / 1:Success )

[+] Generating binary key file
[+] Found keys have been dumped to hf-mf-C1F06A3E-key.bin
[=] FYI! --> 0xFFFFFFFFFFFF <-- has been inserted for unknown keys where res is 0

Looks like they are all default keys, so there probably isn't anything of value stored in there.

Run hf mf dump to try dumping it.

[usb] pm3 --> hf mf dump
[!] No tag found.
[usb] pm3 --> hf mf dump
[=] Using `hf-mf-C1F06A3E-key.bin`
[=] Reading sector access bits...
[=] .................
[+] Finished reading sector access bits
[=] Dumping all blocks from card...
[+] successfully read block 0 of sector 0.
...omitted
[+] time: 7 seconds


[+] Succeeded in dumping all blocks

[+] saved 1024 bytes to binary file hf-mf-C1F06A3E-dump.bin
[+] saved 64 blocks to text file hf-mf-C1F06A3E-dump.eml
[+] saved to json file hf-mf-C1F06A3E-dump.json

The dump succeeded; let's see what is inside.

[usb] pm3 --> hf mf view -f hf-mf-C1F06A3E-dump.bin
[+] loaded 1024 bytes from binary file hf-mf-C1F06A3E-dump.bin

[=] ----+-------------------------------------------------+-----------------
[=] blk | data | ascii
[=] ----+-------------------------------------------------+-----------------
[=] 0 | C1 F0 6A 3E 65 28 04 00 00 00 00 00 00 00 00 00 | ..j>e(..........
[=] 1 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 2 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 3 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 4 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 5 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 6 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 7 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 8 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 9 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 11 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 12 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 13 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 14 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 15 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 16 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 17 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 18 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 19 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 21 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 22 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 23 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 24 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 25 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 26 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 27 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 28 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 29 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 31 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 32 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 33 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 34 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 35 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 36 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 37 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 38 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 39 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 41 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 42 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 43 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 44 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 45 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 46 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 47 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 48 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 49 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 51 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 52 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 53 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 54 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 55 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 56 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 57 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 58 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 59 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 61 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 62 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 63 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] ----+-------------------------------------------------+-----------------

As expected, there is nothing there. So the analysis of the card itself ends here; getting any further will require gathering other information.
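The dump above is a textbook factory-default image: every sector trailer is `FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF`, i.e. key A and key B both FFFFFFFFFFFF and access bits `FF 07 80` (the MIFARE Classic transport configuration), with all data blocks zero. The Python below is an added example, not code from the post or from Proxmark3: it audits a 1K dump in the 1024-byte layout `hf mf dump` saves, verifies the manufacturer block's BCC, decodes each trailer's access bits (including the inverted-copy consistency check) and flags sectors that still use factory keys or the transport configuration. It is the kind of check a card issuer would run on a batch before rollout. The sample dump is reconstructed inline from the `hf mf view` output above; the function names, the `FACTORY_KEYS` set and the access-condition tables are our own, the tables following the NXP MIFARE Classic 1K datasheet.

```python
# Added example (not from the original post): audit a MIFARE Classic 1K dump
# (64 blocks x 16 bytes) for factory keys, transport-configuration access bits
# and empty data blocks. The sample dump is constructed from the post's output.

# Keys a MIFARE Classic card ships with; a sector still using one is unconfigured.
FACTORY_KEYS = {bytes.fromhex("FFFFFFFFFFFF"), bytes.fromhex("000000000000")}

# (C1, C2, C3) -> access condition for a data block (NXP datasheet table).
DATA_ACCESS = {
    (0, 0, 0): "read A|B, write A|B, inc A|B, dec A|B (transport)",
    (0, 1, 0): "read A|B, write never",
    (1, 0, 0): "read A|B, write B",
    (1, 1, 0): "read A|B, write B, inc B, dec A|B",
    (0, 0, 1): "read A|B, write never, dec A|B",
    (0, 1, 1): "read B, write B",
    (1, 0, 1): "read B, write never",
    (1, 1, 1): "never",
}
# (C1, C2, C3) -> access condition for the sector trailer (key A / access bits / key B).
TRAILER_ACCESS = {
    (0, 0, 0): "keyA: write A; bits: read A; keyB: read A, write A",
    (0, 1, 0): "keyA: never; bits: read A; keyB: read A",
    (1, 0, 0): "keyA: write B; bits: read A|B; keyB: write B",
    (1, 1, 0): "keyA: never; bits: read A|B; keyB: never",
    (0, 0, 1): "keyA: write A; bits: read A, write A; keyB: read A, write A (transport)",
    (0, 1, 1): "keyA: write B; bits: read A|B, write B; keyB: write B",
    (1, 0, 1): "keyA: never; bits: read A|B, write B; keyB: never",
    (1, 1, 1): "keyA: never; bits: read A|B; keyB: never",
}
TRANSPORT = [(0, 0, 0), (0, 0, 0), (0, 0, 0), (0, 0, 1)]   # what FF 07 80 decodes to


def decode_access_bits(trailer: bytes) -> list:
    """Return (C1, C2, C3) for blocks 0..3 of a sector from trailer bytes 6-8.
    Byte 6 = ~C2 | ~C1, byte 7 = C1 | ~C3, byte 8 = C3 | C2 (high | low nibble);
    the inverted copies must agree, otherwise the trailer is corrupt."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    if ((~b6) & 0x0F) != c1 or ((~b6 >> 4) & 0x0F) != c2 or ((~b7) & 0x0F) != c3:
        raise ValueError("access bits fail their inverted-copy check")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def check_block0(dump: bytes) -> dict:
    """Manufacturer block: UID(4), BCC = XOR of the UID bytes, SAK, ATQA (LSB first)."""
    blk = dump[0:16]
    uid, bcc, sak, atqa = blk[0:4], blk[4], blk[5], blk[6:8]
    calc = 0
    for b in uid:
        calc ^= b
    return {"uid": uid.hex().upper(), "bcc_ok": calc == bcc, "sak": sak, "atqa": atqa.hex().upper()}


def audit_dump(dump: bytes) -> list:
    """One report entry per sector. Key A is never readable from the card; the
    dump tool fills it in from the key file, which is what we inspect here."""
    if len(dump) != 1024:
        raise ValueError("expected a 1K dump (1024 bytes)")
    report = []
    for sector in range(16):
        blocks = [dump[(4 * sector + i) * 16:(4 * sector + i + 1) * 16] for i in range(4)]
        trailer = blocks[3]
        key_a, key_b = trailer[0:6], trailer[10:16]
        access = decode_access_bits(trailer)
        data_blocks = blocks[1:3] if sector == 0 else blocks[0:3]   # block 0 is the UID block
        report.append({
            "sector": sector,
            "key_a": key_a.hex().upper(), "key_b": key_b.hex().upper(),
            "key_a_default": key_a in FACTORY_KEYS,
            "key_b_default": key_b in FACTORY_KEYS,
            "access": access,
            "transport_config": access == TRANSPORT,
            "data_all_zero": all(not any(b) for b in data_blocks),
            "conditions": [DATA_ACCESS[a] for a in access[:3]] + [TRAILER_ACCESS[access[3]]],
        })
    return report


def summarize(report: list) -> dict:
    return {
        "sectors_default_keys": sum(s["key_a_default"] or s["key_b_default"] for s in report),
        "sectors_transport": sum(s["transport_config"] for s in report),
        "sectors_empty": sum(s["data_all_zero"] for s in report),
    }


def build_sample_dump() -> bytes:
    """Constructed sample: the post's dump (UID C1F06A3E, SAK 28, ATQA 04 00,
    all trailers FF..FF FF 07 80 69 FF..FF, every other block zero)."""
    blocks = [bytes(16)] * 64
    uid = bytes.fromhex("C1F06A3E")
    bcc = 0
    for b in uid:
        bcc ^= b
    blocks[0] = uid + bytes([bcc, 0x28, 0x04, 0x00]) + bytes(8)
    trailer = bytes.fromhex("FFFFFFFFFFFF" "FF0780" "69" "FFFFFFFFFFFF")
    for s in range(16):
        blocks[4 * s + 3] = trailer
    return b"".join(blocks)


if __name__ == "__main__":
    dump = build_sample_dump()
    print(check_block0(dump))
    print(summarize(audit_dump(dump)))
```

On the sample the summary reports 16 sectors with default keys, 16 in transport configuration and 16 empty, which is the "nothing there" conclusion stated in numbers; on a card that has been personalised you would expect zero in the first two counts, and `decode_access_bits` refuses a trailer whose inverted nibbles disagree instead of silently reporting it as open.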