Add instructions for building mfoc on Windows. #74

Open
DavidBerdik opened this issue Nov 6, 2019 · 38 comments
@DavidBerdik

The available documentation for mfoc details how to build it on *nix-based systems, but not Windows. Even if this project is not intended for Windows, I believe the project could still benefit from providing instructions for building for Windows for those who would like to try it.

Unfortunately, using a VM with USB passthrough is not possible, as the program does not work properly in a VM, and USB passthrough is apparently not supported by the Windows Subsystem for Linux for anything other than external drives and flash drives.

@xavave

xavave commented Jan 10, 2020

Hi,
I've cross-compiled mfoc and nfc utils for Windows 64-bit; you can find them on my blog:
http://legacy.averbouch.biz/libnfc-and-nfc-utils-binaries-on-windows-10/

@DavidBerdik
Author

Hello @xavave,

Thank you so much for sharing this! This is wonderful! Do you by chance have any documentation on what you changed from the original Linux version? Or is it linked in your post and I just didn't see it? I ask because I would be interested in trying to maintain a Windows version that tries to keep up to date with changes applied to the Linux version. You certainly provide a wonderful starting point for doing just that.

@xavave

xavave commented Jan 14, 2020

@DavidBerdik I used libnfc 1.7.1 and mainly used the tutorial here: https://github.com/peacepenguin/libnfc-unofficialbuilds
Then I used the mfoc hardnested source: https://github.com/vk496/mfoc/tree/hardnested

Btw, I've also cross-compiled libfreefare for Windows 64-bit; you can find the binaries in the attachment at the end of my post here:
nfc-tools/libfreefare#52 (post named: allow to cross-compile 32 and 64 bit dlls using MinGW)
There is a new post on my blog too: http://legacy.averbouch.biz/en/how-to-cross-compile-libfreefare-examples-for-windows-with-msys2-mingw64/

And also a forked C# wrapper here: https://github.com/xavave/sharp-free-fare

I've just updated my post about mfoc here: http://legacy.averbouch.biz/libnfc-and-nfc-utils-binaries-on-windows-10/
I've simply changed this in the mfoc code for the hardnested branch version:
image

@DavidBerdik
Author

DavidBerdik commented Jan 17, 2020

Excellent! Thanks for sharing! I played with the prebuilt binaries a bit last weekend, and everything worked fine except for mfoc_hardnested.exe which was crashing with the following error.

image

Installing MINGW from the Chocolatey repo (https://chocolatey.org/packages/mingw) fixed the problem. I found that I could get the program to work on a machine without MINGW installed by copying the DLL mentioned in the error from the MINGW installation from a machine that has it and dropping it in the same directory as the executable.

TL;DR - If mfoc_hardnested.exe crashes with an error about not being found, download the attached zip file and extract the DLL contained in it to the same folder as mfoc_hardnested.exe.

libwinpthread-1.zip

@DavidBerdik
Author

DavidBerdik commented Jan 19, 2020

After further experimentation, I am not sure that the mfcuk prebuilt binary that you provide works properly. I've had it running an attack on a card for several hours now, and it doesn't look like it's making any progress. I've broken this same card in the past using the same reader (ACR122U) using mfcuk on Ubuntu and it's worked, so I do not really know what to make of this.

Last chunk of output as of this post:

-----------------------------------------------------
Let me entertain you!
    uid: b2588311
   type: 08
    key: 000000000000
  block: 03
diff Nt: 19905
   hit4: 0
  auths: 19905
-----------------------------------------------------

My command to start running the attack was mfcuk_keyrecovery_darkside.exe -C -R -1:A -s 250 -S 250 -v 3 -o mfcuk-dump.

Any suggestions @xavave?

@xavave

xavave commented Jan 19, 2020

@DavidBerdik Did you use exactly the same command parameters when it worked on Ubuntu?
Which source code/version did you use to compile mfcuk on Ubuntu?
I've just recompiled a fresh version from the latest mfcuk code (https://github.com/nfc-tools/mfcuk) (attached). Could you test with it, please?
mfcuk_keyrecovery_darkside_win64.zip
EDIT: I've also just recompiled the DrSchottky version (https://github.com/DrSchottky/mfcuk) so you can compare them:
mfcuk_keyrecovery_darkside_DrSkottky_Win64.zip

@DavidBerdik
Author

DavidBerdik commented Jan 19, 2020

@xavave Yes, I used exactly the same command parameters when testing on Ubuntu. I can say that with absolute confidence because I copied the command off to a text file for future use when testing on Ubuntu.

As for which version I used, I am not sure because I did not compile from source. I installed it using apt.

I will try testing now and let you know how it goes.

Edit: When I start running the attack, I always get 3 warnings in the console. Perhaps they are of some importance?

mfcuk_keyrecovery_darkside - 0.3.8
Mifare Classic DarkSide Key Recovery Tool - 0.3
by Andrei Costin, [email protected], http://andreicostin.com - compiled on windows 64 by xavave

WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_skgt.mfd'
WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_ratb.mfd'
WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_oyster.mfd'

@xavave

xavave commented Jan 19, 2020

@DavidBerdik I’m not sure the warnings make a difference.
I think you can remove these warnings by unzipping the attached file data.zip in the mfcuk.exe folder:
data.zip
The folder structure should be like this:
mfcuk.exe
data/
    tmpls_fingerprints/
        mfcuk_tmpl_oyster.mfd
        mfcuk_tmpl_ratb.mfd
        mfcuk_tmpl_skgt.mfd
Btw, I saw an old “official” Windows version here:
https://github.com/nfc-tools/mfcuk/releases/tag/windows
Does this old version work better?
Update:
My compiled 'DrSchottky' version was not working, so I've recompiled it:
mfcuk_keyrecovery_darkside_drSkottky.zip
Can you send me a dump of the card you've successfully dumped on Ubuntu (in PM on my mail?) so I could test it too, please?

@DavidBerdik
Author

@xavave Unfortunately, none of the mfcuk variations you have made available seem to work for me. As for sharing the dump of my card, I can (it's only an old hotel room key, so there aren't any security concerns), but you may have to wait a while. The hard drive in the laptop that I used to do this on died a month or two ago. That hard drive had the only copy of the card dump that I made, and I haven't had a chance to do anything about the laptop, and as you likely know, using USB pass-through to an Ubuntu VM does not cooperate with the ACR122U.

@xavave

xavave commented Jan 20, 2020

@DavidBerdik On my laptop, when I test my mfcuk, I can see different “diff nt” and “auth” values. So I don’t understand the problem for now. I can wait for your dump, no problem. Thank you.

@xavave

xavave commented Jan 24, 2020

@DavidBerdik I also tried mfcuk on Linux but I get the same results: the same count of auths and diff nt. Maybe the issue comes from the reader ACR122U-A9, or the tag used for the test is protected too much? I have no clue for now --> nfc-tools/mfcuk#50

@DavidBerdik
Author

DavidBerdik commented Jan 25, 2020

@xavave I expect that I will have time to play with this a little tomorrow. I will try to take a dump of it on Linux and post it here. I remember the last time I cracked the card, I used mfcuk to crack all of the A keys which took a great deal of time. I hadn't realized at the time that you only need one of the A keys to derive the rest. Hopefully that will speed things up a bit.

What reader are you using? ACR122U as well?

@DavidBerdik
Author

@xavave An update for you: I am trying to crack the card on my Linux laptop right now, and it's doing the same thing. I know it worked before so I'm going to try to just let it run its course. I'm at about 37,000 auths right now.

@xavave

xavave commented Jan 26, 2020

@DavidBerdik Do you use exactly the same card reader as before?

@DavidBerdik
Author

@xavave Yep! Same card reader and same card. I woke up this morning to find that mfcuk had crashed, so I am trying again with a different card but the same reader.

@DavidBerdik
Author

@xavave Have you had any luck? I have been trying with another, different card now for several days and it's doing the same thing. I have also cracked this card before successfully.

@xavave

xavave commented Jan 31, 2020

@DavidBerdik I didn't try again, but you are saying that mfcuk doesn't work on Linux or on Windows, and that on Linux it was working previously? I have no clue. Or has mfcuk been upgraded in the meantime and has new bugs? On some tags mfcuk seems to work on my Windows (“diff nt” and “auth” are different), and on some other tags, it doesn't (“diff nt” and “auth” are different).

@DavidBerdik
Author

@xavave I finally managed to get a key by setting -R 2:A when attacking on Linux, but I still have not had any success on Windows. So far, I have only tested with this parameter using the original mfcuk that you linked to in your initial reply. I am going to try the other builds as well though.

@xavave

xavave commented Feb 2, 2020

@DavidBerdik Good 👍🏻
How long did it take on Linux? Could you send me the dump, please?

@DavidBerdik
Author

DavidBerdik commented Feb 2, 2020

@xavave It took about 30 minutes. Unfortunately, the card that I successfully dumped was not the hotel room key that I told you about earlier. The card that I managed to get working is actually sensitive, so I cannot share it. I am going to keep experimenting with the other card on Linux to see if I can get a dump to share with you. The room key has one of the default keys that mfoc checks for which makes using mfcuk unnecessary, but even so, it should be a good test card.

@xavave

xavave commented Feb 2, 2020

@DavidBerdik ok 👍 thank you

@DavidBerdik
Author

DavidBerdik commented Feb 2, 2020

@xavave It just occurred to me that even though mfcuk testing with the hotel room key is not working, I can still give you an mfoc dump since the card uses default keys, so I have attached one. I am still going to keep trying to get mfcuk working on it though. Thanks for your help with this!

I should point out that this mfoc dump was taken using Linux. Also, the MD5 hash for the dump file contained in the zip is 7e34f15beaa8db11b9c5e68df97328b5.

mfoc_hotel_room_key_dump.zip

@xavave

xavave commented Feb 2, 2020

Thank you, I'm going to test it now.

@DavidBerdik
Author

@xavave Excellent! Good luck!

@xavave

xavave commented Feb 2, 2020

@DavidBerdik After a few minutes, diff nt and auths are different:
image
image
Btw, I used key B in the parameters for testing: -C -R -1:B -s 250 -S 250 -v 3 -o mfcuk-dump

The mfcuk I used is attached here:
mfcuk_keyrecovery_darkside.zip

I will let you know how it ends.

@DavidBerdik
Author

@xavave I get different values for diff Nt and auths after a few minutes too, but it still doesn't seem to work for me. I am trying again on Ubuntu using -R 2:A, and here is where I am as of a few moments ago.

Screenshot from 2020-02-02 18-14-42

I was actually not aware that you could attack for B keys using mfcuk. I thought it was only for getting at least one A key which you then used with mfoc to get the B keys as well as the remaining A keys. I will let it continue running on Ubuntu for now, and if it does not crack a key within 24 hours, I will give up and try something else.

@xavave

xavave commented Feb 2, 2020

@DavidBerdik I was reading on some Chinese forums (that I've Google-translated :) ) that the results depend on the sector you attack, so many tries can be done before finding

@DavidBerdik
Author

DavidBerdik commented Feb 3, 2020

@xavave Thanks for sharing! I have seen similar claims on other websites, but as I understand, my attacks are taking longer than they should have to. In several cases over the last few weeks, I let them run for over 24 hours without any progress made at all. In some of those cases, mfcuk would start throwing an error with each read attempt.

@xavave

xavave commented Feb 3, 2020

@DavidBerdik It doesn't seem to work for me either.
image
I saw there is dedicated support for mfcuk, btw:
nfc-tools/mfcuk#39
I wonder if it comes from the ACR122 tag reader on the Windows version, but I don't have another USB reader to test with for now.

@DavidBerdik
Author

@xavave Have you experimented with doing it on Linux at all? Also, why do some versions of mfcuk have a hit4 field while others do not? What is that all about? I assume they are different versions of the program, but I do not know what it means. (Well, I actually do not know what any of those fields are except for the uid and auths ones.)

@xavave

xavave commented Feb 3, 2020

@DavidBerdik I should try on Linux again. Tonight I let mfcuk run with libnfc.dll v1.5 to check if the issue can be related to the latest libnfc version 1.7.
Hit4 is the number of successful auths, as you can see in DrSchottky's improved mfcuk version:

https://github.com/DrSchottky/mfcuk/blob/master/src/mfcuk.c line 623

@xavave

xavave commented Feb 4, 2020

@DavidBerdik I've uncommented the debug print in the mfcuk source code on Windows and Ubuntu, and I've noticed that on Ubuntu the nonce distance is between 0 and about 65535 and the values follow each other.
image
diff nt is much lower than auths, the same on Windows (but diff nt increases faster on Windows, and this is bad).
But on Windows something is wrong: I never see a nonce distance value lower than a few thousand.
Anyway, I ran mfcuk on Ubuntu for more than 1 hour with your dump written on a card, and also got no successful result.

@DavidBerdik
Author

DavidBerdik commented Feb 5, 2020

I have had an mfcuk attack running against the card for 2 days now and still nothing has come of it. I am not really sure what to do at this point. I have another card that I can try that I had successfully cracked with mfcuk before. Unfortunately though, it is sensitive and therefore I cannot share the dump.

Also, I am not sure what the nonce distance value is supposed to mean.

Here is the state of my attack attempt as of this post:
Screenshot from 2020-02-04 19-26-52

@DavidBerdik
Author

@xavave I'm trying the other card that I mentioned in my previous post, and I am seeing no progress. The diff Nt and auths values are just incrementing together.

Screenshot from 2020-02-04 21-54-20

@xavave

xavave commented Feb 5, 2020

@DavidBerdik Some cards are protected against the dark side attack. But I still can’t explain why different mfcuk versions never found a key for me, neither on Ubuntu nor on Windows, with different cards including blank ones. I’ve just ordered a Proxmark 3 tag reader so I will be able to compare results with the ACR122U-A9 soon.
How long did it take to crack your previous card successfully?

@DavidBerdik
Author

@xavave What disturbs me is that I have already cracked this card using mfcuk on Ubuntu but now it's not working. Furthermore, this is the same card that I cracked 2:A on last week, but now it's acting weird again. I don't understand it.

As for how long it took when I did it last year, it was a several-hour process.

@xavave

xavave commented Feb 6, 2020

@DavidBerdik I've reopened this issue in the dedicated mfcuk discussion: nfc-tools/mfcuk#76
