MAGS TRIP EMAD NESS
10.08.2015 Views
Share Embed Flag

MAGS TRIP EMAD NESS

Makstripe - CanSecWest

Makstripe - CanSecWest

SHOW MORE
SHOW LESS
ePAPER READ
DOWNLOAD ePAPER
  • No tags were found...
cansecwest.com

You also want an ePaper? Increase the reach of your titles

YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.

START NOW

<strong>MAGS</strong> <strong>TRIP</strong> <strong>EMAD</strong> <strong>NESS</strong>VALID FROMEXPIRES END04/06 44/20OF-3MALFUNCTION, MAJ.CANSECWEST 06DC-44-20ISSUER ISSUE SORT CODE

who am i ?●security professional by day●white hat hacker by night, weekends &when traveling..●DEFCON goon●DC4420 P.O.C. (London)

why mag stripe ?●old skewl●thoroughly insecure and yet still in use●security by obscurity (again!)●because it's there●i have no life

swipe cards

spot the room key...

spot the room key...

spot the ATM card...

spot the ATM card...

equipment - makstripe●●●●http://www.makinterface.deParallel portRead / Write all 3 tracksRaw data– Does not care about checksums– Does not care about parity●Windows support only :(– not working with VMWare :( :(

equipment●●http://www.sephail.net/articles/magstripe/Audio output– Analyse WAV files offline●●Read all 3 tracks plus non-standardRaw data– Does not care about checksums– Does not care about parity●Read only

equipment - makstripe

equipment - makstripe

equipment - makstripe

analysis - makstripe

write - makstripe

standard track formats●track 1– IATA – 210 BPI, 7 bit, 79 alphanumeric characters●track 2– ABA – 75 BPI, 5 bit, 40 numeric characters●track 3– THRIFT – 210 BPI, 5 bit, 107 numeric characters

track standards - IATATrack 1: 210 BPI, 7 bit, 79Alphanumeric characters

track standards - IATAData formatAirportFlight No.Day of yearStartFormatFromToFlightClass Day Seat Passenger End LRC

track standards - IATAYVR LHR 19KLAURIE/ADAM MRStartFormatFromToFlightClass Day Seat Passenger End LRC%WYVRLHRBA 0084 W 034019K LAURIE/ADAM MR ?E

efore

after

hotel door locks●passive– all logic in the lock●active– reader only– all logic on back-end– centralised alarms & reporting

passive locksKey TYPE correct

passive locksHousekeeping OpenOne­Time OpenGuest LockoutCrime Scene LockoutKey TYPE correctSPECIAL keyPerform SPECIALREJECT

passive locksHousekeeping OpenOne­Time OpenGuest LockoutCrime Scene LockoutKey TYPE correctSPECIAL keyPerform SPECIALREJECTCorrect ROOMRESCINDED keyREJECT

passive locksHousekeeping OpenOne­Time OpenGuest LockoutCrime Scene LockoutKey TYPE correctSPECIAL keyPerform SPECIALREJECTCorrect ROOMRESCINDED keyREJECTNEW keyEXPIRED key

passive locksHousekeeping OpenOne­Time OpenGuest LockoutCrime Scene LockoutKey TYPE correctSPECIAL keyPerform SPECIALREJECTCorrect ROOMRESCINDED keyREJECTRESCIND previousNEW keyEXPIRED keyOPEN

keycard – multiple keys●;5101153528010176630125000120000000000?8●;5101153528020176630125000120000000000?;Start Property? Room No. Key No. Magic Number? Expire Key Type? End LRC; 510115 3528 01 0176630125 0001200..?8; 510115 3528 01 02 0176630125 0001200..? 8;

keycard – multiple keys●;5101153528010176630125000120000000000?8●;5101153528020176630125000120000000000?;●;5101153528030176630125000120000000000?:Start Property? Room No. Key No. Magic Number? Expire Key Type? End LRC; 510115 3528 01 0176630125 0001200..?8; 510115 3528 01 02 0176630125 0001200..? 8;; 510115 3528 03 01766 30125 0001200.. ? :

keycard – rescinding●;5101150611010700431125000120000000000?6●;5101150611010703231125000120000000000?3Start Property? Room No. Key No. Magic Number? Expire Key Type? End LRC; 510115 0611 01 07004 31125 0001200.. ? 6; 510115 0611 01 07032 31125 0001200.. ? 3

RESCINDING keysNew magic numberLock storeslast 100 keys12345851235678723677...

active locks●all locks connected to central computer– one wire●●checking done against live databasekey swipe as messaging system– room clean, out of service etc.●security– access attempts●raise alarm!– audit trail●much more expensive– harder to retrofit

non-standard keys

non-standard equipment

magnasee●●magnetic field visualisationhead alignment– audio– 1/2” Tape– lead-in●Carbon Tetrachloride!– (carbon chloride, methanetetrachloride, perchloromethane,tetrachloroethane, or benziform)– iron filings– banned as a carcinogen!! =:O

magnasee

magnasee

magnasee

magnasee

magnasee

magnasee

size matters!

size matters!British Rail track is 2.5 times the widthof ISO standard

size matters!But BPI is the same...

data matters!

data analysis●dmsb– decode standard track formats & character sets– Joseph Battaglia●http://www.sephail.net/articles/magstripe/●binchop– aid to look for patterns and parity– Major Malfunction●http://www.alcrypto.co.uk

demonstration

making sense of the data●character sets– http://www.magtek.com/documentation/public/99875065-4.pdf

attack combiningmmirda + magstripe = drinks are on me!

evolution

next generation●●RFIDbiometric

RFID I/O tools: RFIDIOt●http://rfidiot.org– python library●ISO 14443A/B●MIFARE ® Standard, MIFARE ® 4k, MIFARE ® Pro, MIFARE ®Ultralight, MIFARE ® DESFIRE, MIFARE ® SmartMX, SLE55Rxx, SLE 66CL160S, SLE 66CLX320P, SR176,SRIX4K, ISO14443A Tags, ISO14443B Tags, Jewel Tag(IRT0302B11 KSW DIY Eng. Sample), Sharp B, ASKGTML2ISO, TOSMART P064– support for ACG Dual ISO reader●●http://www.acg.deno drivers required – serial device

MIFARE tags●Block layout●Access controls●Demonstration

MIFARE 1K – block layoutSector 0Block 0Manufacturer blockBlock 1 Block 2Block 3Sector trailerAccess controlBlockSector 2Sector 3Sector ...Sector 15Block 0Block 4Manufacturer blockBlock 15 Block 26Block 0Block 8Manufacturer blockBlock 19 Block 10 2Block 0Block ...Manufacturer blockBlock ... 1 Block ...Block 0Block 60Manufacturer blockBlock 61 1 Block 62 2Block 37Sector trailerBlock 11 3Sector trailerBlock ... 3Sector trailerBlock 63 3Sector trailer16 sectors, 4 blocks per sector,16 bytes per block = 1024 bytes

manufacturer blocklayoutSector Byte 0 00010203040506070809101112131415Serial NumberCManufacturer dataCheck byteWhole block is read only

access control blocklayoutSector Byte 0 00010203040506070809101112131415KeyAWRITE onlyAccess ControlBitsKeyB or DATA●●KeyA can never be readKeyB may be read and/or written– Depending on ACB●ACB for various combinations– Who may read/write keys– Who may increment/decrement/restorevalue blocks

data blockSector Byte 0 00010203040506070809101112131415Value●16 bytes free storage

value blockSector Byte 0 00010203040506070809101112131415ValueValue(inverted)ValueAdr Adr(i)Adr Adr(i)●Value stored 3 times– Twice non-inverted, once inverted●Address byte stored 4 times– Twice non-inverted, twice inverted– Audit trails– Backup– Read only (by value commands)

tag operationsCard SelectSector LoginRead/Writeetc.

demonstration

Questions?

majormal@pirate­radio.orghttp://www.alcrypto.co.ukoh dear...

logo

products

Resources

Company

Terms of service
Privacy policy
Cookie policy
Cookie settings
Imprint
Change language
Made with love in Switzerland
© 2024 Yumpu.com all rights reserved

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!