Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2013-09-08 07:52:56

rtk
Member
Registered: 2013-09-08
Posts: 3

About the "Replay Attack"

Hi, I've been playing with my proxmark for some time now, updated it, cracked some Mifare 1K Cards, got the keys, cloned them into Chinese Cards, etc, but now, I want to go a bit further, I want to snoop a transaction and be able to replay it to a different card (For educational purposes of course).

I'm pretty sure this functionality isn't present on current releases, and, in fact, it has never been present on any "Official" release, but, if you see the document Implementing an RFID MIFARE CLASSIC Attack, by Kyle E. Penri-Williams, you can see that he was able to modify the proxmark firmware/client to get a fully functional version of the replay attack.

The problem is that his mod was based on a very early version of the proxmark software, more precisely a version where all the real instructions for the client are still stored in the command.c file, so, let's just say, something around r200 and r300. I've been experimenting with r278, because, sadly, that's the only version for which I've been able to get the necessary files to get the build environment up.

So, this is where I am right now: I can compile the client, the fpga, boot, os, everything. Of course, I can't use the flasher to downgrade that far, and if it's possible, I've been unable to figure out how, so I bought an Olimex ARM-USB-OCD JTAG dongle and flashed the proxmark through JTAG. The client opens, the commands execute with 0 errors, but that's of course with the "untouched" r278 files; when I try to mod the files as described in the document, I get lots of different error codes.

Normally, I like to do things like this on my own, learn it the hard way, even if it takes me months. I've been trying to figure this out since March, and frankly, I can't. It's not that I don't have the necessary skills, it's just that the errors are sooooooooo generic, like, Error 2: - Something is wrong, go figure!

So, if anybody has any experience with the mod explained in this document, or has any idea of how to implement this functionality on recent releases, I'll gladly take some advice on how to make this work.

Thanks in advance.


#2 2013-09-08 16:51:22

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: About the "Replay Attack"

rtk wrote:

I want to snoop a transaction and be able to replay it to a different card (For educational purposes of course).

Almost every time a mifare tag wants to auth, new pseudo-random nr and nt are generated...

rtk wrote:

Normally, I like to do things like this on my own, learn it the hard way, even if it takes me months. I've been trying to figure this out since March, and frankly, I can't. It's not that I don't have the necessary skills, it's just that the errors are sooooooooo generic, like, Error 2: - Something is wrong, go figure!

I would strongly recommend understanding the code. Open the untouched source file that you're editing and comment EVERY line of code, e.g. foobar(); //this code turns on the green led and turns on the FPGA etc. You should understand very well the functions and structure of the code that you have commented before adding new code.
Then you can add a few lines of your code and see what happens.


#3 2013-09-08 19:08:00

rtk
Member
Registered: 2013-09-08
Posts: 3

Re: About the "Replay Attack"

vivat wrote:

Almost every time a mifare tag wants to auth, new pseudo-random nr and nt are generated...

You can trick the card in order to get the same nonce twice, read the document I mentioned.

vivat wrote:

I would strongly recommend understanding the code. Open the untouched source file that you're editing and comment EVERY line of code, e.g. foobar(); //this code turns on the green led and turns on the FPGA etc. You should understand very well the functions and structure of the code that you have commented before adding new code.
Then you can add a few lines of your code and see what happens.

That really doesn't help me. I can't just read every line of every file I need to mod in order to get this to work; let me give you an example: command.c has more than 3000 lines of code.

With all due respect, I'm looking for someone that has specific information on this specific subject. Any help is appreciated, but I can't work out anything with a generic answer like that one. Again, I mean no disrespect, I'm just saying that's not the kind of info I need.

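The point vivat raises (a fresh nr/nt on every authentication) and rtk's reply (the attack only works if the card can be made to hand out the same nonce twice) are the whole story of why challenge-response resists replay. The following is an added illustration, not code from this thread and not Proxmark firmware or client code: a toy challenge-response model in Python in which HMAC-SHA256 stands in for the real tag cipher. The key, the message layout, the "stuck" nonce value and the NonceMonitor class are all constructed for the example. It shows that a recorded reader answer only verifies again when the tag repeats its nonce, and gives a simple reader-side check that flags a repeated tag nonce as a sign of a weak or manipulated nonce generator.

```python
"""Toy challenge-response model: fresh tag nonce vs. repeated tag nonce.

Constructed illustration only. The MAC is HMAC-SHA256 over (nt || nr),
truncated to 4 bytes; it is NOT Crypto-1 and the framing is invented.
"""
import hashlib
import hmac
import secrets

KEY = bytes.fromhex("a0a1a2a3a4a5")    # constructed sample key, not a real sector key
FIXED_NT = bytes.fromhex("01020304")    # constructed value for a tag whose nonce repeats


def mac(key: bytes, nt: bytes, nr: bytes) -> bytes:
    """Reader's proof of key knowledge, bound to BOTH the tag nonce and the reader nonce."""
    return hmac.new(key, nt + nr, hashlib.sha256).digest()[:4]


class Tag:
    """Tag side of the exchange.

    fresh=True  : a new random 4-byte nt for every authentication (the normal case).
    fresh=False : the same nt every time, modelling the weakened state in which a
                  recorded exchange can be presented to the card again.
    """

    def __init__(self, key: bytes, fresh: bool = True):
        self.key = key
        self.fresh = fresh

    def challenge(self) -> bytes:
        return secrets.token_bytes(4) if self.fresh else FIXED_NT

    def verify(self, nt: bytes, nr: bytes, ar: bytes) -> bool:
        # Constant-time comparison; the expected value depends on the CURRENT nt.
        return hmac.compare_digest(mac(self.key, nt, nr), ar)


def legitimate_auth(tag: Tag, key: bytes) -> dict:
    """A reader that knows the key answers the live challenge; the transcript is kept."""
    nt = tag.challenge()
    nr = secrets.token_bytes(4)
    ar = mac(key, nt, nr)
    return {"nt": nt, "nr": nr, "ar": ar, "ok": tag.verify(nt, nr, ar)}


def present_transcript_again(tag: Tag, transcript: dict) -> bool:
    """A reader that does NOT know the key re-sends the recorded (nr, ar)
    against whatever challenge the tag issues now. It can only succeed if the
    tag's current nt equals the nt in the recording."""
    nt_now = tag.challenge()
    return tag.verify(nt_now, transcript["nr"], transcript["ar"])


class NonceMonitor:
    """Hypothetical reader-side check: remember tag nonces and flag a repeat.
    With a 32-bit random nonce a repeat within a short session is not expected,
    so a hit points at a broken RNG or at a tag being driven into a known state."""

    def __init__(self):
        self.seen = set()

    def observe(self, nt: bytes) -> bool:
        """Return True if this nonce was already seen (i.e. raise an alert)."""
        if nt in self.seen:
            return True
        self.seen.add(nt)
        return False


def demo(fresh: bool) -> tuple:
    """(legitimate auth succeeded, recorded answer accepted a second time)."""
    tag = Tag(KEY, fresh)
    transcript = legitimate_auth(tag, KEY)
    return transcript["ok"], present_transcript_again(tag, transcript)


if __name__ == "__main__":
    print("fresh nonce   :", demo(True))    # (True, False): recording is useless
    print("repeated nonce:", demo(False))   # (True, True): recording verifies again
    mon = NonceMonitor()
    print("monitor flags repeat:", mon.observe(FIXED_NT), mon.observe(FIXED_NT))
```

Because the MAC covers nt, the recorded answer is tied to the nonce the tag issued at recording time; with a fresh nt the same bytes simply do not verify. The monitor is the defensive counterpart: a reader or a sniffing Proxmark can log tag nonces and alert when one comes back, which is exactly the condition the attack needs.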

#4 2013-09-16 07:23:43

rtk
Member
Registered: 2013-09-08
Posts: 3

Re: About the "Replay Attack"

Any other ideas? Help will be really appreciated.
