Proxmark3 community


#1 2009-11-19 17:30:35

Baquinjam Palas
Contributor
Registered: 2009-09-27
Posts: 17

My first log

Incomplete, but it's my first log. This is the only interesting zone.

recorded activity:
 ETU     :rssi: who bytes
---------+----+----+-----------
 +      0:    :     26    
 +     64:   0: TAG 04  00    
 +   1432:    :     93  20    
 +     64:   0: TAG 5e  c2  1c  61  e1    
 +   2168:    :     93  70  5e  c2  1c  61  e1  d5  65    
 +     64:   0: TAG 08  b6  dd    
 +  31064:    :     60  0c  99  b1    
 +    114:   0: TAG fd  6f  82  aa    
 +   1974:    :     22  9d  d4  94  85  c5  xx xx      !crc
 +     66:   0: TAG 80! eb! 19! ec 

Now, running crapto, I've obtained key A for sector 03. It works only in this sector.

Somewhere in the forum I've read that, knowing one key, it is possible to get the other keys by running a nested authentication, but I don't know how to do it.

Is it possible to do it in Windows? And how?

In Linux I only have problems, a lot of problems.

Regards.

Last edited by Baquinjam Palas (2009-11-19 19:27:49)


#2 2009-11-20 01:42:29

hat
Contributor
Registered: 2009-04-12
Posts: 160

Re: My first log

The operating system is of little importance, at least in this case. If you are able to get this trace, you should also be able to do the nested authentication.

The attack goes in 3 steps:

1- authenticate to the card's sector of which you already know the key.
2- start authenticating to the sector you don't yet know the key of.
3- repeat this (at least 3 times) and use the encrypted tag nonces that the tag sends out after step 2 to retrieve the secret key.

mfoc provides code to do everything using libnfc and crapto1 underneath, at least in some way. And the latest crapto1 code also has additional support for it.


#3 2009-11-20 21:56:06

Baquinjam Palas
Contributor
Registered: 2009-09-27
Posts: 17

Re: My first log

Thank you for your answer.

When I read your post I felt a flash in my mind. You've opened my eyes.

If I do what you are telling me, I can obtain three or more tag nonces ENCRYPTED with the key I want to recover.

I'll think about it this weekend.

Everybody knows a little of the world in which they live; for you this must be trivial because this is your world, but for me it isn't so easy because I belong to another world.

Thanks a lot.

Last edited by Baquinjam Palas (2009-11-20 21:57:37)


#4 2009-11-21 04:20:40

hat
Contributor
Registered: 2009-04-12
Posts: 160

Re: My first log

Baquinjam Palas wrote:

Everybody knows a little of the world in which they live; for you this must be trivial because this is your world, but for me it isn't so easy because I belong to another world.

Well, in my world that was the most useless use of bits to date. Surpassed only by these bits commenting on it.

Anyway, good luck. It's implemented in mfoc too IIRC, but not the cleanest version IMHO.


#5 2009-11-23 13:26:18

Baquinjam Palas
Contributor
Registered: 2009-09-27
Posts: 17

Re: My first log

You are right.

I'm able to get 3 or more encrypted tag nonces:

+2770194:    :     26    
 +     64:   0: TAG 04  00    
 +   1432:    :     93  20    
 +     64:   0: TAG 5e  c2  1c  61  e1    
 +   2168:    :     93  70  5e  c2  1c  61  e1  d5  65    
 +     64:   0: TAG 08  b6  dd    
 +  31064:    :     60  08  bd  f7    
 +    112:   0: TAG d7  b2  ae  bd   
 +   1976:    :     60  d1  57  7f  aa  02  78  ea      !crc
 + 599060:    :     26    
 +     64:   0: TAG 04  00    
 +   1424:    :     93  20    
 +     64:   0: TAG 5e  c2  1c  61  e1    
 +   2168:    :     93  70  5e  c2  1c  61  e1  d5  65    
 +     64:   0: TAG 08  b6  dd    
 +  31160:    :     60  08  bd  f7    
 +    112:   0: TAG cc  ec  00  cd   
 +   1976:    :     86  ae  b4  79  69  34  ed  50      !crc
 + 545300:    :     26    
 +     64:   0: TAG 04  00    
 +   1440:    :     93  20    
 +     64:   0: TAG 5e  c2  1c  61  e1    
 +   2168:    :     93  70  5e  c2  1c  61  e1  d5  65    
 +     64:   0: TAG 08  b6  dd    
 +  31144:    :     60  08  bd  f7    
 +    112:   0: TAG 9c  6a  3c  1e   
 +   1976:    :     33  aa  1e  4c  8a  a1  58  ed      !crc

But now, I think I need the same plain tag nonce. Perhaps this is what mfoc does; I don't know because I've never used it.

I've tried this weekend to compile it on Cygwin but I only have problems. Better said: the problem is me. I don't know how to compile.

Would anyone be so kind as to send me mfoc already compiled?

P.S.: I think that useful is only a word we apply to things. In my working life I make "useful things", of course; but in my free time I make many things only for personal satisfaction, and this is one of them. When I get the 32 keys of my tag I'll have finished, because I don't travel by bus.

Regards.

Last edited by Baquinjam Palas (2009-11-23 13:53:03)


#6 2009-11-23 14:29:14

hat
Contributor
Registered: 2009-04-12
Posts: 160

Re: My first log

Baquinjam Palas wrote:

I'm able to get 3 or more encrypted tag nonces:

Really? Are you sure? Because I'm not seeing them in your log.

And for freak's sake, people. If you can't compile stuff like this ...


#7 2009-11-23 19:49:34

Baquinjam Palas
Contributor
Registered: 2009-09-27
Posts: 17

Re: My first log

Sorry, but I thought that these 3 tag nonces after 60 08 were encrypted in the second auth.

I'll try again.

Regards.

P.S. I don't feel like a freak. Sure.


#8 2009-11-24 00:05:09

hat
Contributor
Registered: 2009-04-12
Posts: 160

Re: My first log

You can feel all you want, and you can talk crap about different worlds. But in no way are you at all clever in any of them.

I outlined clearly 3 steps:
-> authenticate to the known sector
-> authenticate to an unknown sector
-> repeat and collect the encrypted nonces.

You only ever try to authenticate to sector 8, so in no case would it ever make sense.
You even know it's called nested authentication, yet you don't nest.
It goes:
[T,R anticollision][R send plaintext auth command][T plain tag nonce] [R encrypted reader nonce and reader answer][T encrypted tag answer][R encrypted nested auth command][T encrypted tag nonce]

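As an added example (not code from the thread, the Proxmark3 client or mfoc), the following Python decodes trace lines in the format quoted above, checks the ISO 14443-3 CRC_A on the plaintext reader frames, and labels each frame by its position in the sequence hat lists; the state names, labels and the embedded sample session are constructed for this example.

```python
def crc_a(data):
    """ISO 14443-3 CRC_A (poly 0x8408, init 0x6363), low byte first as sent on air."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = (crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)
    return bytes([crc & 0xFF, crc >> 8])

def parse_trace(text):  # yield (is_tag, payload) per ' + ETU: rssi: [TAG] bytes [!crc]' line
    for line in text.splitlines():
        toks = line.split(":", 2)[-1].split() if line.lstrip().startswith("+") else []
        # 'xx' is a byte the sniffer could not decode; a trailing '!' marks a parity error
        hexes = [t.rstrip("!") for t in toks if t not in ("TAG", "!crc") and "x" not in t]
        if hexes:
            yield toks[0] == "TAG", bytes(int(h, 16) for h in hexes)

STEPS = {  # (is_tag, state) -> (label, next state) for frames whose role follows from position
    (True, "reqa"): ("T ATQA", "atqa"), (True, "ac"): ("T UID+BCC", "uid"), (True, "sel"): ("T SAK", "selected"),
    (True, "auth"): ("T plaintext tag nonce", "tnonce"), (True, "rans"): ("T encrypted tag answer", "tans"),
    (False, "tnonce"): ("R encrypted reader nonce + answer", "rans"),
    (False, "tans"): ("R encrypted nested AUTH command", "nested"),
    (True, "nested"): ("T encrypted nested tag nonce", "tnonce")}

def classify(text):  # label each frame by its place in the exchange hat lists in #8; '?' = not understood
    labels, state = [], "idle"
    for is_tag, raw in parse_trace(text):
        crc_ok = len(raw) > 2 and raw[-2:] == crc_a(raw[:-2])
        if not is_tag and raw == b"\x26":
            label, state = "R REQA (new session, not nested)", "reqa"
        elif not is_tag and raw[:2] == b"\x93\x20":
            label, state = "R anticollision", "ac"
        elif not is_tag and raw[:2] == b"\x93\x70" and crc_ok:
            label, state = "R SELECT uid=" + raw[2:6].hex(), "sel"
        elif not is_tag and raw[0] in (0x60, 0x61) and crc_ok:  # plaintext Mifare Classic AUTH
            key = "A" if raw[0] == 0x60 else "B"
            label, state = f"R plaintext AUTH key{key} block {raw[1]} (sector {raw[1] // 4})", "auth"
        else:
            label, state = STEPS.get((is_tag, state), ("?", state))
        labels.append(label)
    return labels
# Constructed sample: the first session of the trace in post #5, from anticollision onwards.
SAMPLE = """\
 +   1424:    :     93  20
 +     64:   0: TAG 5e  c2  1c  61  e1
 +   2168:    :     93  70  5e  c2  1c  61  e1  d5  65
 +     64:   0: TAG 08  b6  dd
 +  31160:    :     60  08  bd  f7
 +    112:   0: TAG cc  ec  00  cd
 +   1976:    :     86  ae  b4  79  69  34  ed  50      !crc
"""
```

Run over the traces posted in #1 and #5, every session stops at the reader's or the tag's encrypted answer and no frame is labelled nested, which is the gap hat points out.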
