Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2011-08-24 06:41:43

henry2010
Member
Registered: 2010-06-11
Posts: 9

Darkside attack for mifare card

I've tested mfcuk (newest version). It works for NXP products. For those unlicensed cards, it's a little bit different.
Here is the description.

The card also replies with NACK even if the parity bit is wrong (not the same as a mifare card).
The card has UID = 0x6ec92c63
Some traces are listed. The card's block 7 (sector 1) has key: 0xffffffffffff

 +  76074:    :     52    
 +     64:   0: TAG 04  00    
 +  17984:    :     93  20    
 +     64:   0: TAG 6e  c9  2c  63  e8    
 +  19160:    :     93  70  6e  c9  2c  63  e8  ce  59    
 +     66:   0: TAG 08  b6  dd    
 +  16422:    :     60  04  d1  3d    
 +     90:   0: TAG 52  69  66  0d    
 +   1534:    :     d1  40  fe  2c  0f  46  90  a5     !crc
 +     66:   0: TAG 09!                                         !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +  14334:    :     30  04  26  ee    
 +  19320:    :     50  00  57  cd    
 +  76923:    :     52    
 +     64:   0: TAG 04  00    
 +  17968:    :     93  20    
 +     64:   0: TAG 6e  c9  2c  63  e8    
 +  19176:    :     93  70  6e  c9  2c  63  e8  ce  59    
 +     65:   0: TAG 08  b6  dd    
 +  16344:    :     60  04  d1  3d    
 +     88:   0: TAG 1b  86  6e  83    
 +   1416:    :     e9  80  40  bf  c9  f8  6c  c1     !crc
 +     64:   0: TAG 00!                                     !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +  12824:    :     30  04  26  ee    
 +  17704:    :     50  00  57  cd    
 +  76954:    :     52    
 +     64:   0: TAG 04  00    
 +  18008:    :     93  20    
 +     64:   0: TAG 6e  c9  2c  63  e8    
 +  19208:    :     93  70  6e  c9  2c  63  e8  ce  59    
 +     65:   0: TAG 08  b6  dd    
 +  16336:    :     60  04  d1  3d    
 +     88:   0: TAG f6  e3  6a  50    
 +   1544:    :     70  9d  2d  e4  43  b6  26  14     !crc
 +     64:   0: TAG 04    
 +  14392:    :     30  04  26  ee    
 +  18640:    :     50  00  57  cd    
 +  76073:    :     52    
 +     66:   0: TAG 04  00    
 +  17958:    :     93  20    
 +     66:   0: TAG 6e  c9  2c  63  e8    
 +  18992:    :     93  70  6e  c9  2c  63  e8  ce  59    
 +     64:   0: TAG 08  b6  dd    
 +  16432:    :     60  04  d1  3d    
 +     88:   0: TAG 38  81  58  75    
 +   1552:    :     b6  aa  2a  6c  a8  4f  76  69     !crc
 +     64:   0: TAG 00!   
 +  13680:    :     30  04  26  ee    
 +  18440:    :     50  00  57  cd    

Can anybody tell me how it works for those unlicensed cards?


Thanks.

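For readers following the trace in post #1, here is an added example (not part of any post in this thread, and not Proxmark or mfcuk code) that audits the ISO 14443-A framing of the first authentication attempt: the UID block check character and the CRC_A on each plaintext frame. The frame bytes are copied from the trace; the function names and verdict labels are this example's own. The reader's 8-byte answer comes out as "crc-bad", which corresponds to the `!crc` flag in the listing: that frame is encrypted and carries no plaintext CRC.

```python
# Added example: audit BCC and CRC_A on frames copied from the first
# authentication attempt in the trace posted in #1.

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (initial value 0x6363), low byte first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def bcc(uid: bytes) -> int:
    """Block check character: XOR of the four UID bytes."""
    x = 0
    for b in uid:
        x ^= b
    return x

# (source, frame) pairs taken from the trace; 4-bit tag replies are left out.
FRAMES = [
    ("reader", "52"), ("tag", "04 00"),
    ("reader", "93 20"), ("tag", "6e c9 2c 63 e8"),
    ("reader", "93 70 6e c9 2c 63 e8 ce 59"), ("tag", "08 b6 dd"),
    ("reader", "60 04 d1 3d"), ("tag", "52 69 66 0d"),
    ("reader", "d1 40 fe 2c 0f 46 90 a5"),
    ("reader", "30 04 26 ee"), ("reader", "50 00 57 cd"),
]

def audit(frames):
    """Return (frame, verdict) pairs; prev tracks the last reader frame."""
    out, prev = [], b""
    for src, hexstr in frames:
        f = bytes.fromhex(hexstr)
        if len(f) < 3:                          # short frames and ATQA carry no CRC
            verdict = "no-crc"
        elif src == "tag" and prev == b"\x93\x20":
            verdict = "bcc-ok" if bcc(f[:4]) == f[4] else "bcc-bad"
        elif src == "tag" and prev[:1] in (b"\x60", b"\x61"):
            verdict = "nonce"                   # 4-byte tag nonce, sent without CRC
        else:
            verdict = "crc-ok" if crc_a(f[:-2]) == f[-2:] else "crc-bad"
        out.append((hexstr, verdict))
        if src == "reader":
            prev = f
    return out

if __name__ == "__main__":
    for hexstr, verdict in audit(FRAMES):
        print(f"{verdict:8} {hexstr}")
```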

#2 2011-08-26 01:08:15

moebius
Contributor
Registered: 2011-03-10
Posts: 206

Re: Darkside attack for mifare card

+1! Good question. Maybe @Zveriu can answer this ;)


#3 2011-08-27 16:37:32

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: Darkside attack for mifare card

Some unlicensed and new original mifare cards have a fixed pseudo-random number generator (PRNG). AFAIK the "Darkside" attack works for older cards which have a PRNG that is built on four XORs.


#4 2011-08-27 17:48:20

moebius
Contributor
Registered: 2011-03-10
Posts: 206

Re: Darkside attack for mifare card

vivat wrote:

Some unlicensed and new original mifare cards have a fixed pseudo-random number generator (PRNG). AFAIK the "Darkside" attack works for older cards which have a PRNG that is built on four XORs.

But it's still possible to get the key by sniffing the comm between an original reader with the card.. right?

I'm trying to crack one mifare card (maybe with the kid we can know that it's one of those "new" mifare cards...).. it's been cracking for 3 (yes three) days.. here's the result.. (still running)


Let me entertain you!
    uid: ee30fed4
   type: 08
    key: 000000000000
  block: 07
diff Nt: 65533
  auths: 1578368
-----------------------------------------------------

1.5M auths! That's a record!

Do you think that I'm going to break it?

Thanks!


#5 2011-08-27 18:28:24

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: Darkside attack for mifare card

moebius wrote:
vivat wrote:

Some unlicensed and new original mifare cards have a fixed pseudo-random number generator (PRNG). AFAIK the "Darkside" attack works for older cards which have a PRNG that is built on four XORs.

But it's still possible to get the key by sniffing the comm between an original reader with the card.. right?

Yes

Do you think that I'm going to break it?

No. If the software can't recover any keys for 1~1.5 hours, you are out of luck. It should recover some key within a few minutes.


#6 2011-08-28 02:51:22

moebius
Contributor
Registered: 2011-03-10
Posts: 206

Re: Darkside attack for mifare card

OK, I stopped the process...

How can I know by reading the uid that it's a "new" mifare card with "anti darkside attack" protection?

Thanks!


#7 2011-10-22 22:06:30

jonor
Contributor
Registered: 2009-09-17
Posts: 97

Re: Darkside attack for mifare card

I have a slightly different problem with this attack. After ~1.5 hours I have an invalid key with NT; when I relaunch the attack with the previous NT I have another invalid key. I tried to relaunch the attack 5 times until I have the same NT as the first, and so on. I have a loop without recovering a valid key. Am I out of luck?

With these cards the nested attack works great.

They are test cards with keys 0xFFFFFFFFFFFF.


#8 2011-11-10 23:16:23

miguegold
Contributor
Registered: 2011-08-05
Posts: 12

Re: Darkside attack for mifare card

I think I have found a way to make the crack work on these Chinese cards. Before posting it I want to make sure it works on other cards than mine, so if anyone is interested in helping just send me a message. So far, I have two pieces of code which, together, implement the dark side attack for Chinese cards and returned the appropriate keys.

PS: The cards I'm referring to are those that always answer, regardless of the parity bits (when the console with all answers appears, they all tend to have zeros in all parity bits)

Last edited by miguegold (2011-11-10 23:33:12)


#9 2011-11-11 18:34:51

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Darkside attack for mifare card

I would like to help you. I have some of those cards to try, so if you want, email me,
because I can't send you a message; you don't have the email button.
Also, my email is my nickname finished : @hotmail.com


#10 2011-11-11 22:10:52

miguegold
Contributor
Registered: 2011-08-05
Posts: 12

Re: Darkside attack for mifare card

thefkboss wrote:

I would like to help you. I have some of those cards to try, so if you want, email me,
because I can't send you a message; you don't have the email button.
Also, my email is my nickname finished : @hotmail.com

Thanks for your answer! I've sent you an email.


#11 2012-12-12 08:22:14

kxn
Member
Registered: 2012-12-12
Posts: 5

Re: Darkside attack for mifare card

Hi, is there any update for this kind of card? I have several cards of this type on hand. They respond with 4 bits regardless of the parity bits.

Thanks


#12 2012-12-24 16:11:03

miguegold
Contributor
Registered: 2011-08-05
Posts: 12

Re: Darkside attack for mifare card

I've explained what I did to attack these cards in http://www.proxmark.org/forum/viewtopic.php?pid=6315#p6315 Enjoy!!!
