Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

#1 2014-11-13 10:54:45

J-Run
Contributor
Registered: 2014-11-13
Posts: 24

nested auth key recovery

Hi there!
Some time ago I played with MF Classic authentication trace logs and ran into trouble with multiple-sector nested auth key recovery.
I didn't find any public solutions for this task, so I read Garcia's whitepaper again and coded a couple of dirty tools to recover keys for nested-authenticated sectors.
For this we need a reader-card communication trace log, the card we want to crack and a libnfc-compatible reader.

There are 2 tools that I want to share with you:
mf_nonce_brute (https://github.com/J-Run/mf_nonce_brute)
and
mf_key_brute (https://github.com/J-Run/mf_key_brute)

#2 2014-11-13 19:57:09

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: nested auth key recovery

Thank you for your contribution. I hope this will be added to the main trunk soon!

#3 2014-11-26 23:57:46

clayer
Contributor
Registered: 2013-12-22
Posts: 45

Re: nested auth key recovery

100x thanks
But one more little request:
Can you compile them to run under Windows?

#4 2014-11-27 01:57:04

clayer
Contributor
Registered: 2013-12-22
Posts: 45

Re: nested auth key recovery

I've tried to compile but gcc gives errors, can this be used?

#5 2014-12-03 18:32:50

NeiJPass
Contributor
From: Usa
Registered: 2014-05-14
Posts: 37

Re: nested auth key recovery

Can someone explain how to install and use the mf_nonce_brute and mf_key_brute commands with the proxmark3, so that we can test them? THANK YOU

#6 2014-12-04 08:22:49

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: nested auth key recovery

How can I compile? Thanks

#7 2014-12-05 17:01:46

J-Run
Contributor
Registered: 2014-11-13
Posts: 24

Re: nested auth key recovery

clayer, I did not think about a Windows version.

Let's try to compile mf_nonce_brute step by step.

git clone https://github.com/J-Run/mf_nonce_brute.git
cd mf_nonce_brute
make

and for mf_key_brute it should be:

git clone https://github.com/J-Run/mf_key_brute.git
cd mf_key_brute
./build.sh

autoconf and libnfc-dev are needed for a successful build.

#8 2014-12-10 00:22:59

clayer
Contributor
Registered: 2013-12-22
Posts: 45

Re: nested auth key recovery

J-Run, thanks

I've compiled the 1st part of the program; it worked fine to get keys.
For the 2nd part I used the dictionary bruteforcer (I made a dictionary based on the 1st-part key); all worked fine with a 4-byte UID card, but how do I bruteforce with a 7-byte UID card?

Does libnfc work with 7-byte UID cards?

Can anyone test?

#9 2014-12-10 08:27:21

alexeybar200
Contributor
Registered: 2014-05-16
Posts: 17

Re: nested auth key recovery

J-Run, good work!

How much time was spent on the key search using mf_key_brute? What will work faster, your attack or the nested attack (using the first key)? Can you use the attack on the parity bits (about 10 seconds to poll the card and check 65536 keys)?

Your program mf_nonce_brute will not work with a MIFARE-emulated card (e.g. MIFARE Plus SL1) because the tag challenge (Nt) contains all four random bytes.

P.S. I solved the problem classically: guessing the open command data following the authorization and checking the reader response (card: MIFARE Plus SL1, found max 4 key candidates).

clayer,
I haven't tested the program. The source code takes different UID sizes:

memcpy(mp.mpa.abtAuthUid, t.nt.nti.nai.abtUid + t.nt.nti.nai.szUidLen - 4, sizeof(mp.mpa.abtAuthUid));

#10 2014-12-10 13:38:53

J-Run
Contributor
Registered: 2014-11-13
Posts: 24

Re: nested auth key recovery

Thank you, guys, for your feedback!

Clayer,
I tested this only with 4-byte UID cards and yes, this code accepts only 4-byte values as UID. At the moment I'm not sure that it is possible to find the last 4 bytes of the key (key candidates) with only the 2 known last bytes of Nt in the case of a 7-byte UID. I'm also not sure that the Crapto1 library that I used works fine with 7-byte UIDs. Anyway I'll try to get a 7-byte UID card and check it.

alexeybar200,
>How much time was spent on the key search using mf_key_brute?
With the ACR122U reader, bruteforce of the first 2 bytes of the key can be done in less than 1 hour. (can't remember the actual speed, will post it later)

>What will work faster, your attack or the nested attack (using the first key)?
I suppose that the classic nested attack (mfoc for example) will be faster, because in my attack we need ~40 minutes to find key candidates and about an hour for the online key bruteforce. Mfoc takes at most ~20 minutes in my tests. But the classic nested attack does not work for new MF Classic cards with a fixed PRNG and MF Plus in emulation mode.

>Can you use the attack on the parity bits (about 10 seconds to poll the card and check 65536 keys)?
Yes, with the help of the parity bits leakage we can reduce the number of possible keys to check in phase#2 from 65536 to only 64 (as we know from Garcia's whitepaper). But I did not use this possibility. Because I was not able to get a large reader-card communication sniff log with my proxmark and the stock PCB antenna (a lot of bytes corrupted or simply lost), I used the hardware tool HydraNFC to sniff data. Unfortunately this tool cannot provide information about the transmitted parity bits, so I just bruteforce all 2^16 keys.

>Your program mf_nonce_brute will not work with a MIFARE-emulated card (e.g. MIFARE Plus SL1) because the tag challenge (Nt) contains all four random bytes.
The cards that I used for testing were actually MF Plus in SL1 emulation mode. As I see it, it does not matter how good the tag's PRNG is, so it works fine.

#11 2014-12-10 17:08:54

alexeybar200
Contributor
Registered: 2014-05-16
Posts: 17

Re: nested auth key recovery

>>Can you use the attack on the parity bits (about 10 seconds to poll the card and check 65536 keys)?
>Yes, with the help of the parity bits leakage we can reduce the number of possible keys to check in phase#2 from 65536 to only 64 (as we know from Garcia's whitepaper). But I did not use this possibility. Because I was not able to get a large reader-card communication sniff log with my proxmark and the stock PCB antenna (a lot of bytes corrupted or simply lost), I used the hardware tool HydraNFC to sniff data. Unfortunately this tool cannot provide information about the transmitted parity bits, so I just bruteforce all 2^16 keys.

I mean my brute force attack on MIFARE Plus SL1:
http://www.proxmark.org/forum/viewtopic.php?id=2120

#12 2014-12-11 01:55:11

J-Run
Contributor
Registered: 2014-11-13
Posts: 24

Re: nested auth key recovery

Clayer,
7-byte UIDs are much easier than I thought. If we are dealing with a 7-byte UID card, all we need is to use the last 4 bytes as a usual 4-byte UID.

Alexeybar200,
I've seen your topic but I'm still not sure what you are actually asking about.

And I measured the online key bruteforce speed with the ACR122U:
~35 keys/sec for MF Classic 1K
~12 keys/sec for MF Plus in SL1 mode (~1.5 hours to check all 2^16 keys)

#13 2014-12-17 11:57:25

clayer
Contributor
Registered: 2013-12-22
Posts: 45

Re: nested auth key recovery

I mean the 2nd part of the bruteforcer seems not to support 7-byte UIDs, because libnfc can't read them.

#14 2014-12-19 12:12:53

J-Run
Contributor
Registered: 2014-11-13
Posts: 24

Re: nested auth key recovery

Hm, strange. Because I used libnfc-1.7.1, and it operates well with 7-byte UID tags.
For the auth command mf_key_brute uses the abtAuthUid field of the mifare params structure, which is 4 bytes in size and contains the last bytes of the real 7-byte UID. See this commit: https://groups.google.com/forum/#!topic/libnfc-commits/oKoNJUit1Uw.

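The UID handling discussed in the posts above (a 7-byte UID card is authenticated with its last 4 bytes, which is what the one-line memcpy into abtAuthUid quoted earlier does) as an added C example; this is not J-Run's code and not libnfc's. The function names, the AUTH_UID_LEN constant and the sample UIDs are assumptions constructed for illustration. The length check is the one thing the quoted memcpy lacks: with a UID shorter than 4 bytes, `abtUid + szUidLen - 4` points before the buffer.

```c
/* Added example, not J-Run's or libnfc's code: derive the 4-byte UID that
 * MIFARE Classic authentication uses from a 4-, 7- or 10-byte ISO14443-A
 * UID. Authentication takes the UID bytes of the last cascade level,
 * i.e. the last 4 bytes, which is what libnfc's abtAuthUid field holds. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define AUTH_UID_LEN 4   /* assumed name; size of the MIFARE auth UID */

/* Constructed sample UIDs, not taken from any real card. */
const uint8_t SAMPLE_UID4[4]   = {0xDE, 0xAD, 0xBE, 0xEF};
const uint8_t SAMPLE_UID7[7]   = {0x04, 0xA1, 0xB2, 0xC3, 0xD4, 0xE5, 0xF6};
const uint8_t SAMPLE_UID10[10] = {0x04, 0x11, 0x22, 0x33, 0x44,
                                  0x55, 0x66, 0x77, 0x88, 0x99};

/* Copy the last 4 bytes of uid into out. Returns 0 on success, -1 if the
 * UID length is not a valid ISO14443-A size (4, 7 or 10). The quoted
 * memcpy (abtUid + szUidLen - 4) has no such check and would read before
 * the buffer for a short or empty UID, hence the validation here. */
int select_auth_uid(const uint8_t *uid, size_t uid_len,
                    uint8_t out[AUTH_UID_LEN])
{
    if (uid == NULL || out == NULL)
        return -1;
    if (uid_len != 4 && uid_len != 7 && uid_len != 10)
        return -1;
    memcpy(out, uid + uid_len - AUTH_UID_LEN, AUTH_UID_LEN);
    return 0;
}

/* Pack the selected bytes into one 32-bit value (wire byte order) so the
 * result is easy to compare. Returns 0 when select_auth_uid() rejects
 * the input. */
uint32_t auth_uid_u32(const uint8_t *uid, size_t uid_len)
{
    uint8_t a[AUTH_UID_LEN];
    if (select_auth_uid(uid, uid_len, a) != 0)
        return 0;
    return ((uint32_t)a[0] << 24) | ((uint32_t)a[1] << 16) |
           ((uint32_t)a[2] << 8)  |  (uint32_t)a[3];
}

int main(void)
{
    const uint8_t *uids[] = {SAMPLE_UID4, SAMPLE_UID7, SAMPLE_UID10};
    const size_t lens[]   = {4, 7, 10};
    uint8_t out[AUTH_UID_LEN];

    for (size_t i = 0; i < 3; i++)
        printf("uid_len=%2zu -> auth uid %08X\n",
               lens[i], auth_uid_u32(uids[i], lens[i]));

    /* A 5-byte UID is not a valid ISO14443-A size and is rejected. */
    printf("uid_len= 5 -> %s\n",
           select_auth_uid(SAMPLE_UID7, 5, out) == 0 ? "accepted" : "rejected");
    return 0;
}
```

For the 7-byte sample the selected auth UID is C3D4E5F6, the last cascade level's bytes; a 4-byte UID passes through unchanged, and any other length is refused instead of being read out of bounds.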
#15 2014-12-21 23:48:12

clayer
Contributor
Registered: 2013-12-22
Posts: 45

Re: nested auth key recovery

J-Run wrote:

Hm, strange. Because I used libnfc-1.7.1, and it operates well with 7-byte UID tags.
For the auth command mf_key_brute uses the abtAuthUid field of the mifare params structure, which is 4 bytes in size and contains the last bytes of the real 7-byte UID. See this commit: https://groups.google.com/forum/#!topic/libnfc-commits/oKoNJUit1Uw.

Thanks, I'll try (probably I used a live CD with an old libnfc).

#16 2014-12-26 13:38:45

clayer
Contributor
Registered: 2013-12-22
Posts: 45

Re: nested auth key recovery

J-Run, maybe you can give step-by-step instructions on how I can compile the program under Linux?

#17 2014-12-26 15:04:14

J-Run
Contributor
Registered: 2014-11-13
Posts: 24

Re: nested auth key recovery

OK, I'll try. For a freshly deployed, clean Ubuntu 14.04 desktop-amd64:
mf_nonce_brute:

sudo apt-get install git
sudo apt-get install libnfc-dev
sudo apt-get install autoconf
cd ~
git clone https://github.com/J-Run/mf_nonce_brute.git
cd mf_nonce_brute/
make
./mf_nonce_brute

and then mf_key_brute:

cd ~
git clone https://github.com/J-Run/mf_key_brute.git
cd mf_key_brute/
./build.sh
./mf_key_brute

#18 2015-06-28 02:18:21

roman921
Contributor
Registered: 2015-06-21
Posts: 48

Re: nested auth key recovery

alexeybar200 wrote:

>>Can you use the attack on the parity bits (about 10 seconds to poll the card and check 65536 keys)?
Yes, with the help of the parity bits leakage we can reduce the number of possible keys to check in phase#2 from 65536 to only 64

I'll try to write this option into these programs.

#19 2015-06-29 15:08:10

roman921
Contributor
Registered: 2015-06-21
Posts: 48

Re: nested auth key recovery

J-Run wrote:

Unfortunately this tool cannot provide information about the transmitted parity bits, so I just bruteforce all 2^16 keys.

Why 2^16 keys? Nt is 32 bits, 2^32 keys. Why does your bruteforce run Nt from 0000 0000 to 0000 FFFF? Why not 0000 0000 to FFFF FFFF?

#20 2015-06-29 16:29:35

J-Run
Contributor
Registered: 2014-11-13
Posts: 24

Re: nested auth key recovery

roman921,
I meant that the extra information from the parity bits may help us reduce the number of keys to check in phase#2 (online bruteforce). Correct me if I'm wrong.

In phase#1, knowledge of at least the last half of Nt is enough to decrypt the following data stream and find the correct value. The first bytes of Nt do not affect the following keystream. So it runs from 0000 0000 to 0000 FFFF.

Last edited by J-Run (2015-06-29 16:30:28)

#21 2015-06-29 17:05:46

roman921
Contributor
Registered: 2015-06-21
Posts: 48

Re: nested auth key recovery

J-Run wrote:

roman921,
I meant that the extra information from the parity bits may help us reduce the number of keys to check in phase#2 (online bruteforce).

Thank you.
Do you know how to crack the key to a sector which the turnstile does not use?
Is a full bruteforce of the card, 2^46, realistic?

#22 2015-06-29 19:27:47

J-Run
Contributor
Registered: 2014-11-13
Posts: 24

Re: nested auth key recovery

No, I don't have such information. The Dark Side and Nested attacks work well, but not with new cards.
Online bruteforce is really slow, and much slower on SL1 cards, so more likely no than yes.

#23 2015-06-29 19:40:15

roman921
Contributor
Registered: 2015-06-21
Posts: 48

Re: nested auth key recovery

J-Run wrote:

No, I don't have such information.

Can you help me hack a JCOP31 card in MIFARE Classic emulation? I don't have a proxmark. Are you from Moscow?
This card, when paying, alters two sectors. Is the write to the first sector multi auth or basic auth?

#24 2015-06-29 20:20:07

J-Run
Contributor
Registered: 2014-11-13
Posts: 24

Re: nested auth key recovery

I've never played with JCOP cards before, so I don't think I can help you. And I am not from Moscow. Anyway, on this forum no one helps with hacks of real-world deployed systems.

#25 2015-06-29 20:26:31

roman921
Contributor
Registered: 2015-06-21
Posts: 48

Re: nested auth key recovery

J-Run wrote:

I've never played with JCOP cards before, so I don't think I can help you.

And do you know why, on fare payment, data changes in two sectors of the card instead of one?

Could money be stored in two sectors on this card? This card is used to pay the bus fare.

Last edited by roman921 (2015-06-29 20:28:15)

#26 2015-06-29 20:45:19

J-Run
Contributor
Registered: 2014-11-13
Posts: 24

Re: nested auth key recovery

Sorry, I really have no idea about your case.

#27 2015-06-29 22:59:35

roman921
Contributor
Registered: 2015-06-21
Posts: 48

Re: nested auth key recovery

J-Run wrote:

Sorry, I really have no idea about your case.

J-Run, I want to suggest improving your program by reducing the key space for Nt from 2^16 to 64 using the parity bits.
I tried to read this topic: http://www.proxmark.org/forum/viewtopic.php?id=210
There is code for reducing the key space.

If I buy a smartphone and install nfc-proxy, can I get a log of the communication between the card and the turnstile, the same as with a proxmark?

Last edited by roman921 (2015-06-29 23:01:31)

#28 2015-06-30 13:01:52

J-Run
Contributor
Registered: 2014-11-13
Posts: 24

Re: nested auth key recovery

At the moment I'm not going to implement parity bits exploitation. You can do it yourself and it will be a great improvement! :-)
Anyway my current POC works well, and ~2 hours is not too long to recover a key, I guess.
Parity bits are a kind of service info and can be captured only with a proxmark or similar low-level tools, so it is useless until you can get them.
NFC-proxy may work, but you need at least 2 NFC-enabled smartphones, and remember that relay (proxy) attacks work only with very timing-tolerant systems.

#29 2015-07-22 00:11:08

roman921
Contributor
Registered: 2015-06-21
Posts: 48

Re: nested auth key recovery

How do I read a proxmark log to understand whether this is multi-sector auth or basic auth? In which cases is it necessary to use J-Run's software instead of cryptogui?

#30 2015-08-15 09:56:31

clayer
Contributor
Registered: 2013-12-22
Posts: 45

Re: nested auth key recovery

roman921, https://github.com/J-Run/mf_nonce_brute

Here it is explained how you can recognize nested auth.
Of course, if you have some hard issues you can post the full log here; we can help decrypt the keys.

Which Moscow card uses JCOP31?

Last edited by clayer (2015-08-15 10:14:06)

#31 2015-09-10 19:58:27

Hawkins
Member
Registered: 2015-09-10
Posts: 9

Re: nested auth key recovery

Hi, J-Run.

Sorry if the question is primitive, but can you please explain how to choose the parameters for mf_nonce_brute? I have a MIFARE Classic 1K/4K card and an ACR122U reader.

Thanks in advance!

#32 2015-09-10 20:20:53

J-Run
Contributor
Registered: 2014-11-13
Posts: 24

Re: nested auth key recovery

Hello, Hawkins!
To use mf_nonce_brute you must have a snoop (sniff) log of the card and reader. It is all explained in the Readme file. If you have any trouble, please post details about your input data (please don't post dump data from real deployed systems here) and what goes wrong. Feel free to ask any questions, but give the info needed to help you :-)

#33 2015-09-10 21:31:13

Hawkins
Member
Registered: 2015-09-10
Posts: 9

Re: nested auth key recovery

Hi, J-Run

I understand that I need a card-reader communication log, but I don't know what software I should use to get it. Any suggestions? Thanks!

#34 2015-09-11 03:39:09

J-Run
Contributor
Registered: 2014-11-13
Posts: 24

Re: nested auth key recovery

Not only software is needed. As far as I know it is not possible to switch the ACR122 into sniffing mode. For communication log capturing you can use a Proxmark3 or any other hardware that is able to sniff.

#35 2015-09-11 10:02:55

Hawkins
Member
Registered: 2015-09-10
Posts: 9

Re: nested auth key recovery

Now I see the problem. What hardware can you recommend (Proxmark3 or something else?) and where to buy it? Thanks

#36 2015-09-11 19:27:59

J-Run
Contributor
Registered: 2014-11-13
Posts: 24

Re: nested auth key recovery

This is all described in the readme file.
The Pm3 is a very powerful tool. Hydrabus+HydraNFC is also nice for sniffing purposes. May the Google be with you; there are lots of places to buy a pm3 and at least a couple to order a Hydrabus.

#37 2015-09-11 21:07:37

meter
Contributor
Registered: 2015-07-13
Posts: 78

Re: nested auth key recovery

I don't like Hydrabus+HydraNFC: it has a good microcontroller, but the TRF7970A chip is bad for me, it has many problems with RFID communications. Also the project has been sleeping for too long, and lastly it is not cheap: 99$ is too much for a microcontroller + TRF7970A.
Now for about 140$ you can buy a PM3 from taobao.

#38 2015-09-12 01:12:09

Hawkins
Member
Registered: 2015-09-10
Posts: 9

Re: nested auth key recovery

Thanks, guys!

Yes, I saw the README file. I just wanted to know your opinion about this hardware. Now I will try to order. Unfortunately it takes a lot of time to deliver.

#39 2015-10-26 19:46:05

jgarnham
Contributor
Registered: 2015-10-25
Posts: 11

Re: nested auth key recovery

Hi J-Run,

I'm considering ordering a PM3 to make use of your software and was wondering if anything else is needed. What will the PM3 sniff communications between? A standard ACR122U and the card/tag?

Thanks!

#40 2016-08-08 16:46:46

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497

Re: nested auth key recovery

Old thread I know, but I got around to implementing J-Run's phase2 mf_key_brute inside the PM3 client.

Keyspace: 0xFFFF - 65535
Estimated search time of keyspace: ~18min

I used a tag with a key that was at the end of the keyspace. It tried more than 62900 online authentications in 1106 seconds.

pm3 --> hf mf key h
J_Run's 2nd phase of multiple sector nested authentication key recovery
You have a known 4 last bytes of a key recovered with mf_nonce_brute tool.
First 2 bytes of key will be bruteforced

Usage:  hf mf keybrute [h] <block number> <A|B> <key>
options:
      h               this help
      <block number>  target block number
      <A|B>           target key type
      <key>           candidate key from mf_nonce_brute tool
samples:
           hf mf keybrute 1 A 000011223344
pm3 --> hf mf key 1 a 1122018778f7
tried : 06 4F 01 87 78 F7 ..     1700 keys
tried : 0C F3 01 87 78 F7 ..     3400 keys
tried : 13 97 01 87 78 F7 ..     5100 keys
tried : 1A 3B 01 87 78 F7 ..     6800 keys
tried : 20 DF 01 87 78 F7 ..     8500 keys
tried : 27 83 01 87 78 F7 ..     10200 keys
tried : 2E 27 01 87 78 F7 ..     11900 keys
tried : 34 CB 01 87 78 F7 ..     13600 keys
tried : 3B 6F 01 87 78 F7 ..     15300 keys
tried : 42 13 01 87 78 F7 ..     17000 keys
tried : 48 B7 01 87 78 F7 ..     18700 keys
tried : 4F 5B 01 87 78 F7 ..     20400 keys
tried : 55 FF 01 87 78 F7 ..     22100 keys
tried : 5C A3 01 87 78 F7 ..     23800 keys
tried : 63 47 01 87 78 F7 ..     25500 keys
tried : 69 EB 01 87 78 F7 ..     27200 keys
tried : 70 8F 01 87 78 F7 ..     28900 keys
tried : 77 33 01 87 78 F7 ..     30600 keys
tried : 7D D7 01 87 78 F7 ..     32300 keys
tried : 84 7B 01 87 78 F7 ..     34000 keys
tried : 8B 1F 01 87 78 F7 ..     35700 keys
tried : 91 C3 01 87 78 F7 ..     37400 keys
tried : 98 67 01 87 78 F7 ..     39100 keys
tried : 9F 0B 01 87 78 F7 ..     40800 keys
tried : A5 AF 01 87 78 F7 ..     42500 keys
tried : AC 53 01 87 78 F7 ..     44200 keys
tried : B2 F7 01 87 78 F7 ..     45900 keys
tried : B9 9B 01 87 78 F7 ..     47600 keys
tried : C0 3F 01 87 78 F7 ..     49300 keys
tried : C6 E3 01 87 78 F7 ..     51000 keys
tried : CD 87 01 87 78 F7 ..     52700 keys
tried : D4 2B 01 87 78 F7 ..     54400 keys
tried : DA CF 01 87 78 F7 ..     56100 keys
tried : E1 73 01 87 78 F7 ..     57800 keys
tried : E8 17 01 87 78 F7 ..     59500 keys
tried : EE BB 01 87 78 F7 ..     61200 keys
tried : F5 5F 01 87 78 F7 ..     62900 keys
Found valid key: fc00018778f7


Time in keybrute: 1106492 ticks 1106 seconds

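As an added example that is not part of the Proxmark3 client or of J-Run's tools: a small C parser for the progress output in the post above. It derives the observed online authentication rate, projects the time for the full 2^16 key space, and checks that the key reported as found keeps the 4-byte suffix given as the candidate (the part mf_nonce_brute recovers offline). The function names, the struct and the trimmed sample log are constructed for illustration, with the numbers copied from this post; estimate_seconds also lets one check the ~1.5-hour figure J-Run gave earlier in the thread for 12 keys/sec.

```c
/* Added example, not Proxmark3 or J-Run code: parse "hf mf key" output,
 * compute the observed rate and the projected full-keyspace time, and
 * verify the found key against the candidate's 4-byte suffix. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

#define KEYSPACE_2_16 65536.0   /* first 2 key bytes bruteforced online */

/* Constructed excerpt modelled on the post's output (values copied from it). */
const char *SAMPLE_KEYBRUTE_LOG =
    "pm3 --> hf mf key 1 a 1122018778f7\n"
    "tried : 06 4F 01 87 78 F7 ..     1700 keys\n"
    "tried : F5 5F 01 87 78 F7 ..     62900 keys\n"
    "Found valid key: fc00018778f7\n"
    "Time in keybrute: 1106492 ticks 1106 seconds\n";

struct keybrute_stats {             /* assumed name, for illustration */
    unsigned long tried;            /* highest "keys" count in progress lines */
    unsigned long seconds;          /* from the "Time in keybrute" line */
    double keys_per_sec;
    double full_keyspace_sec;       /* projected time for all 65536 keys */
    char candidate[13];             /* 12 hex chars from the command line */
    char found[13];                 /* 12 hex chars, empty if none found */
    int suffix_ok;                  /* 1 if last 8 hex chars match candidate */
};

/* Seconds needed to try `keyspace` keys at `rate` keys/sec; 0 if rate <= 0. */
double estimate_seconds(double keyspace, double rate)
{
    return rate > 0 ? keyspace / rate : 0;
}

/* Parse the log line by line. Returns 0 on success, -1 if no timing line. */
int parse_keybrute_log(const char *log, struct keybrute_stats *st)
{
    char line[256];
    const char *p = log;
    memset(st, 0, sizeof *st);
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        unsigned long n;
        char hex[13];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;

        if (sscanf(line, "pm3 --> hf mf key %*s %*s %12[0-9a-fA-F]", hex) == 1) {
            strcpy(st->candidate, hex);
        } else if (strncmp(line, "tried :", 7) == 0) {
            const char *k = strstr(line, "..");
            if (k && sscanf(k + 2, "%lu keys", &n) == 1 && n > st->tried)
                st->tried = n;
        } else if (sscanf(line, "Found valid key: %12[0-9a-fA-F]", hex) == 1) {
            strcpy(st->found, hex);
        } else if (sscanf(line, "Time in keybrute: %*lu ticks %lu seconds", &n) == 1) {
            st->seconds = n;
        }
    }
    if (st->seconds == 0)
        return -1;
    st->keys_per_sec = (double)st->tried / (double)st->seconds;
    st->full_keyspace_sec = estimate_seconds(KEYSPACE_2_16, st->keys_per_sec);
    st->suffix_ok = strlen(st->found) == 12 && strlen(st->candidate) == 12 &&
                    strcasecmp(st->found + 4, st->candidate + 4) == 0;
    return 0;
}

/* Scalar accessors over the sample log so results can be checked directly. */
static void sample(struct keybrute_stats *st) { parse_keybrute_log(SAMPLE_KEYBRUTE_LOG, st); }
unsigned long sample_tried(void)        { struct keybrute_stats s; sample(&s); return s.tried; }
unsigned long sample_elapsed(void)      { struct keybrute_stats s; sample(&s); return s.seconds; }
double sample_rate(void)                { struct keybrute_stats s; sample(&s); return s.keys_per_sec; }
double sample_full_keyspace_sec(void)   { struct keybrute_stats s; sample(&s); return s.full_keyspace_sec; }
int sample_suffix_ok(void)              { struct keybrute_stats s; sample(&s); return s.suffix_ok; }

int main(void)
{
    struct keybrute_stats s;
    if (parse_keybrute_log(SAMPLE_KEYBRUTE_LOG, &s) != 0) {
        fprintf(stderr, "no timing line found\n");
        return 1;
    }
    printf("tried %lu keys in %lu s: %.1f keys/s, full 2^16 keyspace ~%.0f s (%.1f min)\n",
           s.tried, s.seconds, s.keys_per_sec, s.full_keyspace_sec, s.full_keyspace_sec / 60);
    printf("found %s, suffix matches candidate: %s\n", s.found, s.suffix_ok ? "yes" : "no");
    printf("at 12 keys/s (MF Plus SL1 figure from the thread): ~%.2f h\n",
           estimate_seconds(KEYSPACE_2_16, 12.0) / 3600);
    return 0;
}
```

On the sample this gives about 56.9 keys/s and roughly 1152 s (~19 min) for the whole 2^16 space, in line with the ~18 min estimate in the post; the same formula gives ~1.52 h at 12 keys/s, matching the earlier MF Plus SL1 figure. The suffix check matters because the online phase only varies the first two key bytes: a result whose last four bytes differ from the candidate would indicate a parsing or input error rather than a recovered key.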