Proxmark3 community


#1 2016-07-07 14:47:43

my_fair_cats_sick
Contributor
Registered: 2016-03-15
Posts: 81

Mifare Plus Attack Improvements

Could anyone summarize the Mifare Plus Attack in some plain English? I am looking into the paper and trying to understand it further, but it would help somewhat to understand the attack type better up front, and where improvements could be made. I am looking to do some research into this topic and help improve the attack if possible. I am a programmer by day, so code optimizations would be one area, but I am also trying to understand the crypto (no pun intended) portion and make improvements in that realm as well, though I will have to understand that further first. Suggestions here would be greatly appreciated and all results would be posted right here!

I have posted some snoops of transitioning security levels of the Plus card - if those help I can certainly post some more for transitioning to different levels.

#2 2016-07-08 11:33:42

osys
Contributor
From: Nearby
Registered: 2016-03-28
Posts: 62

Re: Mifare Plus Attack Improvements

Great initiative! The most interesting part for Plus is the SL1 -> SL2 transition, catching AES keys during the process (if keys are re-enrolled, of course). To begin with, I would rather start on extracting AES keys from the snoop trace during SL0 -> SL1 and then switch to the more advanced level, SL1 -> SL2, knowing the crypto1 keys.

#3 2016-07-08 14:09:37

my_fair_cats_sick
Contributor
Registered: 2016-03-15
Posts: 81

Re: Mifare Plus Attack Improvements

Ok - not sure if this is working quite right; it looks like a lot of parity errors. I first place the reader on my desk, then the card on the reader, then a small plastic jar cap which is a few cm thick, then the Proxmark with the HF antenna on that.

I did "hf 14a sniff" (running @iceman's branch) and then "hf 14a list", and here is what I got:

hf list 14a
Waiting for a response from the proxmark...          
Don't forget to cancel its operation first by pressing on the button          
#db# cancelled by button          
#db# maxDataLen=4, Uart.state=0, Uart.len=0          
#db# traceLen=446, Uart.output[0]=0000000b          
Recorded Activity (TraceLen = 446 bytes)          
          
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
iso14443a - All times are in carrier periods (1/13.56Mhz)          
iClass    - Timings are not as accurate          
          
      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |          
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|          
          0 |      26592 | Rdr |0a  08  a8  00  90  00  01  02  03  04  05  06  07  08  09  0a   |     |           
            |            |     |0b  0c  0d  0e  0f  6a  55                                       |  ok | ?          
     230068 |     235956 | Tag |0a  08  90  27  8c                                               |     |           
   48412480 |   48414816 | Rdr |7f  7f                                                           |     | ?          
   48415552 |   48423648 | Rdr |ff  13! 3f! ff! 7e! 3e! 7c                                       | !crc| ?          
   48423872 |   48424672 | Rdr |0f!                                                              |     | ?          
   48424896 |   48429280 | Rdr |1e! fe! 3c  1c                                                   | !crc| ?          
   48429760 |   48430688 | Rdr |07                                                               |     | ?          
   48430912 |   48432864 | Rdr |3f! 07                                                           |     | ?          
   48433088 |   48437344 | Rdr |3e  1e! 8e  01                                                   | !crc| CHK_TEARING(30)          
   48437824 |   48438496 | Rdr |02                                                               |     | ?          
   48641828 |   48647716 | Tag |0b  08  90  fb  d6                                               |     |           
  106462496 |  106465664 | Rdr |0a  08  28!                                                      | !crc| ?          
  106465904 |  106474256 | Rdr |f9! 4f  fe  fc! f9! f8  f2  00!                                  | !crc| ?          
  106474480 |  106475280 | Rdr |0f!                                                              |     | ?          
  106475504 |  106479888 | Rdr |1e! fe! 3c  1c                                                   | !crc| ?          
  106480368 |  106481296 | Rdr |07                                                               |     | ?          
  106481520 |  106483472 | Rdr |3f! 07                                                           |     | ?          
  106483696 |  106486928 | Rdr |3e  1e! 0e                                                       | !crc| CHK_TEARING(30)          
 -312309312 | -312282464 | Rdr |2c  20  a0! 0d  42! 03! 06! 08  0c! 12! 14! 1a  1e! 20  24! 2a   |     |           
            |            |     |2e! 30! 36! 38  3c! fa! 8c  02                                   | !crc| ?          
  175995764 |  176001652 | Tag |0b  08  90  fb  d6                                               |     |           
  230623824 |  230626160 | Rdr |67  7f                                                           |     | ?          
  230626640 |  230634992 | Rdr |f3! 4f  fe  fc! f9! f8  f2  00!                                  | !crc| ?          
  230635216 |  230636016 | Rdr |0f!                                                              |     | ?          
  230636240 |  230640624 | Rdr |1e! fe! 3c  1c                                                   | !crc| ?          
  230641104 |  230642032 | Rdr |07                                                               |     | ?          
  230642256 |  230644208 | Rdr |3f! 07                                                           |     | ?          
  230644432 |  230647664 | Rdr |3e  1e! 0e                                                       | !crc| CHK_TEARING(30)          
  230647888 |  230648688 | Rdr |03!                                                              |     | ?          
  230648912 |  230649200 | Rdr |00!                                                              |     | ?          
  230649680 |  230649904 | Rdr |01                                                               |     | ?          
  230853188 |  230859076 | Tag |0a  08  90  27  8c                                               |     |           
  256722480 |  256728336 | Rdr |0b  08  aa  22  48                                               |  ok | ?          
  256950244 |  256956132 | Tag |0b  08  90  fb  d6                                               |     |     

Last edited by my_fair_cats_sick (2016-07-08 14:11:05)

#4 2016-07-08 15:20:22

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: Mifare Plus Attack Improvements

That's a bad sniff trace.

Try reader - pm3 antenna - card, where the pm3 antenna and card are very close to each other.

#5 2016-07-09 01:16:50

my_fair_cats_sick
Contributor
Registered: 2016-03-15
Posts: 81

Re: Mifare Plus Attack Improvements

Hmm, ok, I thought it was necessary to have a few cm in between to get a good reading. I'll try again.

#6 2016-07-09 21:47:08

my_fair_cats_sick
Contributor
Registered: 2016-03-15
Posts: 81

Re: Mifare Plus Attack Improvements

Here is one more trace with the PM3 HF antenna between the reader and the card:

pm3 --> hf 14a sniff
pm3 --> hf 14a list
Waiting for a response from the proxmark...          
Don't forget to cancel its operation first by pressing on the button          
#db# cancelled by button          
#db# maxDataLen=4, Uart.state=0, Uart.len=0          
#db# traceLen=438, Uart.output[0]=0000000b          
Recorded Activity (TraceLen = 438 bytes)          
          
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
iso14443a - All times are in carrier periods (1/13.56Mhz)          
iClass    - Timings are not as accurate          
          
      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |          
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|          
          0 |       1056 | Rdr |26                                                               |     | REQA          
       2260 |       4628 | Tag |44  00                                                           |     |           
       8192 |      10656 | Rdr |93  20                                                           |     | ANTICOLL          
      11860 |      17684 | Tag |88  04  5f! 9f  4c!                                              |     |           
      24320 |      34848 | Rdr |93  70  88  04  5d  95  44  5c  64                               |  ok | SELECT_UID          
      36052 |      39572 | Tag |04  da  17                                                       |     |           
      42880 |      45344 | Rdr |95  20                                                           |     | ANTICOLL-2          
      46532 |      52356 | Tag |4a  95  36  80  69                                               |     |           
      58880 |      69408 | Rdr |95  70  4a  95  36  80  69  3f  ae                               |  ok | ANTICOLL-2          
      70612 |      74196 | Tag |20  fc  70                                                       |     |           
      75904 |      80608 | Rdr |e0  88  79  ff                                                   |  ok | RATS          
      81876 |      98132 | Tag |0c  75  77  80  02  c1  05  2f  2f  00  35  c7  60  d3           |  ok |           
   82152464 |   82179056 | Rdr |0a  08  a8  00  90  00  01  02  03  04  05  06  07  08  09  0a   |     |           
            |            |     |0b  0c  0d  0e  0f  6a  55                                       |  ok | ?          
   82379460 |   82385348 | Tag |0a  08  90  27  8c                                               |     |           
  173839568 |  173866160 | Rdr |0b  08  a8  01  90  00  01  02  03  04  05  06  07  08  09  0a   |     |           
            |            |     |0b  0c  0d  0e  0f  e1  9a                                       |  ok | ?          
  174066324 |  174072212 | Tag |0b  08  90  fb  d6                                               |     |           
  217195952 |  217222544 | Rdr |0a  08  a8  02  90  00  01  02  03  04  05  06  07  08  09  0a   |     |           
            |            |     |0b  0c  0d  0e  0f  b5  ac                                       |  ok | ?          
  217230980 |  217236868 | Tag |0a  08  09  6f  85                                               |     |           
  261475936 |  261502528 | Rdr |0b  08  a8  03  90  00  01  02  03  04  05  06  07  08  09  0a   |     |           
            |            |     |0b  0c  0d  0e  0f  3e  63                                       |  ok | ?          
  261702548 |  261708436 | Tag |0b  08  90  fb  d6                                               |     |           
  318566336 |  318592992 | Rdr |0a  08  a8  04  90  00  01  02  03  04  05  06  07  08  09  0a   |     |           
            |            |     |0b  0c  0d  0e  0f  c5  ae                                       |  ok | ?          
  318793092 |  318798980 | Tag |0a  08  90  27  8c                                               |     |           
  359423248 |  359429104 | Rdr |0b  08  aa  22  48                                               |  ok | ?          
  359647060 |  359652948 | Tag |0b  08  90  fb  d6                                               |     |  

#7 2016-07-09 21:48:30

my_fair_cats_sick
Contributor
Registered: 2016-03-15
Posts: 81

Re: Mifare Plus Attack Improvements

And another:

pm3 --> hf 14a sniff
pm3 --> hf 14a list
Waiting for a response from the proxmark...          
Don't forget to cancel its operation first by pressing on the button          
#db# cancelled by button          
#db# maxDataLen=4, Uart.state=0, Uart.len=0          
#db# traceLen=445, Uart.output[0]=00000000          
Recorded Activity (TraceLen = 445 bytes)          
          
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
iso14443a - All times are in carrier periods (1/13.56Mhz)          
iClass    - Timings are not as accurate          
          
      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |          
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|          
          0 |       1056 | Rdr |26                                                               |     | REQA          
       2244 |       4612 | Tag |44  00                                                           |     |           
       8192 |      10656 | Rdr |93  20                                                           |     | ANTICOLL          
      11844 |      12356 | Tag |00!                                                              |     |           
  -77954912 |  -77954560 | Rdr |02                                                               |     | ?          
  -77954912 |  -77954304 | Rdr |0a!                                                              |     | ?          
      24192 |      34720 | Rdr |93  70  88  04  5c  95  45  09  2f                               |  ok | SELECT_UID          
      35908 |      36292 | Tag |00!                                                              |     |           
  -77954912 |  -77954560 | Rdr |02                                                               |     | ?          
      42880 |      45344 | Rdr |95  20                                                           |     | ANTICOLL-2          
      46532 |      52356 | Tag |4a  95  36  80  69                                               |     |           
      59008 |      69536 | Rdr |95  70  4a  95  36  80  69  3f  ae                               |  ok | ANTICOLL-2          
      70724 |      74308 | Tag |20  fc  70                                                       |     |           
      76160 |      80864 | Rdr |e0  88  79  ff                                                   |  ok | RATS          
      82116 |      83268 | Tag |0c!                                                              |     |           
  264517600 |  264544192 | Rdr |0a  08  a8  00  90  00  01  02  03  04  05  06  07  08  09  0a   |     |           
            |            |     |0b  0c  0d  0e  0f  6a  55                                       |  ok | ?          
  -77954912 |  -77954560 | Rdr |02                                                               |     | ?          
  302950400 |  302976992 | Rdr |0b  08  a8  01  90  00  01  02  03  04  05  06  07  08  09  0a   |     |           
            |            |     |0b  0c  0d  0e  0f  e1  9a                                       |  ok | ?          
  339622000 |  339648592 | Rdr |0a  08  a8  02  90  00  01  02  03  04  05  06  07  08  09  0a   |     |           
            |            |     |0b  0c  0d  0e  0f  b5  ac                                       |  ok | ?          
  339657156 |  339658308 | Tag |0a!                                                              |     |           
  -77954912 |  -77953792 | Rdr |b6                                                               |     | ?          
  380835872 |  380862464 | Rdr |0b  08  a8  03  90  00  01  02  03  04  05  06  07  08  09  0a   |     |           
            |            |     |0b  0c  0d  0e  0f  3e  63                                       |  ok | ?          
  424831552 |  424858208 | Rdr |0a  08  a8  04  90  00  01  02  03  04  05  06  07  08  09  0a   |     |           
            |            |     |0b  0c  0d  0e  0f  c5  ae                                       |  ok | ?          
  425062832 |  425063376 | Rdr |00!                                                              |     | ?          
  -77954912 |  -77954624 | Rdr |00!                                                              |     | ?          
  542290240 |  542296096 | Rdr |0b  08  aa  22  48                                               |  ok | ?          
  542515460 |  542517124 | Tag |0b  00!                                                          |     |           
  542518848 |  542519264 | Rdr |00!                                                              |     | ?          
  -77954912 |  -77954624 | Rdr |00!                                                              |     | ?     

#8 2016-07-10 09:34:27

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: Mifare Plus Attack Improvements

The first trace looks ok. You got the reader sending and the card responses.
In trace 1, after the anticollision, the card answers, then there is a long wait until the reader requests again. From there on it's ISO7816 format.


   82152464 |   82179056 | Rdr |0a  08  a8  00  90  00  01  02  03  04  05  06  07  08  09  0a   |     |           
            |            |     |0b  0c  0d  0e  0f  6a  55                                       |  ok | ?          
   82379460 |   82385348 | Tag |0a  08  90  27  8c                                               |     |           
  173839568 |  173866160 | Rdr |0b  08  a8  01  90  00  01  02  03  04  05  06  07  08  09  0a   |     |           
            |            |     |0b  0c  0d  0e  0f  e1  9a                                       |  ok | ?          
  174066324 |  174072212 | Tag |0b  08  90  fb  d6                                               |     |           
  217195952 |  217222544 | Rdr |0a  08  a8  02  90  00  01  02  03  04  05  06  07  08  09  0a   |     |           
            |            |     |0b  0c  0d  0e  0f  b5  ac                                       |  ok | ?          
  217230980 |  217236868 | Tag |0a  08  09  6f  85                                               |     |           
  261475936 |  261502528 | Rdr |0b  08  a8  03  90  00  01  02  03  04  05  06  07  08  09  0a   |     |           
            |            |     |0b  0c  0d  0e  0f  3e  63                                       |  ok | ?          
  261702548 |  261708436 | Tag |0b  08  90  fb  d6                                               |     |           
  318566336 |  318592992 | Rdr |0a  08  a8  04  90  00  01  02  03  04  05  06  07  08  09  0a   |     |           
            |            |     |0b  0c  0d  0e  0f  c5  ae              

If you run "hf list 7816" you'll get annotation for this part only.
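As an added example (not code from this thread or from the Proxmark3 project), the following Python reassembles rows of the `hf 14a list` output above, verifies CRC_A, and decodes the ISO 14443-4 block framing (PCB type, block number, CID) of the reader-card exchange that follows the anticollision. The sample rows are copied from the post #6 trace; the command, status and key-address names are my reading of the MIFARE Plus documentation and are assumptions to check against the datasheet, not labels the trace itself provides.

```python
# CRC_A from ISO/IEC 14443-3: init 0x6363, LSB-first, appended low byte first.
def crc_a(data: bytes) -> bytes:
    crc = 0x6363
    for b in data:
        ch = (b ^ crc) & 0xFF
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

# Assumption: names taken from my reading of the MIFARE Plus documentation, not from the trace.
MFP_CMD = {0xA8: "WRITE PERSO", 0xAA: "COMMIT PERSO"}
MFP_STATUS = {0x90: "OK", 0x09: "invalid block number"}
KEY_ADDR = {0x9000: "Card Master Key", 0x9001: "Card Configuration Key", 0x9002: "Level 2 Switch Key",
            0x9003: "Level 3 Switch Key", 0x9004: "SL1 Card Authentication Key"}

def parse_rows(text: str):
    """Reassemble 'hf 14a list' rows; continuation rows have empty Start/End/Src."""
    frames = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 4 or cols[2] not in ("Rdr", "Tag", ""):
            continue
        data = bytes(int(tok.rstrip("!"), 16) for tok in cols[3].split())
        if cols[2] == "" and frames:
            frames[-1]["data"] += data          # continuation of the previous frame
        elif cols[2]:
            frames.append({"src": cols[2], "data": data})
    return frames

def decode_block(frame):
    """ISO 14443-4 block: PCB type, block number, optional CID, INF, CRC_A check."""
    d, pcb = frame["data"], frame["data"][0]
    kind = {0b00: "I", 0b10: "R", 0b11: "S"}.get(pcb >> 6, "?")
    inf = d[1 + ((pcb >> 3) & 1):-2]           # PCB bit 4 set: a CID byte follows
    out = {"src": frame["src"], "type": kind, "blk": pcb & 1,
           "crc_ok": crc_a(d[:-2]) == d[-2:], "inf": inf.hex()}
    if kind == "I" and inf and frame["src"] == "Rdr" and inf[0] in MFP_CMD:
        out["cmd"] = MFP_CMD[inf[0]]
        if inf[0] == 0xA8 and len(inf) >= 3:
            addr = inf[1] | (inf[2] << 8)       # block address, LSB first
            out["addr"] = KEY_ADDR.get(addr, hex(addr))
            out["value"] = inf[3:].hex()        # key bytes cross the air unencrypted in SL0
    elif kind == "I" and inf and frame["src"] == "Tag":
        out["status"] = MFP_STATUS.get(inf[0], hex(inf[0]))
    return out

def decode_trace(text: str):
    return [decode_block(f) for f in parse_rows(text) if len(f["data"]) >= 3]

# Constructed sample: rows copied from the post #6 trace above (ISO 14443-4 part only).
SAMPLE = """\
   82152464 |   82179056 | Rdr |0a  08  a8  00  90  00  01  02  03  04  05  06  07  08  09  0a   |     |
            |            |     |0b  0c  0d  0e  0f  6a  55                                       |  ok | ?
   82379460 |   82385348 | Tag |0a  08  90  27  8c                                               |     |
  217195952 |  217222544 | Rdr |0a  08  a8  02  90  00  01  02  03  04  05  06  07  08  09  0a   |     |
            |            |     |0b  0c  0d  0e  0f  b5  ac                                       |  ok | ?
  217230980 |  217236868 | Tag |0a  08  09  6f  85                                               |     |
  359423248 |  359429104 | Rdr |0b  08  aa  22  48                                               |  ok | ?
  359647060 |  359652948 | Tag |0b  08  90  fb  d6                                               |     |
"""
```

What the decode establishes from the trace alone, independent of the assumed names, is that each WRITE PERSO block carries its 16 data bytes in the clear and that the PCB block number toggles 0a/0b between exchanges; that cleartext is why SL0 personalization belongs in a controlled environment rather than in the field.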
