Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2016-07-29 21:11:46

HighPressure
Contributor
Registered: 2016-07-17
Posts: 56

Analyzing my company card

Hi

I am currently analyzing the cards used in our company.
First I was starting to do this with my ACR122u to give it a cheap try. (PS: yes, I own a proxmark now too)
The interesting thing about it was, that my "new" card was not able to be dumped. So Im talking first of all about the keys.
did run for hours without any result

As I have access to multiple cards, I was able to manage it, to dump the keys from an old card, which took like 10-15 mins. What do I mean when talking about old and new: basically the apperiance of the card is the same, but when you do the "flashlight test" and take e.g. the flash from your phone and hold it underneath the card, you will see that the chip is much bigger, than on the "new" cards. So just not affected to darkside attack?

After I found those keys from the old card, I ran it again with my own card and with those keys in addition suddenly I was able also to dump my card. (btw: since then a dump of no matter what card takes 40-60 sec´s)
So was this card kind of a newer model? How could I find out the difference without waiting forever to finish the dump?

---- The content and security

first of all: I am using okteta, any other suggestions?
what would you prefer?

our cards contain written to different sectors informations like the company id, card number / id printed on the card itself (printed on the card in decimal, written in hex across sector a and b) and stuff like this..
step by step I was removing relevant informations and writing the dumps to a china uid changable card for testing.
I ended up with having a blank card, with "nothing" on it.

Seems the system is only based on the UID found in sector 0 A.
As I got some cards in a row (Printed Card ID like 12001, 12002, 12003,..) I was trying to compare them.

I was checking the forum and net but couldnt find yet the answer i was looking for:
How could I generate / calculate an other UID and write it, so the system will accept is as a valid UID?
So I am basically talking about to extrapolate it from the numbers I have?


thanks in advance smile

Offline

#2 2016-07-29 21:33:20

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Analyzing my company card

the UID is likely associated in the access control system with an employee ID at the time the card is issued.  the UID is not calculated or generated per ID.

what do you mean by sector 0 A?  the 11th sector?  block number?

Last edited by marshmellow (2016-07-29 21:35:47)

Offline

#3 2016-07-29 21:45:05

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Analyzing my company card

OP seems to be a bit confused about Mifare classic memory layouts.

Since you have a magic tag, you'll need to figure out which generation it is.  Search this forum for plenty of threads on how to modify block0, the manufacturer block.

Meanwhile you can run "hf 14a reader" and see what it says.

If you are running the latest source code from Github (Pm3 Master) you will get a message when you run the darkside attack, if the tag is affected by this attack or not.

Happy hunting!

Offline

#4 2016-07-30 20:20:49

HighPressure
Contributor
Registered: 2016-07-17
Posts: 56

Re: Analyzing my company card

hi

yes, iceman, thats true.
Currently I am still little confused about the memory layouts as i did not find yet an good documentation or video and as I am new to NFC/RFID. any good recomendations?
until now I tried to find out the stuff on my own. Forum helped already a lot smile

I thought as there are A and B key´s that also the data is splitted into a "part a" and "b" in the different sectors.

my card states following when I type hf 14a reader

UID : my id
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN1): NO

and the crackable one does say rather the same with

UID : some other id
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN1): NO



when I compare 5 cards in the hex editor and have a look in the first line, which should be the sector 0 afaik, it says for one of the cards e.g.:

XX XX 84 86 70 88 04 00 C8 47 00 20 00 00 00 14
**  ** ** **

only the highlighted numbers change while the rest stays the same for all of them.
But I cant see yet how its generating the numbers.
The first values of this line are the UID when I read the card with nfc-list or hf 14a reader
(where I´ve set the * underneath)


The cards serial number, printed on it, was found at offset 0000:0047 to 48. But as I already stated, they are not crosschecking the number in their system


btw @ICEMAN: hf mf chk *1 ? t gives me a positive feedback with my "new" card as well as with the old one, even as I did not feed him with the keys I found. but he states for my card that all sectors, except 0 A are FF´ which ISNT true

so when I then try hf mf nested 1 0 A with the key he found, it replys with
Tag isn't vulnerable to Nested Attack (its random number generator is not predictable).

while it works with the old card and the same key fine (btw same result in hf mf chk *1 ? t)

had this problem before with mfoc, but as soon as I feed mfoc with the keys from the old card its fine and works.
too bad that hf mf nested does not allow like mfoc to load multiple keys.

is hf mf nested not the same as mfoc?

the strange thing about the hf mf nested is:
if I feed it with the key found earlier from mf chk it says the not predictable
If I feed it with one of my other already revealed keys it loops with
#db# Nested: Auth1 error
#db# Authentication failed. Card timeout.

mfoc with the same keys will dump this card. So whats the difference then?
mfoc == nested, isnt it?


emulate - my soluton for testing?
I just tried this real fun hf 14a sim t 1 u MYID and read it with nfc-list and the ACR122u.. cant see any difference there to what I see on the screen when reading my real card.
So I guess their system wont too? is it realy that easy? lol

Offline

#5 2016-07-30 20:56:25

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Analyzing my company card

There is enough guides about Mifare Classic when you google it.
You can read about the five first bytes and how to calc the bcc. Its a simple xor.

It looks like your company has a serie of cardnumber which they follow.  Very simple to clone onto a magic tag.

The 'hf mf chk' command only tests known default keys against a tag.  No attack or something.
It will print a table,  where the  0|1  in the colum res means if the key was succesfull found or not.
zero means fail.   FF FF FF FF FF FF is a default value as key,  the key is only valid is res = 1 for it.

You will need to run the "hf mf mifare" first,  it will tell you if the tag uses the newer hardend prng.
The nested attack will not work on those tags either as you seen.

To attack a hardend prng you need the new hardnested attack,  but you need a known key to use it.

Since your company tags seems only to look at uid,  emulate or clone is a simple way to get access to your company.

Your comparisions with mfuc/mfoc is something I can't comment on, since I never used them. If you have questions about those I suggest you do that in their forums over at libnfc.

Offline

Board footer

Powered by FluxBB