Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2016-09-06 17:19:52

andrew892
Contributor
Registered: 2016-08-01
Posts: 3

I made a nonce bruteforce tool

hi,
i made a nonce bruteforce tool for recover key from sniffed nested authentications starting from J-Run's bruteforce tool.
Mine tool implements the information that leaks through the parity bits to speed up the attack.
With old prng can recover directly the key. (~1min)
With new prng can recover candidate key, that has to be used with J-Run's second phase to recover the correct one. (few minutes)

i don't know if it's useful for someone, if it's bug-free or anything else.
i just made it and i want to share with you.

https://github.com/andrew892/mf_bruteforce_nonce

Offline

#2 2016-09-06 17:48:26

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: I made a nonce bruteforce tool

Sweet work,
I was fiddeling with j-run's two parts about a month ago,  made the 2d part about 3-5times faster.  There is a thread about it somehwere here.  Also on github.

Offline

#3 2016-09-07 00:02:48

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: I made a nonce bruteforce tool

Its even faster now smile

pm3 ~/tools/mf_nonce_brute$ ./mf_nonce_brute fa247164 fb47c594 0000 71909d28 0c254817 1000 0dc7cfbd 1110
Mifare classic nested auth key recovery. Phase 1.
uid:            fa247164
nt encrypted:   fb47c594
nt parity err:  0000
nr encrypted:   71909d28
ar encrypted:   0c254817
ar parity err:  1000
at encrypted:   0dc7cfbd
at parity err:  1110

Now let's try to bruteforce encrypted tag nonce last bytes


**** Possible key candidate ****
thread #3
current nt(fb47c594)  ar_enc(0c254817)  at_enc(0dc7cfbd)
ks2:a842ccc6
ks3:549661c0
ks4:b028b50d

Key candidate: [ffffffffffff]

Time in mf_nonce_brute (Phase 1): 4758 ticks 4.0 seconds

Offline

#4 2016-09-07 00:12:15

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: I made a nonce bruteforce tool

Is it the one you mean @iceman? Is there a tutorial for the layman to learn this technique iceman?

  J-Run's bruteforce tool

oh sry mistake not layman... I mean lazy man!

"
Sorry if the question is primitive, but can you please explain how to choose parameters for mf_nonce_brute. I have a Mifare Classic 1K/4K card and ACR122u reader."

"
...
To use a mf_nonce_brute you must have a snoop(sniff) log of card and reader. It is all explained in a Readme file. If you have any trouble please post details about your input data (please don't post here real  deployed systems dump data) and what goes wrong. Feel free to ask any questions but give a info to help you :-)"

I think I have found the missing part.

Last edited by ntk (2016-09-07 00:23:01)

Offline

#5 2016-09-07 00:21:39

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: I made a nonce bruteforce tool

Not quite, 

Its based on J-Runs two tools.  His version takes a long time.  fbfuzier did a faster version but still very slow.
Now OP (andrew892) did a really fast version. Its fast because it doesnt need to check so many nonces.

The readme.md tells the story quite well.  Its for traces where the nested authentication is used. Now you can recover the keys also in two steps.  Phase1 one is a standalone program,  and you find an optimised phase2 in my fork. (hf mf )

Phase1
Andrew892  singelthread version https://github.com/andrew892/mf_bruteforce_nonce
iceman multithread version https://github.com/iceman1001/mf_nonce_brute


Look at this old thread for samples:
http://www.proxmark.org/forum/viewtopic … d=550#p550

Offline

#6 2016-09-07 00:31:56

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: I made a nonce bruteforce tool

thank for this old thread
http://www.proxmark.org/forum/viewtopic … d=550#p550

thanks you, Iceman.

Offline

#7 2016-09-07 00:44:45

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: I made a nonce bruteforce tool

Don't thank me,  thank @andrew892 who made this speedup possible.

Offline

Board footer

Powered by FluxBB