Proxmark3 community

#1 2017-01-20 03:32:44

maurice
Contributor
Registered: 2017-01-19
Posts: 6

MIFARE crack, my whole approach till 1 key and then fail

Hi, I'm new to this forum.
I spent around 8 hours today trying to crack my MIFARE card.
I tried to read the first relevant posts etc., but I always feel the detailed point is missing.

So I checked my card with: hf 14a reader
UID : 0e f8 0e 85           
ATQA : 00 04         
SAK : 08 [2]         
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1         
proprietary non iso14443-4 card found, RATS not supported         
Answers to chinese magic backdoor commands: NO   

Then I went to: hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
Card is not vulnerable to Darkside attack (its random number generator is not predictable).

I then did: hf mf chk * ?

No key specified, trying default keys         
chk default key[ 0] ffffffffffff         
chk default key[ 1] 000000000000         
chk default key[ 2] a0a1a2a3a4a5         
chk default key[ 3] b0b1b2b3b4b5         
chk default key[ 4] aabbccddeeff         
chk default key[ 5] 4d3a99c351dd         
chk default key[ 6] 1a982c7e459a         
chk default key[ 7] d3f7d3f7d3f7         
chk default key[ 8] 714c5c886e97         
chk default key[ 9] 587ee5f9350f         
chk default key[10] a0478cc39091         
chk default key[11] 533cb6c723f6         
chk default key[12] 8fd0a4f256e9         
--sector: 0, block:  3, key type:A, key count:13           
Found valid key:[ffffffffffff]         
--sector: 1, block:  7, key type:A, key count:13           
Found valid key:[ffffffffffff]         
--sector: 2, block: 11, key type:A, key count:13           
Found valid key:[ffffffffffff]         
--sector: 3, block: 15, key type:A, key count:13           
Found valid key:[ffffffffffff]         
--sector: 4, block: 19, key type:A, key count:13           
Found valid key:[ffffffffffff]         
--sector: 5, block: 23, key type:A, key count:13           
--sector: 6, block: 27, key type:A, key count:13           
--sector: 7, block: 31, key type:A, key count:13           
--sector: 8, block: 35, key type:A, key count:13           
--sector: 9, block: 39, key type:A, key count:13           
--sector:10, block: 43, key type:A, key count:13           
--sector:11, block: 47, key type:A, key count:13           
--sector:12, block: 51, key type:A, key count:13           
--sector:13, block: 55, key type:A, key count:13           
--sector:14, block: 59, key type:A, key count:13           
--sector:15, block: 63, key type:A, key count:13           
--sector: 0, block:  3, key type:B, key count:13           
Found valid key:[ffffffffffff]         
--sector: 1, block:  7, key type:B, key count:13           
Found valid key:[ffffffffffff]         
--sector: 2, block: 11, key type:B, key count:13           
Found valid key:[ffffffffffff]         
--sector: 3, block: 15, key type:B, key count:13           
Found valid key:[ffffffffffff]         
--sector: 4, block: 19, key type:B, key count:13           
Found valid key:[ffffffffffff]         
--sector: 5, block: 23, key type:B, key count:13           
--sector: 6, block: 27, key type:B, key count:13           
--sector: 7, block: 31, key type:B, key count:13           
--sector: 8, block: 35, key type:B, key count:13           
--sector: 9, block: 39, key type:B, key count:13           
--sector:10, block: 43, key type:B, key count:13           
--sector:11, block: 47, key type:B, key count:13           
--sector:12, block: 51, key type:B, key count:13           
--sector:13, block: 55, key type:B, key count:13           
--sector:14, block: 59, key type:B, key count:13           
--sector:15, block: 63, key type:B, key count:13

So it seems I found 1 key, which is ffffffffffff.
So here is where I get stuck. I then did: hf mf rdbl 0 A FFFFFFFFFFFF

--block no:0, key type:A, key:ff ff ff ff ff ff           
#db# READ BLOCK FINISHED                 
isOk:01 data:0e f8 0e 85 7d 88 04 00 c8 48 00 20 00 00 00 14 

How to proceed from here?
I don't understand, honestly. I often read that if you find 1 key you can get the others with mf ... but no detail on how to do so...
Appreciate any response!!

Offline

#2 2017-01-20 16:17:31

pk926
Contributor
Registered: 2017-01-08
Posts: 19

Re: MIFARE crack, my whole approach till 1 key and then fail

hello,

So far you have discovered some keys from your card.

You can read sectors 0, 1, 2, 3, 4. The rest you can't, because you haven't discovered them yet.

For example:

if you do hf mf rdsc 0 A ffffffffffff
hf mf rdsc <sector number> <key A/B> <key (12 hex symbols)>

you will be able to read all of sector 0.

About the rest of the keys, you can get them by doing a nested or hardnested attack.

about nested you can do something like:
hf mf nested 1 0 A FFFFFFFFFFFF d
by doing this you will try to discover other keys on the card.

if you discovered all of them, it will create a file with all the keys of your card.

Then you can do hf mf dump.

It will create a file called dumpdata.bin with all the info of your card.

If you didn't understand something, just tell me and I will try to explain better.

Pedro Cabral

Offline
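
Added example, not part of any post in this thread: a small Python parser for `hf mf chk` output in the format shown in post #1, which a card issuer or auditor can use to list the sectors still protected only by a well-known default key. The function names and the sample log are constructed for illustration.

```python
import re

# Constructed sample, abbreviated from the `hf mf chk * ?` output format in post #1.
SAMPLE_LOG = """\
--sector: 0, block:  3, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 1, block:  7, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 5, block: 23, key type:A, key count:13
--sector: 0, block:  3, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 1, block:  7, key type:B, key count:13
--sector: 5, block: 23, key type:B, key count:13
"""

SECTOR_RE = re.compile(r"--sector:\s*(\d+), block:\s*\d+, key type:([AB])")
KEY_RE = re.compile(r"Found valid key:\[([0-9a-fA-F]{12})\]")

def parse_chk(log):
    """Map each sector to the default key found for key A and key B (None if none)."""
    keys, current = {}, None
    for line in log.splitlines():
        header = SECTOR_RE.search(line)
        if header:
            current = (int(header.group(1)), header.group(2))
            keys.setdefault(current[0], {"A": None, "B": None})
            continue
        found = KEY_RE.search(line)
        if found and current:
            sector, key_type = current
            keys[sector][key_type] = found.group(1).lower()
            current = None  # a key line belongs only to the header just before it
    return keys

def audit(keys):
    """Group sectors by how many of their two keys are on the default list."""
    report = {"both_default": [], "one_default": [], "no_default": []}
    for sector in sorted(keys):
        hits = sum(1 for k in keys[sector].values() if k is not None)
        bucket = ("no_default", "one_default", "both_default")[hits]
        report[bucket].append(sector)
    return report

if __name__ == "__main__":
    for bucket, sectors in audit(parse_chk(SAMPLE_LOG)).items():
        print(f"{bucket}: {sectors}")
```

Sectors reported under `both_default` or `one_default` are the ones an issuer should re-key before a card is deployed.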

#3 2017-01-20 16:56:00

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: MIFARE crack, my whole approach till 1 key and then fail

I suggest reading the wiki to understand more about the Mifare commands on PM3.
ref: https://github.com/Proxmark/proxmark3/wiki

Offline

#4 2017-01-20 16:58:19

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: MIFARE crack, my whole approach till 1 key and then fail

based on the output he/she will also need to read up on the hardnested attack and learn how to obtain a build with it.

Offline

#5 2017-01-20 17:32:58

maurice
Contributor
Registered: 2017-01-19
Posts: 6

Re: MIFARE crack, my whole approach till 1 key and then fail

Hey there, thanks for the answers. Let me say first that I respectfully read as much as I can in the manual and wiki.
Thanks Pedro, appreciate your answer in detail. I do understand what you stated, I just forgot to mention I was one step further.
I tried a nested attack already.
It returned:
Card is not vulnerable to Darkside attack (its random number generator is not predictable).

So it seems my only option is the hardnested attack. I read some stuff, but it seems this is a code extension-framework I need to get from Iceman, correct? Because I couldn't find the syntax for hardnested in the mf.

I looked at:
https://github.com/Proxmark/proxmark3/wiki/commands. &
https://github.com/Proxmark/proxmark3/wiki/Mifare%20Tag%20Ops



M.

Last edited by maurice (2017-01-20 17:37:10)

Offline

#6 2017-01-21 20:49:11

maurice
Contributor
Registered: 2017-01-19
Posts: 6

Re: MIFARE crack, my whole approach till 1 key and then fail

Hi pedro, any update to my last question?

Offline

#7 2017-01-22 13:50:29

pk926
Contributor
Registered: 2017-01-08
Posts: 19

Re: MIFARE crack, my whole approach till 1 key and then fail

hello,

Sorry for taking so much time to answer your question, but I don't have that much time.

so you did a dark side attack and not a nested one because the possible error messages are:

case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;
case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;
case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (its random number generator is not predictable).\n"); break;
case -4 : PrintAndLog("No valid key found"); break;

It's strange that nested doesn't work, because I have one mifare card on which I can't perform a darkside attack but I can do a nested. Maybe try a hardnested.

But what kind of card are you trying to crack? Transportation? Access?

Best,

Pedro Cabral

Offline

#8 2017-01-23 02:39:26

maurice
Contributor
Registered: 2017-01-19
Posts: 6

Re: MIFARE crack, my whole approach till 1 key and then fail

It's an access to the building I'm living in.
This is what I had: case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (its random number generator is not predictable).\n"); break;

Now I'm looking for how to do a hardnested attack.
But I can't find information on this.
Everyone says do a hardnested attack, but nobody tells me how or where to find info.

Offline

#9 2017-01-23 02:54:46

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: MIFARE crack, my whole approach till 1 key and then fail

Search the forum.

Offline

#10 2017-01-31 00:16:35

maurice
Contributor
Registered: 2017-01-19
Posts: 6

Re: MIFARE crack, my whole approach till 1 key and then fail

I don't really get the strong hostility towards my question.
I have now spent quite a lot of time going through threads, reading 11 pages about hardnested attacks.
Instead of "search the forum" you could as well have pointed me to the right thread!?
I'm still not 100% sure. It's like fragments of info in every thread, but no dedicated guide.
I'm a web developer and former assembler coder, so it's not like I'm too stupid or something...

still appreciate any help if possible.
thanks

Offline

#11 2017-01-31 17:16:40

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: MIFARE crack, my whole approach till 1 key and then fail

no hostility intended.  and you are correct there is no dedicated guide and there likely won't be (at least for some time as it is still experimental and is not in the main pm3 code). 

some key threads are:
http://www.proxmark.org/forum/viewtopic.php?id=2120
http://www.proxmark.org/forum/viewtopic.php?id=3736
http://www.proxmark.org/forum/viewtopic.php?id=4051

Offline

#12 2017-01-31 17:20:48

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: MIFARE crack, my whole approach till 1 key and then fail

also on github there are various forks with the information you seek:
https://github.com/Proxmark/proxmark3/network

Offline

#13 2017-02-01 00:10:26

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: MIFARE crack, my whole approach till 1 key and then fail

You are so friendly, @marshmellow,  an example to the rest of us.

Offline

#14 2017-02-01 03:36:14

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: MIFARE crack, my whole approach till 1 key and then fail

lol, at least i responded.  most just looked at it and decided they didn't have the time even to do that..  wink 

I also figured if you wanted more attention to the iceman fork you'd have jumped on this one..  tongue

Offline
