Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2016-10-17 16:20:08

HighPressure
Contributor
Registered: 2016-07-17
Posts: 56

hf mf sim instead of hardnesting

Hi all

I was just again at an entrance system with my proxmark
card was not vul to the basics and I would have to go and try hardnested instead.

As I recently thought about uid bruteforcing at an other site, I had a closer look at the hf mf sim commands and saw there is a cracking command too.
I found in the forum here the post of iceman where he wrote that he integrated the command in the 14a commands, as for him the hf mf sim did not work quite good.

I thought lets give it a try anyhow.


so I started with hf mf sim x ...

Auth failed for sector 13 with key A. cardrd=a954d863, succ=20f8ed56
Auth failed for sector 13 with key A. cardrd=8a09313f, succ=20f8ed56
..
Collected to pairs of AR/NR which can be used to extract keyA from reader for sector13:
... then the details of what he found
and a second time same stuff with different pairs
Emualtor stopped Tracing: 1 trace length 532


was like,.. uhm? and now?
where is it?

funny thing to notice: only if you do a hf mf sim x i you are going to see the last line that says:
Found KeyA for sector 13: [the fixed company key]
so documentation is missing that this implies i or otherwise you wont see the result.
guess as you need it anyhow fixing to automatically adding the i wouldnt be too bad anyhow :-P

ok so I thought, as I got now the key lets sim and test..
nope? failed? just nothing happening when I held the proxmark to the reader.

so as the help says "load the keys found" with e, I extended and ran hf mf sim x e

does more or less the same and then says
Setting Emulator Memory Block 55: [thekey+FF078069000000000000]

but it did not search for more or other keys. same with n 0


so I thought ok, iceman said its not working proper..
funny thing about hf 14a sim... the documentation does not say anything about x but it seems to work (not).

for me it just ends with a lot of auth attemps and then says 1000 commands later... 0 0 3e8 and ends.



.. so back to basics and hf mf hardnesting this card
did it
did my classical test scenario of removing sector based content to see whats needed really
I ended with just sector 0 and non info else.

so whats the difference then? why does hf mf sim u card-Id does not work while a blank card with nothing than sector 0 works ?
is it the timing again, you mentioned already so often @iceman?


as i already stated somewhere else i am not very good in programming and i never learned c/c++

When I have a look at cmdhfmf.c I assume its line1377 where this find key stuff starts.
this line before with "enter reader attack" isnt showing up in my cmd, so thats why I am not sure if I am right there.
Btw there is a space missing in PrintAndLog("Found Key%s for sector ..... as its resulting in KeyA smile so I guess I am at the right place.

so ok.. when I analyze whats going on there, the break seems to be what stops further searches??

I tried to recompile this and it seems to be stuck then.
when I manually cancle by button press or key it jumps in the " enter reader attack and known hf mf chk "diagram" and shows the fond key plus two which i did not know until now. dont know if these are false positives?
but I guess something can be improved there, like linking to the already known key if you use it with u <id>.. because here i see auth failed even as I already got the keys in the dumpedkeys.



btw: simulating and reading it with my acr122u does work fine.
interesting, isnt it?

Offline

#2 2016-10-17 19:16:06

gator96100
Contributor
From: Austria
Registered: 2016-03-25
Posts: 177

Re: hf mf sim instead of hardnesting

I noticed that my proxmark has problems emulating nfc cards as well. The problem seems to be a very "noisy" connection between the proxmark and the reader. On my acr122u it seems to work but not on my phone/cheaper readers. I tried different distances between proxmark and reader but never got it working and I stopped looking any further.

Offline

#3 2016-10-17 19:31:41

HighPressure
Contributor
Registered: 2016-07-17
Posts: 56

Re: hf mf sim instead of hardnesting

for the lf commands I assume its something with timing/clock
for the hf commands I am not sure what the problem is.. just as you said the acr122u works fine.
I think its more something like what is beeing read or expected to see.

otherwise the reader attack wouldnt work anyhow.. know what I mean?
so best example is what I wrote in the post above. How can it be that the acr122u shows the uid while the "real reader" doesnt react anyhow to the emu. When I write a magic card just with sector 0 the "real reader" accepts the card.

same can be tested rather easy:
if you e.g. load UIDs from a txt file with the sim command, you will see that the proxmark does not detect the acr as valid reader (look at the flags) - you will have to button press, mine wont progress automatically.

I checked today the em4x tokens in our company and found that only the last 3 digits are changing. should be kinda easy to bruteforce.. as far as emulating would work on the readers lol
we´ve got 2 different for the time system and one for the door - non of them recognizes the proxmark, while proxmark with hw commands to measure sees like between 5000 and 12000 mv (I think it was mv? was it?)

Offline

#4 2016-10-18 12:44:22

HighPressure
Contributor
Registered: 2016-07-17
Posts: 56

Re: hf mf sim instead of hardnesting

[ offtopic ]
I just went to master build and tested the lf em4x em410xsim uid command
works fine with the master

when I run master firmware and iceman build - which you shouldnt do - it works for the sim too but it ends up with a strange ID and screws up the reader lol

when I flash to iceman firmware my reader wont detect the sim´ no matter if with or without clock 64

Offline

#5 2016-10-18 12:55:19

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: hf mf sim instead of hardnesting

the timings is off since some breaking changes to the ticks-timer for LF.  Needs to be adjusted in my fork.
Open an issue and take it from there.

Offline

#6 2016-10-18 13:28:19

HighPressure
Contributor
Registered: 2016-07-17
Posts: 56

Re: hf mf sim instead of hardnesting

cool smile
thx

shall I open an issue for the search of further keys too?
Guess the problem with hf mf sim u <uid> will take some more than just a fast one line of code fix

Offline

#7 2016-10-18 13:48:28

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: hf mf sim instead of hardnesting

different questions,  different issues,  hf mf sim  should work, but could have issues with which data is transfered to client when auth req is found during sim.  Same there, open an issue with all details you got.

Offline

#8 2017-02-04 18:11:19

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: hf mf sim instead of hardnesting

I've tested both  hf 14a sim x and hf mf sim x i  in iceman fork.  They work now after given some more love and switch to moebius attack as default.

It should work too in PM3 Master after this PR https://github.com/Proxmark/proxmark3/pull/209

Offline

#9 2017-02-06 17:48:02

HighPressure
Contributor
Registered: 2016-07-17
Posts: 56

Re: hf mf sim instead of hardnesting

for the reader here it does not work
it says Reader is trying authentication with: Key A, Sector 13: [key]

when I run

hf mf sim x i this appears in more or less endless loop

when I run

hf mf sim x i e then this message will appear like 2 or 3 times

after this it will present me the list of keys found, which is only A13

no matter if I use u parameter and a valid uid or leave it away


for the ACR122u it still works fine to read the sim of proxmark

Offline

#10 2017-02-06 18:26:02

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: hf mf sim instead of hardnesting

it sounds that it works just like it should.   It finds the key the reader is trying to authenticate with.

Basics:  the reader is doing what it is programmed to do. It tries to read sector 13 (or specifically some blocks inside it).
When it doesn get the correct data it stops.   And start over again.

PM3: the device is simulating a classic tag,  completely empty without keys or anything.  Because thats what you told it to do.

With what you have posted, nothing implies that there is something wrong with the PM3 firmware/client.

A) ARC122u can read sim. ie read the UID for the simulation.
B) Valid reader can read UID, and tries to authenticate.

-
If you are trying to get the more keys with "sim x"?   You need to understand what the reader wants to continue.
loading the key into emulator memory, will only let the reader authenticate but the read/write command will get zeros.

From your valid tag, you need to extract sector13 data and load that onto emulator memory and try again.  This will enable to give the reader a correct read/write command.  And hopefully it does more work against other block which you can get the key from too.  rinse and repeat.

Now, sometimes the reader uses mifares "nested authentication",  that attack is not impl in "sim x",  however luckily you can use j-run's extra tool (phase1)  and "hf mf brutefor" (phase2) in my fork for that.  This is an offline card attack in phase1 and a online attack against tag in phase2.    WIth this you will get another key,  which you will rinse and repat again...

This method of attacking a hardnested without a known key takes its time but works at least.

limit:  "sim x" will only find those keys the reader are trying to use.  it is an reader-attack.

OPTION
With your known default company key Sector13, you can use hardnested to get other keys for your card.  This is a card only attack.

I know its confusing and hard to fully understand the different ways of getting all keys to a tag.
You'll make!

Offline

#11 2017-02-09 19:42:42

HighPressure
Contributor
Registered: 2016-07-17
Posts: 56

Re: hf mf sim instead of hardnesting

OK got it. that was the missing link to understand why the ARC does work and the valid reader wants to proceed

For a different test -just to see if sim works for me and the reader here- I loaded my complete dumped card and its keys to the memory. went then and checked if its there with hf mf eget and a block after all that - ok different data is showing up in different blocks.. all fine then

with a simple "hf mf sim" it brought up my uid - so it seems to be fine then too?

when I hold my prox to the reader, the light turns red, so it seems the magic happens smile
..but the reader doesnt react then?
when I restart it with "hf mf sim i v" or just i, or just v i see the same happening and still no feedback in the console.

the funny part is.. if I do the - I call it offline clone - so power on the proxmark with battery / powerbank attached and clone the card´s uid with button press to the memory, it just works fine at the same reader (at least it did last time, havent got my bank with me now to test it with this build)

so where is the difference here?
why is "hf mf sim u myid" or "hf mf sim" after loading the emulator asking for blocks/auth´s or not working, while the "offline-method" works fine?

strange, isnt it?

Offline

Board footer

Powered by FluxBB