Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hello all,
When I run the hardnested attack, the nonce count only increases by a single digit; most of the time it does not increase at all.
When I see similar hardnested-related posts here, I can see the nonces were increasing by thousands.
So what is happening with my Proxmark3? Can anyone please share your opinion?
My antenna is reasonably good and I'm running the latest master image. This issue is consistent when running on a Linux or Windows PC.
C:\PM3\pm\win32>proxmark3.exe com4
Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-222-g5e4932e-suspect 2017-12-19 12:19:41
os: master/v3.0.1-222-g5e4932e-suspect 2017-12-19 12:19:43
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/10/27 at 08:30:59
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 197738 bytes (38%). Free: 326550 bytes (62%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hw tune
Measuring antenna characteristics, please wait.........
# LF antenna: 38.23 V @ 125.00 kHz
# LF antenna: 21.04 V @ 134.00 kHz
# LF optimal: 38.23 V @ 125.00 kHz
# HF antenna: 31.87 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
proxmark3> hf mf hard 08 A FFFFFFFFFFFF 16 A <----( same issue with the w/s option )
--target block no: 16, target key type:A, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 4 threads and SSE2 SIMD core | |
0 | 0 | Brute force benchmark: 129 million (2^26.9) keys/s | 140737488355328 | 13d
1 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 13d
5 | 2 | Apply bit flip properties | 140737488355328 | 13d
6 | 3 | Apply bit flip properties | 131447574757376 | 12d
7 | 4 | Apply bit flip properties | 131447574757376 | 12d
8 | 5 | Apply bit flip properties | 116318619566080 | 10d
9 | 5 | Apply bit flip properties | 116318619566080 | 10d
9 | 5 | Apply bit flip properties | 116318619566080 | 10d
10 | 5 | Apply bit flip properties | 116318619566080 | 10d
11 | 5 | Apply bit flip properties | 116318619566080 | 10d
12 | 5 | Apply bit flip properties | 116318619566080 | 10d
12 | 5 | Apply bit flip properties | 116318619566080 | 10d
13 | 5 | Apply bit flip properties | 116318619566080 | 10d
14 | 5 | Apply bit flip properties | 116318619566080 | 10d
15 | 5 | Apply bit flip properties | 116318619566080 | 10d
16 | 5 | Apply bit flip properties | 116318619566080 | 10d
16 | 5 | Apply bit flip properties | 116318619566080 | 10d
17 | 5 | Apply bit flip properties | 116318619566080 | 10d
18 | 5 | Apply bit flip properties | 116318619566080 | 10d
19 | 5 | Apply bit flip properties | 116318619566080 | 10d
19 | 5 | Apply bit flip properties | 116318619566080 | 10d
20 | 5 | Apply bit flip properties | 116318619566080 | 10d
21 | 5 | Apply bit flip properties | 116318619566080 | 10d
22 | 5 | Apply bit flip properties | 116318619566080 | 10d
23 | 5 | Apply bit flip properties | 116318619566080 | 10d
23 | 5 | Apply bit flip properties | 116318619566080 | 10d
24 | 5 | Apply bit flip properties | 116318619566080 | 10d
25 | 5 | Apply bit flip properties | 116318619566080 | 10d
26 | 5 | Apply bit flip properties | 116318619566080 | 10d
26 | 5 | Apply bit flip properties | 116318619566080 | 10d
27 | 5 | Apply bit flip properties | 116318619566080 | 10d
28 | 5 | Apply bit flip properties | 116318619566080 | 10d
29 | 5 | Apply bit flip properties | 116318619566080 | 10d
30 | 5 | Apply bit flip properties | 116318619566080 | 10d
30 | 5 | Apply bit flip properties | 116318619566080 | 10d
31 | 5 | Apply bit flip properties | 116318619566080 | 10d
32 | 5 | Apply bit flip properties | 116318619566080 | 10d
33 | 5 | Apply bit flip properties | 116318619566080 | 10d
33 | 5 | Apply bit flip properties | 116318619566080 | 10d
34 | 5 | Apply bit flip properties | 116318619566080 | 10d
Last edited by Heru (2017-12-19 23:13:00)
Your nonces don't increase at all; they stay at 5. Why do you assume something happened with your device?
hf 14a info
Mr iceman, I think you're spot on yet again on this.
Now, I think it's nothing to do with the device, but rather because of the gen2 Chinese magic cards.
Apparently, the hardnested attack does not work very well on those kinds of cards (nested attacks are also not very successful on them).
I have tried several Chinese magic gen2 cards and fobs. This behaviour is consistent.
Gen2 hardnested
proxmark3> hf 14a info
UID : 15 32 3b 2d
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: WEAK
proxmark3> hf mf hardnested 04 A FFFFFFFFFFFF 18 A w
--target block no: 18, target key type:A, known target key: 0x000000000000 (not set), file action: write, Slow: No, Tests: 0
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 4 threads and SSE2 SIMD core | |
0 | 0 | Brute force benchmark: 155 million (2^27.2) keys/s | 140737488355328 | 11d
3 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 11d
6 | 0 | Writing acquired nonces to binary file nonces.bin | 140737488355328 | 11d
6 | 2 | Apply bit flip properties | 138731184979968 | 10d
7 | 3 | Apply bit flip properties | 138731184979968 | 10d
8 | 4 | Apply bit flip properties | 101969184161792 | 8d
9 | 5 | Apply bit flip properties | 101969184161792 | 8d
9 | 5 | Apply bit flip properties | 101969184161792 | 8d
10 | 5 | Apply bit flip properties | 101969184161792 | 8d
11 | 5 | Apply bit flip properties | 101969184161792 | 8d
12 | 5 | Apply bit flip properties | 101969184161792 | 8d
13 | 5 | Apply bit flip properties | 101969184161792 | 8d
13 | 5 | Apply bit flip properties | 101969184161792 | 8d
14 | 5 | Apply bit flip properties | 101969184161792 | 8d
15 | 5 | Apply bit flip properties | 101969184161792 | 8d
16 | 5 | Apply bit flip properties | 101969184161792 | 8d
16 | 5 | Apply bit flip properties | 101969184161792 | 8d
17 | 5 | Apply bit flip properties | 101969184161792 | 8d
18 | 5 | Apply bit flip properties | 101969184161792 | 8d
19 | 5 | Apply bit flip properties | 101969184161792 | 8d
20 | 5 | Apply bit flip properties | 101969184161792 | 8d
20 | 5 | Apply bit flip properties | 101969184161792 | 8d
21 | 5 | Apply bit flip properties | 101969184161792 | 8d
22 | 5 | Apply bit flip properties | 101969184161792 | 8d
23 | 5 | Apply bit flip properties | 101969184161792 | 8d
23 | 5 | Apply bit flip properties | 101969184161792 | 8d
24 | 5 | Apply bit flip properties | 101969184161792 | 8d
25 | 5 | Apply bit flip properties | 101969184161792 | 8d
26 | 5 | Apply bit flip properties | 101969184161792 | 8d
^C
Genuine Mifare Fob
proxmark3> hf 14a info
UID : 43 42 b2 b0
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: HARDEND (hardnested)
proxmark3> hf mf hard 04 A 9829d000af76 17 A
--target block no: 17, target key type:A, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 4 threads and SSE2 SIMD core | |
0 | 0 | Brute force benchmark: 155 million (2^27.2) keys/s | 140737488355328 | 11d
1 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 11d
6 | 112 | Apply bit flip properties | 567291609088 | 61min
7 | 223 | Apply bit flip properties | 212216512512 | 23min
8 | 334 | Apply bit flip properties | 112593805312 | 12min
9 | 444 | Apply bit flip properties | 112593805312 | 12min
10 | 556 | Apply bit flip properties | 95230607360 | 10min
11 | 666 | Apply bit flip properties | 84029210624 | 9min
12 | 776 | Apply bit flip properties | 57768505344 | 6min
13 | 887 | Apply bit flip properties | 57768505344 | 6min
14 | 997 | Apply bit flip properties | 57768505344 | 6min
16 | 1108 | Apply bit flip properties | 50472800256 | 5min
17 | 1220 | Apply bit flip properties | 48026288128 | 5min
18 | 1329 | Apply bit flip properties | 30841892864 | 3min
19 | 1440 | Apply bit flip properties | 30841892864 | 3min
20 | 1549 | Apply bit flip properties | 30841892864 | 3min
21 | 1660 | Apply bit flip properties | 30841892864 | 3min
22 | 1770 | Apply bit flip properties | 24645994496 | 3min
27 | 1879 | Apply Sum property. Sum(a0) = 112 | 1036809408 | 7s
28 | 1987 | Apply bit flip properties | 772810496 | 5s
31 | 2097 | Apply bit flip properties | 961295360 | 6s
32 | 2207 | Apply bit flip properties | 744710016 | 5s
32 | 2207 | (1. guess: Sum(a8) = 0) | 744710016 | 5s
33 | 2207 | Apply Sum(a8) and all bytes bitflip properties | 736145728 | 5s
34 | 2207 | Brute force phase completed. Key found: 9929d000af76 | 0 | 0s
The magic card doesn't have a very good PRNG; sometimes they are only returning one value.
In your case, it looks like that. The attacks implemented are based on genuine tags' behaviors. On clones (Fudan, magic tags) this behavior cannot be guaranteed to be the same and the attack most likely will fail.
If the PRNG detection doesn't say HARDEND, don't run hardnested....
Prng detection: WEAK
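As an added example (not part of the original posts and not Proxmark3 code): a small Python parser for the hardnested progress table shown in this thread, which flags the nonce plateau seen on the magic gen2 card. The function names and the 10-second stall threshold are assumptions made for this illustration; the sample rows are excerpted from the two runs posted above.

```python
import re

# Row of the hardnested progress table: "time | #nonces | activity | ..."
ROW = re.compile(r"^\s*(\d+)\s*\|\s*(\d+)\s*\|\s*(.*?)\s*\|")

def parse_progress(log):
    """Return (seconds, nonces, activity) for every data row; headers are skipped."""
    return [(int(m[1]), int(m[2]), m[3])
            for m in map(ROW.match, log.splitlines()) if m]

def diagnose(rows, stall_seconds=10):
    """Classify a run; stall_seconds is an assumed threshold, not a Proxmark3 setting."""
    if any("Key found" in activity for _, _, activity in rows):
        return "completed", None
    collected = [(t, n) for t, n, _ in rows if n > 0]
    if not collected:
        return "no-nonces", 0.0
    last_t, last_n = collected[-1]
    # First time the current nonce count was reported: start of the plateau.
    plateau_start = min(t for t, n in collected if n == last_n)
    rate = last_n / max(last_t, 1)  # nonces per second of wall time
    status = "stalled" if last_t - plateau_start >= stall_seconds else "collecting"
    return status, rate

# Rows excerpted from the two runs posted in this thread.
MAGIC_GEN2 = """\
 0 | 0 | Start using 4 threads and SSE2 SIMD core | |
 5 | 2 | Apply bit flip properties | 140737488355328 | 13d
 6 | 3 | Apply bit flip properties | 131447574757376 | 12d
 7 | 4 | Apply bit flip properties | 131447574757376 | 12d
 8 | 5 | Apply bit flip properties | 116318619566080 | 10d
 14 | 5 | Apply bit flip properties | 116318619566080 | 10d
 20 | 5 | Apply bit flip properties | 116318619566080 | 10d
"""
GENUINE = """\
 0 | 0 | Start using 4 threads and SSE2 SIMD core | |
 6 | 112 | Apply bit flip properties | 567291609088 | 61min
 9 | 444 | Apply bit flip properties | 112593805312 | 12min
 12 | 776 | Apply bit flip properties | 57768505344 | 6min
"""

if __name__ == "__main__":
    for name, log in (("magic gen2", MAGIC_GEN2), ("genuine", GENUINE)):
        print(name, diagnose(parse_progress(log)))
```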