Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2019-11-24 15:58:43

XT4T1C
Contributor
Registered: 2019-10-12
Posts: 19

Mifare Classic 1k copying hadnested - shouldn't be that hard

Hi,

I'm obviously pretty new to this but I'm making some progress although I could use some help. I'm trying to make an exact copy of the card shown below. So the one below is the original.


proxmark3> hf search

UID : 72 38 59 5b
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: HARDENED (hardnested)

Valid ISO14443A Tag Found - Quiting Search]

I managed to change the UID of the card I'm going to use as a copy and this is the result:

proxmark3> hf search

UID : 72 38 59 5b
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Chinese magic backdoor commands (GEN 1a) detected
Prng detection: WEAK

Valid ISO14443A Tag Found - Quiting Search


I figured it wouldn't open any door yet because I only copied the UID and not the entire card. Trough following a couple of tutorials I learned that this card isn't furnerable to a so called nested attack, but is to a hardnested one. This is as far as I've come with the hardnested attack..

proxmark3> hf mf hardnested 0 A FFFFFFFFFFFF 4 A
--target block no:  4, target key type:A, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0
Using AVX2 SIMD core.



time    | #nonces | Activity                                                | expected to brute force
         |         |                                                         | #states         | time
------------------------------------------------------------------------------------------------------
       0 |       0 | Start using 8 threads and AVX2 SIMD core                |                 |
       0 |       0 | Brute force benchmark: 935 million (2^29.8) keys/s      | 140737488355328 |    2d
       3 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |    2d
       7 |     112 | Apply bit flip properties                               |    161966391296 |  3min
       8 |     223 | Apply bit flip properties                               |     20510554112 |   22s
       9 |     334 | Apply bit flip properties                               |      9413490688 |   10s
      10 |     445 | Apply bit flip properties                               |      4631179776 |    5s
      11 |     557 | Apply bit flip properties                               |      1287070592 |    1s
      12 |     669 | Apply bit flip properties                               |      1267456896 |    1s
      13 |     780 | Apply bit flip properties                               |      1267456896 |    1s
      13 |     892 | Apply bit flip properties                               |      1267456896 |    1s
      14 |    1001 | Apply bit flip properties                               |      1267456896 |    1s
      15 |    1110 | Apply bit flip properties                               |      1247843200 |    1s
      15 |    1220 | Apply bit flip properties                               |      1247843200 |    1s
      16 |    1330 | Apply bit flip properties                               |      1247843200 |    1s
      17 |    1440 | Apply bit flip properties                               |      1247843200 |    1s
      19 |    1550 | Apply Sum property. Sum(a0) = 120                       |       311395392 |    0s
      19 |    1550 | (Ignoring Sum(a8) properties)                           |       311395392 |    0s
      22 |    1550 | Starting brute force...                                 |       311395392 |    0s
      22 |    1550 | Brute force phase completed. Key found: a0a1a2a3a4a5    |               0 |    0s

This information might be usefull as well:

proxmark3> hf mf chk *1 ?
--chk keys. sectors:16, block no:  0, key type:?, eml:n, dmp=n checktimeout=471 us
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 1a2b3c4d5e6f
chk default key[ 6] 123456789abc
chk default key[ 7] 010203040506
chk default key[ 8] 123456abcdef
chk default key[ 9] abcdef123456
chk default key[10] 4d3a99c351dd
chk default key[11] 1a982c7e459a
chk default key[12] d3f7d3f7d3f7
chk default key[13] 714c5c886e97
chk default key[14] 587ee5f9350f
chk default key[15] a0478cc39091
chk default key[16] 533cb6c723f6
chk default key[17] 8fd0a4f256e9

To cancel this operation press the button on the proxmark...
--o
|---|----------------|----------------|
|sec|key A           |key B           |
|---|----------------|----------------|
|000|  ffffffffffff  |  ffffffffffff  |
|001|  a0a1a2a3a4a5  |        ?       |
|002|        ?       |        ?       |
|003|        ?       |        ?       |
|004|        ?       |        ?       |
|005|        ?       |        ?       |
|006|        ?       |        ?       |
|007|        ?       |        ?       |
|008|        ?       |        ?       |
|009|        ?       |        ?       |
|010|        ?       |        ?       |
|011|        ?       |        ?       |
|012|        ?       |        ?       |
|013|        ?       |        ?       |
|014|        ?       |        ?       |
|015|        ?       |        ?       |
|---|----------------|----------------|


I don't know what the next step in this process should be, since all tutorials I've found aren't exactly complying on this project. I feel like this shouldn't be that hard, but I'm not getting anywhere from this point.

I'm hoping someone can help me out with some tips, or give me an exact link to a page to follow since I've tried to search in the Wiki, Google and multiple tutorials but none seem to work out for me..

Thanks in advance!!

Offline

#2 2019-11-27 22:47:49

mazodude
Contributor
Registered: 2018-10-25
Posts: 10

Re: Mifare Classic 1k copying hadnested - shouldn't be that hard

There is a new command in the RRG version (which I suspect you are running).
hf mf autopwn

Offline

#3 2019-11-28 09:16:33

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: Mifare Classic 1k copying hadnested - shouldn't be that hard

the prompt tells us that he is running offical repo.

Offline

#4 2019-11-28 10:36:42

JohnDoePM
Contributor
Registered: 2018-07-08
Posts: 49

Re: Mifare Classic 1k copying hadnested - shouldn't be that hard

@XT4T1C:

It seems to me that not all of your keys have been found (sectors 2-15).
Try the hardnested command on another block, for example

hf mf hardnested 5 A a0a1a2a3a4a5 8 A

and see what you get.
Best of luck,

JD.

Offline

#5 2019-11-28 19:37:41

XT4T1C
Contributor
Registered: 2019-10-12
Posts: 19

Re: Mifare Classic 1k copying hadnested - shouldn't be that hard

mazodude wrote:

There is a new command in the RRG version (which I suspect you are running).
hf mf autopwn

This autopwn command seems very promising. How/where to get this RRG/Iceman repo?

Offline

#6 2019-12-05 21:06:02

XT4T1C
Contributor
Registered: 2019-10-12
Posts: 19

Re: Mifare Classic 1k copying hadnested - shouldn't be that hard

XT4T1C wrote:
mazodude wrote:

There is a new command in the RRG version (which I suspect you are running).
hf mf autopwn

This autopwn command seems very promising. How/where to get this RRG/Iceman repo?

Anyone???

Offline

#7 2019-12-05 22:00:08

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Mifare Classic 1k copying hadnested - shouldn't be that hard

Offline

#8 2019-12-19 15:46:56

ulisse
Contributor
Registered: 2019-09-29
Posts: 8

Re: Mifare Classic 1k copying hadnested - shouldn't be that hard

Someone can tell me how to unlock a key make me classic that they put it on the blacklist

Offline

Board footer

Powered by FluxBB