Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2020-04-05 22:31:10

Rema78
Contributor
Registered: 2020-04-04
Posts: 20

Proxmark3 (edit and copy mf classic 1k tag)

1. Run command - hf search

proxmark3> hf search
          
 UID : 96 8d 1b 2a          
ATQA : 00 04          
 SAK : 08 [2]          
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1          
proprietary non iso14443-4 card found, RATS not supported          
No chinese magic backdoor command detected          
Prng detection: HARDENED (hardnested)          

Valid ISO14443A Tag Found - Quiting Search

2. Run command - hf mf chk * ?

proxmark3> hf mf chk * ?
--chk keys. sectors:16, block no:  0, key type:?, eml:n, dmp=n checktimeout=471 us          
No key specified, trying default keys          
chk default key[ 0] ffffffffffff          
chk default key[ 1] 000000000000          
chk default key[ 2] a0a1a2a3a4a5          
chk default key[ 3] b0b1b2b3b4b5          
chk default key[ 4] aabbccddeeff          
chk default key[ 5] 1a2b3c4d5e6f          
chk default key[ 6] 123456789abc          
chk default key[ 7] 010203040506          
chk default key[ 8] 123456abcdef          
chk default key[ 9] abcdef123456          
chk default key[10] 4d3a99c351dd          
chk default key[11] 1a982c7e459a          
chk default key[12] d3f7d3f7d3f7          
chk default key[13] 714c5c886e97          
chk default key[14] 587ee5f9350f          
chk default key[15] a0478cc39091          
chk default key[16] 533cb6c723f6          
chk default key[17] 8fd0a4f256e9          

To cancel this operation press the button on the proxmark...          
--o          
|---|----------------|----------------|          
|sec|key A           |key B           |          
|---|----------------|----------------|          
|000|  a0a1a2a3a4a5  |        ?       |          
|001|        ?       |        ?       |          
|002|        ?       |        ?       |          
|003|        ?       |        ?       |          
|004|        ?       |        ?       |          
|005|        ?       |        ?       |          
|006|        ?       |        ?       |          
|007|        ?       |        ?       |          
|008|        ?       |        ?       |          
|009|        ?       |        ?       |          
|010|        ?       |        ?       |          
|011|        ?       |        ?       |          
|012|        ?       |        ?       |          
|013|        ?       |        ?       |          
|014|        ?       |        ?       |          
|015|        ?       |        ?       |          
|---|----------------|----------------|          

One key A was found for block 0

3. Run command - hf mf nested 1 2 A a0a1a2a3a4a5
"1" is mode to a 1k card,
"2 A" is we need find key for block 2 and that it is a A key
"a0a1a2a3a4a5" is key we already know

proxmark3> hf mf nested 1 2 A a0a1a2a3a4a5
--nested. sectors:16, block no:  2, key type:A, eml:n, dmp=n checktimeout=471 us          
Testing known keys. Sector count=16          
nested...          
-----------------------------------------------          
Tag isn't vulnerable to Nested Attack (random numbers are not predictable).

But I got a negative result using the nested method and then I started using the hardnested method

4. Run command - hf mf hardnested 0 A a0a1a2a3a4a5 0 B
"0 A a0a1a2a3a4a5" is block 0 for A key and we already know key a0a1a2a3a4a5
"0 B" is we need find key for block 0 for key B

proxmark3> hf mf hardnested 0 A a0a1a2a3a4a5 0 B
--target block no:  0, target key type:B, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0           
Using AVX SIMD core.          
          
 time    | #nonces | Activity                                                | expected to brute force          
         |         |                                                         | #states         | time           
------------------------------------------------------------------------------------------------------          
       0 |       0 | Start using 4 threads and AVX SIMD core                 |                 |          
       0 |       0 | Brute force benchmark: 312 million (2^28,2) keys/s      | 140737488355328 |    5d          
       1 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |    5d          
       4 |     112 | Apply bit flip properties                               |    107508375552 |  6min          
       5 |     224 | Apply bit flip properties                               |     10412818432 |   33s          
       6 |     335 | Apply bit flip properties                               |      9926791168 |   32s          
       7 |     447 | Apply bit flip properties                               |      8909449216 |   29s          
       8 |     559 | Apply bit flip properties                               |      8811363328 |   28s          
       9 |     671 | Apply bit flip properties                               |      8248473600 |   26s          
      10 |     781 | Apply bit flip properties                               |      7844591616 |   25s          
      11 |     892 | Apply bit flip properties                               |      7844591616 |   25s          
      11 |    1003 | Apply bit flip properties                               |      7844591616 |   25s          
      12 |    1114 | Apply bit flip properties                               |      7844591616 |   25s          
      12 |    1225 | Apply bit flip properties                               |      7844591616 |   25s          
      13 |    1336 | Apply bit flip properties                               |      7844591616 |   25s          
      15 |    1447 | Apply Sum property. Sum(a0) = 112                       |       674141504 |    2s          
      16 |    1557 | Apply bit flip properties                               |       674141504 |    2s          
      16 |    1667 | Apply bit flip properties                               |       674141504 |    2s          
      17 |    1774 | Apply bit flip properties                               |       455468096 |    1s          
      18 |    1774 | (Ignoring Sum(a8) properties)                           |       455468096 |    1s          
      19 |    1774 | Starting brute force...                                 |       455468096 |    1s          
      21 |    1774 | Brute force phase completed. Key found: 4babeb790368    |               0 |    0s

Key for block 0 for key B was found successfully - 4babeb790368
Next, I ran the command

     
5. Run command - hf mf fchk 1 4babeb790368 d

proxmark3> hf mf fchk 1 4babeb790368 d
help             This help          
dbg              Set default debug mode          
rdbl             Read MIFARE classic block          
rdsc             Read MIFARE classic sector          
dump             Dump MIFARE classic tag to binary file          
restore          Restore MIFARE classic binary file to BLANK tag          
wrbl             Write MIFARE classic block          
auth4            ISO14443-4 AES authentication          
chk              Test block keys          
mifare           Read parity error messages.          
hardnested       Nested attack for hardened Mifare cards          
nested           Test nested authentication          
sniff            Sniff card-reader communication          
sim              Simulate MIFARE card          
eclr             Clear simulator memory          
eget             Get simulator memory block          
eset             Set simulator memory block          
eload            Load from file emul dump          
esave            Save to file emul dump          
ecfill           Fill simulator memory with help of keys from simulator          
ekeyprn          Print keys from simulator memory          
cwipe            Wipe magic Chinese card          
csetuid          Set UID for magic Chinese card          
csetblk          Write block - Magic Chinese card          
cgetblk          Read block - Magic Chinese card          
cgetsc           Read sector - Magic Chinese card          
cload            Load dump into magic Chinese card          
csave            Save dump from magic Chinese card into file or emulator          
decrypt          [nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace          
mad              Checks and prints MAD          
ndef             Prints NDEF records from card          
personalize      Personalize UID (Mifare Classic EV1 only)

But command 5 was incorrect. What am I doing wrong, what commands do I need to execute?

Offline

#2 2020-04-06 05:19:44

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Proxmark3 (edit and copy mf classic 1k tag)

you are trying to run a command that doesn't exist in offical repo.

Try hf mf chk instead

Offline

#3 2020-04-06 22:08:52

Rema78
Contributor
Registered: 2020-04-04
Posts: 20

Re: Proxmark3 (edit and copy mf classic 1k tag)

Hello, iceman!

I have previously run command - hf mf chk * ?
I found one key, then I found all the other keys using the hardnested method
How can I now dump the original tag and copy it to another new tag (make a copy of the tag)?

Offline

#4 2020-04-07 19:21:02

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Proxmark3 (edit and copy mf classic 1k tag)

I think there is a autopwn script in RRG repo, which can generate a key file which then can be used to dump a card. In general, the RRG repo the better choice für cloners.

Offline

#5 2020-04-07 23:47:00

Rema78
Contributor
Registered: 2020-04-04
Posts: 20

Re: Proxmark3 (edit and copy mf classic 1k tag)

Hello, piwi!

I installed my proxmark3 for Ubuntu 18.04 by official manual - https://github.com/Proxmark/proxmark3/wiki/Ubuntu-Linux

1. Run command -  hf mf autopwn

proxmark3> hf mf autopwn
help             This help          
dbg              Set default debug mode          
rdbl             Read MIFARE classic block          
rdsc             Read MIFARE classic sector          
dump             Dump MIFARE classic tag to binary file          
restore          Restore MIFARE classic binary file to BLANK tag          
wrbl             Write MIFARE classic block          
auth4            ISO14443-4 AES authentication          
chk              Test block keys          
mifare           Read parity error messages.          
hardnested       Nested attack for hardened Mifare cards          
nested           Test nested authentication          
sniff            Sniff card-reader communication          
sim              Simulate MIFARE card          
eclr             Clear simulator memory          
eget             Get simulator memory block          
eset             Set simulator memory block          
eload            Load from file emul dump          
esave            Save to file emul dump          
ecfill           Fill simulator memory with help of keys from simulator          
ekeyprn          Print keys from simulator memory          
cwipe            Wipe magic Chinese card          
csetuid          Set UID for magic Chinese card          
csetblk          Write block - Magic Chinese card          
cgetblk          Read block - Magic Chinese card          
cgetsc           Read sector - Magic Chinese card          
cload            Load dump into magic Chinese card          
csave            Save dump from magic Chinese card into file or emulator          
decrypt          [nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace          
mad              Checks and prints MAD          
ndef             Prints NDEF records from card          
personalize      Personalize UID (Mifare Classic EV1 only)  

But this command does not work!
Send me a link to configure and use the proxmark for Ubuntu in community "RfidResearchGroup", please

Offline

Board footer

Powered by FluxBB