Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hi, I'm new to this forum.
Spent around 8 hours today to crack my MIFARE card.
Tried to read the relevant posts first etc., but I always feel the detailed point is missing.
So I checked my card with: hf 14a reader
UID : 0e f8 0e 85
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
Then I went to: hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
Card is not vulnerable to Darkside attack (its random number generator is not predictable).
I then did: hf mf chk * ?
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 4d3a99c351dd
chk default key[ 6] 1a982c7e459a
chk default key[ 7] d3f7d3f7d3f7
chk default key[ 8] 714c5c886e97
chk default key[ 9] 587ee5f9350f
chk default key[10] a0478cc39091
chk default key[11] 533cb6c723f6
chk default key[12] 8fd0a4f256e9
--sector: 0, block: 3, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 1, block: 7, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 2, block: 11, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 3, block: 15, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 4, block: 19, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 5, block: 23, key type:A, key count:13
--sector: 6, block: 27, key type:A, key count:13
--sector: 7, block: 31, key type:A, key count:13
--sector: 8, block: 35, key type:A, key count:13
--sector: 9, block: 39, key type:A, key count:13
--sector:10, block: 43, key type:A, key count:13
--sector:11, block: 47, key type:A, key count:13
--sector:12, block: 51, key type:A, key count:13
--sector:13, block: 55, key type:A, key count:13
--sector:14, block: 59, key type:A, key count:13
--sector:15, block: 63, key type:A, key count:13
--sector: 0, block: 3, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 1, block: 7, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 2, block: 11, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 3, block: 15, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 4, block: 19, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 5, block: 23, key type:B, key count:13
--sector: 6, block: 27, key type:B, key count:13
--sector: 7, block: 31, key type:B, key count:13
--sector: 8, block: 35, key type:B, key count:13
--sector: 9, block: 39, key type:B, key count:13
--sector:10, block: 43, key type:B, key count:13
--sector:11, block: 47, key type:B, key count:13
--sector:12, block: 51, key type:B, key count:13
--sector:13, block: 55, key type:B, key count:13
--sector:14, block: 59, key type:B, key count:13
--sector:15, block: 63, key type:B, key count:13
So it seems I found 1 key, which is ffffffffffff.
So here is where I get stuck. I then did: hf mf rdbl 0 A FFFFFFFFFFFF
--block no:0, key type:A, key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:0e f8 0e 85 7d 88 04 00 c8 48 00 20 00 00 00 14
How to proceed from here?
I don't understand, honestly. I often read that if you find 1 key you can get the others with mf ... but no detail on how to do so...
Appreciate any response!!
Offline
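Added example, not part of the original post or of the Proxmark3 code: a small Python parser for `hf mf chk` output like the one quoted above, which a card issuer could use to audit which sectors still accept a factory default key. The function names `parse_chk` and `audit` are hypothetical, and the sample is a shortened excerpt (sectors 3 to 6) of the output in the post.

```python
import re

# Shortened excerpt (sectors 3-6) of the `hf mf chk * ?` output quoted above.
SAMPLE = """\
--sector: 3, block: 15, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 4, block: 19, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 5, block: 23, key type:A, key count:13
--sector: 6, block: 27, key type:A, key count:13
--sector: 3, block: 15, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 4, block: 19, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 5, block: 23, key type:B, key count:13
--sector: 6, block: 27, key type:B, key count:13
"""

SECTOR_RE = re.compile(r"--sector:\s*(\d+), block:\s*(\d+), key type:([AB])")
KEY_RE = re.compile(r"Found valid key:\[([0-9a-fA-F]{12})\]")

def parse_chk(text):
    """Return {(sector, key_type): key or None} from default-key check output."""
    results, current = {}, None
    for line in text.splitlines():
        header = SECTOR_RE.search(line)
        if header:
            sector, block, key_type = int(header[1]), int(header[2]), header[3]
            # On a 1K card the tested block is the sector trailer: 4*sector + 3.
            if block != 4 * sector + 3:
                raise ValueError(f"unexpected trailer block in: {line!r}")
            current = (sector, key_type)
            results[current] = None
        elif current and (found := KEY_RE.search(line)):
            results[current] = found[1].lower()
    return results

def audit(results):
    """Group sectors by whether any default key (A or B) authenticated."""
    report = {"default_keyed": [], "custom_keyed": []}
    for sector in sorted({s for s, _ in results}):
        hit = results.get((sector, "A")) or results.get((sector, "B"))
        report["default_keyed" if hit else "custom_keyed"].append(sector)
    return report

if __name__ == "__main__":
    print(audit(parse_chk(SAMPLE)))
```

Sectors listed under `default_keyed` are readable by anyone holding the card; those under `custom_keyed` were not opened by the default-key list.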
Hello,
So far you have discovered some keys from your card.
You can read sectors 0, 1, 2, 3, 4. The rest you can't, because you haven't discovered them yet.
For example:
if you do hf mf rdsc 0 A ffffffffffff
hf mf rdsc <sector number> <key A/B> <key (12 hex symbols)>
you will be able to read all of sector 0.
As for the rest of the keys, you can get them by doing a nested or hardnested attack.
About nested, you can do something like:
hf mf nested 1 0 A FFFFFFFFFFFF d
By doing this you will try to discover other keys on the card.
If you discover all of them, it will create a file with all the keys of your card.
Then you can do hf mf dump.
It will create a file called dumpdata.bin with all the info of your card.
If you didn't understand something, just tell me and I will try to explain better.
Pedro Cabral
Offline
I suggest reading the wiki to understand more about the Mifare commands on PM3.
ref: https://github.com/Proxmark/proxmark3/wiki
Offline
Based on the output, he/she will also need to read up on the hardnested attack and learn how to obtain a build with it.
Offline
Hey there, thanks for the answers. Let me say first that I respectfully read as much as I can in the manual and wiki.
Thanks Pedro, appreciate your answer in detail. I do understand what you stated, I just forgot to mention I was one step further.
I tried a nested attack already.
It returned:
Card is not vulnerable to Darkside attack (its random number generator is not predictable).
So it seems my only option is the hardnested attack. I read some stuff, but it seems this is a code extension-framework I need to get from Iceman, correct? Because I couldn't find the syntax for hardnested in the mf.
I looked at:
https://github.com/Proxmark/proxmark3/wiki/commands and
https://github.com/Proxmark/proxmark3/wiki/Mifare%20Tag%20Ops
M.
Last edited by maurice (2017-01-20 17:37:10)
Offline
Hi Pedro, any update to my last question?
Offline
Hello,
Sorry for taking so much time to answer your question, but I don't have that much time.
So you did a darkside attack and not a nested one, because the possible error messages are:
case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;
case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;
case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (its random number generator is not predictable).\n"); break;
case -4 : PrintAndLog("No valid key found"); break;
It's strange that nested doesn't work, because I have one MIFARE card on which I can't perform a darkside attack but I can do a nested one. Maybe try a hardnested.
But what kind of card are you trying to crack? Transportation? Access?
Best,
Pedro Cabral
Offline
It's for access to the building I'm living in.
This is what I had: case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (its random number generator is not predictable).\n"); break;
Now I'm looking for how to do a hardnested attack.
But I can't find information on this.
Everyone says do a hardnested attack, but nobody tells me how or where to find info.
Offline
Search the forum.
Offline
I don't really get the strong hostility towards my question.
I have now spent quite a lot of time going through threads, reading 11 pages about hardnested attacks.
Instead of "search the forum" you could as well have pointed me to the right thread!?
I'm still not 100% sure. It's like fragments of info in every thread, but no dedicated guide.
I'm a web developer and former assembler coder, so it's not like I'm too stupid or something...
Still appreciate any help if possible.
Thanks
Offline
No hostility intended. And you are correct, there is no dedicated guide and there likely won't be (at least for some time, as it is still experimental and is not in the main pm3 code).
Some key threads are:
http://www.proxmark.org/forum/viewtopic.php?id=2120
http://www.proxmark.org/forum/viewtopic.php?id=3736
http://www.proxmark.org/forum/viewtopic.php?id=4051
Offline
Also, on GitHub there are various forks with the information you seek:
https://github.com/Proxmark/proxmark3/network
Offline
You are so friendly, @marshmellow, an example to the rest of us.
Offline
Lol, at least I responded. Most just looked at it and decided they didn't have the time even to do that.
I also figured if you wanted more attention to the iceman fork you'd have jumped on this one.
Offline