Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
1. Run command - hf search
proxmark3> hf search
UID : 96 8d 1b 2a
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: HARDENED (hardnested)
Valid ISO14443A Tag Found - Quiting Search
2. Run command - hf mf chk * ?
proxmark3> hf mf chk * ?
--chk keys. sectors:16, block no: 0, key type:?, eml:n, dmp=n checktimeout=471 us
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 1a2b3c4d5e6f
chk default key[ 6] 123456789abc
chk default key[ 7] 010203040506
chk default key[ 8] 123456abcdef
chk default key[ 9] abcdef123456
chk default key[10] 4d3a99c351dd
chk default key[11] 1a982c7e459a
chk default key[12] d3f7d3f7d3f7
chk default key[13] 714c5c886e97
chk default key[14] 587ee5f9350f
chk default key[15] a0478cc39091
chk default key[16] 533cb6c723f6
chk default key[17] 8fd0a4f256e9
To cancel this operation press the button on the proxmark...
--o
|---|----------------|----------------|
|sec|key A |key B |
|---|----------------|----------------|
|000| a0a1a2a3a4a5 | ? |
|001| ? | ? |
|002| ? | ? |
|003| ? | ? |
|004| ? | ? |
|005| ? | ? |
|006| ? | ? |
|007| ? | ? |
|008| ? | ? |
|009| ? | ? |
|010| ? | ? |
|011| ? | ? |
|012| ? | ? |
|013| ? | ? |
|014| ? | ? |
|015| ? | ? |
|---|----------------|----------------|
One key A was found for block 0
3. Run command - hf mf nested 1 2 A a0a1a2a3a4a5
"1" is the mode for a 1k card,
"2 A" means we need to find the key for block 2 and that it is an A key
"a0a1a2a3a4a5" is the key we already know
proxmark3> hf mf nested 1 2 A a0a1a2a3a4a5
--nested. sectors:16, block no: 2, key type:A, eml:n, dmp=n checktimeout=471 us
Testing known keys. Sector count=16
nested...
-----------------------------------------------
Tag isn't vulnerable to Nested Attack (random numbers are not predictable).
But I got a negative result using the nested method and then I started using the hardnested method
4. Run command - hf mf hardnested 0 A a0a1a2a3a4a5 0 B
"0 A a0a1a2a3a4a5" is block 0 with key A, for which we already know the key a0a1a2a3a4a5
"0 B" means we need to find key B for block 0
proxmark3> hf mf hardnested 0 A a0a1a2a3a4a5 0 B
--target block no: 0, target key type:B, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0
Using AVX SIMD core.
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 4 threads and AVX SIMD core | |
0 | 0 | Brute force benchmark: 312 million (2^28,2) keys/s | 140737488355328 | 5d
1 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 5d
4 | 112 | Apply bit flip properties | 107508375552 | 6min
5 | 224 | Apply bit flip properties | 10412818432 | 33s
6 | 335 | Apply bit flip properties | 9926791168 | 32s
7 | 447 | Apply bit flip properties | 8909449216 | 29s
8 | 559 | Apply bit flip properties | 8811363328 | 28s
9 | 671 | Apply bit flip properties | 8248473600 | 26s
10 | 781 | Apply bit flip properties | 7844591616 | 25s
11 | 892 | Apply bit flip properties | 7844591616 | 25s
11 | 1003 | Apply bit flip properties | 7844591616 | 25s
12 | 1114 | Apply bit flip properties | 7844591616 | 25s
12 | 1225 | Apply bit flip properties | 7844591616 | 25s
13 | 1336 | Apply bit flip properties | 7844591616 | 25s
15 | 1447 | Apply Sum property. Sum(a0) = 112 | 674141504 | 2s
16 | 1557 | Apply bit flip properties | 674141504 | 2s
16 | 1667 | Apply bit flip properties | 674141504 | 2s
17 | 1774 | Apply bit flip properties | 455468096 | 1s
18 | 1774 | (Ignoring Sum(a8) properties) | 455468096 | 1s
19 | 1774 | Starting brute force... | 455468096 | 1s
21 | 1774 | Brute force phase completed. Key found: 4babeb790368 | 0 | 0s
Key for block 0 for key B was found successfully - 4babeb790368
Next, I ran the command
5. Run command - hf mf fchk 1 4babeb790368 d
proxmark3> hf mf fchk 1 4babeb790368 d
help This help
dbg Set default debug mode
rdbl Read MIFARE classic block
rdsc Read MIFARE classic sector
dump Dump MIFARE classic tag to binary file
restore Restore MIFARE classic binary file to BLANK tag
wrbl Write MIFARE classic block
auth4 ISO14443-4 AES authentication
chk Test block keys
mifare Read parity error messages.
hardnested Nested attack for hardened Mifare cards
nested Test nested authentication
sniff Sniff card-reader communication
sim Simulate MIFARE card
eclr Clear simulator memory
eget Get simulator memory block
eset Set simulator memory block
eload Load from file emul dump
esave Save to file emul dump
ecfill Fill simulator memory with help of keys from simulator
ekeyprn Print keys from simulator memory
cwipe Wipe magic Chinese card
csetuid Set UID for magic Chinese card
csetblk Write block - Magic Chinese card
cgetblk Read block - Magic Chinese card
cgetsc Read sector - Magic Chinese card
cload Load dump into magic Chinese card
csave Save dump from magic Chinese card into file or emulator
decrypt [nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace
mad Checks and prints MAD
ndef Prints NDEF records from card
personalize Personalize UID (Mifare Classic EV1 only)
But command 5 was incorrect. What am I doing wrong, what commands do I need to execute?
Offline
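Added example (not part of the original post and not Proxmark code): a small Python audit that a card issuer could run over saved `hf mf chk` output to flag sectors still provisioned with a key from the default list. In the post above, one such key on sector 0 was enough for hardnested to recover another key. The function name and the sample log are constructed; the log layout follows the output shown above.

```python
import re

# Constructed sample in the layout of the `hf mf chk * ?` output quoted above.
SAMPLE_LOG = """\
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
|---|----------------|----------------|
|sec|key A           |key B           |
|---|----------------|----------------|
|000|  a0a1a2a3a4a5  |  4babeb790368  |
|001|  ?             |  ?             |
|---|----------------|----------------|
"""

# "chk default key[ 2] a0a1a2a3a4a5" -> the dictionary the client tried
DEFAULT_RE = re.compile(r"chk default key\[\s*\d+\]\s+([0-9a-fA-F]{12})")
# "|000| a0a1a2a3a4a5 | ? |" -> sector number, key A, key B ("?" = not found)
ROW_RE = re.compile(
    r"\|\s*(\d{3})\s*\|\s*([0-9a-fA-F]{12}|\?)\s*\|\s*([0-9a-fA-F]{12}|\?)\s*\|"
)

def audit_chk_log(text):
    """Return the sectors whose recovered key is one of the default keys tried."""
    defaults = {m.group(1).lower() for m in DEFAULT_RE.finditer(text)}
    hits, sectors = [], 0
    for m in ROW_RE.finditer(text):
        sectors += 1
        sector = int(m.group(1))
        for key_type, key in (("A", m.group(2)), ("B", m.group(3))):
            if key != "?" and key.lower() in defaults:
                hits.append((sector, key_type, key.lower()))
    # Any hit gives the known key that nested/hardnested key recovery needs.
    return {"sectors": sectors, "default_key_hits": hits, "exposed": bool(hits)}

if __name__ == "__main__":
    report = audit_chk_log(SAMPLE_LOG)
    for sector, key_type, key in report["default_key_hits"]:
        print(f"sector {sector:03d} key {key_type} uses default key {key}")
    print("card exposed:", report["exposed"])
```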
You are trying to run a command that doesn't exist in the official repo.
Try hf mf chk instead
Offline
Hello, iceman!
I have previously run command - hf mf chk * ?
I found one key, then I found all the other keys using the hardnested method
How can I now dump the original tag and copy it to another new tag (make a copy of the tag)?
Offline
I think there is an autopwn script in the RRG repo, which can generate a key file which can then be used to dump a card. In general, the RRG repo is the better choice for cloners.
Offline
Hello, piwi!
I installed my proxmark3 on Ubuntu 18.04 following the official manual - https://github.com/Proxmark/proxmark3/wiki/Ubuntu-Linux
1. Run command - hf mf autopwn
proxmark3> hf mf autopwn
help This help
dbg Set default debug mode
rdbl Read MIFARE classic block
rdsc Read MIFARE classic sector
dump Dump MIFARE classic tag to binary file
restore Restore MIFARE classic binary file to BLANK tag
wrbl Write MIFARE classic block
auth4 ISO14443-4 AES authentication
chk Test block keys
mifare Read parity error messages.
hardnested Nested attack for hardened Mifare cards
nested Test nested authentication
sniff Sniff card-reader communication
sim Simulate MIFARE card
eclr Clear simulator memory
eget Get simulator memory block
eset Set simulator memory block
eload Load from file emul dump
esave Save to file emul dump
ecfill Fill simulator memory with help of keys from simulator
ekeyprn Print keys from simulator memory
cwipe Wipe magic Chinese card
csetuid Set UID for magic Chinese card
csetblk Write block - Magic Chinese card
cgetblk Read block - Magic Chinese card
cgetsc Read sector - Magic Chinese card
cload Load dump into magic Chinese card
csave Save dump from magic Chinese card into file or emulator
decrypt [nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace
mad Checks and prints MAD
ndef Prints NDEF records from card
personalize Personalize UID (Mifare Classic EV1 only)
But this command does not work!
Please send me a link for configuring and using the proxmark on Ubuntu from the "RfidResearchGroup" community.
Offline