Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2017-03-18 17:49:33

rebu
Contributor
Registered: 2017-03-17
Posts: 4

Mifare 1K not vulnerable

Proxmark3 RFID instrument
bootrom: /-suspect 2015-11-19 10:08:02
os: iceman/master/release-build(no_git) 2017-03-17 17:21:43
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8

uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 214804 bytes (82%). Free: 47340 bytes (18%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
pm3 --> hf 14a re
 UID : 80 B3 37 25
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands: NO

Мifare classic 1k was found.
Try darkside attack

pm3 --> hf mf mi
-------------------------------------------------------------------------
Executing darkside attack. Expected execution time: 25sec on average :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
.
Card isn't vulnerable to Darkside attack (its random number generator is not predictable).

Attack fails...
Try check

pm3 --> hf mf chk *1 ? t
No key specified, trying default keys
key[ 0] ffffffffffff
key[ 1] 000000000000
key[ 2] a0a1a2a3a4a5
key[ 3] b0b1b2b3b4b5
key[ 4] aabbccddeeff
key[ 5] 4d3a99c351dd
key[ 6] 1a982c7e459a
key[ 7] d3f7d3f7d3f7
key[ 8] 714c5c886e97
key[ 9] 587ee5f9350f
key[10] a0478cc39091
key[11] 533cb6c723f6
key[12] 8fd0a4f256e9
................................
Time in checkkeys: 10484 ticks 11 seconds

testing to read key B...
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|001|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|002|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|003|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|004|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|005|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|006|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|007|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|008|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|009|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|010|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|011|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|012|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|013|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|014|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|015|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|---|----------------|---|----------------|---|
Found keys have been transferred to the emulator memory

... nothing found...

pm3 --> hf mf hardnested r
--target block no:  0, target key type:A, known target key: 0x000000000000 (not set), file action: read, Slow: No, Tests: 0
Allocating memory for partial statelists...
Generating partial statelists...
Generating bitflip statelist...
Could not open file nonces.bin

Where can I find this file?

Offline

#2 2017-03-18 18:31:29

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Mifare 1K not vulnerable

You have the wrong commands for hardnested.   Search the forum for answers about it, but you will need one known key to get to work.

The hf mf chk  command can also use a dictionary file with known keys.  Also here on forum, how to do it.

---
When all is tested,  you most likely will need to sniff that transaction between a valid reader / card to get the key.  (yeah, search the forum for that answer too)

Online

#3 2017-03-18 20:12:30

rebu
Contributor
Registered: 2017-03-17
Posts: 4

Re: Mifare 1K not vulnerable

OK, I can clone the tag do not know the key?

Offline

#4 2017-03-19 10:12:47

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Mifare 1K not vulnerable

no.

Online

#5 2017-04-11 00:28:38

Danz
Contributor
From: Dubai
Registered: 2015-10-24
Posts: 98

Re: Mifare 1K not vulnerable

good old days, this drove me nuts before, you can try the latest software or proxmarkEasy (if you speak Chinese ) it will work like a charm!

Offline

#6 2017-04-11 12:50:19

rebu
Contributor
Registered: 2017-03-17
Posts: 4

Re: Mifare 1K not vulnerable

an example of the "latter software"?

Offline

#7 2017-04-12 10:38:41

Danz
Contributor
From: Dubai
Registered: 2015-10-24
Posts: 98

Re: Mifare 1K not vulnerable

try ProxmarkEasy . Chinese software! one more thing, Mifare distant to proxmark matter when hard nesting!

Offline

#8 2017-05-19 03:21:03

brantz
Contributor
Registered: 2014-03-19
Posts: 50

Re: Mifare 1K not vulnerable

Danz wrote:

try ProxmarkEasy . Chinese software! one more thing, Mifare distant to proxmark matter when hard nesting!

Hi Danz,

I did a search on proxmarkEasy, but no result, the only matching result is from here.
Is there another name for this software?

Thank you

Offline

#9 2017-05-23 14:36:42

vishal36
Contributor
Registered: 2017-02-03
Posts: 18

Re: Mifare 1K not vulnerable

Hi,

Same problem with me, it bring me either here or takes me to PM3 v3 device, which has everything in chinese.
Has someone able to copy it?

Offline

#10 2017-05-25 13:18:42

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 180
Website

Re: Mifare 1K not vulnerable

Of course we have people who are able to copy it. Read my friends read. Some bread crumbs dropped.

1) Nested using a known key. (darkside attack)
2) Hardnested using a known key
(when card is not vulnerable to nested attack, use the chk* to check for known key like what iceman said)
3) Crapto method using the sniff method (don't get caught on camera) smile

Read guys read. Everything is in the forum.

Offline

Board footer

Powered by FluxBB