Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

#1 2018-08-05 16:31:23

yukihama
Contributor
Registered: 2018-05-13
Posts: 133

a Funny mifare classic 1K card! It isn't vulnerable to Nested Attack!

read and got this:
UID : Ax xx xx xx
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO
[+] Prng detection: HARD

[+] Valid ISO14443-A Tag Found

==================================
Then chk dictionary as follows:

testing to read key B...
Reading block 11
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ------------  | 0 |  ffffffffffff  | 1 |
|001|  2a2c13cc242a  | 1 |  ffffffffffff  | 1 |
|002|  a0a1a2a3a4a5  | 1 |  ------------  | 0 |
|003|  ------------  | 0 |  ffffffffffff  | 1 |
|004|  ------------  | 0 |  ffffffffffff  | 1 |
|005|  ------------  | 0 |  ffffffffffff  | 1 |
|006|  ------------  | 0 |  ffffffffffff  | 1 |
|007|  ------------  | 0 |  ffffffffffff  | 1 |
|008|  ------------  | 0 |  ffffffffffff  | 1 |
|009|  ------------  | 0 |  ffffffffffff  | 1 |
|010|  ------------  | 0 |  ffffffffffff  | 1 |
|011|  ------------  | 0 |  ffffffffffff  | 1 |
|012|  ------------  | 0 |  ffffffffffff  | 1 |
|013|  ------------  | 0 |  ffffffffffff  | 1 |
|014|  ------------  | 0 |  ffffffffffff  | 1 |
|015|  ------------  | 0 |  ffffffffffff  | 1 |
|---|----------------|---|----------------|---|

==================================
Then use nested as follows:
pm3 --> hf mf nested 1 0 b FFFFFFFFFFFF d
[+] Testing known keys. Sector count=16
..
[-] Chunk: 5.8s | found 16/32 keys (21)
[+] Time to check 20 known keys: 6 seconds

[+] enter nested attack
[-] Tag isn't vulnerable to Nested Attack (PRNG is not predictable).

pm3 --> hf mf nested 1 1 b FFFFFFFFFFFF d
[+] Testing known keys. Sector count=16
..
[-] Chunk: 5.8s | found 16/32 keys (21)
[+] Time to check 20 known keys: 6 seconds

[+] enter nested attack
[-] Tag isn't vulnerable to Nested Attack (PRNG is not predictable).
================================================================

Anyone got any idea? LOL, so funny this card is....

Offline

#2 2018-08-05 16:51:14

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: a Funny mifare classic 1K card! It isn't vulnerable to Nested Attack!

There is nothing special or funny with this card. It simply has a fixed Random Number Generator ("[+] Prng detection: HARD"). Attacks which are based on the broken PRNG of the older Mifare chips (hf mf mifare, hf mf nested) don't work.

Offline

#3 2018-08-05 18:27:11

yukihama
Contributor
Registered: 2018-05-13
Posts: 133

Re: a Funny mifare classic 1K card! It isn't vulnerable to Nested Attack!

piwi wrote:

There is nothing special or funny with this card. It simply has a fixed Random Number Generator ("[+] Prng detection: HARD"). Attacks which are based on the broken PRNG of the older Mifare chips (hf mf mifare, hf mf nested) don't work.

Hi piwi,
Is there anything we can do with it? Hardnested? Sniff? Or throw it away and forget about it? lol

Offline

#4 2018-08-05 20:25:24

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: a Funny mifare classic 1K card! It isn't vulnerable to Nested Attack!

Search the forum. Lol.

Offline

#5 2019-03-14 12:35:54

sher96
Contributor
Registered: 2019-03-06
Posts: 12

Re: a Funny mifare classic 1K card! It isn't vulnerable to Nested Attack!

I also have this problem, how did you solve it?

Offline

#6 2019-08-28 20:40:24

theguy
Contributor
Registered: 2017-08-08
Posts: 52

Re: a Funny mifare classic 1K card! It isn't vulnerable to Nested Attack!

@sher96
@yukihama

Do a series of hf mf hardnested commands like:

hf mf hardnested 0 B ffffffffffff 0 A
hf mf hardnested 0 B ffffffffffff 3 A
hf mf hardnested 0 B ffffffffffff 6 A

... etc. to find all the missing A and B keys. You're feeding a known key (for example, the block 0 B key is ffffffffffff) and lots of processing power and math to crack the algorithm's weakness into revealing other keys (like the block 0 A key).

You have to find all the keys. They're usually in order, and blocks 0-2 have the same key, 3-5 have the same key, etc. Often there will only be ~5 keys total, like a different A and B key for block 3-5, then ffffffffffff for first and last blocks, and a unique key for all the middle blocks both A and B.

Then save all the keys in a text file (I save it like name_of_key.keys) with keys on each line like
ffffffffffff
2a2c13cc242a
a0a1a2a3a4a5

etc.

Then do a read from the original card with the keyfile, and copy with the keyfile too. You can use Ikarus's MiFare Classic Tool Android app; I feel it saves time with the actual cloning. But AFAIK you have to do the hardnested attacks with a proxmark.

Offline
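Seen from the card issuer's side, the dictionary-check table in post #1 is the finding that matters: the hardened PRNG stops `hf mf nested`, but every sector where a factory-default key answers supplies the known key that the hardnested procedure in post #6 starts from. The Python sketch below is an added example, not part of any post in this thread; it parses a key table in that layout and sorts sectors by what the check revealed. The `DEFAULT_KEYS` set, the function names and sample rows 004 and 005 are assumptions made for illustration.

```python
import re

# Well-known default keys seen in this thread's output (assumption: a real
# audit would load a fuller dictionary of published default keys).
DEFAULT_KEYS = {"ffffffffffff", "a0a1a2a3a4a5"}

# Constructed sample: rows 000-003 follow the table in post #1,
# rows 004-005 are invented to exercise the other two outcomes.
SAMPLE = """\
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ------------  | 0 |  ffffffffffff  | 1 |
|001|  2a2c13cc242a  | 1 |  ffffffffffff  | 1 |
|002|  a0a1a2a3a4a5  | 1 |  ------------  | 0 |
|003|  ------------  | 0 |  ffffffffffff  | 1 |
|004|  2a2c13cc242a  | 1 |  ------------  | 0 |
|005|  ------------  | 0 |  ------------  | 0 |
|---|----------------|---|----------------|---|
"""

KEY = r"([0-9a-fA-F]{12}|-{12})"
ROW = re.compile(rf"^\|(\d{{3}})\|\s*{KEY}\s*\|\s*([01])\s*\|\s*{KEY}\s*\|\s*([01])\s*\|$")

def parse_key_table(text):
    """Return {sector: {"A": key or None, "B": key or None}}."""
    sectors = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, ruler or unrelated client output
        sec, key_a, res_a, key_b, res_b = m.groups()
        sectors[int(sec)] = {
            "A": key_a.lower() if res_a == "1" else None,
            "B": key_b.lower() if res_b == "1" else None,
        }
    return sectors

def audit(sectors):
    """Group sectors: default key found, other dictionary key found, none."""
    report = {"default": [], "dictionary": [], "unknown": []}
    for sec, keys in sorted(sectors.items()):
        found = [k for k in keys.values() if k]
        if any(k in DEFAULT_KEYS for k in found):
            report["default"].append(sec)
        elif found:
            report["dictionary"].append(sec)
        else:
            report["unknown"].append(sec)
    return report

if __name__ == "__main__":
    for label, secs in audit(parse_key_table(SAMPLE)).items():
        print(f"{label:10s} sectors: {secs}")
```

For a deployed card the goal is an empty `default` list and an empty `dictionary` list: both keys of every sector diversified per card, so that no dictionary hit is available as a starting point.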
