Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2017-08-25 07:41:14

Tatka
Contributor
From: Czech rep., EU
Registered: 2017-08-21
Posts: 21

[solved] Mifare Snoop -> only TAG, no READER, CRC! Only TAG. Why?

Hello,
I had the opportunity of Snoop Mifare communication. I am looking for the key of my tag, but when I enter 'hf sheet 14a' I see only the UID tag and then just CRC!
My tag is MIFARE CLASSIC 1k | Plus 2k SL1 , UID:bbbe991d . Is there an antenna error?
I think it's unlikely. Maybe the signal is too strong or weak. How can I sniff TAG and Reader communication?
Where am I making a mistake?

Perhaps this is someone familiar and able to advise.
Thank you.

proxmark3> hw version
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2015-11-19 10:08:02
os: master/v3.0.1-71-g5c814c3-suspect 2017-08-23 21:35:43
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/07/13 at 08:44:13

uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 198383 bytes (38%). Free: 325905 bytes (62%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hf tune
#db# Measuring HF antenna, press button to exit
#db# 31727 mV
#db# 31727 mV
#db# 31727 mV
proxmark3> hf search

 UID : bb be 99 1d
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO

Valid ISO14443A Tag Found - Quiting Search
proxmark3> hf 14a snoop
#db# COMMAND FINISHED
#db# maxDataLen=3, Uart.state=0, Uart.len=1
#db# traceLen=39293, Uart.output[0]=00000026
proxmark3> hf list 14a
Recorded Activity (TraceLen = 39293 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |        192 | Tag | 01                                                              |     |
     115456 |     115648 | Tag | 01                                                              |     |
     139200 |     139584 | Tag |00!                                                              |     |
     162368 |     164736 | Tag | 04  00                                                          |     |
     187072 |     189440 | Tag | 04  00                                                          |     |
     209104 |     210000 | Tag | 04                                                              |     |
     255824 |     256464 | Tag | 04                                                              |     |
     279952 |     280144 | Tag | 01                                                              |     |
 ...
    7431216 |    7433584 | Tag | 04  00                                                          |     |
    7449792 |    7452160 | Tag | 04  00                                                          |     |
    7459904 |    7465152 | Tag | bb  be  99  1d  01                                              |     |
    7490752 |    7493120 | Tag | 04  00                                                          |     |
    7500864 |    7506688 | Tag | bb  be  99  1d  81                                              |     |
    7522752 |    7526272 | Tag | 08  b6  dd                                                      |     |
    8923296 |    8927968 | Tag | 05  a9  bc  71                                                  |     |
    8940960 |    8945632 | Tag |c6!  a6  05  11                                                  |     |
    8955424 |    8976224 | Tag |76!  08 49!  c2  b3 43!  a6 53!  41 6a! eb!  4f  db e6! d0! 28!  |     |
            |            |     |b9!  36                                                          | !crc|
    8992048 |    8996784 | Tag | 15 37!  5a ac!                                                  |     |
    9009712 |    9014384 | Tag |ac!  a5 87! 86!                                                  |     |
    9023408 |    9044208 | Tag | 52 79!  1d  e9 04! 64! 80!  25 15!  e9 09! c1!  67 61!  34 45!  |     |
            |            |     |4a! 58!                                                          | !crc|
    9053872 |    9074736 | Tag | c3  50  12 1f! de! f0!  23 8b! 33!  75 01!  1a  05  6c 02! 90!  |     |
            |            |     |e2! 44!                                                          | !crc|
    9084336 |    9105200 | Tag | 69  e6  d7  ca  aa 24!  69 64! 4e!  bb b0! 82!  97  75 31!  cc  |     |
            |            |     |d7!  df                                                          | !crc|
    9123632 |    9128368 | Tag |28!  9b  83  f1                                                  |     |
    9141296 |    9145968 | Tag |0c! 72! 45! 0b!                                                  |     |
    9154992 |    9175792 | Tag |26! 26! a4!  a0  3a  e4 9e! 1b!  df  e9  0d  1b 0a!  39 2c! 7a!  |     |
            |            |     | 8c 8f!                                                          | !crc|
    9192384 |    9197056 | Tag |ce! 0c!  b2 bf!                                                  |     |
    9210048 |    9214720 | Tag |3b! 3d! 25! fe!                                                  |     |
    9224512 |    9245376 | Tag |81! 0f!  ae  a8  39  64  88 f2! d0! b8! 73! 8c! 66! 8b!  c9 3b!  |     |
            |            |     | 1b 77!                                                          | !crc|
    9254976 |    9275840 | Tag | 65  76 19! ac! 3b!  b8 c0!  9b ff!  49 21!  f5  98  1f  09 3b!  |     |
            |            |     |7f! 9f!                                                          | !crc|
    9285440 |    9306304 | Tag |63!  60  d6 7a! 63! 47!  9d 2b!  43 bf! aa! 35! 5c! 50!  a7 5a!  |     |
            |            |     |2c! a5!                                                          | !crc|
    9453264 |    9457936 | Tag | 4d fb! ab!  dd                                                  |     |
    9470928 |    9475664 | Tag |57! 78!  98  d0                                                  |     |
    9484624 |    9505488 | Tag |1a!  f2 d3!  d8 5e! f0!  2d  4e 7d! f2! 8c! 8a! 32! 2a!  60  52  |     |
            |            |     | 0b  31                                                          | !crc|
    9521232 |    9525968 | Tag | e3 7a! 1c!  16                                                  |     |
    9538896 |    9543632 | Tag |2b!  2c 62!  c1                                                  |     |
    9552592 |    9573392 | Tag | cd  3e  ae 15! 25!  b4 88!  5c fa!  da fc!  4f 26! ce! 87! 5d!  |     |
            |            |     |ba! ea!                                                          | !crc|
    9583056 |    9603920 | Tag |c9! 3b!  5d f3! e4!  62 bb!  ec  a3 d8!  f0 12! 4a!  36  df fd!  |     |
            |            |     | 55 a3!                                                          | !crc|
    9613536 |    9634336 | Tag |8d!  2f  9b 13! 39!  d4  e3  88  c4 35!  7d 6e!  f8 8a! 52!  83  |     |
            |            |     |59!  d1                                                          | !crc|
    9653344 |    9658080 | Tag |f6!  42  e9  dc                                                  |     |
    9671136 |    9675808 | Tag |f8! 1c!  06  2e                                                  |     |
    9685600 |    9706400 | Tag | 10 86!  f9 f8! 29!  f6 ae! 49!  b2  61 7c!  1a a4! 16! cd! 0c!  |     |
            |            |     |99!  7d                                                          | !crc|
   15347328 |   15352064 | Tag |2e! fc!  fa  da                                                  |     |
   15364992 |   15369664 | Tag | 9a  1f e0!  55                                                  |     |
   15378688 |   15399552 | Tag |83! 53! 76!  14 31! 88! 27!  b6 43!  19  9c d6! a1! 42! 56! c1!  |     |
            |            |     |84! 6f!                                                          | !crc|
   15417088 |   15421760 | Tag |46! ff! 5e!  1e                                                  |     |
   15434752 |   15439424 | Tag | 46 1d!  25 15!                                                  |     |
   15449216 |   15470080 | Tag |35! f6!  20  4d  e3 db! 29! d1! 25! f7! 35! 95! de! a3! 84!  43  |     |
            |            |     |e5!  fe                                                          | !crc|
   15486736 |   15491408 | Tag |d2!  a8 92!  33                                                  |     |
   15504400 |   15509136 | Tag |f3!  60 06!  a1                                                  |     |
   15518608 |   15539472 | Tag | d8 b9! e5! 02! f1!  4a  d7  81  f0 6f!  e2  4e 41!  35  b1 00!  |     |
            |            |     |d5! 5c!                                                          | !crc|
   15556112 |   15560848 | Tag |75! d4! 14!  91                                                  |     |
   15573776 |   15578448 | Tag | c6 df! ee!  41                                                  |     |
   15587472 |   15608272 | Tag |86! 13! ed! 0b! e3! b0! d4!  fe c5!  ac 3d!  00 99! f9! ba! b2!  |     |
            |            |     |3f!  f9                                                          | !crc|
   15624976 |   15629648 | Tag | 4d  85  98  d8                                                  |     |
   15643536 |   15648208 | Tag |b7!  7b bb!  48                                                  |     |
   15657232 |   15678032 | Tag | 6d ce!  b5 e7! e4! af! 33!  80 ab!  93  3d 11!  e0  c9 53!  15  |     |
            |            |     | 97  ff                                                          | !crc|
   15694752 |   15699488 | Tag |0e!  28  70  92                                                  |     |
   15712544 |   15717280 | Tag | be c6!  0c 7b!                                                  |     |
   15726240 |   15747040 | Tag |34!  c1  a2 cd!  85 57! 20!  11 d8! ae! 2d!  63 63! 77! 42!  6b  |     |
            |            |     | 2f 0b!                                                          | !crc|
   15764640 |   15769376 | Tag |99!  03  19 4b!                                                  |     |
   15782304 |   15786976 | Tag |d9! 6d!  76  1e                                                  |     |
   15796000 |   15816800 | Tag |8a! 19!  25 5d! ef!  20 f1!  3b e3!  9d  60  ec  62  47  f3 a2!  |     |
            |            |     | 5c 98!                                                          | !crc|
   15834400 |   15839136 | Tag | 4f e4!  2c 4e!                                                  |     |
   15852064 |   15856736 | Tag | 35  b0  26 43!                                                  |     |
   15865760 |   15886624 | Tag | 8e 17! 54!  6e  30  0e a1! fb! f2!  25  0c  a0 21!  5f  ef ed!  |     |
            |            |     |33! 09!                                                          | !crc|
   15904176 |   15908912 | Tag |a2! 53!  54 95!                                                  |     |
   15921840 |   15926576 | Tag | f2 05! d8!  ce                                                  |     |
   15935536 |   15956336 | Tag |0e!  23  a4 13!  83  e5 7d! 0a! 09! f4! bf! 46!  cb 2f!  65  b2  |     |
            |            |     | e2  6c                                                          | !crc|
   15973936 |   15978608 | Tag |b7! 25! 92!  3f                                                  |     |
   15991600 |   15996336 | Tag |0a!  32 aa! b8!                                                  |     |
   16006064 |   16026864 | Tag |17!  da  64  ed 0b! 8a! 80! 53! 21!  5c  cb  05 7f! 6a!  d8 92!  |     |
            |            |     |48! d5!                                                          | !crc|
   16043568 |   16048304 | Tag |1a!  22  70 4e!                                                  |     |
   16061232 |   16065904 | Tag | 4b be! 67! ea!                                                  |     |
   16074928 |   16095728 | Tag | 0c  31  56 ec! 35!  99  0a  15  5d fc! ca!  77 79! 0c!  78 e8!  |     |
            |            |     |23! 10!         
(more)

Last edited by Tatka (2017-08-28 17:45:49)


I do not know what to say. I think I'm a normal person.

Offline

#2 2017-08-25 11:03:32

iceman
Administrator
Registered: 2013-04-25
Posts: 5,610
Website

Re: [solved] Mifare Snoop -> only TAG, no READER, CRC! Only TAG. Why?

Yes,  your trace doesn't show the READER parts.  try different positions with your antenna.

You could try the sim command to try getting the key out if it.  Read the help text for instructions, or here on forum,  search is your friend.

hf 14a sim h  

Because you are trying to sniff/snoop a standard ISO14443a transaction, you will only get those parts out from your reader.
Mifare uses its own protocol about ISO14443a,  luckily there is a mifare sniff command.

hf mf sniff
hf list 14a

If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#3 2017-08-27 13:34:18

Tatka
Contributor
From: Czech rep., EU
Registered: 2017-08-21
Posts: 21

Re: [solved] Mifare Snoop -> only TAG, no READER, CRC! Only TAG. Why?

Hello. Thank you for your advice.

proxmark3> hf 14a sim 1 bbbe001d x
Emulating ISO/IEC 14443 type A tag with 4 byte UID (bbbe001d)
#db# 1000 commands later...
#db# 0 0 3e8
proxmark3> hf list 14a
Recorded Activity (TraceLen = 21000 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |       1056 | Rdr | 26                                                              |     | REQA
       2228 |       4596 | Tag | 04  00                                                          |     |
      11776 |      12832 | Rdr | 26                                                              |     | REQA
      14004 |      16372 | Tag | 04  00                                                          |     |
      22912 |      23968 | Rdr | 26   

Worked but found no key. I was kicked right after the first two bytes. I used

Hf mf sniff

And now I see this communication.

proxmark3> hf mf dbg 1
#db# Debug level: 1
proxmark3> hf mf sniff
-------------------------------------------------------------------------
Executing command.
Press the key on the proxmark3 device to abort both proxmark3 and client.
Press the key on pc keyboard to abort the client.
-------------------------------------------------------------------------
......................................>
received trace len: 17546 packages: 35
tag select uid:bb be 99 1d  atqa:0x0004 sak:0x08
RDR(0):61 03 b6 50
TAG(1):6c cd eb b1
RDR(2):8e 8d 5a 92 66 bd 68 f9
TAG(3):cd 9f ac 2a
RDR(4):97 35 19 fd
TAG(5):34 93 34 80 34 c9 5f 98 b4 e2 5f af ea bb 67 5d 22 3f
RDR(6):f6 11 65 23
TAG(7):bf f1 0d 4b
RDR(8):9a 87 29 e9 12 81 66 b7
TAG(9):6b 1f 6c cb
RDR(10):21 5d 28 3b
TAG(11):cc fe 84 de 89 7f 3e 9a 08 87 0e 2e ac a4 49 72 24 d2
RDR(12):48 d5 f1 70
TAG(13):f5 e6 d7 07 a8 eb b4 b0 00 e6 b2 05 da a3 a9 99 9e 11
RDR(14):99 d7 5f 8d
TAG(15):91 d3 43 89 c7 ed 31 29 e5 b4 1c dc 62 be 9f 8b a9 3a
RDR(16):12 01 8a 6b
TAG(17):f6 92 02 19
RDR(18):a5 9a 2a 47 6e f4 7e e3
TAG(19):e3 7e 75 04
RDR(20):ab f4 e0 59
TAG(21):31 4c 0a 33 9b 12 d6 8c ae 8e e9 73 5d df 5e f2 7e 96
RDR(22):dd a8 5e 18
TAG(23):2d ac db 8e
RDR(24):89 e7 a7 84 6d 3b 89 0d
TAG(25):12 b5 49 ad
RDR(26):ac 1b c8 29
TAG(27):df 9e 8c e0 96 be a5 f7 75 00 4d 9d e8 8d 46 d0 77 6c
RDR(28):03 dd bf 7e
TAG(29):fb 00 00 22 53 ef 87 21 c1 72 04 7b 6d 85 b2 03 71 7b
RDR(30):52 8e e0 8e
TAG(31):b7 ac 19 6f 78 81 d0 1f d2 14 37 9d 9c 9f b9 49 5a c6
RDR(32):99 36 c9 15
TAG(33):1d e6 42 ba
RDR(34):32 9b 3a d5 6b 63 c4 db
TAG(35):98 18 ee 2c
RDR(36):38 c9 8b f4
TAG(37):50 2a ac 42 0d 7f 74 54 4a 1f 67 af 63 7b fa 5d 81 6c
RDR(38):6b 95 25 e3
TAG(39):ba 07 e9 57
RDR(40):e5 8d 94 05 01 7e a1 81
TAG(41):37 02 4c 25
RDR(42):16 77 fd 1b
TAG(43):84 7e a2 7f 1a 9e 2f 25 3a f3 f6 aa cf 66 3f 24 d5 1e
RDR(44):e3 0f 9d 32
TAG(45):a3 ba e7 86 88 35 f3 7d 42 15 08 23 25 46 e5 d1 30 27
RDR(46):b6 1c e5 17
TAG(47):77 6b 3a fa 15 e8 1d 98 a8 f4 54 df 5d a6 c6 db c2 f8
RDR(48):33 87 f1 7e
TAG(49):1e 2f 79 89
RDR(50):89 4c 87 78 eb a8 07 48
TAG(51):69 a7 7d 9f
RDR(52):bc c1 cf 30
TAG(53):4d b7 17 fe e1 56 54 f3 2f d8 e6 52 90 76 6c 69 7b 4a
RDR(54):bc 01 6a 74
TAG(55):3c 25 c5 d5
RDR(56):cd 0d c1 41 19 27 e8 cb
TAG(57):38 2f 34 23
RDR(58):54 36 8a 59
TAG(59):5b 35 6d c0 97 78 2e df b0 0e 87 1d 75 60 20 35 5c 03
RDR(60):a7 d7 58 8c
TAG(61):b6 6f 2d ab
RDR(62):3e 25 65 ea f7 28 c7 e0
TAG(63):5f c0 32 45
RDR(64):47 d3 3f e6
TAG(65):66 ed 44 b8 7f eb f5 49 9d 99 eb 00 22 b7 ba 8c df 82
RDR(66):85 42 ef 37
TAG(67):01 4c 58 8c
RDR(68):18 11 f0 62 f8 2e 81 3f
TAG(69):fd 3f 8e b0
...

The tag uses about more keys and I'm trying to find the right ones. So far, I found only one B valid key. He is only for zero sector where a key is used A=a0a1a2a3a4a5 OR B=1bacd1f05468
Other sectors are locked.

I use the parameters for Crypto1 as follows:

# ./mfkey64 bbbe991d 6ccdebb1 8e8d5a92 66bd68f9 cd9fac2a
MIFARE Classic key recovery - based on 64 bits of keystream
Recover key from only one complete authentication!

Recovering key for:
   uid: bbbe991d
    nt: 6ccdebb1
  {nr}: 8e8d5a92
  {ar}: 66bd68f9
  {at}: cd9fac2a

LFSR successors of the tag challenge:
  nt' : 149a0313
  nt'': 3b6dbb00
Time spent in lfsr_recovery64(): 0.06 seconds

Keystream used to generate {ar} and {at}:
   ks2: 72276bea
   ks3: f6f2172a

Found Key: [1bacd1f05468]

1bacd1f05468--> is valid for sektor 0 as key B

# ./mfkey64 bbbe991d bff10d4b 9a8729e9 128166b7 6b1f6ccb
MIFARE Classic key recovery - based on 64 bits of keystream
Recover key from only one complete authentication!

Recovering key for:
   uid: bbbe991d
    nt: bff10d4b
  {nr}: 9a8729e9
  {ar}: 128166b7
  {at}: 6b1f6ccb

LFSR successors of the tag challenge:
  nt' : 81299d2f
  nt'': f5689194
Time spent in lfsr_recovery64(): 0.07 seconds

Keystream used to generate {ar} and {at}:
   ks2: 93a8fb98
   ks3: 9e77fd5f

Found Key: [8d8d7e26d663]

8d8d7e26d663 is not valid for any sector.
...
Now I do not know how to continue to read sector 1-15

I tried 'mfoc' but the new keys were not found

$ mfoc -k 1bacd1f05468 -k a0a1a2a3a4a5 -T 30 -P 500 -O dumpkeys.bin
The custom key 0x1bacd1f05468 has been added to the default keys
The custom key 0xa0a1a2a3a4a5 has been added to the default keys
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04  
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): bb  be  99  1d  
      SAK (SEL_RES): 08  
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: 1bacd1f05468] -> [\...............]
[Key: a0a1a2a3a4a5] -> [x...............]
[Key: ffffffffffff] -> [x...............]
[Key: a0a1a2a3a4a5] -> [x...............]
[Key: d3f7d3f7d3f7] -> [x...............]
[Key: 000000000000] -> [x...............]
[Key: b0b1b2b3b4b5] -> [x...............]
[Key: 4d3a99c351dd] -> [x...............]
[Key: 1a982c7e459a] -> [x...............]
[Key: aabbccddeeff] -> [x...............]
[Key: 714c5c886e97] -> [x...............]
[Key: 587ee5f9350f] -> [x...............]
[Key: a0478cc39091] -> [x...............]
[Key: 533cb6c723f6] -> [x...............]
[Key: 8fd0a4f256e9] -> [x...............]

Sector 00 - Found   Key A: a0a1a2a3a4a5 Found   Key B: 1bacd1f05468
Sector 01 - Unknown Key A               Unknown Key B
Sector 02 - Unknown Key A               Unknown Key B
Sector 03 - Unknown Key A               Unknown Key B
Sector 04 - Unknown Key A               Unknown Key B
Sector 05 - Unknown Key A               Unknown Key B
Sector 06 - Unknown Key A               Unknown Key B
Sector 07 - Unknown Key A               Unknown Key B
Sector 08 - Unknown Key A               Unknown Key B
Sector 09 - Unknown Key A               Unknown Key B
Sector 10 - Unknown Key A               Unknown Key B
Sector 11 - Unknown Key A               Unknown Key B
Sector 12 - Unknown Key A               Unknown Key B
Sector 13 - Unknown Key A               Unknown Key B
Sector 14 - Unknown Key A               Unknown Key B
Sector 15 - Unknown Key A               Unknown Key B

Using sector 00 as an exploit sector
Card is not vulnerable to nested attack
$_

.

I'm a newbie and I have a lot to learn. There is no sky without clouds.

Last edited by Tatka (2017-08-28 00:05:00)


I do not know what to say. I think I'm a normal person.

Offline

#4 2017-08-27 21:20:31

Tatka
Contributor
From: Czech rep., EU
Registered: 2017-08-21
Posts: 21

Re: [solved] Mifare Snoop -> only TAG, no READER, CRC! Only TAG. Why?

I also tried the 'nested':

proxmark3> hf mf nested 1 0 B 1bacd1f05468 d
Testing known keys. Sector count=16          
nested...          
-----------------------------------------------          
Tag isn't vulnerable to Nested Attack (random numbers are not predictable).

What else can I do to crack the card?


I do not know what to say. I think I'm a normal person.

Offline

#5 2017-08-28 03:26:36

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 178
Website

Re: [solved] Mifare Snoop -> only TAG, no READER, CRC! Only TAG. Why?

Go and read up about hardnest and how it works. smile

btw if you are unsure about the commands please feel free to type half the command.

Example: hf mf chk - will give you 
Usage:  hf mf chk <block number>|<*card memory> <key type (A/B/?)> [t|d] [<key (12 hex symbols)>] [<dic (*.dic)>]       
          * - all sectors
card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other> - 1K
d - write keys to binary file

t - write keys to emulator memory
      sample: hf mf chk 0 A 1234567890ab keys.dic
              hf mf chk *1 ? t
              hf mf chk *1 ? d

Hf mf hardnest - will give you
Usage:
      hf mf hardnested <block number> <key A|B> <key (12 hex symbols)>
                       <target block number> <target key A|B> [known target key (12 hex symbols)] w s
  or  hf mf hardnested r [known target key]

Options:
      w: Acquire nonces and write them to binary file nonces.bin
      s: Slower acquisition (required by some non standard cards)
      r: Read nonces.bin and start attack

      sample1: hf mf hardnested 0 A FFFFFFFFFFFF 4 A
      sample2: hf mf hardnested 0 A FFFFFFFFFFFF 4 A w
      sample3: hf mf hardnested 0 A FFFFFFFFFFFF 4 A w s
      sample4: hf mf hardnested r

Add the known target key to check if it is present in the remaining key space:
      sample5: hf mf hardnested 0 A A0A1A2A3A4A5 4 A FFFFFFFFFFFF 

smile good that you are learning, keep practising.

Last edited by Dot.Com (2017-08-28 03:27:25)


You live, you learn.
You give, you take.
You win, you lose.

Offline

#6 2017-08-28 17:45:12

Tatka
Contributor
From: Czech rep., EU
Registered: 2017-08-21
Posts: 21

Re: [solved] Mifare Snoop -> only TAG, no READER, CRC! Only TAG. Why?

It works great. It's amazing. It's like magic smile

pm3 --> hf mf hardnested 0 B 1bacd1f05468 4 A
--target block no:  4, target key type:A, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0

 time    | #nonces | Activity                                                | expected to brute force
         |         |                                                         | #states         | time
------------------------------------------------------------------------------------------------------
       0 |       0 | Start using 8 threads and AVX2 SIMD core                |                 |
       0 |       0 | Brute force benchmark: 1121 million (2^30.1) keys/s     | 140737488355328 |   35h
       1 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |   35h
       5 |     112 | Apply bit flip properties                               |    363263426560 |  5min
       6 |     224 | Apply bit flip properties                               |    112237199360 |  2min
       7 |     335 | Apply bit flip properties                               |     88805146624 |   79s
       8 |     447 | Apply bit flip properties                               |     76838215680 |   69s
       8 |     559 | Apply bit flip properties                               |     76532318208 |   68s
       9 |     669 | Apply bit flip properties                               |     74550116352 |   67s
      10 |     779 | Apply bit flip properties                               |     74550116352 |   67s
      11 |     889 | Apply bit flip properties                               |     74550116352 |   67s
      11 |     997 | Apply bit flip properties                               |     74550116352 |   67s
      12 |    1106 | Apply bit flip properties                               |     74550116352 |   67s
      13 |    1215 | Apply bit flip properties                               |     74550116352 |   67s
      14 |    1324 | Apply bit flip properties                               |     74550116352 |   67s
      15 |    1434 | Apply bit flip properties                               |     74550116352 |   67s
      16 |    1541 | Apply bit flip properties                               |     74550116352 |   67s
      16 |    1649 | Apply bit flip properties                               |     74550116352 |   67s
      18 |    1759 | Apply Sum property. Sum(a0) = 64                        |     21144940544 |   19s
      18 |    1864 | Apply bit flip properties                               |      7027675648 |    6s
      19 |    1970 | Apply bit flip properties                               |      7027675648 |    6s
      20 |    2080 | Apply bit flip properties                               |      7877309440 |    7s
      21 |    2186 | Apply bit flip properties                               |      7027675648 |    6s
      22 |    2295 | Apply bit flip properties                               |      5142730752 |    5s
      23 |    2295 | (1. guess: Sum(a8) = 0)                                 |      5142730752 |    5s
      23 |    2295 | Apply Sum(a8) and all bytes bitflip properties          |      4239027712 |    4s
      23 |    2295 | Brute force phase completed. Key found: 0a65cb3eb977    |               0 |    0s
pm3 -->

Now I can play Proxmark again.
Thank you.


I do not know what to say. I think I'm a normal person.

Offline

#7 2017-08-28 19:13:13

iceman
Administrator
Registered: 2013-04-25
Posts: 5,610
Website

Re: [solved] Mifare Snoop -> only TAG, no READER, CRC! Only TAG. Why?

Impressive numbers!

8 threads and Brute force benchmark: 1121 million (2^30.1) keys/s


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#8 2017-08-29 13:40:36

Tatka
Contributor
From: Czech rep., EU
Registered: 2017-08-21
Posts: 21

Re: [solved] Mifare Snoop -> only TAG, no READER, CRC! Only TAG. Why?

I was flashing a new firmware yesterday. I hope this number does not show any problem wink


I do not know what to say. I think I'm a normal person.

Offline

#9 2018-04-15 02:38:25

rayway99
Contributor
Registered: 2018-04-08
Posts: 20

Re: [solved] Mifare Snoop -> only TAG, no READER, CRC! Only TAG. Why?

Hi sorry to piggyback on the old thread...  let me know if i shld open a new thread

playing around the hf mf sniff / hf 14a snoop function, i encountered the following problems

1) in iceman v3.1.0 folk there is 'no hf mf sniff' command , is the mf sniff combined into 'hf 14a sniff' ?

pm3 --> hw version
[[[ Cached information ]]]

Proxmark3 RFID instrument

 [ ARM ]
 bootrom: iceman/master/ice_v3.1.0-787-g192aa9ab 2018-04-08 11:49:32
      os: iceman/master/ice_v3.1.0-787-g192aa9ab 2018-04-08 11:49:37
 [ FPGA ]
 LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
 HF image built for 2s30vq100 on 2017/11/10 at 19:24:16

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 237727 bytes (45%) Free: 286561 bytes (55%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory
  
  
  
pm3 --> hf mf h
help             This help
darkside         Darkside attack. read parity error messages.
nested           Nested attack. Test nested authentication
hardnested       Nested attack for hardened Mifare cards
keybrute         J_Run's 2nd phase of multiple sector nested authentication key recovery
nack             Test for Mifare NACK bug
chk              Check keys
fchk             Check keys fast, targets all keys on card
decrypt          [nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace      
-----------
dbg              Set default debug mode
rdbl             Read MIFARE classic block
rdsc             Read MIFARE classic sector
dump             Dump MIFARE classic tag to binary file
restore          Restore MIFARE classic binary file to BLANK tag
wrbl             Write MIFARE classic block
setmod           Set MIFARE Classic EV1 load modulation strength
-----------
sim              Simulate MIFARE card
eclr             Clear simulator memory block
eget             Get simulator memory block
eset             Set simulator memory block
eload            Load from file emul dump
esave            Save to file emul dump
ecfill           Fill simulator memory with help of keys from simulator         
ekeyprn          Print keys from simulator memory
-----------
csetuid          Set UID for magic Chinese card
csetblk          Write block - Magic Chinese card
cgetblk          Read block - Magic Chinese card
cgetsc           Read sector - Magic Chinese card
cload            Load dump into magic Chinese card
csave            Save dump from magic Chinese card into file or emulator        
ice              collect Mifare Classic nonces to file

2) when I tried with the official firmware (v3.0.1)
          2.1) hf 14a snoop is capturing TAG only information ( i was using an Android TagInfo app to act as reader for ease purpose)
                    where info can be retrieved from hf list 14a / hf list mf

          2.2) when using hf mf sniff, there is not info captured at all .. while the Android app is able to retrieve tag UID etc
                    (position : Android Phone <--1cm--> PM3 Easy <--1cm--> Test Tag (IC)
                    should I try with the FDI reader at the lift or sth wrong local in my setup?

proxmark3> hw version
[[[ Cached information ]]]

Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-361-ge069547-suspect 2018-04-03 11:12:28
os: master/v3.0.1-361-ge069547-suspect 2018-04-03 11:12:31
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/10/27 at 08:30:59

uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 199639 bytes (38%). Free: 324649 bytes (62%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

proxmark3> hf mf h
help             This help
dbg              Set default debug mode
rdbl             Read MIFARE classic block
rdsc             Read MIFARE classic sector
dump             Dump MIFARE classic tag to binary file
restore          Restore MIFARE classic binary file to BLANK tag
wrbl             Write MIFARE classic block
chk              Test block keys
mifare           Read parity error messages.
hardnested       Nested attack for hardened Mifare cards
nested           Test nested authentication
sniff            Sniff card-reader communication
sim              Simulate MIFARE card
eclr             Clear simulator memory block
eget             Get simulator memory block
eset             Set simulator memory block
eload            Load from file emul dump
esave            Save to file emul dump
ecfill           Fill simulator memory with help of keys from simulator         
ekeyprn          Print keys from simulator memory
cwipe            Wipe magic Chinese card
csetuid          Set UID for magic Chinese card
csetblk          Write block - Magic Chinese card
cgetblk          Read block - Magic Chinese card
cgetsc           Read sector - Magic Chinese card
cload            Load dump into magic Chinese card
csave            Save dump from magic Chinese card into file or emulator        
decrypt          [nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace   

proxmark3> hf mf dbg 3
#db# Debug level: 3
proxmark3> hf mf sniff
-------------------------------------------------------------------------
Executing command.
Press the key on the proxmark3 device to abort both proxmark3 and client.
Press the key on pc keyboard to abort the client.
-------------------------------------------------------------------------
.#db# ISO14443A Timeout set to 1060 (10ms)
.......#db# Canceled by button.
#db# COMMAND FINISHED.
#db# maxDataLen=2, Uart.state=0, Uart.len=0
Done.
proxmark3> hf list mf
Recorded Activity (TraceLen = 0 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
proxmark3> hf list 14a
Recorded Activity (TraceLen = 0 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|

Offline

#10 2019-02-28 09:22:13

mike
Member
Registered: 2018-10-11
Posts: 22

Re: [solved] Mifare Snoop -> only TAG, no READER, CRC! Only TAG. Why?

When i git the keys out off the reader and after that i used crypto 1 .But how you put the keys on a card after crypto 1 when i git keys out off the reader?

Offline

#11 2019-03-01 05:23:19

iceman
Administrator
Registered: 2013-04-25
Posts: 5,610
Website

Re: [solved] Mifare Snoop -> only TAG, no READER, CRC! Only TAG. Why?

@mike don't hijack threads.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#12 2019-03-02 09:57:17

mike
Member
Registered: 2018-10-11
Posts: 22

Re: [solved] Mifare Snoop -> only TAG, no READER, CRC! Only TAG. Why?

I can not get out with the proxmark3.I try to make a master key but I can not. I also try to get info from the reader  but I can not. I am new in this I am learning can someone helping me with that and explained me how?iceman can you help me out and what did you mean I'm dutch my english is not so good.

Offline

#13 2019-03-02 15:50:09

iceman
Administrator
Registered: 2013-04-25
Posts: 5,610
Website

Re: [solved] Mifare Snoop -> only TAG, no READER, CRC! Only TAG. Why?

Did you read the wiki?  ]https://github.com/Proxmark/proxmark3/wiki  its a good start.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#14 2019-03-02 17:49:04

mike
Member
Registered: 2018-10-11
Posts: 22

Re: [solved] Mifare Snoop -> only TAG, no READER, CRC! Only TAG. Why?

Iceman I read it .i know how to clone.but I whant to make a masterkey out off a other valid key and allso the reader attack i whant to know .i search every where but can find nothing so can you help me out iceman

Offline

Board footer

Powered by FluxBB