Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2018-02-27 13:55:07

smeric
Contributor
From: Turkey
Registered: 2018-02-23
Posts: 4

nested || sniffing

Hi all,
Our card system did a private company before and now we dont have their sector keys to do something. there are more then 100.000 card now in use and I did a special machine to find old sector keys ( with nested attack ) delete them and write our algoritm.. we try our machine nearly more than 200 cards and worked perfect. but yesterday a friend give me a student card. and proxmark can not attack it with nested. ( all cards are 1k standart mifare ).
Proxmark is giving = "Card is not vulnerable to Darkside attack (its random number generator is not predictable)."

I have old card reader and writer program( only compailed file not source code ), I dont know can I sniff keys when that program communicating with cards? ( I did not do it before )

Aim :
cards has 16 sector. I know sector 1-2-3 keys ( student cards can use city traffic system so they has open key ) I wanna delete sector 0-4-5-... 16 )

ps : Totaly I have 26 Proxmark3.

Last edited by smeric (2018-02-27 14:35:31)

Offline

#2 2018-02-27 18:10:25

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: nested || sniffing

Use hf mf hardnested instead of hf mf nested.

Offline

#3 2018-03-01 07:40:50

smeric
Contributor
From: Turkey
Registered: 2018-02-23
Posts: 4

Re: nested || sniffing

My version :

Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-351-g51d51c6-suspect 2018-02-26 15:13:40
os: master/v3.0.1-351-g51d51c6-suspect 2018-02-26 15:13:44
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/10/27 at 08:30:59

uC: AT91SAM7S512 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 199577 bytes (38%). Free: 324711 bytes (62%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory


After write hardnested I am taking some Auth1 error message
in card all A and B key is same.. as I said before I know sector 1,2,3 keys .


proxmark3> hf mf hardnested 1 A c025f10a1d34 19 A FFFFFFFFFFFF
--target block no: 19, target key type:A, known target key: 0xffffffffffff, file action: none, Slow: No, Tests: 0       
Using AVX2 SIMD core.



time    | #nonces | Activity                                                | expected to brute force
         |         |                                                         | #states         | time
------------------------------------------------------------------------------------------------------
       0 |       0 | Start using 4 threads and AVX2 SIMD core                |                 |
       0 |       0 | Brute force benchmark: 482 million (2^28.8) keys/s      | 140737488355328 |    3d
       1 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |    3d
#db# Authentication failed. Card timeout.
#db# AcquireNonces: Auth1 error
#db# Authentication failed. Card timeout.
#db# AcquireNonces: Auth1 error
#db# Authentication failed. Card timeout.
#db# AcquireNonces: Auth1 error
#db# Authentication failed. Card timeout.

I am using official firmware .. must I use iceman release ?

Offline

#4 2018-03-01 07:55:45

smeric
Contributor
From: Turkey
Registered: 2018-02-23
Posts: 4

Re: nested || sniffing

card info which can not attackable
proxmark3> hf search

UID : 83 0d 29 e0
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: HARDEND (hardnested)

Valid ISO14443A Tag Found - Quiting Search


card info which can attackable
proxmark3> hf search

UID : 2c b7 cf f0
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: WEAK

Valid ISO14443A Tag Found - Quiting Search

Offline

#5 2018-03-01 08:19:47

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: nested || sniffing

#db# Authentication failed. Card timeout.
#db# AcquireNonces: Auth1 error

c025f10a1d34 is a valid key A for block 1?
If yes, try adding option s to the hardnested command. Or play with the reader-to-card distance.
If no, you need to use another block/key pair.

Offline

Board footer

Powered by FluxBB