Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2018-04-16 23:02:36

Shashadow
Contributor
Registered: 2018-03-13
Posts: 24

[Solved] why clone isn't vulnerable to darkside, while genuine is it ?

Hello,

It's not really a problem, but I have a question that goes through my mind
after lots of test with mifare 1k clone, I observed that clone is not vulnerable to darkside Attack ... ? while genuine keyfob is vulnerable ...?
I don't understand why, however my clone tag work very well, and I don't see difference between both keyfobs.

--- Original keyfob ---
pm3 --> hf mf darkside
--------------------------------------------------------------------------------

executing Darkside attack. Expected execution time: 25sec on average
press pm3-button on the proxmark3 device to abort both proxmark3 and client.
--------------------------------------------------------------------------------

................................................................................................................
[+]found 1 candidate key.


[+]found valid key: 484558414354


--- Clone keyfob ---
pm3 --> hf mf darkside
--------------------------------------------------------------------------------

executing Darkside attack. Expected execution time: 25sec on average
press pm3-button on the proxmark3 device to abort both proxmark3 and client.
--------------------------------------------------------------------------------

...
card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown
generating polynomial with 16 effective bits only, but shows unexpected behaviour.

is it normal ? I really don't understand
Thanks

my tag info :

--- Original keyfob ---
pm3 --> hf 14a info n
 UID : 25 D5 A0 47
ATQA : 00 04
 SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands: NO
Prng detection: WEAK

NACK bug detected


--- Clone keyfob ---
pm3 --> hf 14a info n
 UID : 25 D5 A0 47
ATQA : 00 04
 SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN 1a): YES
Prng detection: WEAK

detection failed

PS : with clone keyfob, however if I launch nested Attack with original key, all is working
(hf mf nested 1 0 A 484558414354 d)

Last edited by Shashadow (2018-04-17 21:14:21)

Offline

#2 2018-04-16 23:21:16

dontlook
Contributor
Registered: 2017-01-28
Posts: 44

Re: [Solved] why clone isn't vulnerable to darkside, while genuine is it ?

If I understand correctly the Darkside attack is based on the problem with the probabilistic random number generator chip on the card, not the data on the card.  The clone physically is a different card and has a different chip, so it may not have the same vulnerability, regardless of what data you put on it.

Offline

#3 2018-04-17 06:14:46

piwi
Moderator
Registered: 2013-06-04
Posts: 498

Re: [Solved] why clone isn't vulnerable to darkside, while genuine is it ?

In this case both cards have the problem with the random number generator (hf 14a info shows "prng detection: WEAK" for both). But the clone doesn't show the NACK bug, which is also required by the darkside attack.

Offline

#4 2018-04-17 21:13:25

Shashadow
Contributor
Registered: 2018-03-13
Posts: 24

Re: [Solved] why clone isn't vulnerable to darkside, while genuine is it ?

Hello

thanks for your reply, and indeed it seems to be the right explain.
just no Lucky with my keyfobs, test with three different (gen1a magic, gen2 no magic and FUID) but all fail for darkside.
ok, so now I know why :-) thanks a lot.
++

Offline

#5 2018-04-18 07:08:57

iceman
Administrator
Registered: 2013-04-25
Posts: 4,555
Website

Re: [Solved] why clone isn't vulnerable to darkside, while genuine is it ?

yup,  magic tag usually doesn't work with the original darkside attack.
However,  the all zero parity version (is implemented in current darkside on pm3)  attack,  or to be fare,  its a special case for darkside attack..   that one can solve a magic one.  But only if the prng is weak.


冰人
modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Nothing says thank you as much as a donation!

Offline

#6 2018-04-19 11:56:02

atmel9077
Contributor
Registered: 2017-06-25
Posts: 34

Re: [Solved] why clone isn't vulnerable to darkside, while genuine is it ?

Shashadow wrote:

[+]found valid key: 484558414354

Excuse me if i'm offtopic, I see you try to copy an Intratone HEXACT keyfob, on some systems you can copy them on normal (non-magic) MIFARE tags. You can even leave the access conditions FF078069 so you can reuse your tag. You can find the keys here: https://pastebin.com/v7eL1HkR


Those who forget the past are doomed to repeat it.

Offline

#7 2018-04-19 22:15:23

Shashadow
Contributor
Registered: 2018-03-13
Posts: 24

Re: [Solved] why clone isn't vulnerable to darkside, while genuine is it ?

hello,

thanks atmel for your keys about intratone keyfob, I keep the link :-)

Iceman, when you speak about zero parity version Attack, do you speak about :
proxmark3> hf mf
...
mifare           Read parity error messages.

from official pm3 ?

because I tried but no more success, same output with official pm3 than iceman fork :
Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).

and prng is well weak
unless I need to flash firmware with official pm3 ?

Last edited by Shashadow (2018-04-19 23:03:42)

Offline

#8 Yesterday 06:13:34

iceman
Administrator
Registered: 2013-04-25
Posts: 4,555
Website

Re: [Solved] why clone isn't vulnerable to darkside, while genuine is it ?

The general recommendation on the forum is,  never mix between forks/bransch/commits   its bound to not work.


hf mf mifare is the official pm3 repo command for darkside attack.  Its been renamed in iceman fork.


if your card never send NACK's the darkside attack will not work.


冰人
modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Nothing says thank you as much as a donation!

Offline

Board footer

Powered by FluxBB