Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hello,
It's not really a problem, but I have a question that goes through my mind
After lots of tests with a MIFARE 1K clone, I observed that the clone is not vulnerable to the darkside attack, while the genuine keyfob is vulnerable?
I don't understand why; however, my clone tag works very well, and I don't see a difference between both keyfobs.
--- Original keyfob ---
pm3 --> hf mf darkside
--------------------------------------------------------------------------------
executing Darkside attack. Expected execution time: 25sec on average
press pm3-button on the proxmark3 device to abort both proxmark3 and client.
--------------------------------------------------------------------------------
................................................................................................................
[+]found 1 candidate key.
[+]found valid key: 484558414354
--- Clone keyfob ---
pm3 --> hf mf darkside
--------------------------------------------------------------------------------
executing Darkside attack. Expected execution time: 25sec on average
press pm3-button on the proxmark3 device to abort both proxmark3 and client.
--------------------------------------------------------------------------------
...
card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown
generating polynomial with 16 effective bits only, but shows unexpected behaviour.
Is it normal? I really don't understand.
Thanks
My tag info:
--- Original keyfob ---
pm3 --> hf 14a info n
UID : 25 D5 A0 47
ATQA : 00 04
SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands: NO
Prng detection: WEAK
NACK bug detected
--- Clone keyfob ---
pm3 --> hf 14a info n
UID : 25 D5 A0 47
ATQA : 00 04
SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN 1a): YES
Prng detection: WEAK
detection failed
PS: with the clone keyfob, however, if I launch the nested attack with the original key, everything works
(hf mf nested 1 0 A 484558414354 d)
Last edited by Shashadow (2018-04-17 21:14:21)
Offline
If I understand correctly, the Darkside attack is based on the problem with the probabilistic random number generator chip on the card, not the data on the card. The clone physically is a different card and has a different chip, so it may not have the same vulnerability, regardless of what data you put on it.
Offline
In this case both cards have the problem with the random number generator (hf 14a info shows "prng detection: WEAK" for both). But the clone doesn't show the NACK bug, which is also required by the darkside attack.
Offline
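The two conditions named in the reply above, checked against the `hf 14a info n` lines from the first post. This is an added example, not code from the thread or from the Proxmark3 project; the function names are hypothetical, and it assumes the bare "detection failed" line reports the NACK-bug probe and that the client prints these exact strings.

```python
import re

# `hf 14a info n` lines copied from the first post (trimmed to the fields used).
ORIGINAL = """UID : 25 D5 A0 47
Answers to magic commands: NO
Prng detection: WEAK
NACK bug detected"""
CLONE = """UID : 25 D5 A0 47
Answers to magic commands (GEN 1a): YES
Prng detection: WEAK
detection failed"""

def parse_info(text):
    """Pull out the fields this thread reasons about."""
    card = {"uid": None, "prng": None, "magic": None, "nack": "unknown"}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"UID\s*:\s*(.+)", line):
            card["uid"] = m.group(1).replace(" ", "")
        elif m := re.match(r"Prng detection:\s*(\w+)", line, re.I):
            card["prng"] = m.group(1).upper()
        elif m := re.match(r"Answers to magic commands.*:\s*(YES|NO)", line):
            card["magic"] = m.group(1) == "YES"
        elif line == "NACK bug detected":
            card["nack"] = "detected"
        elif line == "detection failed":
            # Assumption: this line reports the NACK-bug probe, as its position suggests.
            card["nack"] = "failed"
    return card

def darkside_preconditions(card):
    """Return (met, missing): darkside needs a weak PRNG and the NACK bug."""
    missing = []
    if card["prng"] != "WEAK":
        missing.append("weak PRNG")
    if card["nack"] != "detected":
        missing.append("NACK bug")
    return (not missing, missing)

if __name__ == "__main__":
    for name, dump in (("original", ORIGINAL), ("clone", CLONE)):
        card = parse_info(dump)
        met, missing = darkside_preconditions(card)
        print(name, card, "preconditions met" if met else f"missing: {missing}")
```

Both dumps carry the same UID and the same weak-PRNG result, so the NACK line is the only field that separates the two fobs.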
Hello
Thanks for your reply, and indeed it seems to be the right explanation.
Just no luck with my keyfobs: I tested three different ones (gen1a magic, gen2 no magic and FUID) but all fail for darkside.
OK, so now I know why :-) Thanks a lot.
++
Offline
Yup, a magic tag usually doesn't work with the original darkside attack.
However, the all-zero parity version of the attack (implemented in the current darkside on pm3), or to be fair, it's a special case of the darkside attack... that one can solve a magic one. But only if the PRNG is weak.
Offline
[+]found valid key: 484558414354
Excuse me if I'm off-topic. I see you are trying to copy an Intratone HEXACT keyfob; on some systems you can copy them onto normal (non-magic) MIFARE tags. You can even leave the access conditions FF078069 so you can reuse your tag. You can find the keys here: https://pastebin.com/v7eL1HkR
Offline
Hello,
Thanks atmel for your keys for the Intratone keyfob, I'll keep the link :-)
Iceman, when you speak about the zero parity version of the attack, do you mean:
proxmark3> hf mf
...
mifare Read parity error messages.
from the official pm3?
Because I tried it but had no more success; same output with the official pm3 as with the iceman fork:
Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).
and the PRNG is indeed weak.
Unless I need to flash the firmware with the official pm3?
Last edited by Shashadow (2018-04-19 23:03:42)
Offline
The general recommendation on the forum is: never mix forks/branches/commits, it's bound to not work.
hf mf mifare is the official pm3 repo command for the darkside attack. It's been renamed in the iceman fork.
If your card never sends NACKs, the darkside attack will not work.
Offline