Proxmark3 community


#1 2019-08-28 17:52:02

squishy
Contributor
Registered: 2019-02-18
Posts: 14

Mifare Classic 1k | Plus 2k SL1 hardnested not progressing

Hi,
I'm in a hotel and tried to crack the key of my hotel room and it's not going anywhere. I would like to be pointed in the right direction.

Key info:

 [usb] pm3 --> hf sea
[=] Checking for known tags...

 UID : 96 CC 5F 32
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO
[+] Prng detection: HARD

[+] Valid ISO14443-A tag  found
 

Also, using "hf list" shows a parity error, but it pops up from time to time and is not always there. I don't remember that much about this indication; I have seen it in one of iceman's videos, but it seems like I couldn't find it when I was searching again for its explanation.

[usb] pm3 --> hf lis
[+] Recorded Activity (TraceLen = 130 bytes)
[=]
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |        992 | Rdr |52                                                                       |     | WUPA
       2244 |       4612 | Tag |04  00                                                                   |     |
       7040 |       9504 | Rdr |93  20                                                                   |     | ANTICOLL
      10692 |      16580 | Tag |96  cc  5f  32  37                                                       |     |
      19072 |      29600 | Rdr |93  70  96  cc  5f  32  37  f6  79                                       |  ok | SELECT_UID
      30788 |      34308 | Tag |08  b6  dd                                                               |     |
      36480 |      41248 | Rdr |61  01  a4  73                                                           |  ok | AUTH-B(1)
      46004 |      50676 | Tag |61  38  c5  14                                                           |     |
      59904 |      69280 | Rdr |89! bc! a7  50! d2! 9c  24  73                                           | !crc|
     206080 |     207328 | Rdr |00   

Trying to get some keys from the hard MIFARE card:

 [usb] pm3 --> hf mf chk *2 ? default_keys.dic d
[+] Loaded 815 keys from default_keys.dic
....................................................................................................................................................................
....................................................................................................................................................................
.
[+] Time in checkkeys: 160 seconds

[=] testing to read key B...
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ------------  | 0 |  ffffffffffff  | 1 |
|001|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|002|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|003|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|004|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|005|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|006|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|007|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|008|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|009|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|010|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|011|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|012|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|013|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|014|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|015|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|016|  5c8ff9990da2  | 1 |  d01afeeb890a  | 1 |
|017|  75ccb59c9bed  | 1 |  4b791bea7bcc  | 1 |
|018|  ------------  | 0 |  ------------  | 0 |
|019|  ------------  | 0 |  ------------  | 0 |
|020|  ------------  | 0 |  ------------  | 0 |
|021|  ------------  | 0 |  ------------  | 0 |
|022|  ------------  | 0 |  ------------  | 0 |
|023|  ------------  | 0 |  ------------  | 0 |
|024|  ------------  | 0 |  ------------  | 0 |
|025|  ------------  | 0 |  ------------  | 0 |
|026|  ------------  | 0 |  ------------  | 0 |
|027|  ------------  | 0 |  ------------  | 0 |
|028|  ------------  | 0 |  ------------  | 0 |
|029|  ------------  | 0 |  ------------  | 0 |
|030|  ------------  | 0 |  ------------  | 0 |
|031|  ------------  | 0 |  ------------  | 0 |
|---|----------------|---|----------------|---|
[=] Printing keys to binary file hf-mf-96CC5F32-key.bin ...
[+] Found keys have been dumped to file hf-mf-96CC5F32-key.bin . 0xffffffffffff has been inserted for unknown keys. 

Found several keys, but it seems like they don't work when I use hardnested.

 [usb] pm3 --> hf mf hardne 16 A 5c8ff9990da2 0 A
[!] Key is wrong. Can't authenticate to block: 16 key type:A
 

Now, I tried using the key file created by the hf mf chk command with hardnested.

 [usb] pm3 --> hf mf hardne r f hf-mf-96CC5F32-key.bin
--target block no:  0, target key type:A, known target key: 0x000000000000 (not set), file action: read, Slow: No, Tests: 0
[+] Using AVX2 SIMD core.

 time    | #nonces | Activity                                                | expected to brute force
         |         |                                                         | #states         | time
------------------------------------------------------------------------------------------------------
       0 |       0 | Start using 8 threads and AVX2 SIMD core                |                 |
       0 |       0 | Brute force benchmark: 986 million (2^29.9) keys/s      | 140737488355328 |    2d
       1 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |    2d
       2 |       0 | Reading nonces from file hf-mf-96CC5F32-key.bin...      | 140737488355328 |    2d
       2 |      84 | Read 84 nonces from file. cuid = ffffffff               | 140737488355328 |    2d
       2 |      84 | (1. guess: Sum(a8) = 0)                                 |               0 |    0s
       7 |      84 | Apply Sum(a8) and all bytes bitflip properties          |            -nan | -nand

     102 |      84 | Brute force phase completed. Key found: 3615e12b12c6    |               0 |    0s
[usb] pm3 -->

I got the key of block 0 A, but still, like the previous key, when I tried using it separately I can't seem to get authenticated.

 [usb] pm3 --> hf mf hardne 0 A 3615e12b12c6 1 A
[!] Key is wrong. Can't authenticate to block:  0 key type:A 

Would really love to know what I'm missing or doing wrong here. This is my first attempt at cracking an HF card; I hope someone will point me in the right direction here. Thanks.

Offline

#2 2019-08-28 18:01:25

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Mifare Classic 1k | Plus 2k SL1 hardnested not progressing

Yet again blocks vs sectors...

Offline

#3 2019-08-28 18:08:53

squishy
Contributor
Registered: 2019-02-18
Posts: 14

Re: Mifare Classic 1k | Plus 2k SL1 hardnested not progressing

This? Sorry, not really clear.

 [usb] pm3 --> hf mf rdsc 0 A 3615e12b12c6
--sector no:0 key type:A key:36 15 E1 2B 12 C6

#db# Auth error
isOk:00
 

Offline

#4 2019-08-28 18:27:39

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Mifare Classic 1k | Plus 2k SL1 hardnested not progressing

Read your output again. As a hint, maybe read the help text for each command you are using.

Offline

#5 2019-08-28 19:39:48

squishy
Contributor
Registered: 2019-02-18
Posts: 14

Re: Mifare Classic 1k | Plus 2k SL1 hardnested not progressing

Cool, I read a lot after your post. Correct me if I'm wrong.
When I used hf mf chk *2 ? dic, what I got are the keys for a sector. A sector has a number of blocks, right? Because hf mf dump shows that it dumps block 0 of a sector.
So when I do hf mf rdsc 17 B 4b791bea7bcc, I was able to read the sector, but the other keys that I have from hf mf chk were not able to read the sector.

[usb] pm3 --> hf mf rdsc 16 B d01afeeb890a
--sector no:16 key type:B key:D0 1A FE EB 89 0A

#db# Cmd Error: 04
#db# Read sector 16 block  0 error
isOk:00

The only one that I can read is the key from sector 17 B.

[usb] pm3 --> hf mf rdsc 17 b 4b791bea7bcc
--sector no:17 key type:B key:4B 79 1B EA 7B CC

isOk:01
data   : 41 53 4C 36 34 33 01 52 18 AA D6 01 00 00 00 00
data   : 0F E7 C4 C5 9D DF 02 6C 73 02 6C 1A E6 2B D1 09
data   : 19 C4 A4 04 65 1E AC 36 16 7F EB 27 DC B6 2E CB
trailer: 00 00 00 00 00 00 70 F0 F8 69 00 00 00 00 00 00
Trailer decoded:
Access block 68: rdB
Access block 69: rdB
Access block 70: rdB
Access block 71: rdCbyAB
UserData: 69

Also, none of those keys are able to authenticate when used in hardnested, because they were all output from a sector, but the sector doesn't recognize them either, hmm.
I also found this awesome post with a similar fate to mine, but I'm still too dumb to notice what I'm missing. http://www.proxmark.org/forum/viewtopic.php?id=5115

Offline
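
The sector/block numbering and the "Trailer decoded" lines in the sector 17 output above can be reproduced by hand. The following is an added example, not part of the thread or of the Proxmark3 client; the function names are hypothetical, the trailer bytes are the ones printed in post #5, and the rights table follows the MIFARE Classic datasheet. It covers only the 4-block sectors (0 to 31) of 1k/2k cards.

```python
# Added example: sector-to-block layout and access-bit decoding.
# Data-block (read, write) rights for each (C1, C2, C3), per the datasheet.
DATA_RIGHTS = {
    (0, 0, 0): ("A|B", "A|B"),   (0, 1, 0): ("A|B", "never"),
    (1, 0, 0): ("A|B", "B"),     (1, 1, 0): ("A|B", "B"),
    (0, 0, 1): ("A|B", "never"), (0, 1, 1): ("B", "B"),
    (1, 0, 1): ("B", "never"),   (1, 1, 1): ("never", "never"),
}

def sector_blocks(sector):
    """Absolute block numbers of a 4-block sector; the last is the trailer."""
    if not 0 <= sector < 32:
        raise ValueError("only 4-block sectors (0..31) are handled here")
    return list(range(sector * 4, sector * 4 + 4))

def access_bits(trailer):
    """Return [(C1, C2, C3)] for blocks 0..3 of the sector (3 = trailer)."""
    if len(trailer) != 16:
        raise ValueError("a sector trailer is 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    # Every nibble is also stored inverted; a mismatch means a malformed trailer.
    stored_inverted = (b6 & 0x0F, b6 >> 4, b7 & 0x0F)
    if stored_inverted != (~c1 & 0x0F, ~c2 & 0x0F, ~c3 & 0x0F):
        raise ValueError("access bits fail the inverted-copy check")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]

def describe_data_blocks(sector, trailer):
    """Map each data block number of the sector to its (read, write) rights."""
    blocks, bits = sector_blocks(sector), access_bits(trailer)
    return {blk: DATA_RIGHTS[cond] for blk, cond in zip(blocks[:3], bits[:3])}

# Trailer of sector 17 as printed in the thread (key bytes read back as zeros).
TRAILER_17 = bytes.fromhex("00 00 00 00 00 00 70 F0 F8 69 00 00 00 00 00 00")

if __name__ == "__main__":
    print("sector 17 blocks:", sector_blocks(17))
    for blk, (rd, wr) in describe_data_blocks(17, TRAILER_17).items():
        print(f"block {blk}: read={rd} write={wr}")
    print("trailer (C1,C2,C3):", access_bits(TRAILER_17)[3])
```

Sector 17 maps to blocks 68 to 71, and the data blocks decode to read-with-key-B only, matching the "rdB" lines in the output above.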
