Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2015-04-12 13:44:42

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

idea: identify "weak" mifare classic tags.

According to Nicolas Courtois, http://www.nicolascourtois.com/papers/mifare_all.pdf
and the different attacks,   there should be possible to identify a "weak" classic tag.

Here on the forum there is always the questions about "how do I crack this or that tag, its a classic"...  And the answer is use the "mifare" or check default keys,  (or reader attack via sim x)   but still its just the usual answers.

I suggest we create a function that checks for the  "nack" bug.  And we can use it to see if how tags react to it.  Especially the newer ones with better prng..   And we can see if the copied/fake mifare classic tags reacts aswell,  http://www.proxmark.org/forum/viewtopic.php?id=169

I must admit, i'm not that good at the inner workings of the "hf mf mifare" attack. 
But would this be interesting?   

Maybe other mifare products has strange behaviors,  but we don't know how to fuzzy them?

Offline

#2 2015-04-12 14:54:25

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: idea: identify "weak" mifare classic tags.

I agree with iceman! This will be a good feature feasible reusing existing code!!

Offline

#3 2015-04-12 19:29:13

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: idea: identify "weak" mifare classic tags.

In this method,

https://github.com/Proxmark/proxmark3/b … 3a.c#L1960

A possible idea would be to have a counter increasing for every time it returns -99999  from this method.
when the counter reaches a limit (say 2000?) we can exit the original call,  since none of the collected nonces is repeating within 65536 loop.

Offline

#4 2015-04-13 20:08:58

ikarus
Contributor
Registered: 2012-09-20
Posts: 249
Website

Re: idea: identify "weak" mifare classic tags.

Great idea, iceman!
Regarding the limit: I would prefer a default limit (maybe 2000 is perfect)
but also a optional parameter to tamper with this value.

Offline

#5 2015-06-23 22:01:22

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: idea: identify "weak" mifare classic tags.

If we have a sample of a authentication request  with correct parity and wrong bits,  we should quite easy implement this identification.

Offline

#6 2015-06-24 07:30:40

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: idea: identify "weak" mifare classic tags.

I am working on this one.

The Darkside attack doesn't only require the "NACK bug" but in addition it needs predictable "random" numbers. The latter is also required for the nested attack. It isn't difficult to identify both.

Offline

#7 2015-06-24 08:56:26

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: idea: identify "weak" mifare classic tags.

on the forum there are some suggestions for different approaches to darkside attack.
The one that is imp is using some of them.  If that is better or bad, when it comes to tags who only have one of the both faults is the question.

To be able to identify the predictable random numbers and NACK bug, would be indeed a great addition.

Some ppl did have a good way of atticking the mifare clones (like fudan), which would be nice to  have.  Seeing a snoop from Marshmellow from a Fudan tag, shows the extra byte..

Last edited by iceman (2015-06-24 08:58:12)

Offline

#8 2015-06-25 02:09:36

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: idea: identify "weak" mifare classic tags.

in my experience i think the nested already works on the fudan chips. 

not sure about the mifare (darkside attack)

Offline

Board footer

Powered by FluxBB