Research, development and trades concerning the powerful Proxmark3 device.
According to Nicolas Courtois, http://www.nicolascourtois.com/papers/mifare_all.pdf
and the different attacks, it should be possible to identify a "weak" Classic tag.
Here on the forum there are always the questions about "how do I crack this or that tag, it's a Classic"... And the answer is to use "mifare" or check default keys (or a reader attack via sim x), but still it's just the usual answers.
I suggest we create a function that checks for the "NACK" bug. We can use it to see how tags react to it, especially the newer ones with a better PRNG. And we can see if the copied/fake MIFARE Classic tags react as well: http://www.proxmark.org/forum/viewtopic.php?id=169
I must admit I'm not that good with the inner workings of the "hf mf mifare" attack.
But would this be interesting?
Maybe other MIFARE products have strange behaviors, but we don't know how to fuzz them?
I agree with iceman! This would be a good feature, and feasible by reusing existing code!
In this method,
https://github.com/Proxmark/proxmark3/b … 3a.c#L1960
A possible idea would be to have a counter that increases every time this method returns -99999.
When the counter reaches a limit (say 2000?) we can exit the original call, since none of the collected nonces is repeating within the 65536 loop.
Great idea, iceman!
Regarding the limit: I would prefer a default limit (maybe 2000 is perfect),
but also an optional parameter to tamper with this value.
If we have a sample of an authentication request with correct parity and wrong bits, we should be able to implement this identification quite easily.
I am working on this one.
The Darkside attack doesn't only require the "NACK bug" but in addition it needs predictable "random" numbers. The latter is also required for the nested attack. It isn't difficult to identify both.
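The two posts above (the -99999 counter idea and "it isn't difficult to identify both") both come down to one host-side test: the Crypto1 nonce generator is a 16-bit LFSR with feedback polynomial x^16 + x^14 + x^13 + x^11 + 1, so a 32-bit nT from a weak tag is 32 consecutive output bits of that register, and its second half is simply its first half clocked 16 times. The following is an added example, not code from the Proxmark3 repository or from anyone in this thread; it assumes the Proxmark3 client's nonce byte order (first byte received in the most significant position), ports the sliding-window stepping that crapto1 uses for its PRNG successor, and the sample nonces are constructed (the first one was checked by hand to be a valid LFSR output, the others are derived from it or from flipping one bit). It covers only the predictable-PRNG half of the identification; the NACK bug needs the card exchange itself and is not simulated here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Nonce byte order is assumed to follow the Proxmark3 client: the 4 bytes
 * of nT as received from the tag, first byte in the most significant
 * position. ISO 14443A sends each byte LSB first and the register shifts
 * its low bit out first, so a 16-bit half goes into register order by
 * swapping its two bytes. */
static uint16_t swap16(uint16_t h) {
    return (uint16_t)(h << 8 | h >> 8);
}

static uint32_t swap32(uint32_t w) {
    return w << 24 | (w & 0xff00) << 8 | (w >> 8 & 0xff00) | w >> 24;
}

/* One clock of the Crypto1 nonce generator: 16-bit LFSR, feedback
 * polynomial x^16 + x^14 + x^13 + x^11 + 1. Shift right; the new bit
 * enters at bit 15 as the XOR of bits 0, 2, 3 and 5. */
static uint16_t lfsr16_step(uint16_t s) {
    return (uint16_t)(s >> 1 | (s ^ s >> 2 ^ s >> 3 ^ s >> 5) << 15);
}

/* True if nT could have come from the 16-bit LFSR: the second half must be
 * the first half clocked 16 times. A hardened PRNG passes this check only
 * by chance, once in 65536 nonces. */
bool mfc_nonce_is_lfsr(uint32_t nt) {
    uint16_t s = swap16((uint16_t)(nt >> 16));
    if (s == 0)
        return false;               /* the all-zero state never occurs */
    for (int i = 0; i < 16; i++)
        s = lfsr16_step(s);
    return swap16(s) == (uint16_t)(nt & 0xffff);
}

/* The nonce the same LFSR emits n clocks after nt. The 32 bits are treated
 * as a sliding window over the bit stream, with the newest 16 bits (the
 * current register) on top; same idea as crapto1's prng_successor(). */
uint32_t mfc_prng_successor(uint32_t nt, unsigned n) {
    uint32_t w = swap32(nt);
    while (n--)
        w = w >> 1 | (w >> 16 ^ w >> 18 ^ w >> 19 ^ w >> 21) << 31;
    return swap32(w);
}

typedef enum { PRNG_WEAK, PRNG_HARDENED, PRNG_INCONCLUSIVE } prng_verdict;

/* Judge a batch of nonces collected from one tag. All valid: weak PRNG.
 * None valid: hardened PRNG. A mix (or no data) is inconclusive. */
prng_verdict mfc_classify_prng(const uint32_t *nonces, size_t n, size_t *n_lfsr) {
    size_t ok = 0;
    for (size_t i = 0; i < n; i++)
        ok += mfc_nonce_is_lfsr(nonces[i]);
    if (n_lfsr)
        *n_lfsr = ok;
    if (n == 0 || (ok != 0 && ok != n))
        return PRNG_INCONCLUSIVE;
    return ok == n ? PRNG_WEAK : PRNG_HARDENED;
}

int main(void) {
    /* Constructed samples: 0x01200145 is a valid LFSR output (its first
     * half 0x0120 clocked 16 times gives 0x0145); the others are its
     * successors, or a valid nonce with one bit of the second half flipped. */
    const uint32_t weak[] = { 0x01200145, mfc_prng_successor(0x01200145, 16),
                              mfc_prng_successor(0x01200145, 37), 0x01000168 };
    const uint32_t hard[] = { 0x01200144, 0x0145C977, 0x01000169 };
    const char *name[] = { "weak PRNG", "hardened PRNG", "inconclusive" };
    size_t hits;

    prng_verdict v = mfc_classify_prng(weak, 4, &hits);
    printf("batch 1: %zu/4 LFSR nonces -> %s\n", hits, name[v]);
    v = mfc_classify_prng(hard, 3, &hits);
    printf("batch 2: %zu/3 LFSR nonces -> %s\n", hits, name[v]);
    printf("next nonce after 0x01200145 (16 clocks): 0x%08X\n",
           mfc_prng_successor(0x01200145, 16));
    return 0;
}
```

On a real card the nonces would come from repeated `hf 14a` authentication attempts; a tag whose batch is classified weak is a candidate for the nested attack, and Darkside additionally needs it to answer a correct-parity, wrong-bits authentication with the 4-bit NACK.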
On the forum there are some suggestions for different approaches to the darkside attack.
The one that is implemented uses some of them. Whether that is better or worse when it comes to tags that only have one of the two faults is the question.
To be able to identify the predictable random numbers and the NACK bug would indeed be a great addition.
Some people did have a good way of attacking the MIFARE clones (like Fudan), which would be nice to have. Seeing a snoop by Marshmellow of a Fudan tag shows the extra byte...
Last edited by iceman (2015-06-24 08:58:12)
In my experience I think the nested attack already works on the Fudan chips.
Not sure about the mifare (darkside) attack.