Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
Hi guys,
I just happened experienced a new M1 classic that isn't vulnerable to nested and mifare attack.
Here is what it looks like
pm3 --> hf 14a reader
UID : 93 01 60 1B
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands: NO
after checking the possible keys, it returns Fs for all sectors
testing to read key B...
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ffffffffffff | 1 | ffffffffffff | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 0 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 0 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
But when I dump it, it warns that "Could not read block 0 of sector 7"
So I tried nested and PM3 says
Tag isn't vulnerable to Nested Attack (its random number generator is not predictable).
Then I noticed the res on key A for sector 7 and 15 is both "0", compare to other sectors value "1"
tried to read all sectors with key A 12Fs, only 7 and 15 got authentication failed.
after that, using hardnested got key A for sector 7 and 15 cracked, read the sectors data out
pm3 --> hf mf rdsc 7 A 12xxxxxxxxxx
--sector no:7 key type:A key:12 xx xx xx xx xx
#db# READ SECTOR FINISHED
isOk:01
data : 51 00 F0 00 00 00 00 00 00 00 A1 07 08 99 12 30
data : 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF
pm3 --> hf mf rdsc 15 A 05xxxxxxxxxx
--sector no:15 key type:A key:05 xx xx xx xx xx
#db# READ SECTOR FINISHED
isOk:01
data : 93 01 60 9B 00 00 00 00 00 29 D4 00 00 00 04 01
data : 41 11 00 00 00 00 44 44 45 55 46 66 47 77 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF
Here are my questions
1. According to MIFARE Classic 1k Memory Structure, the first and last 12 hex symbols in each sector trailer should be key A and key B respectively. In my case, first 12 hex symbols from the output trailer are 0s, but clearly the valid key A is 12xxxxxxxxxx for sector 7 and 05xxxxxxxxxx for sector 15. How does this work?
Answer to myself after research: key A is not readable accoring to the transport configuration
2, I tired to read block and sector using key B, FFFFFFFFFFFF, none of them works. Again, according to memory structure, they should work. How does this work?
Answer to myself after research: "the access conditions "ff 07 80" (transport configuration) state that key B is readable. If key B is readable it is no longer considered a key but user data. Authenticating with key B will still work, but reading blocks will fail. This is the intended behavior.
3. what is the meaning of res in key table? Reset?
still unknown
4. Hence I know the first dumpkey.bin is incorrect, how can I modify the key A for sector 7 and 15 to make it valid for dump data?
Answer to myself after research: put these keys into default key table.
Thank you fellows for answering my questions. cheers
Last edited by brantz (2017-06-18 03:33:08)
Offline
3) res = result (?) ie, if nested succeed to find key. 0 = failure, 1 = success.
4) use a hexeditor
Offline
no key found on sector 7 and sector 15, pls check, perhap you need run several times and merge or use hardnested.
edit: Ah, I saw later on you did it
is the xxxx where you dont want to release the key on public forum? Read your next line...
Apropos could you pls. PM me why this mifare classic should be special?!
Last edited by ntk (2017-06-17 20:40:46)
Offline
no key found on sector 7 and sector 15, pls check, perhap you need run several times and merge or use hardnested.
edit: Ah, I saw later on you did it
is the xxxx where you dont want to release the key on public forum? Read your next line...
Apropos could you pls. PM me why this mifare classic should be special?!
Thanks for reminding me
Offline
You are welcome, but pls don't forget your second task.... thanks
Last edited by ntk (2017-06-18 13:11:37)
Offline
I have also come across this 'secured mifare' as one security company refers it to as. Not sure if OP's card is this type.
The tell tail sign it is one of these is 7 and 15 are unknown / can't get them by nested or hard nested. I was however able to get 7 via sniffing with the reader but not 15.
Secured Mifare
This is ***[security company]’s implementation of the Mifare standard. Card data is protected with a diversified authentication key and encrypted with an AES256 algorithm, effectively plugging the known security flaw in the Mifare standard. These cards are not as secure as DESFire but still provide high security against cloning.
Anyway is this "AES" claim even possible?
All i know is these cards from this one company seem to be these 'secured mifare cards' and act very strangely to the usual mifare tools.
This is marked as 'solved' did anyone successfully clone / dump?
Offline
@samburner3 did you use the full hardnested from the latest master repo?
also the data on the sector could very well be encrypted using AES256. (although i doubt very much @brantz card was)
it doesn't necessarily have to have anything to do with the authentication process.
Offline
@samburner3 did you use the full hardnested from the latest master repo?
Not the latest on master no, but used icman's fork hard nested version:
But I will use the hardnested on the latest master repo when I come across this type again (I know where uses it and could go back).
If I do come across it, what data is good to collect and paste on the forum? (Never used trace dump etc before).
the data on the sector could very well be encrypted using AES256.?
So in theory it could be referring to the data is encrypted for the purpose of the reader / door controller, but as long as the proxmark can read it and put onto another card it should work?
Unless it has some incrementing command on the card which is another method of defence.
I had come across a mifare 4k that I was able to crack (Auth'ed all keys) but changed the data on the card between reader scans, so was impossible to clone.
Offline
Mifare Plus tags has different security modes, which SL2 uses AES. So the claim could very much be true.
@samburner3, I recommend you try the v3.0.1 PM3 Master.
Offline
The hf search returned it as a classic 1k.
Ill try that master next time.
Offline
If it is a Mifare Plus it would be in SL1 mode - otherwise reading a sector would not have been possible. I.e. if there is AES encryption, it is the sector data which is encrypted by the back end.
Offline
@piwi got a point there. Its most likely the correct case for @samburner3. The improved hardnested in pm3 master will find the key.
Still this is beside the orginal post's intent. I suggest starting new thread with relevant information/question.
Offline
Pages: 1