Proxmark3 community


#1 2019-02-01 12:15:23

Christian
Contributor
Registered: 2019-02-01
Posts: 4

Auth error despite hardnested attack

I am trying to dump my NXP MIFARE Classic 4k:

pm3 --> hf 14a info
 UID : 1A 38 43 97
ATQA : 00 02
 SAK : 18 [2]
TYPE : NXP MIFARE Classic 4k | Plus 4k SL1 | 4k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO
[+] Prng detection: HARD
pm3 --> hf mf dump 4
|-----------------------------------------|
|------ Reading sector access bits...-----|
|-----------------------------------------|
|-----------------------------------------|
|----- Dumping all blocks to file... -----|
|-----------------------------------------|
[+] successfully read block  0 of sector  0.
[+] successfully read block  1 of sector  0.
[+] successfully read block  2 of sector  0.
[+] successfully read block  3 of sector  0.
[+] successfully read block  0 of sector  1.
[+] successfully read block  1 of sector  1.
[+] successfully read block  2 of sector  1.
[+] successfully read block  3 of sector  1.
#db# Auth error
#db# Auth error
#db# Auth error
#db# Auth error
#db# Auth error
#db# Auth error
#db# Auth error
#db# Auth error
#db# Auth error
#db# Auth error
[-] could not read block  0 of sector  2

Okay, let's try to read it manually with my saved keys from (hf mf chk *4 A default_keys.dic):

pm3 --> hf mf rdbl 8 A 59454b57454e
--block no:8, key type:A, key:59 45 4B 57 45 4E
#db# Cmd Error: 04
#db# Read block error
isOk:00

It's not working, so I tried hardnested on the block:

pm3 --> hf mf hardnested 3 A a0a1a2a3a4a5 8 A
--target block no:  8, target key type:A, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0



 time    | #nonces | Activity                                                | expected to brute force
         |         |                                                         | #states         | time
------------------------------------------------------------------------------------------------------
       0 |       0 | Start using 8 threads and AVX SIMD core                 |                 |
       0 |       0 | Brute force benchmark: 504 million (2^28.9) keys/s      | 140737488355328 |    3d
       1 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |    3d
       6 |     112 | Apply bit flip properties                               |    469728788480 | 16min
       7 |     224 | Apply bit flip properties                               |    414756503552 | 14min
       9 |     335 | Apply bit flip properties                               |    192740671488 |  6min
      10 |     446 | Apply bit flip properties                               |    190245044224 |  6min
      11 |     558 | Apply bit flip properties                               |    190245044224 |  6min
      12 |     670 | Apply bit flip properties                               |    190208491520 |  6min
      13 |     782 | Apply bit flip properties                               |    190208491520 |  6min
      14 |     893 | Apply bit flip properties                               |    190208491520 |  6min
      14 |    1002 | Apply bit flip properties                               |    190208491520 |  6min
      15 |    1114 | Apply bit flip properties                               |    190208491520 |  6min
      16 |    1226 | Apply bit flip properties                               |    190208491520 |  6min
      16 |    1338 | Apply bit flip properties                               |    190208491520 |  6min
      19 |    1446 | Apply Sum property. Sum(a0) = 160                       |      3639393280 |    7s
      19 |    1555 | Apply bit flip properties                               |      3639393280 |    7s
      20 |    1665 | Apply bit flip properties                               |      3055864832 |    6s
      20 |    1775 | Apply bit flip properties                               |      2776153600 |    6s
      21 |    1775 | (1. guess: Sum(a8) = 0)                                 |      2776153600 |    6s
      22 |    1775 | Apply Sum(a8) and all bytes bitflip properties          |       542746240 |    1s
      22 |    1775 | Brute force phase completed. Key found: 59454b57454e    |               0 |    0s

It's totally crazy. Hardnested found key "59454b57454e", but if I want to use it, it doesn't work (see above).

I tried to remove the antenna and put some space between the card and the reader, as described in http://www.proxmark.org/forum/viewtopic.php?id=4271, but this was no solution.

I updated the Proxmark and tried different firmwares, but it is always the same.

[ CLIENT ]
 client: iceman build for RDV40 with flashmem; smartcard;

 [ ARM ]
 bootrom: iceman/master/ice_v3.1.0-1072-gfbc42bd7 2019-01-28 12:52:13
      os: iceman/master/ice_v3.1.0-1072-gfbc42bd7 2019-01-28 12:52:17

 [ FPGA ]
 LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
 HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23

Can anybody help?

Offline

#2 2019-02-01 14:54:39

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Auth error despite hardnested attack

Could also be access rights; the sector has two keys. Something to think about is that you should read the datasheets on the tags you want to look at, so you understand what you are trying to do.

Offline
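
The "access rights" mentioned in the reply above are the access bits stored in bytes 6 to 8 of each MIFARE Classic sector trailer, which decide whether key A, key B or neither may read a data block after authentication. The decoder below is an added example, not part of the original thread or of the Proxmark3 code; the bit layout and condition table follow the NXP MIFARE Classic datasheet, and the two trailers are constructed sample values, not data from the card in this thread.

```python
# Added example: decode MIFARE Classic access bits from a 16-byte sector trailer.
# Trailer layout: key A (0..5), access bits (6..8), user byte (9), key B (10..15).

# Which key may READ a data block, indexed by (C1, C2, C3).
DATA_READ = {
    (0, 0, 0): "A|B", (0, 1, 0): "A|B", (1, 0, 0): "A|B", (1, 1, 0): "A|B",
    (0, 0, 1): "A|B", (0, 1, 1): "B", (1, 0, 1): "B", (1, 1, 1): "never",
}
# Trailer conditions under which key B is readable as plain data.
KEYB_READABLE = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}


def decode_access_bits(trailer: bytes):
    """Return [(C1, C2, C3)] for access groups 0..3 (group 3 is the trailer)."""
    if len(trailer) != 16:
        raise ValueError("sector trailer must be 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    # Each nibble is stored twice, once inverted; a mismatch means corrupt bits.
    if (b6 & 0x0F, b6 >> 4, b7 & 0x0F) != (c1 ^ 0xF, c2 ^ 0xF, c3 ^ 0xF):
        raise ValueError("access bits fail the inverted-copy check")
    return [((c1 >> g) & 1, (c2 >> g) & 1, (c3 >> g) & 1) for g in range(4)]


def read_keys(trailer: bytes):
    """Map each data access group (0..2) to the key allowed to read it."""
    groups = decode_access_bits(trailer)
    key_b_usable = groups[3] not in KEYB_READABLE
    result = {}
    for g in range(3):
        who = DATA_READ[groups[g]]
        if not key_b_usable:
            # Key B is readable data here; the card refuses memory access
            # after a key B authentication, so only key A counts.
            who = {"A|B": "A", "B": "never"}.get(who, who)
        result[g] = who
    return result


# Constructed trailers (keys zeroed; only bytes 6..8 are evaluated).
TRANSPORT = bytes(6) + bytes.fromhex("ff078069") + bytes(6)  # factory default
KEYB_ONLY = bytes(6) + bytes.fromhex("0f00ff00") + bytes(6)  # all groups 011

if __name__ == "__main__":
    for name, t in (("transport", TRANSPORT), ("key-B-only", KEYB_ONLY)):
        print(name, read_keys(t))
```

In a 4-block sector, access group g is block g; in the 16-block sectors of a 4k card (sectors 32 to 39), each data group covers five consecutive blocks.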

#3 2019-02-02 17:42:14

Christian
Contributor
Registered: 2019-02-01
Posts: 4

Re: Auth error despite hardnested attack

Thanks for your quick answer. Is this a hidden hint to the B key? That works, but I don't know how to tell the dump command that it should try the B key. The help command doesn't help me. So I tried to use the A key everywhere and got this error.

Offline

#4 2019-02-02 17:48:30

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Auth error despite hardnested attack

The dump command usually needs a key file...
The help texts are usually a great source of information.

Offline

#5 2019-02-08 12:53:12

Christian
Contributor
Registered: 2019-02-01
Posts: 4

Re: Auth error despite hardnested attack

Sure, the dump command needs a key file. I have generated it via hf mf chk *4 A default_keys.dic (see the post above).
Unfortunately, the command didn't work:

pm3 --> hf mf chk *4 ? default_keys.dic d
[+] Loaded 518 keys from default_keys.dic

Time in checkkeys: 0 seconds

testing to read key B...
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ------------  | 0 |  ------------  | 0 |
|001|  ------------  | 0 |  ------------  | 0 |
|002|  ------------  | 0 |  ------------  | 0 |
|003|  ------------  | 0 |  ------------  | 0 |
.....

The command didn't find any key and lasted 0 seconds.

So I decided to run hf mf chk *4 A. That worked and gave me a keyfile:

|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  a0a1a2a3a4a5  | 1 |  ------------  | 0 |
|001|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|002|  59454b57454a  | 1 |  ------------  | 0 |
|003|  93df2e5b58aa  | 1 |  ------------  | 0 |
|004|  93df2e5b58aa  | 1 |  ------------  | 0 |
|005|  93df2e5b58aa  | 1 |  ------------  | 0 |
|006|  93df2e5b58aa  | 1 |  ------------  | 0 |
|007|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|008|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|009|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|010|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|011|  a0a1a2a3a4a5  | 1 |  ------------  | 0 |
|012|  a0a1a2a3a4a5  | 1 |  ------------  | 0 |
|013|  a0a1a2a3a4a5  | 1 |  ------------  | 0 |
|014|  a0a1a2a3a4a5  | 1 |  ------------  | 0 |
|015|  a0a1a2a3a4a5  | 1 |  ------------  | 0 |
|016|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|017|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|018|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|019|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|020|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|021|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|022|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|023|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|024|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|025|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|026|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|027|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|028|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|029|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|030|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|031|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|032|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|033|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|034|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|035|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|036|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|037|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|038|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|039|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|---|----------------|---|----------------|---|
Printing keys to binary file hf-mf-9E384397-key.bin...
Found keys have been dumped to file hf-mf-9E384397-key.bin. 0xffffffffffff has been inserted for unknown keys. 

Exactly the same with the B key:

pm3 --> hf mf chk *4 B default_keys.dic d
[+] Loaded 518 keys from default_keys.dic
..........................................................................................................
Time in checkkeys: 121 seconds

|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ------------  | 0 |  56cf3acd90ca  | 1 |
|001|  ------------  | 0 |  ffffffffffff  | 1 |
|002|  ------------  | 0 |  504353504351  | 1 |
|003|  ------------  | 0 |  3b1181ff34a1  | 1 |
|004|  ------------  | 0 |  3b1181ff34a1  | 1 |
|005|  ------------  | 0 |  3b1181ff34a1  | 1 |
|006|  ------------  | 0 |  3b1181ff34a1  | 1 |
|007|  ------------  | 0 |  ffffffffffff  | 1 |
|008|  ------------  | 0 |  ffffffffffff  | 1 |
|009|  ------------  | 0 |  ffffffffffff  | 1 |
|010|  ------------  | 0 |  ffffffffffff  | 1 |
|011|  ------------  | 0 |  9cffc7751693  | 1 |
|012|  ------------  | 0 |  c2444db5ee23  | 1 |
|013|  ------------  | 0 |  03cce7f6190a  | 1 |
|014|  ------------  | 0 |  acdcd7e3be45  | 1 |
|015|  ------------  | 0 |  a177712c89fa  | 1 |
|016|  ------------  | 0 |  ffffffffffff  | 1 |
|017|  ------------  | 0 |  ffffffffffff  | 1 |
|018|  ------------  | 0 |  ffffffffffff  | 1 |
|019|  ------------  | 0 |  ffffffffffff  | 1 |
|020|  ------------  | 0 |  ffffffffffff  | 1 |
|021|  ------------  | 0 |  ffffffffffff  | 1 |
|022|  ------------  | 0 |  ffffffffffff  | 1 |
|023|  ------------  | 0 |  ffffffffffff  | 1 |
|024|  ------------  | 0 |  ffffffffffff  | 1 |
|025|  ------------  | 0 |  ffffffffffff  | 1 |
|026|  ------------  | 0 |  ffffffffffff  | 1 |
|027|  ------------  | 0 |  ffffffffffff  | 1 |
|028|  ------------  | 0 |  ffffffffffff  | 1 |
|029|  ------------  | 0 |  ffffffffffff  | 1 |
|030|  ------------  | 0 |  ffffffffffff  | 1 |
|031|  ------------  | 0 |  ffffffffffff  | 1 |
|032|  ------------  | 0 |  ffffffffffff  | 1 |
|033|  ------------  | 0 |  ffffffffffff  | 1 |
|034|  ------------  | 0 |  ffffffffffff  | 1 |
|035|  ------------  | 0 |  ffffffffffff  | 1 |
|036|  ------------  | 0 |  ffffffffffff  | 1 |
|037|  ------------  | 0 |  ffffffffffff  | 1 |
|038|  ------------  | 0 |  ffffffffffff  | 1 |
|039|  ------------  | 0 |  ffffffffffff  | 1 |
|---|----------------|---|----------------|---|
Printing keys to binary file hf-mf-9E384397-key.bin...
Found keys have been dumped to file hf-mf-9E384397-key.bin. 0xffffffffffff has been inserted for unknown keys.

So I tried to dump the card with these keyfiles, but I get the error from my first post. Maybe someone can tell me what's wrong with the command:

hf mf chk *4 ? default_keys.dic d

I didn't get any key (see the output in the first code block).

Last edited by Christian (2019-02-08 15:42:29)

Offline
