Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hi,
I'm in a hotel and tried to crack the key of my hotel room and it's not going anywhere. I would like to be pointed in the right direction.
Key info:
[usb] pm3 --> hf sea
[=] Checking for known tags...
UID : 96 CC 5F 32
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO
[+] Prng detection: HARD
[+] Valid ISO14443-A tag found
Also, using "hf list", this shows a parity error, but it pops up from time to time and is not always there. I don't remember that much about this indication. I have seen it in one of the videos of iceman, but it seems like I couldn't find it when I was searching again for its explanation.
[usb] pm3 --> hf lis
[+] Recorded Activity (TraceLen = 130 bytes)
[=]
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |52 | | WUPA
2244 | 4612 | Tag |04 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10692 | 16580 | Tag |96 cc 5f 32 37 | |
19072 | 29600 | Rdr |93 70 96 cc 5f 32 37 f6 79 | ok | SELECT_UID
30788 | 34308 | Tag |08 b6 dd | |
36480 | 41248 | Rdr |61 01 a4 73 | ok | AUTH-B(1)
46004 | 50676 | Tag |61 38 c5 14 | |
59904 | 69280 | Rdr |89! bc! a7 50! d2! 9c 24 73 | !crc|
206080 | 207328 | Rdr |00
Trying to get some keys from the hard MIFARE card:
[usb] pm3 --> hf mf chk *2 ? default_keys.dic d
[+] Loaded 815 keys from default_keys.dic
....................................................................................................................................................................
....................................................................................................................................................................
.
[+] Time in checkkeys: 160 seconds
[=] testing to read key B...
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ------------ | 0 | ffffffffffff | 1 |
|001| ffffffffffff | 1 | ffffffffffff | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|016| 5c8ff9990da2 | 1 | d01afeeb890a | 1 |
|017| 75ccb59c9bed | 1 | 4b791bea7bcc | 1 |
|018| ------------ | 0 | ------------ | 0 |
|019| ------------ | 0 | ------------ | 0 |
|020| ------------ | 0 | ------------ | 0 |
|021| ------------ | 0 | ------------ | 0 |
|022| ------------ | 0 | ------------ | 0 |
|023| ------------ | 0 | ------------ | 0 |
|024| ------------ | 0 | ------------ | 0 |
|025| ------------ | 0 | ------------ | 0 |
|026| ------------ | 0 | ------------ | 0 |
|027| ------------ | 0 | ------------ | 0 |
|028| ------------ | 0 | ------------ | 0 |
|029| ------------ | 0 | ------------ | 0 |
|030| ------------ | 0 | ------------ | 0 |
|031| ------------ | 0 | ------------ | 0 |
|---|----------------|---|----------------|---|
[=] Printing keys to binary file hf-mf-96CC5F32-key.bin ...
[+] Found keys have been dumped to file hf-mf-96CC5F32-key.bin . 0xffffffffffff has been inserted for unknown keys.
Found several keys, but it seems like they don't work when I use hardnested.
[usb] pm3 --> hf mf hardne 16 A 5c8ff9990da2 0 A
[!] Key is wrong. Can't authenticate to block: 16 key type:A
Now, I tried using the key file created from the hf mf chk command on the hardnested.
[usb] pm3 --> hf mf hardne r f hf-mf-96CC5F32-key.bin
--target block no: 0, target key type:A, known target key: 0x000000000000 (not set), file action: read, Slow: No, Tests: 0
[+] Using AVX2 SIMD core.
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 8 threads and AVX2 SIMD core | |
0 | 0 | Brute force benchmark: 986 million (2^29.9) keys/s | 140737488355328 | 2d
1 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 2d
2 | 0 | Reading nonces from file hf-mf-96CC5F32-key.bin... | 140737488355328 | 2d
2 | 84 | Read 84 nonces from file. cuid = ffffffff | 140737488355328 | 2d
2 | 84 | (1. guess: Sum(a8) = 0) | 0 | 0s
7 | 84 | Apply Sum(a8) and all bytes bitflip properties | -nan | -nand
102 | 84 | Brute force phase completed. Key found: 3615e12b12c6 | 0 | 0s
[usb] pm3 -->
I got the key of block 0 A, but still, like the previous key, when I tried using it separately I can't seem to get authenticated.
[usb] pm3 --> hf mf hardne 0 A 3615e12b12c6 1 A
[!] Key is wrong. Can't authenticate to block: 0 key type:A
I would really love to know what I'm missing or doing wrong here. This is my first attempt at cracking an HF card; I hope someone will point me in the right direction here. Thanks.
Offline
Yet again, blocks vs sectors...
Offline
This? Sorry, not really clear.
[usb] pm3 --> hf mf rdsc 0 A 3615e12b12c6
--sector no:0 key type:A key:36 15 E1 2B 12 C6
#db# Auth error
isOk:00
Offline
Read your output again. As a hint, maybe read the helptext for each command you are using.
Offline
Cool, I read a lot after your post. Correct me if I'm wrong.
When I used the hf mf chk *2 ? dic, what I got are the keys for a sector. A sector has a number of blocks, right? Because from the hf mf dump it shows that it dumps block 0 on a sector.
So when I do hf mf rdsc 17 B 4b791bea7bcc I was able to read the sector, but, similarly, the other keys that I have from the hf mf chk were not able to read the sector.
[usb] pm3 --> hf mf rdsc 16 B d01afeeb890a
--sector no:16 key type:B key:D0 1A FE EB 89 0A
#db# Cmd Error: 04
#db# Read sector 16 block 0 error
isOk:00
The only one that I can read is the key from sector 17 B:
[usb] pm3 --> hf mf rdsc 17 b 4b791bea7bcc
--sector no:17 key type:B key:4B 79 1B EA 7B CC
isOk:01
data : 41 53 4C 36 34 33 01 52 18 AA D6 01 00 00 00 00
data : 0F E7 C4 C5 9D DF 02 6C 73 02 6C 1A E6 2B D1 09
data : 19 C4 A4 04 65 1E AC 36 16 7F EB 27 DC B6 2E CB
trailer: 00 00 00 00 00 00 70 F0 F8 69 00 00 00 00 00 00
Trailer decoded:
Access block 68: rdB
Access block 69: rdB
Access block 70: rdB
Access block 71: rdCbyAB
UserData: 69
Also, none of those keys are able to authenticate when used in hardnested, because they were all output from a sector, but the sector doesn't recognize them either.
I also found this awesome post having a similar fate as me, but I'm still too dumb to notice what I'm missing. http://www.proxmark.org/forum/viewtopic.php?id=5115
Offline
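The "blocks vs sectors" distinction and the trailer decode shown for sector 17, worked through as an added example (not written by any poster in this thread and not Proxmark3 code). The function names are hypothetical; the trailer bytes are the ones printed by `hf mf rdsc 17` above.

```python
# Added example: MIFARE Classic sector/block addressing and access-bit decoding.
# Function names are hypothetical; sample bytes are copied from the thread.

def sector_first_block(sector: int) -> int:
    """Absolute number of the first block in a sector (0-39)."""
    if not 0 <= sector <= 39:
        raise ValueError("sector out of range")
    # Sectors 0-31 hold 4 blocks each; sectors 32-39 (4K cards) hold 16.
    return sector * 4 if sector < 32 else 128 + (sector - 32) * 16

def block_to_sector(block: int) -> int:
    """Sector that contains an absolute block number (0-255)."""
    if not 0 <= block <= 255:
        raise ValueError("block out of range")
    return block // 4 if block < 128 else 32 + (block - 128) // 16

def decode_access_bits(trailer: bytes) -> list[tuple[int, int, int]]:
    """Return (C1, C2, C3) for block groups 0..3 of a 16-byte sector trailer.

    Group 3 is the trailer itself. Raises ValueError when the inverted
    copies stored in bytes 6-7 do not match the plain copies in bytes 7-8.
    """
    if len(trailer) != 16:
        raise ValueError("trailer must be 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4          # plain nibbles
    n_c1, n_c2, n_c3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F  # inverted nibbles
    if (c1 ^ n_c1, c2 ^ n_c2, c3 ^ n_c3) != (0xF, 0xF, 0xF):
        raise ValueError("access bits fail the inverted-copy check")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]

# Trailer of sector 17 as printed in the thread (key fields read back as zeros).
TRAILER_17 = bytes.fromhex("000000000000" "70F0F869" "000000000000")

if __name__ == "__main__":
    first = sector_first_block(17)
    # 101 on a data block: readable with key B only ("rdB" in the decode above).
    # 111 on the trailer: only the access bits are readable ("rdCbyAB").
    for i, bits in enumerate(decode_access_bits(TRAILER_17)):
        print(f"block {first + i}: C1C2C3 = {''.join(map(str, bits))}")
    print("block 16 belongs to sector", block_to_sector(16))
```

The key table printed by `hf mf chk` is indexed by sector, while the "Access block 68..71" lines in the trailer decode are absolute block numbers; the two helper functions convert between them.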