Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
I think to have a mifare1k, with ATQA 0400 and SAK 08... Some sectors are protected with default keys so with the help of MFOC I got the other keys.
With my own tool im trying to get a NACK answer, fixing the tagNonce, the readerNonce and the readerAnswer, I'm trying to change all the possibility parity bits (128possibilities for 8parity bits) and try a fake authentication to get the 4bits NACK answer from the tag.
I've tried it on another mifare1k and I usually get the NACK before reaching the 128 authentications.
On another mifare1k i have a NACK each time i try an authentication as explained on some online pdf...
But with the last mifare1k that i am testing I can't get any NACK answer! how its possible?
maybe its not a mifare classic? but MFOC worked well with it...
any suggest?
Thanks! and sorry for the crossposting from libnfc.org
Offline
With my own tool im trying to get a NACK answer, fixing the tagNonce, the readerNonce and the readerAnswer, I'm trying to change all the possibility parity bits (128possibilities for 8parity bits) and try a fake authentication to get the 4bits NACK answer from the tag.
Why? Do you want to get the keys or what?
I've tried it on another mifare1k and I usually get the NACK before reaching the 128 authentications.
On another mifare1k i have a NACK each time i try an authentication as explained on some online pdf...But with the last mifare1k that i am testing I can't get any NACK answer! how its possible?
maybe its not a mifare classic? but MFOC worked well with it...any suggest?
Maybe your second mifare classic tag is not original mifare(OEM), or it have protection from darkside and nested attacks(Newer mifare1k from NXP/Philips have this protection).
on some online pdf...
Sorry, our telepath is on vacation now.
Offline
Do you want to get the keys or what?
Yes, i'm trying to implement the darkside attack with my own NFC reader. So as first step I was trying to get a NACK answer from the tag.
Maybe your second mifare classic tag is not original mifare(OEM), or it have protection from darkside and nested attacks(Newer mifare1k from NXP/Philips have this protection).
The nested attack worked well, so probably It has some protection for darkside attack or its not an original card.
our telepath is on vacation now.
I was talking about the "THE DARK SIDE OF SECURITY BY OBSCURITY" pdf.
So without any NACK answer and any sector protected with default keys it's impossible to attack the card somehow, yes?
Offline
with my own NFC reader
What reader?
What card?
What is your setup?
So without any NACK answer and any sector protected with default keys it's impossible to attack the card somehow, yes?
No, you can still retrieve the keys by sniffing transaction between genuine reader and your card(using proxmark3) or by MITM attack using 2 NFC devices. Then just use crapto1 to decrypt sniffed/realyed data.
Offline
I'm using my homemade prototype of NFC reader based on the TRF7970A from Texas Instruments.
So, yes, the only way to attack the card in such cases is the transaction sniffing.
Thanks again for the reply
Offline
Greetings, axxe
I came across the same situation.
I also have my homemade reader, which is an NXP MFRC522 baseband driven by a STM32 mcu.
And i implemented part of the darkside attack on the device.
I find that there are five types of card behavior:
1) The card returns a small range of nT, and always answer with NACK no matter what spoof data (and parity bits) are. This type of card agrees with the description of weaker cards in the paper (the dark side of security by obscurity).
2) The card returns a medium range of nT, sometimes answer with NACK. (normal Mifare Classic Card)
3) The card returns a large range of nT, no NACK is returned, no matter what the parity is.
4) The card returns a different nT each time. There is a possibility when NACK is answered by the card.
5) The card returns the same nT each time. (UID changeable card)
in the above 5 behaviors, 3) is exactly what you described. I don't know what the card is, or what the manufacturer is.
I guess the type 3) card is also some kind of illegal or unlicensed mifare classic card.
Please feel free to reply below if you have further discovery
Offline