
MFC reader only attacks?

Open doegox opened this issue 5 years ago • 9 comments

  • recovering from sniffed data
  • super magic2 read & break
  • super magic2 mode emulated in pm3? => hf mf sim x

doegox avatar Apr 19 '19 12:04 doegox

There are apparently at least two types of supercard:

  • https://github.com/nfc-tools/nfc-supercard
    • working with I think https://web.archive.org/web/20190204031026/http://www.xfpga.com/html_products/super-mifare-cracker-card-1k-115.html
  • https://github.com/netscylla/super-card/blob/master/libnfc-1.7.1/utils/nfc-super.c
    • see https://www.netscylla.com/blog/2018/05/17/cracking-mifare-with-the-super-card.html

Codes to deal with these cards are different, e.g. for mine I needed to decrypt card data with DES and key=1122334455667788 while I don't see anything like that in their code, and their code doesn't work on my card (well it returns no error but garbage key :D).

doegox avatar Jul 04 '19 08:07 doegox

I wouldn't be surprised if there are many supercards.
I have seen the card with a battery on it. And yours is just a card. The battery version has a heap of nonces to download and crack. There is a thread on the forum about someone solving that one.

Isn't supercard2 the same as these implemented reader-only attacks: hf 14a sim x, hf mf sim x?

iceman1001 avatar Jul 04 '19 09:07 iceman1001

Yes indeed. BTW pm3 needs to see many attempts (AUTH-A) before it breaks the key; 2 is never enough, sometimes I need 8 attempts. Strange. (And I see all attempts properly in mf list.) My card needs exactly 2 attempts.

doegox avatar Jul 04 '19 09:07 doegox

And I have the impression I never reach https://github.com/RfidResearchGroup/proxmark3/blob/master/client/cmdhfmf.c#L2290 while I get

#db# Collected two pairs of AR/NR which can be used to extract keyB from reader for sector 0:
#db# ../tools/mfkey/mfkey32v2 00000000 fc73e3da 26b2f085 bf96af82 013eb1df 6cd2d9f4 a9a340f3
#db# Emulator stopped. Tracing: 1  trace length: 572

So the key is not broken automatically.

doegox avatar Jul 04 '19 09:07 doegox
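The "#db#" lines quoted above are the only record the emulator leaves of the AR/NR pairs it collected, so it helps to be able to pull them out of a saved client log and keep count per sector and key type (which is where the "2 is never enough, sometimes I need 8 attempts" observation becomes measurable). The following parser is an added example, not code from the proxmark3 project; it assumes the mfkey32v2 argument order <uid> <nt0> <nr0> <ar0> <nt1> <nr1> <ar1>, and the sample log is the three lines from the comment retyped as constructed test input.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the three "#db#" lines quoted in the comment above,
# retyped here as test input rather than captured from a device.
SAMPLE_LOG = """\
#db# Collected two pairs of AR/NR which can be used to extract keyB from reader for sector 0:
#db# ../tools/mfkey/mfkey32v2 00000000 fc73e3da 26b2f085 bf96af82 013eb1df 6cd2d9f4 a9a340f3
#db# Emulator stopped. Tracing: 1  trace length: 572
"""

# Header line announcing that the emulator has two AR/NR pairs for one sector.
HEADER_RE = re.compile(
    r"^#db# Collected two pairs of AR/NR .*extract (key[AB]) from reader for sector (\d+):$"
)
# The ready-made mfkey32v2 command line: seven 32-bit hex words after the tool path.
MFKEY_RE = re.compile(r"^#db# \S*mfkey32v2((?:\s+[0-9a-fA-F]{8}){7})$")

# Assumed argument order of mfkey32v2: <uid> <nt0> <nr0> <ar0> <nt1> <nr1> <ar1>.
MFKEY_FIELDS = ("uid", "nt0", "nr0", "ar0", "nt1", "nr1", "ar1")


def parse_collected_pairs(log: str) -> List[Dict[str, object]]:
    """Return one record per 'Collected two pairs' block found in pm3 emulator output."""
    records: List[Dict[str, object]] = []
    pending: Optional[Dict[str, object]] = None
    for raw in log.splitlines():
        line = raw.rstrip()  # the client pads these lines with trailing spaces
        h = HEADER_RE.match(line)
        if h:
            # Start a new record; the mfkey32v2 line is expected to follow it.
            pending = {"key_type": h.group(1), "sector": int(h.group(2))}
            continue
        m = MFKEY_RE.match(line)
        if m and pending is not None:
            words = m.group(1).split()
            pending.update(zip(MFKEY_FIELDS, (w.lower() for w in words)))
            # mfkey32v2 (unlike the original mfkey32) copes with two different
            # tag nonces; note which situation this pair set is in.
            pending["distinct_tag_nonces"] = pending["nt0"] != pending["nt1"]
            records.append(pending)
            pending = None
    return records


def summarize(records: List[Dict[str, object]]) -> Dict[tuple, int]:
    """Count captured AR/NR pair sets per (sector, key type) to see how many
    authentication attempts the reader actually produced."""
    counts: Dict[tuple, int] = {}
    for r in records:
        key = (r["sector"], r["key_type"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_collected_pairs(SAMPLE_LOG)
    for r in recs:
        print(r)
    print(summarize(recs))
```

Feeding a longer client log through parse_collected_pairs gives one record per collected pair set, so the per-sector counts from summarize show at a glance whether the reader has been seen authenticating often enough for the key recovery step to run.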

Yeah, that is the crappy difference between 14a sim x and mf sim x. It is hooked up to interactive... like sim x i;
otherwise you only get the debug statement. I think 14a sim x is behaving like I want it to (or like we want it to act).

Mceloff wanted to bring those debug statements back. I said no. Better to let the x param execute the darn attack as soon as we got the responses. It should also use the Moebius attack, where 2 auth requests should be enough.

iceman1001 avatar Jul 04 '19 10:07 iceman1001

Bummer. Yeah, got it working now. And hf 14a sim x is much nicer.

doegox avatar Jul 04 '19 12:07 doegox

Good.
This is also one of those quirks that the proxmark client consists of. You have to know this in order to understand. You also need to know that you can get up to 8 nonce pairs (if I remember it correctly), meaning we can get 8 keys if the reader is using it that way.
We can also make the emulator key be updated with the found key. :) Meaning the simulation can become smarter as the reader tries to authenticate, making it go to the next step in its process.

iceman1001 avatar Jul 04 '19 13:07 iceman1001

Another issue / wish on our list: making the sim x attack nicer and behave the same on both 14a / mf.

iceman1001 avatar Jul 04 '19 13:07 iceman1001

Speaking of which... @doegox this issue.. now that we added supercard to the client,...

iceman1001 avatar Nov 10 '20 14:11 iceman1001