"Created": "proxmark3",
"FileType": "mfcard",
"Card": {
"UID": "64XXX26",
"ATQA": "0400",
"SAK": "08"
},
"blocks": {
"0": "64XXX26AE880400C806002000000020",
"1": "7B002688268800000000000000000000",
"2": "00000000000000000000000000000000",
"3": "A0A1A2A3A4A578778800164F86ED1174",
"4": "0000FE0E0000000000003A000000006F",
"5": "0300000000000000000000000000C89B",
"6": "0B194F2E00000000000000000A0100A1",
"7": "07869C23FC6B7877880017FD0801A54F",
"8": "00000000FFFFFFFF0000000009F609F6",
"9": "3C000000C3FFFFFF3C00000009F609F6",
"10": "00000000FFFFFFFF000000000AF50AF5",
"11": "0403F8B9B9A508778F00147D99FE62C4",
So far so good. The thing is, a new card from this company came into my hands, and to my surprise, when I try to read it with the Proxmark3 it won't let me read sectors 1 and 2. The company has changed the passwords of sectors 0, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 and 15 and set them to the default key FFFFFFFFFFFF. On the first card, by contrast, you only knew key A of sector 0, which was A0A1A2A3A4A5.
If I use hf mf keycheck: everything comes out empty, it doesn't find any key.
If I use hf mf fchk: I get all the keys except those of sectors 1 and 2.
If I use hf mf autopwn: it only gets the FFFFFFFFFFF ones and at the end it prints
nested: 00000000 vs 00000000 error: no response from proxmark3.
If I use hf mf darkside: it prints running darkside... - card is not vulnerable to darkside attack, doesn't send NACK on authentication request.
Another change I have seen, which I hadn't noticed before, is that header block 0 of sector 0 has also changed. That is, it holds the UID and other numbers which, on the old cards, were the same on every card except for the UID. On these new cards they change from card to card; they are not the same.
[usb] pm3 --> hf mf chk
[=] Start check for keys...
[=] ...
[=] time in checkkeys 3 seconds
[=] testing to read key B...
- found keys:
- -----+-----+--------------+---+--------------+----
- Sec | Blk | key A |res| key B |res
- -----+-----+--------------+---+--------------+----
- 000 | 003 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
- 001 | 007 | ------------ | 0 | ------------ | 0
- 002 | 011 | ------------ | 0 | ------------ | 0
- 003 | 015 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
- 004 | 019 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
- 005 | 023 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
- 006 | 027 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
- 007 | 031 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
- 008 | 035 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
- 009 | 039 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
- 010 | 043 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
- 011 | 047 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
- 012 | 051 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
- 013 | 055 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
- 014 | 059 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
- 015 | 063 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
- -----+-----+--------------+---+--------------+----
- ( 0:Failed / 1:Success )
[!] no known key was supplied, key recovery might fail
- loaded 45 keys from hardcoded default array
[=] running strategy 1
- target sector 0 key type A -- found valid key [ FFFFFFFFFFFF ] (used for nested / hardnested attack)
- target sector 0 key type B -- found valid key [ FFFFFFFFFFFF ]
- target sector 3 key type A -- found valid key [ FFFFFFFFFFFF ]
- target sector 3 key type B -- found valid key [ FFFFFFFFFFFF ]
- target sector 4 key type A -- found valid key [ FFFFFFFFFFFF ]
- target sector 4 key type B -- found valid key [ FFFFFFFFFFFF ]
- target sector 5 key type A -- found valid key [ FFFFFFFFFFFF ]
- target sector 5 key type B -- found valid key [ FFFFFFFFFFFF ]
- target sector 6 key type A -- found valid key [ FFFFFFFFFFFF ]
- target sector 6 key type B -- found valid key [ FFFFFFFFFFFF ]
- target sector 7 key type A -- found valid key [ FFFFFFFFFFFF ]
- target sector 7 key type B -- found valid key [ FFFFFFFFFFFF ]
- target sector 8 key type A -- found valid key [ FFFFFFFFFFFF ]
- target sector 8 key type B -- found valid key [ FFFFFFFFFFFF ]
- target sector 9 key type A -- found valid key [ FFFFFFFFFFFF ]
- target sector 9 key type B -- found valid key [ FFFFFFFFFFFF ]
- target sector 10 key type A -- found valid key [ FFFFFFFFFFFF ]
- target sector 10 key type B -- found valid key [ FFFFFFFFFFFF ]
- target sector 11 key type A -- found valid key [ FFFFFFFFFFFF ]
- target sector 11 key type B -- found valid key [ FFFFFFFFFFFF ]
- target sector 12 key type A -- found valid key [ FFFFFFFFFFFF ]
- target sector 12 key type B -- found valid key [ FFFFFFFFFFFF ]
- target sector 13 key type A -- found valid key [ FFFFFFFFFFFF ]
- target sector 13 key type B -- found valid key [ FFFFFFFFFFFF ]
- target sector 14 key type A -- found valid key [ FFFFFFFFFFFF ]
- target sector 14 key type B -- found valid key [ FFFFFFFFFFFF ]
- target sector 15 key type A -- found valid key [ FFFFFFFFFFFF ]
- target sector 15 key type B -- found valid key [ FFFFFFFFFFFF ]
- Nested: 00000000 vs 00000000
[!!] Error: No response from Proxmark3.
[=] Chunk 1.2s | found 28/32 keys (45)
[=] running strategy 2
[=] Chunk 1.2s | found 28/32 keys (45)
[=] Expected execution time is about 25seconds on average
[=] Press pm3-button to abort
[=] Running darkside ...
[-] card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests)
[usb] pm3 --> hf mf hardnested --tblk 4 --ta
[!] Key is wrong. Can't authenticate to block: 0 key type: A
[usb] pm3 --> hf mf hardnested --blk 0 -a -k FFFFFFFFFFFF --tblk 4 --ta
[=] Target block no 4, target key type: A, known target key: 000000000000 (not set)
[=] File action: none, Slow: No, Tests: 0
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 16 threads and AVX2 SIMD core | |
[=] 0 | 0 | Brute force benchmark: 2630 million (2^31.3) keys/s | 140737488355328 | 15h
[=] 5 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 15h
- AcquireEncryptedNonces finished
[!!] Error: Static encrypted nonce detected. Aborted.
[=] Target block no 4, target key type: A, known target key: 000000000000 (not set)
[=] File action: write, Slow: Yes, Tests: 0
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 16 threads and AVX2 SIMD core | |
[=] 0 | 0 | Brute force benchmark: 2304 million (2^31.1) keys/s | 140737488355328 | 17h
[=] 4 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 17h
- AcquireEncryptedNonces finished
[!!] Error: Static encrypted nonce detected. Aborted.
- executing lua C:\Users\APOFIS\Downloads\ProxSpace\pm3\proxmark3\client\luascripts/hf_mf_keycheck.lua
- args ''
Testing block 0, keytype 0, with 84 keys
Testing block 0, keytype 0, with 84 keys
Testing block 0, keytype 0, with 84 keys
Testing block 0, keytype 0, with 84 keys
Testing block 0, keytype 0, with 84 keys
Testing block 60, keytype 1, with 84 keys
Testing block 60, keytype 1, with 84 keys
Testing block 60, keytype 1, with 84 keys
Testing block 60, keytype 1, with 84 keys
Testing block 60, keytype 1, with 84 keys
Testing block 60, keytype 1, with 84 keys
Testing block 60, keytype 1, with 84 keys
Testing block 60, keytype 1, with 78 keys
- hf_mf_keycheck - Checkkey execution time: 332 sec
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|------------    | 0 |------------    | 0 |
|001|------------    | 0 |------------    | 0 |
|002|------------    | 0 |------------    | 0 |
|003|------------    | 0 |------------    | 0 |
|004|------------    | 0 |------------    | 0 |
|005|------------    | 0 |------------    | 0 |
|006|------------    | 0 |------------    | 0 |
|007|------------    | 0 |------------    | 0 |
|008|------------    | 0 |------------    | 0 |
|009|------------    | 0 |------------    | 0 |
|010|------------    | 0 |------------    | 0 |
|011|------------    | 0 |------------    | 0 |
|012|------------    | 0 |------------    | 0 |
|013|------------    | 0 |------------    | 0 |
|014|------------    | 0 |------------    | 0 |
|015|------------    | 0 |------------    | 0 |
|---|----------------|---|----------------|---|
Do you wish to save the keys to dumpfile? [y/n] ?
[usb] pm3 --> hf mf nested --1k --blk 0 -a -k FFFFFFFFFFFF
- Testing known keys. Sector count 16
[=] Chunk 1.3s | found 28/32 keys (46)
- Time to check 45 known keys: 1 seconds
- enter nested key recovery
- Nested: 00000000 vs 00000000
[!!] Command execute timeout
[-] Tag isn't vulnerable to Nested Attack (PRNG is not predictable).
How can I approach this? What do you think?