-
Notifications
You must be signed in to change notification settings - Fork 270
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Stuck on the same distance 65439 #94
Comments
I'm facing the same issue. It may be that your card (and mine) use a static nonce generator, or somehow have the PNRG issue fixed. mfcuk doesn't work either EDIT: I have researched this further, and now I'm not so confident in my reply. |
Unfortunately, I stumbled upon the same issue and was using a Mifare Classic 1K tag with MFOC aswell, but with a PN532 board and a USB to UART cable. After a bit of digging I found a thread on reddit (link here: https://www.reddit.com/r/RFID/comments/m1qxv2/issues_with_mifarelibnfc/ ). So potentially the problem could have something to do with the wiring and the connections, but I doubt it. Try and run MFCUK and see if your Nt is constantly 1 (run verbose 3 and see what diff Nt reads). Also try mfoc hardnested and see if the nonces increase or remain the same. If Nt==1 and nonces stays at 1 then it's very likely that the card has a static/fixed nonce...which means it'll be tough to crack it (yeah, these cards are very annoying and the only ways I know of are either by using a Proxmark 3 with a type of a man-in-the-middle attack and the official card reader, or by brute forcing the nonce's key again with a proxmark). What i get from mfoc-harndested:
And MFCUK:
|
I am facing the same exact issue with a PN532. Have you found a solution by using the PN532? I would like to avoid buying the pm3 because of the high shipping time required. |
So far so good, the case is that I got my hands on a new card from this company and what was my surprise that when I try to read it with the proxmark3 and does not let me read sectors 1 and 2. This company has changed the passwords of sectors 0,3,4,5,6,7,8,9,9,10,11,12,13,14,15 and has put default keys FFFFFFFFFFFFFFFFFFFF. In the first one you only knew the password A of sector 0, which was A0A1A2A3A4A5. if I use hf mf keycheck, it comes out empty, it does not find any key. if use hf mf darkside pone runing darkside…- card is not vulnerable to darkside attack, doesn’t send NACK on authentication request. Another change that I have seen and I had not noticed is that the header 0 of sector 0, has also changed, that is to say, this the uid and other numbers, that in the old cards except for the uid, were all the same. In this new change in each card are not the same. [usb] pm3 → hf mf chk [=] testing to read key B… [+] found keys: [+] -----±----±-------------±–±-------------±— [usb] pm3 → hf mf autopwn [!!] Error: No response from Proxmark3. [usb] pm3 → hf mf darkside [=] Running darkside …[-] card is not vulnerable to Darkside attack (doesn’t send NACK on authentication requests) [usb] pm3 → hf mf hardnested --tblk 4 --ta [usb] pm3 → hf mf hardnested --blk 0 -a -k FFFFFFFFFFFF --tblk 4 --ta -f nonces.bin -w -s [usb] pm3 → script run hf_mf_keycheck.lua Testing block 60, keytype 1, with 84 keys [+] hf_mf_keycheck - Checkkey execution time: 332 sec |—|----------------|—|----------------|—| sec key A res key B res [+] enter nested key recovery [usb] pm3 --> hf mf nested --1k --blk 0 -a -k ffffffffffff --tblk 8 --ta I think it is a static encrypted nonces. Could it be? |
I also came across a card where mfoc solely shows the same difference as mentioned. however mfcuk doesn't show Nt 1 🤔 I use a ACR122u / PN532. (Luckily I already retrieved 1 of 3 missing keys by sniffing nonces from reader. Might be able to sniff other purpose readers tooti get remaining keys. Still would like to get mfoc working as an alternative) |
I did some debugging and for the moment want to note: for every probe, the nonces distances array, after
the first distance is always different but the rest are all the same 65439. I also tried different combinations of versions
maybe one of maintainers like @iceman1001 or @doegox have an idea. Edit: as Block 0 starts with 0x90 and also contains 0x03 at byte 9, it might be a Fudan clone with encrypted static nonce, if I interpret @iceman1001 comment in a Reddit thread correctly |
Close but no right, but the answer to this issue is "static encrypted nonce" and you will not be able to recover the keys. |
Thx @iceman1001 for verification. I'll just sniff the nonces from reader then. Which already worked for one of the three missing keys and I suspect to get the other keys from another reader there |
That is correct, sniffing will give you the keys from the blocks of which the reader is trying to read. |
I am having the same problem getting stuck with the nonces distances. I don't think static nonces are the problem, either it's my reader or some bug with libnfc version. The distance does not change at all, tested with several mifare cards that worked months ago. |
Is there a reason why im stuck on the same distance when running MFOC? Currently using ACR122U reader trying to find the keys to Mifare Classic 1K tag. Thanks.
Using sector 02 as an exploit sector
Sector: 0, type A, probe 0, distance 65439 .....
Sector: 0, type A, probe 1, distance 65439 .....
Sector: 0, type A, probe 2, distance 65439 .....
Sector: 0, type A, probe 3, distance 65439 .....
Sector: 0, type A, probe 4, distance 65439 .....
Sector: 0, type A, probe 5, distance 65439 .....
Sector: 0, type A, probe 6, distance 65439 .....
Sector: 0, type A, probe 7, distance 65439 .....
Sector: 0, type A, probe 8, distance 65439 .....
Sector: 0, type A, probe 9, distance 65439 .....
Sector: 0, type A, probe 10, distance 65439 .....
Sector: 0, type A, probe 11, distance 65439 .....
Sector: 0, type A, probe 12, distance 65439 .....
Sector: 0, type A, probe 13, distance 65439 .....
Sector: 0, type A, probe 14, distance 65439 .....
Sector: 0, type A, probe 15, distance 65439 .....
Sector: 0, type A, probe 16, distance 65439 .....
Sector: 0, type A, probe 17, distance 65439 .....
Sector: 0, type A, probe 18, distance 65439 .....
Sector: 0, type A, probe 19, distance 65439 .....
Sector: 0, type A, probe 20, distance 65439 .....
Sector: 0, type A, probe 21, distance 65439 .....
Sector: 0, type A, probe 22, distance 65439 .....
Sector: 0, type A, probe 23, distance 65439 .....
Sector: 0, type A, probe 24, distance 65439 .....
Sector: 0, type A, probe 25, distance 65439 .....
Sector: 0, type A, probe 26, distance 65439 .....
Sector: 0, type A, probe 27, distance 65439 .....
Sector: 0, type A, probe 28, distance 65439 .....
Sector: 0, type A, probe 29, distance 65439 .....
Sector: 0, type A, probe 30, distance 65439 .....
Sector: 0, type A, probe 31, distance 65439 .....
Sector: 0, type A, probe 32, distance 65439 .....
Sector: 0, type A, probe 33, distance 65439 .....
Sector: 0, type A, probe 34, distance 65439 .....
Sector: 0, type A, probe 35, distance 65439 .....
Sector: 0, type A, probe 36, distance 65439 .....
Sector: 0, type A, probe 37, distance 65439 .....
The text was updated successfully, but these errors were encountered: