Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
I have some cards here that I can't do an offline crack on, and I'm not quite sure why. They're Mifare Classic 1K cards from a hotel, with a manufacturer's mark on the card of "PLI". They're static nonce cards, which always answer up with "01 20 01 45". These are regular cards from a large chain hotel, not "magic" cards.
? Searching for ISO14443-A tag...
[+] UID: ED B7 ED 24
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[#] 1 static nonce 01200145
[+] Static nonce: yes
[#] Auth error
[?] Hint: try `hf mf` commandsThey are standard encoded Saflok keys, so I do have one known valid key in addition to the default FFFFFFFFFFFF.
[usb] pm3 --> hf mf chk --1k -f mfc_default_keys.dic
[+] Loaded 1142 keys from mfc_default_keys.dic
[=] Start check for keys...
[=] ..................................................................................
......................................................................................
........................................
[=] time in checkkeys 106 seconds
[=] testing to read key B...
[+] found keys:
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A |res| key B |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ------------ | 0 | ffffffffffff | 1 |
[+] | 001 | 2a2c13cc242a | 1 | ffffffffffff | 1 |
[+] | 002 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 003 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 004 | ------------ | 0 | ffffffffffff | 1 |
[+] | 005 | ------------ | 0 | ffffffffffff | 1 |
[+] | 006 | ------------ | 0 | ffffffffffff | 1 |
[+] | 007 | ------------ | 0 | ffffffffffff | 1 |
[+] | 008 | ------------ | 0 | ffffffffffff | 1 |
[+] | 009 | ------------ | 0 | ffffffffffff | 1 |
[+] | 010 | ------------ | 0 | ffffffffffff | 1 |
[+] | 011 | ------------ | 0 | ffffffffffff | 1 |
[+] | 012 | ------------ | 0 | ffffffffffff | 1 |
[+] | 013 | ------------ | 0 | ffffffffffff | 1 |
[+] | 014 | ------------ | 0 | ffffffffffff | 1 |
[+] | 015 | ------------ | 0 | ffffffffffff | 1 |
[+] |-----|----------------|---|----------------|---|
[+] ( 0:Failed / 1:Success )But when I try to use the hf mf staticnonce utility to recover the other keyA, it fails. I tried with keyB of FFFFFFFFFFFF as well, which also fails.
[usb] pm3 --> hf mf staticnested --1k --blk 5 -a -k 2a2c13cc242a
[#] 1 static nonce 01200145
[+] Testing known keys. Sector count 16
[=] .
[=] Chunk: 2.1s | found 19/32 keys (24)
[+] Time to check 23 known keys: 2 seconds
[+] enter static nested key recovery
[+] Found 86986 key candidates
336/86986 keys | 143.9 keys/sec | worst case 602.0 seconds
28560/86986 keys | 144.1 keys/sec | worst case 405.4 seconds
46620/86986 keys | 143.7 keys/sec | worst case 280.9 seconds
68460/86986 keys | 144.0 keys/sec | worst case 128.6 seconds
86940/86986 keys | 144.1 keys/sec | worst case 0.3 seconds
[+] target block: 0 key type: AThis repeats on for all unknown blocks and eventually exits unsuccessfully.
I was able to do a sniff and recover a key using mfkey, but I was hoping that staticnested would work for a sniff-less cracking option. Am I misunderstanding?