mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-25 04:23:33 +00:00
91 lines
5.3 KiB
Markdown
91 lines
5.3 KiB
Markdown
|
# Proxmark 3
|
|||
|
|
|||
|
{% hint style="success" %}
|
|||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|||
|
|
|||
|
<details>
|
|||
|
|
|||
|
<summary>Support HackTricks</summary>
|
|||
|
|
|||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|||
|
|
|||
|
</details>
|
|||
|
{% endhint %}
|
|||
|
|
|||
|
## Attacking RFID Systems with Proxmark3
|
|||
|
|
|||
|
The first thing you need to do is to have a [**Proxmark3**](https://proxmark.com) and [**install the software and it's dependencie**](https://github.com/Proxmark/proxmark3/wiki/Kali-Linux)[**s**](https://github.com/Proxmark/proxmark3/wiki/Kali-Linux).
|
|||
|
|
|||
|
### Attacking MIFARE Classic 1KB
|
|||
|
|
|||
|
It has **16 sectors**, each of them has **4 blocks** and each block contains **16B**. The UID is in sector 0 block 0 (and can't be altered).\
|
|||
|
To access each sector you need **2 keys** (**A** and **B**) which are stored in **block 3 of each sector** (sector trailer). The sector trailer also stores the **access bits** that give the **read and write** permissions on **each block** using the 2 keys.\
|
|||
|
2 keys are useful to give permissions to read if you know the first one and write if you know the second one (for example).
|
|||
|
|
|||
|
Several attacks can be performed
|
|||
|
|
|||
|
```bash
|
|||
|
proxmark3> hf mf #List attacks
|
|||
|
|
|||
|
proxmark3> hf mf chk *1 ? t ./client/default_keys.dic #Keys bruteforce
|
|||
|
proxmark3> hf mf fchk 1 t # Improved keys BF
|
|||
|
|
|||
|
proxmark3> hf mf rdbl 0 A FFFFFFFFFFFF # Read block 0 with the key
|
|||
|
proxmark3> hf mf rdsc 0 A FFFFFFFFFFFF # Read sector 0 with the key
|
|||
|
|
|||
|
proxmark3> hf mf dump 1 # Dump the information of the card (using creds inside dumpkeys.bin)
|
|||
|
proxmark3> hf mf restore # Copy data to a new card
|
|||
|
proxmark3> hf mf eload hf-mf-B46F6F79-data # Simulate card using dump
|
|||
|
proxmark3> hf mf sim *1 u 8c61b5b4 # Simulate card using memory
|
|||
|
|
|||
|
proxmark3> hf mf eset 01 000102030405060708090a0b0c0d0e0f # Write those bytes to block 1
|
|||
|
proxmark3> hf mf eget 01 # Read block 1
|
|||
|
proxmark3> hf mf wrbl 01 B FFFFFFFFFFFF 000102030405060708090a0b0c0d0e0f # Write to the card
|
|||
|
```
|
|||
|
|
|||
|
The Proxmark3 allows to perform other actions like **eavesdropping** a **Tag to Reader communication** to try to find sensitive data. In this card you could just sniff the communication with and calculate the used key because the **cryptographic operations used are weak** and knowing the plain and cipher text you can calculate it (`mfkey64` tool).
|
|||
|
|
|||
|
### Raw Commands
|
|||
|
|
|||
|
IoT systems sometimes use **nonbranded or noncommercial tags**. In this case, you can use Proxmark3 to send custom **raw commands to the tags**.
|
|||
|
|
|||
|
```bash
|
|||
|
proxmark3> hf search UID : 80 55 4b 6c ATQA : 00 04
|
|||
|
SAK : 08 [2]
|
|||
|
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
|
|||
|
proprietary non iso14443-4 card found, RATS not supported
|
|||
|
No chinese magic backdoor command detected
|
|||
|
Prng detection: WEAK
|
|||
|
Valid ISO14443A Tag Found - Quiting Search
|
|||
|
```
|
|||
|
|
|||
|
With this information you could try to search information about the card and about the way to communicate with it. Proxmark3 allows to send raw commands like: `hf 14a raw -p -b 7 26`
|
|||
|
|
|||
|
### Scripts
|
|||
|
|
|||
|
The Proxmark3 software comes with a preloaded list of **automation scripts** that you can use to perform simple tasks. To retrieve the full list, use the `script list` command. Next, use the `script run` command, followed by the script’s name:
|
|||
|
|
|||
|
```
|
|||
|
proxmark3> script run mfkeys
|
|||
|
```
|
|||
|
|
|||
|
You can create a script to **fuzz tag readers**, so copying the data of a **valid card** just write a **Lua script** that **randomize** one or more random **bytes** and check if the **reader crashes** with any iteration.
|
|||
|
|
|||
|
{% hint style="success" %}
|
|||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|||
|
|
|||
|
<details>
|
|||
|
|
|||
|
<summary>Support HackTricks</summary>
|
|||
|
|
|||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|||
|
|
|||
|
</details>
|
|||
|
{% endhint %}
|