How to use the Proxmark3 Easy

Subi Lee 2022. 1. 11.

 

 

Firmware

https://www.proxmarkbuilds.org

 


 

Installation

https://www.youtube.com/watch?v=n1Xt-1ZmjM0 

 

 

Usage

https://tomvanveen.eu/cloning-mifare-classic-with-the-proxmark3/

 


  • How to clone MiFare Classic with the Proxmark 3 Easy

    Last updated on March 14th, 2021 at 09:11 am

    In this post I will share how to clone a MiFare Classic card using the Proxmark 3 Easy.

    Requirements:

    Process:

    1. Obtain keys
      • Default keys
      • Non-default keys
    2. Dump card content
    3. Write dump to empty card

    Obtain keys

    Before being able to dump the content of the card, the keys have to be obtained. There are some default keys that manufacturers use and that are never changed. Running fchk with the --dump option will test for default keys and will dump them if successful.

 

Default keys 

Analyze the card, then dump the keys (remember the file name)

[usb] pm3 --> hf mf fchk --dump
[+] No key specified, trying default keys
[ 0] ffffffffffff
[ 1] 000000000000
[ 2] a0a1a2a3a4a5
[ 3] b0b1b2b3b4b5
[ 4] c0c1c2c3c4c5
[ 5] d0d1d2d3d4d5
[ 6] aabbccddeeff
[ 7] 1a2b3c4d5e6f
[ 8] 123456789abc
[ 9] 010203040506
[10] 123456abcdef
[11] abcdef123456
[12] 4d3a99c351dd
[13] 1a982c7e459a
[14] d3f7d3f7d3f7
[15] 714c5c886e97
[16] 587ee5f9350f
[17] a0478cc39091
[18] 533cb6c723f6
[19] 8fd0a4f256e9
[20] 0000014b5c31
[21] b578f38a5c61
[22] 96a301bce267
[=] Running strategy 1
[=] Chunk: 0,3s | found 32/32 keys (23)
[=] time in checkkeys (fast) 0,3s

[+] found keys:
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A          |res| key B          |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 001 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 002 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 003 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 004 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 005 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 006 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 007 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 008 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 009 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 010 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 011 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 012 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 013 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 014 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 015 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] |-----|----------------|---|----------------|---|
[+] ( 0:Failed / 1:Success)
[+] Generating binary key file
[+] Found keys have been dumped to hf-mf-0EAE239A-key.bin
[=] FYI! --> 0xFFFFFFFFFFFF <-- has been inserted for unknown keys where res is 0

 

Non-default keys

Dumping card content

Dump a card that is not encrypted (remember the file name)

After the keys are dumped we can move on with dumping the actual card content.

 

 [usb] pm3 --> hf mf dump
 [=] Reading sector access bits…          
 …………….
 [+] Finished reading sector access bits          
 [=] Dumping all blocks from card…          
 [+] successfully read block  0 of sector  0.          
 [+] successfully read block  1 of sector  0.          
 [+] successfully read block  2 of sector  0.          
 [+] successfully read block  3 of sector  0.          
 [+] successfully read block  0 of sector  1.

[snip]
        
 [+] time: 17 seconds
 [+] Succeded in dumping all blocks
 [+] saved 1024 bytes to binary file hf-mf-B4EE8234-data.bin           
 [+] saved 64 blocks to text file hf-mf-B4EE8234-data.eml           
 [+] saved to json file hf-mf-B4EE8234-data.json
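
An added example, not from the original post or the Proxmark3 project: a Python check a card issuer could run over the 1024-byte binary dump produced above. It reports which sectors still use keys from the default list and whether block 0's BCC and each trailer's access bits are consistent. The function names and the sample dump are constructed for illustration, and it assumes a 4-byte UID and the standard MIFARE Classic 1K layout.

```python
"""Audit a MIFARE Classic 1K dump for default keys (added example)."""

# Subset of the default keys listed in the fchk output above.
DEFAULT_KEYS = {bytes.fromhex(k) for k in (
    "ffffffffffff", "000000000000", "a0a1a2a3a4a5",
    "b0b1b2b3b4b5", "d3f7d3f7d3f7",
)}
BLOCK, BLOCKS_PER_SECTOR, SECTORS = 16, 4, 16

def access_bits_valid(ac: bytes) -> bool:
    """Trailer bytes 6-8 hold C1..C3 twice, once inverted; both copies must agree."""
    c1, c2, c3 = ac[1] >> 4, ac[2] & 0x0F, ac[2] >> 4
    return ((ac[0] & 0x0F) == (~c1 & 0x0F)
            and (ac[0] >> 4) == (~c2 & 0x0F)
            and (ac[1] & 0x0F) == (~c3 & 0x0F))

def audit_dump(dump: bytes) -> dict:
    if len(dump) != BLOCK * BLOCKS_PER_SECTOR * SECTORS:
        raise ValueError("expected a 1024-byte MIFARE Classic 1K dump")
    uid, bcc = dump[:4], dump[4]  # block 0: UID, then its XOR checksum (BCC)
    report = {
        "uid": uid.hex().upper(),
        "bcc_ok": bcc == uid[0] ^ uid[1] ^ uid[2] ^ uid[3],
        "default_key_sectors": [],
        "bad_access_bits": [],
    }
    for sector in range(SECTORS):
        start = (sector * BLOCKS_PER_SECTOR + 3) * BLOCK  # sector trailer
        trailer = dump[start:start + BLOCK]
        key_a, ac, key_b = trailer[:6], trailer[6:9], trailer[10:16]
        if key_a in DEFAULT_KEYS or key_b in DEFAULT_KEYS:
            report["default_key_sectors"].append(sector)
        if not access_bits_valid(ac):
            report["bad_access_bits"].append(sector)
    return report

def make_sample_dump() -> bytes:
    """Constructed sample: transport keys everywhere except sector 1."""
    transport = bytes.fromhex("ffffffffffff" "ff0780" "69" "ffffffffffff")
    custom = bytes.fromhex("112233445566" "ff0780" "69" "665544332211")
    blocks = [bytes(BLOCK)] * (BLOCKS_PER_SECTOR * SECTORS)
    blocks[0] = bytes.fromhex("b4ee8234ec") + bytes(11)
    for s in range(SECTORS):
        blocks[s * BLOCKS_PER_SECTOR + 3] = custom if s == 1 else transport
    return b"".join(blocks)

if __name__ == "__main__":
    print(audit_dump(make_sample_dump()))
```
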

 

Writing the dump to a new card

At this point I thought I hit the jackpot and could just write the dump to any blank MiFare card without issues, but no. As I learned then, the first block of any MiFare card is called the “Manufacturers block” and it is not writable by default. Therefore there is no way to change the UID on a normal MiFare card. However, there are some Chinese sellers that sell so-called “Magic” or “UID block 0” modifiable cards where block 0 is (re)writable. The proxmark client will tell you if the card will answer to magic commands, as highlighted in the command output:

 

 [usb] pm3 --> hf search
 [=] Checking for known tags…
 UID : AA B5 11 02           
 ATQA : 00 04          
  SAK : 08 [2]          
 TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1          
 [=] proprietary non iso14443-4 card found, RATS not supported          
 [+] Answers to magic commands (GEN 1a): YES           
 [+] Prng detection: WEAK           
 [+] Valid ISO14443-A tag  found

 

At this point we can write the dump to the Chinese card: 

(This step reads the file dumped above and writes it to the card; the file name must be the one noted above.)

 

 [usb] pm3 --> hf mf cload hf-mf-B4EE8234-dump.eml 
 [+] loaded 1024 bytes from text file hf-mf-B4EE8234-data.eml           
 [=] Copying to magic card          
 ……………………………………………………….
 [+] Card loaded 64 blocks from file

 

Run hf search again to check whether the process was successful. As can be seen, the UID has been changed to that of the target card:

(Check that the write succeeded.)

 [usb] pm3 --> hf search
 [=] Checking for known tags…
 UID : B4 EE 82 34           
 ATQA : 00 04          
  SAK : 88 [2]          
 TYPE : Infineon MIFARE CLASSIC 1K          
 [=] proprietary non iso14443-4 card found, RATS not supported          
 [+] Answers to magic commands (GEN 1a): YES           
 [+] Prng detection: WEAK           
 [+] Valid ISO14443-A tag  found

 


 

 

First written September 2021

Updated January 11, 2022