Some basic reminders on how to use the Proxmark 3.
Install
Proxmark 3 rdv4 repo
0 - WSL2 special
If you are using WSL2 you need some extra steps to access USB devices. The Microsoft doc
Windows side
On the Windows store install winget (Programme d’installation d’application)
On (root) Powershell, update then restart your linux install, then run the following command to install “USBIPD-WIN”
wsl --update
wsl --shutdown
winget install --interactive --exact dorssel.usbipd-win
Once it’s done, list the usb devices
usbipd wsl list
And attach it to your linux instance
usbipd wsl attach --busid previsously_found_usb_id
1 - Discard modemmanager
The issue is discussed here
sudo apt remove modemmanager
yay -R modemmanager
2 - Install and compile
The wiki
Clone :
git clone https://github.com/RfidResearchGroup/proxmark3.git
cd proxmark3
- Install dependancies :
Kali
sudo apt-get install --no-install-recommends git ca-certificates build-essential pkg-config \
libreadline-dev gcc-arm-none-eabi libnewlib-dev qtbase5-dev \
libbz2-dev liblz4-dev libbluetooth-dev libpython3-dev libssl-dev libgd-dev
Arch
sudo pacman -Syu git base-devel readline bzip2 lz4 arm-none-eabi-gcc \
arm-none-eabi-newlib qt5-base bluez python gd --needed
- Get permissions to use /dev/ttyACM0
make accessrights - Compile :
make clean && make -j - Install :
sudo make install - Flash :
./pm3-flash-allUsage
Recon
Identifying High-Frequency (hf) and Low-Frequency (lf) tags
proxmark3>hf search
proxmark3>lf search
Or
hf 14a info
Cracking the keys
The ol’ way
Using Dictionnary
Mifare key check
proxmark3>hf mf chk --1k -* --dump -f ext_keys.dic
hf : high-frequency
mf : mifare
chk : check keys
–1 : mifare 1k
-* : A and B keys
–dump : dump keys to a file (dumpkeys.bin)
-f ext_keys.dic : dictionary
Using Nested Attack
If all keys are not found using the previous dictionary attack, we should use the nested attack :
proxmark3>hf mf nested 1 0 A a0a1a2a3a4a5
hf : high-frequency
mf : mifare
nested : attack type
1 : mifare 1k
0 : block number of known key
A : key type of known key
a0a1a2a3a4a5 : known key
The new way
hf mf autopwn --suffix bite
If successful, that will generate three files in your home directory :
- hf-mf-XXXXXXXX-key-bite.bin
- hf-mf-XXXXXXXX-dump-bite.bin
- hf-mf-XXXXXXXX-dump-bite.json
The new errors
autopwn can be a bit greedy and dump more than what actually is on the tag. I had the case of a MIFARE Classic 1K (15 sectors, 64 blocks, 1024) that showed 17 or 18 sectors in the dump. If that is the case, trim.
ls -alh dump.bin wc -c dump.bin # should show 1024 dd if=dump.bin of=clean.bin bs=1 count=1024 # trim the noiseMIFARE Classic 1K
Before deep diving into data manipulation, a quick overview of how data are stored and what they represent seems relevent.
MIFARE CLassic 1K has 16 sectors, each composed of 4 blocks, each block being 16 octets.
1 sector = 4 blocks
1 block = 16 octets
1 sector = 64 octets
In each sector : - block 0,1,2 : data blocks
- block 3 : sector trailer (Key A,Access Bits,Key B)
In order to get the bloc number corresponding to the trailer of a given sector, you can apply this formula :
block_number = 4 * sector number + 3Play with the data
Reading the data
Now that we have the keys, we can easily read the data.
By doing this you can list all the data and the keys. Note that the keys will be necessary later on when we will want to access individual blocks.hf mf view # directly from the tag hf mf view -f your-dump.bin -v # read data from a fileOr if we want to read indivual blocks
hf mf rdbl --blk 46 -a -k A0A1A2A3A4A5option -a specify that we use key A, we could also use key B. This step is important to make sure that we can access essentials blocks and that our keys are correct.
Dumping new data
As we now have the keys, we can dump data from the tag very easily
hf mf dump -k key.bin -f output_name