Proxmark3 Tutorial: Sniffing MIFARE DESFire Cards

  • Published on 20 Sep 2024
  • In this insightful and educational video, we will be guiding you through the process of sniffing a MIFARE DESFire card using the Proxmark3. Our step-by-step tutorial aims to demystify the workings of DESFire cards and shed light on their inherent security measures.
    Whether you are a tech enthusiast, a professional in the RFID field, or a curious observer, join us as we delve into the fascinating world of contactless card technology.
    For my beloved patreons!
    -------------------------------------------
    Remember when I first announced that I was working on a special project? A stretch goal video that was all about high-frequency (HF) sniffing in the world of RFID tech? You've been incredibly patient and supportive over these past months, and I can't thank you enough for that. Today, it's with genuine excitement and a touch of relief that I get to say: the wait is over!
    High-frequency sniffing might sound like something out of a science fiction movie, but trust me, it's very much a reality - and an incredibly fascinating one at that. In the simplest of terms, HF sniffing involves intercepting and decoding the radio waves that RFID devices use to communicate. It's like eavesdropping on a conversation, only the chatter you're listening in on comes from microchips and readers.
    Disclaimer!
    -------------------
    Please note, this video is strictly intended for educational purposes. We want to promote a deeper understanding of RFID technology.
    If you enjoy our content and want more educational tech videos, make sure to hit the like button, share, and subscribe to our channel. Don't forget to turn on notifications by clicking the bell icon so you won't miss our latest videos!
    Smash that like button! Destroy that subscribe button!
    Get your Iceman Swag iceman-channel-shop.fourthwall.com
    Get 5% discount on LAB401.COM by using the code ICEMAN at checkout.
    Works on all but the flipper zero category.
    Follow me on Twitter / herrmann1001
    The community discord server
    RFID Hacking by Iceman / discord
    RRG/Iceman repository for Proxmark3
    github.com/rfi...
    #Proxmark #MIFAREDESFire #desfire #RFIDTechnology #SniffingTutorial #EthicalHacking #techguide

Comments • 92

  • @lmaoroflcopter
    @lmaoroflcopter a year ago +6

    Literally was googling this stuff about 3 hours ago. Thanks iceman :)

    • @iceman1001
      @iceman1001 a year ago

      Glad to hear you found it useful!

  • @iamtheone9242
    @iamtheone9242 months ago +1

    Hey Iceman thanks for the informative video, where could I begin to learn all about the abilities that the proxmark offers and nfc systems?

    • @iceman1001
      @iceman1001 months ago

      The wiki has some fun things. If you run the pm3 client you'll find all commands have help texts with practical samples. There are some blog posts and some YouTube videos around.
      The old proxmark3 forum is still good.
      Hit the discord up and learn to search it.

  • @dequariusadair9241
    @dequariusadair9241 a year ago +1

    Loving the new videos. Would love to see an exploration and breakdown of MIFARE Ultralight and Ultralight C cards.

    • @iceman1001
      @iceman1001 a year ago

      Noted!

    • @zymon.
      @zymon. a year ago +2

      @@iceman1001 Did you ever get to these? No hurry! hehe Thanks for taking the time to do vids

    • @iceman1001
      @iceman1001 a year ago

      @@zymon. Not yet, but I'll get there.

  • @chung_myung.
    @chung_myung. 4 months ago +1

    Hi Iceman, after capturing the trace, is it possible to emulate or construct this trace to a reader? Like, I was thinking of making a script or something to reply to the reader when it asks for RATS, PPS, things like that. If yes, can you provide a sample script or something? Thank you

    • @iceman1001
      @iceman1001 4 months ago

      At this moment it is not possible to replay a trace.

  • @Sargon999
    @Sargon999 a year ago +1

    Thanks for the great video Iceman ... I have one question ... Is it possible to sniff data when an application is "uploaded" to a blank DESFire card?

    • @iceman1001
      @iceman1001 a year ago +2

      Of course, sniffing captures the data over the air. So you can sniff when encoding a tag :)

  • @Drforbin941
    @Drforbin941 a year ago +1

    Iceman, thank you for everything. Question: I have a Proxmark3 Easy. Should I get an RDV4?
    And if so, where is the best place to buy?

    • @iceman1001
      @iceman1001 a year ago +2

      It comes down to money. You can run the proxmark3 repo on an Easy and experience it all for way less money.
      Take note that you need to have the 512 kB version to get all functions of the firmware.
      If you need a smaller form factor, some extra stuff and, most important, are not money restricted (corporate expense), you can buy an RDV v4.01.
      Where to buy? It comes down to which region of the world you are in.
      The shopping channel in the RFID hacking discord server is a good place.

    • @Drforbin941
      @Drforbin941 a year ago +1

      @@iceman1001 I have the Easy and have upgraded the firmware with your excellent code. I just wanted to get into this deeper.

  • @muhammedibrahimtekin109
    @muhammedibrahimtekin109 7 months ago +1

    Hey there, it's kinda late but I wanna shoot my shot anyway. I have a DESFire EV1 that has 3 applets inside it right now. It's used for transportation. Is there any way for me to sniff the traffic or possibly dump the entire applet? I currently don't have a pm3 but I'm planning to get one soon!
    Thanks!

    • @iceman1001
      @iceman1001 7 months ago

      For DESFire, if you are lucky you can sniff it.
      Normally it's locked down with keys.
      But if the transportation mode is in plain comms, you can read what was read out from the card.

  • @ralphbrunnthaler3680
    @ralphbrunnthaler3680 a year ago +3

    Is it possible to decrypt the key from the trace and to use it for authentication to access the file and therefore to change the data? This would be interesting if there is a user-defined app with value stored on the chip.

    • @iceman1001
      @iceman1001 a year ago +4

      When it comes to DESFire or UL-C there is no publicly known key recovery out of the box.
      If the master AID allows for it you can add your own AID / files with your own set of keys.
      Very sandboxed in that sense.

  • @fastmot1on
    @fastmot1on a year ago +4

    Hint: when you watch at 1.75x speed, the guy actually talks normally.

    • @iceman1001
      @iceman1001 a year ago +2

      I guess that depends on what you define as normal :) :) :)

    • @zymon.
      @zymon. a year ago +1

      Lmao, you need to stop smoking crack

    • @ShayS-ln9ww
      @ShayS-ln9ww 19 days ago

      @@fastmot1on idk, it still seems like he just printed out --help and tried some cmds out

  • @jimbean6697
    @jimbean6697 months ago +1

    Would a HID Omnikey 5023 Contactless Card Reader be suitable for this job?

    • @iceman1001
      @iceman1001 months ago +1

      For sniffing you need a device like the Proxmark3 which is capable of it.

    • @jimbean6697
      @jimbean6697 months ago +1

      I have the pm3 Easy but am new to it. I am hoping to learn RFID and hopefully contribute at some point.
      Edit - Sorry, I should have been more specific: the reader I asked about would be used with the pm3 for sniffing.

    • @iceman1001
      @iceman1001 months ago +1

      @@jimbean6697 the reader is just a reader. You need specific software to run which uses the reader to talk with the card.
      You will need to gather more information about the task at hand.

    • @jimbean6697
      @jimbean6697 months ago +1

      I already have the correct drivers and software to control the reader. It seems I just need the reader to activate (power up) the card and the rest can be done with the Proxmark; just select the correct protocol we are sniffing for.

    • @iceman1001
      @iceman1001 months ago +1

      @@jimbean6697 sounds like you are all set.

  • @martinporter6478
    @martinporter6478 a year ago +1

    Mr Iceman, a quick question: is it possible to read/write a Legic Prime tag MM256?

  • @philsimpson4702
    @philsimpson4702 7 months ago +1

    Hi Iceman, what is the best Proxmark Device to use?

    • @iceman1001
      @iceman1001 7 months ago

      My preference is the RDV4.01; you might do well with a known good PM3 Easy with 512 kB.

  • @jeffmorrison9905
    @jeffmorrison9905 11 months ago +1

    Can you get keys out of the trace?

    • @iceman1001
      @iceman1001 11 months ago +2

      No.

    • @jeffmorrison9905
      @jeffmorrison9905 11 months ago

      @@iceman1001 sorry for questions that may not make sense. I'm a noob. I have a MIFARE Classic 1K round sticker. When I try to get keys I get all dashes in both columns. It says it's weak. Tried nest, nested, dark; nothing works to get a key. I thought I had to sniff to get the key. Not sure what to try. Thx. You're awesome. Will be donating money for you to have a drink on me. lol

    • @iceman1001
      @iceman1001 11 months ago

      @@jeffmorrison9905 We all were noobs once.
      There are some more complications with MFC. One popular card manufacturer who makes a copy of MFC has some quirks,
      like a "static encrypted nonce".
      By some fluke chance they are currently not able to recover keys with the attacks you mentioned.

    • @jeffmorrison9905
      @jeffmorrison9905 11 months ago +1

      @@iceman1001 thanks. Do you have a link to instructions to update my Iceman firmware to the latest release? I'm sure that can't hurt.

    • @iceman1001
      @iceman1001 5 months ago

      Follow the guides on the repo.
      If you have done it before, it is as simple as
      git pull
      make -j
      ./pm3-flash-fullimage
      ./pm3

  • @daniric111
    @daniric111 6 months ago +1

    Hey, I have the Proxmark3 and I'm interested in MIFARE DESFire security. If you sniff the communication and the communication is encrypted, you can't read the information as a MitM; only the reader and the tag can. Is it possible to emulate the tag, communicate with the reader and sniff the communication at the same time, so you can decrypt the information that you already sniffed?
    PS: I like your videos

    • @iceman1001
      @iceman1001 6 months ago

      Glad to hear you like the videos.
      DESFire is a different kind of beast when it comes to sniffing. If in plain comms mode you can sniff.
      When it comes to MitM you need to take delays into consideration.
      When it comes to simulation you would need to have a device which can emulate all the different protocol parts that DESFire supports. And you would need to have it configured to how the system uses it. Same with the data on it.
      There is no simple answer. It's a complicated task to accomplish.

    • @daniric111
      @daniric111 6 months ago +1

      I saw a paper called "An investigation of possible attacks on the Mifare DESFire EV1". This paper explains how the authentication method of the card works:
      "both card and reader pick independent random 64-bit nonces, then seek to prove to each other that they can decrypt encrypted versions of each other's nonce. The decrypted nonces are rotated right or left by 8 bits before being returned to the other party for verification."
      But they don't explain how card and reader encrypt their nonces. Do they use some keys that they know beforehand? Is there any key interchange that can be sniffed?
      Thank you for answering!
      @@iceman1001

    • @iceman1001
      @iceman1001 5 months ago +1

      You could read the MIFARE DESFire datasheet, which explains a bit about the authentication process.
      For EV1 it's still triple DES / AES-128.
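The exchange described in the two comments above, as an added example that is not from the video or the Proxmark3 project: a model of the DESFire EV1-style mutual authentication where the card and reader share a key in advance and only encrypted nonces ever cross the air, which is why a sniffed trace contains no key material. It assumes 64-bit nonces, "rotate" meaning rotate left by 8 bits, CBC chaining with a zero IV, and a 4-round HMAC-SHA256 Feistel cipher as a labelled stand-in for the card's real 3DES/AES-128 (the Python stdlib has no AES); the real card's ciphering details differ.

```python
# Added example (not from the video or the Proxmark3 project): a model of the
# DESFire EV1-style mutual authentication quoted in the comment above. Assumed:
# 64-bit nonces, "rotate" = rotate left 8 bits, CBC with a zero IV, and a
# 4-round HMAC-SHA256 Feistel cipher standing in for the card's 3DES/AES-128.
import hashlib
import hmac
from typing import List, Optional, Tuple

BLOCK, ROUNDS = 8, 4   # 64-bit block / nonce size in this model

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(key: bytes, blk: bytes, order) -> bytes:
    """Balanced Feistel network; forward round order encrypts, reversed decrypts."""
    l, r = blk[:4], blk[4:]
    for i in order:
        l, r = r, _xor(l, hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:4])
    return r + l                     # undo the final swap

def cbc_encrypt(key: bytes, data: bytes) -> bytes:
    prev, out = bytes(BLOCK), b""
    for i in range(0, len(data), BLOCK):
        prev = _feistel(key, _xor(data[i:i + BLOCK], prev), range(ROUNDS))
        out += prev
    return out

def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    prev, out = bytes(BLOCK), b""
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out += _xor(_feistel(key, blk, reversed(range(ROUNDS))), prev)
        prev = blk
    return out

def rotl8(b: bytes) -> bytes:
    return b[1:] + b[:1]             # rotate left by 8 bits, as both parties do

def reader_response(reader_key: bytes, ek_rnd_b: bytes, rnd_a: bytes) -> bytes:
    rnd_b = cbc_decrypt(reader_key, ek_rnd_b)                 # recover RndB
    return cbc_encrypt(reader_key, rnd_a + rotl8(rnd_b))      # ek(RndA || RndB')

def card_verify(card_key: bytes, msg: bytes, rnd_b: bytes) -> Optional[bytes]:
    pt = cbc_decrypt(card_key, msg)
    if pt[BLOCK:] != rotl8(rnd_b):   # reader did not prove it holds the key
        return None
    return cbc_encrypt(card_key, rotl8(pt[:BLOCK]))           # ek(RndA')

def reader_verify(reader_key: bytes, msg: bytes, rnd_a: bytes) -> bool:
    return cbc_decrypt(reader_key, msg) == rotl8(rnd_a)       # card proved key

def authenticate(card_key: bytes, reader_key: bytes,
                 rnd_a: bytes, rnd_b: bytes) -> Tuple[List[bytes], bool]:
    """Run the handshake; return the sniffable trace and whether it succeeded."""
    m1 = cbc_encrypt(card_key, rnd_b)                         # card: ek(RndB)
    m2 = reader_response(reader_key, m1, rnd_a)
    m3 = card_verify(card_key, m2, rnd_b)
    if m3 is None:
        return [m1, m2], False
    return [m1, m2, m3], reader_verify(reader_key, m3, rnd_a)
```

The returned trace is exactly what a sniffer captures: three ciphertext messages, no key and no plaintext nonce, and a party holding the wrong key is rejected at the card's check.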

    • @daniric111
      @daniric111 5 months ago +1

      @@iceman1001 nice, thank you

    • @daniric111
      @daniric111 4 months ago +1

      @@iceman1001 Hey, do you know if the Proxmark3 detects CISA CT3 contactless cards? I'm trying but pm3 seems not to detect it. (I have the Amazon one)

  • @1Aditya1
    @1Aditya1 a year ago

    Nice video :). I have a question... is it possible to write that sniffed data to another MIFARE DESFire card? (I am a newbie... just curious)

    • @iceman1001
      @iceman1001 a year ago

      Good question,
      you can write the data to another DESFire card of course, but the reader will not be able to read the data since it expects the card to have been configured to use their keys.

    • @1Aditya1
      @1Aditya1 a year ago

      @@iceman1001 Ok, so it also means that you can't tamper with the values of the DESFire card with an unknown key, right?? Or, just like the sniffing thing, is it possible to manipulate the reader to write what we want?

    • @iceman1001
      @iceman1001 a year ago +2

      @@1Aditya1 you need keys in the DESFire world. Without them you can't do much.
      DESFire doesn't have a known weakness for key recovery.

    • @1Aditya1
      @1Aditya1 8 months ago +1

      @@iceman1001 oh right! Now I got it! Thanks for answering!

  • @tilmanbender7489
    @tilmanbender7489 a year ago

    I see you have the Blueshark on there. Is there a specific reason you keep the PM3 attached via USB then? (e.g., sniffing more reliable etc.)

    • @iceman1001
      @iceman1001 a year ago +1

      Good question. I am afraid it has nothing to do with sniffing.
      I tend to use the Blueshark for the battery option, and when I am at my desktop I am always using the USB cable since it's so much faster.

    • @bilmantender5812
      @bilmantender5812 a year ago

      @@iceman1001 thanks for clarifying. I just got my Blueshark and it was more of an "in case you need it" kinda purchase.

    • @iceman1001
      @iceman1001 a year ago

      Makes sense, you don't wanna stand there one day and not have the option.

    • @bilmantender5812
      @bilmantender5812 a year ago

      @@iceman1001 Yeah, that's the thing that makes physical security assessments so expensive. All that stuff that you need to schlep around just in case 😃

    • @iceman1001
      @iceman1001 a year ago +1

      Hopefully your employer pays for it.

  • @nu77byte49
    @nu77byte49 a year ago

    Love it :)

    • @iceman1001
      @iceman1001 a year ago

      Glad you like it!

    • @nu77byte49
      @nu77byte49 a year ago

      @@iceman1001 I have the RTA reader; did you have to reflash it to work with DESFire?

    • @iceman1001
      @iceman1001 a year ago

      @@nu77byte49 I have an older model for trainers. That could be the difference if yours doesn't read DESFire. Have you asked RTA?

    • @nu77byte49
      @nu77byte49 a year ago

      @@iceman1001 I will send them an email :)

    • @iceman1001
      @iceman1001 a year ago

      I'm sure they have an answer.

  • @ShayS-ln9ww
    @ShayS-ln9ww 27 days ago

    Piss poor tutorial. I guess we learned how to pointlessly tap in commands

    • @iceman1001
      @iceman1001 27 days ago

      Yeah, you are right, tapping in commands is a major part of using the Proxmark3 client.
      There are some GUIs out there but I never use them; maybe it's more your thing?

    • @ShayS-ln9ww
      @ShayS-ln9ww 19 days ago

      @@iceman1001 well, when they are useless it becomes more of a waste of time than a tutorial, because in reality, what did you show us to do?

    • @iceman1001
      @iceman1001 19 days ago

      @@ShayS-ln9ww feel free to spend your time elsewhere. Have a nice day!

  • @iBetUrWet
    @iBetUrWet a year ago +1

    Hey @iceman1001, I'm about to buy a Chameleon Ultra or Proxmark.
    What I want to do as a new redteamer is get into RFID hacking.
    The first card I want to crack, and sniff the reader of, is a DESFire EV3.
    What do you recommend me to do? :)

    • @iceman1001
      @iceman1001 a year ago +2

      .... hack the door controller....
      You will need readers, Proxmark, gadgets ...
      DESFire EV3.. well, good luck with that one.

    • @iBetUrWet
      @iBetUrWet a year ago

      Hey, thanks for your answer :) @@iceman1001 - I know it's quite challenging, but the learning will be huge I think, even if it doesn't work.
      So just the Proxmark will not be enough? And which gadgets do you mean? - btw, hacking the door controller: I have access to sniffing methods

    • @iceman1001
      @iceman1001 a year ago +1

      @@iBetUrWet Learning is fun but a challenge.
      Failing will be something that you will do several times.
      But you get the hang of it eventually.
      Start to experiment, read datasheets and some excellent research papers.
      Limit your scope down to a small thing and start there.
      You will see that you need more and more gadgets when it comes to hacking....

    • @MoppelMat
      @MoppelMat 11 months ago +2

      @@iceman1001 thank you for all your great videos! I am on the same path, just with an EV1. I watched more or less all of your stuff, and also the great documentary on DEF CON 28 with your buddy. I guess you mean by "hack the reader" to get data from the back side of the reader with some ESP32 data line sniffer, get the clear data, put it on a MIFARE Classic and do a downgrade of the reader? Is that about what you thought about, or am I running in the wrong direction?
      I can not wait for my Proxmark3 and Chameleon Ultra to arrive to finally see what's really on our cards!
      I hope I did right by not buying the iCopy-X, but the Proxmark instead.

    • @iceman1001
      @iceman1001 11 months ago +3

      @@MoppelMat you did right by buying a pm3 if you wanna try modern things.
      And yes, that is how a downgrade attack works. Sniff the Wiegand, extract PACS, put on lesser technology if possible.

  • @Drforbin941
    @Drforbin941 a year ago +1

    Iceman, what is the difference between trace and data in the graph buffer?

    • @iceman1001
      @iceman1001 a year ago +1

      Great question, since the answer is more of an intuitive nature than a logical one.
      In the Proxmark world the trace is a decoded communication stream of bytes.
      The `data` part is a cleaned up interpretation of the raw communication layer. Usually seen in LF commands.

    • @Drforbin941
      @Drforbin941 a year ago

      @@iceman1001 That's what I thought. So the graph is like the physical layer, and the trace is the data 'raw' bytes and in turn the protocol interpretation.

    • @iceman1001
      @iceman1001 a year ago +1

      @@Drforbin941 more or less like that. The Proxmark3 project was developed over almost 20 years and with several chiefs. Some things aren't consistent across the project.

    • @Drforbin941
      @Drforbin941 a year ago

      @@iceman1001 Ice, what does the [2] mean behind the SAK value?

    • @iceman1001
      @iceman1001 a year ago

      @@Drforbin941 good question, how about asking them in the discord server?