Skip to content

Introduction to the Proxmark3

The proxmark3 is a powerful general purpose RFID tool, designed to snoop, listen and emulate everything from Low Frequency to High Frequency tags, originally developed by Jonathan Westhues.

The usages for the Proxmark3 are endless as it can do anything involving low (125 kHz) to high (13.56 MHz) RFID Tags.

If you want to build it by yourself , the blueprint to the Proxmark3 is freely available.

Out of the box we can do a lot of actions with the Proxmark3 but as we go into deeper waters we may need to start enhancing the firmware.

As mention on the Proxmark3's website , it is pointed out that this device is not really for beginners.

But hopefully, the readers will be able to understand through our detailed articles about the aforementioned.

Reccomended resources

Test the security of MIFARE Classic with Proxmark3

Active Sniffing

Using the Proxmark3, any attacker is able to emulate any MIFARE card just by sniffing the communication between the card and reader and replaying it (including the UID value). Also the attacker will be able to recover all keys from sectors involved in this communication. But, as mentioned, this attack needs to sniff the communication between the card and a valid reader.

Card-only Attacks

  • Nested Attack Attack to find all keys when knowing only a single key.

  • Dark-Side Attack Attack to find the aforementioned key.

Examples

Cloning ID cards
  • Let's start by scanning our card.
proxmark3> hf search [=] Checking for known tags...
UID : 5A C3 1C 10
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO
[+] Prng detection: WEAK
[+] Valid ISO14443-A tag  found
  • From this we can see that our card is a MIFARE Classic 1k card. Now that we know it's a MIFARE Classic card, let's try using default keys.

proxmark3> hf mf fchk keys.dic
[+] Running strategy 1
[+] Chunk: 0.8s | found 31/32 keys (23)
[+] Running strategy 2
[+] Chunk: 0.2s | found 0/32 keys (23)
[+] Time in checkkeys (fast):  1.0s
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ffffffffffff  | 1 |  ffffffffffff | 1 |
|001|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|002|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|003|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|004|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|005|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|006|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|007|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|008|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|009|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|010|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|011|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|012|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|013|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|014|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|015|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|---|----------------|---|----------------|---|
Surprisingly, all sectors use the default key ffffffffffff. Sector 0 is a read-only sector with the UID (a unique card ID number that normally is not changeable) and manufacturer's data.

  • Using the default keys, we found that we can dump the contents of the card into a .bin file.
proxmark3> hf mf dump
  • Now, let's set the UID of our ID card to another.
proxmark3> hf mf csetuid
  • Restore MIFARE classic binary file to BLANK tag.
proxmark3> hf mf restore
Simulating a 10-bit UID
  • It's quite simple actually. All we need to do is simulate a ISO 14-a card giving a 10 Bit UID as an argument.
proxmark3> hf 14a sim xxxxxxxxxx
Changing Card Contents
  • Let's start by scanning our card.

    proxmark3> hf search
    [=] Checking for known tags...
    UID : 5A C3 1C 10
    ATQA : 00 04
    SAK : 08 [2]
    TYPE : NXP MIFARE Ultralight | Plus 2k SL1 | 1k Ev1
    [=] Answers to magic commands: NO
    [+] Prng detection: WEAK
    

  • We can see that it's a NFC visitor recording card. Let's dump the contents into a . bin file again.

proxmark3> hf mf dump
  • On observing the .bin dump we can see that one line in the dump file is denoting the visitor number. Lets see how the number changes when we scan the card again. On observing the .bin file again we can see that the value has increased by one. Now, we can change the value to any number of our choice.

Burn and Use Proxmark Firmware

  • Open a terminal: download some essentials required to build the Proxmark from its source.
$ sudo apt install p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev gcc-arm-none-eabi libstdc++-arm-none-eabi-newlib libpcsclite-dev pcscd
  • Now clone the Proxmark3 repository.
$ git clone https://github.com/proxmark/proxmark3.git
  • Enter the repository and get the latest commits
$ cd proxmark3
$ git pull
  • Install the blacklist rules:
$ sudo cp -rf driver/77-mm-usb-device-blacklist.rules /etc/udev/rules.d/77-mm-usb-device-blacklist.rules
$ sudo udevadm control --reload-rules
  • Make sure that your user rights are changed
$ sudo adduser $USER dialout

Compiling the proxmark3 source code

  • Install "make":
$ sudo apt-get install make
  • Clean and complete compilation:
$ make clean && make all

Plug in the Proxmark3

Insert the Proxmark and check dmesg.

$ dmesg | grep -i usb
Here, check out at the last row above and remember which tty your device got connected to.

Flashing CDC

$ client/flasher /dev/ttyACM0 -b bootrom/obj/bootrom.elf armsrc/obj/fullimage.elf
Reccomended resources

Running the proxmark3 client

  • Change into the client folder:
$ cd client
  • Run the client:
$ ./proxmark3 /dev/ttyACM0
  • The terminal should now show something like this:
proxmark3>
  • Now, run the following commands to verify functionality:
proxmark3> hw status
proxmark3> hw version
proxmark3> hw tune
  • Leave the client:
proxmark3> quit