
Proxmark3 Tutorial: Sniffing MIFARE DESFire Cards

In this insightful and educational video, we will be guiding you through the process of sniffing a MIFARE DESFire card using the Proxmark3. Our step-by-step tutorial aims to demystify the workings of DESFire cards and shed light on their inherent security measures.
Whether you are a tech enthusiast, a professional in the RFID field, or a curious observer, join us as we delve into the fascinating world of contactless card technology.
For my beloved patreons!
-------------------------------------------
Remember when I first announced that I was working on a special project? A stretch goal video that was all about high-frequency (HF) sniffing in the world of RFID tech? You've been incredibly patient and supportive over these past months, and I can't thank you enough for that. Today, it's with genuine excitement and a touch of relief that I get to say: the wait is over!
High-frequency sniffing might sound like something out of a science fiction movie, but trust me, it's very much a reality - and an incredibly fascinating one at that. In the simplest of terms, HF sniffing involves intercepting and decoding the radio waves that RFID devices use to communicate. It's like eavesdropping on a conversation, only the chatter you're listening in on comes from microchips and readers.
Disclaimer!
-------------------
Please note, this video is strictly intended for educational purposes. We want to promote a deeper understanding of RFID technology.
If you enjoy our content and want more educational tech videos, make sure to hit the like button, share, and subscribe to our channel. Don't forget to turn on notifications by clicking the bell icon so you won't miss our latest videos!
Smash that like button! Destroy that subscribe button!
Get your Iceman Swag iceman-channel-shop.fourthwall.com
Get 5% discount on LAB401.COM by using the code ICEMAN at checkout.
Works on all but the flipper zero category.
Follow me on Twitter / herrmann1001
The community discord server
RFID Hacking by Iceman / discord
RRG/Iceman repository for Proxmark3
github.com/rfidresearchgroup/...
#Proxmark #MIFAREDESFire #desfire #RFIDTechnology #SniffingTutorial #EthicalHacking #techguide

Comments: 87

  • @lmaoroflcopter
    @lmaoroflcopter 1 year ago

    Literally was googling this stuff about 3 hours ago. Thanks iceman :)

  • @iceman1001

    @iceman1001

    1 year ago

    Glad to hear you found it useful!

  • @dequariusadair9241
    @dequariusadair9241 1 year ago

    Loving the new videos. Would love to see an exploration and breakdown of mifare ultralight and ultralight C cards.

  • @iceman1001

    @iceman1001

    1 year ago

    Noted!

  • @zymon.

    @zymon.

    11 months ago

    @@iceman1001 Did you ever get to these? No hurry! hehe Thanks for taking the time to do vids

  • @iceman1001

    @iceman1001

    11 months ago

    @@zymon. Not yet but I'll get there.

  • @iamtheone9242
    @iamtheone9242 6 days ago

    Hey Iceman, thanks for the informative video. Where could I begin to learn all about the abilities that the proxmark offers and NFC systems?

  • @iceman1001

    @iceman1001

    5 days ago

    The wiki has some fun things. If you run the pm3 client you find all commands have help texts with practical samples. There are some blog posts and some KZread videos around. The old proxmark3 forum is still good. Hit the discord up and learn to search it.

  • @Sargon999
    @Sargon999 1 year ago

    Thanks for the great video Iceman ... I have one question ... Is it possible to sniff data when an application is "uploaded" to a blank desfire card?

  • @iceman1001

    @iceman1001

    1 year ago

    Of course, sniffing captures the data over the air. So you can sniff when encoding a tag :)

  • @martinporter6478
    @martinporter6478 11 months ago

    Mr Iceman, a quick question, is it possible to read/write a Legic Prime Tag mm256?

  • @iceman1001

    @iceman1001

    11 months ago

    Yes it is.

  • @Drforbin941
    @Drforbin941 1 year ago

    Iceman, thank you for everything. Question: I have a proxmark3 easy. Should I get the RDV 4? And if so, where is the best place to buy?

  • @iceman1001

    @iceman1001

    1 year ago

    It comes down to money. You can run the proxmark3 repo on an Easy and experience it all for way less money. Take note that you need to have the 512 kb version to get all functions of the firmware. If you need a smaller form factor, some extra stuff and, most important, are not money restricted (corporate expense) you can buy a RDV v4.01. Where to buy? It comes down to which region in the world you are. The shopping channel in the RFID hacking discord server is a good place.

  • @Drforbin941

    @Drforbin941

    1 year ago

    @@iceman1001 I have the easy and have upgraded the firmware with your excellent code. I just wanted to get into this deeper.

  • @chung_myung.
    @chung_myung. 2 months ago

    Hi Iceman, after capturing the trace, is it possible to emulate or construct this trace to the reader? Like I was thinking of making a script or something to reply to the reader when it asks for RATS, PPS, things like that. If yes, can you provide a sample script or something? Thank you

  • @iceman1001

    @iceman1001

    2 months ago

    At this moment it is not possible to replay a trace.

  • @ralphbrunnthaler3680
    @ralphbrunnthaler3680 1 year ago

    Is it possible to decrypt the key from the trace and to use it as authentication to access the file and therefore to change the data? This would be interesting if there is a user defined app with value stored on the chip.

  • @iceman1001

    @iceman1001

    1 year ago

    When it comes to Desfire or UL-C there is no publicly known key recovery out of the box. If the master AID allows for it you can add your own AID / files with your own set of keys. Very sandboxed in that sense.

  • @muhammedibrahimtekin109
    @muhammedibrahimtekin109 6 months ago

    Hey there, it's kinda late but I wanna shoot my shot anyways. I have a DESFire EV1 that has 3 applets inside it right now. It's used for transportation. Is there any way for me to sniff the traffic or possibly dump the entire applet? I currently don't have a pm3 but am planning to get one soon! Thanks!

  • @iceman1001

    @iceman1001

    6 months ago

    For desfire, if you are lucky you can sniff it. Normally it's locked down with keys. But if the transportation mode is in plain comms, you can read what was read out from the card.

  • @nu77byte49
    @nu77byte49 1 year ago

    Love it :)

  • @iceman1001

    @iceman1001

    1 year ago

    Glad you like it!

  • @nu77byte49

    @nu77byte49

    1 year ago

    @@iceman1001 I have the RTA reader, did you have to reflash it to work with Desfire?

  • @iceman1001

    @iceman1001

    1 year ago

    @@nu77byte49 I have an older model for trainers. That could be the difference if yours doesn't read Desfire. Have you asked RTA?

  • @nu77byte49

    @nu77byte49

    1 year ago

    @@iceman1001 I will send them an email :)

  • @iceman1001

    @iceman1001

    1 year ago

    I'm sure they have an answer.

  • @1Aditya1
    @1Aditya1 1 year ago

    Nice video :). I have a question... is it possible to write that sniffed data to another MIFARE Desfire Card? (I am a newbie... just curious)

  • @iceman1001

    @iceman1001

    1 year ago

    Good question, you can write the data to another desfire card of course, but the reader will not be able to read the data since it expects the card to have been configured to use their keys.

  • @1Aditya1

    @1Aditya1

    1 year ago

    @@iceman1001 Ok so it also means that you can't tamper with the values of the Desfire card with an unknown key, right?? Or, just like the sniffing thing, is it possible to manipulate the reader to write what we want?

  • @iceman1001

    @iceman1001

    1 year ago

    @@1Aditya1 you need keys in the desfire world. Without them you can't do much. desfire doesn't have a known weakness for key recovery.

  • @1Aditya1

    @1Aditya1

    7 months ago

    @@iceman1001 oh right! Now I got it! Thanks for answering!

  • @tilmanbender7489
    @tilmanbender7489 1 year ago

    I see you have the blueshark on there. Is there a specific reason you keep the PM3 attached via USB then? (e.g., sniffing more reliable etc.)

  • @iceman1001

    @iceman1001

    1 year ago

    Good question, I am afraid it has nothing to do with sniffing. I tend to use the blueshark for the battery option, and when I am at my desktop I am always using the USB cable since it's so much faster.

  • @bilmantender5812

    @bilmantender5812

    1 year ago

    @@iceman1001 thanks for clarifying. I just got my blueshark and it was more of an "in case you need it" kinda purchase.

  • @iceman1001

    @iceman1001

    1 year ago

    Makes sense, you don't wanna stand there one day and not have the option.

  • @bilmantender5812

    @bilmantender5812

    1 year ago

    @@iceman1001 Yeah that's the thing that makes physical security assessments Soo expensive. All that stuff that you need to shlep around just in case 😃

  • @iceman1001

    @iceman1001

    1 year ago

    Hopefully your employer pays for it.

  • @philsimpson4702
    @philsimpson4702 6 months ago

    Hi Iceman, what is the best Proxmark Device to use?

  • @iceman1001

    @iceman1001

    5 months ago

    My preference is the RDV4.01, but you might do well with a known good PM3 Easy with 512kb.

  • @Drforbin941
    @Drforbin941 1 year ago

    iceman, what is the difference between trace and data in the graph buffer?

  • @iceman1001

    @iceman1001

    1 year ago

    Great question, since the answer is more of an intuitive nature than a logical one. In the proxmark world the trace is a decoded communication stream of bytes. The `data` part is a cleaned up interpretation of the raw communication layer. Usually seen in LF commands.

  • @Drforbin941

    @Drforbin941

    1 year ago

    @@iceman1001 That's what I thought. So the graph is like the physical layer, and trace is the data 'raw' bytes and in turn the protocol interpretation.

  • @iceman1001

    @iceman1001

    1 year ago

    @@Drforbin941 more or less like that. The proxmark3 project was developed over almost 20 years and with several chiefs. Some things aren't consistent across the project.

  • @Drforbin941

    @Drforbin941

    1 year ago

    @@iceman1001 Ice, what does the [2] mean behind the SAK value?

  • @iceman1001

    @iceman1001

    1 year ago

    @@Drforbin941 good question, how about asking them in the discord server?

  • @daniric111
    @daniric111 5 months ago

    Hey, I have the proxmark3 and I'm interested in the Mifare DESFire security. If you sniff the communication, and the communication is encrypted, you can't read the information as a MitM, only the reader and the tag can. Is it possible to emulate the tag, communicate with the reader and sniff the communication at the same time? So you can decrypt the information that you already sniffed? PS: I like your videos

  • @iceman1001

    @iceman1001

    5 months ago

    Glad to hear you like the videos. DESfire is a different kind of beast when it comes to sniffing. If in plain comms mode you can sniff. When it comes to MitM you need to take delays into consideration. When it comes to simulation you would need to have a device which can emulate all the different protocol parts that desfire supports. And you would need to have it configured to how the system uses it. Same with the data on it. There is no simple answer. It's a complicated task to accomplish.

  • @daniric111

    @daniric111

    5 months ago

    I saw a paper called "An investigation of possible attacks on the Mifare DESFire EV1". This paper explains how the authentication method of the card works: "both card and reader pick independent random 64-bit nonces, then seek to prove to each other that they can decrypt encrypted versions of each other's nonce. The decrypted nonces are rotated right or left by 8 bits before being returned to the other party for verification." But they don't explain how card and reader encrypt their nonces. Do they use some keys that they know beforehand? Is there any key interchange that can be sniffed? Thank you for answering! @@iceman1001

  • @iceman1001

    @iceman1001

    4 months ago

    You could read the MIFARE DESfire datasheet, which explains a bit about the authentication process. For EV1 it's still triple DES / AES128.
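The three-pass challenge/response that the quoted paper describes, written out as an added toy example (not Iceman's code and not part of the Proxmark3 project): each side proves it can decrypt the other's nonce and hands it back rotated by one byte, using 16-byte nonces as in the AES-128 variant mentioned above. Assumptions: the block cipher is a stand-in Feistel construction on HMAC-SHA256 so the script runs with the standard library alone, not the real AES/3DES, and the IV chaining real cards keep across passes is left out. The returned trace is what a sniffer captures: the key and the nonces never cross the air in clear, which is why a trace alone does not yield the key.

```python
import hashlib, hmac, os

BLOCK = 16  # 16-byte (128-bit) nonces, the AES-128 variant mentioned above

def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    # Toy 4-round Feistel cipher: stand-in for AES-128, NOT the real DESFire primitive
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(key, i, r)))
    return r + l

def decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(key, i, r)))
    return r + l

def cbc_encrypt(key: bytes, data: bytes) -> bytes:
    out, prev = b"", bytes(BLOCK)  # zero IV; real cards chain the IV across passes
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out += prev
    return out

def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    out, prev = b"", bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(decrypt_block(key, blk), prev))
        prev = blk
    return out

def rotl8(nonce: bytes) -> bytes:
    return nonce[1:] + nonce[:1]  # rotate left by 8 bits, as the quoted paper describes

def mutual_auth(card_key: bytes, reader_key: bytes, rnd_b=None, rnd_a=None):
    # Returns (success, trace); trace is the list of frames a sniffer would capture.
    trace = []
    rnd_b = os.urandom(BLOCK) if rnd_b is None else rnd_b     # card picks RndB
    ek_rnd_b = cbc_encrypt(card_key, rnd_b)
    trace.append(("card->reader", ek_rnd_b))                    # pass 1: E(RndB)
    rnd_b_seen = cbc_decrypt(reader_key, ek_rnd_b)              # reader decrypts it
    rnd_a = os.urandom(BLOCK) if rnd_a is None else rnd_a     # reader picks RndA
    msg = cbc_encrypt(reader_key, rnd_a + rotl8(rnd_b_seen))
    trace.append(("reader->card", msg))                         # pass 2: E(RndA || RndB')
    plain = cbc_decrypt(card_key, msg)
    if plain[BLOCK:] != rotl8(rnd_b):
        return False, trace                                     # card rejects the reader
    ek_rnd_a = cbc_encrypt(card_key, rotl8(plain[:BLOCK]))
    trace.append(("card->reader", ek_rnd_a))                    # pass 3: E(RndA')
    return cbc_decrypt(reader_key, ek_rnd_a) == rotl8(rnd_a), trace  # reader checks card
```

A reader holding the wrong key fails at pass 3 before the card ever answers with E(RndA'), so the sniffed trace is two ciphertext frames and nothing else.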

  • @daniric111

    @daniric111

    4 months ago

    @@iceman1001 nice, thank you

  • @daniric111

    @daniric111

    3 months ago

    @@iceman1001 Hey, do you know if proxmark3 detects CISA CT3 Contactless cards? I'm trying but pm3 seems to not detect it. (I have the amazon one)

  • @jimbean6697
    @jimbean6697 20 days ago

    Would a HID Omnikey 5023 Contactless Card Reader be suitable for this job?

  • @iceman1001

    @iceman1001

    20 days ago

    For sniffing you need a device like the proxmark3 which is capable of it.

  • @jimbean6697

    @jimbean6697

    19 days ago

    I have the pm3 easy but am new to it. I am hoping to learn RFID and hopefully contribute at some point. Edit - Sorry, should have been more specific, the reader I asked about would be used with the pm3 for sniffing.

  • @iceman1001

    @iceman1001

    19 days ago

    @@jimbean6697 the Reader is just a Reader. You need specific software to run which uses the reader to talk with the card. You will need to gather more information about the task at hand.

  • @jimbean6697

    @jimbean6697

    19 days ago

    I already have the correct drivers and software to control the reader. It seems I just need the reader to activate (power up) the card and the rest can be done with the proxmark, just select the correct protocol we are sniffing for.

  • @iceman1001

    @iceman1001

    19 days ago

    @@jimbean6697 sounds like you are all set.

  • @jeffmorrison9905
    @jeffmorrison9905 10 months ago

    Can you get keys out of the trace?

  • @iceman1001

    @iceman1001

    10 months ago

    No.

  • @jeffmorrison9905

    @jeffmorrison9905

    10 months ago

    @@iceman1001 sorry for questions that may not make sense. I'm a nooby. I have a mifare 1k classic round sticker. When I try to get keys I get all dashes in both columns. It says it's weak. Tried nest, nested, dark, nothing works to get a key. I thought I had to sniff to get the key. Not sure what to try. Thx. You're awesome. Will be donating money for you to have a drink on me. lol

  • @iceman1001

    @iceman1001

    10 months ago

    @@jeffmorrison9905 We all were noobs once. There are some more complications with MFC. One popular card manufacturer who makes a copy of MFC has some quirks, like a "static encrypted nonce". By some fluke chance they are currently not able to recover keys with the attacks you mentioned.

  • @jeffmorrison9905

    @jeffmorrison9905

    10 months ago

    @@iceman1001 thanks. Do you have a link to instructions to update my iceman firmware to the latest release? I'm sure that can't hurt.

  • @iceman1001

    @iceman1001

    4 months ago

    Follow the guides on the repo. If you've done it before, it is as simple as: git pull, make -j, ./pm3-flash-fullimage, ./pm3

  • @fastmot1on
    @fastmot1on 1 year ago

    Hint: when you watch at 1.75x speed, the guy actually talks normally.

  • @iceman1001

    @iceman1001

    1 year ago

    I guess that depends on what you define as normal :) :) :)

  • @zymon.

    @zymon.

    11 months ago

    Lmao, you need to stop smoking crack

  • @iBetUrWet
    @iBetUrWet 11 months ago

    Hey @iceman1001, I'm about to buy a chameleon ultra or proxmark. What I want to do as a new redteamer is to get into RFID hacking. The first card I want to crack and the reader I want to sniff is a desfire EV3. What do you recommend me to do? :)

  • @iceman1001

    @iceman1001

    11 months ago

    .... hack the door controller.... You will need readers, proxmark, gadgets ... Desfire EV3.. well, good luck with that one.

  • @iBetUrWet

    @iBetUrWet

    11 months ago

    Hey, thanks for your answer :) @@iceman1001 - I know it's quite challenging but the learning will be huge I think, even if it doesn't work. So just the proxmark will not be enough? And which gadgets do you mean? - btw, for hacking the door controller I have access to sniffing methods

  • @iceman1001

    @iceman1001

    11 months ago

    @@iBetUrWet Learning is fun but a challenge. Failing will be something that you will do several times. But you get the hang of it eventually. Start to experiment, read datasheets and some excellent research papers. Limit your scope down to a small thing and start there. You will see that you need more and more gadgets when it comes to hacking....

  • @MoppelMat

    @MoppelMat

    9 months ago

    @@iceman1001 thank you for all your great videos! I am on the same path, just with an EV1. I watched more or less all of your stuff, and also the great documentary on devcon 28 with your buddy. I guess you mean by hack the reader, to get data from the back side of the reader with some esp32 data line sniffer, get the clear data, put it on a mifare classic and do a downgrade of the reader? Is that about what you thought about, or am I running in the wrong direction? I can not wait for my proxmark 3 and chameleon ultra to arrive to finally see what's really on our cards! I hope I did right by not buying the icopy-x, but the proxmark instead.

  • @iceman1001

    @iceman1001

    9 months ago

    @@MoppelMat you did right by buying a pm3 if you wanna try modern things. And yes, that is how a downgrade attack works. Sniff the wiegand, extract pacs, put on lesser technology if possible.