Setting up the environment on Windows is rather troublesome. If you have a virtual machine you can use that, but I strongly recommend WSL (Windows Subsystem for Linux), which is very convenient. The following describes setting up on Ubuntu, following the PM3 wiki.

First check for updates:

    sudo apt-get update && sudo apt-get upgrade

Then install the tools it depends on:

    sudo apt install p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev gcc-arm-none-eabi libstdc++-arm-none-eabi-newlib libpcsclite-dev pcscd

Pull the source:

    git clone https://github.com/proxmark/proxmark3.git

You can of course use a third-party firmware instead, such as Iceman's:

    git clone https://github.com/RfidResearchGroup/proxmark3.git

Then fetch the latest content and set up the permissions:

    cd proxmark3
    git pull
    sudo cp -rf driver/77-mm-usb-device-blacklist.rules /etc/udev/rules.d/77-mm-usb-device-blacklist.rules
    sudo udevadm control --reload-rules
    sudo adduser $USER dialout

Compile the source:

    make clean && make all

Now the PM3 can be plugged in. Since I am using WSL, Ubuntu shares the serial ports with the host, so the port number has to be determined first; mine is COM7, so I can connect directly:

    sudo ./proxmark3 /dev/ttyS7
First identify the card type. Check the antenna signal with no card present:

    proxmark3> hw tune
    Measuring antenna characteristics, please wait.........
    # LF antenna: 24.61 V @ 125.00 kHz
    # LF antenna: 29.84 V @ 134.00 kHz
    # LF optimal: 31.21 V @ 130.43 kHz
    # HF antenna: 24.53 V @ 13.56 MHz
    Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

Place the card on the high-frequency antenna and measure the antenna signal again:

    Measuring antenna characteristics, please wait.........
    # LF antenna: 25.16 V @ 125.00 kHz
    # LF antenna: 30.94 V @ 134.00 kHz
    # LF optimal: 32.31 V @ 130.43 kHz
    # HF antenna: 19.60 V @ 13.56 MHz
    Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

The HF voltage changes noticeably, so this is a high-frequency card; the same method identifies low-frequency cards as well. A further command identifies the card as an M1 (MIFARE Classic 1K) card:
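A small check for the antenna comparison just described, added here as an example and not part of the original post: it parses the two `hw tune` readings shown above (the only data it uses), computes the relative voltage change per antenna, and reports which band the card is loading. The 10 % drop threshold is an assumption, chosen to sit well above the reading-to-reading jitter visible in the LF values.

```python
import re

# One "# LF antenna: 24.61 V @ 125.00 kHz" style reading; "LF optimal" lines are ignored.
TUNE_LINE = re.compile(r"#\s*(LF|HF) antenna:\s*([\d.]+) V @ ([\d.]+ (?:kHz|MHz))")


def parse_tune(text):
    """Return {(band, frequency_label): volts} from `hw tune` output."""
    readings = {}
    for band, volts, freq in TUNE_LINE.findall(text):
        readings[(band, freq)] = float(volts)
    return readings


def voltage_drops(baseline, with_card):
    """Relative drop of each antenna reading once the card is present (negative = rose)."""
    return {key: (v0 - with_card[key]) / v0
            for key, v0 in baseline.items() if key in with_card}


def classify_card(baseline, with_card, min_drop=0.10):
    """Bands whose voltage fell by at least min_drop (assumed threshold) are being
    loaded by the card. Returns 'HF', 'LF', 'both' or 'none'."""
    loaded = {band for (band, _), drop in voltage_drops(baseline, with_card).items()
              if drop >= min_drop}
    if loaded == {"HF"}:
        return "HF"
    if loaded == {"LF"}:
        return "LF"
    return "both" if loaded else "none"


# Both strings are the post's own `hw tune` readings (no card, then the card on the HF antenna).
NO_CARD = ("# LF antenna: 24.61 V @ 125.00 kHz # LF antenna: 29.84 V @ 134.00 kHz "
           "# LF optimal: 31.21 V @ 130.43 kHz # HF antenna: 24.53 V @ 13.56 MHz")
CARD_ON_HF = ("# LF antenna: 25.16 V @ 125.00 kHz # LF antenna: 30.94 V @ 134.00 kHz "
              "# LF optimal: 32.31 V @ 130.43 kHz # HF antenna: 19.60 V @ 13.56 MHz")

if __name__ == "__main__":
    for (band, freq), drop in voltage_drops(parse_tune(NO_CARD), parse_tune(CARD_ON_HF)).items():
        print(f"{band} @ {freq}: {drop:+.1%}")
    print("card type:", classify_card(parse_tune(NO_CARD), parse_tune(CARD_ON_HF)))
```

On the post's readings the HF antenna drops by about 20 % while both LF readings actually rise slightly, so the card is reported as HF; a 125 kHz badge would show the opposite pattern.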
    proxmark3> hf search
    UID : 60 64 7d 26
    ATQA : 00 04
    SAK : 08 [2]
    TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
    proprietary non iso14443-4 card found, RATS not supported
    No chinese magic backdoor command detected
    Prng detection: WEAK
    Valid ISO14443A Tag Found - Quiting Search

Check whether the sectors use default keys:

    proxmark3> hf mf chk *1 ? t
    --chk keys. sectors:16, block no: 0, key type:?, eml:y, dmp=n checktimeout=471 us
    No key specified, trying default keys
    chk default key[ 0] ffffffffffff
    chk default key[ 1] 000000000000
    chk default key[ 2] a0a1a2a3a4a5
    chk default key[ 3] b0b1b2b3b4b5
    chk default key[ 4] aabbccddeeff
    chk default key[ 5] 1a2b3c4d5e6f
    chk default key[ 6] 123456789abc
    chk default key[ 7] 010203040506
    chk default key[ 8] 123456abcdef
    chk default key[ 9] abcdef123456
    chk default key[10] 4d3a99c351dd
    chk default key[11] 1a982c7e459a
    chk default key[12] d3f7d3f7d3f7
    chk default key[13] 714c5c886e97
    chk default key[14] 587ee5f9350f
    chk default key[15] a0478cc39091
    chk default key[16] 533cb6c723f6
    chk default key[17] 8fd0a4f256e9
    To cancel this operation press the button on the proxmark...
    --o
    |---|----------------|----------------|
    |sec|key A           |key B           |
    |---|----------------|----------------|
    |000| ffffffffffff | ffffffffffff |
    |001| ? | ? |
    |002| ffffffffffff | ffffffffffff |
    |003| ? | ? |
    |004| ffffffffffff | ffffffffffff |
    |005| ffffffffffff | ffffffffffff |
    |006| ffffffffffff | ffffffffffff |
    |007| ffffffffffff | ffffffffffff |
    |008| ffffffffffff | ffffffffffff |
    |009| ffffffffffff | ffffffffffff |
    |010| ffffffffffff | ffffffffffff |
    |011| ffffffffffff | ffffffffffff |
    |012| ffffffffffff | ffffffffffff |
    |013| ffffffffffff | ffffffffffff |
    |014| ffffffffffff | ffffffffffff |
    |015| ffffffffffff | ffffffffffff |
    |---|----------------|----------------|
    28 keys(s) found have been transferred to the emulator memory

Detailed usage of each command can be looked up with help. Some sectors turn out to use the default key ffffffffffff. M1 (MIFARE Classic) cards have a weakness: with the key of one sector already known, the keys of the other encrypted sectors can be cracked.
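The default-key check above is the step a card issuer wants to run against its own cards, so here is an added example (not from the post or the Proxmark3 project) that parses the `hf mf chk` key table, flags every sector whose key A or key B is in the 18-entry default list the tool tried, and counts how many sectors are default, custom, or unrecovered. The row regex also accepts the `hf mf nested` table shape (with its extra res column after each key), so the same audit can be rerun on a fully recovered key table. The sample tables are the post's own output; rows 4 to 15 of the chk table are generated because they are all ffffffffffff in the post.

```python
import re

# The 18 default keys that `hf mf chk` tried in the post; this is the only key
# list the example assumes. Anything else is treated as an issuer-specific key.
DEFAULT_KEYS = {
    "ffffffffffff", "000000000000", "a0a1a2a3a4a5", "b0b1b2b3b4b5",
    "aabbccddeeff", "1a2b3c4d5e6f", "123456789abc", "010203040506",
    "123456abcdef", "abcdef123456", "4d3a99c351dd", "1a982c7e459a",
    "d3f7d3f7d3f7", "714c5c886e97", "587ee5f9350f", "a0478cc39091",
    "533cb6c723f6", "8fd0a4f256e9",
}

KEY = r"([0-9a-fA-F]{12}|\?)"
# One table row. The optional (?:\s*\d\s*\|)? absorbs the "res" column that the
# `hf mf nested` table prints after each key, so both table shapes parse.
ROW = re.compile(r"\|(\d{3})\|\s*" + KEY + r"\s*\|(?:\s*\d\s*\|)?\s*" + KEY + r"\s*\|")


def parse_key_table(text):
    """Return {sector: (key_a, key_b)}; keys lower-cased, '?' where the tool found none."""
    table = {}
    for m in ROW.finditer(text):
        sec, key_a, key_b = m.groups()
        table[int(sec)] = (key_a.lower(), key_b.lower())
    return table


def audit_sectors(table):
    """Verdict per sector: 'default' if either key is a well-known default,
    'custom' if both keys are known and not default, 'unrecovered' if any key is '?'."""
    verdicts = {}
    for sec, (key_a, key_b) in sorted(table.items()):
        if key_a in DEFAULT_KEYS or key_b in DEFAULT_KEYS:
            verdicts[sec] = "default"
        elif "?" in (key_a, key_b):
            verdicts[sec] = "unrecovered"
        else:
            verdicts[sec] = "custom"
    return verdicts


def summarize(verdicts):
    """Count sectors per verdict; the card passes only when no sector is 'default'."""
    counts = {"default": 0, "custom": 0, "unrecovered": 0}
    for v in verdicts.values():
        counts[v] += 1
    counts["passes"] = counts["default"] == 0
    return counts


# Copied from the post's `hf mf chk` output (sectors 1 and 3 had no default key);
# rows 4-15 are generated since every one of them is ffffffffffff in the post.
CHK_TABLE = """
|---|----------------|----------------|
|sec|key A           |key B           |
|---|----------------|----------------|
|000| ffffffffffff | ffffffffffff |
|001| ? | ? |
|002| ffffffffffff | ffffffffffff |
|003| ? | ? |
""" + "".join(f"|{s:03d}| ffffffffffff | ffffffffffff |\n" for s in range(4, 16))

# Excerpt of the post's `hf mf nested` table: the two non-default sectors and their neighbours.
NESTED_TABLE = """
|sec|key A           |res|key B           |res|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| 112233445566 | 1 | 01206f340100 | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| 50f6a442e26d | 1 | e59925b18b43 | 1 |
"""

if __name__ == "__main__":
    for name, text in (("chk", CHK_TABLE), ("nested", NESTED_TABLE)):
        verdicts = audit_sectors(parse_key_table(text))
        print(name, summarize(verdicts))
        print("  non-default sectors:", [s for s, v in verdicts.items() if v != "default"])
```

A sector reported as "default" is the finding that matters: as the post goes on to show, one known sector key is enough to recover the rest, so the audit treats a card as passing only when the default count is zero, regardless of how strong the other sectors' keys are.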
    proxmark3> hf mf nested 1 0 A FFFFFFFFFFFF d
    --nested. sectors:16, block no: 0, key type:A, eml:n, dmp=y checktimeout=471 us
    Testing known keys. Sector count=16
    nested...
    -----------------------------------------------
    uid:60647d26 trgbl=4 trgkey=0
    Setting authentication timeout to 103us
    -----------------------------------------------
    uid:60647d26 trgbl=4 trgkey=1
    Setting authentication timeout to 103us
    Found valid key:01206f340100
    -----------------------------------------------
    uid:60647d26 trgbl=12 trgkey=0
    Setting authentication timeout to 103us
    -----------------------------------------------
    uid:60647d26 trgbl=12 trgkey=1
    Setting authentication timeout to 103us
    -----------------------------------------------
    uid:60647d26 trgbl=4 trgkey=0
    Setting authentication timeout to 103us
    Found valid key:112233445566
    -----------------------------------------------
    uid:60647d26 trgbl=12 trgkey=0
    Setting authentication timeout to 103us
    -----------------------------------------------
    uid:60647d26 trgbl=12 trgkey=1
    Setting authentication timeout to 103us
    -----------------------------------------------
    uid:60647d26 trgbl=12 trgkey=0
    Setting authentication timeout to 103us
    -----------------------------------------------
    uid:60647d26 trgbl=12 trgkey=1
    Setting authentication timeout to 103us
    -----------------------------------------------
    uid:60647d26 trgbl=12 trgkey=0
    Setting authentication timeout to 103us
    Found valid key:50f6a442e26d
    -----------------------------------------------
    uid:60647d26 trgbl=12 trgkey=1
    Setting authentication timeout to 103us
    -----------------------------------------------
    uid:60647d26 trgbl=12 trgkey=1
    Setting authentication timeout to 103us
    -----------------------------------------------
    uid:60647d26 trgbl=12 trgkey=1
    Setting authentication timeout to 103us
    -----------------------------------------------
    uid:60647d26 trgbl=12 trgkey=1
    Setting authentication timeout to 103us
    -----------------------------------------------
    uid:60647d26 trgbl=12 trgkey=1
    Setting authentication timeout to 103us
    -----------------------------------------------
    uid:60647d26 trgbl=12 trgkey=1
    Setting authentication timeout to 103us
    -----------------------------------------------
    uid:60647d26 trgbl=12 trgkey=1
    Setting authentication timeout to 103us
    Found valid key:e59925b18b43
    -----------------------------------------------
    Nested statistic:
    Iterations count: 17
    Time in nested: 8.851 (0.521 sec per key)
    |---|----------------|---|----------------|---|
    |sec|key A           |res|key B           |res|
    |---|----------------|---|----------------|---|
    |000| ffffffffffff | 1 | ffffffffffff | 1 |
    |001| 112233445566 | 1 | 01206f340100 | 1 |
    |002| ffffffffffff | 1 | ffffffffffff | 1 |
    |003| 50f6a442e26d | 1 | e59925b18b43 | 1 |
    |004| ffffffffffff | 1 | ffffffffffff | 1 |
    |005| ffffffffffff | 1 | ffffffffffff | 1 |
    |006| ffffffffffff | 1 | ffffffffffff | 1 |
    |007| ffffffffffff | 1 | ffffffffffff | 1 |
    |008| ffffffffffff | 1 | ffffffffffff | 1 |
    |009| ffffffffffff | 1 | ffffffffffff | 1 |
    |010| ffffffffffff | 1 | ffffffffffff | 1 |
    |011| ffffffffffff | 1 | ffffffffffff | 1 |
    |012| ffffffffffff | 1 | ffffffffffff | 1 |
    |013| ffffffffffff | 1 | ffffffffffff | 1 |
    |014| ffffffffffff | 1 | ffffffffffff | 1 |
    |015| ffffffffffff | 1 | ffffffffffff | 1 |
    |---|----------------|---|----------------|---|
    Printing keys to binary file dumpkeys.bin...

The keys of the other encrypted sectors have been cracked successfully and written to the file dumpkeys.bin. This file has to be converted into a format the PM3 understands before the door card can be copied:
    proxmark3> script run dumptoemul.lua
    --- Executing: ./scripts/dumptoemul.lua, args''
    Wrote an emulator-dump to the file 2CF0550B.eml
    -----Finished
    proxmark3>

Then place the blank card on the high-frequency antenna and write the data to it:

    proxmark3> hf mf cload 60647D26
    Chinese magic backdoor commands (GEN 1a) detected
    Loading magic mifare 1K
    Loaded from file: 60647D26.eml

Done!!!
References:

https://github.com/Proxmark/proxmark3/wiki/Ubuntu-Linux
https://www.cnblogs.com/k1two2/p/5706516.html
https://lzy-wi.github.io/2018/07/26/proxmark3/