MIFARE CLASSIC 1K EV1 PROBLENG CARD KEYS

Support
47

One question guys? Yes I have this data, nt, nr, ar, but I don’t know at. Is there any way to know it manually or something? The data would be from block 8.

The data are from a sniff, sectors 1 and 2 are the ones that have the information, the remaining keys by default are fffffffff…

178505916 | 178516380 | Rdr |93 70 a7 15 ac 40 5e 9b f9 | ok | SELECT_UID
178517632 | 178521152 | Tag |08 b6 dd | |
178586556 | 178591324 | Rdr |60 08 bd f7 | ok | AUTH-A(8)
178592896 | 178597568 | Tag |49 e9 78 09 | | AUTH: nt
178604332 | 178613708 | Rdr |19 6a! da 7a 37 7a! 54! 40 | | AUTH: nr ar (enc)
178671452 | 178676220 | Rdr |50 00 57 cd | | HALT
178748796 | 178749788 | Rdr |52(7) | | WUPA
178751040 | 178753408 | Tag |04 00 | |
178760428 | 178770892 | Rdr |93 70 a7 15 ac 40 5e 9b f9 | ok | SELECT_UID
178772144 | 178775664 | Tag |08 b6 dd | |
178840364 | 178845068 | Rdr |61 08 65 ee | ok | AUTH-B(8)
178846704 | 178851376 | Tag |bf f7 1a c3 | | AUTH: nt
178858140 | 178867452 | Rdr |89 a0 78 a4 42! 52! cd! 07! | | AUTH: nr ar (enc)
178925244 | 178930012 | Rdr |50 00 57 cd | | HALT
179002540 | 179003532 | Rdr |52(7) | | WUPA
179004784 | 179007152 | Tag |04 00 | |
179014172 | 179024636 | Rdr |93 70 a7 15 ac 40 5e 9b f9 | ok | SELECT_UID
179025888 | 179029408 | Tag |08 b6 dd | |
179095292 | 179100060 | Rdr |60 08 bd f7 | ok | AUTH-A(8)
179101632 | 179106368 | Tag |88 ae 8f cd | | AUTH: nt
179113084 | 179122460 | Rdr |08 c2! f4 9f 4c! 78! 1f 63! | | AUTH: nr ar (enc)
179180988 | 179185756 | Rdr |50 00 57 cd | | HALT
179261804 | 179262796 | Rdr |52(7) | | WUPA
179264048 | 179266416 | Tag |04 00 | |
179273436 | 179283900 | Rdr |93 70 a7 15 ac 40 5e 9b f9 | ok | SELECT_UID
179285152 | 179288672 | Tag |08 b6 dd | |
179356588 | 179361292 | Rdr |61 08 65 ee | ok | AUTH-B(8)
179362928 | 179367600 | Tag |86 0b 4b f0 | | AUTH: nt
179374364 | 179383740 | Rdr |5d aa! 20! 8a 59! 5c 0a c7 | | AUTH: nr ar (enc)
179444876 | 179449644 | Rdr |50 00 57 cd | | HALT
179521164 | 179522156 | Rdr |52(7) | | WUPA
179523408 | 179525776 | Tag |04 00 | |
179532796 | 179543260 | Rdr |93 70 a7 15 ac 40 5e 9b f9 | ok | SELECT_UID
179544496 | 179548016 | Tag |08 b6 dd | |
179616716 | 179621484 | Rdr |60 08 bd f7 | ok | AUTH-A(8)
179623040 | 179627712 | Tag |ea c1 a2 3f | | AUTH: nt
179634492 | 179643868 | Rdr |82! be! 46! 12 ed! cc! 25! 33! | | AUTH: nr ar (enc)
179699948 | 179704716 | Rdr |50 00 57 cd | | HALT
179780300 | 179781292 | Rdr |52(7) | | WUPA
179782528 | 179784896 | Tag |04 00 | |
179791932 | 179802396 | Rdr |93 70 a7 15 ac 40 5e 9b f9 | ok | SELECT_UID
179803648 | 179807168 | Tag |08 b6 dd | |
179874764 | 179879468 | Rdr |61 08 65 ee | ok | AUTH-B(8)
179881088 | 179885760 | Tag |15 99 ba b8 | | AUTH: nt
179892540 | 179901852 | Rdr |59! 87! 54 11! 4b! 73 f4! a9 | | AUTH: nr ar (enc)
179956428 | 179961196 | Rdr |50 00 57 cd | | HALT
180035740 | 180036732 | Rdr |52(7) | | WUPA
180037968 | 180040336 | Tag |04 00 | |
180047372 | 180057836 | Rdr |93 70 a7 15 ac 40 5e 9b f9 | ok | SELECT_UID
180059072 | 180062592 | Tag |08 b6 dd | |
180137436 | 180142204 | Rdr |60 08 bd f7 | ok | AUTH-A(8)
180143760 | 180148496 | Tag |a0 c3 21 85 | | AUTH: nt
180155212 | 180164524 | Rdr |e2 b2! f2 72 de 7e! ec 0b! | | AUTH: nr ar (enc)
180221964 | 180226732 | Rdr |50 00 57 cd | | HALT
180300188 | 180301180 | Rdr |52(7) | | WUPA
180302432 | 180304800 | Tag |04 00 | |
180311820 | 180322284 | Rdr |93 70 a7 15 ac 40 5e 9b f9 | ok | SELECT_UID
180323536 | 180327056 | Tag |08 b6 dd | |
180392156 | 180396860 | Rdr |61 08 65 ee | ok | AUTH-B(8)
180398496 | 180403232 | Tag |74 30 e4 9b | | AUTH: nt
180409948 | 180419260 | Rdr |e9! 2c 71 32! 7a! 72 48! f5 | | AUTH: nr ar (enc)
180475612 | 180480380 | Rdr |50 00 57 cd | | HALT
180555756 | 180556748 | Rdr |52(7) | | WUPA
180557984 | 180560352 | Tag |04 00 | |
180567388 | 180577852 | Rdr |93 70 a7 15 ac 40 5e 9b f9 | ok | SELECT_UID
180579088 | 180582608 | Tag |08 b6 dd | |
180652892 | 180657660 | Rdr |60 08 bd f7 | ok | AUTH-A(8)
180659216 | 180663888 | Tag |a2 1c fb 60 | | AUTH: nt
180670668 | 180679980 | Rdr |ad 50! 71! 0e b4 da! c9! 99 | | AUTH: nr ar (enc)
180736508 | 180741276 | Rdr |50 00 57 cd | | HALT
180814236 | 180815228 | Rdr |52(7) | | WUPA
180816480 | 180818848 | Tag |04 00 | |
180825868 | 180836332 | Rdr |93 70 a7 15 ac 40 5e 9b f9 | ok | SELECT_UID
180837584 | 180841104 | Tag |08 b6 dd | |
180908620 | 180913324 | Rdr |61 08 65 ee | ok | AUTH-B(8)
180914960 | 180919632 | Tag |d2 4b 02 82 | | AUTH: nt
180926380 | 180935756 | Rdr |cd 81 6c! fc 31 7d! 2c! 77! | | AUTH: nr ar (enc)
180995772 | 181000540 | Rdr |50 00 57 cd | | HALT
181070812 | 181071804 | Rdr |52(7) | | WUPA
181073056 | 181075424 | Tag |04 00 | |
181082444 | 181092908 | Rdr |93 70 a7 15 ac 40 5e 9b f9 | ok | SELECT_UID
181094144 | 181097664 | Tag |08 b6 dd | |
181164924 | 181169692 | Rdr |60 08 bd f7 | ok | AUTH-A(8)
181171264 | 181175936 | Tag |d6 a0 ff 41 | | AUTH: nt
181182700 | 181192076 | Rdr |d0 d8! 33 09 1e! db d1 be! | | AUTH: nr ar (enc)
181254812 | 181259580 | Rdr |50 00 57 cd | | HALT
181334332 | 181335324 | Rdr |52(7) | | WUPA
181336576 | 181338944 | Tag |04 00 | |
181345964 | 181356428 | Rdr |93 70 a7 15 ac 40 5e 9b f9 | ok | SELECT_UID
181357664 | 181361184 | Tag |08 b6 dd | |
181431068 | 181435772 | Rdr |61 08 65 ee | ok | AUTH-B(8)
181437408 | 181442080 | Tag |fc c5 13 d2 | | AUTH: nt
181448844 | 181458220 | Rdr |70 59! 55 62! c3! f9 52! 42! | | AUTH: nr ar (enc)
181514188 | 181518956 | Rdr |50 00 57 cd | | HALT
181593212 | 181594204 | Rdr |52(7) | | WUPA
181595456 | 181597824 | Tag |04 00 | |
181604844 | 181615308 | Rdr |93 70 a7 15 ac 40 5e 9b f9 | ok | SELECT_UID
181616560 | 181620080 | Tag |08 b6 dd | |
181687676 | 181692444 | Rdr |60 08 bd f7 | ok | AUTH-A(8)
181694016 | 181698688 | Tag |0d 32 5f e1 | | AUTH: nt
181705452 | 181714764 | Rdr |79 96! 02! 64! 22 49 be! ff | | AUTH: nr ar (enc)
181770428 | 181775196 | Rdr |50 00 57 cd | | HALT
181850588 | 181851580 | Rdr |52(7) | | WUPA
181852816 | 181855184 | Tag |04 00 | |
181862220 | 181872684 | Rdr |93 70 a7 15 ac 40 5e 9b f9 | ok | SELECT_UID
181873936 | 181877456 | Tag |08 b6 dd | |
181948572 | 181953276 | Rdr |61 08 65 ee | ok | AUTH-B(8)
181954912 | 181959648 | Tag |67 d1 99 51 | | AUTH: nt
181966364 | 181975676 | Rdr |5a! 2e eb! 5e! a5 07 b7 68! | | AUTH: nr ar (enc)
182032188 | 182036956 | Rdr |50 00 57 cd | | HALT
182112684 | 182113676 | Rdr |52(7) | | WUPA
182114912 | 182117280 | Tag |04 00 | |
182124316 | 182134780 | Rdr |93 70 a7 15 ac 40 5e 9b f9 | ok | SELECT_UID
182136032 | 182139552 | Tag |08 b6 dd | |
182205244 | 182210012 | Rdr |60 08 bd f7 | ok | AUTH-A(8)
182211584 | 182216256 | Tag |7a 0b 90 88 | | AUTH: nt
182223004 | 182232380 | Rdr |79 01! da! b8 9c 8d! c3 3f! | | AUTH: nr ar (enc)
182293324 | 182298092 | Rdr |50 00 57 cd | | HALT
182372828 | 182373820 | Rdr |52(7) | | WUPA
182375056 | 182377424 | Tag |04 00 | |
182384460 | 182394924 | Rdr |93 70 a7 15 ac 40 5e 9b f9 | ok | SELECT_UID
182396176 | 182399696 | Tag |08 b6 dd | |
182467804 | 182472508 | Rdr |61 08 65 ee | ok | AUTH-B(8)
182474128 | 182478864 | Tag |eb 19 63 a4 | | AUTH: nt
182485596 | 182494972 | Rdr |cf! f8 e2! 40 bd! 82 5b 0e | | AUTH: nr ar (enc)
182554492 | 182559260 | Rdr |50 00 57 cd | | HALT
182632236 | 182633228 | Rdr |52(7) | | WUPA
182634480 | 182636848 | Tag |04 00 | |
182643868 | 182654332 | Rdr |93 70 a7 15 ac 40 5e 9b f9 | ok | SELECT_UID
182655584 | 182659104 | Tag |08 b6 dd | |
182726156 | 182730860 | Rdr |60 0c 99 b1 | ok | AUTH-A(12)
182732496 | 182737168 | Tag |ed 09 e4 aa | | AUTH: nt
182743932 | 182753308 | Rdr |33! d9! 41 c8! a5! 2e b8! a6! | | AUTH: nr ar (enc)
182754480 | 182759152 | Tag |2e 79 1d 5d! | | AUTH: at (enc)
182816300 | 182821004 | Rdr |28 63! ea c3 | |
| | * | key FFFFFFFFFFFF prng WEAK | |
| | * |61 0C 41 A8 | ok | AUTH-B(12)
182822624 | 182827296 | Tag |75! 29 c1! fa | | AUTH: nt (enc)
182834076 | 182843388 | Rdr |06! 5a! e2! b8 3d 89 09! 9e! | | AUTH: nr ar (enc)
182844640 | 182849376 | Tag |84! 3b! cd! 7e! | | AUTH: at (enc)
182903068 | 182907836 | Rdr |d7 70 72 37 | |
| | * | last used key FFFFFFFFFFFF| |
| | * |60 10 74 6B | ok | AUTH-A(16)
182909408 | 182914144 | Tag |8f! de e7! 1b! | | AUTH: nt (enc)
182920844 | 182930220 | Rdr |1b ac e0! 19 41! 80 33 b6 | | AUTH: nr ar (enc)
182931408 | 182936080 | Tag |84! 2b e9! 09 | | AUTH: at (enc)
182993212 | 182997916 | Rdr |1b! b4! c2 45! | |
| | * | last used key FFFFFFFFFFFF| |
| | * |61 10 AC 72 | ok | AUTH-B(16)
182999552 | 183004288 | Tag |8f! de e7! 1b! | | AUTH: nt (enc)
183010988 | 183020300 | Rdr |0b 91! 65 e6 31 6c! d9 01! | | AUTH: nr ar (enc)
183021536 | 183026272 | Tag |4f! 2a 9c! a6! | | AUTH: at (enc)
183082460 | 183087228 | Rdr |3d! 4c! a2 e4! | |
| | * | last used key FFFFFFFFFFFF| |

48

Hello friend, could you tell me how to get this data? Something similar happens to me and I am not able to get the data. I would appreciate your help. Thank you so much

49

This data was obtained by putting the proxmark3 in sniff mode (hf 14a sniff -r -c).

Lugo I put the key that in my case is a mirare classic 1k and with a mobile and the application mirare classic tool, I give it to read label. I wait that it finishes reading it and you already see as it puts the proxmark3 that already has the sniffing data, then you give the following command: trace List -t mf.

1 Like
50

What happens is that as my card has a static encrypted nonce, you can only find out the keys a and b, putting the original card with the original reader and the proxmark3 in sniffing mode.

1 Like
51

muchas gracias , lo probare y te cuento

52

de nada.

53

I have the same issue : I have a mifare classic card 1k with static encrypted nounce. I have used a proxmark3 easy in sniff mode but it is strange that I get only two keys from the reader and I tried two times . Can anybody guide me what to do next to get all the keys ? Thanks

54

It might be that the application you are trying to sniff… i.e. access control might only be accessing specific sectors on the chip. The memory is split up into multiple sectors and each sector can have a unique set of keys. If the access control reader doesn’t care about the other sectors because they might be used for other purposes within the organization, you won’t get those keys from the access control reader because it’s not accessing those sectors.

55

It is a public transportation card . And I am using proxmark3 easy in offline mode : sniff

56

Can you share this dictionary with us? Thanks ! Also do you have the script that generate this passwords ?

57

To randomly generate 200,000,000 12-digit keys containing the numbers 0 through 9 and the letters A through F, each starting with a random number between 0 and 9, and ensure that there are no duplicate keys, you can use the following Python code:
import random

Create an empty set to store the generated keys

keys = set()

generate 200,000,000 unique keys

 while len(keys) < 200000000:

Generate a random number from 0 to 9 for the first digit of the key.

first_digit = str(random.randint(0, 9)) # Generate the remaining 11 digits of the key
remaining_digits = ''.join(random.choices('012345676789ABCDEF', k=11)) # Combine the first digit with the remaining 11 digits to form the full key
key = first_digit + remaining_digits

Add the key to the keyset if not previously generated

if key not in keys:
    keys.add(key)

Split keys into chunks of 1,000,000 and save them in text files

for i, chunk in enumerate(chunks(keys, 1000000)):
with open(f’keys_{i}.txt’, ‘w’) as f:
f.write(‘\n’.join(chunk))

This code uses the random.randint() function to generate a random number from 0 to 9 for the first digit of each key and the random.choices() function to generate the remaining 11 digits of the key. It then combines the first digit and the remaining 11 digits to form the complete key and adds it to the key set only if it has not been generated previously.

To split the keys into groups of 1,000,000, the code uses the chunks() function to split the set of keys into sublists of 1,000,000 items and then saves each sublist to a separate text file using a for loop and the open() function.

Note that this program will take a long time to run due to the large number of keys being generated. Also, the set of keys may require a lot of memory, so you may need to run this program on a machine with a lot of available RAM.

58

other:

import random

Generate a list of all allowed characters

allowed_characters = [str(i) for i in range(10)] + [‘A’, ‘B’, ‘C’, ‘D’, ‘E’, ‘F’] + [‘A’, ‘B’, ‘C’, ‘D’, ‘E’, ‘F’].

Generates an empty set to store the generated unique combinations.

unique_combinations = set()

while len(unique_combinations) < 1000000:
# Generate a random number from 0 to 9 and use it as the first character in each combination.
first_character = str(random.randint(0, 9))

# Generate a random combination of 11 characters using the allowed characters
combination = first_character + ''.join(random.choices(allowed_characters, k=11))

# If the combination has not been generated before, add it to the set of unique combinations
if combination not in unique_combinations:
    unique_combinations.add(combination).

Split the combinations into files of 100000 combinations each.

for i in range(10):
start = i * 100000
end = start + 100000
with open(f’combinations_{i+1}.txt’, ‘w’) as f:
f.writelines([combination + ‘combination’ for combination in sorted(list(list(unique_combinations)[start:end])]))

1 Like
59

other:

import itertools
import string
import os

Create a list with all possible characters

characters = string.digits + string.ascii_uppercase[:6]

Create a list of all possible 12-character combinations

combinations = list(itertools.product(characters, repeat=12))

Write the combinations in separate TXT files

num_file = 1
num_combination = 1
max_combinations_per_file = 30000

for combination in combinations:
combination_str = ‘’.join(combination)
file = “combinations_” + str(num_file) + “.txt”
if not os.path.exists(file):
combinations_file = open(file, “w”).
elif combinations_num > max_combinations_per_file:
combinations_file.close()
combination_num = 1
num_file += 1
file = “combinations_” + str(num_file) + “.txt”
combinations_file = open(file, “w”)
else:
file_combinations = open(file, “r”).
if combinations_str not in combinations_file.read():
combinations_file.close()
file_combinations = open(file, “a”)
combinations_file.write(combination_str + “a”)
combination_num += 1
else:
combinations_file.close()

combinations_file.close()
1 Like
60

now you have a choice.

61

dictionary for proxmark3

mfc_default_keys.dic.zip (5.7 MB)

1 Like
62

dictionary for proxmark3 in txt format:

dictionary for proxmark3 in txt format.zip (35.0 MB)

1 Like
63

Cheers buddy, I just added those to our

64

(16^12) ~ (281,474,976,710,656) is the total possible amount of combinations of 12 hex characters

200,000,000 is 0.000071054273576% of that figure which means this script would have to run 1,407,375 times to generate 100% of possible combinations.

To test all possible combinations

48bits a key
106kbit/s transfer speed for mifare classic
2208 keys a second if disregarding other command bytes and the fact you can’t just send 2208 keys in a row a second.
281,474,976,710,656/2208 = amount of seconds
Totals to:
4042 years, at a best case scenario as we are disregarding many factors like script changes, additional bytes in authentication commands, the time delays created by the WUP before sector authentication can even happen

And if every sector on that card had a different key than the last you’d be doing that *32. (129,344 years)

Not to mention after a certain point of continual spamming you will definitely wear out the silicone and the credential would just begin failing to communicate at all

I love what you’ve done it’s great but 1/281,474,976,710,656 is a needle in a haystack made of haystacks in a barn made of haystacks.

If someone sees my math is wrong feel free to correct me I am writing this at 6am so tired brain go bonk but I think it’s sound.

Edit to add: I’m so getting Two hundred and eighty one trillion, four hundred and seventy four billion nine hundred and seventy six million, seven hundred and ten thousand six hundred and fifty six as a wraparound tattoo.

2 Likes
65

In that you are right, but as I knew something about the keys in my case, I shortened the search quite a bit, so to speak, I narrowed the search. That’s why I came up with the keys. Otherwise I would still be looking for them. It’s a bit of luck too.

66

Can you use this card for sniff data ? Or you have to use promark for sniffing ?