Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2016-07-26 10:21:53

bruno84
Contributor
Registered: 2016-07-25
Posts: 10

Crack HID password

I have a Chinese card writer http://www.aliexpress.com/item/Handhold-Portable-125khz-RFID-H-ID-PROX-CARD-PROX-KEY-Card-Reader-Writer-Copier-Duplicate-Duplicator/32599892297.html
and when I copy a HID card using it, I can no longer clone the card using proxmark3. Reading the forums, I discovered that the device may set a password on the card, and then I'm unable to use proxmark to write to it.

proxmark3> lf search
Reading 30000 bytes from device memory

Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
  if it finds something that looks like a tag
False Positives ARE possible


Checking for known tags:

HID Prox TAG ID: 2007fc00f7 (123) - Format Len: 26bit - FC: 254 - Card: 123

Valid HID Prox ID Found!
proxmark3> lf hid clone 1122334455
Cloning tag with ID 1122334455
#db# DONE!
proxmark3> lf search
Reading 30000 bytes from device memory

Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
  if it finds something that looks like a tag
False Positives ARE possible


Checking for known tags:

HID Prox TAG ID: 2007fc00f7 (123) - Format Len: 26bit - FC: 254 - Card: 123

So my question is: is it possible to sniff the data written to the card using lf snoop?

If I type lf snoop, nothing happens... what's the correct way of using it?


#2 2016-07-26 10:26:12

iceman
Administrator
Registered: 2013-04-25
Posts: 9,536
Website

Re: Crack HID password

It's known that some cloners set the password on the T55xx card, locking it.

However, due to some users, there are two known passwords you can use to see if you can re-write your block0 on the T55xx card with.

Search and you will find here on the forum.


#3 2016-07-26 11:01:20

bruno84
Contributor
Registered: 2016-07-25
Posts: 10

Re: Crack HID password

Found it, but they don't work... Sniffing is not possible then?


#4 2016-07-26 11:05:37

bruno84
Contributor
Registered: 2016-07-25
Posts: 10

Re: Crack HID password

I tried:
lf t55xx wr b 0 d 0 p 51243648
lf t55xx wr b 0 d 0 p 000D8787

Btw, I posted the wrong link to the card writer; the correct one is: http://www.aliexpress.com/item/Updated-Version-English-10-Frequency-ID-IC-RFID-Copier-Reader-Writer-Copy-125KHZ-Keyfbobs-HID-Cards/32654441916.html?spm=2114.13010608.0.72.Ymg7fn

Last edited by bruno84 (2016-07-26 11:30:59)


#5 2016-07-26 12:06:31

bruno84
Contributor
Registered: 2016-07-25
Posts: 10

Re: Crack HID password

In case someone is interested...

I tried to manually enter the card number on the writer, and then read the card using the proxmark. Here is the result:

proxmark3> lf hid fskdemod
#db# DownloadFPGA(len: 42096)
#db# TAG ID: 2007fc0002 (1) - Format Len: 26bit - FC: 254 - Card: 1
#db# TAG ID: 2007fc0004 (2) - Format Len: 26bit - FC: 254 - Card: 2
#db# TAG ID: 2007fc0064 (50) - Format Len: 26bit - FC: 254 - Card: 50
#db# TAG ID: 2007fc0379 (444) - Format Len: 26bit - FC: 254 - Card: 444
#db# TAG ID: 2007fc07cf (999) - Format Len: 26bit - FC: 254 - Card: 999

//here I entered 1234567890
#db# TAG ID: 2004721264 (2354) - Format Len: 26bit - FC: 57 - Card: 2354
#db# Stopped

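The TAG ID values in the post above are the raw HID Prox IDs the Proxmark3 client prints, and the FC / Card columns are just a field split of the low 26 bits. The following is an added example, not code from this thread or from the Proxmark3 project: a small Python decoder and encoder for the 26-bit (H10301) Wiegand layout that reproduces the printed FC and Card values, verifies the two parity bits, and re-builds the ID you would pass to lf hid clone. The format-length detection (a fixed marker at bit 37 plus a second marker just above the format's most significant bit) follows what the Proxmark3 client of that era does; the sample log lines are copied from the post above rather than captured fresh, and all function names are this example's own.

```python
import re

# Sample input constructed from the thread: the exact "lf hid fskdemod" lines
# bruno84 posted, used here to cross-check the client's FC/Card output.
SAMPLE_LOG = """\
#db# TAG ID: 2007fc0002 (1) - Format Len: 26bit - FC: 254 - Card: 1
#db# TAG ID: 2007fc0004 (2) - Format Len: 26bit - FC: 254 - Card: 2
#db# TAG ID: 2007fc0064 (50) - Format Len: 26bit - FC: 254 - Card: 50
#db# TAG ID: 2007fc0379 (444) - Format Len: 26bit - FC: 254 - Card: 444
#db# TAG ID: 2007fc07cf (999) - Format Len: 26bit - FC: 254 - Card: 999
#db# TAG ID: 2004721264 (2354) - Format Len: 26bit - FC: 57 - Card: 2354
"""

LOG_LINE = re.compile(
    r"TAG ID: ([0-9a-f]+) \((\d+)\) - Format Len: (\d+)bit - FC: (\d+) - Card: (\d+)"
)

HID_MARKER_BIT = 37  # fixed '1' the Proxmark3 client checks for sub-37-bit formats


def _ones(x: int) -> int:
    """Number of set bits (parity helper)."""
    return bin(x).count("1")


def hid_format_len(tag_id: int):
    """Wiegand format length encoded in a Proxmark3 HID tag ID, or None.

    For formats shorter than 37 bits the ID carries a fixed marker at bit 37
    and a second '1' directly above the format's MSB; the bit position of
    that second marker equals the format length (bit 26 for a 26-bit card).
    Longer 37/44-bit formats are not handled by this example.
    """
    if not (tag_id >> HID_MARKER_BIT) & 1:
        return None
    below = tag_id & ((1 << HID_MARKER_BIT) - 1)
    if below == 0:
        return None
    return below.bit_length() - 1


def decode_h10301(tag_id: int) -> dict:
    """Split a 26-bit H10301 ID into facility code, card number and parity status.

    Layout (MSB first): even parity | 8-bit FC | 16-bit CN | odd parity.
    Even parity covers the leading parity bit plus the first 12 data bits;
    odd parity covers the last 12 data bits plus the trailing parity bit.
    """
    fmt_len = hid_format_len(tag_id)
    if fmt_len != 26:
        raise ValueError(f"format length {fmt_len}, not a 26-bit H10301 ID")
    w = tag_id & ((1 << 26) - 1)  # the 26 Wiegand bits
    fc = (w >> 17) & 0xFF
    cn = (w >> 1) & 0xFFFF
    even_ok = _ones((w >> 13) & 0x1FFF) % 2 == 0
    odd_ok = _ones(w & 0x1FFF) % 2 == 1
    return {"fmt_len": fmt_len, "fc": fc, "cn": cn, "parity_ok": even_ok and odd_ok}


def encode_h10301(fc: int, cn: int) -> int:
    """Build the tag ID (as lf hid clone takes it) for a 26-bit card."""
    if not 0 <= fc <= 0xFF or not 0 <= cn <= 0xFFFF:
        raise ValueError("FC must fit in 8 bits and CN in 16 bits")
    data = (fc << 16) | cn                          # 24 data bits
    p_even = _ones(data >> 12) & 1                  # make top half even
    p_odd = 1 - (_ones(data & 0xFFF) & 1)           # make bottom half odd
    w = (p_even << 25) | (data << 1) | p_odd
    return (1 << HID_MARKER_BIT) | (1 << 26) | w    # add the two marker bits


def check_proxmark_log(text: str) -> list:
    """Parse 'lf hid fskdemod' lines and re-derive FC/Card independently.

    Returns (tag_id_hex, fc, cn, agrees) per line; agrees is True when the
    independent decode matches what the client printed and parity is good.
    """
    results = []
    for m in LOG_LINE.finditer(text):
        tag_id = int(m.group(1), 16)
        printed = {"fmt_len": int(m.group(3)), "fc": int(m.group(4)), "cn": int(m.group(5))}
        d = decode_h10301(tag_id)
        agrees = all(d[k] == printed[k] for k in printed) and d["parity_ok"]
        results.append((m.group(1), d["fc"], d["cn"], agrees))
    return results


if __name__ == "__main__":
    for tag_hex, fc, cn, ok in check_proxmark_log(SAMPLE_LOG):
        print(f"{tag_hex}: FC={fc} CN={cn} {'ok' if ok else 'MISMATCH'}")
    # The card read in the first post: FC 254, Card 123.
    print(f"{encode_h10301(254, 123):x}")
```

Note that the arbitrary ID 1122334455 used with lf hid clone in the first post has bit 37 clear, so hid_format_len returns None for it; only IDs carrying the marker, like the ones printed in this thread, are decoded by this example.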

#6 2016-07-26 12:13:29

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Crack HID password

Snooping the password is possible, but it is not automatic. It will take a bit of manual work to demod the wave snooped. Dig into the lf snoop cmd. I helped someone use it in a post on here somewhere. Sorry, can't look for it atm.


#7 2016-07-26 12:17:44

iceman
Administrator
Registered: 2013-04-25
Posts: 9,536
Website

Re: Crack HID password

No, don't do what you did there.
Never write all zeros to the block0 (configuration); that could render your tag perma-locked.

However, do the snoop as @marshmellow mentioned; that's how we found the previous passwords for cloners.


#8 2016-07-26 12:19:54

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Crack HID password

@iceman, I believe he is referring to writing the tag from his cloner, not the pm3.


#9 2016-07-26 12:41:47

iceman
Administrator
Registered: 2013-04-25
Posts: 9,536
Website

Re: Crack HID password

That looks like PM3 commands to me...

I tried:
lf t55xx wr b 0 d 0 p 51243648
lf t55xx wr b 0 d 0 p 000D8787


#10 2016-07-26 12:48:19

bruno84
Contributor
Registered: 2016-07-25
Posts: 10

Re: Crack HID password

Yes, yes... I tried those commands on the tags that I copied using the hand-held writer, but no success.
Thanks for the hint about writing 0s.


#11 2016-07-26 12:55:21

iceman
Administrator
Registered: 2013-04-25
Posts: 9,536
Website

Re: Crack HID password

@op, since you have both a PM3 and the cloner, this will be a perfect time to practise LF. Go for the snoop while the cloner writes to a tag, save the trace, post it here (via a filesharing place, please) so we all can join in.


#12 2016-07-26 13:02:31

bruno84
Contributor
Registered: 2016-07-25
Posts: 10

Re: Crack HID password

That's the problem, iceman...

lf snoop does nothing:

proxmark3> lf snoop
proxmark3>

what am I missing here to capture the trace?

Btw, I have 3 different cloners...


#13 2016-07-26 13:12:51

iceman
Administrator
Registered: 2013-04-25
Posts: 9,536
Website

Re: Crack HID password

Three cloners, sweet, even more to play with your PM3 then.


You'll need to configure the LF first.

"lf configure h" will give you a good starting point.


#14 2016-07-26 19:22:54

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Crack HID password

iceman wrote:

That looks like PM3 commands to me...

I tried:
lf t55xx wr b 0 d 0 p 51243648
lf t55xx wr b 0 d 0 p 000D8787

Yep, sorry. Missed that.
