Proxmark3 Cheat Sheet by

This cheat sheet contains many useful commands to help you get started with Proxmark3.
Big thanks to Alex Dib, Philippe Teuwen and Iceman over on the RfidResearchGroup GitHub for their cheat sheet!

iClass

Reverse Permute Master Key
hf iclass permute r 3F90EBF0910F7B6F
Simulate Reader
hf iclass reader
Dump
hf iclass dump k AFA785A7DAB33378
Read Block
hf iclass readblk b 7 k AFA785A7DAB33378
Write to Block
hf iclass writeblk b 07 d 6ce099fe7e614fd0 k AFA785A7DAB33378
Print Keystore
hf iclass managekeys p
Add Key to Keystore [0-7]
hf iclass managekeys n 0 k AFA785A7DAB33378
Encrypt Block
hf iclass encryptblk 0000000f2aa3dba8
Load Dump
hf iclass eload f iclass_tagdump-filename.bin
Simulate
hf iclass sim 3
Simulation notes:
0 <CSN> simulate the given CSN
1 simulate default CSN
3 Full simulation using emulator memory
Simulate iClass Sequence
pm3 > hf iclass dump k AFA785A7DAB33378
pm3 > hf iclass eload f iclass_tagdump-db883702f8ff12e0.bin
pm3 > hf iclass sim 3
Clone iClass Legacy Sequence
pm3 > hf iclass readblk b 7 k AFA785A7DAB33378
pm3 > hf iclass writeblk b 07 d 6ce099fe7e614fd0 k AFA785A7DAB33378

iClass loclass attack

Extract custom iClass key (loclass attack)
pm3 > hf iclass sim 2
pm3 > hf iclass loclass f iclass_mac_attack.bin
pm3 > hf iclass dump k <Kcus> e
Verify custom iClass key
pm3 > hf iclass lookup u 010a0ffff7ff12e0 p feffffffffffffff m 66348979153c41b9 f default_iclass_keys.dic e

Generic Commands

High Frequency Search
hf search
Low Frequency Search
lf search
Measure Antenna Characteristics
hw tune
Check Version
hw version
Check overall status
hw status

Mifare

Check for Default Keys
hf mf chk *1 ? d default_keys.dic
Dump (0=Mini, 1=1k, 2=2k, 4=4k)
hf mf dump 1
Write to Block
hf mf wrbl 0 A FFFFFFFFFFFF d3a2859f6b880400c801002000000016
Hardnested Attack
hf mf hardnested 0 A FFFFFFFFFFFF 0 A w
Load Dump
hf mf eload 353C2AA6
Simulate
hf mf sim u 353c2aa6
Run autopwn
hf mf autopwn
Simulate Mifare Sequence
pm3 > hf mf chk *1 ? d default_keys.dic
pm3 > hf mf dump 1
pm3 > script run dumptoemul -i dump.bin
pm3 > hf mf eload 353C2AA6
pm3 > hf mf sim u 353c2aa6
Clone Mifare 1K Sequence
pm3 > hf mf chk *1 ? d default_keys.dic
pm3 > hf mf dump
pm3 > hf mf restore 1 u 4A6CE843 k hf-mf-A29558E4-key.bin f hf-mf-A29558E4-data.bin

Indala

Read
lf indala read
Demodulate
lf indala demod
Simulate
lf indala sim a0000000c2c436c1
Clone to T55x7
lf indala clone a0000000c2c436c1

Lua Scripts

List Scripts
script list
Convert .bin to .eml
script run dumptoemul -i filename.bin
Format Mifare card
script run formatMifare -k FFFFFFFFFFFF -n FFFFFFFFFFFF -x
Options
---
k <key> : the current six byte key
n <key> : the new key
a <access> : the new access bytes
x : execute the commands

HID Prox

Read
lf hid read
Demodulate
lf hid demod
Simulate
lf hid sim 200670012d
Clone to T5577
lf hid clone 200670012d
Convert Site & Facility code to Wiegand
lf hid wiegand 0 56 150
Brute force HID reader
Options
---
a <format> : 26|33|34|35|37|40|44|84
f <FC> : 8-bit value, facility code
c <CN> : (optional) Starting Number, max 65535
d <delay> : delay in ms. Default 1000ms
v : verbose logging, show all tries
---
pm3 > lf hid brute a 26 f 224
pm3 > lf hid brute v a 26 f 21 c 200 d 2000

Raw Data

Get samples
data samples <size>
Save samples
data save <filename>
Load samples
data load <filename>
raw samples [512-40000]

Hitag

Read Hitag information
lf hitag info
Act as Hitag reader
lf hitag reader 26
Sniff Hitag traffic
lf hitag sniff
Simulate
lf hitag sim c378181c_a8f7.ht2
Write to Block
lf hitag writer 24 499602D2 1 00000000
Simulate Hitag2 sequence
pm3 > lf hitag reader 21 56713368
pm3 > lf hitag sim c378181c_a8f7.ht2

T55XX

Detect T55XX
lf t55xx detect
Demodulation Config
lf t55xx config FSK
Write to Block
lf t55xx wr b 0 d 00081040
Factory Reset Tag
lf t55xx wipe
Modulation Types
<FSK|FSK1|FSK1a|FSK2|FSK2a|ASK|PSK1|PSK2|NRZ|BI|BIa>
EM is ASK
HID Prox is FSK
Indala is PSK
