proxmark3/client/dictionaries/extras
2023-04-09 18:47:12 +02:00
..
4_byte_ascii_numbers.dic
4_byte_most_common_password.dic
4_byte_most_common_password_uppercase.dic
4_byte_words.dic
4_byte_words_uppercase.dic
6_byte_ascii_numbers.dic
6_byte_most_common_password.dic
6_byte_most_common_password_uppercase.dic
6_byte_words.dic
6_byte_words_uppercase.dic
8_byte_most_common_password.dic
8_byte_most_common_password_uppercase.dic
8_byte_words.dic
8_byte_words_uppercase.dic
12_byte_most_common_password.dic
12_byte_most_common_password_uppercase.dic
12_byte_words.dic
12_byte_words_uppercase.dic
16_byte_most_common_password.dic
16_byte_most_common_password_uppercase.dic
16_byte_words.dic
16_byte_words_uppercase.dic
iclass_other.dic
readme.md

These are text password lists that can be used to brute force RFID passwords. There are a lot better ways to find a password, but I haven't seen anyone talk about using normal password lists against RFID tags or publishing a list exclusively for this purpose.

_byte_most_common_password.dic files are extracted from the top 10 million password list.

_byte_words_uppercase files are extracted from a common English dictionary.

Since most evidence (how ever small) shows that uppercase passwords are normally used with RFID these lists have been converted to upper case added.

Two sets for ascii number lists have also been in the event the password is an ascii number.

A better dictionary to use is:

https://github.com/RfidResearchGroup/proxmark3/tree/master/client/dictionaries

These are shorter lists and known default keys. My lists are to be used after the dictionary lists have been exhausted, and after other possible attacks have failed.

Some examples on what my lists could be used for:

T55xx and the em4305 chips use a 4 character password

Mifare Classic uses a 6 characters password (which will be added soon)

iClass uses an 8 characters password

Mifare Pluse uses a 16 characters password

Examples where my list could have helped find:

50524F58 spells out PROX

50415353 spells out PASS

These wouldn't be found in the most common password list, but they would be in the uppercase dictionary. Again, the more efficient way to do this would have been to run the t55xx_default_pwds.dic from https://github.com/RfidResearchGroup/proxmark3/tree/master/client/dictionaries. If they had not published that great default password list, then we still would have been able to find these passwords without needing to try all possibilities which could take years.

When looking at the Mifare Plus list in mfp_default_keys.dic, we see that there is some corresponding to ASCII with the passwords:

404142434445464748494a4b4c4d4e4f = @ABCDEFGHIJKLMNO

303132333435363738393a3b3c3d3e3f = 0123456789:;<=>?

605F5E5D5C5B5A59605F5E5D5C5B5A59 = `_^]\[ZY`_^]\[ZY

Those would not appear in any of the above lists, but this just shows more evidence of an ASCII collocation.

iClass_Other.dic

When reviewing default passwords from other lists you start seeing common password schemes being using. For example:

a0a1a2a3a4a5 
b0b1b2b3b4b5
from mfc_default_keys.dic

a0a1a2a3a4a5a6a7a0a1a2a3a4a5a6a7
b0b1b2b3b4b5b6b7b0b1b2b3b4b5b6b7
from mfp_default_keys.dic

As you can see there are some common themes in the above case its a0 then a1 ect. In these default password lists I took those themes and expanded them to fit the iClass key space. If you combine this with the other list https://github.com/RfidResearchGroup/proxmark3/blob/master/client/dictionaries/iclass_default_keys.dic It still only takes 1 second to run through all 86 keys.