RFID cloning with Proxmark3 Easy

In this post I would like to explain how, in a recent Red Team engagement, I successfully managed to clone an RFID access control card and gained entry to the premises.

# The Kit


The client was using HID 125 kHz cards. I used the "Proxmark3 Easy", a low-cost RFID cloning kit that is a stripped-down version of the full "Proxmark3 RDV2". The Proxmark3 Easy lacks several things: it has no battery, no relay support and no amplifier, and it has less memory. But the device is quite sufficient for a Red Team physical engagement.

It looks something like this when you order on Amazon.


I wanted to build a mobile RFID cloning kit and use it for my Red Team engagements, but note that with this setup the read range of about 6 cm is useless in real engagements: you really have to get up close to clone a card, and I'm not that brave. So the setup initially didn't work. However, I got lucky: my partner and I found a lost target-organisation HID card on the pavement during the recon work. So, more than the kit, keeping your eyes open really pays off! :-)


The one I built initially looked something like this :-) With the rubber bands etc. it looked a bit amateurish (the top arrow points to the Proxmark3 Easy; underneath it is the Raspberry Pi, and below that is the battery pack).



# Updating Firmware

OK, a bit of research about the Proxmark on the forums and several sites led me to install a specific firmware before operations. I went for Christian Herrmann's (Iceman) firmware and client software, mainly because he has extended the firmware to include brute-forcing (more on that later).

So the first thing is to download the client and firmware update software from the Proxmark GitHub repository. If you follow the steps to install on Ubuntu/Kali you may hit a problem where the firmware update does not fully complete; this is likely caused by ModemManager conflicting with the Proxmark. When I removed ModemManager I was able to install the firmware.

Follow the instructions here, using the setup and build guidelines for Ubuntu:

https://github.com/Fl0-0/iceman1001-proxmark3

# Running the client


Just identify the port the Proxmark is recognised on and run the client as below:


# Cloning the card

Place the card on top of the Proxmark3 (the card needs to be close, about 1-6 cm, to check whether it is read).

At the prompt, run the following command to read the card data with the card placed on top of the coil.

pm3 > lf hid read
HID Prox TAG ID: 0XXXXXX8 (8XXX8) - Format Len: 37bit - OEM: 000 - FC: XXXX - Card: 8XXX8 

Now that you have captured the TAG ID, to clone it to a T55xx card (T55xx cards are writable and are the usual target for writing cloned data), place the T55xx on the Proxmark and issue the command below.

pm3 > lf hid clone 0XXXXXX8
Cloning tag with ID 0XXXXXX8

The card is now cloned.

# Creating more TAG IDs

Now the interesting part: the cloned card could be a limited-privilege card, a visitor card, etc., and using the data from the previous step you could generate some TAG IDs that could potentially give you access to more parts of the building.

The following command generates the Wiegand data; from its output, identify the newly generated raw TAG ID and voilà! You have more TAG IDs/ID cards. Making more cards as appropriate from these could get you access to more restricted places in a building.

pm3 > lf hid wiegand 0 [Facilitycode] [Card Number]

Use the generated TAG IDs to write to more T55xx cards.

# Brute-forcing a Card Reader with Proxmark3

Additionally, if there is a HID / RFID reader you are able to access, you could even brute-force it and collect the TAG IDs, as seen below.


So if the mobile kit is working and this command is run against a HID card reader, you could open a door! Which is what I did!

# Remediation (this is WIP)

  1. Consider implementing iClass cards; however, note that even they can be exploited (source: https://scund00r.com/all/rfid/2018/06/05/proxmark-cheatsheet.html), so at least make it hard for attackers. Consult your vendor.
  2. Use a second authentication factor such as a PIN; note that even then an attacker could shoulder-surf while tailgating. Maybe consider randomly generated PINs.
  3. Advise staff not to wear ID cards in public and to store them in an RFID-blocking sleeve.
  4. Frequently monitor for any brute-force attempts at the entry points.

Hopefully this is useful.
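To make remediation point 4 concrete, here is an added detection example (my own code, not from the original post or the Proxmark project) that scans constructed access-control log lines in a hypothetical format and flags a reader that sees many distinct, consecutive card numbers denied within a short window, the pattern that enumerating card numbers at a reader leaves behind:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-control log in a hypothetical format:
# timestamp, reader id, facility code, card number, result
SAMPLE_LOG = """\
2018-06-05T08:01:10 door-1 123 40011 GRANTED
2018-06-05T08:02:00 door-1 123 40012 DENIED
2018-06-05T08:02:01 door-1 123 40013 DENIED
2018-06-05T08:02:02 door-1 123 40014 DENIED
2018-06-05T08:02:03 door-1 123 40015 DENIED
2018-06-05T08:02:04 door-1 123 40016 DENIED
2018-06-05T08:02:05 door-1 123 40017 DENIED
2018-06-05T08:03:30 door-2 123 51000 DENIED
2018-06-05T08:15:00 door-2 123 51000 GRANTED
"""

def parse_log(text):
    """Parse the constructed format into (ts, reader, fc, card, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, reader, fc, card, result = line.split()
        events.append((datetime.fromisoformat(ts), reader, int(fc), int(card), result))
    return events

def detect_bruteforce(events, window=timedelta(seconds=60), min_distinct=5):
    """Alert when one reader logs >= min_distinct distinct DENIED card numbers
    inside `window`; also report whether those numbers are consecutive, which
    a normal stream of forgotten or expired badges would not produce."""
    denied = defaultdict(list)  # reader -> [(ts, fc, card)]
    for ts, reader, fc, card, result in events:
        if result == "DENIED":
            denied[reader].append((ts, fc, card))
    alerts = []
    for reader, hits in denied.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):  # sliding window over denied reads
            while hits[end][0] - hits[start][0] > window:
                start += 1
            cards = sorted({c for _, _, c in hits[start:end + 1]})
            if len(cards) >= min_distinct:
                sequential = cards[-1] - cards[0] == len(cards) - 1
                alerts.append({"reader": reader, "first": hits[start][0],
                               "last": hits[end][0], "distinct_cards": len(cards),
                               "sequential": sequential})
                break  # one alert per reader per run is enough here
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(parse_log(SAMPLE_LOG)):
        print(alert)
```

Feed it your real reader logs by adapting `parse_log` to their format; the window and threshold are assumptions to tune against your own baseline of denied reads.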


