What's up Proxmarksmen, welcome to another Tradecraft episode of Hacker Warehouse TV. I'm Troy, and today I'm excited because we're going to dive into my favorite layer of security: the physical layer. We'll show you how to quickly and simply defeat an access control system using the Proxmark 3 RDV2. We'll do some sniffing, some emulating and a little RFID cloning, so stick around.

The Proxmark 3 is the gold standard of tools designed to read, decode, store and replay information from many low-frequency prox cards and high-frequency RFID cards. These prox cards are some of the most widely used physical security measures in corporate, educational and even government facilities around the world. The latest version of the Proxmark, the RDV2, has some additional capabilities to make it more portable and covert. To cite a few, it allows for a LiPo battery for standalone mode, updated cables, updated antennas and a modular mounting system that allows you to customize a reader to fit into many covert configurations. When you get a Proxmark RDV2 from Hacker Warehouse, the kit comes with everything you need to get started: one LF and one HF MMCX antenna, a cable for each, two Proxmark PCB protection shells and a six-RFID-tag bundle which includes one of each of the most popular types.

For our first demo we'll execute the classic sniff and replay attack. We'll first sniff a valid HF RFID and then replay the card in standalone mode. But before we can get started we're going to need to set up our Proxmark. Switch the Proxmark on and notice the LEDs. Now, this version of firmware blinks specific LED patterns to tell you which mode you're in. Initially it'll be in normal mode, ready to receive a command from the Proxmark client application. Pressing the button will allow you to cycle through various modes. In total there are two primary modes. Normal mode allows control of the Proxmark through a command line client application connected via USB. Now, this mode allows for reading, writing, cloning, card inspection, waveform protocol analysis, decryption, brute forcing and a whole slew of other applications. Standalone mode allows for quick reading and emulation of RFID cards without the need of the bulky computer. Card info is read into one of two memory banks, which can then be replayed or emulated back to a card reader. This allows for covert security audits using only the battery-operated Proxmark.

Okay, now that you know a little bit about modes, let's continue. Let's enter standalone mode. In order to switch modes we just need to press and hold the Proxmark's only button for about 2 seconds. The A, B, C lights will flash momentarily, leaving the C and D lights still on. Now, this means the Proxmark is now in standalone mode and is ready to skim the unique ID off of any RFID card that happens across that antenna. It'll then store the card's info into its internal bank A for immediate replay.

Now let's find and scan your target. Since we're in a lab setting we'll be using a card on hand that we know unlocks this device. Here's an official card enrolled to this door lock, so it opens the lock, but this one isn't enrolled, so it won't work. Now let's read our working card with the Proxmark. Notice that the D LED disappeared. This means that the Proxmark successfully read the RFID and automatically switched into emulation mode. Now the A, B and C LEDs will be lit, which means the Proxmark is currently emulating. Now let's replay the signal to the card reader. Since the Proxmark automatically switches to emulation mode, all we have to do is wave the Proxmark by the reader and it'll chirp the same unique ID of the card we scanned back to the reader, allowing us quick and easy entry into any door that the original badge had access to. It's really that easy, but there are a few things to note. You may want to hide the Proxmark in a small RFID-friendly container to make it more covert; circuit boards and antenna cables usually raise eyebrows. Also, this particular target was using the newer HF RFID card. The standalone mode is HF cards only by default, and most companies are still using the older low-frequency cards, which is the most widely used technology in corporate America. You'll need to reflash your Proxmark with a different image to get default low-frequency standalone mode. It can run in either mode, just not both at the same time.

All right, for our next demo we're going to show you how to clone an unknown access card. This time we're going to connect the Proxmark to a Raspberry Pi and run a few commands from the Proxmark console. Now, I'm using the same Raspberry Pi from our previous Tradecraft video, a Model B running Raspbian Jessie OS. First, download the latest Proxmark source code from the GitHub repository and compile from the client directory. Once all the tools are built, simply plug in the Proxmark and run proxmark3 with your USB device; you might have to adjust for your USB port number. You should see some informational text about hardware specs followed by a Proxmark prompt. Now that we have everything set up, let's first place the unknown tag against a low-frequency antenna and run the lf search command. So if this had returned nothing, or the application hangs, then we would know that this is in fact not an LF card at all, so we would need to try some other methods. But since we see the tag ID, we know that this is an EM4100. Let's go ahead and copy the tag ID onto our backup copy. Go ahead and run the lf em410x write command and cut and paste the original ID into the command. Be sure to set the flag for the type of card you're writing to; in this case we use a 1 because we're writing to a T5557 card. Easy. The blank should now be a copy of the original card. Leave it on the antenna and search for it again: type lf search. Now notice that it looks identical to the first, so now you have an exact clone. Go use your backup copy with confidence.

Here we have another demo lock setup. Now, we didn't have time to set up the latch mechanism, but the backend controller output shows the card IDs being scanned at the reader. First we have our original card, then the cloned card, and both show up as the same ID on the backend server. Now is a good time to remind you that this is why using RFID serial numbers alone for access control is just a bad idea. Newer card technologies are more secure since they use data stored on the memory of the card with challenge-response encryption keys and not just the card's plain text ID.

As you can see, the state of proximity card security is quite broken. Sniffing and cloning access cards is insanely easy with this tool. Now, that's not to say there aren't some ways to throw a Proxmark. Here are a few tips to consider. One: consider keeping your card in an RFID blocking case or badge holder that is appropriate for the type of card you have. These disrupt or attenuate the RF coupling between the card and the antenna, preventing the badge from being read or at least corrupting the read. Two: consider updating from low-frequency prox cards to a high-frequency RFID card system that uses encryption. Three: use that encryption. If you don't use encryption on a high-frequency system then you're actually in worse shape than a low-frequency prox system, since the higher frequency systems are easier to eavesdrop on. Using encryption at least requires an attacker to listen in on a legitimate card-to-reader exchange and try to decrypt the card's key using offline tools, such as this same Proxmark tool, in order to break the encryption. Four: implement dual validation readers that require a badge and a PIN number. A badge is something you have; adding something you know to the equation makes an attack much harder to execute.

Okay, that's it for now. If you have a better way to make RFID access more secure, tell us in the comments below. That's it for this episode of Tradecraft. I'm Troy, and remember, please keep it between the laws.
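As an added example that is not from the video, here is the defender's counterpart to the backend controller log shown in the demo: a small Python check that flags a card ID presented at two different readers faster than one badge holder could walk between them, which is how a cloned serial number tends to surface in access logs when serial numbers alone are trusted. The log format, reader names, card IDs and the 30-second threshold are constructed for this example, and the check only catches a clone while the legitimate card is also in circulation.

```python
# Added example, not the video's own code: spot a cloned serial number in a
# constructed access-controller log by looking for the same card ID granted
# entry at two different readers within an implausibly short interval.
from datetime import datetime

# Constructed sample of a controller log: timestamp, reader, card ID, result.
SAMPLE_LOG = """\
2016-05-01T08:00:05 LOBBY-DOOR 1D2E3F4A5B GRANTED
2016-05-01T08:00:20 LAB-DOOR   1D2E3F4A5B GRANTED
2016-05-01T08:00:40 LOBBY-DOOR 7A7B7C7D7E GRANTED
2016-05-01T08:12:10 LAB-DOOR   7A7B7C7D7E DENIED
2016-05-01T09:30:00 LOBBY-DOOR 1D2E3F4A5B GRANTED
"""


def parse_events(text):
    """Parse the constructed log into (timestamp, reader, card_id, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, reader, card_id, result = line.split()
        events.append((datetime.fromisoformat(ts), reader, card_id, result))
    return events


def find_clone_indicators(events, min_walk_seconds=30):
    """Return (card_id, previous_reader, reader, seconds_apart) for every granted
    read of a card at a different reader than its previous granted read, when the
    two reads are closer together than min_walk_seconds (a constructed threshold;
    tune it to the real walking time between the readers)."""
    alerts = []
    last_seen = {}  # card_id -> (timestamp, reader) of its last granted read
    for ts, reader, card_id, result in sorted(events):
        if result != "GRANTED":
            continue  # denied reads do not prove a card was physically present
        prev = last_seen.get(card_id)
        if prev is not None and prev[1] != reader:
            gap = (ts - prev[0]).total_seconds()
            if gap < min_walk_seconds:
                alerts.append((card_id, prev[1], reader, gap))
        last_seen[card_id] = (ts, reader)
    return alerts


if __name__ == "__main__":
    for card_id, first, second, gap in find_clone_indicators(parse_events(SAMPLE_LOG)):
        print(f"possible clone: {card_id} seen at {first} then {second} {gap:.0f}s apart")
```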