October 22, 2018

Badge Cloning: Clone HID Prox with Proxmark3 RDV4 - Standalone Mode

You see those folks badging into their secure facilities, and you think to yourself, "Self. I, too, would like to badge into those secure facilities... but I don't have a badge!!! WHY DON'T I HAVE A BADGE?!?"

You have a couple of options here:

  1. Get a job at the facilities, get an actual badge, and become an Insider Threat!
  2. Just ask to be let in, tailgate, or go through the myriad of open side doors.
  3. Be the special h4x0r that you are, do it the hard way, and CLONE A BADGE!!!

Let's go with 3. 'Cause 3 is fun.

(::sneezes:: Breaking and Entering ::wipes snot off face:: Official Physical Penetration Test with Permission Only ::clears throat in an unnaturally loud way:: Don't run from armed guards... ::hocks a loogie::)

Note: In order for this method to work, the "secure" facility must use an insecure badge protocol, such as HID Prox. But don't worry. Even though there are a multitude of secure protocols out there, all corporations use HID Prox. Unless they're hotels... in which case they use Mifare Classic 1K, which is insecure as well.

So what exactly is RFID?

Contactless access badges that you use to "badge into" secure (HAHAHAHAH!!!!) facilities use a mechanism called "RFID" to transmit your IDentification via Radio Frequency. RFID stands for "Reducing Fraudulent and Imitation Drugs" and was a failed effort by the US Government to create a bottleneck in the supply of pharmaceuticals by forcing technology for technology's sake through the implementation of easily bypassable mechanisms of authenticating drug packaging and has nothing to do with this article.

The badges become activated by a badge reader and transmit data back to the badge reader using magic. Ideally this wireless transmission of data would be encrypted. Many modern protocols do this. With HID Prox, however, the data is transmitted in the clear. The data is generally a string of 1's and 0's that indicate a facility code and a badge number. The number is tied to a database that determines if the person holding that badge can enter that specific door.
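To make that "string of 1's and 0's" concrete, here is an added example (not part of the original post) that decodes one frame. The post names no bit layout, so the common open 26-bit layout (parity, 8-bit facility code, 16-bit card number, parity) is an assumption, and the sample frame is constructed. The frame carries only parity for read errors, with no key or counter, so a reader sees the same bits on every presentation.

```python
from dataclasses import dataclass

# Constructed sample frame (not from a real badge): facility 123, card 45678.
SAMPLE_FRAME = "10111101110110010011011101"


@dataclass(frozen=True)
class Credential:
    facility_code: int
    card_number: int


def decode_26bit(bits: str) -> Credential:
    """Decode one frame; assumed layout: P | 8-bit FC | 16-bit CN | P."""
    bits = bits.replace(" ", "")
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 characters of 0/1")
    # The leading bit gives the first 13 bits even parity.
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("leading (even) parity check failed")
    # The trailing bit gives the last 13 bits odd parity.
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("trailing (odd) parity check failed")
    return Credential(int(bits[1:9], 2), int(bits[9:25], 2))


def rejected_single_bit_flips(bits: str) -> int:
    """Count how many one-bit corruptions of a frame the parity bits catch."""
    rejected = 0
    for i in range(len(bits)):
        flipped = bits[:i] + ("1" if bits[i] == "0" else "0") + bits[i + 1:]
        try:
            decode_26bit(flipped)
        except ValueError:
            rejected += 1
    return rejected


if __name__ == "__main__":
    print(decode_26bit(SAMPLE_FRAME))
    print(rejected_single_bit_flips(SAMPLE_FRAME), "of 26 bit flips rejected")
```

Parity here is error detection only: it catches a misread bit, but nothing in the frame lets a reader tell the original card from a copy of the same bits.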

So... let's just pull that number out of the air and replay it to the badge reader ourselves!

Proxmark3 RDV4

The Proxmark3 is a small electronic device that facilitates RFID security research. In other words, it's a very powerful gadget that lets us hack and research methods to hack a large variety of RFID protocols using the latest software milspec repos. The most recent version of this device, the RDV4, was developed and supported by the RFID Research Group, which consists of ProxGrind, Iceman, 0xFFFF, and Dot.Com. The RDV4 builds upon an immense amount of knowledge and contributions which stem from original research by Jonathan Westhues. It has a dedicated community. Dive in here: http://proxmark.org/forum/index.php

Big thing to know about the Proxmark3 is it's not really a "beginner's tool." It's not meant to be turnkey. It's meant to be a robust platform to read various High and Low Frequency RFID protocols. It's meant to be extended upon, in software, firmware, and hardware. So if you dive in, learn a bit about RFID in general first. Radio Frequencies predate computers by quite a bit. Go down to your local Radio Shack and tool around. Don't just go over to their forums and shout out "Teach Me To Hack Badges!!! KTHXBYE!!!" Read everything you can. Then go for it.

All of that said and done with... they built in functionality to allow you to clone badges and replay the badge information into a badge reader. All without a computer! That was nice of them...

The UI consists of a string of four Red LEDs and four Blue LEDs. The red ones, above the letters A, B, C, and D, are the ones we'll pay attention to. The LEDs have three states: On (bright), On (dim/flickering), and Off.

Cloning Badges - Standalone Mode

Grab your Proxmark3 RDV4 and a battery pack. Find a target with a badge to clone. Eye your target with spite and malice. Let's do this.

  1. Power: Plug Proxmark3 RDV4 into a battery pack. Blue LEDs over the power symbol will be lit.
  2. Turn On: Press and hold the white button for two seconds to turn on Standalone Mode. Release button when red LEDs begin to blink. Red LEDs (A,B,C,D) will begin blinking. When ready, the Red 'C' LED will remain on.
  3. Set to Record: Press and hold the white button for two seconds then release to turn on "Recording". Red 'C' LED will be on and bright. Red 'D' LED will be dim and flickering.
  4. Clone Badge: Bring badge card and Proxmark3 together (less than 2 inches with built-in antenna). Red 'D' LED will turn off. Red 'C' LED will remain on and bright.
  5. Set to Playback: Press and release white button to turn on "Playback". Red 'B' LED and Red 'C' LED will be on and bright.
  6. Badge-In: Bring the Proxmark3 close to a badge reader to "badge-in" as the cloned card.

Troy over at Hacker Warehouse created a nice infographic that shows the various states. I've blatantly stolen his image and posted it below. He can't stop me. No one can stop me.

You'll notice that there's room for a second badge to be cloned in "Card Bank 2". Don't get greedy. Grab one card. Badge in. PrivEsc and Pivot.

Attack Methodology and Conclusion

The Proxmark3 RDV4 is a streamlined, elegant, and small research device that comes with a built-in antenna. In a "field attack", it has pros and cons. Its small footprint allows it to be hidden behind dummy ID badges, to be slipped in and out of a back pocket. The built-in antenna allows both high and low frequency readings and replays. It has to be close to the target badge, however. You'll only have about 1 to 2 inches.

Perhaps someone will leave the badge on a cafe table. Perhaps you'll be sly enough to brush past them while on an elevator or standing in line. Perhaps you'll spend an hour talking to a team of security guards, imprinting your face into their memory and security footage, and then hugging one of them in a brazen display of folly and sloppiness, resulting in your entire operation being blown, and you being caught and arrested. But you had a Get Out of Jail Free card, you had pentester's permission, so you didn't care about actual Threat Emulation, did you. DID YOU?!

Anyhow. If you'd like a bit more range than 1 or 2 inches, you'll need to buy, steal, or build a larger antenna. We'll leave that for another day.

Hack the Planet.