The purpose of this tutorial is to provide you with the resources and information necessary to acquire, assemble, create, configure, and run the hardware and software needed to capture and clone Low Frequency (LF) Badge ID information. This can then be used to test the adequacy of your physical security Badge ID system and hopefully mitigate identified vulnerabilities.
THE INSTRUCTIONS AND INFORMATION CONTAINED WITHIN THIS DOCUMENT/PAGE/TUTORIAL ARE FOR EDUCATIONAL PURPOSES ONLY. CAPTURING BADGE INFORMATION THAT YOU DO NOT FULLY OWN AND CONTROL IS VERY LIKELY ILLEGAL WHEREVER YOU LIVE AND YOU WILL BE BREAKING THE LAW IF YOU DO SO. DON’T BREAK THE LAW.
Purchase the Parts & Components
- Tastic RFID Thief Hardware:
Handy Amazon shopping list: https://amzn.com/w/WZG69O5IX6II
or List of parts from Bishop Fox here: https://www.bishopfox.com/download/778/
- microSD Transflash Breakout from Sparkfun https://www.sparkfun.com/products/544
- Download the schematics from Bishop Fox (https://www.bishopfox.com/download/817/) and upload them to Fritzing to have the circuit board manufactured (other board fabricators exist; I just chose Fritzing for this tutorial)
- Bare-bones HID MaxiProx Reader 5365 (reads cards from 3 ft away)
- Purchase a Proxmark3. It also reads LF/HF cards, but only from 2 inches away.
Setup Arduino & Software
- Download Arduino Software: http://arduino.cc/en/Main/Software
- Download the SdFat library (http://sdfatlib.googlecode.com/files/sdfatlib20111205.zip), extract the zip file, and put only the SdFat directory in the Arduino Contents –> Java –> libraries folder
- Download the Tastic RFID code: http://www.bishopfox.com/download/814/
- You will likely need to download and install the FTDI USB drivers – OR – the drivers for the Chinese USB-serial chip if you’re using an Arduino clone
- Connect the Arduino microcontroller to the computer using the supplied USB cable
- Compile and upload the code to the Arduino microcontroller. Make sure the board shows up and is selected under “Tools –> Port” in the Arduino software (usually listed as a COM port on Windows)
- You may need to change the LCD’s brightness and contrast. If you do, find the following lines in the code and change them to values that work for you. I changed the contrast to 15 and brightness to 2. Once you change them, you will need to compile and upload the code again to the Arduino.
Connecting & Soldering the Hardware
- Solder the parts as shown in the image below, and make sure the solder joints on the back are solid or you will be doing a lot of troubleshooting later.
- Change the jumpers on the HID MaxiProx to turn off the beeper and configure it for 18 V input.
SW1: Push jumper 4 down
P2: Shunt Pins 1 & 2
Wiring the Connectors
- MaxiProx (you can use any suitable wires you wish; these are just the color-coded ones I used for simplicity)
TB1 – Brown on slot 1
TB1 – Red on slot 3
TB2 – Black on slot 1
TB2 – White on slot 2
Bishop Fox Card: Red > Brown > Black > White
Bishop Fox LCD Connector: Black > Light Grey > Dark Grey
LCD Panel (top left to right): Dark Grey > Light Grey > Black
- You will need a microSD card formatted with FAT. Once you have that, insert it into the slot in your board.
- Turn on the HID MaxiProx using the on/off switches on the battery packs. If all goes well, you should see a set of green and red lights on the MaxiProx, and the LCD should read “SD Card initialized”.
Note: If something doesn’t work, make sure 1) your soldering is good, 2) you’ve mapped the wiring correctly, 3) you’re getting power from the batteries
- Scan the test card that came with the Proxmark3. You should see the card’s info appear on the LCD, and it should also be written to the microSD card.
- Download and setup the Proxmark3 software. Follow instructions for your OS. https://github.com/Proxmark/proxmark3/wiki
- Remove the microSD card from the Tastic RFID Thief, and insert it into your computer so you can extract the Device ID needed for cloning.
The Device ID I captured is 2004e202Bd
- Place the T5577 card that came with the proxmark3 kit on the LF antenna and plug in the proxmark3 to the computer
- Navigate to the client directory and launch the proxmark3 client, passing the USB or serial device name your computer assigned to it
# ./proxmark3 /dev/cu.usbmodem1411
- Run the lf hid clone command with the device ID
proxmark3> lf hid clone 2004e2018d
- Validate that the card has been cloned correctly by running the following command while the cloned card is still sitting on the antenna
proxmark3> lf hid fskdemod
- You should see a result similar to the one below
#db# TAG ID: 2004e2018d (198) – Format Len: 26bit – FC: 113 – Card: 198
- That’s it, you’re done! The T5577 card has been cloned and can be used in place of the original card
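The tag ID the Tastic writes to the microSD card and that proxmark3 prints at the validation step is a 26-bit HID (H10301) Wiegand frame with the facility code and card number in the clear. The following decoder is an added example (not code from this tutorial, Bishop Fox or the Proxmark project): it checks the two parity bits and recovers FC and card number, so an auditor can confirm a logged ID is a clean read and that the badge population really is on the legacy 26-bit format before reporting it.

```python
# Added example: decode a Proxmark-style HID Prox tag ID (hex string such as
# "2004e2018d") as a 26-bit H10301 frame and verify its parity bits.
#
# Layout of the low 27 bits of the tag ID (bit 0 is rightmost):
#   bit 26      : sentinel "1" HID sets just above a 26-bit frame
#   bit 25      : even parity over bits 24..13
#   bits 24..17 : facility code (8 bits)
#   bits 16..1  : card number (16 bits)
#   bit 0       : odd parity over bits 12..1

def decode_hid26(tag_id: str) -> dict:
    """Return {'fc', 'card', 'parity_ok'} for a 26-bit HID tag ID.

    Raises ValueError if bit 26 is clear, i.e. the ID is not a 26-bit frame
    (longer HID formats such as 35- or 37-bit cards need a different decoder).
    """
    raw = int(tag_id, 16)
    if not (raw >> 26) & 1:
        raise ValueError(f"{tag_id}: bit 26 sentinel not set, not a 26-bit HID frame")
    frame = raw & 0x3FFFFFF                 # the 26 Wiegand bits
    even_parity_bit = (frame >> 25) & 1     # leading parity bit
    fc = (frame >> 17) & 0xFF               # facility code
    card = (frame >> 1) & 0xFFFF            # card number; proxmark prints it in ()
    odd_parity_bit = frame & 1              # trailing parity bit
    first12 = (frame >> 13) & 0xFFF         # bits 24..13, covered by even parity
    last12 = (frame >> 1) & 0xFFF           # bits 12..1, covered by odd parity
    even_ok = (bin(first12).count("1") + even_parity_bit) % 2 == 0
    odd_ok = (bin(last12).count("1") + odd_parity_bit) % 2 == 1
    return {"fc": fc, "card": card, "parity_ok": even_ok and odd_ok}


if __name__ == "__main__":
    # The two IDs quoted in the tutorial, plus a constructed copy of the second
    # with its trailing parity bit flipped to show a corrupted read being caught.
    for tag in ("2004e202bd", "2004e2018d", "2004e2018c"):
        d = decode_hid26(tag)
        print(f"TAG ID: {tag} - Format Len: 26bit - FC: {d['fc']} - "
              f"Card: {d['card']} - parity {'OK' if d['parity_ok'] else 'BAD'}")
```

The decode of 2004e2018d matches the FC 113 / Card 198 line proxmark3 prints above; a single flipped bit fails the parity check, which is the only integrity protection this format has.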
The purpose of this exercise was to demonstrate that relying on old/legacy Badge ID cards to protect physical access to a facility leaves the premises vulnerable: an attacker who can capture Badge ID information from employees can use it to create cloned cards, enter the facility, and gain physical access to sensitive information or cause damage. Compensating controls that operate after hours, such as motion sensors and intruder alarms, can be helpful, but they do very little to stop imposters during the day.