Long Range Badge ID Cloning with Bishop Fox Tastic RFID Thief and Proxmark3

The purpose of this tutorial is to provide you with the resources and information necessary to acquire, assemble, create, configure, and run the hardware and software needed to capture and clone Low Frequency (LF) Badge ID information. This can then be used to test the adequacy of your physical security Badge ID system and hopefully mitigate identified vulnerabilities. 

THE INSTRUCTIONS AND INFORMATION CONTAINED WITHIN THIS DOCUMENT/PAGE/TUTORIAL ARE FOR EDUCATIONAL PURPOSES ONLY. CAPTURING BADGE INFORMATION THAT YOU DO NOT FULLY OWN AND CONTROL IS VERY LIKELY ILLEGAL WHEREVER YOU LIVE AND YOU WILL BE BREAKING THE LAW IF YOU DO SO. DON’T BREAK THE LAW.

Purchase the Parts & Components

  1. Tastic RFID Thief Hardware:
    Handy Amazon shopping list: https://amzn.com/w/WZG69O5IX6II
    or List of parts from Bishop Fox here: https://www.bishopfox.com/download/778/
  2. microSD Transflash Breakout from Sparkfun https://www.sparkfun.com/products/544
  3. Download the schematics from Bishop Fox: https://www.bishopfox.com/download/817/
    and upload them to Fritzing for manufacturing the circuit board (there are other manufacturers, I just chose Fritzing for this tutorial)
    http://fab.fritzing.org/fritzing-fab

    TASTIC - All Parts
    Bare bones HID MaxiProx Reader 5365 (reads cards from 3 ft away)

    TASTIC - HID Empty
  4. Purchase a Proxmark3. It also reads LF/HF cards, but only from 2 inches away.
    https://store.ryscc.com/collections/all/products/new-proxmark3-kit

    Proxmark3 Image

Setup Arduino & Software

  1. Download Arduino Software: http://arduino.cc/en/Main/Software
  2. Download the SdFat library (http://sdfatlib.googlecode.com/files/sdfatlib20111205.zip), extract the zip file, and put only the SdFat directory in the Arduino Contents –> Java –> libraries folder

    TASTIC - Arduino Library SDFAT

  3. Download the Tastic RFID code: http://www.bishopfox.com/download/814/
  4. You will likely need to download and install the USB FTDI drivers – OR – the Chinese chip drivers if you’re using an Arduino clone
    1. http://www.ftdichip.com/Drivers/VCP.htm
    2. http://www.wch.cn/download/CH341SER_MAC_ZIP.html
  5. Connect the Arduino microcontroller to the computer using the supplied USB cable
  6. Compile and upload the code to the Arduino microcontroller. Make sure you can see and select the USB device under “Tools –> Port” in the Arduino software; it usually appears as a COM port

    TASTIC - Arduino with Code

  7. You may need to change the LCD’s brightness and contrast. If you do, find the following lines in the code and change them to values that work for you. I changed the contrast to 15 and brightness to 2. Once you change them, you will need to compile and upload the code again to the Arduino.

    TASTIC - LCD Code

Connecting & Soldering the Hardware

  1. Solder the parts as shown in the image below, and make sure the solder joints on the back are solid or you will be doing a lot of troubleshooting later.

    TASTIC - Bishop Fox Soldered

  2. Change the jumpers on the HID to turn off beeping and to configure it to take in 18v. 

    SW1: Push jumper 4 down
    P2: Shunt Pins 1 & 2

    TASTIC - HID Jumpers

Wiring the Connectors

  1. MaxiProx (you can use any suitable wires you wish, these are just color coded ones I used for simplicity)

    TB1 – Brown on slot 1
    TB1 – Red on slot 3
    TB2 – Black on slot 1
    TB2 – White on slot 2

    TASTIC - HID Wires Out

    Bishop Fox Card: Red > Brown > Black > White

    TASTIC - HID Wires In

    Bishop Fox LCD Connector: Black > Light Grey > Dark Grey
    LCD Panel (top left to right): Dark Grey > Light Grey > Black

    TASTIC - Setup Wires

Test Functionality

  1. You will need a microSD card formatted with FAT. Once you have that, insert it into the slot in your board.
  2. Turn on the HID MaxiProx using the on/off switches on the battery packs. If all goes well, you should see a set of green and red lights on the MaxiProx, and the LCD should read SC Card initialized. 

    Note: If something doesn’t work, make sure 1) your soldering is good, 2) you’ve mapped the wiring correctly, 3) you’re getting power from the batteries

    TASTIC - Final SD Card Initialized

  3. Scan the test card that came with the Proxmark3. You should see the info pop up on the screen, and it should be written to the microSD card too.

    TASTIC - LCD Card Read

Cloning Cards

  1. Download and set up the Proxmark3 software. Follow the instructions for your OS. https://github.com/Proxmark/proxmark3/wiki
  2. Remove the microSD card from the Tastic RFID Thief, and insert it into your computer so you can extract the Device ID needed for cloning.
    The Device ID I captured is 2004e202Bd

    TASTIC - cards_info

  3. Place the T5577 card that came with the Proxmark3 kit on the LF antenna and plug the Proxmark3 into the computer

    TASTIC - T5577 Clone

  4. Navigate to the client directory and launch the proxmark3 client, passing the USB or serial device name your computer recognized

    # ./proxmark3 /dev/cu.usbmodem1411

  5. Run the lf hid clone command with the Device ID

    proxmark3> lf hid clone 2004e2018d

    TASTIC - hid_clone

  6. Validate that the card has been cloned correctly by running the following command while the cloned card is still sitting on the antenna

    proxmark3> lf hid fskdemod

  7. You should see a result similar to the one below
    #db# TAG ID: 2004e2018d (198) – Format Len: 26bit – FC: 113 – Card: 198

    TASTIC - hid_clone_validate

  8. That’s it, you’re done! The T5577 card has been cloned and can be used in place of the original card
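
The validation in steps 6 and 7 can also be checked offline by decoding the TAG ID into the facility code and card number that the client prints. The following is an added example, not code from this tutorial or from the Proxmark3 project; the bit layout (header bit 37, sentinel bit 26, standard 26-bit parity) is an assumption based on the output shown in step 7, and the function names are hypothetical.

```python
# Added example (not from the tutorial or the Proxmark3 project).
# Assumed layout of the 10-hex-digit TAG ID for HID Prox 26-bit:
#   bit 37 = short-format header, bit 26 = sentinel marking the length,
#   then even parity | 8-bit facility code | 16-bit card number | odd parity.

def decode_hid26(tag_id_hex):
    """Decode a Proxmark3 HID TAG ID string into its 26-bit Wiegand fields."""
    raw = int(tag_id_hex.strip(), 16)
    if not (raw >> 37) & 1:
        raise ValueError("short-format header bit not set")
    # Highest set bit below the header is the sentinel; its index is the length.
    fmt_len = (raw & ((1 << 37) - 1)).bit_length() - 1
    if fmt_len != 26:
        raise ValueError("format length is %d bits, not 26" % fmt_len)
    bits = raw & ((1 << 26) - 1)
    # Even parity covers the upper 13 bits, odd parity the lower 13 bits.
    upper_ones = bin(bits >> 13).count("1")
    lower_ones = bin(bits & 0x1FFF).count("1")
    return {
        "format_len": fmt_len,
        "facility_code": (bits >> 17) & 0xFF,
        "card_number": (bits >> 1) & 0xFFFF,
        "parity_ok": upper_ones % 2 == 0 and lower_ones % 2 == 1,
    }


def same_credential(logged_id, readback_id):
    """True when both IDs decode to the same, parity-valid credential."""
    a, b = decode_hid26(logged_id), decode_hid26(readback_id)
    return a == b and a["parity_ok"]


if __name__ == "__main__":
    # The two IDs printed in this tutorial (step 2 and steps 5-7).
    for label, tag in (("SD card log", "2004e202Bd"), ("read-back", "2004e2018d")):
        print(label, tag, decode_hid26(tag))
    print("match:", same_credential("2004e202Bd", "2004e2018d"))
```

For the two IDs printed on this page it returns facility code 113 for both, but card number 350 for the step 2 value and 198 for the value in steps 5 to 7, so same_credential reports them as different credentials.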

The purpose of this exercise was to demonstrate that relying on old/legacy Badge ID cards to protect physical access leaves a facility vulnerable. An attacker who can steal Badge ID information from employees can use it to create cloned cards, enter the facility, and gain physical access to sensitive information or cause damage. Compensating controls after hours, such as motion sensors and intruder alarms, can be helpful, but they do very little to stop imposters during the day.
