HID Reader + Arduino = RFID Card Catcher

My previous post showed you the steps I took to get RFID cloning capabilities. The biggest problem I face with that implementation is distance. In order to read an RFID card you need to be practically touching it with the proxmark3’s antenna. This can be an issue, especially when you are trying to go unnoticed.

I got the idea of getting more distance from the site proxclone.com and this article. The problem I have is that I am not an Electronics Engineer and I can barely write code. I could probably assemble the cloner he demonstrates, but I would have no idea at all how to write the code for it. So I thought, maybe I can use an Arduino instead, and thus this project started. I currently do not have the ability to clone cards using the Arduino, so I gather the card numbers and write them to a MicroSD card; then I can use my proxmark3 to create cloned cards (see previous article). The other issue I have is that the MaxiProx readers aren’t cheap and I am not currently willing to fork over the money to get one on eBay. (Update: With the ProxPro II at 5V I get a distance of about 5 inches, a bit better than the distance of the Proxmark3.)

So without further ado, I will show you how to make this:
HID Reader Front

HID Reader Back

Parts List:
1 HID ProxPro II 5455 Reader
1 Arduino Pro Micro 5V
1 MicroSD Card Breakout Board for Arduino
1 MicroSD card
1 DPDT Switch, small enough to fit in mounting holes on HID reader
1 9V Battery
1 MicroUSB connector
1 9V Battery connector
1 16×2 Character Serial Enabled LCD screen 5V

The wiring is pretty simple. The HID reader has several wires that are coming out of it, the only ones we need are the GREEN, WHITE, RED, and BLACK wires. Here is the wiring for the different devices:

HID Green > Pin 2 Pro Micro
HID White > Pin 3 Pro Micro
HID Red > VCC Pro Micro
HID Black > GND Pro Micro
SD CS > Pin 10 Pro Micro
SD DI > Pin 16 Pro Micro
SD DO > Pin 17 Pro Micro
SD SCK > Pin 15 Pro Micro
LCD RX > Pin 4 Pro Micro
LCD 5V > VCC Pro Micro
LCD GND > GND Pro Micro

I mounted my Arduino to a PCB from RadioShack so that I could solder the wires in with the Arduino. This seemed necessary because of the multiple connections to Ground and 5V. I also drilled out one of the mounting holes in the HID reader and fed the cable into the inside of the reader, as you can see in the picture. If the cable is stripped beforehand the wires can probably be laid flatter and you wouldn’t have to drill out the hole. Also, I am only using the previously mentioned wires, so I cut all the other wires off because I didn’t need them. The ProxPro II has its circuit board and everything else in the reader potted in epoxy to make it less accessible and cheaper to produce, but this leaves a perfect amount of space to package everything inside. The 9V battery is a little bulky so I am unable to completely close the cover, but that is unnecessary for my use because the whole thing will be concealed in something inconspicuous anyway.

Once you have everything wired up you can download my sketch here. I am not a professional programmer so my code is messy and could probably use some streamlining. I have several comments that tell you what the different sections are doing. I have also commented out the code for the LCD which I am currently not using, and some code for debugging. Feel free to modify it as you please and if you do make it better please send me a copy to admin [ at ] colligomentis [ dot ] com.

I would like to thank carl55 on proxmark.org for a TON of help understanding the HID card format; without his help I wouldn’t have been able to properly output the card ID values. I would also like to thank the guys who did this article, which provided me with the starting point for my code.

My next project with this will be a “Honeypot” that I can mount to a wall and have people come up and scan their badges and input their PINs. If it happens I will be sure to post the results here. Until next time, have fun.

May 16th, 2012 by Colligo Mentis

Proxmark3 T55x7 Cloning Standalone

I have been working with the proxmark3 now for a while. I was looking at it as a solution for RFID cloning for use in physical penetration tests. The card types that we typically encounter during tests are either HID ProxCard II clamshell style cards or the ISO-Thin ISOProx II or DuoProx II cards. The proxmark3, out of the box, supports reading and simulating HID cards by broadcasting the scanned card’s value on its antenna. However, it is kind of clunky to use the proxmark3 when you are trying to badge into a door, so we needed cloning capabilities.

I will go ahead and give my disclaimer: I am not an expert at all on RFID or embedded devices, including the proxmark3, which was completely new to me when I started less than a year ago. That being said, trying to add cloning capabilities with no understanding of how the proxmark3 works or how RFID tags are read and written is a HUGE mountain to climb. Luckily someone much smarter came along and added the ability to clone HID cards to the generic T5557/T5567 type cards. The T55x7 type cards are generic RFID cards that can be purchased very cheaply online, most likely from somewhere in China.

Many thanks go out to the user Cex on proxmark.org for adding this capability, saving me from countless hours of work and research. This capability meant that I could now scan a card and then write that card’s value to another blank card, but unfortunately I needed the proxmark3 connected to a computer in order to do all of this. This would prove difficult while doing a physical pentest, as I will most likely not be able to take the ID badge somewhere to clone, plus it wouldn’t be nearly as cool or Cyber!

I started looking over the proxmark3 code in order to add the cloning functionality to the proxmark3’s standalone mode. The standalone mode, provided by user Samy on proxmark.org, is useful because it allows you to read and simulate HID cards without needing to connect the proxmark3 to a computer. After some code review and understanding more of what the standalone mode does and also how Cex’s functions worked I was able to figure out how to combine the two. The only file I had to modify was appmain.c and then recompile and flash the proxmark3. So here’s what you need to do to add cloning capabilities to standalone mode for your proxmark3.

1) Download the latest version of Cex’s T55x7 Update from here. (Note: You will need to register on the site in order to download the file)

2) Do an SVN checkout of the proxmark3 code repository. I use Ubuntu so the command is:

svn co http://proxmark3.googlecode.com/svn/trunk proxmark3-t55x7

Note: If you use Windows you can follow the steps for downloading the SVN here, the flashing steps will be useful for you shortly as well.

3) Open the zip file you downloaded in step 1 and extract the contents to the proxmark3-t55x7 directory where your proxmark3 SVN files are, overwrite any files that already exist.

4) Download my updated appmain.c file here and save it in the armsrc folder of your proxmark3-t55x7 directory, overwriting the appmain.c file that exists there.

Note: Windows users will need to refer to the previously linked site in order to do the next two steps.

5) Go to your proxmark3-t55x7 folder and do the following commands:

make clean && make all

6) Now you will flash the updated file to your proxmark3. Connect the proxmark3 to your computer using a micro USB cable and do the following commands from the client folder in /proxmark3-t55x7:

./flasher ../armsrc/obj/osimage.elf

You should now be able to clone cards in standalone mode. Here are the instructions on using the new features in standalone mode:

1) Enter standalone mode by holding the button on the top of the proxmark3 until the LEDs begin to flash.
2) Once one red LED is on, press and hold the button again until the second red LED comes on.
3) Present the card that you wish to clone; the second red LED will go out.
4) Place the blank T55x7 type card on the antenna and press and hold the button one more time until both the first red LED and the orange LED are lit.
5) Once the orange LED goes out the card has been cloned. Enjoy!

That’s it, we can now read and clone HID cards using the proxmark3 without the need of using a computer. The problem I face now is distance. I will start to address that problem with my next post when I use an HID reader and an Arduino to grab card numbers. For now, here is a look at how we use the proxmark3 discreetly:

Nothing to see here…
Day Planner Closed

Under the hood…
Day Planner Opened

May 9th, 2012 by Colligo Mentis

Microsoft Trusted Folders… Not so trusted. (Repost)

(This is a repost of an article I wrote in May 2010 that I lost during an upgrade)

I was doing a penetration test a little while back and was kicking around some ideas for running code on a remote machine without putting an actual binary on the box. Our target was running a software suite called Bit9, which will prevent the introduction of any new binaries or scripts that aren’t in the white-list for the machine. One of the ideas that had crossed my mind was the good old macro-enabled Office document. So I started working with that idea a little bit. I had Office 2007 running on my attack machine and I hadn’t ever tried working with macros in 2007 yet. While I was poking around in the options I came across some settings for Microsoft Office Trusted Folders. That got me thinking… I wonder what happens if I put a macro-enabled file in one of those trusted folders. So I did just that, and to my surprise the macros in the file ran without any prompting at all to enable macros or anything.

Very interesting find, however, I am having a hard time figuring out how that can be exploited. A user is not going to save an attachment they get in an email to that folder so that wouldn’t work. The only thing I have been able to come up with is that you could place a macro enabled document in that folder that drops a trojan or calls out to a website or whatever, and use that to maintain persistence once you are already on the box. Or maybe place a shortcut to it in the user’s startup folder.

I haven’t done any more research into how I could use this or if it is even useful at all. I just stumbled upon this little “feature” and thought it would be good to put out to the community. If you have any thoughts on useful ways to use this or anything at all leave a comment.

This brings to light a lot of different thoughts…

What other “trusted” folders exist in Microsoft products that might be vulnerable to this sort of attack?
What are the trusted folders for Bit9? (This is the first time I have come across this product so it is completely new to me)
What is the process of getting a binary or script “white-listed” in Bit9?
What are some sneaky ways to get around not being able to put binaries or scripts on a machine and get some sort of call out?

These are all things I plan on trying to find the answers to along with more research into Bit9 and similar products like maybe HBSS. More to follow?


It was brought to my attention that I had not included the actual paths for the trusted locations. Below is the default location for Office 2010; I am nearly 100% sure that it is the same in Office 2007.

C:\Program Files\Microsoft Office\Templates\
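The defender’s side of the finding above: Office keeps its per-user trusted locations in the registry, so they can be enumerated and any directory that ordinary users can write to can be flagged, since that is the combination that lets a dropped document run its macros with no prompt. This PowerShell script is an added example, not code from the original post; it assumes the Office 2007 (12.0) and 2010 (14.0) keys under HKCU for Word, Excel and PowerPoint, and uses a heuristic ACL check for Everyone, Authenticated Users and BUILTIN\Users.

```powershell
# Added example: audit Office Trusted Locations for the current user and flag
# directories that broad, non-admin groups can write to (heuristic, not an exhaustive ACL analysis).
$versions  = @('12.0', '14.0')                 # Office 2007 and 2010 (assumed set of versions to check)
$apps      = @('Word', 'Excel', 'PowerPoint')
$broadSids = @('S-1-1-0',                      # Everyone
               'S-1-5-11',                     # NT AUTHORITY\Authenticated Users
               'S-1-5-32-545')                 # BUILTIN\Users
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Expand-OfficePath([string]$p) {
    # Office stores some locations with environment variables such as %APPDATA%
    return [System.Environment]::ExpandEnvironmentVariables($p)
}

function Test-BroadWrite([string]$dir) {
    # True if any Allow ACE grants write-class rights to one of the broad groups above
    $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }                   # unresolvable identity: skip this ACE
        if (($broadSids -contains $sid) -and (($ace.FileSystemRights -band $writeMask) -ne 0)) {
            return $true
        }
    }
    return $false
}

$results = foreach ($v in $versions) {
    foreach ($app in $apps) {
        $base = "HKCU:\Software\Microsoft\Office\$v\$app\Security\Trusted Locations"
        if (-not (Test-Path -LiteralPath $base)) { continue }
        # Each trusted location is a subkey (Location0, Location1, ...) with a Path value
        foreach ($loc in Get-ChildItem -LiteralPath $base) {
            $props = Get-ItemProperty -LiteralPath $loc.PSPath
            if (-not $props.Path) { continue }
            $dir    = Expand-OfficePath $props.Path
            $exists = Test-Path -LiteralPath $dir
            [pscustomobject]@{
                App          = "$app $v"
                Location     = $loc.PSChildName
                Path         = $dir
                AllowSubdirs = [bool]$props.AllowSubfolders
                Exists       = $exists
                BroadWrite   = if ($exists) { Test-BroadWrite $dir } else { $false }
            }
        }
    }
}

# Risky entries (BroadWrite = True) sort to the top; the default Templates folder
# under Program Files should normally show False because only administrators can write there.
$results | Sort-Object BroadWrite -Descending | Format-Table -AutoSize
```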

February 21st, 2012 by Colligo Mentis

Arduino based RFID Reader/Writer

It has been a while since I last posted and on top of that I lost part of my website, but I thought I would get back into some posting with some RFID work I have been doing lately. Hope you all enjoy.

I purchased a Parallax RFID Reader/Writer Serial Module from here because I have been working on coming up with an easy-to-use solution for someone doing physical pentesting to be able to emulate the threat of access badge replication. The module seemed straightforward and easy to use so I thought I would give it a shot. Below is the Arduino code I wrote and the diagram of the circuit I created. I am posting this because there is not a lot of information out there on this particular RFID module and using it with the Arduino. The datasheet for the Parallax R/W module can be found here.

Here is the diagram of the circuit I put together. It has a standard 16×2 character display to show you what’s going on, a switch in order to write information to an RFID tag, a potentiometer to control the contrast of the LCD, the Parallax module and, of course, the Arduino.

The layout is pretty straightforward and easy to put together. Below is the code that I put together; it will constantly attempt to read an RFID tag and display its ID (depending on the address read). Then when the button is pressed it will write the last value read to the RFID tag you hold up to the Parallax module. The code I wrote used parts from a couple of posts/tutorials on www.arduino.cc (credits in the code), but I modified it to combine the read and write functions and to write the results to the LCD screen. This would potentially allow this setup to be put into a project box or something and used standalone without the need for a computer. I may do this eventually and will post my results if I do.

/*
  Code to read data from Parallax RFID reader/writer 28440 via Arduino and display on LCD
  character display and also write data to a different RFID card
  Datasheet with details of all available commands, tag info, etc:

  Program reads data from one of the 29 user-defined addresses (3-31) as defined by ADDR
  variables. If button is pressed the value from the last card read will be written
  to the same location on the new card.

  Parallax reader/writer with LCD code written by M3nt1s based on code from:
  Original read/write code written by vgrhcp based on code by uberdude
  Original LCD example code written by Tom Igoe

  The circuit:
  * LCD RS pin to digital pin 12
  * LCD Enable pin to digital pin 11
  * LCD D4 pin to digital pin 5
  * LCD D5 pin to digital pin 4
  * LCD D6 pin to digital pin 3
  * LCD D7 pin to digital pin 2
  * LCD R/W pin to ground
  * LCD VSS and K (Pin 16) to ground
  * LCD VDD and A (Pin 15) to +5V
  * 10K variable resistor:
    * ends to +5V and ground
    * wiper to LCD VO pin (pin 3)
  * 10k Ohm resistor:
    * ends to GND and DPST Push Button Switch
  * DPST Push Button Switch:
    * one side pin 1 to 10k resistor and pin 3 to +5V
    * other side pin 4 to digital pin 7
  * Parallax module:
    * VCC to +5V
    * SIN to digital pin 6
    * SOUT to digital pin 8
    * GND to GND
*/

// The original sketch used NewSoftSerial and print(x, BYTE) from pre-1.0 Arduino;
// on Arduino 1.0 and later those are SoftwareSerial and write(x), used here.
#include <SoftwareSerial.h>
#include <LiquidCrystal.h>

// Define the two different states we will use for the parallax module, See datasheet for available commands
#define RFID_READ  0x01
#define RFID_WRITE 0x02

// Define different address areas of EM Microelectronics EM4x50 1kbit R/W transponder tags, See datasheet for available commands
#define ADDR_Protect   1
#define ADDR_Control   2
#define ADDR_USER_Data 4
#define ADDR_Serial    32
#define ADDR_DeviceID  33

// Define pins used to talk to parallax module
#define txPin 6   // Arduino TX -> module SIN
#define rxPin 8   // Arduino RX <- module SOUT

SoftwareSerial mySerial(rxPin, txPin);
LiquidCrystal lcd(12, 11, 5, 4, 3, 2);

// Specify initial values
int val = 0;          // Last status byte returned by the module (1 = no error, 2 = LIW error)
int inputPin = 7;     // Pin connected to switch
int cardRead = 0;     // Set to 1 once a card has been read and its data is ready to be written
int Byte1 = 0;
int Byte2 = 0;
int Byte3 = 0;
int Byte4 = 0;

// Every command to the module is preceded by the "!RW" header, then the command byte and address (see datasheet)
void sendCommand(byte command, byte address) {
  mySerial.print("!RW");
  mySerial.write(command);
  mySerial.write(address);
}

// Wait up to timeout milliseconds for at least count bytes from the module; false on timeout
bool waitForBytes(int count, unsigned long timeout) {
  unsigned long start = millis();
  while (mySerial.available() < count) {
    if (millis() - start > timeout) {
      return false;
    }
  }
  return true;
}

void setup() {
  pinMode(txPin, OUTPUT);
  pinMode(rxPin, INPUT);
  pinMode(inputPin, INPUT);
  mySerial.begin(9600);   // The module talks 9600 baud, 8N1
  lcd.begin(16, 2);
  lcd.print("Scan Card...");
}

void suppressAll() { // suppresses the "null result" from being printed if no RFID tag is present
  while (mySerial.available() > 0) {
    mySerial.read();
  }
}

void readRFID() { // Function to read RFID tag
  sendCommand(RFID_READ, ADDR_USER_Data);
  if (!waitForBytes(1, 200)) {
    return;   // No reply at all, nothing in range
  }
  val = mySerial.read(); // The status byte; 1 means the tag was read correctly
  if (val != 1) { // Any other code means the tag was not read correctly, so the remaining bytes are discarded
    suppressAll();
    return;
  }
  if (!waitForBytes(4, 200)) {
    suppressAll();
    return;
  }

  // Get all 4 Bytes of information from the card
  Byte1 = mySerial.read();
  Byte2 = mySerial.read();
  Byte3 = mySerial.read();
  Byte4 = mySerial.read();

  // Prints data to screen
  lcd.clear();
  lcd.print("Card Serial:");
  lcd.setCursor(0, 1);
  lcd.print(Byte1, HEX); lcd.print(" ");
  lcd.print(Byte2, HEX); lcd.print(" ");
  lcd.print(Byte3, HEX); lcd.print(" ");
  lcd.print(Byte4, HEX);

  cardRead = 1;
}

void writeRFID() { // Function to write to RFID tags
  lcd.clear();
  lcd.print("Holdup Card");
  lcd.setCursor(0, 1);
  lcd.print("to write...");
  delay(2000);   // Give the user time to present the blank card

  sendCommand(RFID_WRITE, ADDR_USER_Data);
  mySerial.write((byte)Byte1);
  mySerial.write((byte)Byte2);
  mySerial.write((byte)Byte3);
  mySerial.write((byte)Byte4);

  lcd.clear();
  if (waitForBytes(1, 500)) {
    val = mySerial.read();
    if (val == 1 || val == 2) { // Check for no error or LIW error, I have been getting LIW error, but write still successful so ignoring for now
      lcd.print("Write Success!");
    } else {
      lcd.print("Error occurred");
      lcd.setCursor(0, 1);
      lcd.print("Check card");
    }
  } else {
    lcd.print("No response");
  }
  suppressAll();
  delay(2000);
  cardRead = 0;
}

void loop() {
  int switchPressed = digitalRead(inputPin); // Check the state of the switch
  if (switchPressed == HIGH) {
    if (cardRead == 1) {
      writeRFID();
    } else {
      lcd.clear();
      lcd.print("Scan card first!");
      delay(1000);
    }
    lcd.clear();
    lcd.print("Scan Card...");
  }

  // Keep polling for a card; the most recently read value is what a button press will write
  readRFID();
  delay(1000);
}

This is pretty much it for setting this up and getting it working. A couple of notes: I did not realize until after I purchased the Parallax module that it only works with the EM Microelectronics EM4x50 1kbit R/W transponder tags and will not read other Low Frequency 125 kHz cards, which I was originally intending to use this for. Parallax sells the R/W tags, which are the size of a credit card and have a lot of storage space and some decent security features, like a password that is required to be able to even read the tags. I was disappointed by this limitation as I was planning on using this to read and verify whether cloning/emulating a tag with the Proxmark3 was working. Oh well. This setup could be used to set up a decent little security system to protect your house or whatever if you were so inclined, and it is relatively inexpensive and fun to implement.

Later on I will be posting some of the work I have done with the Proxmark3, but for now so long and I hope this post helped you in some way.

September 21st, 2011 by Colligo Mentis

Adito VPN, OpenSSH, and Squid setup (My Experience)

I recently set up a VPN server running on an Ubuntu 9.10 VM I have, so I thought I would write a little about how I set it up. I had originally set up a proxy server so I could tunnel my traffic through it when I am on the road or at work, but I wanted to be able to interact more with my computers at home. A friend of mine suggested Adito because he had just set it up using his ASA. I looked it up and decided to give it a shot. I have liked it so far and I love some of the features that you get with the VPN, like the ability to set up SSL tunnels to whatever port you want, which I will talk about later.

When I first looked up how to set up an Adito VPN server it was suggested to use Ubuntu Server and configure it as an OpenSSH server and a LAMP server. I tried this, but I was having some issues with Ubuntu Server running in a VM and Adito wasn’t working correctly after setup. So I decided to go with Ubuntu Desktop and I have not had any issues at all.

On to the setup. First I started with a standard install of Ubuntu Desktop 9.10.

Ubuntu Download

Adito Install and Setup

First install the Sun Java JDK (Adito runs on Java)

sudo apt-get install sun-java6-bin sun-java6-jdk

Install Ant (An installer for Java applications)

sudo apt-get install ant ant-optional

Download Adito 0.9.1 from the /opt directory and extract

cd /opt

sudo wget http://downloads.sourceforge.net/project/openvpn-als/adito/adito-0.9.1/adito-0.9.1-bin.tar.gz

sudo tar zxvf adito*.tar.gz

cd /opt/adito-0.9.1

Install Adito using Ant

sudo ant install

During the install it will prompt you to open a web browser and point it to the Adito server on port 28080


Go through the wizard to setup Adito

Set the keystore passphrase

Create a new certificate, just fill out the information

Configure the user database, I chose Built-In

Configure the Administrator for Adito, you can create additional users later

Configure the web server, just leave the defaults

Configure proxies, leave blank unless you use a proxy

Summary Page

Setup Adito as a service

sudo ant install-service

sudo ant start

Adito is now installed and running.

**UPDATE: I have been having issues logging into Adito when the server is rebooted. To fix the login issue do the following:

sudo nano /opt/adito-0.9.1/conf/wrapper.conf.base

Remove the ‘#’ from the line that says:


This should fix the problem of not being able to login to Adito after the server was rebooted.

You can control the Adito service by using the commands below.

Restart Adito service:

sudo /etc/init.d/adito restart

Start Adito service:

sudo /etc/init.d/adito start

Stop Adito service:

sudo /etc/init.d/adito stop

To configure Adito open a web browser, go to https://aditoIPaddress and log in with the Administrator account you specified before.

Create a user account

Go to Accounts under Access Control

Click Create Account at the top right

Fill in the information to create an account

You can add SSL tunnels, Web tunnel, or add applications like RDP or SSH under Resources. Some things that I have setup are:

  • Access to shares on my file server
  • SSL tunnel to the RDP port of my server (I just run the tunnel and then connect to my localhost using my RDP port)
  • SSL tunnel to my proxy server

Set up an SSL tunnel

Go to SSL Tunnels under Resources

Click Create Tunnel at the top right

Give it a name and description then hit next

The Source Address and Port are what you will use when you connect to the VPN, leave it set to and set the port for whatever port you want to use

The Destination Address and Port are the service, like SSH or your Proxy, that you wish to connect to and the port it is using

Everything else can be default, click next

Click Everyone and click add then click next

Click Finish

You can now run your SSL tunnel when you log in to the VPN using the user that you created. When you click on the SSL tunnel it runs a local listener on the machine you are on. All you do from there is point your machine to that port using whatever you set the SSL tunnel up for. If you set up SSH or RDP you just point PuTTY or MSTSC to localhost:port# and your request gets forwarded over the SSL tunnel to the destination address and port you specified when you created the tunnel. If you set up an SSL tunnel for your proxy you just set your browser’s proxy to localhost and the port you specified when you created the tunnel.

There are a lot of options with Adito; I encourage you to look around the configuration page and see all the options you have. If you find a cool way of doing something post it in the comments below.

SSH Server setup

To setup the SSH server I used this page as a basis.

First install the OpenSSH server

sudo apt-get install openssh-server

Modify the configuration for SSH

cd /etc/ssh

sudo nano sshd_config

Change the following lines in the config file

Port any_port_other_than_22

PermitRootLogin no

StrictModes yes

AllowUsers username_created_in_ubuntu

Now restart the SSH service

sudo /etc/init.d/ssh restart

That should be all you need. You can use certificates to log in to your SSH server, but that is outside the scope of this walkthrough. You can set up an SSH application in your Adito VPN server now or create an SSL tunnel to your SSH server’s port. I did the latter even though it is a bit redundant to have an SSL-encrypted SSH connection to my server, but why not.

Squid Proxy Setup

To setup the Squid proxy I used this page as a basis.

First install Squid and Apache utils so you can use authentication

sudo apt-get install squid squid-common apache2-utils

Create a user for the proxy

sudo htpasswd -c /etc/squid.passwd username

Set the permissions on the Squid configuration file and the log directory

sudo chown -R proxy:proxy /var/log/squid/
sudo chown proxy:proxy /etc/squid/squid.conf

If you want to create more users you can use the same command without the “-c”

Edit the Squid configuration file

sudo nano /etc/squid/squid.conf

Set the allowed network/hosts and add support for users

acl internal_network src (Where is your IP range.)

http_access allow internal_network

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid.passwd

auth_param basic children 5

auth_param basic realm NFYE Squid proxy-caching web server

auth_param basic credentialsttl 3 hours

auth_param basic casesensitive off

acl users proxy_auth REQUIRED

http_access allow users

http_port 3128 (You can change this to a different port if you want)
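Order matters in Squid’s http_access list: rules are evaluated top to bottom and the first match wins, so with the lines above a client inside internal_network matches the first allow and is never asked for a password; only clients outside that range reach the proxy_auth check. The fragment below is an added example, not part of the original post, and shows that ordering next to one that requires a login from every client and ends with an explicit deny; 192.168.1.0/24 is an assumed placeholder range.

```conf
# Fragment A: the ordering from the post (assumed range). LAN clients match the
# first allow and skip authentication entirely; only outside clients must log in.
acl internal_network src 192.168.1.0/24
http_access allow internal_network         # first match wins: no credentials asked here
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid.passwd
acl users proxy_auth REQUIRED
http_access allow users

# Fragment B (use instead of A): every client, LAN or tunnelled, must present
# valid credentials, and anything that matches nothing is refused explicitly.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid.passwd
auth_param basic realm NFYE Squid proxy-caching web server
acl internal_network src 192.168.1.0/24
acl users proxy_auth REQUIRED
http_access allow internal_network users   # two ACLs on one line are ANDed: right range AND logged in
http_access deny all                       # keep this last so nothing falls through
```

Squid's stock squid.conf already ends with a deny-all, so the important part is inserting your allow lines above it and putting the proxy_auth ACL in the position you intend.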

Restart Squid

sudo /etc/init.d/squid restart

That should be it; you should now be able to set the proxy in your web browser to point to your Squid server using the port you specified and have all your traffic going through your proxy. In Adito I set up an SSL tunnel pointing to my proxy so I can use the proxy when I am on the road and use the internet over SSL for more security.

March 20th, 2010 by Colligo Mentis

FiOS WEP Calculator v2

Well, I have been working on the new version of my FiOS WEP calculator since I last posted and I am happy to say that it is complete. The new version has a changed visual layout, but most of all I have included the ability to scan the wireless networks for default FiOS SSIDs.

Once again I must make a disclaimer:

This application is provided for educational and testing purposes only. This application should not be used to calculate WEP keys for any networks that you do not own or do not have explicit permission to obtain the WEP keys for. I am not held responsible or liable for the manner in which you use this application.

Click below to download the updated application. If you use it and have any problems or comments please leave them in the comments for this post. I would appreciate any constructive feedback.

FiOS WEP Calculator v2 Download

February 27th, 2010 by Colligo Mentis

FiOS WEP Calculator for Android

This is the first real application that I have written for Android. I am just starting out trying to learn Android development and Java so I have gotten a lot of guidance and help from a friend of mine.

I first saw the information on calculating the FiOS WEP keys from a post by Kyle Anderson. So I thought I would try to write my own app to do these calculations.

This application for Android allows you to generate two possibilities for the default WEP key provided by Verizon for their FiOS Actiontec MI424 Wireless Routers. I have seen some discussion about this calculation only working on the C and D revision of routers and not working on the revision E router with the big white button on the front. I checked it against my own FiOS router, which is a revision E router, and it was not able to calculate the default WEP key printed on the label. I have confirmed that it works for the older revision routers though.

Below is a link to the application that I created for Android. This application is provided for educational and testing purposes only. This application should not be used to calculate WEP keys for any networks that you do not own or do not have explicit permission to obtain the WEP keys. I am not held responsible or liable for the manner in which you use the application.

That being said, I have some plans for future features for this application, but since I am new to the whole Android development I am still learning how to implement these features. So check back often or subscribe to my RSS feed to keep up to date with the changes to this application. I may try to do some more research later to see if I can figure out if a similar issue affects the newer revision E routers.

If you have any problems with the application or issues running it or anything feel free to leave a comment.

FiOS WEP Calculator Download

February 20th, 2010 by Colligo Mentis

Shmoocon

Went to Shmoocon this year for the first time. I had a great time, went to some really good talks and got some cool schwag. The snow sucked and made travelling home Sunday a pain. Overall, I thought it was a great con and I will definitely try to attend regularly.

February 10th, 2010 by Colligo Mentis