I have been working with the proxmark3 now for a while. I was looking at it as a solution for RFID cloning for use in physical penetration tests. The card types that we typically encounter during tests are either HID ProxCard II clamshell style cards or the ISO-Thin ISOProx II or DuoProx II cards. The proxmark3, out of the box, supports reading and simulating HID cards by broadcasting the scanned card’s value on its antenna. However, it is kind of clunky to use the proxmark3 when you are trying to badge into a door, so we needed cloning capabilities.
I will go ahead and give my disclaimer: I am not an expert at all on RFID or embedded devices, including the proxmark3, which was completely new to me when I started less than a year ago. That being said, trying to add cloning capabilities with no understanding of how the proxmark3 works or how RFID tags are read and written is a HUGE mountain to climb. Luckily someone much smarter came along and added the ability to clone HID cards to the generic T5557/T5567 type cards. The T55x7 type cards are generic RFID cards that can be purchased very cheaply online, most likely from somewhere in China.
Many thanks go out to the user Cex on proxmark.org for adding this capability, saving me from countless hours of work and research. This capability meant that I could now scan a card and then write that card’s value to another blank card, but unfortunately I needed the proxmark3 connected to a computer in order to do all of this. This would prove difficult while doing a physical pentest, as I will most likely not be able to take the ID badge somewhere to clone, plus it wouldn’t be nearly as cool or Cyber!
I started looking over the proxmark3 code in order to add the cloning functionality to the proxmark3’s standalone mode. The standalone mode, provided by user Samy on proxmark.org, is useful because it allows you to read and simulate HID cards without needing to connect the proxmark3 to a computer. After some code review, and after understanding more of what the standalone mode does and how Cex’s functions worked, I was able to figure out how to combine the two. The only file I had to modify was appmain.c; then I recompiled and flashed the proxmark3. So here’s what you need to do to add cloning capabilities to standalone mode for your proxmark3.
1) Download the latest version of Cex’s T55x7 Update from here. (Note: You will need to register on the site in order to download the file)
2) Do an SVN checkout of the proxmark3 code repository. I use Ubuntu, so the command is:
svn co http://proxmark3.googlecode.com/svn/trunk proxmark3-t55x7
Note: If you use Windows you can follow the steps for downloading the SVN here, the flashing steps will be useful for you shortly as well.
3) Open the zip file you downloaded in step 1 and extract the contents to the proxmark3-t55x7 directory where your proxmark3 SVN files are, overwriting any files that already exist.
4) Download my updated appmain.c file here and save it in the armsrc folder of your proxmark3-t55x7 directory, overwriting the appmain.c file that exists there.
Note: Windows users will need to refer to the previously linked site in order to do the next two steps.
5) Go to your proxmark3-t55x7 folder and run the following commands:
make clean && make all
6) Now you will flash the updated firmware to your proxmark3. Connect the proxmark3 to your computer using a micro USB cable and run the following commands from the client folder in proxmark3-t55x7:
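As an added example (not part of the original post or of the proxmark3 project), the checkout, overlay and build steps above wrapped in checked shell functions. It assumes the layout the steps describe: the SVN tree in a proxmark3-t55x7 folder with an armsrc/appmain.c and a client folder. The one thing it adds beyond the steps is that stage_appmain keeps the stock appmain.c as appmain.c.orig, so the standalone-mode changes can be diffed or reverted later. The post does not give the flash command itself, so flash_firmware only prints a labelled placeholder for you to replace with the command from the flashing guide you are following.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed layout: SVN tree in
# $WORK_DIR with armsrc/appmain.c and a client/ folder, as in steps 2-6.

SVN_URL="http://proxmark3.googlecode.com/svn/trunk"
WORK_DIR="${WORK_DIR:-proxmark3-t55x7}"

# Step 2: SVN checkout (needs network access).
fetch_source() {
    svn co "$SVN_URL" "$WORK_DIR"
}

# Step 3: unpack Cex's T55x7 update over the tree, overwriting existing files.
# Usage: apply_t55x7_update <update.zip>
apply_t55x7_update() {
    unzip -o "$1" -d "$WORK_DIR"
}

# Step 4: drop in the modified appmain.c, but keep the stock copy as
# appmain.c.orig (only the first time) so the change can be diffed or reverted.
# Usage: stage_appmain <new_appmain.c> [tree]
stage_appmain() {
    src="$1"
    tree="${2:-$WORK_DIR}"
    dest="$tree/armsrc/appmain.c"
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    [ -d "$tree/armsrc" ] || { echo "not a proxmark3 tree: $tree" >&2; return 1; }
    if [ -f "$dest" ] && [ ! -f "$dest.orig" ]; then
        cp "$dest" "$dest.orig"
    fi
    cp "$src" "$dest"
}

# Pre-build check: the files the later steps rely on must be present.
# Returns 0 when everything is there, 1 (with a message) otherwise.
check_tree() {
    tree="${1:-$WORK_DIR}"
    for f in "$tree/armsrc/appmain.c" "$tree/client"; do
        [ -e "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    return 0
}

# Step 5: rebuild everything from the top of the tree.
build_firmware() {
    check_tree "$WORK_DIR" || return 1
    ( cd "$WORK_DIR" && make clean && make all )
}

# Step 6: the post does not give the flash command for this tree, so this is
# a placeholder; replace the echo with the flasher invocation from your guide.
flash_firmware() {
    echo "PLACEHOLDER: run the flasher from $WORK_DIR/client here" >&2
    return 1
}
```

Source the file and call the functions in order (fetch_source, apply_t55x7_update, stage_appmain, build_firmware, flash_firmware); a failed check_tree stops the build before make runs, which is the usual symptom when the zip was extracted into the wrong folder.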
You should now be able to clone cards in standalone mode. Here are the instructions on using the new features in standalone mode:
1) Enter standalone mode by holding the button on the top of the proxmark3 until the LEDs begin to flash.
2) Once one red LED is on, press and hold the button again until the second red LED comes on.
3) Present the card that you wish to clone; the second red LED will go out.
4) Place the blank T55x7 type card on the antenna and press and hold the button one more time until both the first red LED and the orange LED are lit.
5) Once the orange LED goes out, the card has been cloned. Enjoy!
That’s it, we can now read and clone HID cards using the proxmark3 without needing a computer. The problem I face now is distance. I will start to address that problem in my next post, when I use an HID reader and an Arduino to grab card numbers. For now, here is a look at how we use the proxmark3 discreetly:
Nothing to see here…
Under the hood…