Address
304 North Cardinal St.
Dorchester Center, MA 02124
Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM
I’m going to cover some simple bulk badge cloning this week, as I’m still a little behind on my OSCE and vulnserver.
A friend of mine needed to clone the last existing badge that his factory had, and I was able to help him out! Note that he had permission for this, and the person that previously configured the RFID system was no longer around.
First, he ordered a few bags of LF tags.
As you can see, he got the 125 kHz RFID writable/rewritable T5577 tags from Amazon. That said, you can definitely find better prices on Alibaba or something similar.
I’m not going to cover the installation again, but you can always check my last post for some more information.
Additionally, the GitHub wiki is helpful for downloading the pre-compiled firmware.
Finally, this post helped a ton with configuration issues or gotchas.
That said, I made sure that my Windows installation was still working before getting to work.
```
pm3 ~$ ./client/proxmark3.exe com3
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 756 2013-07-13 08:11:47
#db# os: svn 756 2013-07-13 08:11:52
#db# FPGA image built on 2012/ 1/ 6 at 15:27:56
proxmark3> hw ver
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 756 2013-07-13 08:11:47
#db# os: svn 756 2013-07-13 08:11:52
#db# FPGA image built on 2012/ 1/ 6 at 15:27:56
proxmark3> lf search
#db# buffer samples: ef 73 0b 00 00 8f fd ff ...
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
```
The badge he was trying to clone was an HID ProxKey, which looked like the following.
Since I knew this was an unencrypted, low-frequency tag, I grabbed a handful of the blanks and got to work.
First, I grabbed his original copy, and read off the ID number.
```
proxmark3> lf read
Checking for known tags:
HID Prox TAG ID: 20xxxxxxxx (23876) - Format Len: 26bit - FC: 43 - Card: 23xxx
Valid HID Prox ID Found!
Waiting for a response from the proxmark...
You can cancel this operation by pressing the pm3 button
Command timed out
#db# DONE!
Waiting for a response from the proxmark...
You can cancel this operation by pressing the pm3 button
command execution time out
proxmark3>
```
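The `Format Len: 26bit - FC - Card` fields in that output are the whole credential: a facility code, a card number and two parity bits, with nothing secret on the tag. The decoder below is an added example, not code from the original post or from the Proxmark project; it assumes the short-format ID layout (bit 37 set, a sentinel bit directly above the 26 data bits) and uses a sample ID that is not one of the badges here.

```python
# Added example: decode a Proxmark-style HID Prox ID in the 26-bit (H10301) layout.
# SAMPLE_ID is a sample value for illustration, not a badge from this post.
SAMPLE_ID = "2006ec0c86"


def parity(value: int) -> int:
    """Return 1 if an odd number of bits are set, else 0."""
    return bin(value).count("1") & 1


def decode_h10301(raw_hex: str) -> dict:
    """Split a 10-hex-digit HID Prox ID into facility code, card number, parity."""
    raw = int(raw_hex, 16)
    # Assumed layout: bit 37 marks a short format, bit 26 is the start sentinel,
    # and bits 36..27 are zero. Anything else is not treated as 26-bit here.
    if (raw >> 26) & 1 != 1 or (raw >> 27) != 0x400:
        raise ValueError("not a 26-bit HID Prox ID in the assumed layout")

    bits = raw & 0x3FFFFFF            # the 26 bits the reader sends on
    upper = bits >> 13                # even-parity bit + first 12 data bits
    lower = bits & 0x1FFF             # last 12 data bits + odd-parity bit
    return {
        "facility_code": (bits >> 17) & 0xFF,    # 8 bits
        "card_number": (bits >> 1) & 0xFFFF,     # 16 bits
        # Parity only catches read errors; it does not authenticate the tag.
        "parity_ok": parity(upper) == 0 and parity(lower) == 1,
    }


if __name__ == "__main__":
    print(decode_h10301(SAMPLE_ID))
```

Because the reader only ever sees these 24 data bits, any tag that replays them is indistinguishable from the original, which is why the clone step that follows needs nothing more than the ID.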
With the original ID obtained, it was time to make some clones!
```
proxmark3> lf hid clone 20xxxxxxxx
Cloning tag with ID 20xxxxxxxx
#db# DONE!
proxmark3> lf hid clone 20xxxxxxxx
Cloning tag with ID 20xxxxxxxx
#db# DONE!
proxmark3> lf search
#db# buffer samples: 9b d8 f6 fe db 87 40 0f ...
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
```
Once I cloned these, he actually had me clone his apartment complex fob a few times as well.
```
Checking for known tags:
HID Prox TAG ID: 21xxxxxxxx (52xxx) - Format Len: 26bit - FC: 10 - Card: 52xxx
Valid HID Prox ID Found!
Waiting for a response from the proxmark...
You can cancel this operation by pressing the pm3 button
Command timed out
#db# DONE!
Waiting for a response from the proxmark...
You can cancel this operation by pressing the pm3 button
command execution time out
proxmark3> lf hid clone 21xxxxxxxx
Cloning tag with ID 21xxxxxxxx
#db# DONE!
proxmark3> lf hid clone 21xxxxxxxx
Cloning tag with ID 21xxxxxxxx
#db# DONE!
proxmark3> lf hid clone 21xxxxxxxx
Cloning tag with ID 21xxxxxxxx
#db# DONE!
proxmark3>
```
While this was a shorter post, it was cool being able to use my Proxmark to help out a friend.
I’ve still got more vulnserver posts on the way, so stay tuned!
Let me know if you have any other fun ideas or uses for the Proxmark.
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.