Address
304 North Cardinal St.
Dorchester Center, MA 02124
Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM
Now that everything was set up, it was time to try some HID badge cloning with the Proxmark.
While this won’t cover configuring the software, here are a few helpful references:
After some tweaking and tutorials, I got the software running on my workstation.
This is a badge of mine, and the proprietor of the establishment knew that I was attempting to clone the badge. Do not use this guide to attempt to break into anywhere that you are not authorized access.
First things first, I needed to read the badge that I wanted to clone.
Looking at the back of the badge, I could tell that it was an HID badge. After a little research, I found that it was quite simple to read the TAG ID using the LF antenna.
proxmark3> lf hid fskdemod
proxmark3>
proxmark3> #db# TAG ID: 2baxxxxxxx (2059)
Once I had the Tag ID, it was time to clone it to my blank badge. Note that I’ve blanked out the last 7 digits of this badge, just to prevent attempts to reuse this specific case.
I was able to use the T5577 blank that came with my kit as an appropriate clone.
With my blank selected, I wrote the original’s TAG ID to my new badge.
proxmark3> lf hid clone 2baxxxxxxx
Cloning tag with ID 2baxxxxxxx
proxmark3>
proxmark3> #db# DONE!
To verify that the clone worked, I read the Tag ID of the new badge as well.
proxmark3> lf hid fskdemod
proxmark3>
proxmark3> #db# TAG ID: 2baxxxxxxx (2059)
Once I cloned my badge, I had to test it out!
I took this to a location where I knew my original badge worked, and I tested out the “blank”.
The badge worked in both locations, and I was ecstatic!
This was a surprisingly simple experiment, and I’m looking forward to more fun with RFID and the Proxmark.
If anyone has any suggestions for increasing the reading/writing range, then I may look into that for a future project as well.
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.