Bulk Badge Cloning – Easy as Proxmark 1, 2, 3!

I'm going to cover some simple bulk badge cloning this week, as I'm still a little behind on my OSCE and vulnserver.

Bulk Badge Cloning - Introduction

A friend of mine needed to clone the last existing badge that his factory had, and I was able to help him out! Note that he had permission for this, and the person that previously configured the RFID system was no longer around.

First, he ordered a few bags of LF tags.

As you can see, he got them from Amazon. That said, you can definitely find better prices on Alibaba or something similar.

Installation and Configuration

I'm not going to cover the installation again, but you can always check my last post for some more information.

Additionally, the GitHub wiki is helpful for downloading the pre-compiled firmware.

Finally, this post helped a ton with configuration issues or gotchas.

That said, I made sure that my Windows installation was still working before getting to work.

pm3 ~$ ./client/proxmark3.exe com3
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 756 2013-07-13 08:11:47
#db# os: svn 756 2013-07-13 08:11:52
#db# FPGA image built on 2012/ 1/ 6 at 15:27:56
proxmark3> hw ver
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 756 2013-07-13 08:11:47
#db# os: svn 756 2013-07-13 08:11:52
#db# FPGA image built on 2012/ 1/ 6 at 15:27:56
proxmark3> lf search
#db# buffer samples: ef 73 0b 00 00 8f fd ff ...
NOTE: some demods output possible binary
  if it finds something that looks like a tag
False Positives ARE possible

Cloning

The badge he was trying to clone was an HID ProxKey, which looked like the following.

Since I knew this was an unencrypted, low-frequency tag, I grabbed a handful of the blanks and got to work.

First, I grabbed his original copy, and read off the ID number.

proxmark3> lf read

Checking for known tags:

HID Prox TAG ID: 20xxxxxxxx (23876) - Format Len: 26bit - FC: 43 - Card: 23xxx

Valid HID Prox ID Found!
Waiting for a response from the proxmark...
You can cancel this operation by pressing the pm3 button
Command timed out
#db# DONE!
Waiting for a response from the proxmark...
You can cancel this operation by pressing the pm3 button
command execution time out
proxmark3>
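
The read output above reports a 26-bit format with a facility code (FC) and a card number. The following is an added example, not code from this post or from the Proxmark project: it decodes the standard 26-bit Wiegand layout (H10301), which is assumed to be the format of this badge, and shows that the frame holds only the two numbers plus two parity bits, with no secret a reader could use to tell an original from a copy. The function names and the sample FC/card values are constructed for illustration.

```python
"""Decode and validate a standard 26-bit Wiegand (H10301) credential frame.

Layout, most significant bit first (assumed standard H10301):
  bit 1       even parity over bits 2-13
  bits 2-9    facility code (8 bits)
  bits 10-25  card number (16 bits)
  bit 26      odd parity over bits 14-25
"""
from typing import NamedTuple


class Credential(NamedTuple):
    facility_code: int
    card_number: int


def _ones(value: int) -> int:
    return bin(value).count("1")


def encode_h10301(facility_code: int, card_number: int) -> int:
    """Build the 26-bit frame for a facility code and card number."""
    if not 0 <= facility_code <= 0xFF or not 0 <= card_number <= 0xFFFF:
        raise ValueError("FC must fit in 8 bits and card number in 16 bits")
    data = (facility_code << 16) | card_number   # the 24 data bits
    even = _ones(data >> 12) & 1                 # makes bits 1-13 even
    odd = (_ones(data & 0xFFF) & 1) ^ 1          # makes bits 14-26 odd
    return (even << 25) | (data << 1) | odd


def decode_h10301(frame: int) -> Credential:
    """Check both parity bits, then split the frame into FC and card number."""
    if not 0 <= frame < (1 << 26):
        raise ValueError("frame must fit in 26 bits")
    first_half = frame >> 13                     # bits 1-13, incl. even parity
    second_half = frame & 0x1FFF                 # bits 14-26, incl. odd parity
    if _ones(first_half) % 2 != 0:
        raise ValueError("even parity check failed")
    if _ones(second_half) % 2 != 1:
        raise ValueError("odd parity check failed")
    data = (frame >> 1) & 0xFFFFFF               # strip the two parity bits
    return Credential(data >> 16, data & 0xFFFF)


if __name__ == "__main__":
    # Constructed sample values, not the badge from this post.
    frame = encode_h10301(118, 1603)
    print(f"{frame:026b}", decode_h10301(frame))
```

The parity bits only catch transmission errors; every bit of the credential is readable and reproducible, which is what the `lf read` output demonstrates.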

With the original ID obtained, it was time to make some clones!

proxmark3> lf hid clone 20xxxxxxxx
Cloning tag with ID 20xxxxxxxx
#db# DONE!
proxmark3> lf hid clone 20xxxxxxxx
Cloning tag with ID 20xxxxxxxx
#db# DONE!
proxmark3> lf search
#db# buffer samples: 9b d8 f6 fe db 87 40 0f ...
NOTE: some demods output possible binary
  if it finds something that looks like a tag
False Positives ARE possible

Once I cloned these, he actually had me clone his apartment complex fob a few times as well.

Checking for known tags:

HID Prox TAG ID: 21xxxxxxxx (52xxx) - Format Len: 26bit - FC: 10 - Card: 52xxx

Valid HID Prox ID Found!
Waiting for a response from the proxmark...
You can cancel this operation by pressing the pm3 button
Command timed out
#db# DONE!
Waiting for a response from the proxmark...
You can cancel this operation by pressing the pm3 button
command execution time out
proxmark3> lf hid clone 21xxxxxxxx
Cloning tag with ID 21xxxxxxxx
#db# DONE!
proxmark3> lf hid clone 21xxxxxxxx
Cloning tag with ID 21xxxxxxxx
#db# DONE!
proxmark3> lf hid clone 21xxxxxxxx
Cloning tag with ID 21xxxxxxxx
#db# DONE!
proxmark3>

Bulk Badge Cloning - Conclusion

While this was a shorter post, it was cool being able to use my Proxmark to help out a friend.

I've still got more vulnserver posts on the way, so stay tuned!

Let me know if you have any other fun ideas or uses for the Proxmark.

doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Principal Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.
