HID Badge Cloning – Proxmark Fun

Now that everything was set up, it was time to try some HID badge cloning with the Proxmark.

While this won't cover configuring the software, here are a few helpful references:

After some tweaking and tutorials, I got the software running on my workstation.

[Image: HID Badge Cloning - Software]

DISCLAIMER

This is a badge of mine, and the proprietor of the establishment knew that I was attempting to clone the badge. Do not use this guide to attempt to break into anywhere that you are not authorized to access.

Cloning

First things first, I needed to read the badge that I wanted to clone.

Looking at the back of the badge, I could tell that it was an HID badge. After a little research, I found that it was quite simple to read the TAG ID: HID Prox badges are 125 kHz low-frequency tags, so the Proxmark reads them with its LF antenna.

[Image: HID Badge Cloning - HID]

[Image: HID Badge Cloning - Reading]

proxmark3> lf hid fskdemod
proxmark3> 
proxmark3> #db# TAG ID: 2baxxxxxxx (2059)

Once I had the Tag ID, it was time to clone it to my blank badge. The number in parentheses is the 16-bit card number the firmware pulls from the low bits of the ID. Note that I've blanked out the last 7 digits of this badge's ID, just to prevent attempts to reuse this specific case.

The T5577 blank that came with my kit was a suitable clone target, since it can be programmed to emulate an HID Prox tag.

[Image: HID Badge Cloning - Blank]

With my blank selected, I wrote the original's TAG ID to my new badge.

[Image: HID Badge Cloning - Cloning]

proxmark3> lf hid clone 2baxxxxxxx
Cloning tag with ID 2baxxxxxxx          
proxmark3>
proxmark3> #db# DONE!   

To verify that the clone worked, I read the Tag ID of the new badge as well.

proxmark3> lf hid fskdemod
proxmark3> 
proxmark3> #db# TAG ID: 2baxxxxxxx (2059)
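The raw TAG ID that `lf hid fskdemod` prints is not just a serial number: for the most common HID Prox format, 26-bit H10301, it wraps an 8-bit facility code, a 16-bit card number and two parity bits, with fixed marker bits in front (which is why 26-bit IDs always print as `2004xxxxxx`). The following is an added example, not code from the original post or from the Proxmark project, that encodes a facility code and card number into that raw hex and decodes it back with parity checking. It uses the widely published sample ID `2006ec0c86` (facility code 118, card number 1603) as constructed input; the author's own ID above is redacted and is a longer format, which the decoder rejects rather than mis-decoding. Treating the raw ID as an opaque blob (as `lf hid clone` does) is enough to clone it, but decoding it tells you what the reader actually sees, and lets you write a clone from a known facility code and card number alone.

```python
"""Encode/decode HID Prox 26-bit (H10301) IDs in the raw hex form that the
classic Proxmark3 firmware prints after `lf hid fskdemod`.

Added example (not from the original post). Layout assumed here, MSB first:
  bit 1      even parity over bits 2-13
  bits 2-9   facility code (8 bits)
  bits 10-25 card number (16 bits)
  bit 26     odd parity over bits 14-25
The firmware prints that 26-bit value with a 1 at bit 37 and a 1 at bit 26
as format markers, giving the familiar "2004xxxxxx" shape.
"""

_BIT37 = 1 << 37          # leading marker, the "20" in "20xxxxxxxx"
_BIT26 = 1 << 26          # flags the 26-bit format, the "04"
_WIEGAND26_MASK = (1 << 26) - 1


def _popcount(value: int) -> int:
    return bin(value).count("1")


def encode_h10301(facility_code: int, card_number: int) -> str:
    """Return the 10-hex-digit raw ID that `lf hid clone` expects."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    body = (facility_code << 16) | card_number       # 24 data bits
    even = _popcount(body >> 12) & 1                  # even parity, high 12 data bits
    odd = 1 - (_popcount(body & 0xFFF) & 1)           # odd parity, low 12 data bits
    wiegand = (even << 25) | (body << 1) | odd
    return f"{_BIT37 | _BIT26 | wiegand:010x}"


def is_h10301(raw_hex: str) -> bool:
    """True if the raw ID carries the 26-bit format markers and nothing above them."""
    raw = int(raw_hex, 16)
    return (raw >> 26) == ((_BIT37 | _BIT26) >> 26)


def decode_h10301(raw_hex: str) -> dict:
    """Split a raw 26-bit ID into facility code and card number, verifying parity.

    'printed_card_number' reproduces the value the classic firmware shows in
    parentheses after the TAG ID: the 16 bits above the trailing parity bit of
    the low 32-bit word (assumption based on the classic firmware's output).
    """
    if not is_h10301(raw_hex):
        raise ValueError("not a 26-bit H10301 ID (expected the 2004xxxxxx form)")
    raw = int(raw_hex, 16)
    wiegand = raw & _WIEGAND26_MASK
    even = wiegand >> 25
    odd = wiegand & 1
    body = (wiegand >> 1) & 0xFFFFFF
    facility_code = body >> 16
    card_number = body & 0xFFFF
    even_ok = (_popcount(body >> 12) & 1) == even
    odd_ok = (1 - (_popcount(body & 0xFFF) & 1)) == odd
    return {
        "facility_code": facility_code,
        "card_number": card_number,
        "parity_ok": even_ok and odd_ok,
        "printed_card_number": ((raw & 0xFFFFFFFF) >> 1) & 0xFFFF,
    }


if __name__ == "__main__":
    # Constructed sample: the commonly published Proxmark example ID.
    sample = "2006ec0c86"
    print(sample, "->", decode_h10301(sample))
    print("FC 118 / CN 1603 ->", encode_h10301(118, 1603))
```

A clone made from `encode_h10301(fc, cn)` is byte-for-byte the ID a reader expects for that facility code and card number, which is why a single captured read is sufficient: the whole credential is the ID. The parity check matters when demodulation is marginal, since a bit flip in the read will produce a clone the reader silently ignores.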

Once I cloned my badge, I had to test it out!

I took it to a location where I knew my original badge worked, and tried the "blank" on two readers there.

[Image: HID Badge Cloning - Reader 1]

[Image: HID Badge Cloning - Reader 2]

[Image: HID Badge Cloning - Access Granted]

The clone worked on both readers, and I was ecstatic!

This was a surprisingly simple experiment, and I'm looking forward to more fun with RFID and the Proxmark.

If anyone has any suggestions for increasing the reading/writing range, then I may look into that for a future project as well.

doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration tester for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.
