HID Badge Cloning – Proxmark Fun

Now that everything was set up, it was time to try some HID badge cloning with the Proxmark.

While this won't cover configuring the software, here are a few helpful references:

After some tweaking and tutorials, I got the software running on my workstation.

HID Badge Cloning - Software

DISCLAIMER

This is a badge of mine, and the proprietor of the establishment knew that I was attempting to clone the badge. Do not use this guide to attempt to break into anywhere that you are not authorized to access.

Cloning

First things first, I needed to read the badge that I wanted to clone.

Looking at the back of the badge, I could tell that it was an HID badge. After a little research, I found that HID Prox badges are 125 kHz FSK tags, so reading the TAG ID is as simple as using the LF antenna and the lf hid fskdemod command.

HID Badge Cloning - HID

HID Badge Cloning - Reading

proxmark3> lf hid fskdemod
proxmark3> 
proxmark3> #db# TAG ID: 2baxxxxxxx (2059)

Once I had the TAG ID, it was time to clone it to my blank badge. Note that I've blanked out the last 7 hex digits of this badge, just to prevent anyone from reusing this specific ID.

The T5577 blank that came with my kit was a suitable target for the clone: the T5577 is a writable 125 kHz chip that can be configured to emulate the HID Prox FSK format, which is exactly what lf hid clone does.

HID Badge Cloning - Blank

With my blank selected, I wrote the original's TAG ID to my new badge.

HID Badge Cloning - Cloning

proxmark3> lf hid clone 2baxxxxxxx
Cloning tag with ID 2baxxxxxxx          
proxmark3>
proxmark3> #db# DONE!   

To verify that the clone worked, I read the TAG ID back from the new badge and checked that it matched the original.

proxmark3> lf hid fskdemod
proxmark3> 
proxmark3> #db# TAG ID: 2baxxxxxxx (2059)
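The TAG ID that lf hid fskdemod prints is the raw bit pattern of the card, and the decimal in parentheses is just bits 16..1 of that pattern, which is the card number only when the badge uses the common 26-bit H10301 layout (a 1 at bit 37 marking a standard HID tag, a 1 just above the data bits marking the format length, then even parity, an 8-bit facility code, a 16-bit card number and odd parity). The following decoder/encoder is an added example for illustration, not code from this post or from the Proxmark3 project; it assumes that bit layout and, because my own ID is redacted above, uses the widely circulated demo ID 2006ec0c86 as sample input. The hex it produces is the value you would hand to lf hid clone.

```python
"""Decode HID Prox raw tag IDs (as printed by `lf hid fskdemod`) and build
new ones for `lf hid clone`.

Added example; not code from the original post or from Proxmark3.
Assumed layout (the classic Proxmark3 interpretation of a standard tag):
  bit 37      : always 1 for a standard (<38-bit) HID Prox tag
  bit N       : a single 1 just above the N data bits (format-length marker)
  bits N-1..0 : the Wiegand data. For N == 26 (H10301):
                bit 25      = even parity over bits 24..13
                bits 24..17 = facility code (8 bits)
                bits 16..1  = card number (16 bits)
                bit 0       = odd parity over bits 12..1
"""

from dataclasses import dataclass
from typing import Optional

STANDARD_TAG_BIT = 37


@dataclass
class HidTag:
    raw: int
    fmt_len: int
    facility_code: Optional[int]  # only decoded for 26-bit H10301
    card_number: Optional[int]
    parity_ok: Optional[bool]
    prox_paren: int               # the decimal Proxmark prints in parentheses


def _even_parity(value: int) -> int:
    """Parity bit that makes the total number of 1s (including the bit) even."""
    return bin(value).count("1") & 1


def _odd_parity(value: int) -> int:
    """Parity bit that makes the total number of 1s (including the bit) odd."""
    return 1 - _even_parity(value)


def decode_hid_raw(hex_id: str) -> HidTag:
    """Parse a raw hex TAG ID into format length, FC, card number and parity state."""
    raw = int(hex_id, 16)
    if not (raw >> STANDARD_TAG_BIT) & 1:
        raise ValueError("bit 37 not set: not a standard (<38-bit) HID Prox ID")
    # The format-length marker is the highest set bit below bit 37.
    below = raw & ((1 << STANDARD_TAG_BIT) - 1)
    fmt_len = below.bit_length() - 1
    lo = raw & 0xFFFFFFFF
    prox_paren = (lo >> 1) & 0xFFFF  # bits 16..1: card number for 26-bit cards only
    fc = cn = ok = None
    if fmt_len == 26:
        data = raw & ((1 << 26) - 1)
        fc = (data >> 17) & 0xFF
        cn = (data >> 1) & 0xFFFF
        ep = (data >> 25) & 1
        op = data & 1
        ok = (ep == _even_parity((data >> 13) & 0xFFF)
              and op == _odd_parity((data >> 1) & 0xFFF))
    return HidTag(raw, fmt_len, fc, cn, ok, prox_paren)


def encode_h10301(facility_code: int, card_number: int) -> str:
    """Build the raw hex ID for a 26-bit H10301 card, suitable for `lf hid clone`."""
    if not 0 <= facility_code <= 0xFF or not 0 <= card_number <= 0xFFFF:
        raise ValueError("H10301 allows an 8-bit facility code and a 16-bit card number")
    body = (facility_code << 16) | card_number  # the 24 payload bits
    ep = _even_parity(body >> 12)              # left half of the payload
    op = _odd_parity(body & 0xFFF)             # right half of the payload
    data = (ep << 25) | (body << 1) | op
    raw = (1 << STANDARD_TAG_BIT) | (1 << 26) | data
    return f"{raw:x}"


if __name__ == "__main__":
    tag = decode_hid_raw("2006ec0c86")  # demo ID, not the badge from the post
    print(f"{tag.fmt_len}-bit  FC={tag.facility_code}  CN={tag.card_number}  "
          f"parity_ok={tag.parity_ok}  proxmark shows ({tag.prox_paren})")
    print("lf hid clone", encode_h10301(tag.facility_code, tag.card_number))
```

A badge whose TAG ID does not decode as 26-bit (the hi part of my own ID above, 2b, sets bits above bit 26, so it is a longer format) still gets a fmt_len from the marker bit, but the facility code and card number fields stay unset rather than being guessed; lf hid clone does not care either way, since it writes the raw bits as-is.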

Once I cloned my badge, I had to test it out!

I took this to a location where I knew my original badge worked, and I tested out the "blank".

HID Badge Cloning - Reader 1

HID Badge Cloning - Reader 2

HID Badge Cloning - Access Granted

The badge worked on both readers, and I was ecstatic!

This was a surprisingly simple experiment, and I'm looking forward to more fun with RFID and the Proxmark.

If anyone has suggestions for increasing the read/write range, I may look into that for a future project as well.

doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Principal Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.

Filed under Security Not Included
