Proxmark Adventures 101

I've been out to purchase a Proxmark for a long time, I've even checked out the fake ones on Taobao and AliExpress. I've recently moved to China to proceed with my YOLO start-up adventure towards spreading the good old “Red Team”, or attack mindset, practical, and technique driven services. Since arriving in Shenzhen and Hong Kong, I've met many new friends. One day, Kevin Mitnick introduced me to Dennis Goh and Olaf Tan – the creators of Proxmark 3 Rdv4.0.

The Proxmark 3 Rdv4.0 has been on Kickstarter for the past couple of months and had seen a surge of interest from both enthusiasts and security professionals.

Kickstarter - Proxmark3 Rdv4.0

Disclaimer

Not a mega RFID expert here, terminology may be incorrect but the post is aimed to help those new to RFID and Proxmark usage understand.

What is the Proxmark 3 Rdv4.0?

If you're in the security industry, you've probably already heard of the Proxmark. For those who haven't, here's a quick, simple background on the project and device. The Proxmark 3.0 Rdv4 is one of many revisions of the open-source Proxmark device project that is designed to allow for RFID reading, sniffing, and manipulation. RFID is widely used across many industries in many implementations – even more so in China. It's difficult to pass by a single day without having been in contact with at least multiple RFID technology enabled devices. The most common device I'd often see are doors, but there are also implementations in which RFID can be used to track purchases for next-generation stores that do not have tills. I've even found recently that some high-end luxury brands would use RFID for authenticity signatures.

In practical, yet simple terms, the Proxmark 3.0 RDv4 allows the user to read, and write the contents of RFID chips. One of the most common attacks that we'd utilise as an offensive security professional is cloning. Regardless of the encryption, as long as there's no time-based or OTP material, any encrypted contents, whether signed or not, can be simply cloned, replayed, and used to broadcast the same signal.

Some photos of the Proxmark 3.0 RDv4 project that Dennis and Olaf have been working on:

You might be thinking why there's no antenna. The RDv4 has an enclosure which prevents the device from being revealed. The device also supports standalone mode and can be concealed nicely for reading RFID data. The only issue is the proximity required to read. The current implementation and proximity can be utilised in an attack and would most definitely succeed. However, a long-range reader would be more effective given the theoretical transmission distances of each RFID type.

Low Frequency vs High Frequency RFID

In general, there's two main RFID categories we work with. Low Frequency and High Frequency. Key facts for us to digest and understand:

  • Low Frequency operates at 125kHz – 134.3 kHz and the theoretical read distance is usually 30cm to as low as 10cm.

    • Used for items such as door key fobs that we often see

  • High Frequency operates at 13.56Mhz and the theoretical read distance is generally about 1m.

    • Used for items such as hotel door keys, and certain store membership cards.

Other RFID categories that I don't think Proxmark supports, but we should know exists:

  • Ultra-High Frequency operates at 860 – 960 MHz. 1st generation read distance over 1m. 2nd generation read distance up to 12m. Newest generation read distance up to 50m.

Getting the Proxmark 3 Rdv4.0 working

I had some issues getting the Proxmark 3 working out of the box. I tried to run it in Linux and the firmware wasn’t working, or something along those lines. I went and plugged into Windows and ran a firmware flash from the latest Gator package available here: http://www.proxmark.net/forum/viewtopic.php?id=3975

After doing so, running the client was fine. Just execute: proxmark.exe <COM port> To get the COM port just open devmgmt.msc and check the port the device is connected on.

Cloning Low Frequency Tag

In this post I'll quickly go over a low frequency tag clone that I did for a target this week. I won’t go into high frequency in this blog post. Ensure device is working by using: hw tune Place target tag on reader. Type: hw tune If voltage goes down on either RF or LF, you know which frequency the tag is. If LF goes down, it's LF. To read the tag type: lf search Read the contents: lf em 410xwatch

Example:

Checking for known tags:

EM410x pattern found:

EM TAG ID      : A600YYYYY

Possible de-scramble patterns
Unique TAG ID  : 6C000215F5
HoneyWell IdentKey {
DEZ 8          : 0423xxxx
DEZ 10         : 000423xxxx
DEZ 5.5        : 000xx.xxxxx
DEZ 3.5A       : 05x.xxxxx
DEZ 3.5B       : 00x.xxxxx
DEZ 3.5C       : 06x.xxxxx
DEZ 14/IK2     : xxxx19xxxxxxxx
DEZ 15/IK3     : xxxxx38xxxxxxxx
DEZ 20/ZK      : xxxxxx000002xxxxxxxx
}
Other          : xxxx3_0x4_042xxxxx
Pattern Paxton : 9115xxxxx [0x36xxxxxx]
Pattern 1      : 840xxxx [0x80xxxx]
Pattern Sebury : 43xxx 6x 423xxxx  [0xAxxx 0x4x 0x4xxxx]

Valid EM410x ID Found!

Place the destination tag on the reader: lf em 410xwrite <EMTAGID> 1 lf em 410xwrite A600YYYYY 1

Conclusion

Okay, hope you all learned something. Hope to share more posts in the future as a result of Dennis and Olaf's work! They’ve got some pretty interesting gadgets in the pipeline – I'd definitely recommend looking out for!

Credits

Iceman - Proxmark 0xFFFF - Proxmark Vincent Yiu

Last updated