Traditional RFID badge cloning methods require you to be within 3 feet of your target, so how can you conduct a socially distanced physical penetration test and clone a badge if you must stay at least 6 feet from a person? Since 2020, companies have increasingly adopted a hybrid work environment, allowing employees to partially work remotely, which has decreased the amount of foot traffic in and out of a building at any given time. After throwing around some ideas, I thought, why not create a mobile long-range reader device that we could deploy early in the morning at a client site and let it do all the work for us. This project guide contains an entry-level hardware design that you can build in a day and deploy in the field in order to increase your chances of remotely cloning an RFID badge.
This is part of a full paper and talk given during DEFCON 30 in the Physical Bypass Village and Radio Frequency Village titled: Keeping Your Distance: Pwning RFID Physical Access Controls From 6FT and Beyond, by myself and @_badcharacters on Twitter (https://www.youtube.com/watch?v=OLLaXOcuYfw).
The content has been updated for DEFCON 31 under the title: Flipping Locks: Remote Badge Cloning with the Flipper Zero. In this tutorial, you'll learn how to clone the badge loot from your RFID Gooseneck reader quickly and easily!
Here's the full build guide for making your own RFID Gooseneck Long Range Reader!
Disclaimer: This guide is for educational and ethical hacking purposes ONLY. All penetration testing activities must be authorized by all relevant parties.
Ok, let's do this.
- MDF or Plywood (16"x16"x0.5")
- Non-Slip Furniture Feet: https://a.co/d/8oR8tHj
- Pedestal Pro 36"H Gooseneck: https://bit.ly/3bCz6go
- 3/8" x 1 1/4" Carriage Bolts and Wing Nuts and Washers (Quantity of 6 each)
- Black Spray Paint
- If you have access to a laser cutter or a ShopBot, feel free to download the "GooseneckBaseMK2Template_sh0ck" template file(s) or cut out your own 16"x16" piece of MDF or plywood.
- Center the gooseneck pedestal on the base and place the edge of the pedestal approximately 1.25" away from the edge of the base. The 1.25" (3.175cm) offset counterbalances the weight of the long-range reader so the unit will not tip over when installed.
- Next, trace and drill the 3/8" mounting holes.
- Spray the base with a matte black color of your choice.
- When the paint is dry, attach the non-slip furniture feet to the bottom of the base.
Last, fasten the pedestal to the wooden base with the carriage bolts and wing nuts. Then place the pedestal cover over the top to conceal the hardware.
Let's build the long-range reader cloning device.
- ESP RFID Tool: https://hackerwarehouse.com/product/esp-rfid-tool/
- Low-Frequency Long Range Reader (e.g., HID MaxiProx 5375) OR High-Frequency Long Range Reader (e.g., HID iCLASS SE R90)
- Breadboard Jumper Wires - 3.9in (10cm): https://a.co/d/fja090p or 22AWG Wire: https://a.co/d/h7bbBom
- 18AWG 12V 5A DC Power Pigtail Barrel Plug Connector Cable: https://a.co/d/7l56UFQ
- 12V 6000mAh/5V 12000mAh DC Battery: https://a.co/d/9czvggQ
- 3M Dual Lock Clear Velcro: https://a.co/d/gg4SzBd
Below is an example wiring guide for connecting the ESP RFID Tool to a long-range reader with screw-in terminals. Use the color-coded male-to-male breadboard wires to connect the two terminal interfaces between the Wiegand system and the ESP RFID Tool, as pictured.
- Then connect the 12V 5A DC Power Pigtail Barrel Plug Male Connector cable into the Wiegand system (HID iClass SE R90 pictured) and trail the cable to the outside of the reader so you can plug it into the 12V 6000mAh DC Battery.
The same wiring applies to the low-frequency HID MaxiProx 5375 reader.
Close-up of HID MaxiProx 5375 Wiring:
WARNING: When working with the HID MaxiProx 5375, make sure you move the jumper on the Shunt Pins from pins 2 and 3 (+21-28.5 VDC, the default) TO pins 1 and 2 (+11.6-20.9 VDC), because we are using a 12V battery. If you do not switch the jumper, you will fry the unit! YOU'VE BEEN WARNED! Double-check the input voltage setting for any reader you are working with, just in case.
To remain as stealthy as possible, it is advised to turn off the audible "beep" if the reader allows you to. In this case, we can silence the beep on the HID MaxiProx 5375 reader by pushing down DIP switch #4 of SW1 (the farthest right of the switch sets).
Image Source: http://exfil.co/2017/01/17/wiegotcha-rfid-thief/
Note: For various configurations, check out the official ESP RFID Tool wiring guide here: https://github.com/rfidtool/ESP-RFID-Tool/blob/master/Installation-Schematics/README.md
If you would like an alternative Raspberry Pi cloning device setup, I HIGHLY RECOMMEND checking out Mike Kelly's (Twitter @lixmk) Wiegotcha – RFID Thief guide: http://exfil.co/2017/01/17/wiegotcha-rfid-thief/
Once you have wired everything, take the 3M Dual Lock Velcro and affix it to the back of the battery and the back of the reader. This ensures the battery stays firmly attached throughout the engagement and looks like it is part of the unit.
HID MaxiProx 5375
HID R90
Depending on the reader, you must find the correct mounting hole guide for each. You will have to manually drill holes into the back of the reader in order to center it to the gooseneck pedestal with carriage bolts and nuts. Below is an example mount guide for the HID iCLASS R90.
iCLASS SE Mounting and User Guide: https://fccid.io/JQ6-ICLASSU90/User-Manual/User-Manual-2360366
HID iClass R90 Gooseneck finished look:
To remain incognito while at the client site, cloning a card with a mobile phone and a Flipper Zero hidden away will keep the lowest profile rather than fiddling with a laptop when you need to copy the card data.
- Mobile Phone (Android or iOS)
- Flipper Zero: https://shop.flipperzero.one/
- Flipper Mobile App: https://docs.flipper.net/mobile-app
- RFID T5557 Rewritable Cards: https://a.co/d/0NF2zJG
Once the implant is in place and a few employees have walked past the gooseneck reader, hop onto your phone and connect to the ESP RFID Tool's Wi-Fi SSID to look for loot. The default SSID is "ESP-RFID-Tool", but it is recommended to change the name to something that will blend into the target environment. In order to change the SSID and password to protect the ESP RFID Tool Wi-Fi (and not leak all your client's credentials to the world), jump over to the configuration page to customize the settings and change all the default passwords.
- Default SSID: ESP-RFID-Tool
- URL: http://192.168.1.1
Default credentials to access the configuration page:
- Username: admin
- Password: rfidtool
(Full ESP RFID Tool user guide here: https://github.com/rfidtool/ESP-RFID-Tool)
Once you're on the ESP RFID Tool WiFi, access Data in the "List Exfiltrated Data" Page:
Copy the second half of the binary data:
- 10001111100000101001110011
REMOVE the leading and trailing parity bits:
- 000111110000010100111001
Take this and convert it into HEX using a Bin-HEX Converter on your phone:
- 000111110000010100111001 = 1F 05 39
On your Flipper, hit the center button and navigate to > 125 kHz RFID > Add Manually
Then Select HID H10301 > Enter the Data: 1F0539
Select Save > Name the card (Enter the desired name)
Select your saved card > Info (in order to look for your FC (Facility Code) and Card Number)
Select your saved card > Write it to a blank T5557 card. In a few seconds...
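To show what the hand conversion above actually does, here is an added Python example (mine, not code from this guide, the ESP RFID Tool project or the Flipper firmware) that decodes a 26-bit HID H10301 frame as the ESP RFID Tool logs it: it checks both parity bits, pulls out the facility code and card number, and emits the 24-bit hex that the Flipper's Add Manually screen expects, then rebuilds the frame from FC and card number so you can confirm a capture was a complete read. Function names are my own. Worth noting from the defensive side: nothing in this frame is encrypted, which is exactly why a tap at the Wiegand terminals sees the same data the door controller does.

```python
# Added example (not from the original guide). Layout of the public H10301
# 26-bit format: bit 1 = even parity over bits 2-13, bits 2-9 = facility code,
# bits 10-25 = card number, bit 26 = odd parity over bits 14-25. Wiegand sends
# this in the clear, so a reader tapped at D0/D1 sees the raw credential.

def decode_h10301(bits: str) -> dict:
    """Validate and decode a 26-bit H10301 frame given as a '0'/'1' string."""
    bits = bits.strip()
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected a 26-bit binary string")
    # Even parity: the leading bit plus bits 2-13 must contain an even number of ones.
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("even parity check failed (leading bit)")
    # Odd parity: bits 14-25 plus the trailing bit must contain an odd number of ones.
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("odd parity check failed (trailing bit)")
    payload = bits[1:25]                            # 24 data bits, parity stripped
    return {
        "facility_code": int(payload[:8], 2),       # bits 2-9
        "card_number": int(payload[8:], 2),         # bits 10-25
        "flipper_hex": f"{int(payload, 2):06X}",    # value for Flipper "Add Manually"
    }


def encode_h10301(facility_code: int, card_number: int) -> str:
    """Rebuild the 26-bit frame from FC/CN, recomputing both parity bits."""
    if not 0 <= facility_code < 256 or not 0 <= card_number < 65536:
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    payload = f"{facility_code:08b}{card_number:016b}"
    even = str(payload[:12].count("1") % 2)         # makes bits 1-13 even
    odd = str((payload[12:].count("1") + 1) % 2)    # makes bits 14-26 odd
    return even + payload + odd


if __name__ == "__main__":
    # The frame the guide walks through by hand (second half of the logged data).
    frame = "10001111100000101001110011"
    info = decode_h10301(frame)
    print(info)  # facility code 31, card number 1337, Flipper hex 1F0539
    assert encode_h10301(info["facility_code"], info["card_number"]) == frame
```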
Boom! Happy Hunting!
Special shoutout to Bill Graydon of the Physical Security Village for hosting this talk during DEFCON 31!
For the sake of documentation, I will leave the old method on this page. But finding the exact firmware for the Proxmark3 Easy can be tricky with the now-unsupported AndProx app, so it is highly recommended to use the Flipper Zero in the field for the easiest approach.
To remain incognito while at the client site, cloning a card via an Android phone will keep a lower profile than fiddling with a laptop when you need to copy the card data.
- Android Phone or Tablet of your choice
- AndProx Android App: https://github.com/AndProx/AndProx
- Proxmark3 Easy (available on eBay or AliExpress)
- USB OTG Cable - Type C To Micro: https://a.co/d/4HGdBqh
- RFID T5557 Rewritable Cards: https://a.co/d/0NF2zJG
- 3D Printed Case (optional): https://www.thingiverse.com/thing:3123482
Once the implant is in place and a few employees have walked past the gooseneck reader, hop onto your phone and connect to the ESP RFID Tool's Wi-Fi SSID to look for loot. The default SSID is "ESP-RFID-Tool", but it is recommended to change the name to something that will blend into the target environment. In order to change the SSID and password to protect the ESP RFID Tool Wi-Fi (and not leak all your client's credentials to the world), jump over to the configuration page to customize the settings and change all the default passwords.
- Default SSID: ESP-RFID-Tool
- URL: http://192.168.1.1
Default credentials to access the configuration page:
- Username: admin
- Password: rfidtool
(Full ESP RFID Tool user guide here: https://github.com/rfidtool/ESP-RFID-Tool)
Once you're on the ESP RFID Tool WiFi, access HEX Code Data in the "List Exfiltrated Data" Page:
- Download and install AndProx (Root NOT required!): https://github.com/AndProx/AndProx
- Plug in your Proxmark3 via OTG cable
- Click Connect Via USB
- Begin sending commands!
Once your Proxmark3 Easy is connected, copy your Hex Code and enter these commands:
lf hid clone [INSERT HEX CODE]
# Example:
lf hid clone 20043C0A73
Verify your card data:
lf search
Boom! Happy Hunting!
Special shoutout to Bill Graydon of the Physical Security Village and Zero_Chaos of the Radio Frequency Village for hosting this talk during DEFCON 30!
- Dib, Alex. "RFID Thief v2.0." July 2018, https://scund00r.com/all/rfid/tutorial/2018/07/12/rfid-theif-v2.html
- Farrell, Michael and Boris Hajduk. "AndProx." July 2021, GitHub, https://github.com/AndProx/AndProx
- Harding, Cory. "ESP-RFID-Tool." March 2018, GitHub, https://github.com/rfidtool/ESP-RFID-Tool
- Hughes, Nathan. "Flipper Maker." May 2022, https://flippermaker.github.io
- Kelly, Mike. "Wiegotcha – RFID Thief." January 2017, https://exfil.co/2017/01/17/wiegotcha-rfid-thief/
- Rumble, Rich. "RFID Sniffing Under Your Nose and in Your Face." DerbyCon IX, September 2019, https://www.youtube.com/watch?v=y37j6RDtybQ
- W., Viktor. "Enclosure For Proxmark3 Easy." Thingiverse, September 2018, https://www.thingiverse.com/thing:3123482
- White, Brent and Tim Roberts. "Breaking Into Your Building: A Hacker's Guide to Unauthorized Access." NolaCon 2019, May 2019, https://www.youtube.com/watch?v=eft8PElmQZM