Getting started with RFID, and NFC for noobs

I could make this a MEGA post from what you have asked, I am instead going to provide it to you in chunks, maybe an LF Post and an HF Post later when you have read and digested this one, you can ask for more…

of course the Search function is really quite good if you want to do your own research

Yeah Buddy you are playing with LF.

HID PROX

The ACR122U, and KBR1 wont work with the LF side
However they will work with the HF side when you start playing with that side.
including your phone ( Probably ) and the Proxmark

For now, you will solely be using the Proxmark3

FYI the Blue Cloner :blue_cloner: is also an option for the HID Prox, It does however put a password on it, which is not a problem if you only ever want to use the blue cloner, otherwise you will need the Proxmark to remove the password

BLUE CLONER
Not that you asked, but here are a couple of Blue Cloner threads that may be / become of interest

Firstly, when your NExT arrives in will be in EM mode, this will need to be changed to HID.
To do this, you are going to need to setup your Proxmark
Assuming you are using windows, you are going to want an install guide, such as this one

If you are using something else, let us know what and I / we can find you another guide

Once you have SUCCESSFULLY it installed, you will just need to learn the commands

I just grabbed you a guide from the interwebs

( just be aware, the syntax may be slightly different but we can step you through it if you get stuck, it will be pretty close )

it is contained within

HID ProxCard

Let’s take a look at the more popular HID ProxCard.

For the Proxcard the numbers on the card are the contents

On the front of the card it has some numbers and the words “HID Proximity”. With some Googling we can ascertain that this is an HID ProxCard which we can clone with some Proxmark commands.

To start off we can search for a supported tag with lf search :

proxmark3> lf search
#db# DownloadFPGA(len: 42096)
Reading 30000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
  if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
HID Prox TAG ID: 2004263f88 (8132) - Format Len: 26bit - FC: 19 - Card: 8132
Valid HID Prox ID Found!

Knowing that it’s definitely a ProxCard we can upgrade to the HID specific commands. We already know the Tag ID ( 2004263f88 ) but we can run lf hid fskdemod to read Proxcards continuously (Push the button on the PM3 to stop scanning):

proxmark3> lf hid fskdemod 
#db# TAG ID: 2004263f88 (8132) - Format Len: 26bit - FC: 19 - Card: 8132                             
#db# Stopped

This Tag ID is directly encoded from the Facility Code (19) and Card ID (8132). You can use some of the online 26 bit Wiegand calculators online to double check this for yourself.

This effectively means that you only need to know those numbers (which are printed on the card itself) to clone the card.

Most low frequency tags don’t have any kind of complex authentication scheme or any protection against replay attacks. It’s a simple matter to scan an existing working card and create a clone. With a high powered reader, one can steal RFID tags from multiple feet away.

With the Tag ID in hand, we now need a blank RFID card that we can clone the Tag ID onto. The best card for this is the T5577 which can emulate a variety of low frequency cards including the two being discussed here (HID ProxCard, EM41000).

I keep T5577 tags in a variety of forms but I get the most requests for keyfobs

With the Tag ID in hand and T5577 ready we can clone simply with:

proxmark3> lf hid clone 2004263f88 
Cloning tag with ID 2004263f88
#db# DONE!

Now the T5577 tag should function as an identical clone to the original ProxCard!

In addition to reading and writing, the PM3 is also capable of simulating an RFID tag but it really isn’t as intuitive as one would like. You generally need to have a computer of some sort connected to the PM3 and have the ability to run commands. The simulation could be useful to a pentester, but reading and writing is all most people need.

I think that is a good first CHUNK of info…

cookie monster

3 Likes