Traditional RFID badge cloning methods require you to be within 3 feet of your target, so how can you conduct a socially distanced physical penetration test and clone a badge if you must stay at least 6 feet from a person? Since 2020, companies have increasingly adopted a hybrid work environment, allowing employees to partially work remotely which has decreased the amount of foot traffic in and out of a building at any given time. So after throwing around some ideas I thought, why not create a mobile long-range reader device that we could deploy early in the morning at a client site and let it do all the work for us. This project guide contains an entry-level hardware design that you can build in a day and deploy in the field in order to increase your chances of remotely cloning an RFID badge.
This is part of a full paper and talk given during DEFCON 30 in the Physical Bypass Village and Radio Frequency Village titled: Keeping Your Distance: Pwning RFID Physical Access Controls From 6FT and Beyond by myself and Twitter: @_badcharacters (YouTube Link Coming Soon). Here's the full build guide for making your own RFID Goosneck Long Range Reader!
Disclaimer: This guide is for educational and ethical hacking purposes ONLY. All penetrtation testing activities must be authorized by all relevant parties.
Ok, let's do this.
- MDF or Plywood (16"x16"x0.5")
- Non-Slip Furniture Feet: https://a.co/d/8oR8tHj
- Pedestal Pro 36"H Gooseneck: https://bit.ly/3bCz6go
- 3/8" x 1 1/4" Carriage Bolts and Wing Nuts and Washers (Quantity of 6 each)
- Black Spray Paint
- If you have access to a laser cutter or a ShopBot, feel free to download the "GooseneckBaseMK2Template_sh0ck" template file(s) or cut out your own 16"x16" piece of MDF or plywood.
- Center the gooseneck pedestal and place the edge of the base approximately 1.25" away from the edge of the base. The 1.25" (3.175cm) distance from the edge will counter-balance the weight of the long-range reader so it will not tip over when installed.
- Next trace and drill the 3/8" mounting holes.
- Spray the base with a matte black color of your choice.
- When the paint is dry, drill the non-slip furniture feet onto the bottom of the base.
Last, fasten the pedastal to the wooden base with bolts and wingnuts. Then place the pedastal cover over top to conceal the screws.
Let's build the long-range reader cloning device.
- ESP RFID Tool: https://hackerwarehouse.com/product/esp-rfid-tool/
- Low-Frequency Long Range Reader (e.g. HID MaxiProx 5375) OR High-Frequency Long Range Reader (e.g. HID iCLASS SE R90)
- Breadboard Jumper Wires - 3.9in (10cm): https://a.co/d/fja090p
- 22AWG Wire: https://a.co/d/h7bbBom
- 18AWG 12V 5A DC Power Pigtail Barrel Plug Connector Cable: https://a.co/d/7l56UFQ
- 12V 6000mAh/5V 12000mAh DC Battery: https://a.co/d/9czvggQ
- 3M Dual Lock Clear Velcro: https://a.co/d/gg4SzBd
Below is an example of the wiring guide to connect to a long-range reader with screw-in terminals using the ESP RFID Tool. Use the color coded male-to-male breadboard wires to connect the two terminal interfaces between the Wiegand system and the ESP RFID Tool as seen below.
- Then connect the 12V 5A DC Power Pigtail Barrel Plug Male Connector cable into the Wiegand system (HID iClass SE R90 pictured) and trail the cable to the outside of the reader so you can plug it into the 12V 6000mAh DC Battery.
Note: For various configurations, check out the official ESP RFID Tool wiring guide here: https://github.com/rfidtool/ESP-RFID-Tool/blob/master/Installation-Schematics/README.md
If you would like an alternative raspberry pi cloning device setup, I HIGHLY RECOMMEND checking out Mike Kelly's (Twitter @lixmk) Wiegotcha – RFID Thief guide: http://exfil.co/2017/01/17/wiegotcha-rfid-thief/
Depending onthe reader, you will need to find the correct mounting hole guide for each. You will have to manually drill holes into the back of the reader in order to center it to the gooseneck pedastal with carriage bolts and nuts. Below is an example mount guide for the HID iCLASS R90.
iCLASS SE Mounting and User Guide: https://fccid.io/JQ6-ICLASSU90/User-Manual/User-Manual-2360366
HID iClass R90 Gooseneck finished look:
To remain incognito while at the client site, cloning a card via an Android phone will keep the lowest profile rather than fidling with a laptop when you need to copy the card data.
- Android Phone or Tablet of your choice
- AndProx Android App: https://github.com/AndProx/AndProx
- Proxmark3 Easy (available on eBay or AliExpress)
- USB OTG Cable - Type C To Micro: https://a.co/d/4HGdBqh
- RFID T5557 Rewritable Cards: https://a.co/d/0NF2zJG
- 3D Printed Case (optional): https://www.thingiverse.com/thing:3123482
Once the implant is in place and a few employees have walked past the gooseneck reader, hop onto your phone and log into your the RFID ESP Key SSID to look for loot. The default SSID is "ESP-RFID-Tool" but it is recommended to change the name to something that will blend into the target environment. In order to change the SSID and password protect the ESP RFID Tool wifi (and not leak all your client's credentials to the world), jump over to the configuration page to customize the settings.
- Default SSID: ESP-RFID-Tool
- URL: http://192.168.1.1
Default credentials to access the configuration page:
- Username: admin
- Password: rfidtool
(Full ESP RFID Tool user guide here: https://github.com/rfidtool/ESP-RFID-Tool)
Once you're on the ESP RFID Tool WiFi, access HEX Code Data in the "List Exfiltrated Data" Page:
- Download and install AndProx (Root NOT required!): https://github.com/AndProx/AndProx
- Plug in your Proxmark3 via OTG cable
- Click Connect Via USB
- Begin sending commands!
Once your Proxmark3 Easy is connected copy your Hex Code and enter these commands:
lf hid clone [INSERT HEX CODE]
#Example:
lf hid clone 20043C0A73
Verify your card data:
lf search
Boom! Happy Hunting!
Special Shoutouts to the Bill Graydon of the Physical Security Village and Zero_Chaos of the Radio Frequency Village for hosting this talk during DEFCON 30!
- Dib, Alex. "RFID Thief v2.0." July 2018, https://scund00r.com/all/rfid/tutorial/2018/07/12/rfid-theif-v2.html
- Farrell, Michael and Boris Hajduk. "AndProx." July 2021, GitHub, https://github.com/AndProx/AndProx
- Harding, Cory. "ESP-RFID-Tool." March 2018, GitHub, https://github.com/rfidtool/ESP-RFID-Tool
- Kelly, Mike. “Wiegotcha – RFID Thief” January 2017, https://exfil.co/2017/01/17/wiegotcha-rfid-thief/
- Rumble, Rich. "RFID Sniffing Under Your Nose and in Your Face." DerbyCon IX, September 2019, https://www.youtube.com/watch?v=y37j6RDtybQ
- W., Viktor. "Enclosure For Proxmark3 Easy." Thingiverse, September 2018, https://www.thingiverse.com/thing:3123482
- White, Brent and Tim Roberts. "Breaking Into Your Building: A Hacker's Guide to Unauthorized Access." NolaCon 2019, May 2019, https://www.youtube.com/watch?v=eft8PElmQZM