sotoncyber/proxmark3-demo
Wtf is this

This is a card cloning demo we use for bunfight, science and engineering day, and basically every other stall we ever have to do. The intended setup is one laptop running the door (door.py) and one laptop running the card cloner.

See below for instructions on how to set up and run the stall.

How to set up

  1. If you are on Windows, install WSL and follow all of the following instructions inside WSL. Then you will need to use usbipd to bind the proxmark serial port to WSL. You will need to do this every time you start WSL.

  2. Follow the relevant installation instructions under the proxmark3 repo to get a working installation of the Iceman Proxmark3 software in WSL. You must clone and compile the proxmark3 repository in this directory. When you are done, you should have a proxmark3 folder in this directory, containing the Proxmark3 executables (pm3, pm3-flash, pm3-flash-all, etc).

  3. Connect a proxmark.

  4. Ensure the firmware is up to date by running the pm3-flash-all script in proxmark3. (If this fails or hangs, disconnect the proxmark, run the script again, and then while it's running reconnect the proxmark).

  5. Ensure you have Python 3 installed (sudo apt-get install python3 if not).

  6. Install Pip and Tkinter with:
     sudo apt-get install python3-tk
     python3 -m ensurepip
     (On Debian/Ubuntu the Tkinter package is python3-tk; it is installed from apt, not via pip.)

  7. You should now be able to run all the scripts in this repository.

How to run

  1. Decide whether you want to use the GUI for cloning cards or the CLI. Use GUI for young audiences (e.g. science and engineering day) and CLI for older audiences (e.g. bunfight).

  2. Get door.py running on one laptop and card_cloner.py (GUI) or ./proxmark3/pm3 (CLI) running on another laptop.

  3. Write employee UIDs to a few of the cards (these are labelled 'CEO', 'Janitor', etc.) using python3 card_admin_tools.py setemployee. Make sure all the other cards have random UIDs using python3 card_admin_tools.py setrandom.

  4. When an attendee gets to your stall, show them that one of the employee cards (CEO) can open the door but one of the blank cards cannot.

  5. Briefly explain that they are a 'baddie' or something trying to get into the CEO's office or somewhere else they shouldn't be, and they have found the employee card on their desk. They want to make a copy of the card so they can access the CEO's office whenever they want.

If using card_cloner.py:

  1. Get them to place the employee card onto the proxmark and then press the 'read' button to read the card's ID.

  2. Get them to place the blank card onto the proxmark and then press the 'write' button to write the ID on screen.

  3. Get them to unlock the door using their no-longer-blank ID card.

  4. Put the ID card back on the scanner and press 5 on your keyboard; this will reset the card to have a random ID and reset the GUI.

If using the command line:

(You should have these instructions on a sheet of paper or something which they can reference)

  1. Get them to place the employee card onto the proxmark and run hf mf rdbl --blk 0 to read the card's ID. Explain that the first 4 bytes (eg 00 56 78 BB) are the ID.

  2. Get them to place the blank card onto the proxmark and run hf mf csetuid -u <(the id they read)> - e.g. hf mf csetuid -u 115678bb

  3. Get them to unlock the door using their no-longer-blank ID card.

  4. Reset the card by running python3 card_admin_tools.py setrandom.

Both GUI and CLI

  1. If asked, explain patiently to student/parent/whoever that no, you cannot in fact clone their ID card and it may be illegal to do it outside of a controlled environment.

Admin tools

There are some admin tools for reading card IDs, setting a random ID, setting a specific ID, etc., in card_admin_tools.py.

How it works

It's useful to know a bit about this to answer any questions people may have.

  • RFID cards actually have a microchip inside them

  • The microchip is actually powered on by the scanner when you touch the card to the scanner (I still cannot get over how cool this is like what the hell?)

  • Many RFID cards are pretty useless in terms of security

  • Variety of reasons for this

    • Mostly lack of encryption or weak encryption
    • Default or common IDs used e.g. ff ff ff ff
    • Good encryption is difficult
    • More secure cards tend to be expensive and management does not like hearing the word 'expensive'
  • Cards used in this session are still very widespread

    • They use the CRYPTO1 algorithm (which has been EXTENSIVELY REVERSE ENGINEERED and has a WIDE RANGE OF VULNERABILITIES), and CRYPTO1 is still used in many RFID cards TO THIS DAY
  • Important note: in reality it's often not as simple as just reading and writing the UID

    • You might need to break some encryption particularly on more secure cards
    • On some cards it might not be possible to break the encryption
    • You need a magic card to write the UID to
  • Oh also, you often can't just arbitrarily set the UID, many cards don't allow this to be changed after manufacture - you have to get a 'magic card' which allows the UID to be set
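To make the "the UID is the whole credential" point concrete, here is an added example (not the repo's door.py or card_admin_tools.py) of the check a UID-only door makes: it parses a MIFARE Classic block 0 as printed by hf mf rdbl --blk 0, pulls out the first 4 bytes as the UID, verifies the BCC byte, and looks the UID up in an allow-list. The employee list, the sample block 0 dumps and the function names are all constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Block0:
    """Fields of a MIFARE Classic 1K block 0 (manufacturer block)."""
    uid: bytes           # bytes 0-3: the 4-byte UID the door keys on
    bcc: int             # byte 4: XOR of the four UID bytes
    sak: int             # byte 5
    atqa: bytes          # bytes 6-7
    manufacturer: bytes  # bytes 8-15


def parse_block0(hexdump: str) -> Block0:
    """Parse the 16-byte block 0 hex string from `hf mf rdbl --blk 0` (spaces optional)."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    if len(raw) != 16:
        raise ValueError(f"block 0 must be 16 bytes, got {len(raw)}")
    return Block0(uid=raw[0:4], bcc=raw[4], sak=raw[5],
                  atqa=raw[6:8], manufacturer=raw[8:16])


def bcc_ok(block: Block0) -> bool:
    """The BCC must equal UID[0]^UID[1]^UID[2]^UID[3]; a mismatch means a corrupt or badly written block 0."""
    expected = 0
    for b in block.uid:
        expected ^= b
    return expected == block.bcc


# Constructed allow-list in the spirit of the 'CEO' / 'Janitor' employee cards.
# The CEO UID is the one used in the CLI walkthrough above.
EMPLOYEES = {
    bytes.fromhex("115678bb"): "CEO",
    bytes.fromhex("0a1b2c3d"): "Janitor",
}


def door_decision(hexdump: str) -> str:
    """A UID-only door: any card whose block 0 carries the same UID bytes is indistinguishable from the original, which is exactly why the demo works."""
    block = parse_block0(hexdump)
    if not bcc_ok(block):
        return "DENY (BCC mismatch)"
    who = EMPLOYEES.get(block.uid)
    return f"OPEN for {who}" if who else "DENY (unknown UID)"


# Constructed block 0 dumps (SAK 08 / ATQA 0004 as on a typical Classic 1K).
EMPLOYEE_BLOCK0 = "11 56 78 bb 84 08 04 00 62 63 64 65 66 67 68 69"
RANDOM_BLOCK0 = "0f 3a 91 c4 60 08 04 00 62 63 64 65 66 67 68 69"
CORRUPT_BLOCK0 = "11 56 78 bb 00 08 04 00 62 63 64 65 66 67 68 69"
```

Running door_decision on EMPLOYEE_BLOCK0 opens the door, RANDOM_BLOCK0 is denied, and a magic card written with the CEO's block 0 yields byte-for-byte the same dump, so the door has no way to tell the clone from the original.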
