In a previous blog post, I talked about downloading, installing, and using the Proxmark3 for social engineering engagements. This post will build off of the content discussed previously and walk through how to perform a successful bruteforce attack of RFID cards with the tools previously mentioned.
Let’s first determine which type of Proxmark3 device you currently have. Below are examples of the four models which can help you to identify which device you have available for use:
Proxmark3 Original:
Proxmark3 RDv2:
Proxmark3 RDv3:
Proxmark3 RDv4:
While I personally utilize the Proxmark3 RDv2 for bruteforce attacks, I do own the RDv3 model as well but I haven’t used it for this functionality yet. The RDv4 is the latest release and from the functionality listing, it appears as though it can perform everything we would need.
Getting Started
This process can be performed while connected to a computer or in standalone mode, but I would recommend doing this while connected to a computer as you can see the key space being emulated. This is because if a valid card is emulated, you can utilize the key space to clone it to a blank RFID card.
Commands to enter bruteforce mode:
- Hold the side button until the lights flash then release
- The C light should be lit
- Perform a short button press
- The B&C lights should be lit
- Perform a short button press
- The A light should be lit
- Hold the button until lights A&D are lit
- Scan a valid building badge
- Perform a short button press
- Lights A&B&C should be lit
If you opted to connect the Proxmark3 to a computer, you should be seeing the Proxmark3 program attempt to emulate different card numbers. The screenshot below shows utilizing the Proxmark3 and initializing the ProxBrute mode.
Bruteforcing RFIDs RECAP
This process has proven to be very useful in some of the social engineering engagements I have performed. In one instance, my co-workers and I were able to obtain a low-privileged bank branch employee’s badge through various social engineering techniques. Traveling to the bank headquarters after hours, we were able to utilize the initial badge to then perform a successful bruteforce against an externally facing door. In less than 5 minutes, we had gained internal access to the building.
For anyone that might be affected by this type of RFID control system, I would strongly encourage people to review door access logs as this would generate a lot of failed access alerts. Implementing an additional factor (such as a pin code or fingerprint reader) would help mitigate some of the risks of bruteforcing RFID badges.
MORE FROM WHITE OAK SECURITY
White Oak Security is a highly skilled and knowledgeable cyber security testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion.