
RFID – A Social Engineer's Best Friend – Part 2 (Bruteforce)

In a previous blog post I talked about downloading, installing, and using the Proxmark3 for social engineering engagements. This post builds on that content and walks through how to perform a successful bruteforce attack against RFID cards with the tools previously mentioned.

Let's first determine which type of Proxmark3 device you have. Below are examples of the four models to help you identify which device you have available:

Proxmark3 Original:

Proxmark3 RDv2:

Proxmark3 RDv3:

Proxmark3 RDv4:

While I personally use the Proxmark3 RDv2 for bruteforce attacks, I also own the RDv3 model but have not used it for this purpose yet. The RDv4 is the latest release and, judging from its feature list, it appears to support everything needed here.

Getting Started

This process can be performed while connected to a computer or in standalone mode, but I recommend staying connected to a computer so you can watch the key space being emulated. That matters because, if a valid card is emulated, you can use that key space to clone it onto a blank RFID card.

Commands to enter bruteforce mode:

  1. Hold the side button until the lights flash then release
    • The C light should be lit
  2. Perform a short button press
    • The B&C lights should be lit
  3. Perform a short button press
    • The A light should be lit
  4. Hold the button until lights A&D are lit
  5. Scan a valid building badge
  6. Perform a short button press
    • Lights A&B&C should be lit

If you opted to connect the Proxmark3 to a computer, you should see the Proxmark3 client attempting to emulate different card numbers. The screenshot below shows the Proxmark3 initializing ProxBrute mode.

Recap

This process has proven very useful in some of the social engineering engagements I have performed. In one instance, my co-workers and I obtained a low-privileged bank branch employee's badge through various social engineering techniques. Traveling to the bank headquarters after hours, we used that initial badge to perform a successful bruteforce against an externally facing door. In less than 5 minutes we had gained internal access to the building.

For anyone who might be affected by this type of RFID access control system, I strongly encourage reviewing door access logs, since a bruteforce attempt generates a large number of failed access alerts in a short period. Implementing an additional factor (such as a PIN code or fingerprint reader) would help mitigate some of the risk of bruteforced RFID badges.
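As an added example of the log review recommended above (not code from the original post or from the Proxmark3 project), the following script flags a reader that sees a burst of failed reads from many different badge numbers inside a short window. The log format, reader names, badge numbers and thresholds are all constructed assumptions; a real door controller's export will need its own parser, but the detection logic is the same.

```python
"""Flag RFID badge bruteforce attempts in door-controller access logs.

Assumed log format (constructed for this example, one event per line):
    <ISO-8601 timestamp> <reader name> <GRANTED|DENIED> <badge number>
A legitimate user re-tapping the same badge produces repeated DENIED events
with ONE badge number; a card-number bruteforce produces DENIED events with
MANY distinct, often sequential, badge numbers in a few seconds.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one user fumbling at south-entry, then a burst of
# sequential badge numbers at north-entry that ends in a successful read.
SAMPLE_LOG = """\
2024-03-01T22:01:03 south-entry DENIED 00418822
2024-03-01T22:01:09 south-entry GRANTED 00418822
2024-03-01T22:14:00 north-entry DENIED 00418900
2024-03-01T22:14:01 north-entry DENIED 00418901
2024-03-01T22:14:02 north-entry DENIED 00418902
2024-03-01T22:14:03 north-entry DENIED 00418903
2024-03-01T22:14:04 north-entry DENIED 00418904
2024-03-01T22:14:05 north-entry DENIED 00418905
2024-03-01T22:14:06 north-entry DENIED 00418906
2024-03-01T22:14:07 north-entry DENIED 00418907
2024-03-01T22:14:08 north-entry DENIED 00418908
2024-03-01T22:14:09 north-entry DENIED 00418909
2024-03-01T22:14:10 north-entry GRANTED 00418910
"""


def parse_line(line):
    """Split one log line into a dict; raises ValueError on malformed lines."""
    ts, reader, result, badge = line.split()
    return {"ts": datetime.fromisoformat(ts), "reader": reader,
            "result": result, "badge": badge}


def sequential_ratio(badges):
    """Fraction of consecutive badge pairs whose numeric value differs by 1.
    Close to 1.0 means the numbers were swept in order (a counting bruteforce)."""
    nums = [int(b) for b in badges if b.isdigit()]
    if len(nums) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return steps / (len(nums) - 1)


def detect_bruteforce(lines, threshold=8, window_seconds=60):
    """Return one alert per reader that sees >= `threshold` DENIED events with
    distinct badge numbers inside any `window_seconds` sliding window.
    A GRANTED event on that reader shortly after the burst is recorded too,
    since that is the case where the bruteforce actually succeeded."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # reader -> deque of (ts, badge) DENIED events
    alerts = {}                   # reader -> alert dict (one alert per reader)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_line(line)
        reader = ev["reader"]
        if ev["result"] == "GRANTED":
            a = alerts.get(reader)
            if a and ev["ts"] - a["last_denied"] <= window:
                a["granted_after_burst"] = ev["badge"]
            continue
        q = recent[reader]
        q.append((ev["ts"], ev["badge"]))
        while ev["ts"] - q[0][0] > window:      # drop events outside the window
            q.popleft()
        if reader in alerts:                     # keep extending an open alert
            a = alerts[reader]
            a["denied_count"] += 1
            a["last_denied"] = ev["ts"]
            a["badges"].append(ev["badge"])
        elif len({b for _, b in q}) >= threshold:
            alerts[reader] = {
                "reader": reader,
                "first_denied": q[0][0],
                "last_denied": ev["ts"],
                "denied_count": len(q),
                "badges": [b for _, b in q],
                "granted_after_burst": None,
            }
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{a['reader']}: {a['denied_count']} denied reads, "
              f"{len(set(a['badges']))} distinct badges, "
              f"sequential ratio {sequential_ratio(a['badges']):.2f}, "
              f"granted afterwards: {a['granted_after_burst']}")
```

Keying the threshold on distinct badge numbers rather than raw DENIED counts is what keeps an employee tapping a deactivated badge ten times from paging the on-call engineer; the sequential ratio is a second, cheap signal that the numbers were counted upward rather than read from real cards. A successful GRANTED on the same reader within the window after the burst is the event that should be escalated, because it means the door opened for a badge number that was guessed, not issued.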