Oct 11, 2024 12:58:49 PM | Adversarial Simulation Social Engineers Best Friend – Part 2: Bruteforcing RFIDs

In a previous blog post, I talked about downloading, installing, and using the Proxmark3 for social engineering engagements. This post will build off of the content discussed previously and walk through how to perform a successful bruteforce attack of RFID cards with the tools previously mentioned.

Let’s first determine which type of Proxmark3 device you currently have. Below are examples of the four models which can help you to identify which device you have available for use:

Proxmark3 Original:

(image: Proxmark3 Original, White Oak Security)

Proxmark3 RDv2:

(image: Proxmark3 RDv2, White Oak Security)

Proxmark3 RDv3:

(image: Proxmark3 RDv3, White Oak Security)

Proxmark3 RDv4:

(image: Proxmark3 RDv4, White Oak Security)

While I personally utilize the Proxmark3 RDv2 for bruteforce attacks, I do own the RDv3 model as well but I haven’t used it for this functionality yet. The RDv4 is the latest release and from the functionality listing, it appears as though it can perform everything we would need.

Getting Started

This process can be run either in standalone mode or with the Proxmark3 plugged into a computer. I recommend keeping it plugged in, because the client then shows each card ID as it is emulated: when one of them opens the door, you know exactly which ID worked and can write it to a blank RFID card.

Button sequence to enter bruteforce mode:

  1. Hold the side button until the lights flash, then release
    • The C light should be lit
  2. Perform a short button press
    • The B and C lights should be lit
  3. Perform a short button press
    • The A light should be lit
  4. Hold the button until lights A and D are lit
  5. Scan a valid building badge (the bruteforce starts from this card's ID)
  6. Perform a short button press
    • Lights A, B and C should be lit
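The IDs the device cycles through after step 6 are derived from the badge scanned in step 5. The Python below is an added example, not Proxmark3 firmware or ProxBrute code: it encodes and decodes the common 26-bit HID H10301 layout (even parity, 8-bit facility code, 16-bit card number, odd parity) and builds the list of neighbouring IDs a ProxBrute-style run would emulate. The H10301 layout, the keep-the-facility-code-and-decrement strategy, the function names, and the sample facility code 10 / card number 1337 are all assumptions made for illustration.

```python
"""HID H10301 (26-bit) encoder/decoder plus a ProxBrute-style candidate list.

Added example, not Proxmark3 or ProxBrute code. Assumes the badge uses the
26-bit H10301 layout and that the brute force keeps the facility code and
walks the card number away from the captured one (both assumptions).
"""

FC_BITS = 8
CN_BITS = 16
DATA_BITS = FC_BITS + CN_BITS  # 24 data bits; 26 with the two parity bits


def _parity(value):
    """1 if the number of set bits in value is odd, else 0."""
    return bin(value).count("1") & 1


def h10301_encode(facility_code, card_number):
    """Return the 26-bit raw value for a facility code / card number pair."""
    if not 0 <= facility_code < (1 << FC_BITS):
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number < (1 << CN_BITS):
        raise ValueError("card number must fit in 16 bits")
    data = (facility_code << CN_BITS) | card_number
    # Even parity covers the first 12 data bits, odd parity the last 12.
    even = _parity(data >> 12)
    odd = 1 - _parity(data & 0xFFF)
    return (even << 25) | (data << 1) | odd


def h10301_decode(raw):
    """Split a 26-bit raw value into (facility_code, card_number), checking parity."""
    if raw < 0 or raw >> 26:
        raise ValueError("not a 26-bit value")
    data = (raw >> 1) & 0xFFFFFF
    if (raw >> 25) & 1 != _parity(data >> 12):
        raise ValueError("even parity check failed")
    if raw & 1 != 1 - _parity(data & 0xFFF):
        raise ValueError("odd parity check failed")
    return data >> CN_BITS, data & ((1 << CN_BITS) - 1)


def proxbrute_candidates(captured_raw, count, step=-1):
    """Return `count` raw values adjacent to the captured card.

    Keeps the captured facility code and steps the card number (default:
    decrement, since badges issued in one batch tend to carry neighbouring
    numbers). The card number wraps around at the 16-bit boundary.
    """
    fc, cn = h10301_decode(captured_raw)
    return [
        h10301_encode(fc, (cn + i * step) % (1 << CN_BITS))
        for i in range(1, count + 1)
    ]


if __name__ == "__main__":
    # Constructed sample badge: facility code 10, card number 1337.
    raw = h10301_encode(10, 1337)
    print(f"captured: FC=10 CN=1337 raw=0x{raw:07x}")
    for cand in proxbrute_candidates(raw, 5):
        print(f"emulate raw=0x{cand:07x} -> FC/CN {h10301_decode(cand)}")
```

Each value in the returned list is one card the device would emulate in turn; if a reader accepts one, decoding it gives the facility code and card number of the badge to clone. Other HID layouts (37-bit, Corporate 1000) use different field widths and parity rules, so confirm the format the client reports before reusing the encoder.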

If you connected the Proxmark3 to a computer, the client will show the device attempting to emulate a series of card numbers. The screenshot below shows the Proxmark3 initializing ProxBrute mode.

(screenshot: Proxmark3 client output while entering ProxBrute mode, White Oak Security)

Bruteforcing RFIDs RECAP

This process has proven to be very useful in some of the social engineering engagements I have performed. In one instance, my co-workers and I were able to obtain a low-privileged bank branch employee’s badge through various social engineering techniques. Traveling to the bank headquarters after hours, we were able to utilize the initial badge to then perform a successful bruteforce against an externally facing door. In less than 5 minutes, we had gained internal access to the building.

For anyone who might be affected by this type of RFID control system, I would strongly encourage reviewing door access logs, as this attack generates a lot of failed access events. Implementing an additional factor (such as a PIN code or fingerprint reader) would help mitigate some of the risk of bruteforcing RFID badges.
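One way to act on the log-review advice above. The Python below is an added example, not from this post or any access-control vendor: it scans door-controller access logs for a burst of denied reads at a single reader within a short window, notes when the denied card numbers step by one (the signature of a sequential bruteforce), and raises a second alert when a read is granted right after such a burst. The log line format, reader names and card numbers are constructed for the example; real controllers export different fields, so the regex is the part that needs adapting.

```python
"""Flag RFID bruteforce bursts in door access logs.

Added example. The export format below is constructed (hypothetical):
"<ISO timestamp> reader=<name> result=GRANTED|DENIED fc=<n> cn=<n>".
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) reader=(?P<reader>\S+) "
    r"result=(?P<result>GRANTED|DENIED) fc=(?P<fc>\d+) cn=(?P<cn>\d+)$"
)

# Constructed sample: a sequential bruteforce on HQ-NorthDoor that succeeds
# on the eighth card, plus normal traffic at two other readers.
SAMPLE_LOG = """\
2024-10-11T02:13:40 reader=HQ-Lobby result=GRANTED fc=10 cn=2201
2024-10-11T02:14:00 reader=HQ-NorthDoor result=DENIED fc=10 cn=1336
2024-10-11T02:14:08 reader=HQ-NorthDoor result=DENIED fc=10 cn=1335
2024-10-11T02:14:16 reader=HQ-NorthDoor result=DENIED fc=10 cn=1334
2024-10-11T02:14:24 reader=HQ-NorthDoor result=DENIED fc=10 cn=1333
2024-10-11T02:14:32 reader=HQ-NorthDoor result=DENIED fc=10 cn=1332
2024-10-11T02:14:40 reader=HQ-NorthDoor result=DENIED fc=10 cn=1331
2024-10-11T02:14:48 reader=HQ-NorthDoor result=DENIED fc=10 cn=1330
2024-10-11T02:14:56 reader=HQ-NorthDoor result=GRANTED fc=10 cn=1329
2024-10-11T02:20:00 reader=Branch-Front result=DENIED fc=10 cn=4410
2024-10-11T02:20:30 reader=Branch-Front result=DENIED fc=10 cn=4410
2024-10-11T02:20:45 reader=Branch-Front result=GRANTED fc=10 cn=4411
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"]),
        "reader": d["reader"],
        "result": d["result"],
        "fc": int(d["fc"]),
        "cn": int(d["cn"]),
    }


def detect_bruteforce(lines, window=timedelta(seconds=60), threshold=5):
    """Return alerts for readers with >= threshold denied reads inside `window`,
    and for a granted read that follows such a burst within the same window."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # reader -> deque of (ts, cn) for denied reads
    flagged = {}                 # reader -> timestamp of its latest denied read
    alerts = []
    for e in events:
        reader, q = e["reader"], recent[e["reader"]]
        if e["result"] == "DENIED":
            q.append((e["ts"], e["cn"]))
            while q and e["ts"] - q[0][0] > window:
                q.popleft()
            if reader in flagged:
                flagged[reader] = e["ts"]
            elif len(q) >= threshold:
                cns = [cn for _, cn in q]
                steps = {b - a for a, b in zip(cns, cns[1:])}
                alerts.append({
                    "kind": "denied_burst",
                    "reader": reader,
                    "denied": len(q),
                    "first_cn": cns[0],
                    "last_cn": cns[-1],
                    # Every card number one step from the previous: ProxBrute-like.
                    "sequential": steps in ({1}, {-1}),
                })
                flagged[reader] = e["ts"]
        else:
            last = flagged.pop(reader, None)
            if last is not None and e["ts"] - last <= window:
                alerts.append({
                    "kind": "granted_after_burst",
                    "reader": reader,
                    "cn": e["cn"],
                    "denied_before": len(q),
                })
            q.clear()  # a grant ends the episode for this reader
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second alert kind is the one worth paging on: a long run of denied reads followed immediately by a grant at the same reader is what a successful bruteforce looks like in the logs, and it is the point at which the attacker is inside. Tune `threshold` and `window` to the reader's normal mis-read rate so that a single user fumbling a badge does not trip it.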


Written By: Brett DeWall