
Long Range RFID Thief

Red Teaming + Social Engineering + Physical Security | krptyk | October 21, 2023

Background

The Tastic RFID Thief was created nearly ten years ago, and it only seemed fitting to bring this up again since, well, it still works today. Why does it still work? Well, replacing an entire building's access control system is extremely expensive, so outdated technology is left in place since theoretically it does the job and still works fine.

It would be remiss of me if I didn’t call out the original creators of this idea: the groundwork for this whole project, and the props, go to Bishop Fox. The implementation that I am sharing below utilises a similar but easier way to grab the Wiegand data from the victim. This implementation utilises an ESPKey as the method to take that data and store it for later use. Once taken, we can then write the data to a blank RFID card to gain credentialed access imitating the victim's entry credentials. How does it work? The video below gives a pretty succinct overview of the process (Christian Slater didn’t need to actually bump into the person though):

For a quick primer on what we are doing, we have a long range RFID reader, the kind you find at apartment car parks. They’re set up to power up and read cards from a distance so it is easier to gain entry without exiting your vehicle. Find more details around the long range card reader here: HID Proximity MaxiProx 5375. Accompanying this is the ESPKey, which is how we will get the specific Wiegand data.

What is an ESPKey? Well, according to one of the manufacturers, it “is an advanced implantable logic analyzer and debugging tool designed for use with any device using the Wiegand communication protocol. It has a built-in Wireless LAN communication module and can store up to 80,000 unique credential bitstreams in non-volatile memory, depending on credential bit format. The credential bitstream may be retrieved or “replayed” on demand by connecting to the built-in web interface from any mobile device or computer with a web browser.”

Those of you with a keen eye may have noticed in the text that this little device can replay credentials, and you are correct. You can actually implant this device onto the data 0 and data 1 lines (don’t forget ground and power) of a live card reader unit and, with a single tap of a button on your phone, you can enter that restricted building without even needing a credentialed card / tag (you’re just replaying the data across the lines of someone else’s credentials).

Safety and Legal Disclaimer: This project involves working with electronics and card scanning, which may have safety risks and legal restrictions. Prioritise safety precautions, and ensure that you adhere to all relevant laws and ethical standards regarding card scanning and data privacy. I am not responsible for your actions.

Parts Required:

  • HID Proximity MaxiProx 5375 125 kHz long range proximity reader
  • ESPKey
  • 2 x Rocker Switches
  • 6 x 18650 Rechargeable Batteries 2600mAh 3.7v
  • 3 x Dual 18650 Battery Holders
  • DC-DC Boost Module
  • DC-DC Buck Module

Schematic:

Below is the schematic with the connections that we need to make. You’ll notice below that mine differs slightly from this. I had issues using the exact same setup as this schematic, mainly with the range of the reader being too low to be acceptable with the batteries powering the reader and the ESPKey at the same time, so I added two 18650s to power the ESPKey separately and four 18650s to power the reader. I also found a better read range putting the boost module at 24v as opposed to 12v (to do this you’ll have to move the P2 shunt to 2/3 from 1/2; more details later). Also, I had issues getting clean Wiegand data when the ground line of the reader was not connected to the ESPKey.

Credit: NETSPI

Internal View

This is the internal view of how everything will look once it is all wired (I wouldn’t say correctly since I am not an electrical engineer, so copy me at your own risk). So let's break this down into manageable steps, because right now it does not look as simple as it really is.

Step 1: Batteries, Boost Module and Reader

The first thing in this process is to set up the boost module and the batteries. For this step you’ll need:

  • HID Proximity MaxiProx 5375 125 kHz long range proximity reader
  • 1 x Rocker Switch
  • 4 x 18650 Rechargeable Batteries 2600mAh 3.7v
  • 2 x Dual 18650 Battery Holders
  • DC-DC Boost Module
  • Soldering Iron & Solder

A quick note: before soldering anything, I’d suggest cutting the hole in the back plate and gluing your rocker switch in (not upside down like I did… If you wonder why the +, – and Ground are different on the rocker switches, I just installed one the opposite way by accident).

Remember: Do not do any of the following steps with batteries in the holders.

I have soldered the batteries in parallel but the holders are in series, so this effectively doubles the voltage of the batteries from 3.7 to 7.4, and then putting them in parallel will keep the voltage the same. From here we boost to 24v using the potentiometer:

While I personally haven’t had any issues, I haven’t run this for extended periods of time so whether it is safe to convert from 7.4v in parallel to 24v I am not sure (that’s if my calculations are even correct in the first place! So again, do so at your own risk and if you can confirm my hypothesis above please let me know).

OK, so once you are done not copying me, have actually researched whether it is safe and have made your own decision, we connect the positive and ground to the rocker switch. Then we take the power out and ground out and connect them to the boost module. Before connecting anything to the reader, we need to set the boost module to 24v (or 12v if you went that route) and change the voltage shunt (P2).

This is the voltage shunt, currently set at 24v which is pins 2 & 3. If you are using the 12v configuration, put it on pins 1 & 2 – See the picture below:

Once you’ve set your boost module correctly, take the power (+) and ground (-) out from the boost module and connect them to TB1-1 for power and TB1-3 for the ground on the reader.

Below is my very poor attempt to make the connections a little easier to understand:

With this setup, you should now be able to turn your unit on using the rocker switch; you will hear the startup beeps and the lights will turn on. At this point you will also be able to read card data, but it won’t go anywhere since there is nothing connected to data 0 and 1.

Step 2: Buck Module and ESPKey

Now that we have successfully set up the first phase of this process, powering the reader, we need to have somewhere for the data that is read to be output to. For this part you will need:

  • 1 x Rocker Switch
  • 2 x 18650 Rechargeable Batteries 2600mAh 3.7v
  • 1 x Dual 18650 Battery Holder
  • DC-DC Buck Module
  • Soldering Iron & Solder

I won’t go into much detail on how the ESPKey works but you can read all about it here. One thing I will call out is which wires to connect to the ESPKey with reference to this image:

You might be asking, why are my wires different colours to what is outlined in the image above? Truth is I just used what I had lying around but the reason I call out this image is if you find yourself working on a door unit, these colours will likely match what is outlined above. In our case it will be:

  • Data 1 | TB2-2 = Purple
  • Data 0 | TB2-1 = Blue
  • Ground | = Black
  • Power | = Red

I called out TB2-1/2 above as that is what they are defined as by the reader:

Follow the schematic below to connect the 18650s to the buck module and set the voltage from the buck module to 5v (looking at the image above for the ESPKey, the voltage it can handle is 4.5-18v, so 5v will be safe). My buck module doesn’t have a display, and if you are in the same boat, get your voltmeter out and struggle like I did to hold the voltmeter and adjust the voltage at the same time. For a close-up of the correct wiring of this process see below. A few key points that I want to point out. I mentioned earlier that I had trouble getting clean data; that was resolved once I added a second ground to TB1-3 and put that in the ESPKey as well as the ground from the buck module. (I spent a bit of time on the phone with HID trying to figure this out. They thought I was an apprentice installer from down under struggling to get the installation correct before my boss came back. I don’t think they would have helped if they knew what I was actually doing.)

So once that’s all finished the final product should look something similar to the following:

Once this is all complete, it's time to test the unit and see if we can get the data and how far we can get it from. When the unit reads a card it should emit a loud beep; this will let you know your unit is reading correctly, and the light will briefly flash green before going back to red.

Whenever the reader successfully reads a tag / pass, this data will be sent to the ESPKey and we can use the ESPKey’s local WiFi and web interface to read the card data. This is where the ESPKey really shines: you can simply have your phone out and see the data collected in real time.

Now that we have scanned a pass, we can look at the ESPKey’s web interface and see the data:

There you have it, now you have the ability to read HID 26 Bit, H10301 format cards from a distance, but remember, scanning tags / passes / cards without consent is illegal.
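To make the 26-bit H10301 frame mentioned above concrete, here is an added example (not code from this post or from the ESPKey project) that decodes one frame and checks its parity. It assumes the standard H10301 layout of one even-parity bit, an 8-bit facility code, a 16-bit card number and one odd-parity bit, and it runs on a constructed sample bitstream. The two parity bits are the only checks in the frame: they reject noisy reads like the ones caused by the missing ground, but the frame holds no secret and nothing that changes between reads.

```python
"""Decode a 26-bit Wiegand (HID H10301) frame and verify its two parity bits."""
from typing import NamedTuple

# Constructed sample frame (not a real credential): facility code 42, card 1337.
SAMPLE = "10010101000000101001110011"


class H10301(NamedTuple):
    facility_code: int  # bits 2-9, range 0-255
    card_number: int    # bits 10-25, range 0-65535


def decode_h10301(bits: str) -> H10301:
    """Parse 26 '0'/'1' characters, first transmitted bit first."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 binary digits")
    b = [int(c) for c in bits]
    # Bit 1 is even parity: bits 1-13 together must hold an even number of ones.
    if sum(b[0:13]) % 2 != 0:
        raise ValueError("leading even-parity check failed")
    # Bit 26 is odd parity: bits 14-26 together must hold an odd number of ones.
    if sum(b[13:26]) % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    return H10301(int(bits[1:9], 2), int(bits[9:25], 2))


def triage(frames):
    """Split captured frames into decoded credentials and rejected noisy reads."""
    good, bad = [], []
    for frame in frames:
        try:
            good.append(decode_h10301(frame))
        except ValueError as err:
            bad.append((frame, str(err)))
    return good, bad


if __name__ == "__main__":
    # One clean frame, one with a single flipped bit, one truncated read.
    noisy = SAMPLE[:5] + ("1" if SAMPLE[5] == "0" else "0") + SAMPLE[6:]
    good, bad = triage([SAMPLE, noisy, SAMPLE[:25]])
    print(good)
    for frame, reason in bad:
        print(frame, "->", reason)
```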

Written by: krptyk
