This project guide contains an entry-level hardware design that you can build in a day and deploy in the field in order to increase your chances of cloning an RFID badge for your red team and ethical hacking engagements.
Use this build together with a simple social engineering interaction with a target. "Hey, we're conducting a badge audit for our annual security audit. Can I see your badge?" Once your target hands over their badge, hover it over the clipboard for about a second and hand it back: you have copied their badge without them being any the wiser.
This is part of a full paper and talk, "Keeping Your Distance: Pwning RFID Physical Access Controls From 6FT and Beyond", given during DEFCON 30, 31 and 32 in the Physical Bypass Village by myself and @_badcharacters (Twitter) (https://www.youtube.com/watch?v=OLLaXOcuYfw). Each year the content is revised and improved to keep up with the latest techniques and gadgets to use in the field. The goal is to conduct a physical pen test without the need for a laptop: only a mobile phone and implant devices!
The content has been updated for DEFCON 32 under the title "Flipping Locks (The Remix): Remote Badge Cloning with the Flipper Zero and More". In this tutorial, you'll learn how to clone the badge loot from your RFID gooseneck reader quickly and easily!
NOTE: iCLASS SE/SEOS Downgrade Attack and Legacy Attack Methods are updated in the latest slide deck from DEF CON 32 (2024) - download the .pdf to review the attack methods.
In this tutorial, you'll learn how to build your own Clipboard Cloner and clone the badge loot quickly and easily!
Disclaimer: This guide is for educational and ethical hacking purposes ONLY. All penetration testing activities must be authorized by all relevant parties.
- Officemate Super Storage Supply Clipboard Case: https://www.amazon.com/gp/product/B07C66Z5RM/
- ESP RFID Tool: https://hackerwarehouse.com/product/esp-rfid-tool/
- Low-Frequency Reader (e.g., HID Prox Pro 5355AGN00 Reader): Check eBay for used units
- Breadboard Jumper Wires - 3.9in (10cm): https://a.co/d/fja090p or 22AWG Wire: https://a.co/d/h7bbBom
- Clipboard Battery - 9V Rechargeable battery: https://www.amazon.com/dp/B0B9G9RQG3/ and 9V Battery Clip Connector: https://www.amazon.com/gp/product/B07P9HK38C/
- Wall Implant Batteries - 2x 3.7V 500mAh LiPo Batteries: https://www.amazon.com/gp/product/B07BTV3W87/ with a JST connector: https://www.amazon.com/gp/product/B07NWD5NTN/ AND a UY connector: https://www.amazon.com/gp/product/B071R2J7JP/
- Low Voltage T-Connector: https://www.amazon.com/dp/B07114RK67/
- 3M Command Adhesive strip: https://www.amazon.com/dp/B004OKKVOC/
Here's an example of the wire connections:
To remain as stealthy as possible, turn off the audible "beep" if the reader allows it. On the HID Prox Pro 5355AGN00 reader, the beep is silenced by pushing DIP switch SW-1 #2 down.
Flip switch SW-1 #2 down to turn off the beeping sound.
Use the 3M strips to secure the badge reader and the 9V battery inside the clipboard so nothing jostles around while you're carrying it.
Your final build will be sleek and sneaky.
Let's take a look at the Wall Implant Remote badge cloner setup. If you want to create a wall implant to stick on a building, use LiPo batteries listed above so you can create an enclosed, all-in-one unit.
Below is an example of the wiring guide to connect to a HID reader with screw-in terminals using the ESP RFID Tool. Use the color-coded male-to-male breadboard wires to connect the two terminal interfaces between the Wiegand system and the ESP RFID Tool, as seen below.
- Then connect the 2x 3.7V 600mAh LiPo batteries in series to power the reader and the ESP RFID Tool. These thin batteries allow you to enclose all parts in the unit so it stays nice and flat.
Here is a picture of the wiring with the batteries connected.
Here's a picture with the batteries connected with an ESPKey Wiegand Interception Tool installed. (https://www.redteamtools.com/espkey)
Note: For various configurations, check out the official ESP RFID Tool wiring guide here: https://github.com/rfidtool/ESP-RFID-Tool/blob/master/Installation-Schematics/README.md
To remain incognito while at the client site, cloning a card with a mobile phone and a Flipper Zero hidden away will keep the lowest profile rather than fiddling with a laptop when you need to copy the card data.
- Mobile Phone (Android or iOS)
- Flipper Zero: https://shop.flipperzero.one/
- Flipper Mobile App: https://docs.flipper.net/mobile-app
- RFID T5557 Rewritable Cards: https://a.co/d/0NF2zJG
Once the implant is in place and a few employees have walked past the gooseneck reader, hop onto your phone and connect to the ESP RFID Tool's Wi-Fi SSID to look for loot. The default SSID is "ESP-RFID-Tool", but it is recommended to change the name to something that blends into the target environment. To change the SSID and password that protect the ESP RFID Tool Wi-Fi (and not leak all your client's credentials to the world), jump over to the configuration page, customize the settings and change all the default passwords.
- Default SSID: ESP-RFID-Tool
- URL: http://192.168.1.1
Default credentials to access the configuration page:
- Username: admin
- Password: rfidtool
(Full ESP RFID Tool user guide here: https://github.com/rfidtool/ESP-RFID-Tool)
Once you're on the ESP RFID Tool Wi-Fi, open the "List Exfiltrated Data" page to view the captured data:
Copy the second half of the binary data:
- 10001111100000101001110011
REMOVE the leading and trailing parity bits:
- 000111110000010100111001
Convert the remaining 24 bits to hex using a binary-to-hex converter on your phone:
- 000111110000010100111001 = 1F 05 39
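The conversion above is the standard HID H10301 (26-bit) layout: one parity bit on each end, an 8-bit facility code and a 16-bit card number in between. The following Python script is an added example, not code from this guide or from the ESP RFID Tool or Flipper projects; it decodes the guide's sample frame, checks both parity bits (a failed check means the bits were copied or captured incorrectly) and returns the same hex the Flipper "Add Manually" dialog expects along with the FC and card number the Flipper shows under Info. The sample frame string is the one printed in the steps above.

```python
"""Decode and sanity-check a 26-bit HID H10301 Wiegand frame.

Added example: not part of the original guide, the ESP RFID Tool or the
Flipper Zero firmware. The field layout is the standard H10301 format.
"""


def decode_h10301(bits: str) -> dict:
    """Parse a 26-bit H10301 frame given as a string of '0'/'1' (MSB first).

    Layout (1-indexed):
      bit 1        even parity over bits 2..13
      bits 2..9    facility code (8 bits)
      bits 10..25  card number (16 bits)
      bit 26       odd parity over bits 14..25

    Returns the 24-bit payload as hex (the value entered into the Flipper),
    the facility code, the card number, and the result of each parity check.
    """
    bits = bits.strip()
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected a 26-character binary string")

    payload = bits[1:25]  # drop the leading and trailing parity bits

    # Even parity: the parity bit plus bits 2..13 must contain an even number of 1s.
    even_ok = bits[0:13].count("1") % 2 == 0
    # Odd parity: bits 14..25 plus the parity bit must contain an odd number of 1s.
    odd_ok = bits[13:26].count("1") % 2 == 1

    return {
        "hex": f"{int(payload, 2):06X}",
        "facility_code": int(payload[0:8], 2),
        "card_number": int(payload[8:24], 2),
        "even_parity_ok": even_ok,
        "odd_parity_ok": odd_ok,
    }


if __name__ == "__main__":
    # Sample input: the 26-bit frame shown in the steps above.
    SAMPLE_FRAME = "10001111100000101001110011"
    result = decode_h10301(SAMPLE_FRAME)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it as-is to see the guide's sample decoded; both parity checks should pass. If either check fails on a frame you copied from the "List Exfiltrated Data" page, recheck the bits before writing a card, because the Flipper will happily save a value whose parity the reader later rejects. From a defensive angle, this is also a compact demonstration of why an unencrypted Wiegand line between reader and controller is considered a weak point: the facility code and card number are sent in the clear and are trivially recoverable from the wire.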
On your Flipper, press the center button and navigate to 125 kHz RFID > Add Manually.
Select HID H10301 and enter the data: 1F0539
Select Save and give the card a name.
Open your saved card > Info to check the FC (Facility Code) and Card Number.
Select your saved card > Write and hold it against a blank T5557 card; it is written in a few seconds.
Boom! Happy Hunting!
Special Shoutouts to the Physical Security Village team for hosting this talk during DEFCON!
For the sake of documentation, I will leave the old method on this page. Finding the exact firmware for the Proxmark3 Easy that works with the now-unsupported AndProx app can be tricky, so it is highly recommended to use the Flipper Zero in the field for the easiest approach. Alternatively, you can use a Proxmark3 RDV4 with the Proxmark hex shown by the ESP RFID Tool.
To remain incognito while at the client site, cloning a card via an Android phone will keep the lowest profile rather than fiddling with a laptop when you need to copy the card data.
- Android Phone or Tablet of your choice
- AndProx Android App: https://github.com/AndProx/AndProx
- Proxmark3 Easy (available on eBay or AliExpress)
- USB OTG Cable - Type C To Micro: https://a.co/d/4HGdBqh
- RFID T5557 Rewritable Cards: https://a.co/d/0NF2zJG
- 3D Printed Case (optional): https://www.thingiverse.com/thing:3123482
Once the implant is in place and a few employees have walked past the gooseneck reader, connect to the ESP RFID Tool Wi-Fi from your phone exactly as described in the Flipper Zero method above (same default SSID, URL and configuration-page credentials, which you should change before deploying).
Once you're on the ESP RFID Tool Wi-Fi, open the "List Exfiltrated Data" page and copy the hex code data:
- Download and install AndProx (Root NOT required!): https://github.com/AndProx/AndProx
- Plug in your Proxmark3 via OTG cable
- Click Connect Via USB
- Begin sending commands!
Once your Proxmark3 Easy is connected, copy your hex code and enter these commands:
```
lf hid clone [INSERT HEX CODE]
# Example:
lf hid clone 20043C0A73
```
Verify your card data:
```
lf search
```
Boom! Happy Hunting!
- Dib, Alex. "RFID Thief v2.0." July 2018, https://scund00r.com/all/rfid/tutorial/2018/07/12/rfid-theif-v2.html
- Farrell, Michael and Boris Hajduk. "AndProx." GitHub, July 2021, https://github.com/AndProx/AndProx
- Harding, Cory. "ESP-RFID-Tool." GitHub, March 2018, https://github.com/rfidtool/ESP-RFID-Tool
- Hughes, Nathan. "Flipper Maker." May 2022, https://flippermaker.github.io
- Kelly, Mike. "Wiegotcha - RFID Thief." January 2017, https://exfil.co/2017/01/17/wiegotcha-rfid-thief/
- Rumble, Rich. "RFID Sniffing Under Your Nose and in Your Face." DerbyCon IX, September 2019, https://www.youtube.com/watch?v=y37j6RDtybQ
- W., Viktor. "Enclosure For Proxmark3 Easy." Thingiverse, September 2018, https://www.thingiverse.com/thing:3123482
- White, Brent and Tim Roberts. "Breaking Into Your Building: A Hacker's Guide to Unauthorized Access." NolaCon 2019, May 2019, https://www.youtube.com/watch?v=eft8PElmQZM