Our Proxmark 3 (and antennae) finally arrived, and we thought we’d take it for a spin. It’s a great little device for physical pentests, allowing us to capture, replay and clone certain RFID tags.
We started off by reading the contents of the Proxmark wiki, to understand (more or less) what we are up against. This proved to be a vitally important step, and we are thankful we had the insight to RTFM a tad bit before.
We opted to install the Proxmark development environment and client tools on Windows XP and the setup guides got us up and talking to our Proxmark in no time at all.
Once booted up, we saw there was an older revision of the bootrom and OS version installed. As we wanted a newer codebase, we decided to build the newest svn version (r621 at the time of this writing) and flash our Proxmark. We downloaded the latest svn code and tried to compile it. The first error we got looked like this:
This was fixed by modifying client/common/Makefile and changing:
The next error we encountered looked like this:
A quick google search suggested including sleep.h in cmdhfepa.c. With this final fix in place, the code compiled, creating client connectivity binaries as well as OS, FPGA and Bootrom images. By following the Proxmark Flashing guide we successfully managed to update the bootrom and OS/FPGA versions on our Proxmark
Once that was done, we verified that everything was updated as expected:
Our next step was to set up a quick testing environment in order to experiment with a few EM410x tags and a reader. We had already set up RFID tags based Windows 7 Log on system, using SparkFuns’ RFID tags experimenters kit and wanted to see if we could read authorized Logon RFID tags and then replay them with the Proxmark.
Once the tag was read by the Proxmark, we attempted to replay it. We issued the following command:
In a couple of seconds, the Proxmark orange led turned on, and our LF antenna was replaying the captured tag. We were able to log on to the Windows system using the Proxmark alone. The following video demonstrates this process.
Once we were able to replay our tag successfully, we started looking into the client code, to see how easy it would be to try to automate the capture and replay of an EM4x tag. This inevitably led us to the cmdlfem4x.c file, where we found the CmdEM410xWatch function. Based on this function, we were able to easily automate the capture and replay by introducing the following new function into cmdlfem4x.c:
We added access to this function by introducing it to the command line options and recompiled our client. Our new function worked as expected – once an em4x tag was identified, it was immediately replayed.
The built in Proxmark standalone mode is able to record and store 2 HID tags and replay them later on. Timing the button pressing is somewhat of an art, but after a bit of fiddling, you get the hang of it. Read more able this feature at the Proxmark Standalone Wiki Page and the source code of appmain.c
We posted a simple patch to demonstrate the addition of the em410xspoof command, as well as archived appmain.c from colligomentis.com on github.