RFID & Access Control
Electronic access control is now a mix of legacy RFID, smartcards, mobile credentials, cloud-managed controllers, and still-too-common weak reader deployments. Offensive badge work is still central, but strong assessments should also explain why the architecture makes cloning, emulation, or downstream abuse possible.
Authorised Testing Only
RFID / NFC Badge Types
| Frequency | Type | Common Use | Clone Difficulty |
|---|---|---|---|
| 125 kHz | HID ProxCard | Legacy access | Easy (no cryptography; read once, write to a T5577 blank) |
| 125 kHz | EM4100 | Basic access | Easy (no cryptography; static 40-bit ID) |
| 13.56 MHz | MIFARE Classic | Access/transit | Medium (Crypto-1 is broken and keys are recoverable; copying the UID needs a "magic" UID-writable card) |
| 13.56 MHz | MIFARE DESFire | Secure access | Hard (AES/3DES mutual authentication; a properly provisioned card has no practical clone path) |
| 13.56 MHz | iCLASS | HID high security | Medium-Hard (legacy iCLASS keys are public; iCLASS SE / SEOS is hard) |
Modern Access-Control Review Points
Credential Questions
- Is the site still using easily cloned 125 kHz credentials?
- Are mobile credentials tied to strong device assurance or just convenience?
- Are temporary badges controlled, logged, and reclaimed?
- Do employees expose badges visually or carry them in scannable positions?
Reader and Controller Questions
- Is reader wiring protected or physically exposed?
- Does the environment still use Wiegand instead of OSDP Secure Channel?
- Are door events monitored or only logged passively?
- Can a cloned or emulated credential reach sensitive zones without secondary friction?
Proxmark3 Commands
Reading Badges
proxmark3> lf search # Detect and identify a low-frequency (125 kHz) card
proxmark3> hf search # Detect and identify a high-frequency (13.56 MHz) card
Clone HID ProxCard (125 kHz)
proxmark3> lf hid read # Read the card; prints the raw ID plus format length, FC and CN
proxmark3> lf hid clone [ID] # Write the raw ID to a T5577 blank (Iceman firmware also accepts lf hid clone -w H10301 --fc [FC] --cn [CN])
Clone EM4100 (125 kHz)
proxmark3> lf em 410x read # Read the 40-bit ID (lf em 410x reader on Iceman firmware)
proxmark3> lf em 410x clone [ID] # Write the ID to a T5577 blank
MIFARE Classic Attack
proxmark3> hf mf autopwn # Tries default keys, then darkside/nested/hardnested as needed, and dumps the card
proxmark3> hf mf dump # Dump all sectors using the recovered keys
proxmark3> hf mf restore # Write a dump to a card; to copy the UID as well the target must be a "magic" (UID-writable) card, since a standard blank keeps its own UID
Brute Force Card Numbers (Reader Attack)
proxmark3> lf hid brute -w H10301 --fc [FC] # Emulate card numbers one after another within facility code [FC]; this attacks the reader, not a card, at one presentation per guess, so it is slow and noisy
Flipper Zero (Portable Alternative)
- 125 kHz RFID → Read → Save (HID Prox, EM4100 and other raw 125 kHz IDs)
- 125 kHz RFID → Saved → Emulate (or Write to a T5577 blank)
- NFC → Read → Save & Emulate (MIFARE Classic sectors are read with the built-in key dictionary; sectors with unknown keys stay unread until the keys are recovered, for example with Proxmark3 autopwn)
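After `hf mf autopwn` / `hf mf dump` the dump itself tells you how the site has keyed its cards, which is what the report needs. The script below, an added example and not code from the page or from the Proxmark3 project, reads a MIFARE Classic 1K dump in the layout Proxmark3 writes (64 blocks of 16 bytes, recovered keys in each sector trailer), flags sectors that still use well-known default keys, decodes the access bits, and points out sectors whose key B is readable with key A. The trailer layout, access-bit encoding and default keys are public MIFARE Classic facts; the sample dump is constructed inline.

```python
"""Check a MIFARE Classic 1K dump for weak keying and access conditions.
Input: the 1024-byte binary that Proxmark3 'hf mf dump' writes (64 blocks of
16 bytes, recovered keys placed in each sector trailer).  Added example, not
code from the page or from the Proxmark3 project; the trailer layout, the
access-bit encoding and the default keys are public MIFARE Classic facts, and
the sample dump is constructed inline."""
from __future__ import annotations

BLOCK_LEN = 16
BLOCKS_PER_SECTOR = 4
SECTORS_1K = 16

# Keys every attacker tries first; a sector still using one is effectively unkeyed.
DEFAULT_KEYS = {
    "ffffffffffff",  # factory / transport key
    "000000000000",
    "a0a1a2a3a4a5",  # MIFARE Application Directory (MAD) key A
    "d3f7d3f7d3f7",  # NFC Forum public key used on NDEF sectors
}

# Data-block rights for each (C1, C2, C3): read / write / increment / decrement.
DATA_ACCESS = {
    (0, 0, 0): "read A|B, write A|B, inc A|B, dec A|B",        # transport config
    (0, 1, 0): "read A|B, write never, inc never, dec never",
    (1, 0, 0): "read A|B, write B, inc never, dec never",
    (1, 1, 0): "read A|B, write B, inc B, dec A|B",
    (0, 0, 1): "read A|B, write never, inc never, dec A|B",
    (0, 1, 1): "read B, write B, inc never, dec never",
    (1, 0, 1): "read B, write never, inc never, dec never",
    (1, 1, 1): "read never, write never, inc never, dec never",
}
# Trailer conditions under which key B can be read with key A (so B protects nothing).
TRAILER_KEY_B_READABLE = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}


def decode_access_bits(ab: bytes) -> dict[int, tuple[int, int, int]]:
    """Map block 0..3 of a sector to (C1, C2, C3) from trailer bytes 6..8.

    Byte 6 = ~C2 | ~C1, byte 7 = C1 | ~C3, byte 8 = C3 | C2 (high nibble | low
    nibble); each nibble holds one bit per block.  The inverted copies are a
    built-in integrity check, so a mismatch means a corrupt or tampered trailer.
    """
    b6, b7, b8 = ab[0], ab[1], ab[2]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    if (~b6 & 0xFF) != ((c2 << 4) | c1) or (~b7 & 0x0F) != c3:
        raise ValueError("access bits and their inverted copies disagree")
    return {blk: ((c1 >> blk) & 1, (c2 >> blk) & 1, (c3 >> blk) & 1) for blk in range(4)}


def analyse_dump(dump: bytes) -> list[dict]:
    """One report entry per sector: keys, default-key flags, access conditions."""
    if len(dump) != SECTORS_1K * BLOCKS_PER_SECTOR * BLOCK_LEN:
        raise ValueError("expected a 1024-byte MIFARE Classic 1K dump")
    report = []
    for s in range(SECTORS_1K):
        start = (s * BLOCKS_PER_SECTOR + 3) * BLOCK_LEN      # sector trailer block
        trailer = dump[start:start + BLOCK_LEN]
        key_a, access, key_b = trailer[:6].hex(), trailer[6:9], trailer[10:].hex()
        conds = decode_access_bits(access)
        report.append({
            "sector": s,
            "key_a": key_a,
            "key_b": key_b,
            "default_key_a": key_a in DEFAULT_KEYS,
            "default_key_b": key_b in DEFAULT_KEYS,
            "key_b_readable": conds[3] in TRAILER_KEY_B_READABLE,
            "data_access": [DATA_ACCESS[conds[b]] for b in range(3)],
            "trailer": conds[3],
        })
    return report


def weak_sectors(report: list[dict]) -> list[int]:
    """Sectors an attacker gets into with a default key or by reading key B."""
    return [r["sector"] for r in report
            if r["default_key_a"] or r["default_key_b"] or r["key_b_readable"]]


def build_sample_dump() -> bytes:
    """Constructed dump: sectors 0-14 left in transport configuration, sector 15
    re-keyed with data blocks readable by A|B and writable by B only."""
    manufacturer = bytes.fromhex("deadbeef22" "0804006263646566676869")  # UID, BCC, SAK/ATQA, vendor data (made up)
    transport = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")
    rekeyed = bytes.fromhex("a1b2c3d4e5f6" "787788" "69" "0f1e2d3c4b5a")  # C1=7 C2=8 C3=8
    blocks = []
    for s in range(SECTORS_1K):
        for b in range(BLOCKS_PER_SECTOR - 1):
            blocks.append(manufacturer if (s, b) == (0, 0) else bytes(BLOCK_LEN))
        blocks.append(rekeyed if s == SECTORS_1K - 1 else transport)
    return b"".join(blocks)


if __name__ == "__main__":
    rep = analyse_dump(build_sample_dump())
    weak = set(weak_sectors(rep))
    for r in rep:
        flag = "WEAK" if r["sector"] in weak else "ok"
        print(f"sector {r['sector']:2d} {flag:4s} A={r['key_a']} B={r['key_b']} "
              f"trailer C1C2C3={r['trailer']} block0: {r['data_access'][0]}")
```

Against a real card, pass the bytes of the `.bin` dump file to `analyse_dump`. A site whose cards come back with every sector in transport configuration (`FF FF FF FF FF FF / FF 07 80 69`) is relying on the UID alone, so the finding is "any magic card clones it", not "Crypto-1 was broken".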
Long-Range Reading Techniques
- Stock Proxmark3 antennas read 125 kHz cards at a few centimetres; the 25+ cm figures come from dedicated long-range 125 kHz readers (a commercial long-range reader wired to a small logging board, the approach behind Bishop Fox's "Tastic RFID Thief")
- Concealed reader in a bag or clipboard, carried at the height where badges hang
- "Brush pass" in crowds: a second of proximity is enough at those ranges
Badge Format (HID Example)
Standard 26-bit HID (H10301) badges carry an 8-bit FC (Facility Code, 0-255) and a 16-bit CN (Card Number, 0-65535) between an even and an odd parity bit. Nothing in it is secret: whoever reads the card, or taps the Wiegand run behind the reader, has everything needed to clone or emulate it, and with the FC known there are only 65,536 card numbers left to guess.
Example: FC:100 CN:12345
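To make the format and the Wiegand point concrete, here is an added example (not code from the page or from the Proxmark3 project) that encodes FC/CN into a parity-checked H10301 payload, decodes it back, converts to and from the raw hex value that `lf hid read` prints, and recovers FC/CN from a D0/D1 pulse train tapped on an exposed reader-to-controller run. The H10301 layout is public; the Proxmark3 raw layout (a preamble bit at bit 37 and a 1 bit directly above the 26-bit payload marking its length) is my reading of that tool's output and is labelled as an assumption in the code. The pulse capture is constructed, not recorded.

```python
"""HID H10301 (26-bit) badge data: encode, decode with parity check, convert
to and from the raw hex that Proxmark3 prints for 'lf hid read', and recover
FC/CN from a Wiegand D0/D1 pulse train.  Added example, not code from the
page or from the Proxmark3 project.  Assumption: Proxmark3's raw HID value
carries a preamble bit at bit 37 and a 1 bit directly above the 26-bit
payload (bit 26) that marks the format length."""
from __future__ import annotations

FC_BITS = 8
CN_BITS = 16
PAYLOAD_BITS = 26            # EP(1) + FC(8) + CN(16) + OP(1)
PROXMARK_PREAMBLE_BIT = 37   # assumption about Proxmark3 raw output layout


def _parity(value: int, width: int) -> int:
    """Parity (0 or 1) of the low `width` bits of value."""
    return bin(value & ((1 << width) - 1)).count("1") & 1


def h10301_encode(fc: int, cn: int) -> int:
    """Build the 26-bit payload: even parity | FC | CN | odd parity."""
    if not (0 <= fc < 1 << FC_BITS and 0 <= cn < 1 << CN_BITS):
        raise ValueError("FC must be 0..255 and CN 0..65535")
    data = (fc << CN_BITS) | cn            # 24 data bits
    even = _parity(data >> 12, 12)         # even parity over the top 12 data bits
    odd = 1 - _parity(data, 12)            # odd parity over the low 12 data bits
    return (even << 25) | (data << 1) | odd


def h10301_decode(payload: int) -> tuple[int, int]:
    """Split a 26-bit payload into (fc, cn); reject anything with bad parity."""
    if payload < 0 or payload >> PAYLOAD_BITS:
        raise ValueError("payload is not 26 bits wide")
    even, data, odd = payload >> 25, (payload >> 1) & 0xFFFFFF, payload & 1
    if even != _parity(data >> 12, 12) or odd != 1 - _parity(data, 12):
        raise ValueError("parity check failed")
    return data >> CN_BITS, data & 0xFFFF


def to_proxmark_raw(fc: int, cn: int) -> str:
    """Raw hex in the layout Proxmark3 prints (assumption noted above)."""
    raw = (1 << PROXMARK_PREAMBLE_BIT) | (1 << PAYLOAD_BITS) | h10301_encode(fc, cn)
    return f"{raw:010x}"


def from_proxmark_raw(raw_hex: str) -> tuple[int, int]:
    """Pull FC/CN out of a raw hex value such as 'lf hid read' shows."""
    raw = int(raw_hex, 16)
    below_preamble = raw & ((1 << PROXMARK_PREAMBLE_BIT) - 1)
    if not (raw >> PROXMARK_PREAMBLE_BIT) & 1 or below_preamble.bit_length() != PAYLOAD_BITS + 1:
        raise ValueError("not a 26-bit HID raw value")
    return h10301_decode(raw & ((1 << PAYLOAD_BITS) - 1))


def wiegand_pulses(payload: int) -> list[str]:
    """Pulse train a reader puts on its D0/D1 lines for the payload, MSB first."""
    return ["D1" if (payload >> i) & 1 else "D0" for i in range(PAYLOAD_BITS - 1, -1, -1)]


def decode_wiegand_pulses(pulses) -> tuple[int, int]:
    """Rebuild FC/CN from D0/D1 pulses tapped on the reader-to-controller run."""
    pulses = list(pulses)
    if len(pulses) != PAYLOAD_BITS:
        raise ValueError(f"expected {PAYLOAD_BITS} pulses, got {len(pulses)}")
    value = 0
    for p in pulses:
        if p not in ("D0", "D1"):
            raise ValueError(f"unexpected pulse {p!r}")
        value = (value << 1) | (p == "D1")
    return h10301_decode(value)


if __name__ == "__main__":
    payload = h10301_encode(100, 12345)
    print(f"FC 100 CN 12345 -> {payload:026b} (0x{payload:X})")
    print("Proxmark raw:", to_proxmark_raw(100, 12345))
    tapped = wiegand_pulses(payload)          # constructed capture of a Wiegand run
    print("Decoded from D0/D1 tap:", decode_wiegand_pulses(tapped))
```

`decode_wiegand_pulses` is the whole reason Wiegand in a drop ceiling is a finding: the two wires carry the 26 bits in clear, and anything that can see the pulses can replay them to the controller without ever touching a card. OSDP Secure Channel closes that by authenticating and encrypting the same link.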
What Strong Defenders Do Differently
Defensive Signals
- DESFire EV2/EV3 or SEOS credentials on all perimeter doors
- OSDP Secure Channel readers, so the reader-to-controller link is authenticated and encrypted rather than a cleartext Wiegand pair
- Mobile credentials backed by device attestation (not just app-based)
- Quarterly access reviews with automatic badge deactivation
High-Risk Signals
- 125 kHz EM4100 / HID Prox still in use on perimeter doors
- Reader wiring exposed in drop ceilings carrying unencrypted, unauthenticated Wiegand
- No anti-passback or door-held-open alerts configured
- Temporary badges never reclaimed or audited
🛠️ Recommended Tools
Proxmark3
The gold-standard RFID/NFC research tool. Reads, writes, and emulates 125 kHz and 13.56 MHz cards including HID, MIFARE, and iCLASS.
Flipper Zero
Portable multi-tool for quick badge reads, Sub-GHz capture, and NFC emulation. Great for initial access-control reconnaissance.