The following information, illustrations and design are for educational purposes, and the furtherance of protecting secure areas with the explicit permission of the owners. Please do not use such devices for any illegal purposes.
At Bitcrack, we often find ourselves conducting a red-team or penetration test that involves access control assessment, Wi-Fi assessments, RFID and so forth.
One thing that often gets in the way of a successful assessment is having to stop and take stock of collected data, process logs and so forth. We have thus embarked on a project to consolidate our attack hardware into a platform that can be easily used and deployed in the field.
In this blog post we detail our HID RFID clone tool. It is loosely based on the Tastic RFID Thief, with some modifications.
We liked the Tastic RFID Thief (thanks to BishopFox) for our assessments, but it had some issues for us. A major one was that one has to capture HID tag IDs, then stop somewhere, eject the SD card and open it on a computer/laptop to clone the HID using a Proxmark or something similar.
Our goal was to build an all-in-one solution to capture and write cards on demand with nothing more than your backpack and mobile phone/tablet.
To do this, we did the following:
1. Build our own Tastic version and modify it to suit our needs.
2. Build a central control unit to manage our “captured” RFID cards and write the cards on the fly.
3. Write all the necessary programs and scripts to run it.
Below is a picture of our final products, shown individually:
The items above are:
1. a HID ProxPro II Reader
2. a 2.1A 5V Li-Ion Battery Pack
3. an Elec House Proxmark 3 RDV2
4. a custom-built Tastic RFID Thief with a home-made 3D-printed box and LCD display. We removed the SD card and its associated program code, modified the code for our serial data requirements, and added a Li-Ion battery.
5. a Raspberry Pi with our code running on it.
A close-up of the Tastic RFID unit, powered on, looks like this:
We take all our components and put them in a backpack to create an easy-to-use walk-around HID read-and-clone system.
The attack process is: