Getting in with the Proxmark 3 and ProxBrute

As a member of the Physical Security team here at SpiderLabs, some of my job responsibilities include getting into a facility by any (non-destructive) means necessary. When a client has decided once and for all that they've trained their guards and fortified the gates, it's time to test those defenses to measure just how resilient they actually are to an attack. And that's where we come in.

Some organizations are finally starting to understand the risk behind "tail gating": an unauthorized individual circumventing physical access controls by following an authorized user into a building before those controls have a chance to deny access. Oftentimes they look to technology to minimize the level of human interaction required to challenge a potential tail-gater; not presenting an RFID badge to the reader by the door gives probable cause for a vigilant employee to challenge a potential tail-gater.


RFID badge entry systems are becoming so commonplace these days that they're downright innocuous. This is partly because they're relatively inexpensive to implement and easy to deactivate if a badge is lost or an employee is separated from an organization. You've probably seen them in your daily life, usually a little white badge slightly larger than a business card, sometimes with a photo on them. Each tag has a unique identifier that corresponds to an entry in an application; if the badge is granted access, the door unlocks. If there's no corresponding entry, or if the entry is explicitly denied access, the door does not unlock.

While getting challenged when attempting to tail gate is rare, I have to be prepared for the possibility that if I'm caught attempting to tail gate there's a chance that I will be challenged (and that's what I hope for, for the organizations' sake). If I've managed to physically procure a valid badge then this is not likely a problem. If I get challenged, I excuse myself, walk back outside, and badge myself in. If not, then things get a little trickier.

This is where the Proxmark 3 comes in. The proxmark 3 is an "open" device originally designed by Jonathan Westhues that acts as a sort of swiss-army knife for testing RFID. The fully assembled and programmed device allows a user to read, replay, and clone RFID tags. Because the device is "open", anyone is free to get the schematics and firmware for the proxmark and build or modify them to their heart's content. This is precisely what charliex and the hackers at Null Space Labs, a hackerspace in Los Angeles, did. They augmented the existing proxmark design with additional features, including an LCD display, a thumb joystick, an SD-Card slot, and other features.

Now, I'm fairly pragmatic when it comes to the tools I need to do my job. I do not (yet) possess the requisite soldering capabilities to reliably reproduce the [NSL] Proxmark3 LCD version, so I used a skillset I've honed over decades of practice. I used my wallet. Or, more accurately, another member of the SpiderLabs red team did. Our proxmark 3 was purchased from http://www.proxmark3.com/.


Obtaining a prebuilt Proxmark 3 is easy enough. The next step is to talk to it via a computer. After reading every single user guide, forum post, blog article, wiki, and smoke signal on the Internet about the proxmark I finally understood how the interaction process works. The Proxmark3.com "Downloads" page provides useful links to the User Guide, Client software and firmware, and even a Python API.

There is a client software package for Windows and Linux, and some users are having success building the client under OSX, but I didn't. I opted instead to run the client in VMware via a Linux guest machine. I used the Backtrack Linux security testing virtual machine image and the kernel recognized the proxmark without any additional tinkering. The most important thing with this method is to ensure that the virtual machine is configured to assume control over USB devices when the VM window has focus. Otherwise, there's a small chance that you might have an error when you flash your proxmark and be the proud owner of a $400 paperweight. I followed the relatively straightforward instructions included in the document bundle from proxmark3.com and was able to update the bootloader, FPGA code, and base operating system in just a few minutes.

Out of the box, the proxmark 3 is able to read, replay, and clone RFID cards with a few arcane command line programs and a computer running the client software. Very cool, but it's not always convenient to be carting around a backpack loaded down with a computer and software, stopping every so often to open the computer, verify that tags are being read properly, and then put the proxmark into replay mode. Definitely not something you want to be doing when you're in the field trying to covertly enter a target facility.

Samy Kamkar recognized this gap in usability and augmented the proxmark 3 firmware with "standalone mode". This mode allows a user to operate the proxmark 3 with just a battery pack and the required RFID antenna. By observing the sequence of lit or unlit LEDs it is pretty straightforward to determine which mode the proxmark 3 is in, and whether or not a tag has been successfully read.

[Image: Rig]

In the picture above, I've attached an Energizer USB battery pack to the proxmark 3. This battery pack provides plenty of charge time to operate the proxmark and has the ability to be discreetly allocated throughout several pockets, with the battery in one pocket, the proxmark 3 in another, and a long cable going through a long shirt sleeve to the antenna in my hand. The antenna has a standard USB female connector so that you don't have to carry around the antenna the entire time you're working; adding or removing the antenna is dead simple. I used the USB mini cable from an old hard disk enclosure I had lying around so that I can provide power to the proxmark and later connect to a laptop without having to power the proxmark down.

So, here's the skinny on how to operate the proxmark 3 in standalone mode so that you don't have to go spend the time I did trying to learn the device. If you purchased your proxmark from proxmark3.com then you already have Samy's code flashed onto your device.

Step 1 is to connect your proxmark to a power supply and ensure that the power is turned on. A quick flash of the LEDs on the proxmark lets you know that it is receiving power.

Step 2 is to press and hold the button on the proxmark 3 for about 2 seconds. You'll know when to let go when you see the lights on the proxmark dance in a quick sequence. At this point, a single red LED should be lit. This lets you know that the proxmark is reading from internal storage slot 1.

Step 3, writing an RFID tag to slot 1. When a single red LED is lit, press and hold the button on the proxmark for about 2 more seconds. A second red LED will light up, indicating the proxmark is in "read" mode for slot 1. Now when an RFID tag comes into the antenna's field, the second red LED will turn off. Note the configuration of the LEDs in the picture of the proxmark above; two red LEDs are lit.

Step 4, replaying from slot 1. After the second red LED has turned off, quickly press the proxmark button for about 1 second. If you timed this right, the red LED will remain lit and a green LED should come on. The proxmark is now replaying the RFID tag recorded into slot 1.

From here you should be able to walk up to any badge reader that the copied RFID tag has access to open, place the RFID antenna to the reader, and the door should open. If it doesn't, something went wrong or the tag that was copied does not have access to that door.

By default, the proxmark has two internal slots in which to record an RFID tag. To write to the second slot, press the proxmark button again while the "slot 1" LED is lit and an orange LED should replace the red LED, indicating slot 2 is ready. Begin again at Step 3, although the primary red LED will now be orange.

So now you can store two different RFID badges in standalone mode. But what if the badges you copied were for lower level users, who don't have access to the area of the facility you need to access in order to fulfil your objective? You can try to grab different badges off of someone else, but sometimes there just isn't enough time allocated to start over. It's time to brute force.

Brute forcing the entire 44-bit keyspace of the RFID tag is not only impractical, it would likely take longer to perform than the penetration tester has left on the engagement. Even if you knew the proximity card "site id", the portion of the tag that's the same for every user of an RFID implementation, the remaining keyspace is still large.

But, not to worry, Brad Antoniewicz at McAfee Foundstone tackled this problem with a custom fork of the Proxmark firmware to create a tool called ProxBrute. I'll let Brad's excellent whitepaper speak for itself, but the bottom line is that you can download Brad's code from his GitHub repository. You can then compile the firmware image yourself or you can flash the binary image of ProxBrute directly to the proxmark using the proxmark client software flasher tool. You'll need to flash the bootloader, FPGA code, and then the ProxBrute code in tandem and in that order.

Note that newer versions of the proxmark firmware code are generally not compatible with previous versions. Brad recommends flashing the stock Winter 2010 version of the proxmark 3 firmware, and then flashing ProxBrute on top of that.

So now what does this gain us? It's quite beautiful, really. The ProxBrute code reads from the recently-stored slot 1 tag, or the explicitly-written slot 2 tag, and then decrements through the keyspace until it finds a valid ID or reaches 0x00000000. By keeping the site id of the RFID tag static and starting in an area of the key space from a card issued to that site id, it is possible to more intelligently guess at valid unique card IDs. According to the McAfee Foundstone whitepaper, Brad was seeing successful entry in around 5 minutes. That's definitely better than brute force guessing in the dark and places this attack squarely within the realm of practical.

So how do we perform an RFID brute force attack with ProxBrute? Picking up at Step 4, we've now read a tag ID into slot 1. At this point the red and green LEDs should both be lit.

Step 5 is to single press the button on the proxmark again, and the orange LED alone will light. A quick single second press again and the proxmark goes into ProxBrute mode. You'll know you've done it right when the red, orange, and green LEDs are lit in sequence.


If you have the proxmark connected to your client machine and are running the proxmark client, you may see debug output similar to the screen capture below. (Note, there are only 256 possible site IDs, and the 26 key bitspace listed in the screen capture below is from a dummy card ordered with the proxmark - you can try and clone my card but it probably won't get you anywhere.)

[Image: screen capture of the proxmark client debug output]

If you're lucky, you'll land within a valid RFID tag range, the door will click, and you're on your merry way. If you're unlucky you'll get a series of loud beeps, one per second, until everyone in the building comes outside to see what all the beeping is about. There's also the strong possibility that all of these failed attempts will alert the building's security team and the game is over. Of course, it's also possible that it just plain won't work and you'll be forced to try something different. But if you're feeling brave and you've done your homework, you've got nothing to lose but 5 minutes standing at the door and possibly a few gallons in nervous sweat.
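The failed attempts described above leave a recognizable trail in access-control logs: a burst of denied reads at one reader with the site id fixed and the card number stepping down by one. The following is an added example of how a security team could flag that pattern, not code from ProxBrute or the proxmark project. It assumes the 26-bit value follows the common H10301 layout (8-bit site id, 16-bit card number, one parity bit at each end); the event tuple format, reader name and thresholds are hypothetical.

```python
def decode_h10301(raw):
    """Return (facility_code, card_number), or None on bad length or parity."""
    ones = lambda v: bin(v).count("1")
    # Top 13 bits carry even parity, bottom 13 bits carry odd parity.
    if raw >> 26 or ones(raw >> 13) % 2 != 0 or ones(raw & 0x1FFF) % 2 != 1:
        return None
    return (raw >> 17) & 0xFF, (raw >> 1) & 0xFFFF

def find_guessing_runs(events, min_run=4, max_gap_s=5):
    """events: time-ordered (epoch_s, reader, raw, granted) tuples (assumed format).
    Flags runs of denied reads that keep the site id fixed and step the card
    number down by one, and records a grant that continues the sequence."""
    alerts, current = [], {}
    def close(reader, granted_cn=None):
        run = current.pop(reader, None)
        if run and run["length"] >= min_run:
            alerts.append({"reader": reader, "facility": run["fc"],
                           "first": run["first"], "last": run["cn"],
                           "length": run["length"], "granted": granted_cn})

    for ts, reader, raw, granted in events:
        decoded = decode_h10301(raw)
        run = current.get(reader)
        continues = (run is not None and decoded is not None
                     and decoded == (run["fc"], run["cn"] - 1)
                     and ts - run["ts"] <= max_gap_s)
        if granted or decoded is None:
            # A grant that continues the sequence means a guessed ID was accepted.
            close(reader, decoded[1] if granted and continues else None)
        elif continues:
            run.update(cn=decoded[1], ts=ts, length=run["length"] + 1)
        else:
            close(reader)
            current[reader] = {"fc": decoded[0], "first": decoded[1],
                               "cn": decoded[1], "ts": ts, "length": 1}
    for reader in list(current):
        close(reader)
    return alerts

def sample_raw(fc, cn):
    """Build a 26-bit value with valid parity; used only for the sample log."""
    data = (fc << 16) | cn
    even = bin(data >> 12).count("1") % 2
    odd = 1 - bin(data & 0xFFF).count("1") % 2
    return (even << 25) | (data << 1) | odd

# Constructed sample log: five descending denials at one reader, then a grant.
SAMPLE = [(200 + i, "door-2", sample_raw(42, 1005 - i), False) for i in range(5)]
SAMPLE.append((205, "door-2", sample_raw(42, 1000), True))
```

An alert whose `granted` field is set is the one to escalate first: it means the run of denials ended with a card number that the reader accepted.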

So there you have it. The Proxmark 3, standalone mode, and ProxBrute are welcome additions to the arsenal of any physical security tester. While certainly not an "autopwn" or "magic super rad spy button" for physical penetration tests, this setup is valuable when used tactically and in the right scenarios. I encourage you to read up on the links I've posted above thanks to the tireless efforts of a lot of individuals whose brilliant work makes my job more painless.
