Professional Documents
Culture Documents
Presented by:
Francis Brown
Bishop Fox
www.bishopfox.com
BADGE ATTACKS
ICLASS BADGE READING/CLONING
Methodology
3 STEP APPROACH
iCLASS Cloner
XFPGA.COM - FROM CHINA
http://www.xfpga.com/html_products/iclasscard-cloner-en-82.html
Read/Write iCLASS cards using Standard
Security only (not High or Elite)
Requires older 32bit driver, and wont let you
run in a VM (so Win32 actual install necessary)
Built from original ContactlessDemoVC.exe
USB hardware licensing dongle shipped
~$218 USD
Uses: OmniKey CardMan 5321 USB - RFID Reader (13.56 Mhz)
iCLASS Cloner
NEW Bishop Fox FREE Edition
UPDATE
https://blog.kchung.co/reverse-engineering-hid-iclass-master-keys/
https://github.com/ColdHeat/iclass
BADGE ATTACKS
BACKDOOR DEVICES
Raspberry Pi
MAINTAINING ACCESS
Raspberry Pi cheap alternative (~$35) to Pwn Plug/Power Pwn
Tastic 3D Case for RaspPi Backdoor Hidden Backdoor Device
10
READER ATTACKS
BADGE READER MITM IMPLANTS
Reader Attacks
TASTICMITM ATTACK
+
Insert in door reader of target
building record badge #s
Tastic RFID Thiefs PCB could be
used similiarly for MITM attack
12
Reader Attacks
TASTICMITM ATTACK
13
CONTROLLER
ATTACKS
VERTX CONTROLLER SEACH/EXPLOIT
Controller Attacks
JACKED IN
Port Scanning and Banner Grabbing - Targetting HID Controllers Over Network
15
Controller Attacks
JACKED IN
Port Scanning and Banner Grabbing - Targetting HID Controllers Over Network
16
Controller Attacks
JACKED IN
Port Scanning and Banner Grabbing - Targetting HID Controllers Over Network
17
Controller Attacks
JACKED IN
Port Scanning and Banner Grabbing - Targetting HID Controllers Over Network
18
Introduction/Background
G E T T I N G UP T O S P E E D
19
Badge Basics
FREQUENCIES
20
21
22
Wiegand output
Card
Reader
Card
Reader
Controller
Host PC
Ethernet
Host PC
23
24
T55x7 Cards
Q5 cards (T5555)
Proxmark3
25
26
27
Kali NetHunter
NEXUS 7 PENTEST DEVICE
Nexus7 (2013 WiFi) Android
Tablet Non-PwnPad2014
28
Proxmark3 on Android
MOBILERFID HACKING
29
30
Proxmark3
RFID HACKING TOOLS
RFID Hacking swiss army knife
Read/simulate/clone RFID cards
31
RFIDiot Scripts
RFID HACKING TOOLS
32
RFIDeas Tools
RFID HACKING TOOLS
$269.00
No software required
Identifies card type and data
Great for badges w/o visual
indicators of card type
33
Methodology
3 STEP APPROACH
Distance Limitations
A$$ GRABBING METHOD
Existing RFID hacking tools only work when
a few centimeters away from badge
35
Tastic Solution
LONG RANGE RFID STEALER
37
38
39
Custom PCB
TASTIC RFID THIEF
Custom PCB easy to plug into any type of RFID badge reader
40
Wiegand Input
TASTIC RFID THIEF
Tastic Custom PCB reads from Wiegand output of RFID badge reader:
Wiegand Interface
https://en.wikipedia.org/wiki/Wiegand_interface
41
Commercial Readers
TASTIC RFID THIEF
Long-range commercial RFID readers to weaponize:
3 out of 4 HID RFID
product families covered
42
Bluetooth Other
Bluetooth Modules:
43
Commercial Readers
TASTIC RFID THIEF
~$345 on ebay
44
45
iCLASS
TASTIC RFID THIEF
46
47
iCLASS Cloner
XFPGA.COM - FROM CHINA
http://www.xfpga.com/html_products/iclasscard-cloner-en-82.html
Read/Write iCLASS cards using Standard
Security only (not High or Elite)
Requires older 32bit driver, and wont let you
run in a VM (so Win32 actual install necessary)
Built from original ContactlessDemoVC.exe
USB hardware licensing dongle shipped
~$218 USD
Uses: OmniKey CardMan 5321 USB - RFID Reader (13.56 Mhz)
48
iCLASS Cloner
XFPGA.COM - FROM CHINA
49
iCLASS Cloner
XFPGA.COM - FROM CHINA
VMWare settings 32bit MS Windows Vmware image with old HID drivers installed:
To avoid VMWare restrictions on xfpga software, add to your .vmx file:
isolation.tools.getVersion.disable = "TRUE
50
iCLASS Cloner
NEW Bishop Fox FREE Edition
UPDATE
https://blog.kchung.co/reverse-engineering-hid-iclass-master-keys/
https://github.com/ColdHeat/iclass
51
iCLASS Cloning
Ioclass Implementation of iCLASS Ciphers
http://martin.swende.se/blog/Elite-Hacking.html
https://github.com/holiman/loclass
52
bioCLASS Bypass
FINGERPRINT AND PIN
53
54
Reader Attacks
JACKED IN
Dump private keys, valid badge
info, and more in few seconds
Plant backdoor devices in reader
Brute-force badge numbers over
the wire via Wiegand (5x faster)
55
Reader Attacks
GECKOMITM ATTACK
http://www.blackhat.com/presentations/bh-dc-08/Franken/Presentation/bh-dc-08-franken.pdf
56
Reader Attacks
BLEKEYMITM ATTACK
57
Reader Attacks
TASTICMITM ATTACK
+
Insert in door reader of target
building record badge #s
Tastic RFID Thiefs PCB could be
used similiarly for MITM attack
58
Reader Attacks
TASTICMITM ATTACK
59
Controller Attacks
JACKED IN
60
Controller Attacks
JACKED IN
RFID Reader / Controller Attack Tools by Brad Antoniewicz
Open the Badge Reader to Attack the Controller Directly via Wiegand Interface:
VertX_WebOpen.py Physically Open Door via HTTP GET Request to the WebUI
VertX_CacheTool.c HID VertX V2000 Cache Dump and Insertion Tool
Shmoocon 2012 - Attacking Proximity Card Systems - Brad Antoniewicz
http://www.shmoocon.org/2012/videos/Antoniewicsz-AttackingCardAccess.m4v
http://blog.opensecurityresearch.com/2012/12/hacking-wiegand-serial-protocol.html
61
Controller Attacks
JACKED IN
MAC Address - Targetting HID Controllers Over Network
https://www.hidglobal.com/drivers/15654
62
Controller Attacks
JACKED IN
Port Scanning and Banner Grabbing - Targetting HID Controllers Over Network
63
Controller Attacks
JACKED IN
Port Scanning and Banner Grabbing - Targetting HID Controllers Over Network
64
Controller Attacks
JACKED IN
Port Scanning and Banner Grabbing - Targetting HID Controllers Over Network
65
Controller Attacks
JACKED IN
Mar 2016
66
67
Pwn Plug
MAINTAINING ACCESS
68
Pwn Plug
MAINTAINING ACCESS
Pwn Plug Elite: $995.00
Power Pwn: $1,995.00
69
Raspberry Pi
MAINTAINING ACCESS
Raspberry Pi - credit card sized, single-board computer cheap $35
70
Raspberry Pi
MAINTAINING ACCESS
Raspberry Pi cheap alternative (~$35) to Pwn Plug/Power Pwn
Pwnie Express Raspberry Pwn
Rogue Pi RPi Pentesting Dropbox
Pwn Pi v3.0
71
Raspberry Pi
MAINTAINING ACCESS
Raspberry Pi cheap alternative (~$35) to Pwn Plug/Power Pwn
Tastic 3D Case for RaspPi Backdoor Hidden Backdoor Device
72
74
Credit Cards
C O N T A C T L E S S P A Y M E N T S
75
76
Feb 2016
77
Passports (Book)
R F I D I N I D
78
Passport Books
RFID
79
Passport Books
RFID
80
UHF Hacking
U L T R A
81
Enhanced Licenses
RFID
82
83
84
Defenses
A V O I D B E I N G P R O B E D
85
Defenses
F L Y G E A R
86
Defenses
R E C O M M E N D A T I O N S
87
Defenses
R E C O M M E N D A T I O N S
88
Defenses
R E C O M M E N D A T I O N S
89
Defenses (Broken)
SOME DONT...EXAMPLE...
Shmoocon 2012 - Kristin Paget - Credit Card Fraud: The Contactless Generation
http://www.shmoocon.org/2012/presentations/Paget_shmoocon2012-credit-cards.pdf
90
Defenses
ACTIVE BLOCKING
91
Thank You
http://www.bishopfox.com/resources/tools/rfid-hacking/
92