How to Train Your RFID Tools
This is a modal window.
Das Video konnte nicht geladen werden, da entweder ein Server- oder Netzwerkfehler auftrat oder das Format nicht unterstützt wird.
Formale Metadaten
| Titel |
| |
| Alternativer Titel |
| |
| Serientitel | ||
| Anzahl der Teile | 109 | |
| Autor | ||
| Lizenz | CC-Namensnennung 3.0 Unported: Sie dürfen das Werk bzw. den Inhalt zu jedem legalen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen. | |
| Identifikatoren | 10.5446/36345 (DOI) | |
| Herausgeber | ||
| Erscheinungsjahr | ||
| Sprache |
Inhaltliche Metadaten
| Fachgebiet | ||
| Genre | ||
| Abstract |
|
DEF CON 2382 / 109
12
19
20
23
24
29
32
33
36
51
58
60
62
66
67
68
69
70
71
77
82
84
85
88
89
92
98
99
103
104
107
00:00
ComputersicherheitWellenpaketInhalt <Mathematik>FirmwareHackerRFIDInhalt <Mathematik>ComputersicherheitSoftwareschwachstellePortscannerGruppenoperationFunktionalObjekt <Kategorie>Konfiguration <Informatik>FreewareQuellcodeRFIDMathematikFigurierte ZahlFrequenzPatch <Software>Projektive EbeneWiderspruchsfreiheitMultiplikationsoperatorNumerische MathematikHochdruckWeb SiteDifferenteHackerComputeranimation
01:30
RFIDFrequenzWhiteboardNeuroinformatikMinimum
01:58
Field programmable gate arrayARM <Computerarchitektur>Physikalisches SystemBefehlsprozessorComputerQuellcodeStatistische HypotheseThumbnailHochdruckNeuroinformatikWhiteboardWürfelOffice-PaketFrequenzMereologiePlastikkarteGruppenoperationStatistische Hypothese
02:30
Interface <Schaltung>Serielle SchnittstelleBefehlsprozessorElektronischer ProgrammführerBimodulAnalog-Digital-UmsetzerField programmable gate arrayDatenfeldVerknüpfungsgliedArray <Informatik>VerschlingungMAPDivergente ReiheQuellcodeAuflösung <Mathematik>Ein-AusgabeAnalogieschlussKontrollstrukturFunktion <Mathematik>Interface <Schaltung>MultiplikationsoperatorTelekommunikationRFIDFrequenzSoundverarbeitungMereologieZweiNeuroinformatikCodeCodierung <Programmierung>StichprobenumfangMikrocontrollerBitAnalogieschlussMAPBimodulBitrateWhiteboardFitnessfunktionRechter Winkel
03:30
Serielle SchnittstelleLeistung <Physik>FirmwareATMBootenTotal <Mathematik>KontrollstrukturOperations ResearchEinfache GenauigkeitFunktion <Mathematik>Numerische MathematikDifferenteFrequenzBenutzeroberflächeWhiteboardDatentransferEin-AusgabeGraphfärbungInterface <Schaltung>
03:59
WellenformDatenfeldImplementierungStandardabweichungHardwareFamilie <Mathematik>DatentypElektronisches ForumPeer-to-Peer-NetzWärmeübergangPlastikkarteKlassische PhysikWellenformChiffrierungStandardabweichungLesen <Datenverarbeitung>Spannweite <Stochastik>Programmbibliothek
04:34
CLIFunktion <Mathematik>AbzählenSkriptspracheEmulatorBetafunktionLesen <Datenverarbeitung>EmulatorProgrammbibliothekKalkülFuzzy-LogikSkriptspracheHumanoider RoboterSoftwaretestMessage-PassingRFIDWhiteboard
04:57
Große VereinheitlichungSerielle SchnittstelleInterface <Schaltung>DigitalsignalSchwellwertverfahrenDateiformatSchnittmengeEchtzeitsystemSoftwareentwicklerComputersicherheitEmulatorHardwarePlastikkarteKlon <Mathematik>COMSchwellwertverfahrenLesen <Datenverarbeitung>DigitalisierungFunktion <Mathematik>MereologieWhiteboardProjektive EbeneSystemplattformGrundraumPlastikkarteComputeranimationVorlesung/Konferenz
05:35
InformationsspeicherungLeistung <Physik>ARM <Computerarchitektur>ComputerLeistung <Physik>E-MailClientThumbnailATM
06:04
Konfiguration <Informatik>Betrag <Mathematik>Programmierbare logische AnordnungVolumenServerMaterialisation <Physik>WürfelFlächeninhaltWhiteboardHochdruckEndliche ModelltheorieCADGebäude <Mathematik>Prozess <Informatik>Projektive EbeneRoboter
06:53
HochdruckVirtuelle MaschineWürfelRFIDTouchscreenSoftwarewartung
07:17
ZugriffskontrolleAbstandPlastikkarteRFIDPlastikkarteBasis <Mathematik>Klasse <Mathematik>GamecontrollerFrequenzRFIDSpannweite <Stochastik>
07:43
RFIDFrequenzFreier LadungsträgerWidgetDigitaltechnikDatenfeldBimodulWellenformLeistung <Physik>Frequenz
08:16
Informationsspeicherungp-BlockKlon <Mathematik>BimodulKartesische KoordinatenRFIDPlastikkarteKonfigurationsraumFlächeninhaltDifferenteNummernsystem
08:46
p-BlockProzessautomationBitrateNummernsystemTypentheoriep-BlockPuffer <Netzplantechnik>StichprobenumfangDateiformatVerkehrsinformationComputeranimation
09:17
p-BlockKonfiguration <Informatik>ThreadBitrateHochdruckPuffer <Netzplantechnik>Case-Moddingp-BlockKonfigurationsraumElektronisches ForumPlastikkarteInformationRechter Winkel
10:00
p-BlockProgrammverifikationTVD-VerfahrenChiffrierungWellenpaketSmartphoneSchreiben <Datenverarbeitung>Divergente ReiheInformationKlon <Mathematik>PlastikkarteQuick-SortSchlüsselverwaltungDateiformatComputersicherheit
10:33
PlastikkarteSchlüsselverwaltungKlassische PhysikLeistung <Physik>WellenpaketDateiformatMessage-Passing
11:03
TypentheorieQuellcodeKlon <Mathematik>Schreiben <Datenverarbeitung>Klon <Mathematik>PlastikkarteTabelleKartesische KoordinatenValiditätSchlüsselverwaltungElektronische Publikation
11:50
TransaktionSystemprogrammierungPlastikkarteTransaktionKlon <Mathematik>
12:18
Klon <Mathematik>Demo <Programm>FirmwareHackerSchlüsselverwaltungHackerFirmwarePlastikkarteATMKartesische KoordinatenFrequenzKlon <Mathematik>SichtenkonzeptCodeProjektive EbeneGarbentheorieMereologie
13:00
GruppoidMehrrechnersystemATMDatenflussKlon <Mathematik>
13:25
Klon <Mathematik>Visuelles SystemDateiformatAuthentifikationFunktionalARM <Computerarchitektur>CoprozessorQuellcodeFokalpunktFrequenzKlassische PhysikPlastikkarte
14:04
QuellcodeFrequenzFunktionalATMMereologieDatensatzPunktEntscheidungsmodellWechselsprungPlastikkarteDifferenteDatenflussDemo <Programm>
14:57
Demo <Programm>ATMKlon <Mathematik>HackerFirmwareMultiplikationsoperatorDemo <Programm>RechenschieberZusammenhängender GraphOrdnung <Mathematik>DateiformatFirmware
15:33
Reelle ZahlEmulatorBildschirmfensterQuellcodeMathematische LogikGerade ZahlBitrateDatentransferDatenstrukturClientInformationPlastikkarteBitNumerische MathematikCodeParametersystemWeb SiteDatenstrukturTouchscreenFrequenzTabelleGerade ZahlDateiformatFunktionalDreiecksfreier GraphKontextbezogenes SystemBitrateATMElektronische Publikation
17:12
LoopARM <Computerarchitektur>DatenstrukturMathematische LogikQuellcodeArray <Informatik>Dichte <Stochastik>Streaming <Kommunikationstechnik>ClientAdditionFunktion <Mathematik>Hydrostatikp-BlockPasswortFunktionalCodeVerzweigendes ProgrammOrdnung <Mathematik>Case-ModdingRechenschieberComputersimulationMinkowski-MetrikClientEntscheidungsmodellNumerische MathematikÜberlagerung <Mathematik>ARM <Computerarchitektur>Klon <Mathematik>
18:05
Klon <Mathematik>ParametersystemEinflussgrößeIdeal <Mathematik>SystemprogrammMeterFunktionalPlastikkartep-BlockParametersystemKonstruktor <Informatik>CodeClientARM <Computerarchitektur>BitBildschirmmaskeFehlermeldungKartesische KoordinatenHochdruckProjektive EbeneEichtheorie
19:12
DigitaltechnikSystemaufrufNichtlineares GleichungssystemShape <Informatik>DigitaltechnikFunktionalFrequenzStatistische SchlussweiseDimensionsanalyseNichtlineares GleichungssystemBildschirmmaskeFunktion <Mathematik>Numerische Mathematik
19:37
Notepad-ComputerCADWeb SiteCASE <Informatik>CADNichtlineares GleichungssystemNatürliche ZahlPhysikalisches SystemBit
20:12
ZählenFrequenzGlobale OptimierungVorlesung/Konferenz
20:37
VersionsverwaltungPlastikkartePunktWort <Informatik>Computeranimation
21:03
Element <Gruppentheorie>GenerizitätWort <Informatik>EichtheorieShape <Informatik>BildschirmmaskeWürfelEndliche ModelltheorieVierzigStörungstheorie
22:01
InformationsspeicherungProjektive EbeneSoftwaretestRFIDFitnessfunktionShape <Informatik>CASE <Informatik>Whiteboard
22:38
ClientSerielle SchnittstelleHauptidealringInformationsspeicherungQuick-SortClientWhiteboardSerielle SchnittstelleEindringerkennungCodeEinfach zusammenhängender RaumHumanoider RoboterARM <Computerarchitektur>Gebäude <Mathematik>Pi <Zahl>RFID
23:35
InformationGebäude <Mathematik>Endliche ModelltheorieZugriffskontrolleSimulationEbeneInformationsmodellProgrammierumgebungGebäude <Mathematik>DatenfeldBildschirmmaskeHochdruckEndliche ModelltheorieApp <Programm>Motion CapturingVorlesung/Konferenz
24:41
Endliche ModelltheorieCASE <Informatik>TransaktionHardwareCASE <Informatik>ExploitTypentheorieHumanoider RoboterTelekommunikationFunktional
25:28
Rechter WinkelSoftwaretestSchlüsselverwaltungExogene VariableDatenfeldMereologieATMPlastikkarteMultiplikationsoperatorImplementierungDemo <Programm>Shape <Informatik>Leistung <Physik>PunktFrequenzEinfach zusammenhängender Raum
29:48
Hausdorff-RaumInformationComputersicherheitSoftwareentwicklerFamilie <Mathematik>MehrwertnetzComputeranimation
Transkript: Englisch(automatisch erzeugt)
00:00
My name is Craig. I'm a security researcher with the Tripwire Vert Group. I write vuln content for our IP 360 scanner and I also do a lot of vulnerability research on my free time and at work. But today I'm actually going to be talking to you not about vulnerabilities but rather about how to work with some of the tools that are out there for RFID hacking. So I've accumulated with Vert a
00:22
number of tools for working with high frequency and low frequency RFID and I've noticed that there's not really a lot of consistent documentation out there for some of these tools. People release patches for adding new functionality for various things but doesn't often get a lot of documentation for it. I mean you can definitely read through the source code and figure things out but I wanted to
00:41
make things easier for people. And then I also wanted to look at ways that I could use the 3D printer that we have to try and enhance some of the practical attacks that you have with RFID tools and also look at some of the different options that you have or opportunities for research through that. So what we're going to go through here, I'm going to overview the tools that I'm working with for this
01:02
project, go through some of the basics of how RFID functions, some of the basics of how 3D printing functions and then we'll get into firmware changes that I've made to the Proxmark 3 and how these changes were made. This is actually documented in a lot more detail in a white paper that's going to be available on the DEF CON site and then
01:22
we'll get into the 3D printing stuff and look at how you can make antennas and how you can conceal different tools with 3D printed objects. So these are the tools that we have going on for this. You've got the RFID tools over here. The Proxmark 3 is kind of your Swiss Army knife for all things RFID in the low frequency and high frequency
01:43
bands at least. I've got below that the PN533 USB stick. That's an NXP chipset on a USB stick. And finally on the bottom there is the RFIDLR V22 board which I obtained at DEF CON last year. Moving over to the embedded computing tools, we
02:02
have the USB armory which is a little thumb stick sized computer and also raspberry pi board that I was looking at. Finally for the 3D printing I was using primarily a cube pro 3D printer which we acquired in the office. So getting right into it, the Proxmark 3 for anybody who doesn't know, this is
02:21
a board that was developed as part of a PhD thesis by someone who is analyzing the transit cards in their city. As I said, it does low frequency and high frequency support. And at the heart of it you've got a Xilinx Spartan II FPGA. This is what's used for doing the precise timings that are needed to do effective NFC communication or high frequency
02:41
RFID communication. It also is providing spy interface and an SSP interface for transferring data and commands. The heart of that is the APMEL microcontroller. So something very similar to what you might find on our Arduino board. This is actually what's handling the communication from the computer
03:01
and relaying commands over the FPGA as needed and doing demodulation and decoding. Most of the heavy lifting actually does happen in C code in there so you don't really have to worry so much about the Verilog that goes on in the FPGA unless you really want to do some low level stuff with changing around the NFC modulations. You've got an 8
03:22
bit ADC on there, an analog to digital converter which gives you a 40 mega sample per second bit rate on there. And it receives its commands over a spy interface. The connector is on the board. You've got mini USB that you're using for powering it and also for data transfer. And then you've got a high rose connector. This has four wires on it, two
03:42
for a low frequency coil, two for a high frequency coil. And then you've got a number of different human interfaces for it. You've got a push button which gives you input to it and four LEDs for taking output from it of different colors. So this tells you the status that the device is in while you're working with it. Some of the commands that are very helpful
04:02
for this have been added recently like the LF search and HF search. These give you opportunities for identifying a tag that you don't know what kind of tag it is. We've also got the commands here for reading in a wave form for a low-frequency tag, reading NFC tags, the ISO14A standard and also some commands here for cracking the encryption on my
04:21
fair classic cards. The USB stick that we're talking about here, this is one of many lib NFC compatible USB sticks. It supports a wide range of NFC and not a whole lot to say about that. Some commands here that you might find helpful for working with lib NFC for doing various emulation, reading
04:42
tags, relay attacks and also you can use lib NFC to do more advanced functionality through scripting of course, sending out NDF messages if you want to do fuzz testing on Android. The RF Fiddler board finally on the RFID tools. This is a low-frequency tool. You've got a lot of LEDs for output.
05:01
A PIC32 is the heart of it. And then you've got two banks or a bank of digital potentiometers which you use for adjusting thresholds on the reads. Here's some of the common commands that you would find on that. This is of course in the white paper as well. A late comer to this project though was the Chameleon Mini. This is a platform for
05:22
working with and emulating contactless smart cards. It was developed at the Royal University in Bucham and recently was started shipping from RISC Corp. But you can also grab the schematics and fab this board yourself. Looks like this. USB is for power and data and then also you've
05:41
got a reprogramming port, PDI headers but you don't generally need to use that so often. On the embedded devices, the raspberry pi I think everybody in this room is probably familiar with. The USB armory is the little thumb stick which also has an OTG host adapter. So you can use this to act as a client or a host in the USB mode. Now the 3D
06:05
printer that we had, the cube pro, this has got one of the best printers in the server market and it has the ability to go down to 70 micron layers and supports several different materials. When you're working with this printer, the first
06:20
step is going to be you want to draw up your model in a CAD program just like you would with any CNC or 3D printing process. But then unlike maybe the maker bot for example which many people are familiar with, on this one you're going to put down a coating of water soluble glue. You then have, you put that into the printer and you have extruder that's going back and forth, depositing one layer of
06:44
whatever thickness you wanted onto the board as the build plate moves down so that your project moves off from it. In the end you can just pull it off with some hot water that dissolves the glue. There are some problems with 3D printing. You can't just draw anything you want and print it and you do have to worry about machine maintenance. Up here
07:01
on the screen that's a picture of the extruder from, or the drive gears for the extruder on our cube pro. There's some debris in there. When you get debris in there it can lead to clogs within the print jet, which are not fun. But RFID, that's what we're here to talk about. So to build a
07:22
little basis of this, there's low frequency tags. These run around 125 kilohertz. Primarily access controls, also PET tags, some vehicle immobilizer technologies I think work in this range. And then you've got the high frequency class. This is where NFC falls in. Access control, contactless payment cards, the German identification card, US
07:43
passports, these all have high frequency tags in them. When you would open up one of these, what you're going to find is a coil of wires that is actually tuned to work and make an LC circuit with, or an LC tank with the little chip that you see in the top corner there. What this means
08:00
is that when you put this into a field that it's tuned for, like the 125 kilohertz, it's going to draw some power, power up the chip, and the chip is going to be able to dampen, undampen, or kind of open and close the circuit so that the reader on the other side is going to be able to see modulations in the wave form. These are common modulations for many RF applications, not going to get into that. When
08:22
you want to clone an RFID tag, you're going to work with the T55XX tags. These are, like, you can buy these over in the vendor area. I think you get ten cards for thirty dollars, so they're not too expensive. You've got a support for a couple different modulation schemes, and then
08:41
what you also have is reprogrammable EPROM, so you're able to throw on a configuration for this to tell it what type of data rate you want, what type of modulation scheme you want, and also how many blocks you're going to use for the demodulated buffer. If you want to work with one of these using the Proxmark to clone a tag that you don't
09:02
know, you can start by doing the RF search command. It's going to read in samples and try and demodulate until it finds the tag. When it does find it, you'll see a report letting you know what the tag format is, the ID. You can see here we have an HID tag with dead beef on it. And then we can use this print demod buffer command, which was recently
09:21
added in the past year to Proxmark. This will actually give you the bytes that the tag is sending out. You can break these down and split them up into the blocks that you need to put on the T55 tag. And then you still need the block 0, the configuration block. So you could obtain this by going
09:41
through the data sheets for your T55 card as well as the tag that you're working with, or you could try and decipher those values. But you generally don't need to do this because the Proxmark forums have lots of detailed information telling you the blocks that you need to set up for these. So you can see the configuration for the HID tag right there. And
10:01
then now that we have that information, you just do a series of write commands and you've got a cloned tag. We can read it back in and we see that it is in fact cloned. So moving on quickly to the NFC end of things, one of the popular formats here is MyFair, which we're going to be working with today. These are tags that have some UID, 4
10:21
bytes or 7 bytes, and then some amount of data, possibly some security features. They get used in all sorts of places. Hotel key cards, which we'll look at cloning today. Payment cards, lots of places. For cracking these cards, one of the earliest formats of them were MyFair Classic. And it was
10:40
discovered that you could launch an attack whereby you power up the card and you could repeatedly get the same nonce and we can perform a cryptographic attack on it. Once you've recovered one of the keys, you could then launch a nested attack and actually in ideal circumstances you can recover all of the keys for one of these cards, like what you might find on a train pass in under a minute. And
11:03
then you can use what are called magic cards, which are fully reprogrammable to write the data that you found and make for all intents and purposes a clone of that original card. This is really why you don't want to ever use an application like that lock sitting on the table over there that's only going to use a UID for validation. If you
11:24
want to clone, for example, a MyFair ultralight card, something that you might see in hotel key cards, for example, you can use libNFC. It's a very effective tool. Commands up here using an MFLtralight. You can also, of course, scan a tag with your phone and you have the
11:41
bytes from it. You can then enter those bytes into a file, write that onto a tag that you want. I was using tags from clonemykey.com. So as I said, some of the things you can clone. You've got hotel cards. You've also got, as we learned this week at Black Hat, the possibility of being able
12:01
to use some of these tools to clone transactions on EMV credit cards because they have some legacy support in there. Also Android smart unlock tags and, as I mentioned, the Samsung NFC locks. These are only validating the UID so it's very easy to break those. You can see here what it looks like if
12:21
we're using a cloned key card. It's unmarked but clearly it opens the door. So now getting into the firmware hacking aspects of this project, one of the things that I wanted to do was work with both high frequency and low frequency and I figured that one of the useful applications for me would
12:40
be working with NFC tags in the standalone offline mode. So I went ahead and worked on writing code for capturing the tags and doing a clone to a magic card of the UID, also replaying of the UID. This can be extended fairly easily towards data sections on the card as well. So the initial
13:02
low frequency mode of the Proxmark standalone, this is flow charted out by the Proxbrute white paper. Basically you hold down a button, flashes some lights and then through either holding the button or pushing the button you can manipulate whether you're in a playback mode or if you are in a clone mode, cloning to a T55 tag. Now
13:26
when you look through the source code, this is all in the white paper of course, but you're going to find that everything runs on the ARM processor of course for this. There's a function Sammy run which makes use of various functions that are available to the ARM processor there for
13:41
the HID functionality. When we want to go over to high frequency, however, I wanted to try and reproduce as much of that functionality as possible with the focus on my fair cards, not just my fair classic of course though. The ability to clone the UID onto my fair classic only was
14:02
implemented though. Here are some of the setup functions that you need for working with high frequency tags, selecting them, getting yourself in reader mode, then for simulating. But the most interesting part of this I think was I decided to go ahead with a different work flow for how this was going to happen. In the low frequency mode for
14:22
Proxmark for anybody who's used it, you might have noticed that you can jump right into the playback mode with uninitialized data. So you're dropping into the stand alone mode but then you have to hit a button again before you're going to get into read mode. I decided to get rid of that and instead jump right into the record mode and then when you read a tag, jump into playback mode, use
14:43
this as the hopping point for your other functions through either a button press or a button hold and also added in some sanity checks so you would never use an uninitialized value and you also wouldn't inadvertently fill your banks with the same card. I do have a demo here of this but I'm going to hold off on doing that because I have a lot
15:02
of slides and not as much time. So if there's time at the end I'll come back to that. Otherwise if anybody would like to see this you can hit me up Twitter or tap me on the shoulder, whatever it might be. So the second component of my firmware hacking, I wanted to add support for a tag format
15:20
that wasn't in Proxmark. I wanted to learn how to do that and be able to document this with really a tutorial like example so that other people would be able to go back and add support for other tag formats that they might be interested in. So in order to do this I decided I would make the LF-AWID context for Proxmark. This means cloning
15:40
most of the functionality that you would have in the HID mode. Writing things to T55 tags based on the numbers printed on the tag because if you see here on the printout of that tag it's actually screen printed with all the information that you need for being able to clone it or simulate it. Whereas most tags you're going to have an ID
16:01
number but it's not going to disclose all of the information that you need like the facility code and the card number rather. So since there was no support in this when I started looking, I decided it would be a great place to work on. So the AWID 26-bit format, that's what I specifically targeted. This is comprised of an 8-bit facility
16:23
code and a 16-bit card number. Now that's only 24 bits but then the other two bits come from parity. And the card is going to work with the same parameters actually as an HID tag. It's got this FSK2A which means RF50 data rate
16:42
and it's specifying a certain number of cycles that you're going to go through with the higher frequency to indicate a logical low versus a logical high. And then when we want to start adding the commands into the Proxmark you have to understand that there is a command table structure, things are hierarchical so you just need to add a definition in your
17:02
file that you're creating and then within the functionality that's actually going to be called you're creating a USB command structure and sending that off to the FPGA. So you can see here how it looks. This code is all by the way in GitHub already in the master branch for Proxmark. You can see here the FSKD mod functionality and up on the
17:24
slide here are some of the functions that you need for working with that. In order to move beyond this into the clone and simulate functions, I needed to develop a function to take those numbers printed on the card and convert that into the wagon. For this I decided it should stay within the
17:43
client code. It doesn't make sense to have this down on the ARM chip where it's going to take up space and the ARM is never going to know anything about these numbers anyway. So I was then able to go right ahead into doing the clone functionality which is piggybacking on the T55XX
18:02
commands under the covers and also showing to you as you see the blocks that it's calculated that you need to program onto the card. The simulate function also has no purpose within the ARM so this lives in the client code and you can see up here the parameters that you need to
18:21
specify in the commands. There's a lot more detail about that in the white paper. But now the antenna construction, this is where we get into 3D printing and the applications there. So when I started, I was always interested in making antenna for my Proxmark and for other tools but I noticed that the DIY projects out there, they
18:42
felt a little bit too artsy-craftsy for me maybe. There's a bit of trial and error going on there. So I thought I might be able to do better with making 3D printed forms for that and that's what I did exactly. So to make a coil for the Proxmark, you take some wire very thin, thinner
19:02
than a strand of your hair like 40 gauge wire and you want to coil that around a form to make your coil or wind it around a coil. So you've got some functions that you can find for going between the function or the frequency and the inductance that you need based on the capacitance in your circuit. You've also got some functions or some
19:23
equations from white papers out there explaining the relationship between the number of turns and the dimensions of your form to the inductance. With all of that, I went and looked and I saw that there was a nice
19:41
design for an LF badge on the Proxmark website but it was using cutting out CD cases, gluing them together, stuff that I didn't really want to go through. So I took that design and I basically just drew it in some CAD software, printed it out and I found that it worked really quite well. In the end
20:00
it took around 87 turns for the Proxmark, about 57 turns for the RFiddler but you would find if you wanted to reproduce that it's going to vary a little bit due to the nature of the system. All those equations fortunately don't really matter all that much. As long as you've got enough turns, you plug it in, you try and tune your thing so you see
20:21
what frequency it's optimal at, what voltages you're getting out of it and then you simply unwind it one by one until you get to the frequency that you want. So you can see here the antenna that came out from this, I tuned it exactly for 125 kilohertz and it actually worked better than the commercial antenna that I had already paid $60 for. So
20:41
whereas that antenna was picking up at its optimal voltage, 29.43, I was getting 31.21. I know you can get a lot higher than that even but this badge worked very effectively for, or this card worked very effectively for me. So I then went ahead and added a lanyard clip to it and made something
21:03
that looks like this. This actually broke on me. A word to the wise that does that 40 gauge wire very, very thin. You want to do everything you can to reinforce that. Hot glue, higher gauge wire, these are your friends in this. But in the end, this was a very inexpensive build. Even going
21:23
out through Shapeways, you can use the model that's on GitHub now and have this printed for $7.68 before your shipping and handling. With the Cube Pro Printer, it costs maybe $4 to print out the form for it. And if you
21:40
actually had like a MakerBot that you can feed in generic filament to, you can do this for well under a dollar. And then I cut up a lanyard and RCA cable and made it so that I could have the cable going down through my shirt into the prox mark in my pocket out of sight and just kind of looking like an actual badge with a sticker with my picture on it.
22:02
The next project that I looked at here was the clip pone. So a lot of people talk about using clipboards in pen testing situations for RFID. So I decided to see what I could do with the fact that I now have 3D printable antennas that could be kind of fit into my thing. And you can see just by
22:24
printing out some simple shapes, you're able to make nice spacers to have a very clean, covert little board. You can hide this with some papers inside there in case somebody opens it up, it won't look so suspicious. And in general, if you want to make one of these, there are all sorts
22:42
of storage clipboards out there on Amazon. You just need to make sure that you find something that has enough depth to fit whatever it is that you're trying to hide in there. So you can also enhance this if you wanted to by adding in something like the USB armory or an RFID or I'm
23:02
sorry, raspberry pie board. And if say you had an RFID in there, all you need to do is connect something that's going to be listening with USB serial and logging that data very simply and you can walk around all day and then come back and have a log of all the UIDs you've captured. With the
23:20
Proxmark, you can of course take the client code and you can build this. It's already got an arm build for Android so that shouldn't be too much work. And then you can also move on to making fake readers and doing other things to hide your tools in the field. So one of the valuable resources for this,
23:44
you have building information models out there. So if you have AutoCAD, they have their seek environment which allows you to search for lots of things that you would find in different buildings. I found, for example, this HID reader enclosure which if my 3D printer hadn't failed on me, I
24:03
would have printed out to bring here but you could very easily hide inside of that a custom circuit board or a tool with an antenna and maybe put in an unexpected place, maybe conceal a legitimate reader and use that to try and capture badge swipes. So really what we're looking at
24:22
here is the fact that you can make realistic prints of things and you've got models out there but even if you don't, you can use something like a Kinect or even an Android phone or an iPhone with the 123D sketch app and actually just take pictures and get a very reliable 3D form out of this.
24:41
The next thing that I was looking at was using a phone case to actually hide an antenna inside of that and some of the things that I would envision doing with this, you could, of course, do exploits on the Android beam type functionality. Say somebody thinks it's just a phone but
25:01
really you've got some more sophisticated hardware on there. But also the initial intent that I had for this was being able to eavesdrop on the NFC communications for something like Apple Pay or Google Wallet. And there are so many phone cases out there that it really should be trivial to just take one of those and actually merge it with the design for a
25:22
coil in such a way that it's not going to be obvious. On the embedded side of things, some of the other things that I was looking at were adding in the support for the USB armory to be able to log keys, doing scriptable responses and also
25:40
being able to do something like if you use the OTG adapter on here with a little passive USB hub, you could have a Wi-Fi adapter in there and actually have a two-man team where one person is going to be using the device but not being able to see it, not knowing when it's read something, but somebody else maybe a couple hundred feet away is going to
26:03
be able to access it, monitor what's being scanned, trip it into simulate mode whenever it needs to be. So there are a lot of possibilities with that for pen testing. And actually at this point, I do have some time that I can try and do the demo of how the stand-alone mode works for
26:21
NFC. So I'm going to take the Proxmark out of the clipboard and plug it into a little battery here. And I need my high-frequency antenna for this. Just right here. So now, power that on. Also, add the extra battery back into
26:45
this. So it's let us know it's happy. And we've got to lock it. It's not so happy. Try that again. It thinks it's
27:08
locked. It's not the smartest smart lock. All right. So now it is in its locked mode. And if I take this card, we can
27:26
see this one does not open it. This one, however, will open it. And we'll relock it. This, however, is a magic tag. So if
27:41
I now power up the Proxmark by holding on this button, it flashes its lights for me, which I'm sure nobody in this room can see. But I can then go to the tag that works for it. When I touch it down, it is lighting up to let me know that it has scanned in a tag. Now it's in playback mode. Now, one of the problems with playback mode, either the
28:05
shape of the antenna or possibly the implementation of NFC on here isn't always so conducive for this. So what we're going to do is try it out. But this did work once
28:21
earlier today. But, yeah, generally, that's not happening. So we're going to clone it to a tag by holding down the button now, putting it on the field of the tag, and when I release it, it flashes to let me know it's written it. And with any luck now, we can go ahead and, oops, maybe not.
28:44
Let's try that again. Oh, my antenna was loose. The high rose connector on this is not always so great for holding
29:00
in cables. So let's just put it in stand-alone mode again. Go ahead and scan in this tag. And then we will clone it onto this one. Hopefully it hasn't been pricked. One of the risks with working with the magic cards is that if you
29:20
don't have a strong connection to the antenna while you're writing to it, you can't actually break it, which is why I stuck to just my fair classic where the tags are cheaper. But now we do have it working. So that's pretty much what I've got for you. If anybody wants to see any of this
29:41
stuff up close, you can definitely come up here or actually meet me outside afterwards. And just I want to say thanks for the Proxmark development team, Marshmallow and Iceman. Very, very great for being helpful with working with this stuff, being very patient. And also to my family
30:00
for putting up with all the crazy hours leading up to DEF CON. So, yeah, thank you. Oh, and I guess there are a few minutes for questions if anybody has questions now.