Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2019-02-18 12:58:37

squishy
Contributor
Registered: 2019-02-18
Posts: 4

HID simulation the correct way

Hi,

My HID tag:

HID Prox TAG ID: xxxxxxxxxx (4567) - Format Len: 26bit - FC: 240 - Card: 4567

[+] Valid HID Prox ID Found!

Which I was able to simulate using the following commands:
> lf sea
> lf hid sim xxxxxxxxxx

It worked sometimes and sometimes it doesn't. Can anyone tell me if this is the correct way to do an HID simulation?
Also, I have saved the data using the following command:

> data save hid.pm3

Now, I would like to know if someone can guide me on why my HID tag is so easily copied and simulated, and what I can do to make this kind of HID tag secure so that it cannot be copied or simulated. Also, is there a way to learn more details about the card I'm reading using the PM3?
I don't know most of this, so I might be mixing things up. I would appreciate the guidance. As an additional note, I have been checking out iceman's YouTube channel and a lot of iceman's guides, like this one: http://www.icedev.se/pm3cmds.aspx
Thanx

Last edited by squishy (2019-02-18 13:00:14)


#2 2019-02-23 22:30:47

grauerfuchs
Contributor
Registered: 2018-08-28
Posts: 38

Re: HID simulation the correct way

This is the main problem with the old proximity card systems. You can't secure them. They relied on the lack of hardware availability for reading, simulating, and copying, and then on security through obscurity. Even if you can't translate the data, replay attacks will still work. The bottom line is that the prox cards reveal their secrets the moment they're in range of a matching reader, and nothing can be done about it.

This is why many companies are going to a platform that requires a challenge-response from the cards (like DESFire, HID iClass, etc.) and away from the classic Proximity card technology. Properly hardened, the newer cards and systems can be set to rely on an encryption key and algorithm that is pre-loaded and selected by the company or agency producing the card. Since a card without this pre-loaded (and not transmitted) information can't respond to a challenge, the system is said to be "secure".

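An added illustration of the two points made above, written for this thread and not code from the Proxmark3 project: the 26-bit H10301 word for the FC 240 / card 4567 credential quoted in post #1 is fully determined by those two public numbers (the raw Proxmark ID, redacted above, additionally carries HID's preamble and is not reconstructed here), so a reader that checks only that static word accepts a replay. The HMAC-based challenge-response reader is a constructed model of the scheme grauerfuchs describes, with a made-up key, not any real card protocol.

```python
import hmac, hashlib, secrets

def h10301_encode(fc, card):
    """26-bit Wiegand word: even parity | FC (8) | card number (16) | odd parity."""
    if not (0 <= fc < 256 and 0 <= card < 65536):
        raise ValueError("FC is 8 bits, card number is 16 bits")
    data = (fc << 16) | card                      # the 24 payload bits
    ep = bin(data >> 12).count("1") & 1           # even parity over the high 12 bits
    op = 1 - (bin(data & 0xFFF).count("1") & 1)   # odd parity over the low 12 bits
    return (ep << 25) | (data << 1) | op

def h10301_decode(word):
    """Return (fc, card), or None if either parity bit does not check."""
    ep, data, op = word >> 25, (word >> 1) & 0xFFFFFF, word & 1
    if (bin(data >> 12).count("1") & 1) != ep or (bin(data & 0xFFF).count("1") & 1) == op:
        return None
    return data >> 16, data & 0xFFFF

def card_respond(key, nonce):
    """A challenge-response card: prove possession of the key without sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

class ChallengeResponseReader:
    """Toy reader for the scheme in post #2; not a real DESFire/iClass protocol."""
    def __init__(self, key):
        self.key, self.nonce = key, None
    def challenge(self):
        self.nonce = secrets.token_bytes(16)      # fresh per transaction, never reused
        return self.nonce
    def accept(self, response):
        if self.nonce is None:
            return False
        expected = card_respond(self.key, self.nonce)
        self.nonce = None
        return hmac.compare_digest(response, expected)

def replay_demo():
    """Returns (static_replay_accepted, genuine_cr_accepted, replayed_cr_accepted)."""
    enrolled = {h10301_encode(240, 4567)}         # what a prox reader's controller knows
    sniffed = h10301_encode(240, 4567)            # a static word: read once, valid forever
    static_ok = sniffed in enrolled
    key = b"constructed demo key, not from any card"
    reader = ChallengeResponseReader(key)
    response = card_respond(key, reader.challenge())
    genuine_ok = reader.accept(response)          # genuine card on the first transaction
    reader.challenge()                            # next transaction issues a new nonce
    replay_ok = reader.accept(response)           # the captured answer no longer matches
    return static_ok, genuine_ok, replay_ok
```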

#3 2019-03-05 12:57:44

squishy
Contributor
Registered: 2019-02-18
Posts: 4

Re: HID simulation the correct way

Thanx for the nice explanation. I haven't been able to research much about prox cards or RFID per se, but I would like to know if there's a way to use the prox card reader for a different card, like DESFire or any HID iClass? But I guess that the prox card reader can't be used because it does not support challenge-response? Thanx


#4 2019-03-05 13:49:50

grauerfuchs
Contributor
Registered: 2018-08-28
Posts: 38

Re: HID simulation the correct way

Unfortunately, you do need a reader designed to communicate with those cards. First and foremost, it needs to be able to transmit data as well as receive. Traditional prox card readers transmit only a stable RF field and are designed only to receive the data. Most of the newer cards are also operating at the HF range of 13.56MHz vs. classic prox using the LF frequency of 125kHz and animal ID tags at 134kHz. Although some enterprise-grade readers can read some LF and some HF tags (as can the Proxmark3), they use different antennas and have special programming and circuit designs to do so.


#5 2019-03-06 08:33:26

squishy
Contributor
Registered: 2019-02-18
Posts: 4

Re: HID simulation the correct way

grauerfuchs wrote:

Unfortunately, you do need a reader designed to communicate with those cards. First and foremost, it needs to be able to transmit data as well as receive. Traditional prox card readers transmit only a stable RF field and are designed only to receive the data. Most of the newer cards are also operating at the HF range of 13.56MHz vs. classic prox using the LF frequency of 125kHz and animal ID tags at 134kHz. Although some enterprise-grade readers can read some LF and some HF tags (as can the Proxmark3), they use different antennas and have special programming and circuit designs to do so.

Thanx a lot for the reply with all this info. Can you recommend to me some reading material regarding HF and LF RFID cards, about implementation or benchmarks maybe? After this I won't bother you again :)


#6 2019-03-10 02:17:34

grauerfuchs
Contributor
Registered: 2018-08-28
Posts: 38

Re: HID simulation the correct way

Unfortunately, all of the documents I used are buried or moved at this point. Mostly, I spent time on this forum and others, gathering details on how the data is stored and handled. I borrowed some from the blogs regarding the original Proxmark and similar devices, the white papers from HID and other companies on their proximity card solutions, and an excessive amount of trial, error and observation with the real hardware. Given that most of that information is present in this forum over all the posts and in the documentation for the Proxmark itself, going through what's here will be an excellent start even if not organized in a really instructional manner.

You might also try looking over the RFID implementations and hardware available on the Arduino platform. Although it's typically a higher layer of implementation, it still applies here. If you're good with code, a look at the PM3 source code is also worth a look. You'll see the different layers of implementation all combined there as well.

