So, who here is for the RFID talk? Everyone. It's going to be a quick 20-minute talk. It's something I've been working on for a while. It's not 100% complete yet, so you'll see a lot of kind of missing things, or something where I'll say, hey, this is not perfect but I'm working on it. But yeah, so: real-time RFID cloning in the field. This is not something new, it's just a different way of doing things. And you'll see me fiddling with this thing the whole time because I'm trying to get it to work before the demo slide comes on, so one second. Let me turn this one on. They sound really cool when they start up. I always get weird looks from people, like, I'm about to die, aren't I? So that may not be me stealing someone's badge. So who am I? I'm not going to spend too much time. I'm Dennis, a lot of you know me. Who here's been to one of my other talks before? I spoke twice, everyone. I'm an adversarial engineer at LARES Consulting and I'm a Houstonian, a current Houstonian, and I founded Houston Locksport, a lockpicking club; we just hang out, drink beers and pick locks. And HAHA, Houston Area Hackers Anonymous or Association or whatever you want to call it. For those who, if you're in Houston, if you find yourself in Houston around the same time we do any of those meetups, totally stop by, it's awesome. I spoke previously at DEF CON 23 and DEF CON 24. Okay, so, yeah, the demo is totally not going to work, but RFID, radio frequency identification, so you all know what RFID is, right? Who here has an RFID card on them? Don't lie, all of you guys. I mean, who here's staying at this hotel? All right? RFID cards. So just a little bit of background on what radio frequency identification is. It's electronic access control for many companies and organizations, hotels and what have you. Even some homes, personal homes, have it if you have one of those Samsung smart locks that supports RFID technology. It's a contactless form of authentication.
So you have a wireless badge, kind of like what I have in my hand here. It's either a tag or a badge. They come in many different form factors, and you present it to a reader on the wall or on the door, and if it's the correct card, it lets you in. As far as the hardware technology goes, there's two different types of technologies that are going to require two different types of readers. You have the low frequency technology that runs on 125 kilohertz, and that's typically your HID Prox and dollar flex IO prox and some other manufacturers and vendors that make that kind of technology. It's the older technology. It is commonly referred to as less secure because it doesn't support cool things like cryptography and stuff. But then you have high frequency, which operates on 13.56 megahertz, and that's where HID iCLASS comes in, MIFARE, and others that you've heard of. This is a technology that actually supports cryptography and mathematics and a lot of other things between the card and reader to make it harder to clone a card and attack the reader. You'll hear them commonly referred to as credentials, cards, stickers, tags. You guys have all different sorts of media that have this technology embedded in it, and a lot of devices may have an RFID tag in them and you may not even know it. If you have ever gotten a garage remote or a smart key from an apartment, there might be an RFID tag in there for the key management computer or something. So here's just some examples. You see employee badges, ISIS, back when it was called ISIS. Now, what is it called? The serophagus detection thing? You see something like that, whatever. But you have these badges that people will wear on their person at all times, even when they're not at work. You have people wearing it on their lanyard over the neck and it's swinging around, or they have it on either the left side or right side, just pinned to their belt. And what that allows us to do as pen testers, I'm going to assume everyone here is legit.
They're pen testers. They're not like black hat hackers. But as pen testers, if we're targeting a specific company we want to get into physically, then we can see how they're wearing their badges and target that. So if we have a device like one of these long range readers I'm going to talk about, and we see that they're wearing their badge on their left hip, then we can put our pretty reader in a backpack and walk by someone, passing by their left side, and try to get a good badge read from that. So here's kind of who is there. Here's a kind of sneaky little random person. I don't know who's sitting there; who knows, this guy has a badge. So I sit next to him, and in my backpack is one of these RFID readers. And I'm just close enough to get a quick read. And I'm acting nonchalant. I'm trying not to be suspicious, other than the fact that I look like me. And just walk away. And now I have that person's badge. So what did I use? I used one of these long range readers. So there's a few different types of long range readers that you guys have probably seen. Like I said, this is nothing new. Bishop Fox did a talk like this, what, two, three years ago, where they talked about weaponizing one of these long range readers. So you have the MaxiProx 5375. And that's the low frequency long range reader that HID manufactured and sold at some point. And it can read HID Prox cards, and it can actually read them from a range of 18 to 24 inches. That's somewhere between like two to three feet. It's actually pretty good. It's a good read range. So you don't have to like get up to someone and touch their butt to get a card read. Damn, who said that? But you just have to be close enough, like that bench. I was a few feet away from that person at that bench. Or maybe in an elevator. So here's what it looks like. Except I took it apart. It's got a big antenna coil that's energized and will constantly send out power, like, just, I'm not a physics major, but radio frequencies.
I'm not going to try to fake it. And if a card is present within the field, close enough, it will power that card, and that card will respond back with its information and we get a read. Same thing with the R90. Those are for the high frequency cards, the iCLASS cards. And those, because of the technology and the physics and the science, don't read at as long of a range as the low frequency. So it's kind of 12 to 16 inches. But it's still good enough for what we want to do. And that's this one here. That's a cover. That's what it looks like. This thing. And these aren't like hacker devices. These are devices, by the way, that are small enough to fit in a backpack, and you can find them on eBay. They're probably expensive, but you can find them on eBay. These devices aren't hacker devices. They are devices that manufacturers, or like building owners and anyone who has a facility, can buy, or a vendor can buy, to allow legitimate users to scan their badge from a distance. For example, if they're in the car, you don't want the user to have to get out and go to the reader and scan their badge. But if they can do it from their car, the long range reader is going to provide enough of a read range to do that. And so you see them all over the place. If you pay attention, go to like garages or some apartments that have those, or like parking lots for companies, they'll have those long range readers. Now don't go stealing those, because they're connected somewhere, so you'll create a lot of damage. But often, like, maybe a building gets decommissioned or demolished and they take these and they sell them, or they donate them to some warehouse, electronic parts warehouse, so you can go look for them. So what does one of these look like? So this is what one kind of looks like normally. You see it's got that big antenna coil and all that circuitry hidden behind that white piece of paper.
That's the normal circuitry that it comes with to kind of power that coil and do all of its magic mumbo jumbo to make RFID reading work. And then there's, often there's four wires, sometimes there's more, but the minimum is four. You've got two wires for power and ground, and you've got two wires for the Wiegand Data1 and Wiegand Data0. And those will often feed all the way back through some wall to some controller that interprets that information. So what we can do is, if we were to grab one of these, we can modify it. So you can see here on this picture I put extra circuitry in there. The first one on the bottom being a battery source. In this case I'm using 18650 batteries. I'll kind of go into detail a little later. But that battery source is going to allow me to power this reader on its own and not have to be connected to an external source. And then there's a series of DC boost converters and buck converters. Sounds advanced, but it really isn't. It's just to kind of do power management, like boost the voltage up to 12 volts to power the reader, then back down to five volts to power the Raspberry Pi. And then we have the Raspberry Pi, which is the brains of this operation here. What the Raspberry Pi does is it allows for wireless connectivity, so I can spin up a Wi-Fi access point. By the way, that's the new Raspberry Pi Zero W. It's awesome. It's ten bucks and it has wireless built in. And I can host servers. It's a Linux operating system, so I can host like web pages and servers and stuff. And what this Raspberry Pi will do is it's connected to the Wiegand data wires of this reader. And it'll interpret and automatically decode with Python code that was released like ten minutes ago. I'll talk about it. It's terrible code. Don't clap. While you're clapping I'm going to see if my demo is going to work. Probably not. Turn off your Wi-Fi devices, please. And whoever is trying to crack that network, stop.
So it's going to automatically decode and interpret the Wiegand data. And it's going to get and present... oh, it worked. Present all the information for you. Don't clap yet, because I haven't started the demo yet. So I'm going to speed through it to get to the demo. So the Raspberry Pi is the brains of the operation. It does everything. So let's see if this is going to work for me. So I'm connected to something. Oh yes. Boop. Let's see. Let's see. Open. Okay. So what I have here now is, I had to use my backup reader. But this is the high frequency reader. And it's currently powered on, powered by these batteries. And there's a Raspberry Pi it's connected to. The Raspberry Pi has Wi-Fi enabled. So it has an access point, and I'm connected to that access point. I'm just going to go ahead and get a read now, just in case that works. Ah! Something broke. So what happened, what's happening is, every time it gets a read it's going to automatically... there's a web page that you connect to. So you connect to this over Wi-Fi via your phone or your laptop. And you go to this web page, and it's just WebSockets. What it has is a table with all the Wiegand information in it. And that's going to be your Wiegand binary, your Wiegand hex data, and your card number, facility code. Right now this is an unknown card, so let me get a quick legitimate card and see what happens. And what's cool about this is, for those who remember or who have ever even made the Bishop Fox one, the Bishop Fox one is great. And it gave me kind of the incentive to make it better, because with the Bishop Fox one, when you get a card read, you have to go back to your base, wherever, take the SD card out, decode the Wiegand binary data as you see there, and just figure out how to decode that and go from there. But what mine does is, if you see in the bottom reads here, I'm actually not going to read this card, because I realize it's probably not a number I should be displaying.
But if you see this over here, you see this is the Wiegand data stream. This is the Wiegand binary you'll typically get with the Bishop Fox one from the SD card. What it'll do is it'll give you the hex data, and this is cool because you don't have to do anything. You don't have to automatically decode that by hand. It'll actually give you this, and this is what you need for the Proxmark. All you do is you pass this code to the Proxmark and boom, you've cloned a card. And then it'll even decode these numbers for you. 18, 221: that's the facility code, that's the card number, and in case it's a specific format, this is the card number without the facility code. So this will automatically decode based on the specific format. For those who are familiar with HID, there's different formats like 26-bit, 35-bit, 37-bit. This will do all that magic for you. All you've got to do is get a card read and then copy and paste this into Proxmark. Super easy. What I also have, if this didn't die on me, there we go. Oops. Oh. That's not my dog. That's Doug's dog. He's Doug from Austin. Her name is River. She's cute. So let's say I have this thing in my backpack. There's a bag here, and I'm in the elevator and I want to get someone's read. But I don't know if I'm positioned right. So what you do is, this is an Android app. It's on my phone. And what I'll do is I will get close enough to that person to get a read. You can still see it. And let's, where's my card? Is this a good card or a bad card? So you get a read. And what happens is it automatically pops up on that screen, and as you heard, you get a notification. So even when you're not focused on it, I get a notification. Of course don't let it sound, let it vibrate. But now you have it in your pocket, it's vibrating, and yes, I got a good read. And by the way, I have a Pebble watch and I got it on my Pebble watch too. So I can see facility code and card number on there. So I know exactly who I just got.
And that's pretty much, there's an Android app. The Android app we're still kind of working on. I haven't had time to finish it, but that'll be released real soon once I get that finished. So that's pretty much the meat of it. Now there is another cool thing, unfortunately, let me try to get it. One cool thing I really want to show you guys, but I don't think I will be able to because the Wi-Fi is not working, is with the low frequency reader, and I'm slowly working on the high frequency reader. I have this. This is currently very big. There's a Raspberry Pi in there, a Proxmark in there and a battery. What this will do is, it's the satellite system. When you turn this on, which I'm going to turn on right now, it's a battery powered, oh, five minutes, thank you. It's a battery powered Raspberry Pi. This wirelessly connects to that access point from that reader. So let's say Tim and I are in an assessment, and Tim has the RFID reader, and I have this satellite kind of at least 30 feet away from him. When he gets a read, it's going to automatically send that information to the satellite system, the satellite Pi, and it's going to automatically write a card. So all you do is just take it out and you have a copy. So I'm going to try, like for one second, to see if this is going to work. Let's find out. Yeah, there's too much wireless here, so unfortunately I can't demo it, but what I can do is, I will, hmm, if someone wants to offer a village I can hang out with tomorrow, I can have all this stuff up and you guys can all play with it. But hit me up on Twitter. Tomorrow I'll have all this stuff and I'll bring it somewhere, probably to the Lockpick Village, and I'll just let you guys see how all this works. But yeah, what this will automatically do is it will automatically clone that card, and so in seconds you steal someone's badge and you have a complete copy and you just walk into the building. That's pretty much it for that. So I'm going to rush through making your own.
I don't have a lot of detail here, because the reason for that is I'm posting most of the detail on GitHub. I've already written quite a bit of detail on there. Once Tim, Tim right there, Tim McGuffin, once he helps me figure out how to draw a schematic diagram, I'll draw a schematic diagram on how you can make one of these on your own, but it's fairly simple. So making your own: all you need is, you need of course one of these readers, Spider and eBay or whatever. If you pay me enough money I can give you that one, but it's a lot of money. You need a battery source. The battery can be anything. It has to support three amps, so if you just use like a few double A's it's probably not going to work, but a bunch of double A's will work, just like Bishop Fox's, but I like to use 18650 batteries. My batteries support 10 amps each. They're awesome, and they have a protection circuit, so when you screw something up, and I've screwed something up, the protection circuit will hopefully prevent your reader from dying, and that's happened, that's another story for later. Then all you need is, I got a read. Who read my card? Then you need a DC boost converter, so if you have a battery source like these two batteries here that only support seven volts, the boost converter will boost it up to 12 volts so it can actually power the reader, but then you need a buck converter so you don't burn your Raspberry Pi. That's going to bring the 12 volts down to five volts to power the Pi, and then of course you get the Pi Zero with all the magic, and of course wire. So with the Pi Zero, just install Raspbian Jessie Lite. I see everyone taking pictures, so I'm going to upload this to the GitHub after this. But there's a GitHub, yeah, take a picture of that, fine. There's the GitHub link. Download Raspbian Jessie Lite, install on the SD card, put it in the Raspberry Pi, and there's Python code and a setup script.
All you do is you run the setup script after you install Raspbian Jessie Lite, and that should install everything for you. It should install and set up a Wi-Fi access point and install the Python code necessary to get all this to work, and then on the GitHub I'll show you how to wire the GPIO pins to get that to go. It's five simple pins, power, ground, data one, data zero, four pins, not five. And then for the automatic cloning, none of that's going to be on GitHub yet, because I'm still working on it, but it's simple. It's just a Proxmark, any version, with the Raspberry Pi and a battery. That's all it is. So if you go to my GitHub, which I've just made public, how do I switch tabs? I can't see my mouse. There it is. Here you'll see there is a setup script down here. So once you get Raspbian Jessie Lite on a Raspberry Pi, just run that setup script. It should do everything automatically. I'm going to be working on getting a Raspberry Pi, a Raspbian image, that has all this done. I already have that image, but it's a 16 gig dd of an SD card. I have to figure out how to make it a 2 gig SD card without actually having, unless someone has a 2 gig SD card they can lend me. No? Okay. But down here there's a bunch of information on how to set it up, and as the day, as the week, as time goes by, I'm going to be updating it, making it more clear and adding more diagrams to get it to work. It's been pretty busy the last few months, so I haven't had a lot of time, but I'm going to focus on that. So that's pretty much it. I'm out of time. So questions. Questions. I guess I'm out of time, so I'm going to have to like step down here, and I can answer questions, or outside in the hall. So is there anything else I need to? All right. Thank you so much. Sorry for the demo fail, but I'll have it tomorrow. Thank you.
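Added illustration, not the speaker's code from the GitHub project: how the Wiegand bit stream picked up on the reader's Data0/Data1 wires becomes the facility code and card number the talk's web page shows, with the parity checks a controller applies so a partial or corrupted read is flagged instead of trusted. The 26-bit layout is the standard HID one; the facility code, card number and pulse list below are constructed sample values.

```python
# Added example, not code from the speaker's GitHub project.
# Sample values below are constructed; they are not real badge data.

PULSE_TO_BIT = {"D0": "0", "D1": "1"}


def pulses_to_bits(pulses):
    """A Wiegand reader pulses Data0 for each 0 bit and Data1 for each 1 bit.
    Given the line names in arrival order, rebuild the bit string."""
    return "".join(PULSE_TO_BIT[p] for p in pulses)


def decode_wiegand26(bits):
    """Decode the standard 26-bit format: even parity bit, 8-bit facility code,
    16-bit card number, odd parity bit. Parity is verified the way a controller
    would, so a frame damaged by a partial read is flagged rather than trusted.
    Other lengths (35-bit, 37-bit) use different layouts and are not handled here."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 '0'/'1' characters")
    b = [int(c) for c in bits]
    even_ok = sum(b[0:13]) % 2 == 0   # leading bit makes bits 0..12 sum to even
    odd_ok = sum(b[13:26]) % 2 == 1   # trailing bit makes bits 13..25 sum to odd
    return {
        "binary": bits,
        "hex": f"{int(bits, 2):07X}",   # raw frame as hex, 7 digits for 26 bits
        "facility_code": int(bits[1:9], 2),
        "card_number": int(bits[9:25], 2),
        "parity_ok": even_ok and odd_ok,
    }


if __name__ == "__main__":
    # Constructed frame: facility code 42, card number 1234, both parity bits valid.
    sample_pulses = ["D" + c for c in "10010101000000100110100100"]
    frame = pulses_to_bits(sample_pulses)
    print(decode_wiegand26(frame))
    # A read cut short or corrupted usually shows up as a parity failure.
    print(decode_wiegand26(frame[:-1] + "1")["parity_ok"])
```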