I Got 99 Problems But Your HID Ain’t One…
Jake Liefer – Senior Consultant – Security Risk Advisors
Dan Astor – Consultant – Security Risk Advisors
Our Backgrounds
Jake Liefer
• Physical Testing – Badge Cloning Development
• Internal, External, Webapp, Mobile, Spear Phishing
Dan Astor
• Physical Testing – Social Engineering
• Internal, External, Webapp, Spear Phishing
The Dream Team & Project
• 1 Company – 2 months – 15 locations – Never caught.
• Access to all locations, except for 1.
• Datacenters, Corporate Campuses, Skyscrapers, Shared Offices
Today’s Topics
- Online Recon Methods
- Social Engineering
- Low Frequency Badge Cloning
- High Frequency Badge Cloning
Think Like An Employee, Not A Ninja
Location Categories – Site Location Types
• Remote Infrastructure
• Retail Location
• Shared Office Space
• Dedicated Space
• Secured Campus
Remote Site Recon – Image Recon
Location Recon: Image Recon
• Google Streetview – Useful for larger locations to identify perimeter security weaknesses, access controls, and entrances.
Building entrance and badge reader. Hey that’s here!
• Google Streetview – Inside views now as well, denoted by an orange or blue dot on StreetView.
Google Streetview inside data center.
• Google Satellite – Useful for suburban locations to identify entrances; some locations only offer overhead views.
Identified Building Entrances
• Don’t Discount Bing – Identify entrances via bird’s eye view.
Same location as previous slide, but using Bing’s Bird’s Eye View
Remote Site Recon – Google Image Hacking
Google Image Searching
• Google Search – Search the building’s address, company name + city, building name + lobby, etc.
Building lobby entrance identified via Google search for building name + lobby
Detailed map of secured campus facility identified from Google searching
Identify Employees
• Utilize social media
– Jigsaw
– FourSquare
• Company websites
Identify Employee Badges
• Search Engines
– Google, Bing, etc…
• Social Media
Create Replica Badges
• Design a replica badge using Photoshop
• Purchase a real badge printer
– $$$$$$
• FedEx Office…
– $3
– Place in front of a blank badge in a sleeve…
Getting In From A Phone Call
Use identified employees for:
• Calling up corporate scheduling – Book yourself a conference room
• Calling up the security desk – Ask to be put on the guest list
• Calling up the receptionist – Say you’re from another office and need to use a conference room for network access…
• GET CREATIVE!!!
Look For Events!!!
Try to get inside the building
• Search for public events on search engines and register
– May cost some $$
• Blood Drives???
– Sure, why not…
• Networking events and workshops
• Hint – Check out PRSA, EventBrite
Wifi Recon
Crowdsourced Wardriving
• Wigle – Search for wireless networks and zoom in on locations to identify wireless networks.
Badge Cloning

Technology                          Market Share  Encryption  Cloneable
Low Frequency HID (125 kHz)         >80%          None        Yes
Low Frequency – Other 125 kHz       ~5%           None        Probably
Low Frequency 134 kHz               ?             None        Not yet encountered
High Frequency HID iClass (13 MHz)  ~10%          3DES        Probably
High Frequency – Other (13 MHz)     ?             Varies      Not yet encountered
Identify the Badge Reader – Low Frequency HID
Identify the Badge Reader – Low Frequency Indala
Identify the Badge Reader – High Frequency HID iClass
Identify the Badge Reader – Misc.: ioProx, Cotag, Casi, GE, AWID
Our Cloning Equipment
Obtaining Badges – Badge Reader
Best Covert Badge Reader: Bishop Fox’s Blackhat / Defcon talk “Live Free or RFID Hard”
Cloning Badges – Proxmark
T5557 Rewriteable Card
The Strategy – Cell Trance
Source: http://www.boston.com/bostonglobe/ideas/brainiac/2013/02/the_digital_ges.html
Standard Badge Format
Facility Code – Same for all cards at a facility
Card Code – Unique for each badge, typically sequential
Example: Facility Code – 613, Card Code – 39746
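An added example, not from the talk, showing how an access-control reader parses the facility code and card code out of the bits a badge transmits. It assumes the common 26-bit Wiegand (HID H10301) layout with an 8-bit facility code, a 16-bit card code and two parity bits; the talk’s own facility codes (613, 803) exceed 8 bits and so belong to a longer HID format, and every frame below is constructed. The point it makes concrete is the one the slide states: the facility code is shared by every card at the site and the card codes are sequential, and nothing in the frame beyond two parity bits is checked.

```python
from __future__ import annotations

# Assumed layout (H10301, MSB first): [E][facility code: 8 bits][card code: 16 bits][O]
# E = even parity over the first 13 bits, O = odd parity over the last 13 bits.


def encode_h10301(facility_code: int, card_code: int) -> str:
    """Return the 26-bit string an H10301 credential transmits for (FC, CC)."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_code <= 0xFFFF:
        raise ValueError("card code must fit in 16 bits")
    payload = f"{facility_code:08b}{card_code:016b}"   # 24 data bits
    even = str(payload[:12].count("1") % 2)            # makes bits 0..12 even
    odd = str((payload[12:].count("1") + 1) % 2)       # makes bits 13..25 odd
    return even + payload + odd


def decode_h10301(bits: str) -> tuple[int, int]:
    """Parse 26 Wiegand bits into (facility_code, card_code), checking both parity bits."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 bits of '0'/'1'")
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("leading even-parity check failed")
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    return int(bits[1:9], 2), int(bits[9:25], 2)


def summarize_frames(frames: list[str]) -> dict[int, list[int]]:
    """Group card codes by facility code, dropping frames that fail parity
    (a corrupt or partial read). All valid frames from one site share one FC."""
    by_fc: dict[int, list[int]] = {}
    for frame in frames:
        try:
            fc, cc = decode_h10301(frame)
        except ValueError:
            continue
        by_fc.setdefault(fc, []).append(cc)
    return {fc: sorted(ccs) for fc, ccs in by_fc.items()}


# Constructed sample: three sequential cards from one site plus one frame whose
# leading parity bit has been flipped, as a garbled read would look.
_good = encode_h10301(100, 39746)
SAMPLE_FRAMES = [
    _good,
    encode_h10301(100, 39747),
    encode_h10301(100, 39748),
    ("1" if _good[0] == "0" else "0") + _good[1:],
]

if __name__ == "__main__":
    print(summarize_frames(SAMPLE_FRAMES))   # {100: [39746, 39747, 39748]}
```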
Process Flow
Obtain Badges → Read Cards.txt → Clone Badge → Confirm Badge → Profit
HID iClass
OpenPCB.org – HID iClass Demystified
Proxclone.com – Thanks Carl!
HID iClass Encryption
Low Frequency: FC: 803, CC: 13692 (transmitted in the clear)
HID iClass: FC: 2132321, CC: 136213123, Key: 987654321
HID iClass Encryption – The Problem
Key: 987654321 – the same key on every card, and in an eBay’d badge reader
HID Legacy iClass – iClass (High Frequency) + Prox (Low Frequency) Badge
HID iClass Cloning
Card read: FC: 2132321, CC: 136213123 (iClass, under key 987654321) corresponds to FC: 803, CC: 13692 (Low Frequency) → Cards.txt
HID iClass Prep
• Install outdated software
• Old software to write: CardMan_Synchronous_API_V1_1_1_4.exe
CardMan was a software library provided to developers by HID to assist in understanding iClass cards
• Old software for Omnikey: OMNIKEY5x21_V1_2_0_14.exe
Process Flow – High Frequency
Obtain Badges → Read Cards.txt → Encrypt Card Info → Write Badge → Profit
Cloning a badge in ContactlessDemo
Prep: Encrypt your badge info using the extracted 3DES encryption key.
• Select the card: 80A60000
• Load the encryption key: 808200F008XXXXXXXXXXXXXXXX
• Authenticate to the card: 808800F0
• Read Block 7: 80B0000700
• Write Block 7: 80D60007083b9ba12046fdb24
• Read Block 7: 80B0000700
• CLONED.
Mitigation Strategies
• Two-factor authentication (PIN pad least intrusive)
• HID iClass with unique keys
• Guards verify employees via company directory.
Upcoming Projects
On-Site Badge Cloner