Bruteforce RFID UID
Card cloning
Card read and simulation
Card write sector 0 (DoS)
Card skimming by placing a reader next to or on top of the existing reader, in order to execute a card cloning or card simulation attack.
A brute-force attack by trying multiple UIDs on a specific locker. This is not ideal because you have to press a button each time before you can unlock it, so it is not very realistic.
A DoS attack by rewriting sector 0 on users' RFID cards. Only possible with writeable cards.
Steps for a card cloning/simulation attack:
Steps for a card cloning/simulation attack.
Use card 1 to lock the locker.
Scan card 1 with an RFID reader to get the UID.
Write UID of card 1 to card 2.
Use card 2 to open the locker, or simulate the UID of card 1 with the Proxmark3 to open the locker.
Steps for a card cloning/simulation attack using a Proxmark:
Use card 1 to lock the locker.
Scan card 1 with the Proxmark using the command hf search to get the UID and type of card.
Check the default keys of the Mifare Classic card using the command hf mf chk *1 ? (go to step 9 to simulate the UID).
Create a dump file with the command hf mf dump.
Use card 2 to open the locker.
Use the Proxmark to open the locker.
The Proxmark is handy for reading/writing data and for simulating RFID tags.
RFID card 1: M1 S50, 13.56 MHz
RFID card 2: UID card, 13.56 MHz (clone card)
Dump the keys for each sector to dumpkeys.bin using the command hf mf nested 1 0 A ffffffffffff d.
Get card 2 and change its UID with the command hf mf csetuid 795f17ad.
Simulate card 1 using the command hf 14a sim t 1 u 795f17ad.
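An added example, not from the original post: a small Python audit that reads a key file in the layout that the hf mf nested ... d command above writes to dumpkeys.bin (assumed here: all key A values for sectors 0..N-1, 6 bytes each, followed by all key B values) and reports which sectors of your own issued cards still rely on the factory default key ffffffffffff. The key file in the block is constructed inline; point parse_key_file at a real dump to audit a card.

```python
"""Audit a Proxmark3-style MIFARE Classic key file for factory default keys.

Assumed layout (dumpkeys.bin as written by `hf mf nested ... d`):
all key A values for sectors 0..N-1 (6 bytes each), then all key B values.
Defender use: run over key files of your own issued cards to find sectors
that are still protected only by a default key.
"""
from typing import Dict, List

KEY_LEN = 6
# Default key mentioned on this page; extend with your vendor's default list.
DEFAULT_KEYS = {bytes.fromhex("ffffffffffff")}


def parse_key_file(data: bytes) -> List[Dict[str, bytes]]:
    """Split the raw key file into per-sector {"A": key, "B": key} entries."""
    if len(data) % (2 * KEY_LEN) != 0:
        raise ValueError("key file length must be a multiple of 12 bytes")
    sectors = len(data) // (2 * KEY_LEN)
    keys_a = data[: sectors * KEY_LEN]
    keys_b = data[sectors * KEY_LEN:]
    return [
        {"A": keys_a[i * KEY_LEN:(i + 1) * KEY_LEN],
         "B": keys_b[i * KEY_LEN:(i + 1) * KEY_LEN]}
        for i in range(sectors)
    ]


def weak_sectors(data: bytes) -> List[int]:
    """Return the sector numbers whose key A or key B is a known default."""
    return [i for i, s in enumerate(parse_key_file(data))
            if s["A"] in DEFAULT_KEYS or s["B"] in DEFAULT_KEYS]


def sample_key_file() -> bytes:
    """Constructed 1K (16-sector) key file: sectors 0 and 5 keep the default
    key A, sector 9 keeps the default key B, all others are re-keyed."""
    keys_a = [bytes.fromhex("112233445566")] * 16
    keys_b = [bytes.fromhex("aabbccddeeff")] * 16
    keys_a[0] = keys_a[5] = bytes.fromhex("ffffffffffff")
    keys_b[9] = bytes.fromhex("ffffffffffff")
    return b"".join(keys_a) + b"".join(keys_b)


if __name__ == "__main__":
    for sec in weak_sectors(sample_key_file()):
        print(f"sector {sec}: default key present")  # prints sectors 0, 5, 9
```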
Software and firmware used from the
This post is about a device that uses different types of RFID tags for opening and closing a personal locker.