SKIM JOB:
SKIMMING YOUR WAY IN
BY: BRETT DEWALL / @XBADBIDDYX
INTRODUCTION
 BRETT DEWALL (OSCP, OSWP, GWAPT)
 GRADUATED FROM ST. CLOUD STATE UNIVERSITY (MINNESOTA)
 BACHELOR OF SCIENCE - INFORMATION SYSTEMS
 STAFF SPECIALIST - WHITE OAK SECURITY
 SPARE TIME:
 SPOON FLOWER DYNASTY
 CAR ENTHUSIAST
 BUG BOUNTIES / RESEARCH
 PARTICIPATED IN DEFCON SECTF - 2015
 3RD PLACE
 HAS PERFORMED OVER 50 ONSITE SOCIAL ENGINEERING ENGAGEMENTS
WHAT AM I TALKING ABOUT
 INTRODUCTION
 RFID OVERVIEW
 CURRENT RFID SOCIAL ENGINEERING ATTACKS
 SKIM JOB
 QUESTIONS
RFID OVERVIEW
 WHAT IS RFID?
 RADIO-FREQUENCY IDENTIFICATION
 WIRELESS SYSTEM (TAG & READER)
 USES?
 TONS! (SUPPLY CHAIN VISIBILITY, TRACKING, ACCESS CONTROL, ETC.)
 IS THIS TALK SPECIFIC TO AN RFID TECHNOLOGY?
 YES! SPECIFICALLY HID PROX PRODUCTS (125KHZ - LOW FREQUENCY)
CURRENT RFID SOCIAL ENGINEERING ATTACKS
 PROXMARK3
 BISHOP FOX - LONG RANGE READER
 BLEKEY / ESPKEY
PROXMARK3
 DEVELOPED BY JONATHAN WESTHUES
 SNIFFING, READING, CLONING OF RFID TAGS
 COMMUNITY DRIVEN - OPEN SOURCE!
 MODES
 CONNECTED
 STANDALONE
PROXMARK3 CONT.
 PROS
 SUPPORTS MULTIPLE RFID TECHNOLOGIES
 OPEN SOURCE
 BRUTEFORCE
 READ, WRITE, AND CLONE
 CONS
 READ RANGE VERY LIMITED - 1-2 INCHES
BISHOP FOX - LONG RANGE READER
 ROBERT FRANCIS PRESENTED "LIVE FREE OR RFID HARD" AT DEFCON 21
 DESIGNED TO READ 125KHZ LOW-FREQUENCY RFID CARDS
 LONG RANGE - UP TO 36 INCHES
BISHOP FOX - LONG RANGE READER CONT.
 PROS
 LONG RANGE
 OPEN SOURCE
 EASY TO USE
 STANDALONE
 CONS
 READER ONLY
 EXPENSIVE
 REQUIRES PHYSICAL INTERACTION
BLEKEY / ESPKEY
 ERIC EVENCHICK & MARK BASEGGIO PRESENTED THE BLEKEY AT DEFCON 23
 DESIGNED TO BE INSTALLED IN LESS THAN 60 SECONDS (IDEAL SITUATION)
 INSTALLED IN-LINE WITH THE RFID READER
 UNIVERSAL SUPPORT
 WIRELESS LAN COMMUNICATION
BLEKEY / ESPKEY CONT.
 PROS
 SMALL FORM FACTOR
 ATTACKS THE PHYSICAL DEVICE
 CAN STORE MULTIPLE RFID CARDS (THOUSANDS)
 CONS
 CUTS THE WIRE SHEATH WHEN INSTALLING (PREMATURE FAILURE?)
 NEED TO GAIN ACCESS TO WIRING TO INSTALL
PREVIOUS TECHNOLOGIES RECAP
 NONE OF THESE DEVICES ARE BAD
 THEY ALL WORK IN THEIR OWN WAY
 THIS IS NOT TO DETER ANYONE FROM USING THEM
SKIM JOB
SKIM JOB - WHY?
 WANTED TO ELIMINATE THE EMPLOYEE INTERACTION
 SOMETIMES NOT ABLE TO GET NEAR A BADGE
 PROJECT TIMEFRAME (SHORT DURATION)
 RFID ENABLED DOORS ARE BECOMING THE NORM FOR EMPLOYEES ACCESSING BUILDINGS
SKIM JOB - WHY? CONT.
 DIDN'T WANT TO DAMAGE THE READER WIRING
 BLEKEY / ESPKEY
 QUICK TO DEPLOY
 TRYING TO TAKE AN IDEA AND MAKE IT REAL
SKIM JOB. SO WHAT IS IT?
 100% STANDALONE DEPLOYABLE TOOL
 SMART OR SOMEWHAT I GUESS
 EQUIPMENT INCLUDES:
 PROXMARK3
 VOLTAGE CONTROLLED USB HUB
 RASPBERRY PI ZERO WIRELESS
 CUSTOM WOUND ANTENNA
 POLYCASE ENCLOSURE
 HAND MADE USB CABLES
SKIM JOB - SMART?
 HOW IS THIS TOOL SMART?
 OVERLAYING AN RFID READER ON TOP OF AN RFID READER DOESN'T WORK
 CAN WE CUT POWER ON THE FLY?
 VOLTAGE CONTROLLED USB HUB (THANK YOU SWITCHDOC LABS)
 REMOTELY CONTROL THE DEVICE
 WIFI NETWORK - INITIAL ACCESS
 WEB SERVER - PROJECT EXECUTION / LOG VIEWER / RFID SIMULATOR
SKIM JOB - FORM ITERATIONS
 RASPBERRY PI ZERO WITHOUT WIFI
 NEEDED A SEPARATE USB ADAPTER
 RASPBERRY PI ZERO WITH A WIFI HAT
 RASPBERRY PI ZERO WIRELESS (CURRENT)
SKIM JOB - EQUIPMENT
 RASPBERRY PI ZERO WIRELESS
 THE BRAINS
 TONS OF CAPABILITIES FOR FUTURE IMPLEMENTATION
 PROXMARK3 RDV2 KIT
 RFID READER
 EASY INTERFACE
 DETACHABLE ANTENNA
SKIM JOB - EQUIPMENT
 SWITCHDOC USB POWERCONTROL BOARD
 CUT THE POWER REMOTELY VIA VOLTAGE SIGNAL
 LIPO BATTERY
 GIVE ME SOME JUICE!
 ADAFRUIT POWERBOOST
 SUPPLY THE JUICE
 POLYCASE COVER
 CONCEAL THE COMPONENTS
SKIM JOB - COST
 RASPBERRY PI ZERO W - $10.00
 PROXMARK3 RDV2 - $115.00
 SWITCHDOC POWERCONTROL USB BOARD - $15.99
 ADAFRUIT POWERBOOST - $9.95
 LIPO BATTERY - $14.95
 POLYCASE - $10.31
 MISC ITEMS (USB CONNECTORS / CABLES) - $15.00
 TOTAL: $191.20
SKIM JOB - PUTTING IT TOGETHER
 LOW FREQUENCY ANTENNA CREATION
 CREATED A NAIL SQUARE THE SIZE OF THE POLYCASE COVER
 UTILIZED PROXMARK3 TO TUNE THE ANTENNA
SKIM JOB - HOW IT WORKS
The Schematics
SKIM JOB - HOW DOES IT WORK?
 RASPBERRY PI ZERO - THE BRAIN
 CONTROLLER OF ALL THE THINGS
 WIFI NETWORK
 PYTHON SCRIPT
 PROXMARK3 - THE READER
 RFID MAGIC
 SWITCHDOC USB POWERCONTROL BOARD - SWITCHABLE POWER
 CUTS POWER THROUGH VOLTAGE OUTPUT
SKIM JOB - IN USE
SKIM JOB - VIDEO
 VIDEO
TROUBLES
 NOT A SOLDERING EXPERT ($50 MISTAKE)
 RESULTED IN A BROKEN USB HUB
 PAD BEING RIPPED OFF OF BOARD
 NEEDED TO CREATE MULTIPLE SHORTENED USB CABLES
 CONDENSING THE ENTIRE PROJECT
 SLIMMING ALL OF THE ELECTRONICS
TROUBLES CONT.
 TIME
 WAS PUT ON THE BACK BURNER FOR MULTIPLE YEARS
 LIFE, FAMILY, OTHER HOBBIES
 IDENTIFYING CASES TO USE
 3D PRINT?
FUTURE WORK
 CONDENSE
 MAKE EVERYTHING SMALLER
 FASTER BRAIN
 RASPBERRY PI ALTERNATIVES
 RFID MODULES
 MORE CONVINCING COVER
 OPEN FOR IDEAS!
FUTURE WORK CONT.
 LED LIGHTS
 SIMULATE A REAL RFID READER
 WEB SERVER
 CENTRAL COMMAND CENTER
 CURRENTLY IN PROGRESS
SUGGESTIONS
 ANY SUGGESTIONS / QUESTIONS / FEEDBACK
 PLEASE REACH OUT!
 HACKERS HELPING HACKERS
 EVERYTHING TALKED ABOUT IS AVAILABLE VIA GITHUB
SHOUTOUTS
 @W3S.H4RD3N
 @OCTETSTREAM
 DONQUIXOTE
 SLEESTAKOVERFLOW
 WHITE OAK SECURITY GROUP
THANKS!
 CONTACT:
 BRETT DEWALL
 BRETT.DEWALL@WHITEOAKSECURITY.COM
 @XBADBIDDYX
 LINKEDIN
 HTTPS://WWW.LINKEDIN.COM/IN/BRETT-DEWALL-912A8139
 GITHUB
 HTTPS://GITHUB.COM/WHITEOAKSECURITY/SKIMJOB
QUESTIONS
?
REFERENCES
 HTTPS://PROXMARK.COM/
 HTTPS://RESOURCES.BISHOPFOX.COM/RESOURCES/TOOLS/RFID-HACKING/ATTACK-TOOLS/
 HTTPS://FRITZING.ORG/
 A BEACON ANALYSIS-BASED RFID READER ANTI-COLLISION PROTOCOL FOR DENSE READER ENVIRONMENTS
 ALI ASSARIAN, AHMAD KHADEMZADEH, MEHDI HOSSEINZADEH, SAEED SETAYESHI
 HTTPS://PASSIVE-COMPONENTS.EU/WHAT-IS-RFID-HOW-RFID-WORKS-RFID-EXPLAINED-IN-DETAIL/
