Virtual Hands-On Hacking for NFC/RFID

$2,299.00

Duration

2 days

Delivery Method

virtual

Level

beginner

Seats Available

20


REGISTRATION CLOSED

Please contact hitbsectrain@hitb.org if you’d like to attend this training


This 2-day NFC/RFID course is part of a 4-day BLE & NFC/RFID course.


– To join the 2-day BLE course instead, click here.
– To join both BLE and NFC/RFID with a combo discount for 4 days, click here.
– To join only this 2-day NFC/RFID class, read further below.
– Want to attend this class virtually instead in early June? Sign up here

DATE: 11-12 May 2022

TIME: 09:00 to 17:00 CEST/GMT+2

Date    Day        Time                     Duration
11 May  Wednesday  09:00-17:00 CEST/GMT+2   8 Hours
12 May  Thursday   09:00-17:00 CEST/GMT+2   8 Hours

It is still surprisingly easy to clone many of the access control tags in use today.
RFID/NFC has been around for quite some time. However, many of the vulnerabilities pointed out years ago are unlikely to be resolved in the near future.

During this training’s practical hands-on exercises, we will clone, crack, simulate and brute-force both “Low Frequency” 125 kHz RFID (EM, HID Prox, …) and “High Frequency” 13.56 MHz (Mifare, iClass, DESFire, ISO15693, …) tags, using dedicated hardware (trainees get to keep it!) or, in some cases, just a typical smartphone. We will examine and attack the communication between the reader and the access controller. We will also exploit reader vulnerabilities that allow unlocking without a valid card, reverse-engineer a sample hotel system and create an “emergency” card that unconditionally unlocks all the doors in the facility, having nothing more than a guest card and a phone.

The training aims not only to raise awareness of the weaknesses of legacy systems, but also to provide solid insight into current technologies that are regarded as more secure. We will abuse implementation flaws and perform remote relay and downgrade attacks on both the latest HID SEOS and DESFire access control installations. Attendees will also learn how to approach modern contactless smart cards and analyse currently trending mobile access control systems (phone acting as an NFC tag), based among others on real vulnerabilities of a sample system.

Each student will receive
  • Course materials – about 1000 pages, step by step instructions for hands-on exercises.
  • All required additional files: source code, documentation, installation binaries, virtual machine images.
  • Included hardware pack for hands-on exercises, consisting of Proxmark 3 with latest firmware, various sample tags (including “magic” ones), NFC PN532 board.
  • Don’t have an Android phone? Sign up for both 2-day trainings (click here), and we’ll hook you up with an Android phone with Bluetooth 4 and NFC support!

Agenda
Day 1

1. Short introduction
a) RFID/NFC – where do I start?
b) Frequencies, card types, usage scenarios.
c) How to recognize card type – quick walkthrough.
d) Equipment, and what can you do with it – mobile phone, card reader, simple boards, Chameleon Mini, Proxmark, other hardware.

2. UID-based access control
a) Introduction – simple, still surprisingly common technologies
b) Communication between a reader and tag.
c) What is stored on the tag?
d) Low Frequency EM410X (“unique”), HID Prox, …, High Frequency Mifare UID
e) Cloning card’s UID – cloners, Proxmark, Chameleon, mobile phone, …
f) Simulating (Proxmark, Chameleon, mobile phone,…), brute-forcing.
g) Interpreting markings on the tag, decoding UID from the picture.
h) Sample vulnerability of a simple access control reader that allows unlocking it without a valid card.
i) Countermeasures against attacks

3. Wiegand – typical transmission between the reader and access controller
a) Theory introduction, signal DATA0, DATA1
b) Wiegand sniffers, implants, transmitters – hardware, open source software
c) Decoding card UID from sniffed bytes, clone the card
d) Replay card data on the wire to open lock
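The 26-bit Wiegand frame (the common “H10301” layout) is what most of the readers in section 3 push over DATA0/DATA1 to the controller, and it is the format a sniffer decodes and a transmitter replays. The following is an added example, not course material: it turns a list of sniffed DATA0/DATA1 pulses into bits, checks both parity bits, extracts facility code and card number, and builds a frame for replay. The pulse capture and the card numbers are constructed for illustration.

```python
"""26-bit Wiegand (the common "H10301" layout): decode, parity check, encode.

Added example, not course material. The pulse capture below is constructed.

Frame, MSB first:
  bit 0      : even parity over bits 1..12
  bits 1..8  : facility code (8 bits)
  bits 9..24 : card number (16 bits)
  bit 25     : odd parity over bits 13..24
On the wire each bit is a short low pulse on one of two lines:
a pulse on DATA0 means 0, a pulse on DATA1 means 1.
"""


def bits_from_pulses(pulses):
    """Turn a sniffed sequence of line names ('D0' / 'D1') into a bit string."""
    table = {"D0": "0", "D1": "1"}
    try:
        return "".join(table[p] for p in pulses)
    except KeyError as exc:
        raise ValueError(f"unknown line {exc}") from None


def decode_wiegand26(bits):
    """Return facility code and card number; raise ValueError on bad length or parity."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 bits of '0'/'1'")
    ep, payload, op = int(bits[0]), bits[1:25], int(bits[25])
    left, right = payload[:12], payload[12:]
    if left.count("1") % 2 != ep:
        raise ValueError("even parity mismatch over bits 0..12")
    if (right.count("1") + op) % 2 != 1:
        raise ValueError("odd parity mismatch over bits 13..25")
    return {"facility_code": int(payload[:8], 2), "card_number": int(payload[8:], 2)}


def encode_wiegand26(facility_code, card_number):
    """Build the frame a transmitter would replay on the wire for a given FC / CN."""
    if not 0 <= facility_code < 256 or not 0 <= card_number < 65536:
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    payload = f"{facility_code:08b}{card_number:016b}"
    ep = payload[:12].count("1") % 2        # makes the left half even
    op = 1 - payload[12:].count("1") % 2    # makes the right half odd
    return f"{ep}{payload}{op}"


if __name__ == "__main__":
    # Constructed capture: what a sniffer on DATA0/DATA1 would log for FC 0, CN 1.
    capture = ["D0"] * 24 + ["D1", "D0"]
    frame = bits_from_pulses(capture)
    print(frame, decode_wiegand26(frame))
    print("replay frame for FC 123 / CN 45678:", encode_wiegand26(123, 45678))
```

The parity bits are the only integrity the line protocol has: there is no authentication between reader and controller, so a frame sniffed once (or built from a facility code and card number read off the card) is accepted by the controller exactly like the original card. Longer formats (34, 35, 37 bits) change the field widths and parity spans but not this property.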

4. Mifare Ultralight, NTAG
a) Data structure.
b) Reading, cloning, emulating.
c) Example data stored on a hotel guest card.
d) Ultralight EV1, C.

5. Mifare Classic & its weaknesses – practical exercises based on hotel door lock system, ski lift card, bus ticket
a) Mifare Classic – data structure, access control, keys, encryption.
b) Default, leaked keys.
c) Reading and cloning card data using just a mobile phone.
d) Cracking keys using various attacks and tools (Proxmark, libnfc, Chameleon).
e) Attacks on EV1 “hardened” Mifare Classic.
f) Online attacks against the reader.
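Section 5a (data structure, access control, keys) and 5b (default keys) come together in the sector trailer: six bytes of key A, three bytes of access bits with inverted copies, a spare byte, six bytes of key B. The following is an added example, not course material: it parses a trailer, verifies the inverted copies, maps the C1/C2/C3 bits of each block to read/write permissions, and flags the configuration mistakes a pentester looks for first (well-known default keys, key B readable with key A, trailer rewritable with key A). The default-key list is a small subset of the lists shipped with tools such as mfoc and MifareClassicTool, and the two sample trailers are constructed.

```python
"""Audit a MIFARE Classic sector trailer: keys, access bits and common pitfalls.

Added example, not course material; the sample trailers below are constructed.

Trailer layout (16 bytes): key A (6) | access bits (3) | user byte (1) | key B (6).
Access bits are three 4-bit fields C1, C2, C3; bit i of each field belongs to
block i of a 1K sector (block 3 is the trailer itself). On the 16-block sectors
of a 4K card, bits 0..2 each cover a group of five data blocks instead.
Byte 6 and the low nibble of byte 7 carry bit-inverted copies used as a check.
"""

# Subset of the well-known factory/default keys tried by mfoc / MifareClassicTool.
DEFAULT_KEYS = {
    bytes.fromhex(k) for k in (
        "FFFFFFFFFFFF", "000000000000", "A0A1A2A3A4A5", "B0B1B2B3B4B5",
        "D3F7D3F7D3F7", "4D3A99C351DD", "1A982C7E459A", "AABBCCDDEEFF",
    )
}

# (C1, C2, C3) -> (read, write) for a data block; "AB" = key A or key B, "-" = never.
DATA_ACCESS = {
    (0, 0, 0): ("AB", "AB"), (0, 1, 0): ("AB", "-"), (1, 0, 0): ("AB", "B"),
    (1, 1, 0): ("AB", "B"),  (0, 0, 1): ("AB", "-"), (0, 1, 1): ("B", "B"),
    (1, 0, 1): ("B", "-"),   (1, 1, 1): ("-", "-"),
}
# (C1, C2, C3) -> (key A write, access bits write, key B read, key B write).
TRAILER_ACCESS = {
    (0, 0, 0): ("A", "-", "A", "A"), (0, 1, 0): ("-", "-", "A", "-"),
    (1, 0, 0): ("B", "-", "-", "B"), (1, 1, 0): ("-", "-", "-", "-"),
    (0, 0, 1): ("A", "A", "A", "A"), (0, 1, 1): ("B", "B", "-", "B"),
    (1, 0, 1): ("-", "B", "-", "-"), (1, 1, 1): ("-", "-", "-", "-"),
}


def decode_access_bits(b6, b7, b8):
    """Return [(C1, C2, C3)] for blocks 0..3, verifying the inverted copies."""
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    if (b6 >> 4) != (~c2 & 0x0F) or (b6 & 0x0F) != (~c1 & 0x0F) or (b7 & 0x0F) != (~c3 & 0x0F):
        raise ValueError("access bits corrupted: inverted copies do not match")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def audit_trailer(trailer):
    """Decode a 16-byte trailer and list the security-relevant findings."""
    if len(trailer) != 16:
        raise ValueError("a sector trailer is 16 bytes")
    key_a, key_b = trailer[:6], trailer[10:16]
    conds = decode_access_bits(trailer[6], trailer[7], trailer[8])
    ka_write, ab_write, kb_read, kb_write = TRAILER_ACCESS[conds[3]]
    findings = []
    if key_a in DEFAULT_KEYS:
        findings.append("key A is a well-known default key")
    if key_b in DEFAULT_KEYS:
        findings.append("key B is a well-known default key")
    if kb_read != "-":
        findings.append("key B is readable with key A: it is data, not a secret")
    if "A" in (ka_write, ab_write, kb_write):
        findings.append("trailer is writable with key A: a reader of the sector can change its keys")
    return {
        "key_a": key_a.hex(), "key_b": key_b.hex(),
        "blocks": [DATA_ACCESS[c] for c in conds[:3]],
        "trailer": (ka_write, ab_write, kb_read, kb_write),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed: factory "transport" trailer, as found on many never-personalised cards.
    transport = bytes.fromhex("FFFFFFFFFFFF" "FF078069" "FFFFFFFFFFFF")
    # Constructed: data readable with A, writable with B; only B may touch the trailer.
    hardened = bytes.fromhex("A1B2C3D4E5F6" "78778800" "0F1E2D3C4B5A")
    for t in (transport, hardened):
        print(audit_trailer(t))
```

The access-bit check matters in practice: a card returns a sector with inconsistent inverted copies as blocked, and a cloner writing a dump onto a “magic” card with a malformed trailer bricks that sector. The findings are about configuration only; a sector with non-default keys and sane access bits is still exposed to the key-recovery attacks of 5d and 5e, which is the reason Mifare Classic belongs in the “legacy” group.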

Day 2

6. Reverse-engineering data stored on a sample hotel system guest card
a) Decoding access control data (room number, date) stored on the hotel guest card.
b) Creating hotel “emergency card” to open all the hotel doors unconditionally, having only sample guest card.

7. Mifare DESFire
a) Introduction, data format, access modes.
b) Creating sample tag for DESFire access control system.
c) Publicly known attacks (misconfiguration, implementation issues) in smart locks, access control, ticketing systems.

8. ISO15693/iCode
a) Cloning ISO15693 UID on a “magic UID” card, unlocking smart lock.
b) Data of several example ski passes.

9. HID iClass
a) Cloning “legacy” / “standard security” iClass.
b) Attacks on iClass Elite.
c) Downgrade attacks.

10. Remote relay attacks against NFC/ISO14443
a) Introduction: research, tools, possibilities and limitations.
b) Practical remote relay of iClass SEOS and DESFire access control.

11. Sample Hitag2 access control – sniffing password mode, simulating tags

12. Host Card Emulation – smartphone as NFC tag
a) Hardware Secure Element vs software Host Card Emulation
b) Protocols, commands, applications – ISO14443-4, 7816-4, APDU, AID, …
c) Example vulnerable HCE access control system (unlocking door using your NFC phone) – sample vulnerabilities.
d) NFC communication analysis: sniffing using Proxmark, dumping on the phone.
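Section 12b lists the layers a phone-as-tag system runs on: ISO 14443-4 carries ISO 7816-4 APDUs, the reader first sends SELECT by AID, and the platform routes that AID to the HCE service that answers. The following is an added example, not course material: it builds and parses command APDUs (cases 1 to 4, short form), splits responses into data and status word, and models a minimal HCE-style applet that handles SELECT and one custom instruction. The AID, the 0xCA “get credential” instruction and the applet’s behaviour are hypothetical stand-ins, not those of any real system or of the course’s sample system; the bytes are constructed for illustration.

```python
"""ISO 7816-4 APDUs as exchanged between a reader and a phone in Host Card Emulation.

Added example, not course material. The AID, the 0xCA instruction and the applet
behaviour are hypothetical; the sample bytes are constructed.

Command APDU (short form): CLA INS P1 P2 [Lc data] [Le]
Response APDU:             [data] SW1 SW2
After ISO 14443-4 activation the reader sends SELECT by AID
(00 A4 04 00 Lc <AID> 00); on Android the registered HostApduService for that
AID then receives every following APDU in processCommandApdu().
"""

SW_OK = b"\x90\x00"
SW_WRONG_LENGTH = b"\x67\x00"
SW_CONDITIONS_NOT_SATISFIED = b"\x69\x85"
SW_FILE_NOT_FOUND = b"\x6a\x82"
SW_INS_NOT_SUPPORTED = b"\x6d\x00"
SW_CLA_NOT_SUPPORTED = b"\x6e\x00"


def build_select_aid(aid):
    """SELECT by DF name (P1=04): what a reader sends to pick the applet."""
    if not 5 <= len(aid) <= 16:
        raise ValueError("an AID is 5..16 bytes")
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid + b"\x00"


def parse_capdu(raw):
    """Split a short-form command APDU into header, data and Le (None if absent)."""
    if len(raw) < 4:
        raise ValueError("APDU header needs 4 bytes")
    cla, ins, p1, p2 = raw[:4]
    body, data, le = raw[4:], b"", None
    if len(body) == 1:                      # case 2: Le only (00 means 256)
        le = body[0] or 256
    elif len(body) > 1:
        lc = body[0]
        if len(body) == 1 + lc:             # case 3: Lc + data
            data = body[1:]
        elif len(body) == 2 + lc:           # case 4: Lc + data + Le
            data, le = body[1:1 + lc], body[-1] or 256
        else:
            raise ValueError("Lc does not match APDU length")
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data, "le": le}


def split_rapdu(raw):
    """Return (data, status word) from a response APDU."""
    if len(raw) < 2:
        raise ValueError("response needs at least SW1 SW2")
    return raw[:-2], int.from_bytes(raw[-2:], "big")


class HceApplet:
    """Minimal HCE-style service: SELECT, then a hypothetical INS 0xCA returning a credential."""

    INS_SELECT, INS_GET_CREDENTIAL = 0xA4, 0xCA

    def __init__(self, aid, credential):
        self.aid, self.credential, self.selected = aid, credential, False

    def process(self, raw):
        try:
            apdu = parse_capdu(raw)
        except ValueError:
            return SW_WRONG_LENGTH
        if apdu["cla"] not in (0x00, 0x80):
            return SW_CLA_NOT_SUPPORTED
        if apdu["ins"] == self.INS_SELECT and apdu["p1"] == 0x04:
            self.selected = apdu["data"] == self.aid
            return SW_OK if self.selected else SW_FILE_NOT_FOUND
        if not self.selected:
            return SW_CONDITIONS_NOT_SATISFIED
        if apdu["ins"] == self.INS_GET_CREDENTIAL:
            return self.credential + SW_OK
        return SW_INS_NOT_SUPPORTED


if __name__ == "__main__":
    aid = bytes.fromhex("F0010203040506")        # constructed proprietary-range AID
    applet = HceApplet(aid, bytes.fromhex("0102"))
    for cmd in (build_select_aid(aid), bytes.fromhex("80CA000000")):
        resp = applet.process(cmd)
        print(f"reader -> {cmd.hex()}   phone -> {resp.hex()}  {split_rapdu(resp)}")
```

Two things this models are what section 12c and 12d exercise: the exchange is fully visible to a Proxmark sniffing the field, and an applet that hands out a fixed credential to any reader that sends the right SELECT has turned the phone into the equivalent of a UID-only tag, readable or relayable by anyone who can bring an antenna near it. Whether the real system is better than that is exactly what the trace analysis has to establish.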

13. Intercepting card data from distance – antennas, possibilities and limits.

Why You Should Take This Course

Attendees will learn how to approach modern contactless smart cards and analyse currently trending mobile access control systems (phone acting as an NFC tag) – based among others on real vulnerabilities of a sample system.

Who Should Attend

  • Pentesters, red-teamers, security professionals, researchers.
  • Device designers, developers.
  • Anyone interested.

Key Learning Objectives

  • Solid understanding of NFC/RFID.
  • Ability to perform typical attacks in practice: cloning, cracking, remote relays.
  • Point out common implementation pitfalls in both legacy and modern systems.
  • Analyse the security of mobile access solutions.

Prerequisite Knowledge

  • Basic familiarity with the Linux command line; some pentesting experience will be helpful but not crucial.
  • No previous knowledge of NFC is required.

Hardware / Software Requirements

  • Laptop capable of running Kali Linux in a virtual machine (VirtualBox or VMware), with at least two USB ports available to the VM guest.
  • Android smartphone with NFC support (most current phones, with a few exceptions of incompatible devices: https://github.com/ikarus23/MifareClassicTool/blob/master/INCOMPATIBLE_DEVICES.md). Root access will be an advantage, but is not crucial.
  • Don’t have an Android phone? Sign up for both 2-day trainings (click here), and we’ll hook you up with an Android phone with Bluetooth 4 and NFC support!

Your Instructor

Trainer, speaker, pentester and IT security consultant with over 15 years of experience. Has participated in countless security assessments of systems and applications for leading financial companies, public institutions and cutting-edge tech startups. Holds an MSc in automation and robotics and has developed secure embedded systems certified for use by national agencies. Currently Slawomir researches the security of new technologies (especially Bluetooth Low Energy and NFC/RFID) and provides related trainings, based among others on electronic locks and access control systems (www.smartlockpicking.com). Besides research and training, he focuses on consulting and on designing secure solutions for various software and hardware projects during all phases, starting from scratch.

Previously gave talks, workshops or trainings at HackInTheBox Amsterdam, BlackHat USA, HITB Cyberweek, HackInParis, multiple AppSec EU, DeepSec, BruCON, Confidence, Devoxx and many other events.

Training score:

Instructor: 90%
Course material: 91%

“Well prepared training, due to the amount of tools and equipment also easy to continue at home.”

“Trainer did a good job in preparing all the labs. Really gorgeous.”

“The best thing with this course is the instructor and our ability to do all exercise back at home.”

“Great instructor, well maintained materials had a lot of experience.”

“I am amazed how well everything is prepared.”

“Great instructor, lots of information, topics and exercise to practise at home.”