[11] Real world ESPKey Attacks

  • Published 14 Feb 2020
  • Today we are going to use the ESP Key to read and replay a credential on a card reader.
    Purchase the ESP Key here:
    redteamtools.com/electronic-a...
    Purchase the Punch Down tool here:
    redteamtools.com/avx-9176-1-4...

Comments • 68

  • @PocketWomen 4 years ago +11

    That was very interesting. Thanks for this video, I've not had any experience with electronics, I just learnt a lot, cheers

  • @Madlintelf 4 years ago +22

    And now I'm thinking about all the RFID readers we use to protect entry into our multi million dollar data centers and saying oh boy we might need to rethink this. The only saving grace is that we have HD PTZ cameras trained on all of them so at least we can catch someone trying to install the ESP key. Nice vid, and always very informative!

    • @jwrm22 4 years ago +2

      This tool is there to demonstrate a theoretical attack.
      Adding alarm systems or cameras is unlikely to be a solution. Proper solutions: using more secure cards, 2FA, or just wiring a tamper switch.

    • @jwrm22 4 years ago +1

      @@amihirata Agreed: Let's write software better. Let's train our people better. :)

    • @KateGrayCode 3 years ago +1

      OSDP lets you encrypt the communication between the reader and the controller, which renders this moot.

    • @adammorris8112 3 years ago +2

      Most rfid readers have a tamper switch inside which should be connected to an alarm at the controller. Usually it is not wired up.
      In this case though it doesn't look like he opens the rfid pad at all, so the tamper switch would not have been tripped.

    • @PFCAutostart 2 years ago

      @@adammorris8112 I believe, since he showed the j-box open at the beginning of the video, he had just not shown taking the reader apart. Most readers are secured from the inside of the card reader.

  • @danielroglich3309 4 years ago

    Awesome content . Very Cool!

  • @azfh777 a year ago +1

    Thank you for this! What can the ESP Key do against high frequency/13.56 MHz readers? Would it be able to pick up the transfer of encryption keys back and forth between the RFID tag and reader such that you could emulate the key later on?

  • @JohnnyQuickdeath 4 years ago +4

    Did you have to practice for that perfect YouTube voice?

  • @eliromesburg3700 4 years ago +4

    Thanks, I have 2 guys who just moved into an apartment and it only has RFID on it, I wanna show them this.

  • @PFCAutostart 2 years ago

    Wow, you don't even have to bust the beanies or cut the wire. That's slick.

  • @Shadow-xe7rl 2 years ago

    So it's called an AVX Wire-To-Board wire insulator connector. And the other screw-down ESP RFID tools use GPIO pins; do they make the AVX Wire-To-Board Connectors with GPIO pins?

  • @lhzav 4 years ago

    Thanks for this video! What wire punch do you recommend?

    • @PhilipAnderson 3 years ago

      If you are interested in punching down low voltage wiring, just get the Fluke punch down tool with both the 66 and 110 blades.

    • @lhzav 3 years ago

      @@PhilipAnderson Philip, despite being 10 months later I really appreciate your response. Fluke Networks has expensive tools, could I achieve the same results with a cheaper tool? Merry Christmas

    • @PhilipAnderson 3 years ago +1

      Another choice: www.homedepot.com/b/Electrical-Electronics-WiFi-Networking-Devices-Network-Cable-Testers/Klein-Tools/N-5yc1vZc33nZ3xg?storeSelection=

  • @kevenquinlan 3 years ago +2

    Hey dude. I think you should make a video of ESP vs BLE. As far as I could tell from what I've read they perform essentially the same task, except one uses Wi-Fi and the other uses Bluetooth and has its own power source. I have 1 question though: let's say the Wi-Fi that's available is open but requires some kind of confirmation, as all Wi-Fi does on a guest network. Would the ESP be able to get onto the network? I know you can operate it without it being able to use Wi-Fi, but it's a bigger pain in the ass, which would have me leaning towards BLE, as it doesn't require Wi-Fi. Thanks.
    Also, though I like the RRT website, HW sells it for 30; that's a bit of a mark-up dude, though I'm a big fan of yours and Olum's.

    • @amihirata 3 years ago +1

      The BLEKey is completely inferior and unusable in all practical applications for two reasons:
      1. Size, it's noticeably larger than the ESPKey and as a result it can't fit behind a lot of readers
      2. It doesn't have punch-down connectors, meaning you need splice clamps which take up a lot of room, again kneecapping you when trying to fit everything behind the reader.
      The ESPKey is in all practical aspects the only legitimate solution, 10 out of 10 times I'd go with the ESPKey over the BLEKey

    • @kennym2977 2 years ago +1

      @@amihirata BLEKey does use the same IDC punch-down connectors as the ESPKey. I actually got the part number from the BLEKey docs when I was designing the ESPKey. (Thanks Eric and Mark!)
      As for getting the ESPKey through a captive portal, that would be a hassle. However, the default mode of the ESPKey is for it to provide an access point that you connect to with your phone or other device. No need to use the local WiFi. Another configuration option is to set your phone as a hotspot and configure the ESPKey to connect to you.
      In my mind, the most significant difference between BLEKey and ESPKey is the user interface. The web interface served by the ESPKey is awfully convenient. And the larger logging capacity is nice too.

  • @Itzzjayy 8 months ago

    This works on credit cards?

  • @matthewschutz1499 a year ago

    What happened to video 12? That’s what I was really searching for.

  • @FrankRoosevelt32 2 years ago +3

    I mean this is definitely how the ESP key works and you can use it to read the data off cards that have swiped on the system. But you didn’t really show us that the white key didn’t already work to begin with. Gotta turn the handle haha.

  • @Jason-33W 2 years ago +1

    How do you write the raw data to a Proxmark3?
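
    The question above, and the later ones about getting a captured credential onto a new card, come down to decoding what the sniffer logged. What follows is an added example, not ESPKey firmware, not Proxmark3 code and not the video author's material: a small Python decoder/encoder for the 26-bit Wiegand frame in the common HID H10301 layout (leading even-parity bit, 8-bit facility code, 16-bit card number, trailing odd-parity bit). It checks both parity bits, so a glitched capture is rejected rather than cloned. The log-line shape `<seconds> <hex>:<bitcount>`, and every sample value, are constructed for this example and are assumptions, not the ESPKey's documented output.

```python
"""Decode and re-encode 26-bit Wiegand (HID H10301 layout) frames.

Added example for this thread; not ESPKey or Proxmark3 code.
ASSUMPTION: the sniffer logs one frame per line as "<seconds> <hex>:<bitcount>".
All sample data below is constructed.
"""
from typing import List, Optional, Tuple


def _parity(value: int) -> int:
    """Return 1 if `value` has an odd number of set bits, else 0."""
    return bin(value).count("1") & 1


def wiegand26_encode(facility: int, card: int) -> int:
    """Build a 26-bit frame: E | FC(8) | CN(16) | O, MSB first."""
    if not 0 <= facility < 256 or not 0 <= card < 65536:
        raise ValueError("facility must fit in 8 bits, card number in 16 bits")
    payload = (facility << 16) | card              # the 24 data bits
    even = _parity(payload >> 12)                  # leading bit: even parity over first 12 data bits
    odd = _parity(payload & 0xFFF) ^ 1             # trailing bit: odd parity over last 12 data bits
    return (even << 25) | (payload << 1) | odd


def wiegand26_decode(raw: int, bits: int = 26) -> Tuple[int, int]:
    """Return (facility, card) from a 26-bit frame, rejecting parity errors."""
    if bits != 26 or raw >> 26:
        raise ValueError("only 26-bit frames are handled here")
    even = raw >> 25
    odd = raw & 1
    payload = (raw >> 1) & 0xFFFFFF
    if _parity(payload >> 12) != even:
        raise ValueError("even parity check failed (corrupted capture?)")
    if _parity(payload & 0xFFF) ^ 1 != odd:
        raise ValueError("odd parity check failed (corrupted capture?)")
    return payload >> 16, payload & 0xFFFF


def parse_log_line(line: str) -> Tuple[int, int]:
    """Parse one assumed sniffer log line into (facility, card)."""
    _timestamp, frame = line.split()
    hexdata, bitcount = frame.split(":")
    return wiegand26_decode(int(hexdata, 16), int(bitcount))


def decode_log(lines: List[str]) -> List[Optional[Tuple[int, int]]]:
    """Decode every line; None marks frames that fail length or parity checks."""
    out: List[Optional[Tuple[int, int]]] = []
    for line in lines:
        try:
            out.append(parse_log_line(line))
        except ValueError:
            out.append(None)
    return out


# Constructed sample log: a valid FC 123 / CN 45678 read, the same frame with
# its trailing parity bit flipped, and a 35-bit frame this decoder does not cover.
SAMPLE_LOG = [
    "12 2f764dd:26",
    "19 2f764dc:26",
    "25 1234567ab:35",
]

if __name__ == "__main__":
    for line, result in zip(SAMPLE_LOG, decode_log(SAMPLE_LOG)):
        print(f"{line:20s} -> {result}")
    # The (facility, card) pair is what a card-cloning tool is fed; writing it
    # to a specific device (e.g. a Proxmark3) is outside this example.
```

    The decoded facility code and card number are the two values any cloning tool asks for; the replay itself is what the ESPKey already does on the wire, so the parity check is the part worth keeping when moving a capture off the device.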

  • @squidygoo6613 3 years ago

    The ESP Key colors remind me of the USB protocol. Can it sniff USB traffic, i.e. a keyboard?

    • @amihirata 3 years ago

      I do not believe it has that capability

  • @user-wb5fq7lw6y 29 days ago

    How do you extract data from the ESP32 and write it to a new card? Can't find the video.

  • @aric1666 3 years ago

    Hey, I just purchased an ESP Key and it looks like I need to connect the terminals that you punch down the wires into. Did I just get the wrong type, or is there something to go along with it that I need to buy?

    • @amihirata 3 years ago +1

      Where did you purchase yours from? If it’s the one from hacker warehouse it does not have insulation displacement connectors, and you will have to manually splice it into the line with splice connections

    • @aric1666 3 years ago

      @@amihirata So it'll work, however it will be a lot more tedious and less inconspicuous. Oh well, guess I should just buy the one off of Red Team Alliance. Are you aware of something I can splice on and then use the punch-down tool for more efficiency?

    • @amihirata 3 years ago +2

      Wire splice connectors. That said they are usually pretty big, almost the same size as the ESPkey and it’s hard to get four of them and the ESPkey to fit back into the wall once you have it all hooked up

  • @BD90.. 4 years ago +1

    LPL must have been inspired by this video on his recent video.

  • @burada3429 4 years ago +1

    LPL posted a similar video, make him mention you in the description

  • @eightbitoni 2 years ago

    I know that is a HiLetgo ESP8266 Serial WIFI Wireless Module ESP-07 Wireless Module, but what was added to that board? I would love to know if possible so I can make one for myself.

    • @nyetloki 2 years ago

      The insulation displacement connector seems to be the only real change.

  • @TheBlancoProductionz a year ago

    Hey, you never made the "next video" explaining how to duplicate the credentials off of the ESPKEY using the Proxmark. PLEASE HELP! That's where I'm stuck.

  • @user-tj9mg1dw8v 6 months ago

    How did you know what the IP address of the ESP Key was?

  • @jamespowell3056 5 months ago

    The ESP link shows up as 404 Error - Page not found.

  • @ethanbaylis5204 2 years ago +1

    Didn't realise they were so expensive

  • @josefactor a year ago

    So this is basically using a Wi-Fi signal, not Bluetooth? Why is it using an IP in the browser?

  • @mapleint997 2 years ago +2

    did you delete video 12?

    • @MartinGsl 2 years ago

      Yeah, what happened to it?

  • @wardogdauwdd3020 a year ago

    Where is episode 12?

  • @17juvii 2 years ago

    Esp key for sale?

  • @surplusdriller1 2 years ago

    Its hardware and code are on git

  • @ytgadfly 2 years ago

    Where in the real world are you just going to get access to a card reader with no camera monitoring it? Nice devices, but only a company with terrible security wouldn't notice it being installed.

    • @amihirata 2 years ago +1

      The fact that I’ve installed a lot of these tools while under a surveillance camera and never once was intercepted would beg to differ lol

  • @joeb3300 3 years ago

    I see that the ESP Key can't be operated at more than 18VDC. My ProxPro can operate up to 28V, and can operate with power polarity switched. It sounds like running the ProxPro hot and reversing polarity would be a pretty decent defense against credential capture using this 'man-in-the-middle' technique.

    • @kennym2977 2 years ago +2

      Running 28V reverse polarity would almost certainly fry an ESPKey, but it would not defend against the MITM technique. Coming back the next day with a DC buck converter and fresh ESPKey would make it clear that the actual problem here is the communication protocol.

    • @nyetloki 2 years ago

      Yeah all you'd need is a voltage divider for the signal and either a few diodes for a full bridge rectifier & wider range regulator, or just power it off a battery.

    • @joeb3300 2 years ago

      @@nyetloki YES, IF you knew that the voltage was off spec. But if you simply punched it down onto the wires you would fry it. Do you think that these folks bring a voltmeter to the job?

    • @nyetloki 2 years ago +1

      @@joeb3300 do you think these people don't research their targets beforehand?

  • @bluegizmo1983 3 years ago +1

    That is a cool device, but it is WAY over priced. It's literally $5 worth of parts (I'm sure even cheaper when parts are purchased in bulk), and a little bit of modified open source code.

    • @amihirata 3 years ago

      That depends on how willing you are to DIY it. For me I'd rather just buy them rather than make them. $80 per ESPKey is a drop in the bucket for a red team operation.

    • @bluegizmo1983 3 years ago

      @@amihirata Yeah, that's true. I guess too if the maker of this device is only doing small batches and having to hand solder all of them (I don't know if that's the case, but it's possible), then the price is more understandable.

    • @adammorris8112 3 years ago

      @@amihirata presumably the esp key is retrieved later, or if not then would be charged as part of the engagement costs (or both)

    • @amihirata 3 years ago +3

      You’d always want to recoup your ESPKeys, not just for the sake of keeping them but also so that you aren’t leaving any exposed access points

    • @nyetloki 2 years ago

      @@amihirata should be easy enough to add a self-destruct setting or timer so that no access point is left running. Or only have it turn on for a few minutes a day at prescheduled times.