Overview
Proxmark3 is a comprehensive RFID and NFC research platform designed for reading, analyzing, cloning, and emulating proximity cards and contactless smart cards. Used in legitimate security research and penetration testing, it provides complete control over high-frequency (HF) and low-frequency (LF) RFID systems. The Proxmark3 enables security professionals to identify vulnerabilities in access control systems and physical security infrastructure.
Hardware Setup
Required Equipment
- Proxmark3 RDV4 or compatible device
- USB 2.0 cable (Type A to Micro-B)
- Computer with Linux/Windows/macOS
- Antenna (included with device)
Device Connection
# Connect Proxmark3 via USB
lsusb | grep Proxmark
# Check serial port
ls -la /dev/ttyACM*
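# Set permissions (temporary and world-writable; resets when the device is re-plugged.
# Adding your user to the dialout group, shown under Troubleshooting, is the persistent fix)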
sudo chmod 666 /dev/ttyACM0
Installation and Setup
Linux Installation
# Clone repository
git clone https://github.com/RfidResearchGroup/proxmark3.git
cd proxmark3
# Install dependencies
sudo apt-get install -y build-essential git libreadline-dev libusb-0.1-4
# Build client
./install.sh
# Verify installation
proxmark3 --version
macOS Installation
# Install Homebrew dependencies
brew install libusb readline
# Clone and build
git clone https://github.com/RfidResearchGroup/proxmark3.git
cd proxmark3
make clean && make -j4
# Create alias
alias pm3='./client/proxmark3'
Windows Installation
# Download precompiled binary from GitHub
# Or build with MinGW/MSYS2
# Verify installation
proxmark3.exe -p COM3 --version
Basic Syntax
| Command | Description |
|---|---|
| proxmark3 /dev/ttyACM0 | Connect to device |
| proxmark3 --help | Show help information |
| proxmark3 -p COM3 | Windows port specification |
| hw status | Check device status |
| quit | Exit Proxmark3 |
Low Frequency (LF) Operations
Connect and Check Status
# Connect to device
proxmark3 /dev/ttyACM0
# Check firmware and status
[proxmark3] hw status
# Verify tuning
[proxmark3] lf tune
LF Search and Detection
# Search for LF tags
[proxmark3] lf search
# Search with additional options
[proxmark3] lf search --125
# Search specific frequency
[proxmark3] lf search --lf
HID Card Operations
# Read HID card
[proxmark3] lf hid read
# Demod HID data
[proxmark3] lf hid demod
# Clone HID card
[proxmark3] lf hid clone --id 1234567890
# Emulate HID tag
[proxmark3] lf hid sim --id 1234567890
EM4100 Operations
# Read EM4100 tag
[proxmark3] lf em4x read
# Demod EM4100
[proxmark3] lf em 4x demod
# Clone EM4100 tag
[proxmark3] lf em 4x clone --hex 0123456789ABCDEF
# Simulate EM4100
[proxmark3] lf em 4x sim --hex 0123456789ABCDEF
| LF Command | Description |
|---|---|
| lf search | Scan for LF tags |
| lf hid | HID tag operations |
| lf em4x | EM4100 operations |
| lf t55xx | T55xx chip operations |
| lf indala | Indala tag operations |
| lf awid | AWID tag operations |
High Frequency (HF) Operations
HF Search and Detection
# Search for HF tags
[proxmark3] hf search
# Search with verbose output
[proxmark3] hf search -v
# Scan for specific tag types
[proxmark3] hf mf search
Mifare Classic Operations
# Read Mifare Classic card
[proxmark3] hf mf read
# Read with key brute force
[proxmark3] hf mf fread -f dumpfile.bin
# Write to Mifare card
[proxmark3] hf mf write -f data.bin -k 0xFF0000000000
# Dump card to file
[proxmark3] hf mf dump --1k
Mifare Ultralight Operations
# Read Mifare Ultralight
[proxmark3] hf mfu read
# Dump Ultralight card
[proxmark3] hf mfu dump -o ultralight.bin
# Write to Ultralight
[proxmark3] hf mfu write --magic -o output.bin -l 64
ISO14A Operations (Generic HF)
# Detect ISO14A cards
[proxmark3] hf 14a read
# Get card UID
[proxmark3] hf 14a uid
# Raw command exchange
[proxmark3] hf 14a apdu -s 00A4040007D2760000850101
# List known cards
[proxmark3] hf 14a list
| HF Command | Description |
|---|---|
| hf search | Scan for HF tags |
| hf mf | Mifare Classic operations |
| hf mfu | Mifare Ultralight operations |
| hf 14a | ISO14A generic operations |
| hf 15 | ISO15 operations |
| hf iclass | iClass card operations |
| hf legic | Legic card operations |
Advanced Operations
Sniffing and Analysis
# Sniff LF communication
[proxmark3] lf sniff
# Sniff HF communication
[proxmark3] hf sniff
# Record data
[proxmark3] hf 14a sniff -c -r recording.bin
# Replay captured data
[proxmark3] hf 14a sniff -l
Dictionary Attack (Mifare)
# Nested authentication attack
[proxmark3] hf mf hardnested --1k
# Dictionary crack with wordlist
[proxmark3] hf mf hardnested --nested --sector 0 -k 0xFF0000000000 --dict keys.txt
Card Emulation
# Emulate Mifare Classic
[proxmark3] hf mf eco -n 0 -u 04112233445566 --4k
# Emulate Mifare Ultralight
[proxmark3] hf mfu eload -i ultralight_dump.bin
# Activate emulation
[proxmark3] hf 14a sim -u 04112233445566
Scripting and Automation
# Create automation script
cat > proxmark_script.lua << 'EOF'
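-- Proxmark3 Lua script: read an ISO14443-A card and print its UID
local reader = require('read14a')
local result, err = reader.read14a(true)
-- The read returns nothing usable when no card is in the field
if not result then
    print("No card read: " .. tostring(err))
else
    print("Card UID: " .. result.uid)
end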
EOF
# Run script
[proxmark3] script run proxmark_script
Data Analysis
View Captured Data
# List captured frames
[proxmark3] hf list
# Display specific protocol
[proxmark3] hf list 14a
# Export data
[proxmark3] hf list -f output.txt
# Get detailed tag information
[proxmark3] hf 14a reader
# Full diagnostic
[proxmark3] trace list
# Analyze memory structure
[proxmark3] hf mf info
Convert and Export Data
# Dump card to a binary file
[proxmark3] hf mf dump -o carddata.bin
# View the binary dump as hex
hexdump -C carddata.bin
# Create clone data
[proxmark3] hf mf cload -i carddata.bin
Practical Scenarios
Card Reading Workflow
# 1. Connect to device
proxmark3 /dev/ttyACM0
# 2. Search for cards
[proxmark3] hf search
# 3. Read specific type (Mifare example)
[proxmark3] hf mf read
# 4. Dump to file
[proxmark3] hf mf dump -o read_card.bin
# 5. Exit
[proxmark3] quit
# View dumped data
hexdump -C read_card.bin
Card Cloning Workflow
# 1. Read source card
proxmark3 /dev/ttyACM0
[proxmark3] hf mf dump -o source.bin
# 2. Prepare writable card
# (Insert blank card or card in writable sector)
# 3. Write data to target
[proxmark3] hf mf cload -i source.bin
# 4. Verify clone
[proxmark3] hf mf dump -o target.bin
# 5. Compare
diff source.bin target.bin
Access Control Testing
# 1. Search for cards in environment
[proxmark3] hf search
# 2. Read badge
[proxmark3] hf mf read
# 3. Analyze security
[proxmark3] hf mf hardnested
# 4. Test vulnerability
[proxmark3] hf mf eco -n 0 -u <UID> --4k
# 5. Document findings
[proxmark3] hf mf dump -o access_badge.bin
Advanced Techniques
Brute Force Operations
# HID Brute Force
[proxmark3] lf hid brute
# With range
[proxmark3] lf hid brute -w 1234
# Slow brute force
[proxmark3] lf hid brute --generator H10301
Frequency Analysis
# Detect modulation
[proxmark3] data tune
# Analyze signal
[proxmark3] lf tune
# Check antenna impedance
[proxmark3] hw antenna
Raw Commands
# Send raw ISO14A command
[proxmark3] hf 14a raw --crc -a 00A4040007D2760000850101
# Custom bit sequence
[proxmark3] hf 14a sim --apdu
Troubleshooting
Device Connection Issues
# Check USB connection
lsusb | grep Proxmark
# Verify permissions
sudo usermod -a -G plugdev $USER
sudo usermod -a -G dialout $USER
# Reset device
proxmark3 /dev/ttyACM0
[proxmark3] hw reset
Card Reading Failures
# Test antenna
[proxmark3] lf tune
[proxmark3] hw antenna
# Adjust power
[proxmark3] hw power on
# Retry with different distance
# (Move card closer to antenna)
Firmware Issues
# Check firmware version
[proxmark3] hw version
# Update firmware
proxmark3 /dev/ttyACM0
[proxmark3] hw flashmem --file proxmark.elf
File Management
Data Files
# List command outputs
ls -la *.bin *.txt
# Backup captured data
cp *.bin backup/
# Archive session
tar -czf proxmark_session.tar.gz *.bin *.txt
Documentation
# Log session
[proxmark3] log c test.log
# Export findings
hexdump -C card.bin > card_hex.txt
# Create report
cat > assessment.txt << EOF
Card Type: Mifare Classic 1K
UID: 04112233445566
Sector 0 Key A: 0xFF0000000000
Status: Vulnerable to nested authentication
EOF
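To back the report above with evidence, this added Python example (not part of the original cheat sheet or the Proxmark3 project) audits a Mifare Classic 1K dump such as carddata.bin for sectors still on widely published default keys and for malformed access bits. It assumes a 1024-byte dump of a 4-byte-UID card with keys filled into the sector trailers; the key list, function names and sample dump are constructed for illustration.

```python
import sys

BLOCK, BLOCKS_PER_SECTOR, SECTORS = 16, 4, 16   # Mifare Classic 1K layout
# Widely published default keys; extend with your own list (assumption).
DEFAULT_KEYS = {"FFFFFFFFFFFF", "000000000000", "A0A1A2A3A4A5"}

def access_bits_valid(ab: bytes) -> bool:
    """Trailer bytes 6-8 hold C1..C3 plain and inverted; both must agree."""
    c1, c2, c3 = ab[1] >> 4, ab[2] & 0x0F, ab[2] >> 4
    return ((ab[0] & 0x0F) == (~c1 & 0x0F)
            and (ab[0] >> 4) == (~c2 & 0x0F)
            and (ab[1] & 0x0F) == (~c3 & 0x0F))

def audit_dump(dump: bytes) -> dict:
    """Return UID, BCC check and per-sector findings for a 1K dump."""
    if len(dump) != BLOCK * BLOCKS_PER_SECTOR * SECTORS:
        raise ValueError(f"expected a 1024-byte 1K dump, got {len(dump)} bytes")
    uid, bcc = dump[0:4], dump[4]           # assumes a 4-byte UID card
    findings = []
    for sector in range(SECTORS):
        off = (sector * BLOCKS_PER_SECTOR + 3) * BLOCK   # sector trailer block
        trailer = dump[off:off + BLOCK]
        keys = {"A": trailer[0:6], "B": trailer[10:16]}
        for name, key in keys.items():
            if key.hex().upper() in DEFAULT_KEYS:
                findings.append((sector, f"key {name} is a default key"))
        if not access_bits_valid(trailer[6:9]):
            findings.append((sector, "access bits fail the inverted-copy check"))
    return {"uid": uid.hex().upper(),
            "bcc_ok": bcc == uid[0] ^ uid[1] ^ uid[2] ^ uid[3],
            "findings": findings}

def make_sample_dump() -> bytes:
    """Constructed sample: sector 0 on default keys, the rest on a made-up key."""
    uid = bytes.fromhex("DEADBEEF")
    block0 = uid + bytes([uid[0] ^ uid[1] ^ uid[2] ^ uid[3]]) + bytes(11)
    access = bytes.fromhex("FF078069")      # factory access bits + user byte
    weak = bytes.fromhex("FFFFFFFFFFFF") + access + bytes.fromhex("FFFFFFFFFFFF")
    good = bytes.fromhex("112233445566") + access + bytes.fromhex("665544332211")
    return block0 + bytes(32) + weak + (bytes(48) + good) * 15

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_dump()
    report = audit_dump(data)
    print(f"UID {report['uid']}  BCC ok: {report['bcc_ok']}")
    for sector, msg in report["findings"]:
        print(f"sector {sector:2d}: {msg}")
```

Run it with a dump path as the only argument; with no argument it audits the constructed sample.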
Best Practices
- Authorization: Obtain explicit written authorization before testing
- Documentation: Record all findings and procedures
- Data Privacy: Secure all captured card data
- Non-Destructive: Test on authorized cards only
- Backup: Always backup original card data before cloning
- Safety: Keep device away from pacemakers and medical devices
- Compliance: Follow applicable laws and regulations
- Reporting: Document vulnerabilities found during assessment
Safety Considerations
- Device generates RF signals
- Operate in controlled environment
- Keep away from people with pacemakers
- Avoid operating near critical systems
- Ensure proper electrical safety
- Test only on authorized targets
- Maintain chain of custody for evidence
Related Tools
- NFC Tools — Mobile NFC reading and writing
- Chameleon Mini — Portable RFID emulator
- ACR122U — USB NFC reader/writer
- YARD Stick One — RF transceiver tool
- HackRF One — Software-defined radio
- nfcpy — Python NFC library