
Proxmark3

Proxmark3 is a comprehensive RFID and NFC research platform designed for reading, analyzing, cloning, and emulating proximity cards and contactless smart cards. Used in legitimate security research and penetration testing, it provides complete control over high-frequency (HF) and low-frequency (LF) RFID systems. The Proxmark3 enables security professionals to identify vulnerabilities in access control systems and physical security infrastructure.

- Proxmark3 RDV4 or compatible device
- USB 2.0 cable (Type A to Micro-B)
- Computer with Linux/Windows/macOS
- Antenna (included with device)
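# Connect Proxmark3 via USB and confirm it enumerated.
# Matched case-insensitively: the USB product string is not guaranteed to use
# exactly this capitalisation.
lsusb | grep -i proxmark

# Check serial port: shows which ttyACM node was assigned and which
# user/group owns it.
ls -la /dev/ttyACM*

# Set permissions through group membership rather than chmod 666.
# A world-writable node lets every local account drive the device, and the
# mode is lost when the node is recreated on replug. The owning group shown
# by ls above is usually dialout; the change applies at the next login.
sudo usermod -a -G dialout "$USER"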
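# Install dependencies first: git is in this list and is needed by the
# clone step below.
sudo apt-get install -y build-essential git libreadline-dev libusb-0.1-4

# Clone repository and enter it only if the clone succeeded, so the build
# step never runs from an unrelated directory.
# NOTE(review): this builds whatever the default branch holds at clone time;
# for a reproducible toolchain, check out a release tag you have reviewed
# (git checkout <release-tag>) before building.
git clone https://github.com/RfidResearchGroup/proxmark3.git && cd proxmark3

# Build client
# NOTE(review): read install.sh before running it; the page does not show
# what it installs or whether it escalates privileges.
./install.sh

# Verify installation
proxmark3 --version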
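# Install Homebrew dependencies
brew install libusb readline

# Clone and build
# Chained with && so a failed clone or cd stops the build instead of running
# make in whatever directory the shell happens to be in.
git clone https://github.com/RfidResearchGroup/proxmark3.git &&
  cd proxmark3 &&
  make clean &&
  make -j4

# Create alias
# The path is relative, so pm3 resolves only while the current directory is
# the repository root.
alias pm3='./client/proxmark3'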
# Windows setup: obtain a client binary, then confirm it runs.
# Download precompiled binary from GitHub
# Or build with MinGW/MSYS2
# NOTE(review): the page names no release URL or checksum; confirm the
# binary's origin and integrity before running it.

# Verify installation
# -p selects the serial port; COM3 is an example, use the port Windows
# assigned to the device.
proxmark3.exe -p COM3 --version
| Command | Description |
| --- | --- |
| `proxmark3 /dev/ttyACM0` | Connect to device |
| `proxmark3 --help` | Show help information |
| `proxmark3 -p COM3` | Windows port specification |
| `hw status` | Check device status |
| `quit` | Exit Proxmark3 |
# Open a client session and run basic health checks.
# Lines starting with [proxmark3] are typed at the client's prompt, not in
# the shell.
# Connect to device
proxmark3 /dev/ttyACM0

# Check firmware and status
[proxmark3] hw status

# Verify tuning
# Covers the LF antenna only; no HF equivalent is shown here.
[proxmark3] lf tune
# LF tag discovery, typed at the client prompt ([proxmark3] is the prompt,
# not a shell command).
# Search for LF tags
[proxmark3] lf search

# Search with additional options
# NOTE(review): the page does not say what --125 selects; check
# `lf search --help` on your client build.
[proxmark3] lf search --125

# Search specific frequency
# NOTE(review): --lf carries no frequency value, so the label above is
# unverified; confirm against the client's help output.
[proxmark3] lf search --lf
# HID card operations, typed at the client prompt. The --id value is sample
# data from the page.
# Defender note: 125 kHz proximity credentials of this kind present a static
# identifier with no cryptographic challenge, which is why a read value can
# be written to another tag or simulated; the mitigation is moving to a
# mutually-authenticated credential, not hiding the ID.
# Read HID card
[proxmark3] lf hid read

# Demod HID data
[proxmark3] lf hid demod

# Clone HID card
# NOTE(review): the page does not state which writable tag type this targets.
[proxmark3] lf hid clone --id 1234567890

# Emulate HID tag
[proxmark3] lf hid sim --id 1234567890
# EM4100 operations, typed at the client prompt. The --hex value is sample
# data from the page.
# NOTE(review): the group is spelled `lf em4x` in the first command and
# `lf em 4x` in the other three; only one spelling can be right for a given
# client build, so confirm with the client's `lf em help` output.
# Read EM4100 tag
[proxmark3] lf em4x read

# Demod EM4100
[proxmark3] lf em 4x demod

# Clone EM4100 tag
[proxmark3] lf em 4x clone --hex 0123456789ABCDEF

# Simulate EM4100
[proxmark3] lf em 4x sim --hex 0123456789ABCDEF
| LF Command | Description |
| --- | --- |
| `lf search` | Scan for LF tags |
| `lf hid` | HID tag operations |
| `lf em4x` | EM4100 operations |
| `lf t55xx` | T55xx chip operations |
| `lf indala` | Indala tag operations |
| `lf awid` | AWID tag operations |
# HF tag discovery, typed at the client prompt ([proxmark3] is the prompt,
# not a shell command).
# Search for HF tags
[proxmark3] hf search

# Search with verbose output
[proxmark3] hf search -v

# Scan for specific tag types
# NOTE(review): `hf mf` is the Mifare Classic group according to this page's
# HF command table; confirm that a `search` subcommand exists on your build.
[proxmark3] hf mf search
# Mifare Classic read/write/dump, typed at the client prompt.
# Handling note: a full Mifare Classic dump includes the sector trailers,
# i.e. the keys, so dumpfile.bin and similar files should be stored with
# owner-only permissions and removed when no longer needed.
# Read Mifare Classic card
[proxmark3] hf mf read

# Read with key brute force
# NOTE(review): the command shows only a file option; how keys are tried is
# not visible on the page. Confirm `fread` and -f against the client's help.
[proxmark3] hf mf fread -f dumpfile.bin

# Write to Mifare card
# 0xFF0000000000 is the sample key used throughout this page.
[proxmark3] hf mf write -f data.bin -k 0xFF0000000000

# Dump card to file
# NOTE(review): no output file is named here; other examples on this page
# pass -o. The default file name is not shown.
[proxmark3] hf mf dump --1k
# Mifare Ultralight read/dump/write, typed at the client prompt.
# Read Mifare Ultralight
[proxmark3] hf mfu read

# Dump Ultralight card
[proxmark3] hf mfu dump -o ultralight.bin

# Write to Ultralight
# NOTE(review): -o on a write command and the meaning of -l 64 are not
# explained on the page; check `hf mfu help` before running a write, since a
# wrong option can leave the tag in an unintended state.
[proxmark3] hf mfu write --magic -o output.bin -l 64
# ISO 14443-A generic operations, typed at the client prompt.
# Detect ISO14A cards
[proxmark3] hf 14a read

# Get card UID
[proxmark3] hf 14a uid

# Raw command exchange
# The hex string is an ISO 7816-4 SELECT by name (CLA 00, INS A4, P1 04,
# P2 00, Lc 07) for AID D2760000850101, the NFC Forum Type 4 Tag NDEF
# application.
[proxmark3] hf 14a apdu -s 00A4040007D2760000850101

# List known cards
# NOTE(review): elsewhere on this page `list` shows captured frames; what
# this command prints should be confirmed on your build.
[proxmark3] hf 14a list
| HF Command | Description |
| --- | --- |
| `hf search` | Scan for HF tags |
| `hf mf` | Mifare Classic operations |
| `hf mfu` | Mifare Ultralight operations |
| `hf 14a` | ISO14A generic operations |
| `hf 15` | ISO15 operations |
| `hf iclass` | iClass card operations |
| `hf legic` | Legic card operations |
# Capturing reader/card traffic, typed at the client prompt.
# Handling note: a capture can contain identifiers and authentication
# exchanges, so recording.bin should be stored like any other credential
# artefact.
# Sniff LF communication
[proxmark3] lf sniff

# Sniff HF communication
[proxmark3] hf sniff

# Record data
# NOTE(review): the meaning of -c and -r is not given on the page.
[proxmark3] hf 14a sniff -c -r recording.bin

# Replay captured data
# NOTE(review): this is the sniff command again with -l and no input file;
# the page does not show how that replays anything. Confirm with the
# client's help.
[proxmark3] hf 14a sniff -l
# Key-recovery commands for Mifare Classic, typed at the client prompt.
# Defender note: these work because of weaknesses in the card's proprietary
# Crypto-1 cipher; a card population that falls to them needs replacing with
# a credential built on standard cryptography, as key rotation on the same
# card type does not remove the weakness.
# Nested authentication attack
[proxmark3] hf mf hardnested --1k

# Dictionary crack with wordlist
# NOTE(review): the option combination is reproduced as the page gives it;
# verify it against `hf mf hardnested --help` on your build.
# 0xFF0000000000 is the page's sample key.
[proxmark3] hf mf hardnested --nested --sector 0 -k 0xFF0000000000 --dict keys.txt
# Card emulation, typed at the client prompt. 04112233445566 is the sample
# UID used throughout this page.
# Defender note: a reader that grants access to an emulated UID alone is
# authenticating on the UID, which is not a secret; requiring an
# authenticated sector or application read is the mitigation.
# Emulate Mifare Classic
# NOTE(review): confirm the `eco` subcommand and its -n option against the
# client's `hf mf help`; the page does not explain either.
[proxmark3] hf mf eco -n 0 -u 04112233445566 --4k

# Emulate Mifare Ultralight
[proxmark3] hf mfu eload -i ultralight_dump.bin

# Activate emulation
[proxmark3] hf 14a sim -u 04112233445566
# Create automation script
# Writes a small Lua script to the current directory. The quoted 'EOF'
# delimiter stops the shell from expanding anything inside the Lua text.
# NOTE(review): the Lua body assumes the read14a module exposes read14a()
# and that the call returns a table with a uid field. There is no nil check,
# so a failed read would raise on result.uid, and `result` is a global.
# Confirm against the module shipped with your client.
cat > proxmark_script.lua << 'EOF'
-- Proxmark3 Lua script
local reader = require('read14a')
result = reader.read14a(true)
print("Card UID: " .. result.uid)
EOF

# Run script
# Typed at the client prompt.
# NOTE(review): the page does not show whether `script run` searches the
# directory the file was written to.
[proxmark3] script run proxmark_script
# Reviewing captured frames, typed at the client prompt.
# List captured frames
[proxmark3] hf list

# Display specific protocol
[proxmark3] hf list 14a

# Export data
# output.txt holds the captured exchange; store it with the same care as
# the capture itself.
[proxmark3] hf list -f output.txt
# Tag inspection, typed at the client prompt.
# Get detailed tag information
[proxmark3] hf 14a reader

# Full diagnostic
# NOTE(review): `trace list` is given without a protocol argument; other
# list examples on this page name one (14a). Confirm what it prints.
[proxmark3] trace list

# Analyze memory structure
[proxmark3] hf mf info
# Export and reuse of a card dump. The [proxmark3] lines are typed at the
# client prompt; hexdump runs in the shell.
# Export as hex
# Despite the label, this step writes a binary dump; the hex view comes from
# the hexdump step below.
[proxmark3] hf mf dump -o carddata.bin

# Convert bin to hex
# Prints a hex+ASCII view to the terminal; the file itself is not converted.
hexdump -C carddata.bin

# Create clone data
# NOTE(review): the clone workflow later on this page uses cload to write a
# dump to a target card; what "create clone data" produces is not shown.
[proxmark3] hf mf cload -i carddata.bin
# Workflow: read a card and inspect the dump. Steps 2-5 are typed at the
# client prompt; the first and last commands run in the shell.
# 1. Connect to device
proxmark3 /dev/ttyACM0

# 2. Search for cards
[proxmark3] hf search

# 3. Read specific type (Mifare example)
[proxmark3] hf mf read

# 4. Dump to file
# read_card.bin is created in the client's working directory with default
# permissions; a Mifare Classic dump includes sector keys, so restrict
# access to it.
[proxmark3] hf mf dump -o read_card.bin

# 5. Exit
[proxmark3] quit

# View dumped data
hexdump -C read_card.bin
# Workflow: copy one card's contents to a writable card and verify the copy.
# The [proxmark3] lines are typed at the client prompt; diff runs in the
# shell after leaving the client.
# 1. Read source card
proxmark3 /dev/ttyACM0
[proxmark3] hf mf dump -o source.bin

# 2. Prepare writable card
# (Insert blank card or card in writable sector)

# 3. Write data to target
[proxmark3] hf mf cload -i source.bin

# 4. Verify clone
[proxmark3] hf mf dump -o target.bin

# 5. Compare
# On binary files diff only reports whether they differ, not where.
# Both .bin files contain the full card image including keys; remove or
# encrypt them once the comparison is recorded.
diff source.bin target.bin
# Workflow: assessing an access badge, typed at the client prompt.
# 1. Search for cards in environment
[proxmark3] hf search

# 2. Read badge
[proxmark3] hf mf read

# 3. Analyze security
# NOTE(review): given here without options; the earlier example on this page
# passes --1k.
[proxmark3] hf mf hardnested

# 4. Test vulnerability
# <UID> is a placeholder to replace with the value read in step 2. If pasted
# into a shell instead of the client, < and > would be parsed as
# redirections.
[proxmark3] hf mf eco -n 0 -u <UID> --4k

# 5. Document findings
# The dump is evidence and contains key material; record its hash and keep
# it access-controlled.
[proxmark3] hf mf dump -o access_badge.bin
# HID identifier enumeration, typed at the client prompt.
# Detection note: this appears on the access-control side as a run of
# denied reads at a single reader; alerting on bursts of invalid credentials
# per reader, and reader-side lockout where supported, are the matching
# controls.
# HID Brute Force
[proxmark3] lf hid brute

# With range
# NOTE(review): -w 1234 is a single value, not a range; the page does not
# say what -w denotes.
[proxmark3] lf hid brute -w 1234

# Slow brute force
# NOTE(review): --generator H10301 does not obviously relate to speed;
# H10301 looks like a card-format name. Confirm against the client's help.
[proxmark3] lf hid brute --generator H10301
# Signal and antenna checks, typed at the client prompt.
# Detect modulation
# NOTE(review): confirm that `data tune` exists on your build; the page
# gives no output sample.
[proxmark3] data tune

# Analyze signal
[proxmark3] lf tune

# Check antenna impedance
# NOTE(review): `hw antenna` is not explained elsewhere on this page;
# confirm with `hw help`.
[proxmark3] hw antenna
# Raw ISO 14443-A exchanges, typed at the client prompt.
# Send raw ISO14A command
# The payload is the same ISO 7816-4 SELECT APDU (AID D2760000850101) used
# in the `hf 14a apdu` example on this page.
# NOTE(review): whether a raw frame needs ISO 14443-4 block framing around
# the APDU is not shown here; confirm before comparing results with the
# apdu command.
[proxmark3] hf 14a raw --crc -a 00A4040007D2760000850101

# Custom bit sequence
# NOTE(review): the command starts a simulation with an --apdu flag and
# contains no bit sequence; the label is unverified.
[proxmark3] hf 14a sim --apdu
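# Check USB connection
# Matched case-insensitively: the USB product string is not guaranteed to
# use exactly this capitalisation.
lsusb | grep -i proxmark

# Verify permissions
# Adds the current user to the groups that typically own serial/USB device
# nodes. "$USER" is quoted so an unusual value cannot split into extra
# arguments. Membership applies at the next login, so log out and back in
# before retrying.
sudo usermod -a -G plugdev "$USER"
sudo usermod -a -G dialout "$USER"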

# Reset device
# The first line starts the client from the shell; the second is typed at
# the client prompt.
proxmark3 /dev/ttyACM0
[proxmark3] hw reset
# Troubleshooting failed reads, typed at the client prompt.
# Test antenna
[proxmark3] lf tune
[proxmark3] hw antenna

# Adjust power
# NOTE(review): confirm `hw power on` with `hw help`; the page does not say
# what it changes.
[proxmark3] hw power on

# Retry with different distance
# (Move card closer to antenna)
# Firmware check and update. `hw version` is typed at the client prompt.
# Check firmware version
# Compare the client and firmware versions reported here; a mismatch is a
# common cause of commands misbehaving.
[proxmark3] hw version

# Update firmware
# NOTE(review): confirm the flashing procedure against the project's own
# documentation before running this; the page does not say where
# proxmark.elf comes from. Use an image built from the same source tree as
# the client, and do not unplug the device during the write.
proxmark3 /dev/ttyACM0
[proxmark3] hw flashmem --file proxmark.elf
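# List command outputs
# ./ prefix keeps a file name starting with '-' from being read as an option.
ls -la ./*.bin ./*.txt

# Backup captured data
# Create the destination first (cp fails if backup/ does not exist) and keep
# it owner-only, since dumps can contain card keys.
mkdir -p backup && chmod 700 backup && cp ./*.bin backup/

# Archive session
# umask 077 in a subshell: a newly created archive is readable by the owner
# only, without changing the umask of the interactive shell.
(umask 077 && tar -czf proxmark_session.tar.gz ./*.bin ./*.txt)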
# Log session
# Typed at the client prompt.
# NOTE(review): confirm `log c` against the client's help; the page does not
# say where test.log is written or what it captures.
[proxmark3] log c test.log

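# Export findings
# card_hex.txt and assessment.txt carry the card's UID and key material, so
# both are written owner-only. umask covers newly created files; the chmod
# covers files that already existed with wider permissions. The subshell
# keeps the umask change out of the interactive shell.
(
  umask 077

  hexdump -C card.bin > card_hex.txt

  # Create report
  # Quoted delimiter: the report text is written literally, even if a value
  # pasted into it contains $ or backticks.
  cat > assessment.txt << 'EOF'
Card Type: Mifare Classic 1K
UID: 04112233445566
Sector 0 Key A: 0xFF0000000000
Status: Vulnerable to nested authentication
EOF

  chmod 600 card_hex.txt assessment.txt
)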
  • Authorization: Obtain explicit written authorization before testing
  • Documentation: Record all findings and procedures
  • Data Privacy: Secure all captured card data
  • Non-Destructive: Test on authorized cards only
  • Backup: Always backup original card data before cloning
  • Safety: Keep device away from pacemakers and medical devices
  • Compliance: Follow applicable laws and regulations
  • Reporting: Document vulnerabilities found during assessment
  • Device generates RF signals
  • Operate in controlled environment
  • Keep away from people with pacemakers
  • Avoid operating near critical systems
  • Ensure proper electrical safety
  • Test only on authorized targets
  • Maintain chain of custody for evidence
  • NFC Tools — Mobile NFC reading and writing
  • Chameleon Mini — Portable RFID emulator
  • ACR122U — USB NFC reader/writer
  • YARD Stick One — RF transceiver tool
  • HackRF One — Software-defined radio
  • nfcpy — Python NFC library