Some time ago I came across Samy Kamkar’s Magspoof implementation and thought that would be a very helpful utility.
However, the current implementation wasn’t mobile enough for me – Magspoof and MagspoofV2 themselves are quite tiny and portable, but I would need an ISP programmer and a computer to change the numbers it emulates.
Other implementations are available – “BlueSpoof” uses the phone and a modified speaker to emulate a magstripe to a card reader, but you would need to convert your numbers to a WAV file first.
So I dug a little more and found idogendel’s thoughts on whether the magnetic reversal feature is actually required, plus some more information about magnetic cards.
I decided to build my very own implementation and call it “Magic Wand”, but after I googled that term I found that it was an established name in a very different industry :)
So, here it is – “RedSpoof” – a portable MagSpoof implementation that can be programmed for different numbers via WiFi in just a matter of seconds.
It also runs off a standard 5 V USB charger, which makes it perfect for my use case – official RedTeam engagements.
My requirements were:
- easy to configure
- easy to power – no fancy 3.7 V LiPo with an extra charger set that has to be carried around, etc.
- secure – the WiFi should only be enabled when I want to change the numbers being spoofed
- based upon the ledunia (ESP8266), because I got it for free and needed a project for it ;)
Special thanks to Paessler for giving me a free ledunia; without it this project wouldn’t have happened. Thank you!
For the portability part I implemented the magspoof code in Python (MicroPython), perfect for use with a ledunia.
Further, I reduced the required hardware to a very simple board that consists of:
- 2 simple push-buttons
- insulated wire from a motor (50 turns around the board)
- 1 transistor
- jumper connectors to connect to the ledunia
The “attack” workflow looks like this:
- Power on – plug it into the power bank (all ledunia lights on)
- press the activate button (lights glow red)
- hold it near (1-4 cm) your target and spoof the number
- press the activate button again to put it back into standby mode, or just unplug it from the battery and plug it back in (all lights on)
To change the stored number:
- Power on (all ledunia lights on)
- press the second button to activate WiFi (lights glow blue)
- connect with your phone and change the number – it is stored persistently across reboots
- run through the “attack” workflow
In my test environment it works like a charm; however, you have to be careful, as the BC547 transistor I use gets very hot because it effectively shorts the coil across the battery supply.
Feel free to contribute to the design.
The card readers I got my hands on easily accepted the spoofed numbers for track 1 and track 2, even with text, where others have problems. I couldn’t test track 3 yet.
The code is designed to spoof track 1 and track 2 if both are given; if either track 1 or track 2 is missing, the remaining track is spoofed as “track 2”, because that is the most important track and the one most readers use to verify numbers.
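To show what a reader actually checks on those tracks, here is an added example (not the RedSpoof code itself): the ISO/IEC 7811 track framing with per-character odd parity, sentinels and LRC, as an encoder plus the reader-side decoder that rejects corrupted or malformed data. The sample payloads are constructed test values, not data from a real card.

```python
from functools import reduce
from operator import xor

# ISO/IEC 7811 track parameters: (data bits per character, ASCII offset, start sentinel).
# Track 1 uses 6 data bits over 0x20..0x5F and starts with '%'; track 2 uses 4 data
# bits over 0x30..0x3F and starts with ';'. Every character carries one odd-parity bit,
# the end sentinel is '?', and an LRC (XOR of all data values, with its own parity) follows.
TRACKS = {1: (6, 0x20, "%"), 2: (4, 0x30, ";")}

# Constructed sample payloads for testing, not data from any real card.
SAMPLE_T1 = "B4111111111111111^DOE/JOHN^2512101"
SAMPLE_T2 = "4111111111111111=2512101"

def _symbol(value, nbits):
    """Data bits LSB first, then a parity bit that makes the number of ones odd."""
    data = [(value >> i) & 1 for i in range(nbits)]
    parity = 1 - (sum(data) & 1)
    return "".join(str(b) for b in data + [parity])

def encode_track(track, payload):
    """Frame the payload with sentinels and LRC; returns the bit string fed to the coil."""
    nbits, offset, start = TRACKS[track]
    values = []
    for ch in start + payload + "?":
        v = ord(ch) - offset
        if not 0 <= v < (1 << nbits):          # e.g. lowercase letters on track 1
            raise ValueError(f"{ch!r} is not a valid track {track} character")
        values.append(v)
    values.append(reduce(xor, values, 0))       # LRC covers both sentinels
    return "".join(_symbol(v, nbits) for v in values)

def decode_track(track, bits):
    """Reader-side verification: parity of every character, LRC and sentinels must all check out."""
    nbits, offset, start = TRACKS[track]
    width = nbits + 1
    if not bits or len(bits) % width:
        raise ValueError("bit count is not a multiple of the character width")
    values = []
    for i in range(0, len(bits), width):
        chunk = bits[i:i + width]
        if chunk.count("1") % 2 == 0:
            raise ValueError(f"parity error in character {i // width}")
        values.append(sum(int(chunk[j]) << j for j in range(nbits)))
    *frame, lrc = values                        # last character is the LRC
    if lrc != reduce(xor, frame, 0):
        raise ValueError("LRC mismatch")
    text = "".join(chr(v + offset) for v in frame)
    if not (text.startswith(start) and text.endswith("?")):
        raise ValueError("missing start or end sentinel")
    return text[1:-1]
```

Any single flipped bit is caught by the per-character parity check, and two flips inside one character are caught by the LRC, which is why a reader rejects a badly positioned or noisy emulation rather than misreading it.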
If you have a fresh ledunia you should first install the MicroPython firmware as described here: Micropython on ESP8266
I use mpfshell to connect to the ledunia and upload new code:
> open ttyUSB0
> put main.py
> put webserver.py
> put config.py
Unplug the ledunia from the USB port, plug it into a USB charger and check whether the lights come on.
If they do, everything should be ready.
Press the WiFi button; the blue lights should turn on and you can connect to the web interface at IP 192.168.4.1.
After config, the system should reset and you can press the “spoof” button to start spoofing.
Press the “spoof” button again to stop spoofing.
– WARNING –
NEVER connect the ledunia to your computer with the coil board attached; it could destroy your USB ports!!
– DISCLAIMER –
This project is made for people who want to learn about the insecurity of magnetic card readers.
It is for EDUCATIONAL PURPOSES ONLY.
Please do not do anything illegal with it. I do not endorse any such behavior.
RedTeamers should always have a signed contract allowing this type of attack on their clients. You are responsible for your actions.
If you rebuild it, let me know!
If you make it better, please send me a merge request ;)