Cmdpirx Corner

HID1KBrute

| Projects | Tags: python, rfid, hid, security 
 _   _ _____ _____  _ _  ______            _       
| | | |_   _|  _  || | | | ___ \          | |      
| |_| | | | | | | || |_| | |_/ /_ __ _   _| |_ ___ 
|  _  | | | | | | ||  _  | ___ \ '__| | | | __/ _ \
| | | |_| |_| |/ / | | | | |_/ / |  | |_| | ||  __/
\_| |_/\___/|___/  \_| |_/\____/|_|   \__,_|\__\___|

HID1KBrute: Comprehensive RFID Card Analysis and Badge Generation Toolkit

After spending some time in the physical security, I've found a gap in accessible tools for RFID badge analysis.

That's why I developed HID1KBrute, a comprehensive Python toolkit that democratizes RFID card analysis and badge generation through two powerful components: an intelligent card analyzer and a flexible badge designer.

The Challenge

RFID access control systems, particularly those using HID cards, dominate corporate and institutional environments. However, understanding these systems presents several challenges:

Pattern Discovery Complexity: Determining how facility codes and card numbers are encoded within hex data requires deep bit-level analysis and pattern recognition across multiple card samples.

Format Identification: With dozens of HID card formats (26-bit, 34-bit, 35-bit, etc.), identifying which format a particular badge uses can be time-consuming and error-prone.

Badge Generation: Creating new badges for existing systems requires understanding the exact bit layout and encoding scheme, which traditional tools don't provide in an accessible format.

Batch Operations: Administrative tasks like generating sequential badge ranges or migrating between systems need efficient automation tools.

Solution Architecture

HID1KBrute addresses these challenges through a dual-component architecture:

RFID Card Analyzer (py1kbrute)

The analyzer component uses sophisticated pattern recognition algorithms to reverse-engineer card encoding schemes. It analyzes multiple cards simultaneously, looking for consistent bit patterns that indicate facility codes and card number positions.

Key Features: - Intelligent Pattern Discovery: Automatically identifies facility codes and card number patterns from raw hex data - Multi-card Analysis: Processes multiple cards to find consistent patterns and reduce false positives - Format Matching: Compares discovered patterns against known HID formats with confidence scoring - Interactive Exploration: Provides detailed analysis with bit positions, window offsets, and pattern validation

Badge Designer (py1encoder)

The designer component leverages discovered patterns to generate new badge data with precise control over facility codes and card numbers.

Key Features: - Pattern-based Generation: Uses predefined or custom-discovered patterns for accurate badge creation - Built-in Format Support: Includes common HID formats (26-bit, 34-bit, 35-bit) with proper bit layout - Batch Generation: Efficiently creates sequential badge ranges for administrative tasks - Custom Pattern Support: Allows creation and testing of non-standard or proprietary formats

Technical Implementation

Pattern Recognition Algorithm

The core algorithm uses a sliding window approach to analyze bit patterns across multiple cards:

def analyze_patterns(cards, min_bits=32, max_bits=35):
    """
    Analyzes multiple cards to discover consistent bit patterns
    Uses sliding window technique with validation across all samples
    """
    for window_size in range(min_bits, max_bits + 1):
        for offset in range(len(binary_data) - window_size + 1):
            # Extract window and analyze for consistent patterns
            pattern = analyze_window(cards, offset, window_size)
            if validate_pattern(pattern, cards):
                yield pattern

Design Choice Explanation: I chose a sliding window approach because it's computationally efficient and naturally handles variable-length formats. The algorithm validates patterns across all input cards, ensuring discovered patterns are consistent rather than coincidental.

Format Confidence Scoring

The system includes a confidence scoring mechanism that evaluates discovered patterns against known HID formats:

def calculate_confidence(pattern, known_formats):
    """
    Scores pattern match against known formats
    Higher scores indicate better format alignment
    """
    score = 0
    for format_spec in known_formats:
        if pattern.window_size == format_spec.total_bits:
            score += 30  # Exact bit count match
        if pattern.fc_bits == format_spec.fc_bits:
            score += 25  # Facility code bit count match
        if pattern.cn_bits == format_spec.cn_bits:
            score += 25  # Card number bit count match
    return score

Design Choice Explanation: The confidence scoring system prevents false positives by validating that discovered patterns align with real-world HID specifications. This makes the tool more reliable for practical use.

Memory-Efficient Processing

The toolkit processes cards using generator functions and lazy evaluation to handle large datasets efficiently:

def process_cards_lazy(card_data):
    """
    Lazy processing of card data to minimize memory usage
    Yields results as they're discovered rather than building large lists
    """
    for card in card_data:
        binary = hex_to_binary(card.hex_data)
        yield analyze_card(binary, card.known_cn)

Design Choice Explanation: Using generators instead of lists reduces memory footprint significantly, especially important when analyzing large badge databases or performing batch operations.

Use Cases and Applications

Security Research

The toolkit enables security researchers to analyze badge systems without expensive specialized hardware. By understanding the encoding scheme, researchers can assess system vulnerabilities and develop proof-of-concept demonstrations.

Badge Administration

System administrators can use the toolkit to generate new badges for existing access control systems, particularly useful during employee onboarding or system migrations.

Penetration Testing

Security professionals can create test badges for authorized assessments, helping identify weaknesses in physical security implementations.

System Migration

Organizations upgrading access control systems can use the toolkit to understand their current badge format and generate compatible badges for new systems.

Architecture Benefits

No External Dependencies

The toolkit uses only Python's standard library, making it highly portable and reducing security concerns from third-party dependencies.

Design Choice Explanation: I deliberately avoided external dependencies to ensure the tool can be used in restricted environments and to minimize the attack surface for security-sensitive applications.

Modular Design

The analyzer and designer components are separate but interoperable, allowing users to employ only the functionality they need.

Design Choice Explanation: Modular design follows the Unix philosophy of "do one thing well" and makes the codebase more maintainable and testable.

Cross-Platform Compatibility

Pure Python implementation ensures the toolkit works consistently across Windows, macOS, and Linux systems.

Future Enhancements

The toolkit's modular architecture provides a foundation for several planned enhancements:

  • Database Integration: Support for badge databases and audit logging
  • Advanced Formats: Additional proprietary and regional card formats
  • Batch Processing: Enhanced automation for large-scale operations
  • GUI Interface: Graphical interface for non-technical users
  • Hardware Integration: Direct reader/writer hardware support

Getting Started

Installation is straightforward via pip:

pip install hid1kbrute

Basic usage for analyzing unknown cards:

py1kbrute -c 27bafc0864 32443 -c 1a2b3c4d5e 12345

Generate new badges using discovered patterns:

py1kencoder --pattern hid_26bit --fc 123 --cn-range 1000 1010

Conclusion

HID1KBrute represents a significant step forward in accessible RFID analysis tools. By combining intelligent pattern recognition with practical badge generation capabilities, it empowers security professionals, administrators, and researchers to work more effectively with access control systems.

The toolkit's focus on usability, reliability, and security makes it suitable for both educational purposes and real-world applications. As the access control landscape continues to evolve, tools like HID1KBrute help ensure that security analysis remains accessible to the broader community.

Whether you're conducting authorized security assessments, administering badge systems, or researching physical security implementations, HID1KBrute provides the functionality needed to work effectively with RFID access control systems.

Source code and documentation are available on GitHub. The project is open-source under the MIT license, encouraging community contributions and collaborative development.