Doppelgänger Assistant

Command Generation, Card Writing & Verification, and Card Simulation

Card calculator and Proxmark3 Plugin for writing and/or simulating every card type that Doppelgänger Community, Pro, Stealth, MFAS, and Trainer support. This project is designed to streamline the card-writing process because every second counts in physical penetration testing. Why waste time digging through your disheveled notes to relearn how to write an iCLASS 2k card or fumble with the syntax for a 37-bit HID card? If you use doppelganger, let Doppelgänger Assistant do the work for you. That way, you can spend more time breaching your target facility.

Demo

The following video illustrates the writing of a captured Seos card to an iClass 2k card using a PPE MFAS Reader and Doppelgänger Assistant in GUI mode.


Installation

Below are one-liner installation commands for getting Doppelgänger Assistant up and running on MacOS, Linux, and Windows (WSL). For detailed steps or manual installation, reference the Doppelgänger Assistant GitHub project.

Installation: Linux

The command below will perform the following actions:

  1. Install the Iceman fork of Proxmark3, if it’s not already installed.
  2. Install Doppelgänger Assistant, and required dependencies.
  3. Create a Desktop shortcut for launching Doppelgänger Assistant in GUI mode.
curl -sSL https://raw.githubusercontent.com/tweathers-sec/doppelganger_assistant/main/doppelganger_install_linux.sh | sudo bash

Installation: Windows WSL

The command below will perform the following actions:

  1. Install / update WSL, if needed
  2. Install dependencies: usbipd, nuget, aria,
  3. Create a dedicated Ubuntu WSL instance for Doppelgänger Assistant. This will be created at c:\doppelganager_assistant
  4. Add additional scripts for auto passthrough of your Proxmark3 to WSL.
  5. Install the Iceman fork of Proxmark3, build, and update your Proxmark3 device (if desired)
  6. Create a Desktop shortcut for launching Doppelgänger Assistant in GUI mode.

The following command must be run as an Administrator in PowerShell. Note that if WSL is not already installed, you will need to run this script twice. Following the instructions provided in your terminal.

powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/tweathers-sec/doppelganger_assistant/main/doppelganger_install_windows.ps1' -OutFile 'C:\doppelganger_assistant_install.ps1'; & 'C:\doppelganger_assistant_install.ps1'"

Installation: MacOS

The following command will install Doppelgänger Assistant & the Iceman fork of Proxmark3 using brew:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/tweathers-sec/doppelganger_assistant/main/doppelganger_install_macos.sh)"

Commandline Operations

Assistant can be run in either GUI mode or via the commandline. Running doppelganger_assistant -h will provide you with a list of options.

$ doppelganger_assistant -h

--- About Doppelgänger Assistant ---
Author: @tweathers-sec
Version: 1.0.3

Usage: doppelganger_assistant -bl <bit length> -fc <facility code> -cn <card number> -t <card type> [-uid <UID>] [-hex <Hex Data>] [-w] [-v] [-s] [-version] [-g] [-c <csv file>]

  -bl int
    	Bit length
  -cn int
    	Card number
  -fc int
    	Facility code
  -g	Launch GUI
  -hex string
    	Hex data for EM cards
  -s	Card simulation
  -t string
    	Card type (iclass, prox, awid, indala, em, piv, mifare) (default "prox")
  -uid string
    	UID for PIV and MIFARE cards (4 x HEX Bytes in the Card_Number column)
  -v	Verify written card data
  -version
    	Show program version
  -w	Write card data

Supported card types and bit lengths:

  iclass: 26, 35
  prox: 26, 30, 31, 33, 34, 35, 36, 37, 48
  awid: 26
  indala: 26, 27, 28, 29
  em: 32
  piv: N/A
  mifare: N/A

Example: Generating commands for writing iCLASS cards

This command will generate the commands needed to write captured iCLASS (Legacy/SE/Seos) card data to an iCLASS 2k card:

 doppelganger_assistant -t iclass -bl 26 -fc 123 -cn 4567

 Write the following values to an iCLASS 2k card:

 hf iclass wrbl --blk 6 -d 030303030003E014 --ki 0
 hf iclass wrbl --blk 7 -d 0000000006f623ae --ki 0
 hf iclass wrbl --blk 8 -d 0000000000000000 --ki 0
 hf iclass wrbl --blk 9 -d 0000000000000000 --ki 0

Example: Simulating PIV/MF Cards

Using the UID provided by Doppelgänger (v1.2.0 Doppelgänger Pro, Stealth, and MFAS), you can simulate the exact wiegand signal with a Proxmark3.

doppelganger_assistant -uid 5AF70D9D -s -t piv

Handling PIV card...

Simulating the PIV card on your Proxmark3:

Executing command: hf 14a sim -t 3 --uid 5AF70D9D

[=] Session log /Users/tweathers/.proxmark3/logs/log_20240614152754.txt
[+] loaded `/Users/tweathers/.proxmark3/preferences.json`
[+] execute command from commandline: hf 14a sim -t 3 --uid 5AF70D9D

[+] Using UART port /dev/tty.usbmodem2134301
Stealth WDI Schrader REX Gun (Coming Soon)