THE PROBLEM
Extracting RFID & Keypad credentials via spliced implants is a well-known technique. However, these tools are rarely used in professional audits: installations are slow and complicated, and damage to wiring, hardware and infrastructure are rarely authorised in Scope of Engagement documents.
The implants themselves have limited functionality and protocol support, and only provide the "capture" part of an RFID Audit lifecycle. The analysis and cloning of a captured credential requires multiple manual steps, tools and skills.
THE SOLUTION
Imagine walking into an audit, placing an access control reader on a wall and instantly collecting credentials. Your phone gives you real-time notifications of skimmed badges and PIN codes, and directly writes a clone badge with your Proxmark.
You don't need a computer, you don't need to damage client property, you don't need to memorise arcane Proxmark commands. Everything is taken care of. When the audit is over, you've got a timestamped log of all operations, ready for export into a report. Your time and skills are spent on the audit, instead of the tools.
You've just imagined the Stealth Decoy Reader platform, a next-generation, non-destructive credential capture system designed specifically for red-teamers and pentesters. The Stealth Decoy Reader is an open-source, battle-tested hardware module built to collect and exfiltrate all known corporate access-control protocols and PIN codes.
Even better, the Stealth Decoy Reader is available pre-installed inside the most common access control readers for perfect camouflage. The readers come equipped with non-destructive mounting systems, ready for rapid placement in public areas, choke points, doorways, cabinets, etc.
Rapid deployment during public access
Credential capture
Instant notifications and credential management
One-click cloning via Proxmark 3
The Stealth Decoy Reader Platform covers the full RFID pentest life-cycle:
- Capture: Rapidly deployed, instant multi-factor credential skimming
- Control: Manage multiple devices, analyse, save, tag and exfiltrate captured credentials via the cross-platform WebUI.
- Clone: Emulate, clone and write captured credentials directly from the UI via Proxmark 3. One click & wireless: No command lines, no code.
- Access: Gain and escalate access via cloned RFID.
MULTI-PROTOCOL
Supports all corporate RFID and keypad protocols, including HID & Wiegand, iCLASS, Indala, Paxton..
UNDETECTABLE
Physical switch to deactivate WiFi for undetectable installation, NAC evasion, and reduced RF exposure.
NON-DESTRUCTIVE INSTALLATION
No need to remove readers, crimp cables or damage client hardware. Deploy and remove in seconds.
PROFESSIONAL TOOL & SUPPORT
Built by pentesters based on real-world requirements: modern hardware, software and frequent updates.
POWERED BY STEALTH
Inside every Stealth Decoy Reader is a Stealth Decoy Module - the high-performance, multi-protocol, wireless equipped RFID capture, analysis and cloning device. It works hand-in hand with the Doppelgänger Assistant, a cross-platform professional GUI application designed to handle every possible operation requirement.
Together, they allow for automated card capture and wireless credential exfiltration. Teams can collaborate and share credentials; credentials can be analysed, exported or cloned.
The Doppelgänger Assistant also works as a easy-to-use UI for the Proxmark 3, making credential writing, cloning and verification a one-click operation. Don't miss opportunities because of knowledge gaps or constrained time: the Doppelgänger Suite is a results-oriented system for complete RFID audits.
- 1
- 2
- 3
- 4
- 4
1. REAL HARDWARE
Legitimate readers with the Stealth Decoy Reader modules embedded inside are indistinguishable from your client's existing readers.
2. MULTI-FACTOR CREDENTIALS
Skim RFID and matching PIN credentials simultaneously. Handles all corporate protocols, including iCLASS SE/SEOS/SR.
3. NEVER MISS A CREDENTIAL
Support for all major corporate RFID systems. Frequent firmware and software updates. Never miss a credential.
4. NO RISK, NO DAMAGE INSTALLS
No risky, lengthy or destructive installation or hardware modifications required. Deploy in seconds. Runs on internal power.
5. BUILT FOR DISCRETION
Credential capture is silent, and can trigger notifications, SMS or emails. Hardware switch to disable all RF emissions.
FIELD-READY WORKFLOW
Unlike traditional approaches for RFID audits, the Stealth Decoy Reader system provides a full end-to-end workflow for RFID audits. What previously required highly technical knowledge, complicated wiring, fussy tools and unstable software is replaced by an all-in-one device and intuitive, cross-platform software.
Red-teamers and auditors can literally turn on the device, attach it to an appropriate wall / door / cabinet / public choke-point and instantly collect credentials. Captured cards can be detected, analysed and exported to other team-members, or effortlessly simulated or physically cloned wirelessly via a Proxmark - the included Doppelgänger Assistant handles everything.
The Long Range Reader and Doppelgänger ecosystem covers every step of an RFID Audit: acquisition, exfiltration & analysis, duplication and access / escalation.
- 1
- 2
- 3
- 4
1. MULTI-FACTOR ACQUISITION
Capture RFID & PIN Credentials, silently. Rapid deployment. No wiring or complex setup required. Turn on, drop and go.
2. CROSS-PLATFORM UI
Get instant notifications of captures, across multiple readers. Share readers and card data in real-time with colleagues.
3. PROXMARK3 INTEGRATION
Instantly emulate or clone captured credentials via the Proxmark 3 directly via the UI. No commands, no code, no wires.
4. FIELD-TESTED RESULTS
The Stealth Decoy Reader system is purpose-built by professional red-teamers to be results oriented. RFID Audits just got better and easier.
AVAILABLE MODELS & TECHNICAL DETAILS
Every major corporate reader is available - simply take the unit that your client uses for undetectable credential harvesting. Devices ships preconfigured with your choice of integrated reader hardware. For convenience, we have a product selection assistant to help you determine which model / device you require.
| Model | Type | Protocols |
|---|---|---|
| HID multiCLASS SE RP40 HID multiCLASS SE RP40 | RFID RFID+Keypad | HID iCLASS Legacy HID iCLASS SE/SEOS/SR MIFARE Classic (via SE) MIFARE DESFire HID Prox, AWID, EM4102, T5577 |
| HID Signo 20TKS HID Signo 20KTKS HID Signo 40TKS HID Signo 40KTKS | RFID RFID+Keypad | HID iCLASS Legacy HID iCLASS SE/SEOS/SR MIFARE Classic (via SE) MIFARE DESFire Indala HID Prox, AWID, EM4102, T5577 |
| Paxton P75 Paxton PK75 | RFID RFID+Keypad | Paxton Net2 |
The stand-alone module is compatible with all the above protocols and authentication methods.
| Feature | Notes |
|---|---|
| UI | Cross Platform App / WebUI |
| Integration | Integrates with Proxmark3 RDV4. One-click cloning and emulation. Wireless operation via Blueshark. |
BACKED BY REAL-WORLD TRAINING & CERTIFICATION
Beyond the professional support, highly-detailed documentation and active development - real-world training is available for all PPE products. Covering comprehensive product learning to in-the-field assignments simulating the toughest operating conditions, for individuals and teams.
On-site training is available in the US, Europe and the UK. For more information, please contact support@lab401.com
What's included
- Access Control Hardware of choice
- Stealth Decoy Reader (preinstalled)
- PPE 3.7V 1800mAh LiPo battery
- PPE Stealth Card
- HID iCLASS 2k card (HID Variants Only)
- T5577 card
- Magnetic mounting plate
- Hook-and-pile mounting strips
The "Module + Battery Only" variant includes:
- Stealth Decoy Reader (preinstalled)
- PPE 3.7V 1800mAh LiPo battery
Recommended Accessories
- Proxmark3 RDV4 (with optional Bluetooth Extension)
- PPE Dual Battery Charger