by Rysc Corp

A handheld RFID & NFC test instrument optimized for untethered use in the field

View all updates May 22, 2019

Brute-forcing HID Tags

This post covers how to do a brute-force attack with an HID tag on the ProxmarkPro. A brute-force attack is done by trying to guess multiple tag UID’s similar to a known working tag UID to gain access.

For this post you will need the following:

  • ProxmarkPro
  • HID tag saved
  • Tag reader

There will be no client setup necessary for this action. All will be done on the ProxmarkPro using its buttons and LCD. We will be using an HID tag that is already saved on the SD Card to start the brute force process.

HID Brute with ProxmarkPro

  1. Connect the LF Antenna and navigate to the Load Tag Menu option. Select HID

and then your desired tag. We will be using a tag that we have named "Office" on the SD Card.

  1. Navigate to the HID menu and then the Brute option.

  2. In the Brute menu select Method, Card Random. Select From Current. The

current tag loaded will now be set for the brute-force attack.

  1. In the Brute menu select Start. The ProxmarkPro will now attempt to brute-force

the reader with card numbers similar to the tag you have loaded.

Note: In the Brute menu, you also have the option to manually change the HID tag UID, Facility Code, and format length. Some readers may require a faster or slower replay rate, and you can change this in the menu options as well.

$68,660 raised

of $25,000 goal

274% Funded! Order Below

Product Choices


ProxmarkPro Kit

Everything you need get started with your NFC and RFID experiments, including a ProxmarkPro main unit with enclosure and 1200 mAh battery, one low-frequency (LF) antenna, one high-frequency (HF) antenna, a bundle of three HF tags, a bundle of three LF tags, one 16 GB microSD card, and a carrying pouch.


ProxMark Pro Dual Band Antenna

The ProxmarkPro Dual Band Antenna includes one High Frequency (HF) and Low Frequency (LF) inductor along with tuning circuitry matched to the ProxmarkPro. The antenna is comprised of an on-board PCB trace HF antenna and a wound-wire LF antenna. The LF antenna is connected to the PCB via a JST 2-Pin connector to the board. The whole antenna is wrapped in black shrink wrap to keep everything solid in the field.


Rysc Corp

Rysc Corp is your one stop shop for security research hardware. We’ve been creating, distributing and supporting security research devices since 2009. Our commitment to customer service and quality means you can count on us when it counts.

See Also

Subscribe to the Crowd Supply newsletter, highlighting the latest creators and projects: