Description
Proxmark3 is the most powerful RFID/NFC research tool. It reads, writes, emulates, and clones contactless cards at both low frequency (125 kHz) and high frequency (13.56 MHz). Essential for physical penetration testing.
Installation
BASH
# Install client (RRG/Iceman fork)
git clone https://github.com/RfidResearchGroup/proxmark3
cd proxmark3
make clean && make all
sudo make install
# Connect
pm3 # Auto-detect
pm3 /dev/ttyACM0
Basic Usage
BASH
# Auto-detect card
pm3 --> auto
# LF (125 kHz) operations
pm3 --> lf search # Detect LF card
pm3 --> lf hid read # Read HID ProxCard
pm3 --> lf em 410x read # Read EM4100
# HF (13.56 MHz) operations
pm3 --> hf search # Detect HF card
pm3 --> hf mf info # Mifare Classic info
pm3 --> hf 14a info # ISO 14443A info
Advanced Usage
BASH
# Clone HID card
pm3 --> lf hid read # Read original
pm3 --> lf hid clone --raw 2006EC0C86 # Write to T5577
# Mifare Classic attack
pm3 --> hf mf autopwn # Automatic key recovery
pm3 --> hf mf dump # Dump all sectors
pm3 --> hf mf restore # Write to blank card
# Simulate card (no write needed)
pm3 --> lf hid sim --raw 2006EC0C86
pm3 --> hf mf sim --uid DEADBEEF
# Brute force facility codes
pm3 --> lf hid brute --fc 1 --cn 1-65535
# Sniff communication
pm3 --> hf sniff
pm3 --> lf sniff
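Added example (not from the original page or the Proxmark3 code base): a Python decoder for the raw HID value `2006EC0C86` used above, showing that a 26-bit HID Prox credential holds only a facility code, a card number and two parity bits. It assumes the common short-format raw layout (bit 37 as a flag, then a sentinel bit, then the payload) and the standard 26-bit H10301 field layout; the name `decode_hid_raw` is hypothetical.

```python
"""Decode a raw HID Prox ID as shown by `lf hid read` (added example)."""


def _ones(value: int) -> int:
    """Count set bits."""
    return bin(value).count("1")


def decode_hid_raw(raw_hex: str) -> dict:
    """Return format length and, for 26-bit cards, FC / CN / parity status."""
    raw = int(raw_hex, 16)
    # Assumption: in the short format only bit 37 is set above the body.
    if raw >> 37 != 1:
        raise ValueError("not a short-format HID Prox raw ID")
    body = raw & ((1 << 37) - 1)
    if body == 0:
        raise ValueError("sentinel bit missing")
    # The highest set bit of the body is the sentinel; its position is
    # the number of payload bits that follow it.
    fmt_len = body.bit_length() - 1
    payload = body & ((1 << fmt_len) - 1)
    result = {"format_len": fmt_len, "payload": payload}
    if fmt_len != 26:
        return result  # only the 26-bit H10301 layout is decoded here
    # H10301: even parity | 8-bit facility code | 16-bit card number | odd parity
    even_half = payload >> 13    # leading parity bit + upper 12 data bits
    odd_half = payload & 0x1FFF  # lower 12 data bits + trailing parity bit
    result["facility_code"] = (payload >> 17) & 0xFF
    result["card_number"] = (payload >> 1) & 0xFFFF
    result["parity_ok"] = _ones(even_half) % 2 == 0 and _ones(odd_half) % 2 == 1
    return result


if __name__ == "__main__":
    # Raw value taken from the clone/sim commands on this page.
    print(decode_hid_raw("2006EC0C86"))
```

Nothing in the payload is secret or tied to a reader challenge, which is why the same raw value works for both `lf hid clone` and `lf hid sim`.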
Common Workflows
BASH
# Physical pentest card cloning
pm3 --> lf search # or hf search
pm3 --> lf hid read # Read badge
pm3 --> lf hid clone --raw <ID> # Clone to T5577
# Test at target access point