Strategic Access: Cloning Cards Without Employee Badges
Gaining access and maintaining persistence in a target building are critical components of a successful physical pentest, and while there are various methods to achieve this, one of the most effective approaches is cloning ID badges.
The general methods of cloning ID badges are usually attempting to clone the badge at a distance, or getting hold of a badge long enough to clone it with something like a Flipper or Proxmark. However, some pentest teams I meet may not have the budget for a long-range reader, or for some reason the long-range reader simply isn't an option for a particular assignment.
In this blog post I will discuss a method of cloning an ID badge and gaining persistence without actually being able to copy directly from an employee or use a long-range reader. You may say "let's just pull the card reader off and put an ESP key on the wires to grab the Wiegand data (which it is likely using)", but many clients won't let you do this as it is "destructive".
Before reading on, take a moment and think to yourself, "How would I clone an ID badge for a company if I cannot get hold of an employee's badge, I cannot attack the card reader and I cannot use a long-range reader?"
The Challenge of Cloning Employee ID Badges
Traditionally, the focus has been on cloning employee ID badges to gain access to secure facilities. However, this approach comes with its own set of challenges. Getting close enough to an employee to clone their badge without arousing suspicion can be a difficult task, even for the most seasoned penetration testers. Furthermore, the risk of stealing an employee's badge to clone it is high, as it can quickly raise alarms and compromise the entire operation.
Yes, many employees will leave their ID badges on their desk when they go get coffee or head to the bathroom, but this assumes you're already inside. Without a long-range card reader, following employees on the train / bus / etc. and getting their ID badge is very difficult. In fact, I have on many occasions been told by clients that I am not authorized to tail their employees to coffee shops, buses, etc.
Further, many clients will not allow you to take apart their card readers and damage them (yes, the ESP key does damage the wires and is therefore a very small level of destruction).
The Strategic Advantage of Guest ID Badges
This is where cloning guest ID badges comes into play. In many organizations, guest badges are issued to visitors for temporary access. These badges often have lower security privileges, allowing access to public or semi-restricted areas. By obtaining a guest badge under false pretenses, penetration testers can clone it and gain a foothold in the building without drawing undue attention.
This is where a bit of social engineering comes into play. Depending on the building you are going after, you need to discover "who gets a guest badge?" This is where recon and common sense can really help. While enough recon will eventually tell you the kinds of people who get guest badges, you may not have time in your engagement to discover this, or luck is against you and no guests show up during your recon phase, in which case you're down to common sense.
A list of common people who would be granted guest badges:
Delivery drivers, if the goods need to be taken into the building
Repair technicians of various sorts (have fake work orders ready)
Someone with a real meeting
The final point here is an easy win that I have used many times. Use OSINT to find a list of employees, and find ANY reason to have a meeting with one of them at their office. If you can set up a real meeting at their office, this is a prime opportunity to do real embedded recon and possibly set up other methods of entry (clone actual employee badges, note the security layout, locate different methods of entry, disable alarms, etc.). Some examples I have used for setting up meetings in the past:
You’re a journalist wanting to do a story about the company / their product
You're a student doing your thesis on something they do and want to interview their experts
You're there for a job interview and they lost / forgot your paperwork. I've used this to get a compassionate free lunch, access to the inside of their building and a guest ID badge
Also be aware of who gives out these guest badges, which is almost always the front desk attendant. In many cases there will be a drawer easily accessible to the front desk staff (which almost always means unlocked) full of guest badges. If you can build rapport with the front desk staff and wait for an opportunity, you may be able to simply steal one.
Further, many guest badges are simply left on the front desk by actual guests who have dropped off their badges or for guests who are going to be arriving soon and the staff have simply set out badges in anticipation.
In any of these situations, grabbing a guest badge from the front desk itself is a quick and easy way to clone one. If you have enough people on your team, bring someone to run interference for you while you're doing this, to draw attention away from you while cloning.
It's Not Supposed To Be a One-Man Show
If you show up to deliver flowers to someone in the office, you may or may not make it past the front desk or get a guest badge. While this is a perfectly fine attempt, realize that you cannot come back tomorrow as an employee, as the front desk staff now recognize you as the delivery guy.
If you're at the front desk trying to build rapport and see a guest badge sitting on the desk, but the attendant simply won't leave or give you enough time to grab and clone it, you simply have to walk away from the opportunity … unless you have teammates who can help you out.
At this point, let's suppose you have managed to clone a guest ID badge. Depending on how you did it, and the size of your team, this is where you should hand off the cloned badge to another team member. This individual can return to the facility at a later time, posing as an employee rather than a guest. Since the badge has already been cloned and tested, the risk of failure is significantly reduced, ensuring a smoother operation.
While the badge won't get them into the high-security areas, it will get them through the first access control system, at which point they can start looking to escalate privileges by getting hold of a real employee badge, or finding another method to elevate their access.
One thing to keep in mind is that while guest badges are supposed to be deactivated after use or at the end of the day, they are VERY OFTEN not. It is incredibly common to see guest ID badges left active indefinitely; however, to avoid the situation where your guest badge is deactivated, try cloning multiple guest IDs if possible.
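The control failure described above (guest badges never deactivated) is easy to catch on the defender's side if the access-control log is compared against the visitor register. The following is an added example and is not code from the original post or from any badge vendor: the CSV-style log lines, the register layout, the "G-" prefix for guest badge IDs and the 30-minute grace period are all constructed assumptions. It flags guest badges that were granted access after their expected return time, or that were never issued at all, and collapses the findings into a deactivation list.

```python
"""Flag guest badges still granting access after their visit window.

Added example, not from the original post. Log format, register
layout, badge ID prefix and grace period are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed visitor register: badge id -> (issued_at, expected_return).
# In practice this comes from the visitor management system.
GUEST_REGISTER = {
    "G-0017": ("2024-05-06 09:02", "2024-05-06 17:00"),
    "G-0021": ("2024-05-06 13:15", "2024-05-06 17:00"),
    "G-0042": ("2024-05-07 08:40", "2024-05-07 12:00"),
}

# Constructed access-control log: timestamp, badge id, door, result.
ACCESS_LOG = """\
2024-05-06 09:05,G-0017,LOBBY-TURNSTILE,GRANTED
2024-05-06 13:20,G-0021,LOBBY-TURNSTILE,GRANTED
2024-05-07 08:45,G-0042,LOBBY-TURNSTILE,GRANTED
2024-05-08 07:58,G-0017,LOBBY-TURNSTILE,GRANTED
2024-05-08 18:31,G-0017,LOBBY-TURNSTILE,GRANTED
2024-05-08 08:10,G-0099,LOBBY-TURNSTILE,GRANTED
2024-05-08 08:12,E-1234,LOBBY-TURNSTILE,GRANTED
"""

FMT = "%Y-%m-%d %H:%M"
GUEST_PREFIX = "G-"            # assumed naming convention for guest badges
GRACE = timedelta(minutes=30)  # tolerate a short overrun past expected return


def parse_log(text):
    """Yield (timestamp, badge, door, result) tuples from the CSV-style log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, result = line.split(",")
        yield datetime.strptime(ts, FMT), badge, door, result


def find_stale_guest_use(log_text, register, grace=GRACE):
    """Return findings for guest badges granted access outside their window.

    Each finding is a dict with badge id, event time, door and a reason:
      - "no_issuance":  guest-style badge with no entry in the register
      - "before_issue": used before the register says it was issued
      - "after_return": used after expected return plus the grace period
    Only GRANTED events matter: a denied swipe means the badge was deactivated.
    """
    findings = []
    for ts, badge, door, result in parse_log(log_text):
        if result != "GRANTED" or not badge.startswith(GUEST_PREFIX):
            continue
        if badge not in register:
            findings.append({"badge": badge, "time": ts, "door": door,
                             "reason": "no_issuance"})
            continue
        issued, expected_return = (datetime.strptime(t, FMT)
                                   for t in register[badge])
        if ts < issued:
            reason = "before_issue"
        elif ts > expected_return + grace:
            reason = "after_return"
        else:
            continue
        findings.append({"badge": badge, "time": ts, "door": door,
                         "reason": reason})
    return findings


def badges_to_deactivate(findings):
    """Collapse findings to the sorted set of badge ids needing deactivation."""
    return sorted({f["badge"] for f in findings})


if __name__ == "__main__":
    hits = find_stale_guest_use(ACCESS_LOG, GUEST_REGISTER)
    for f in hits:
        print(f"{f['time']:%Y-%m-%d %H:%M} {f['badge']} {f['door']} {f['reason']}")
    print("deactivate:", badges_to_deactivate(hits))
```

Run daily against the previous day's log, the output is a short list of badge IDs to pull from the access-control system. The same report also surfaces a front-desk drawer full of badges that are active but never appear in the register, which is the other condition the post relies on.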
The I-Copy XS: A Penetration Tester's Best Friend
While I know that the RFID cloning community all have their own preferences of which tools are best and why, the I-Copy XS stands out as my go-to device for this specific task. Of course this is just my opinion, but I will attempt to share why I have come to this conclusion.
Essentially a Proxmark device in a compact box, complete with a user-friendly GUI and a built-in battery, the I-Copy offers reliability and speed while being the easiest to use in the field when trying to multitask.
The I-Copy has a "do everything for me" button on it that I have found to be incredibly handy over the years.
Let's revisit the idea of grabbing a guest badge from the front desk.
Because the I-Copy is a Proxmark, it's fast, and with the "do everything for me" button I can continue to social engineer, distract or do other tasks while cloning a badge, simply by pushing a single button without even having to look at the device.
This allows you to take the badge, clone it to the I-Copy while keeping up a conversation with no interruptions, then simply glance down to check if it's finished and return the badge.
For me, the reliability and speed of the I-Copy are great, but it's the ability to have that "do everything for me" button that lets me multitask, often social engineering while cloning a badge, that makes the device my go-to.
Conclusion
In the world of physical penetration testing, adaptability and innovation are key. Cloning guest ID badges offers a strategic alternative to the traditional approach of targeting employee badges. By leveraging the capabilities of an RFID cloning device, penetration testers can execute their operations with precision and confidence, ensuring success and maintaining stealth throughout the process.
Remember, the goal is always to stay one step ahead, and sometimes, the best way to do that is to think outside the box—or in this case, outside the employee badge.
Training Resources:
For individuals looking for a hands on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5 day hands on course designed to train individuals and groups to become Covert Entry Specialists
Elicitation Toolbox Course - 2-day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Cyber Bootcamp for Black Teams - 2 day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.
Private one on one Instruction - Book time to get private and personalized instruction on physical penetration testing