Physical Security: Access Card Cloning with Proxmark in Red Team Operations (2)

1. Introduction and Objectives

In this article, we will explore how easy it can be to clone certain types of cards that are widely used, not only in access controls of private organizations (hotels, etc.) but also in public institutions.

To achieve this, we will make use of Proxmark3, which can be acquired from its official website:

• https://proxmark.com

In this article, we will not demonstrate how to set up the environment to be able to use Proxmark3, as there are several tutorials available on the Internet that provide clear instructions for that:

• https://programmerclick.com/article/6252484389/

• https://blog.thehackingday.com/2021/04/conociendo-la-proxmark3-profundidad.html

Therefore, to carry out this practice, we should have the environment prepared as indicated in the previous articles, and a basic understanding of how to use the framework Proxmark3.

2. Cloning a Card in Less Than 1 Minute

Unfortunately, as we’re about to see, there are many cards that can be cloned in less than 1 minute.

It’s important to note that when conducting a security audit of these types of cards, they are always tested to ensure they adhere to the fundamental principles of Cybersecurity, the so-called CID principles: Confidentiality, Integrity, and Availability.

In this case, we will only focus on card cloning, as we won’t perform a comprehensive security audit of the card. Instead, we will simulate how a criminal group could potentially clone an employee’s card (victim) to gain unauthorized access and compromise the physical assets of the victim’s company by impersonating their identity.

a) Proxmark and Cards

To avoid wasting more time, let’s get to work. The materials we need are the following:

b) Obtaining data and keys from the victim card

The following shows how to clone the legitimate access keychain (chip) with two simple commands. Using the “auto” command, the entire keychain check, which is physically on the Proxmark3, is automated. In this case, we see how, after checking the victim card, it tells us that it operates in LF and that it is unknown what type of chip it is. However, as we will see later, this will not be a problem to be able to perform the cloning.

c) Cloning the victim’s card

With the information obtained in the previous step, we proceed to clone the victim keychain (chip) onto a blank “tag T55x7” card, as shown below:

After cloning, we verify it using the “lf em 410x reader” command and see that we get the expected result. Similarly, if we run the “auto” command on the cloned card, we will see the same results as those obtained on the victim keychain (chip).

d) Testing the success of the cloned card

As we can see below, the cloned card works perfectly:

3. Automating Card Cloning in Red Team Operations

As we have seen in the previous section, card cloning can be accomplished by executing three commands in the terminal.

In a desirable physical Red Team Operation scenario, the goal is to automate this cloning process so that it can be executed anywhere, simply by approaching the appropriate person who has their access card from the victim organization in their pocket, or who has momentarily left it unattended on a table. These are just two examples among the many possibilities.

To achieve this, a setup consisting of an autonomous Raspberry Pi powered by a Powerbank and a Proxmark3 connected via USB is proposed. This entire setup can be discreetly hidden in a small enclosure under clothing or wherever is most suitable for the scenario.

The Raspberry Pi, with the Proxmark framework, remains ready to receive input data from the Proxmark3. When a card is brought near, the Raspberry Pi automatically executes the “auto” command. Once this is completed, it reads the output and concatenates the appropriate command with “autopwn,” capturing all the data and keys from the victim card and storing them in corresponding files.

Subsequently, the operator can move to a more comfortable location to perform the data transfer from the victim card to a new card, effectively carrying out the cloning process.

The actions described in the two preceding paragraphs can be achieved by programming a simple script. However, due to professional considerations, we will not make this script available.

4. What can happen at a physical level in a Red Team Operation?

In a physical Red Team Operation, the operator aims to compromise physical security in order to gain access to various departments of the target company. The goal is to obtain confidential information and install different computer devices that allow external team members to gain control of the victim company’s machines.

Some of the devices that can be used for these objectives include:

• Tortuga LAN: https://shop.hak5.org/products/lan-turtle
• Keylogger hardware: https://www.keelog.com
• Piña WiFi: https://shop.hak5.org/products/wifi-pineapple
• USB Rubber Ducky o BadUSB: https://jaymonsecurity.com/ataque-badusb-o-rubber-ducky/
• Shark Jack: https://shop.hak5.org/products/shark-jack
• Screen Crab: https://shop.hak5.org/products/screen-crab

Once the operator has successfully granted cyber access to their team members, they must proceed to leave the organization without detection. This is when their team members come into play to further compromise the entire victim company: installing persistent spyware malware on computer systems, exfiltrating confidential information to Command and Control (C2) servers to compromise the principle of Confidentiality, altering system data to compromise Integrity, launching Denial of Service (DoS) attacks to compromise Availability, and so on.

It goes without saying that reaching this stage poses a serious threat, where a criminal group could have the potential to fully compromise the victim company.

5. Conclusions

Throughout this article, we have witnessed how easily a criminal group can carry out the cloning of access cards.

Likewise, we have been able to observe how a failure in physical security can be exploited by a criminal group to compromise a business organization. Therefore, physical security, responsible for safeguarding the organization’s information systems, must be treated with the seriousness it deserves.

To mitigate such incidents, robust and up-to-date access methods (such as advanced card systems and turnstiles) should be employed along with well-defined security policies.

When implementing new access systems, both physical and digital, it is crucial to follow secure configuration guidelines using proven methods to ensure proper functioning.

In conclusion, the most important and challenging aspect for any organization is mitigating the lack of awareness among its employees. Having well-patched and updated physical and digital systems is of little use if employees do not use them properly.

If you are interested in cybersecurity awareness courses, please feel free to contact us for more information. If you want to acquire introductory knowledge in ethical hacking, you can enroll in our basic ethical hacking course. Alternatively, for more advanced knowledge in offensive cybersecurity, you can consider our advanced course.

If you liked it, or found this article useful, you can treat us to a warm crypto-coffee 😉

BTC: bc1qexsdm4auh6gf7fvdteas8s0lyvvdhmf8m030z3

ETH: 0x87b3d25A9bc19F653aE597D4Cd256C8D49465da6

ZCASH: t1JtTthdmeB9pgqqQqokQRARuGzSXgypieZ

See also: https://jaymonsecurity.com/seguridad-clonar-tarjeta-proxmark-red-team/