Physical Security: Access Card Cloning with Proxmark in Red Team Operations
1. Introduction and Objectives
In this article, we will explore how easy it can be to clone certain types of cards that are widely used, not only in access controls of private organizations (hotels, etc.) but also in public institutions.
To achieve this, we will make use of Proxmark3, which can be acquired from its official website:
In this article, we will not demonstrate how to set up the environment to be able to use Proxmark3, as there are several tutorials available on the Internet that provide clear instructions for that:
Therefore, to carry out this practice, we should have the environment prepared as indicated in the previous articles, and a basic understanding of how to use the framework Proxmark3.
2. Cloning a Card in Less Than 1 Minute
Unfortunately, as we’re about to see, there are many cards that can be cloned in less than 1 minute.
It’s important to note that when conducting a security audit of these types of cards, they are always tested to ensure they adhere to the fundamental principles of Cybersecurity, the so-called CID principles: Confidentiality, Integrity, and Availability.
In this case, we will only focus on card cloning, as we won’t perform a comprehensive security audit of the card. Instead, we will simulate how a criminal group could potentially clone an employee’s card (victim) to gain unauthorized access and compromise the physical assets of the victim’s company by impersonating their identity.
a) Proxmark and Cards
To avoid wasting more time, let’s get to work. The materials we need are the following:
b) Obtaining data and keys from the victim card
Here is how the cloning of the legitimate access card is done with two simple commands. The “auto” command automates the entire card check process for the card that is physically placed on the Proxmark3. In this case, it shows us that after checking the victim card, it operates in HF and is a MIFARE Classic 1K.
By executing the command “hf mf autopwn,” the Proxmark3 automatically performs the necessary operations to compromise the card’s keys.
As seen in the following image, all the keys of the MIFARE Classic 1K card have been automatically obtained, and the data has been saved in various files that will be necessary for cloning the card onto a new one by dumping the contents from these files.
c) Cloning the victim’s card
With all the information obtained in the previous steps, we proceed to clone the victim’s card as shown below:
d) Testing the success of the cloned card
As we can see below, the cloned card works perfectly:
3. Automating Card Cloning in Red Team Operations
As we have seen in the previous section, card cloning can be accomplished by executing three commands in the terminal.
In a desirable physical Red Team Operation scenario, the goal is to automate this cloning process so that it can be executed anywhere, simply by approaching the appropriate person who has their access card from the victim organization in their pocket, or who has momentarily left it unattended on a table. These are just two examples among the many possibilities.
To achieve this, a setup consisting of an autonomous Raspberry Pi powered by a Powerbank and a Proxmark3 connected via USB is proposed. This entire setup can be discreetly hidden in a small enclosure under clothing or wherever is most suitable for the scenario.
The Raspberry Pi, with the Proxmark framework, remains ready to receive input data from the Proxmark3. When a card is brought near, the Raspberry Pi automatically executes the “auto” command. Once this is completed, it reads the output and concatenates the appropriate command with “autopwn,” capturing all the data and keys from the victim card and storing them in corresponding files.
Subsequently, the operator can move to a more comfortable location to perform the data transfer from the victim card to a new card, effectively carrying out the cloning process.
The actions described in the two preceding paragraphs can be achieved by programming a simple script. However, due to professional considerations, we will not make this script available.
4. What can happen at a physical level in a Red Team Operation?
In a physical Red Team Operation, the operator aims to compromise physical security in order to gain access to various departments of the target company. The goal is to obtain confidential information and install different computer devices that allow external team members to gain control of the victim company’s machines.
Some of the devices that can be used for these objectives include:
- Tortuga LAN: https://shop.hak5.org/products/lan-turtle
- Keylogger hardware: https://www.keelog.com
- Piña WiFi: https://shop.hak5.org/products/wifi-pineapple
- USB Rubber Ducky o BadUSB: https://jaymonsecurity.com/ataque-badusb-o-rubber-ducky/
- Shark Jack: https://shop.hak5.org/products/shark-jack
- Screen Crab: https://shop.hak5.org/products/screen-crab
Once the operator has successfully granted cyber access to their team members, they must proceed to leave the organization without detection. This is when their team members come into play to further compromise the entire victim company: installing persistent spyware malware on computer systems, exfiltrating confidential information to Command and Control (C2) servers to compromise the principle of Confidentiality, altering system data to compromise Integrity, launching Denial of Service (DoS) attacks to compromise Availability, and so on.
It goes without saying that reaching this stage poses a serious threat, where a criminal group could have the potential to fully compromise the victim company.
Throughout this article, we have witnessed how easily a criminal group can carry out the cloning of access cards.
Likewise, we have been able to observe how a failure in physical security can be exploited by a criminal group to compromise a business organization. Therefore, physical security, responsible for safeguarding the organization’s information systems, must be treated with the seriousness it deserves.
To mitigate such incidents, robust and up-to-date access methods (such as advanced card systems and turnstiles) should be employed along with well-defined security policies.
When implementing new access systems, both physical and digital, it is crucial to follow secure configuration guidelines using proven methods to ensure proper functioning.
In conclusion, the most important and challenging aspect for any organization is mitigating the lack of awareness among its employees. Having well-patched and updated physical and digital systems is of little use if employees do not use them properly.
If you are interested in cybersecurity awareness courses, please feel free to contact us for more information. If you want to acquire introductory knowledge in ethical hacking, you can enroll in our basic ethical hacking course. Alternatively, for more advanced knowledge in offensive cybersecurity, you can consider our advanced course.