
Red-Teamers: Skip the Proxmark, Clone a Lanyard

I noticed a nice, cheap, low-tech alternative to badge cloning on a recent red-team engagement and thought I’d share. This post is going to be short and sweet.

If you plan to enter an office building with restricted areas during business hours, do a bit of recon a couple of weeks ahead of time. Besides noting how people dress, look for a pattern in the lanyards they wear. Are they customised? If so, staff will most likely assume that anyone wearing a matching one is allowed to be there.

Try to see whether they use different designs for staff, contractors, vendors and so on. Pick your pretext, head over to eBay, and type "custom lanyards" into the search box. I had luck finding a seller who had no minimum order (most printing shops require one) and sold custom lanyards for $10 a pop. I emailed her a photo I took of a legitimate contractor lanyard from the client site and I had a handful of matching replicas in a week.

Take your custom lanyard, attach any old RFID card to it (preferably one on the same frequency the client's readers use, so the reader beeps when you tap it), and stroll confidently in behind a group coming back from lunch. They'll most likely hold the door open for you. You can even grab your badge and act like you are on your way to scan it as they do so, getting a beep as you tap the badge behind them like a good little corporate soldier. A reader will usually beep on any card it can decode, authorised or not, so the tap sounds right even though access is denied; do it once the door is already open, so nobody is waiting to see whether the LED turns green.

Enjoy!
