Performing a Physical Pentest? Bring This!
Physical Pentest Upcoming? Bring a Badgy.
While badge reproduction may not be the intended use of this product, if you are a physical tester and you don’t own one, you need to get one.
https://www.badgy.com/products/badgy-200.html
While stuffing this thing in my suitcase was the obvious choice, maybe in the future I’ll avoid the TSA’s standard loveletter and just ship it.
During an onsite and depending on the time constructs, wandering around outside customer facilities can often lead to an information disclosure situation that is rarely protected by steadfast data controls. If you can identify a badge, the next part is easy; duplicate it. This product had no trouble mapping over USB direct to a VM. From there, Evolis Studio allowed us to iterate through badge variations until we were satisfied.
https://www.badgy.com/download/evolis-badge-studio.html
This page requires things, but not attributable things or monetary exchange. While I’m not going to display the front we came up with, here’s the back:
Don’t forget to match the target environment; with these badges and a tie, we were essentially ignored… even with our antennae, Rubber Duckys, Bash Bunnys, and lock picks in full, upright, and locked positions.
Want to learn more mad skills from the person who wrote this blog?
Check out this class from Kent and Jordan:
