<- Back to writeups

Key Duplication - Basics of Persistent Physical Access

You come into contact with, or get close to, a key to a desired location. How do you gain (persistent) access to that location? Here's how I did it with minimal knowledge of the landscape.


I have access to a facility via a shared key, and only certain personnel can get a copy. There's some situational restrictions against me walking out with it to duplicate. But given temporary access, how can I gain persistent access? How can I maintain physical access to the facility even after my access to the key is revoked? I could exercise some simple red team skills and gain that access, with the added benefit of having my own key.

Closest thing I've done at this point is lockpicking, but that won't work to get into this facility on a day to day basis. It'll take a while, I'll get seen (high foot traffic location), and potentially damage the lock. Not desirable here.

What I could do is duplicating the key, the oldest trick in the book other than lockpicking.

Prerequisite knowledge here is that you know lockpicking and the basics of how a lock works, essentially that there's pins inside and the lock turns when the pins line up.

Duplication - So How Do You Do It?

For my purposes, the key was a fairly standard residential/commercial key and I didn't hit major snags. As I've learned, there's numerous types of keys and it may be a challenge to get one you need. YMMV.

There's a few aspects of a key you need to know to get a duplicate:

Information Gathering

First off, check out the key exterior, are there numbers stamped on it or a vendor name? This is potentially very useful, but mine unfortunately had nothing on the key or the lock.

Essential and basic step, get a good picture of the key, or use a mobile app like InstaCode. Bitting is simply determining the distance the key pushes the pin. A clear picture without shadows, where you can see the key blade, is best. Get a picture of the keyway on the lock too if possible, it'll be a lot more helpful than interpreting shape of the key from the grooves on a picture. While that's possible, it's tricky and has room for error.

Interpreting Your Recon

Bitting is determined by measuring where the sawtooth pattern flattens out (bottom of the cut). I knew the basics from lock picking, but it took some research to find out the bottom of the cut is where you measure. Number of pins will vary, but around 4-7 is common. Since they're equidistant, I measured out and inferred how many pins there'd be. The final sequence should be from bow (key handle) to tip (point of key inserted into the lock).

The site https://cq.cx/key.html is a great help in understanding a key and to determine the bitting and pin count. Shown below is the sample key and measurement they provide. Note the 5 lines where the pins would go. You can tell this key is for a 5 pin lock.

The following link I found helpful in defining various terms and parts of the key, I'd recommend giving it a read: https://www.lockreference.com/how-key-bitting-specifications-work/

You'll also need to know the keyway. This is the shape of the lock opening that the key has to fit into. If you got a picture of it that'd come in handy, compare with different manufacturer keyways. Typical residential/commercial keyways would be Kwikset, Schlage C, Schlage E, but several others exiset. Higher security areas, facilities, server rooms, etc. might use others and the key blank for you case may vary. I was lucky that Schalge E was the keyway I was dealing with.

Example of some Schlage keyways below. Note that the references show the keyway as if you're looking straight at the lock.

Determine Key Blank You Need

Keyblank will determine on two things: pin count and keyway.

There's a bunch of keyblank options. It was hard to find a good resource that makes sense of which key blank I'd need once I've found a keyway and pin count. Turns out ilco's site has a directory with just this information in a bunch of PDFs: http://www.ilco.us/literature-support/373042/key-directory-references.html?category=853794.

Getting The Duplicate

This is the purpose of the whole blog post. You don't have access to the key anymore, so how do you duplicate? Some hardware stores I tried wanted a physical copy of the key before they'd duplicate, and they wouldn't accept the bitting alone.

From an answer on Quora, turns out there's some sellers on Ebay with a key cutter, a bunch of key blanks, and they'll ship you a key cut to your specifications. All you need is the key type and bitting.

Use some opsec sense on the shipping address. Don't send your home key bitting, and ship it to your home. Compare the picture you got of the key and keyway with the key you received, it should match exactly. Lastly of course, test out the key, the lock should open just fine. Congrats!

This is the route I ended up taking. Shipping time took about 3-4 days, and the fit was flawless. Access granted!

Alternate Methods For Duplication

During research it turns out there's many ways including 3D printing that could yield promising results. 3D printing has the added benefit of replicating uncommon key shapes where blanks or key cutters are hard to find, i.e. bike lock keys, or Schlage Primus keys as seen in this neat DEFCON talk Defcon 21 - Key Decoding and Duplication Attacks for the Schlage Primus High-Security Lock.

<- Back to writeups