What starting position does this attack require?

The first step is Unauthorised entry (T1078) — a initial access primitive. Assumed environment: target uses Mifare Classic for door access.

What is the final impact of this kill-chain?

The final step lands on mfoc → recover sector keys (NFC-MIFARE-CRACK), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

Mifare Classic crack → cloned hotel key

Many hotel / corporate door systems still use Mifare Classic. Capture nonces during normal use, recover the Crypto-1 key with mfoc / mfcuk, write to a 'magic UID' card — full access to the property.

Filed by AD Knowledge BasePublished 2026-05-27

§ Kill-chainDrag · zoom · scroll

Initial Access

Unauthorised entry

T1078 · Valid Accounts

Initial Access

Write cloned data to magic-UID blank

SE-RFID-CLONE · RFID / Badge Cloning

Initial Access

Read victim card with Proxmark3

SE-RFID-CLONE · RFID / Badge Cloning

Credential Access

Capture authentication nonces

T1040 · Network Sniffing

Credential Access

mfoc → recover sector keys

NFC-MIFARE-CRACK · Mifare Classic Key Recovery

§ Context

Assumed environment: target uses Mifare Classic for door access. Attacker has a Proxmark3 / ChameleonMini in physical range of a valid card for a few minutes.

§ Steps

01
Unauthorised entryInitial Access
T1078— Valid Accounts
02
Write cloned data to magic-UID blankInitial Access
SE-RFID-CLONE— RFID / Badge Cloning
03
Read victim card with Proxmark3Initial Access
SE-RFID-CLONE— RFID / Badge Cloning
04
Capture authentication noncesCredential Access
T1040— Network Sniffing
05
mfoc → recover sector keysCredential Access
NFC-MIFARE-CRACK— Mifare Classic Key Recovery

§ References

T1078Valid Accounts
T1040Network Sniffing

§ Frequently asked

What is the "Mifare Classic crack → cloned hotel key" attack path?: Many hotel / corporate door systems still use Mifare Classic. Capture nonces during normal use, recover the Crypto-1 key with mfoc / mfcuk, write to a 'magic UID' card — full access to the property. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Unauthorised entry (T1078) — a initial access primitive. Assumed environment: target uses Mifare Classic for door access.
What is the final impact of this kill-chain?: The final step lands on mfoc → recover sector keys (NFC-MIFARE-CRACK), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

Mifare Classic crack → cloned hotel key

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

5G core GTP-U user-plane injection → subscriber MITM

MITM HL7 v2 → tamper lab orders / results

RFID badge clone → after-hours access