SE-RFID-CLONE · Initial Access
RFID / Badge Cloning
Proxmark3 / Flipper Zero captures a badge's HID/iCLASS ID at brush-pass range — clone to a blank for unauthorised entry.
§ Where this technique fits
SE-RFID-CLONE is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, at step 1.5 on average.
§ Dossiers chaining this technique
- step 1 / 5
Mifare Classic crack → cloned hotel key
Many hotel / corporate door systems still use Mifare Classic. Capture nonces during normal use, recover the Crypto-1 key with mfoc / mfcuk, write to a 'magic UID' card — full access to the property.
- step 2 / 6
RFID badge clone → after-hours access
Brush-pass a target employee with a long-range RFID reader, capture their HID/iCLASS card data, clone to a blank — return after hours to badge into restricted floors.
§ What commonly comes next
- 01 Network Sniffing · seen 1× · T1040 · Credential Access
- 02 Tailgating / Piggybacking · seen 1× · SE-TAILGATE · Initial Access
- 03 Valid Accounts · seen 1× · T1078 · Initial Access