TODAY’S TOPIC — Red Team IDs / MIFARE Polyglot Cards!
To request: send name + image; if you sent it in time, printed IDs are ready for pickup.
Last year: printed on inkjet labels before we had a card printer. Improvements made!
Background Info…
For the RedTeam IDs → using a Proxmark to write data to the cards.
Two main chip vendors: HID and NXP (high-freq vs low-freq).
Our Husky cards use NFC / MIFARE Classic.
Security Stuff…
MIFARE Classic is insecure. VERY Poor encryption.
Uses the proprietary Crypto1 cipher (widely analyzed/pwned since ~2008). Very bad.
Still commonly used in access control despite vulnerabilities.
Each card has a factory UID/serial number; this is readable and supposed to be changed... but they don’t.
Cards use sectors and keys (Key A / Key B) and contain access bits and manufacturer data.
Readers often convert UID to an upstream value (e.g., a Wiegand code) that the door controller uses to grant access.
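The reader-to-controller hand-off described above, as an added example (not part of the original notes): a decoder for a 26-bit Wiegand frame. The notes do not say which Wiegand format the campus readers emit; the common 26-bit layout (8-bit facility code, 16-bit card number, two parity bits) is assumed, and the sample frame is constructed.

```python
"""Decode a 26-bit Wiegand frame (assumed layout, not confirmed by the notes)."""
from dataclasses import dataclass

FRAME_BITS = 26
# Constructed sample: facility code 42, card number 12345, valid parity.
SAMPLE_FRAME = "10010101000110000001110011"


@dataclass(frozen=True)
class WiegandCredential:
    facility_code: int
    card_number: int
    parity_ok: bool


def decode_wiegand26(bits: str) -> WiegandCredential:
    """Split a frame into its fields and check both parity bits."""
    if len(bits) != FRAME_BITS or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 characters of 0/1")
    b = [int(c) for c in bits]
    # Bit 0 is even parity over the first 12 data bits (bits 1-12).
    even_ok = sum(b[0:13]) % 2 == 0
    # Bit 25 is odd parity over the last 12 data bits (bits 13-24).
    odd_ok = sum(b[13:26]) % 2 == 1
    facility_code = int(bits[1:9], 2)    # 8 bits: 0-255
    card_number = int(bits[9:25], 2)     # 16 bits: 0-65535
    return WiegandCredential(facility_code, card_number, even_ok and odd_ok)


def identifier_space() -> int:
    """Distinct credentials the frame can carry: 24 data bits in total."""
    return 2 ** 24


if __name__ == "__main__":
    print(decode_wiegand26(SAMPLE_FRAME))
    print("possible credentials:", identifier_space())
```

The parity bits only catch line noise: a frame with two flipped bits in the same half still passes the check, and nothing in the frame authenticates the card that produced it.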
IMPORTANT TO NOTE…
We disclosed findings to IT; they were not concerned, but do not hand out cards or impersonate others.
Stay within Tech/IT policy boundaries and avoid actions that would get the club in trouble. (Covering our asses.)
Polyglot / Multi-format Cards
A polyglot (2-in-1) card can present multiple formats (e.g., our Husky format + another).
Some readers (e.g., Schlage/Allegion) support multi-card types: nice for the organization, also nice for us… we can do a downgrade attack (we don’t need to, we already have the worst type).
Equipment is available to check out through RedTeam (return like library items).
Audience Time!!
Take out your Husky cards and flip them over! (Back numbers → facility code & card number are printed/readable.)
Our card numbers are straight up printed; if you read someone’s card number you could hypothetically make a copy of their card (don’t do this).
Other Topics / Events
Car Hackathon (Yu Cai): embedded car hackathon using Raspberry Pis → ~2 days, team auto-balancing, $500/$400/$300 rewards for 1st/2nd/3rd places! Sign up using the QR code in the presentation.