Mercy College
A Penetration Tester’s Workout
Mark Gladstone
IASP 600 Advanced Topics in Cybersecurity Practices
Professor John Yoon
5/7/2017
Abstract:
A cyber security professional must have a very broad knowledge of systems and the
security surrounding them. As this is the quest of many information security professionals,
several efforts are made to expand this knowledge through the application of hands-on learning.
This project accomplishes the goal of hands-on learning by providing a walkthrough of the
process of a “black box” penetration test on a small local business. The first iteration of this
two-part project began to analyze the gym from a data mining and social engineering perspective. A
web crawler was created with the Python Scrapy framework to help with information gathering
on the Gym’s Facebook page. Several tools were also utilized such as the API Facepager and
Maltego to find out more about the network. The second part of the project will be concerned
with the more physical and on-site implementation of the attack. Before diving into the
penetration test, related work and some of the main applications and tools used will be discussed.
The process of compromising the Gym’s network was a long and tedious one. If you ask anyone
in the gym what the key to success is they will tell you consistency. Even though they are talking
about increasing strength and endurance, consistency was imperative for the success of my
penetration test. Repeated trips back and forth from the Gym, performing several different types
of scanning, and using several different technologies was critical to reach my goal. The
penetration test was carried out through the operation of Kali Linux network scanning, HID card
manipulation, and WiFi Pineapple susceptibility. My final report will state how the network was
assessed and accessed, and will rate the vulnerabilities by associated risk. The penetration test will be
performed and the results submitted to the client.
Chapter 1: Out of shape
Problem Description:
“Network and application vulnerability assessments have a tendency to be difficult and
costly; however, failing to have an assessment done and fixing security loopholes may result in a
security breach by malicious attackers. A security breach can cost an organization time and
money remediating the damage, such as lost confidential business information, which far
exceeds the cost of a security assessment”. Penetration testing in a box (pg. 1)
This statement from the Penetration testing in a box article accurately describes the
general problems that arise when a network is not secured through pen testing. Much like
people become out of shape and unhealthy if they do not have any physical activity for an
extended period of time, networks need to be evaluated and attacked regularly to ensure secure
operation. The problem presented in this project specifically involves breaking into, or
compromising a small business’s network. The company chosen had asked that their name
remain anonymous. For the purpose of the project it can be noted that the target was a small
private gym business in the United States. The task of this project was more difficult due to the
nature of the black box test. In a black box testing environment, very little information is
known about the entity prior to the test, whereas in a white box environment some aspects of the
infrastructure may be known or given in order to aid the tester. Since the Gym is open 24 hours,
there are HID card readers at the front door, the gym desk, steam rooms, and the network closet.
The gym was also under complete closed circuit surveillance at the interior as well as the exterior
door. This is due to the fact that there are hours of the night where the front desk remains
unmanned by staff, where the gym remains open to guests. Another aspect that made this
location a difficult one to test is that this gym happened to be underground (the lower level in a
shopping center). Network signals could not be detected from outside the gym at the sidewalk, or
the parking lot due to the lower level nature of the building. The Gym network consists of a
network closet containing the main router and switch along with the outward facing Mood Social
WiFi router facing the customers. One Desktop sits at the front desk connected to the LAN.
(Fig 1- Gym Network Overview)
With the combination of the bunker-like security and the limited information known at the
beginning of the test, one can see how this system was no easy task. As the network is laid out
quite simply compared to larger companies, this also meant that there were far fewer attack vectors
to utilize to gain access. The goal is to find a way into the building, and to get valuable
information off of the network while holding true to the pen testing guidelines of the client.
Chapter 2: Developing Good Form
Related Work:
Form is one of the hardest things for new gym members to develop. Working out with the
proper technique is a big part of exercise. If one does not look back and learn from those who
have perfected the art they will have great difficulties or possibly even risk getting hurt. Before
jumping into my penetration test I made sure I did ample research and developed my skills. The
largest body of related work, which was used as a strong guideline and reference during the
process of this project, was Georgia Weidman’s Penetration Testing: A Hands-On Introduction to
Hacking. The author, Georgia Weidman, is a veteran, well-respected penetration tester and
researcher. She has spoken at several reputable conventions including ShmooCon, Black Hat,
DerbyCon and more. Weidman has also created her own mobile device penetration testing
framework. Penetration Testing supplies introductory labs covering all elements of penetration
testing including framework, information gathering, programming, finding vulnerabilities,
exploitation, password attacks, social engineering, bypassing antivirus, and more. The hands-on
nature of the book provides several examples for all of the above subjects.
Initially the labs were set up as Windows, Kali Linux, and Ubuntu virtual machines. The Kali
configuration was up to date, while the two Windows systems and one Ubuntu system were all
configured with slight vulnerabilities. Several activities including Linux terminal drills and
bash/python scripting are picked up early to aid the tester later in the book. Towards the middle
of the book there is an in-depth look at the Linux tool Metasploit. The Metasploit framework can
be essential in allowing for the smooth use of exploits against a vulnerable system. Metasploit
knowledge and usage were practiced prior to the attempt, as it
is praised as an extremely powerful tool in the world of penetration testing.
The two main information gathering tools utilized in the project, Nmap and Zenmap, were also
introduced and practiced in Weidman’s labs. Nmap (“Network Mapper”) is a
free and open source utility for network discovery and security auditing. Nmap works by using
raw IP packets in novel ways to determine what hosts are available on the network, and what
services those hosts are offering. Additional information imperative to information gathering can
be found, such as what operating systems, versions, and what type of packet filters/firewalls are
used. Zenmap is simply a GUI and results viewer for the command line Nmap. The Nessus tool
can be used to automate testing and discovery of several known security issues. For the purpose
of the project the Nessus vulnerability scan is used as a baseline for potential vulnerabilities, as well
as a major source of information such as device names, IPs, versions, etc. Nessus
configuration and implementation are discussed and shown in Weidman’s labs under information
gathering. The inclusion of these labs and tools was essential to the success of this project and
will be seen later in the approach section.
The second related article, Penetration testing in a box, is from the ACM Digital
Library. It explains basic and proper penetration
testing strategy and objectives, and introduces a system to aid penetration testers. The article
highlights the past use of automated penetration testing systems such as the Pwn Plug, Pwn Pi and
MiniPwner. The Pwn Plug, released in 2012, was a Debian 6 based minicomputer with 512MB of
RAM. This device has open source security tools that allow for stealthy connections to a wireless
network. The Pwn Pi runs a Linux distribution on a Raspberry Pi to be used as a drop box. The
MiniPwner is a penetration testing drop box which acts as a portable router. The MiniPwner was
designed to utilize VPN connections as well and can be used for war walking (a penetration
testing technique where information about nearby wireless networks is stored as one walks by
several networks). These types of devices can be used by a small business that might not be able
to afford a pen testing team, allowing them to do some pen testing and securing in a more affordable
manner. The article continues to expand on how the group created their own low cost
minicomputer device. They use a Raspberry Pi B+ model and propose it to be connected to a
corporate computer. Then it creates a connection to the VPS or Virtual Private Server, while
configuring a web interface to create a backdoor for a pen tester to scan for vulnerabilities. This
application is definitely useful; however, it requires physical access to a network machine as well
as the VPS vulnerability. The idea of small automated pen testing gizmos is always a good one.
These types of devices could potentially do assessments individually or greatly aid the team of pen
testers in certain situations. The value here can be seen in the use of our Pineapple device in the
approach section.
The final article, Attacks on Proximity Card systems, discusses vulnerabilities of HID
systems. As you will see later in the approach, one of the main security systems in place for the
gym is an HID proximity card system. Understanding how this system works and can be
manipulated was crucial to the pen test. The article begins by noting that the low frequency 125
kHz cards have apparent vulnerabilities that have yet to be addressed as these devices are still
being frequently installed. The article goes on to talk about the design and functionality of the
HID card. In a basic interaction the employee brings the card within range of a ProxPoint reader.
The reader then supplies the card with power, allowing the card to transmit the
pre-programmed code to the door reader. This code is then transmitted to the door controller and the
controller can decide whether to allow or deny. As for the cards, there are two types of card
frequencies: 125 kHz (low) and 13.56 MHz (high). The interesting element of the card is that it
does not actively transmit the RF signal until it is introduced to the reader and gains the energy
inductively, just like an induction stove top and pan. The process of transmission between the
door reader and the card is referred to as the Wiegand interface. During the Wiegand interface,
transmission occurs with the use of three wires and a series of 50 µs wide pulses of binary 1’s or
0’s. This is referred to as the Wiegand 26. The HID card in the gym’s case is the HID Proxcard II.
This card is passive and holds a 44-bit value separated into different sectors and blocks. The two
most important of these sectors are the card number and the Facility code or Site
code. Together these form the Wiegand 26, as they are the only 26 bits needed from the card to
open the door. These two numbers are preset by the manufacturer of the card and can be imagined
much like the ID and password of the card. During the Wiegand interface the door reader powers
the card and opens if the correct ID number and site code are recognized.
(Fig 2 -Manchester waveform for Wiegand transmission. Transmission sent to brute force
door in chapter 5.)
This is the usual standard for these cards but other formats are supported as well. A card
with this configuration usually has the ID code printed on the front of it. This code represents
that of the cards for that building and has the intent to not allow people from another company
with the same user code to access the door. The card has partitioned space to prevent collisions.
The article referenced continues to talk about the many attack vectors and weaknesses of these
HID systems. This includes replay attacks, cloning of cards, off-the-shelf reading, RF sniffing, and
brute force attacks. This is all possible thanks to the fact that these cards do not use any real
authentication or encryption security measures to protect the card numbers or validate the user.
The use of an off-the-shelf RF reader can be extremely helpful for sniffing the Wiegand
transmission from the card. This transmission can be copied and then replayed to gain access to a
door for entry. RF sniffers can operate from a distance as well. With the proper equipment a
Wiegand transmission could be copied from a long distance. The cards themselves also have a brute
force vulnerability by way of the card numbers. If the site code can be determined with
the use of software, then it significantly helps a brute force cut down the variables and allows the
attack to open doors in a more reasonable timeframe. This type of attack will be discussed later
on in the approach section as it is carried out. With the combination of replay and brute force
vulnerabilities the modern low voltage HID system is not as secure as one might think.
Chapter 3: Workout Regimen
Proposed Approach:
Most people motivate themselves to go to the gym with a goal, whether it is lifting
weight to get stronger or doing cardio to lose weight. A good practice to achieve your overall
goal is to plan it out with a regimen. My goal and the main idea proposed for this project was to
conduct a real world penetration test at the gym. Much research would be done in the procedure
of pen testing and proper equipment acquired to do so. For the purpose of this project the
penetration testing company was called ShadowSec and was contracted to conduct a penetration
test against XXX Gym. This assessment was conducted in the situation where a malicious user
would use anything at his disposal to penetrate XXX gym’s defenses. The impact of the security
breach will be based on the integrity of the company's systems, confidentiality of the business’s
customer information, and the internal infrastructure of XXX’s information systems. The small
business was contacted and agreed to the pen test. The constraints as far as access and
information privacy were discussed. The project is to carry out this pen test in the black box
manner and use any vector possible to compromise the target. Once the target’s system is tested
and vulnerabilities are accounted for, a report should be developed. The pen tester shall not affect
normal working day systems in any way that inhibits operation. The pen tester shall not steal,
withhold, or divulge private client information from customers of XXX gym. The pen test report
should follow proper standards, displaying the results of the pen test and the methods used. Upon
completing the pen test, the report will be presented to the client.
Chapter 4: Circuit Training
Approach:
Circuit training is a workout routine which involves several quick exercises in succession
to increase your heart rate and burn calories. Comparably, this section of the pen test was all about
running around and trying different things to find my way in and reach my goal. Although the approach
sounded very simple in concept, the reality of the approach was a slow grind involving long man
hours, multiple attempts, and a lot of weight lifting: figuratively lifting weight by slowly picking
up parts of the network and looking under to find an attack vector, along with the literal physical
lifting of weight to look less conspicuous while turning around and scanning the network with a
laptop at the same time.
Starting from the beginning, the target was acquired because it was a local small
business, with fewer than 10 employees and approximately 100 active clients. Much information
was collected prior to the physical implementation of the project through online data collection
of clients, employees and web site properties. However, due to the agreement with the client the
name of the gym and its clients are to remain confidential throughout this report. For this reason
the main focus shifted to find a more technical means to gain access, compared to socially
engineering straight into the network closet. It is important to know, however, that some helpful
information was gleaned from some of the gym’s employees. Discussions took place relating to
where the network closet was located, the software and HID card model, and the operation of the
cameras. These information-gathering questions were posed innocently to several different
employees, just from the curious perspective of a customer. The first real step was to purchase a
gym membership to gain access into the gym easily. Upon purchase of the $20 monthly
membership an HID card is issued to the customer to allow 24 hour access to the gym equipment
and steam rooms. To avoid risking detection it made sense to buy a membership to the gym in
cash under a fake name, although using the discussed RFID long range sniffing technique would
have also worked to copy another customer’s Wiegand transmission and gain access. Once the
membership was purchased, I was granted 24/7 physical access to the gym. The next task was to
make sure I could do some reconnaissance without being compromised. The client was informed
of the test but the employees were not made aware of my pen test for the purpose of realism. The
client agreed to notify me if any employee felt my activities in the gym were suspicious, or if any
technical staff flagged my presence on the network. Luckily during the entire implementation of
the pen test no employee raised any flags. Moving on, it is also important to know during
working hours there is an employee stationed at the gym desk until ten pm each day. After ten
there are no employees at the gym desk until six am the following day. For my initial
reconnaissance I went in around 1 am and conducted a three-part scan involving a Nessus scan,
Nmap scan, and an Angry IP scan on the wireless network. I brought my laptop in with a bag and
made sure to open it only three quarters of the way and use it in a specific corner on a bench. I
moved this bench to the corner of the gym to avoid any of the gym cameras from seeing my
computer screen during my scanning. I also made sure to use the nearby leg machines and bench
press at intervals to make it appear that I was only there for a late night workout. The gym has
free WiFi access, so getting on the network couldn't have been easier. To make it easy for the
guests there is no password for the wireless network, only a portal page. The portal page wanted
me to log in with my Facebook, but I noticed the alternative option to create my own profile. I
created my own profile under a fake name and I was able to connect to the network. My first
basic Nmap scans for SYN, TCP, and UDP on any class C netmask came back with very little.
(Fig 3- SYN Stealth scan):
(Fig 4- Nessus Scan)
(Fig 5- ifconfig command)
Now that I was connected to the WiFi I went to the Kali terminal and ran an ifconfig to
see my IP and the IP of the network. The only hit from my scanning was the 10.1.7.255 based IP
of the router's broadcast signal. I was not thrilled to see the network subnetted at 0.255.255.248.
This meant that the network I was accessing was segmented from the bigger network and not
easily connected. After scoping out the gym’s environment it appeared that they only possessed
one desktop computer which stored customer information and possessed the HID card software.
A web server vulnerability profile was conducted but the website did not possess a log in or
customer portal. The website simply acts as an online advertisement and informs customers to
come in and sign up at the gym. The site is not connected to the customers’ data in any way. For
this reason targeting the web server seemed less critical in the goal of making a significant
compromise. My thinking that the network would be small and simple was correct, but my idea
that this would aid my attempt was wrong. The wireless network was simply configured but well
segmented. My two main objectives then shifted to either gaining access to the desktop running
off the local Ethernet, or gaining access to the networking closet located in the back room. As
there are cameras covering virtually every inch of the gym, reaching over the front desk would
have been risky. If one could simply slip a key logger into the computer during unmanned desk hours
there could be an easy compromise. To avoid getting caught, this was not attempted, but the plug
and play capability of USB drives was confirmed later by the client as well as the fact that the
cameras are not actively monitored. This is a valid vulnerability of the gym system and was
stated in the report.
Chapter 5: How to Pull Open a Door Labeled Push.
Approach Continued:
Having read the “Attacks on Proximity Card systems” article, and gaining familiarity
with these HID systems, I then decided to focus on trying to penetrate the door to the network
closet. Gaining access to the closet would give me the greatest amount of control over the
system. Currently when scanning my card at the door reader, it simply flashed red (denying my
card). The first step to getting access to the closet door was to capture the Wiegand transmission
from my card with the use of a third party card reader. The equipment used for this purpose is
called the Proxmark3 card reader kit. It can be found online for about $400 and includes a small
chip board, antennas for reading low and high frequency RFID, and some sample tags to practice
with. The Proxmark Client software implements a GUI that makes cloning and sniffing card data
a breeze. Using the Proxmark3 reader and client I was able to read the 44 bits off of my HID
card and locate my site code. The ID number was written on the card when I received it;
however, it can also be seen by the software when the card is scanned. The software in action can
be seen below.
(Fig 6- Proxmark software card bit breakdown with Site code and ID number).
On one dark night in March, I came back to the gym and snuck over to the network closet
door. I hid the Proxmark device inside my shirt and slid the antenna with my card information up
my sleeve. I casually scrolled on my phone while pressing my sleeve with the disk of the antenna
up to the door. After 33 very long minutes the door finally flashed green. I immediately grabbed
the door handle and felt the door unlatch. I had fulfilled my goal of compromising the Gym’s
physical access system, and gained entry to the network closet. This breach was stated in my
report as a major vulnerability. I performed the attack again on the front door on my way out just
for good measure and was able to unlock the front door with the same method.
(Fig 7- Indoor brute force, antenna held against door, authenticated)
(Fig 8-outdoor Brute force) (Fig 9- Access granted)
I was thrilled that I was able to gain physical access to the closet through HID
manipulation, but I still felt very much defeated in my initial effort to exploit a vulnerability in the
wireless network. Finally it dawned on me that I was trying so hard to find something specific
like an open port or a service, that I had completely overlooked the more obvious security flaw
of the gym’s free WiFi. This gym network is similar to most public WiFi networks, such as those at an
airport or cafe. I couldn’t see any part of the network beyond the WiFi, but I could see all of the
other gym members on the subnet. I also realized that I possessed the perfect tool to take
advantage of this situation: the WiFi Pineapple.
Chapter 6: Superset
Approach Continued:
A superset is gym jargon for a workout that involves two different exercises performed in
conjunction instead of separately. This is usually when you use the bench press then run over to
do the incline bench right after. My superset involved taking another shot at the wireless network
after gaining physical access. The WiFi Pineapple is a device that can act as a rogue access point.
The WiFi Pineapple device used for the purpose of this attack was the WiFi Pineapple Nano, the
least expensive of the product line. For my purpose the Nano performed exceptionally well with
the addition of one antenna to boost the strength of my signal. As the gym was small, it didn't
need any extra power that the higher end models provide. I was able to run and save the data
from the Pineapple device as it was plugged into my dedicated Kali laptop. The Pineapple works
by emulating the actual network access point of the gym’s FREE WIFI network. As users come
back to the gym and try to reconnect to the real network, my copy of the open network is
constantly trying to pick up the probes being sent out by their devices. Once connected to the
false access point the customers’ connections access the internet much the same way they
normally would. I could then analyze all of the customers’ traffic as it is sent through my
machine and logged. Any information sent through HTTP traffic can be seen in clear text. HTTP
could be inspected and translated into clear text. Unlike the brute force adventure, I needed to be
at the gym during the day when other people were there to pick up their devices. I quickly ran
over to the gym and reluctantly set up my laptop in a bathroom stall. By implementing an attack
in this way, I was able to use the layout of the gym to my advantage. Any customer inside the
gym must use the gym’s Wi-Fi, as there is no cell signal inside the underground concrete walls of
the gym. This created a large number of targets to attract to my rogue access points. In just a few
minutes I was able to pick up several of the customers’ devices.
(Fig 10- Pineapple captured devices list.)
To stay within the pen testing parameters I simply noted that the packets were collected
from the devices and did not inspect the packets too deeply to discover personal information.
After discovering the rogue access point vulnerability, all data including traffic and user device
names are to be deleted after the report is submitted to adhere to the client's guidelines. It is
important to know that once the traffic can be seen over HTTP, customers are made vulnerable
to a myriad of attacks. Examples of follow-up attacks to this situation include SSL stripping,
captive portal, and Site Survey. When using SSL strip, the user's HTTPS connections are forced
to redirect to a false HTTP login page that captures credentials in clear text. The captive portal
module can set up a fake splash page in HTML requiring users to enter data while
thinking they are logging in to the gym. All three of these “Man in the Middle” attacks have
dedicated modules in the Wi-Fi Pineapple GUI. The manipulation of the wireless network was
very successful as it showed that the network does not protect the information and credentials of
the customers. This was noted as another major vulnerability.
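One way a venue could watch for the rogue access point described in this chapter, as an added example that is not part of the original paper: it flags the guest SSID when it is advertised by a BSSID outside the venue's inventory, and flags a single BSSID that answers for several unrelated SSIDs. The SSID string, MAC addresses, inventory and observations are constructed assumptions; a real deployment would feed in scan results from a monitoring sensor.

```python
from collections import defaultdict

# Assumed inventory of the BSSIDs the venue operates for its guest SSID.
# The SSID string and every MAC address here are constructed for illustration.
AUTHORIZED = {"FREE WIFI": {"02:00:00:aa:00:01"}}

# Constructed sensor observations: (bssid, ssid, channel, rssi_dbm).
OBSERVATIONS = [
    ("02:00:00:aa:00:01", "FREE WIFI", 6, -48),      # the venue's own AP
    ("02:00:00:bb:00:09", "FREE WIFI", 11, -35),     # same name, unknown radio
    ("02:00:00:bb:00:09", "HomeNet-5G", 11, -35),    # same radio, other names
    ("02:00:00:bb:00:09", "CoffeeShop", 11, -36),
    ("02:00:00:cc:00:02", "NeighborStore", 1, -80),  # unrelated neighbour
]


def find_rogue_aps(observations, authorized, many_ssids=3):
    """Return findings as (kind, bssid, detail) tuples, sorted by BSSID.

    unauthorized_bssid   : a protected SSID seen from a radio not in inventory.
    multi_ssid_responder : one BSSID advertising many SSIDs, which matches an
                           access point that answers whatever clients probe for.
    """
    ssids_by_bssid = defaultdict(set)
    for bssid, ssid, _channel, _rssi in observations:
        ssids_by_bssid[bssid.lower()].add(ssid)

    findings = []
    for bssid in sorted(ssids_by_bssid):
        ssids = sorted(ssids_by_bssid[bssid])
        for ssid in ssids:
            if ssid in authorized and bssid not in authorized[ssid]:
                findings.append(("unauthorized_bssid", bssid, ssid))
        if len(ssids) >= many_ssids:
            findings.append(("multi_ssid_responder", bssid, ", ".join(ssids)))
    return findings


if __name__ == "__main__":
    for finding in find_rogue_aps(OBSERVATIONS, AUTHORIZED):
        print(finding)
```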
Chapter 7: Building Strength
Conclusion:
After the test was completed the following report was written and presented to the client.
The overall purpose of the report was to test and inform the client of the vulnerabilities in their
network, along with some possible remedies. My report finds XXX gym to have a high risk rating.
This was determined by the three main vulnerabilities of the physical access HID system, the
unsecured wireless network, and the passive nature of the facility’s cameras. The medium risk
elements include the lack of cyber security training of the staff and the defenseless plug and play
USB ports on the desktop Mac. The high risk HID vulnerability is due to the vulnerable HID
Proxcard and door control system. I recommended upgrading this system to a more secure
method of access control, such as the higher end RFID cards with brute force prevention. A door
control mechanism which implements a login limit, or one that reports back to the security
system, could have easily botched my physical access to the network closet and front door. The
high risk open Wi-Fi Pineapple attack is not quite as easy to solve. One of the best defenses
against the Pineapple attack is to provide a VPN tunnel for your customers on the Wi-Fi. This
will at least protect the integrity of their data if a man in the middle is present. They should
also educate their members about the possibility of these kinds of attacks, possibly even urging
them not to send valuable information over the Wi-Fi while at the gym. Influencing customers to
use HTTPS sites is a good practice but is not foolproof, as the mentioned SSLSTRIP attack can
still revert the user back to HTTP unknowingly. After my testing phase I talked to the client, asking
him to make sure that I wasn't noticed on the cameras; he told me that they are not actively
monitored and remain passive unless there is a reason to look back at them. I included this as
a high risk vulnerability, as looking back at the cameras would not be proactive enough to catch
someone on the wireless network. The client told me that he was already thinking of having the front
desk worker watch the cameras, or install software to view them remotely. This would be
beneficial for the security of the gym and I highly recommended it. The medium risk of an easily
installed key logger or USB rubber ducky has a simple fix. Just disabling the USB ports on the
Mac desktop can easily prevent this type of attack. Another good practice would be to store the
desktop in a locked cabinet during the unmanned desk hours of the night. This risk is labeled
medium as a directed attack was not carried out on the machine in case of disrupting workflow,
and the antivirus might have noticed it. However, it is susceptible to an attack and antivirus can
be bypassed. The final, and one of the most important recommendations I had for XXX gym was
to run drills to inform their staff about possible cyber-attacks and threats. If the staff had been
less willing to answer my questions about the network throughout this test it would have
significantly slowed me down. Other standard security recommendations include implementing
regular firewall rule set reviews, implementing a patch management program, conducting regular
vulnerability assessments, and restricting access to all critical systems. Overall my report finds
XXX gym to have a high risk rating. It describes the manner in which vulnerabilities were uncovered
along with possible solutions and ideas to help prevent these vulnerabilities.
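The login limit and reporting recommended above for the door controller, as an added example that is not part of the original report: it decodes reads in the standard 26-bit Wiegand layout discussed in Chapter 2 (even parity bit, 8-bit facility code, 16-bit card number, odd parity bit), then locks a reader and records an alert after repeated denied reads. Reader names, thresholds, card values and the event stream are constructed assumptions.

```python
from collections import defaultdict, deque


def decode_wiegand26(bits):
    """Return (facility_code, card_number), or None for a malformed frame."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        return None
    # Bits 0-12 must hold an even number of 1s, bits 13-25 an odd number.
    if bits[:13].count("1") % 2 != 0 or bits[13:].count("1") % 2 != 1:
        return None
    return int(bits[1:9], 2), int(bits[9:25], 2)


def frame(facility, card):
    """Build a well-formed frame; used only for the constructed events below."""
    body = f"{facility:08b}{card:016b}"
    even = str(body[:12].count("1") % 2)
    odd = str((body[12:].count("1") + 1) % 2)
    return even + body + odd


class DoorController:
    """Grants known credentials and locks a reader after too many denials."""

    def __init__(self, allowed, max_denied=5, window_s=60, lockout_s=300):
        self.allowed = allowed            # reader -> set of (facility, card)
        self.max_denied = max_denied      # denied reads tolerated per window
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.denied = defaultdict(deque)  # reader -> recent denial timestamps
        self.locked_until = {}            # reader -> time the lockout ends
        self.alerts = []                  # (timestamp, reader, denied_count)

    def handle_read(self, reader, bits, ts):
        # While locked, nothing is evaluated, so guessing cannot continue.
        if ts < self.locked_until.get(reader, 0):
            return "LOCKED"
        cred = decode_wiegand26(bits)
        if cred is not None and cred in self.allowed.get(reader, set()):
            return "GRANT"
        recent = self.denied[reader]
        recent.append(ts)
        while ts - recent[0] > self.window_s:
            recent.popleft()
        if len(recent) >= self.max_denied:
            self.locked_until[reader] = ts + self.lockout_s
            self.alerts.append((ts, reader, len(recent)))  # report to security
            recent.clear()
            return "LOCKED"
        return "DENY"


def simulate():
    """Run a constructed event stream: normal use, then a burst of bad reads."""
    ctl = DoorController({
        "front": {(42, 1001), (42, 1005)},
        "closet": {(42, 1005)},           # only the staff card opens the closet
    })
    results = [
        ctl.handle_read("front", frame(42, 1001), 0),    # member enters
        ctl.handle_read("closet", frame(42, 1001), 10),  # single wrong door
    ]
    for i in range(10):                   # one unknown card number per second
        results.append(ctl.handle_read("closet", frame(42, 2000 + i), 1000 + i))
    results.append(ctl.handle_read("closet", frame(42, 1005), 1010))  # locked
    results.append(ctl.handle_read("closet", frame(42, 1005), 1400))  # expired
    return results, ctl.alerts


if __name__ == "__main__":
    outcome, alerts = simulate()
    print(outcome)
    print(alerts)
```

A lockout that refuses every read also keeps staff out for its duration, so the threshold and lockout length are a trade-off the operator has to choose.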
Chapter 8: New PR
Future efforts:
If one says “I just got a new PR!” after doing a lift it means that they have surpassed their
previous efforts and achieved a new “Personal Record”. After working on this project I got the
same feeling that I got when I deadlifted 365 pounds for the first time. I feel stronger now that I
have been able to succeed at such a task and I can't wait to improve my skills again. As I
appreciated making gym XXX more secure, the project was also a means to expand my own
knowledge of penetration testing. I was able to familiarize myself with a collection of tools and
interact with a real small business network. In my mission of becoming a professional
penetration tester, this project was a step in the right direction. I learned that I am capable of
carrying out a successful penetration test and plan to do many more in the future. As a next step I
am planning to take the highly regarded Offensive Security Certified Professional certification.
This certification involves a 30-day training course with virtual labs to break into. The
certification is quite a challenge but extremely valuable for an up and coming penetration tester.
Upon passing the OSCP test my next goal will be to familiarize myself with the defensive side of
the field, mastering the Security Onion operating system and learning how to prevent the attacks I
have perfected. I feel that these are my next necessary steps to help improve the state of
cybersecurity, and be successful in my future workouts.
Works Cited:
A: Attacks on Proximity Card Systems. 28 May 2013. (n.d.). Retrieved May 03,
2017, from https://ianhowson.com/blog/attacks-on-proximity-card-systems/
B: Weidman, G., & Eeckhoutte, P. V. (2014). Penetration testing: a hands-on
introduction to hacking. San Francisco: No Starch Press.
C: H. (2016, January 01). Retrieved May 03, 2017, from
https://www.youtube.com/watch?v=eHnQwTCKe2o&t=402s
D: Penetration testing in a box. Lee Epling, Brandon Hinkel, Yi Hu. Kennesaw,
Georgia — October 10 - 10, 2015
E: H. (2015, December 22). Retrieved May 03, 2017, from
https://www.youtube.com/watch?v=CrHbEZd4t00
F: (n.d.). Retrieved May 03, 2017, from
http://www.puntoflotante.net/TUTORIAL-RFID-ISO-14443A-TAGS-13.56-MHZ.htm