Mercy College, cysecure.org/600/markgladstone_masterspaper.pdf


Mercy College

A Penetration Tester’s Workout

Mark Gladstone

IASP 600 Advanced Topics in Cybersecurity Practices

Professor John Yoon

5/7/2017


Abstract:

A cyber security professional must have a very broad knowledge of systems and the security surrounding them. As this is the quest of many information security professionals, several efforts are made to expand this knowledge through the application of hands-on learning. This project accomplishes the goal of hands-on learning by providing a walkthrough of the process of a “black box” penetration test on a small local business. The first iteration of this two-part project began to analyze the gym from a data mining and social engineering perspective. A web crawler was created with the Python Scrapy framework to help with information gathering on the gym’s Facebook page. Several tools were also utilized, such as the API Facepager and Maltego, to find out more about the network. The second part of the project will be concerned with the more physical and on-site implementation of the attack. Before diving into the penetration test, related work and some of the main applications and tools used will be discussed.

The process of compromising the gym’s network was a long and tedious one. If you ask anyone in the gym what the key to success is, they will tell you consistency. Even though they are talking about increasing strength and endurance, consistency was imperative for the success of my penetration test. Repeated trips back and forth from the gym, performing several different types of scanning, and using several different technologies were critical to reaching my goal. The penetration test was carried out through Kali Linux network scanning, HID card manipulation, and WiFi Pineapple susceptibility. My final report will state how the network was assessed and accessed, and will rate the vulnerabilities by associated risk. The penetration test will be performed and the results submitted to the client.


Chapter 1: Out of shape

Problem Description:

“Network and application vulnerability assessments have a tendency to be difficult and costly; however, failing to have an assessment done and fixing security loopholes may result in a security breach by malicious attackers. A security breach can cost an organization time and money remediating the damage, such as lost confidential business information, which far exceeds the cost of a security assessment.” (Penetration testing in a box, pg. 1)

This statement from the Penetration testing in a box article accurately describes the general problems that arise when a network is not secured with the use of pen testing. Much like people become out of shape and unhealthy if they do not have any physical activity for an extended period of time, networks need to be evaluated and attacked regularly to ensure secure operation. The problem presented in this project specifically involves breaking into, or compromising, a small business’s network. The company chosen asked that their name remain anonymous. For the purpose of the project it can be noted that the target was a small private gym business in the United States. The task of this project was more difficult due to the nature of the black box test. In a black box testing environment very minimal information is known of the entity prior to the test, whereas in a white box environment some aspects of the infrastructure may be known or given in order to aid the tester. Since the gym is open 24 hours, there are HID card readers at the front door, the gym desk, steam rooms, and the network closet. The gym was also under complete closed circuit surveillance at the interior as well as the exterior door. This is due to the fact that there are hours of the night where the front desk remains unmanned by staff while the gym remains open to guests. Another aspect that made this location a difficult one to test is that this gym happened to be underground (the lower level in a shopping center). Network signals could not be detected from outside the gym at the sidewalk or the parking lot due to the lower level nature of the building. The gym network consists of a network closet containing the main router and switch, along with the outward facing Mood Social WiFi router facing the customers. One desktop sits at the front desk connected to the LAN.

(Fig 1- Gym Network Overview)

With the combination of the bunker-like security and the limited information known at the beginning of the test, one can see how this system was no easy task. As the network is laid out quite simply compared to larger companies, this also meant that there were far fewer attack vectors to utilize to gain access. The goal is to find a way into the building, and to get valuable information off of the network while holding true to the pen testing guidelines of the client.

Chapter 2: Developing Good Form

Related Work:

Form is one of the hardest things for new gym members to develop. Working out with the proper technique is a big part of exercise. If one does not look back and learn from those who have perfected the art, they will have great difficulties or possibly even risk getting hurt. Before jumping into my penetration test I made sure I did ample research and developed my skills. The largest body of related work, which was used as a strong guideline and reference during the process of this project, was Georgia Weidman’s Penetration Testing: A Hands-On Introduction to Hacking. The author, Georgia Weidman, is a veteran, well respected penetration tester and researcher. She has spoken at several reputable conventions including ShmooCon, Black Hat, DerbyCon and more. Weidman has also created her own mobile device penetration testing framework. Penetration Testing supplies introductory labs covering all elements of penetration testing including framework, information gathering, programming, finding vulnerabilities, exploitation, password attacks, social engineering, bypassing antivirus, and more. The hands-on nature of the book provides several examples for all of the above subjects.

Initially the labs were set up as Windows, Kali Linux, and Ubuntu virtual machines. The Kali configuration was up to date while the two Windows systems and one Ubuntu system were all configured with slight vulnerabilities. Several activities including Linux terminal drills and bash/python scripting are picked up early to aid the tester later in the book. Towards the middle of the book there is an in-depth look at the Linux tool Metasploit. The Metasploit framework can be essential in allowing for the smooth utilization of exploits against a vulnerable system. The importance of Metasploit knowledge and implementation was practiced prior to the attempt, as it is praised to be an extremely powerful tool in the world of penetration testing.

The two main information gathering tools utilized in the project, Nmap/Zenmap, were also introduced and practiced in Weidman’s labs. Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing. Nmap works by using raw IP packets in novel ways to determine what hosts are available on the network and what services those hosts are offering. Additional information imperative to information gathering can be found, such as what operating systems and versions are running and what type of packet filters/firewalls are used. Zenmap is simply a GUI and results viewer for the command line Nmap. The Nessus tool can be used to automate testing and discovery of several known security issues. For the purpose of the project the Nessus vulnerability scan is used as a baseline for potential vulnerabilities, as well as a massive boost to information as far as device names, IPs, versions, etc. Nessus configuration and implementation are discussed and shown in Weidman’s labs under information gathering. The inclusion of these labs and tools was essential to the success of this project and will be seen later in the approach section.
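As an added example (not part of the paper, and not Nmap's or Weidman's code), the following Python script parses Nmap's grepable output (the `-oG` format) into a per-host inventory, the kind of post-processing a defender uses to turn a scan into an asset list and to answer questions such as "which hosts expose port 22?". The scan text in `SAMPLE_GNMAP` is constructed to match the format; its addresses and ports are placeholders, not results from the gym.

```python
"""Parse Nmap grepable (-oG) output into a per-host inventory.

Added example; the sample scan text below is constructed and the
addresses/ports in it are placeholders, not results from the paper.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample of the -oG format: one "Status" line and one "Ports"
# line per responding host, with Nmap's comment lines at top and bottom.
SAMPLE_GNMAP = """\
# Nmap 7.70 scan initiated Sun May  7 01:12:00 2017 as: nmap -sS -sU -oG - 10.1.7.0/29
Host: 10.1.7.1 ()\tStatus: Up
Host: 10.1.7.1 ()\tPorts: 53/open/udp//domain///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 10.1.7.5 ()\tStatus: Up
Host: 10.1.7.5 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
Host: 10.1.7.6 ()\tStatus: Down
# Nmap done at Sun May  7 01:12:09 2017 -- 8 IP addresses (2 hosts up) scanned in 9.10 seconds
"""


@dataclass
class Host:
    ip: str
    up: bool = False
    # (port, protocol, service) for every port Nmap reported as open
    open_ports: list = field(default_factory=list)


def _parse_ports(field_text):
    """Turn 'Ports: 80/open/tcp//http///, ...' into (port, proto, service) tuples.

    Each entry is port/state/protocol/owner/service/rpc info/version.
    """
    result = []
    for entry in field_text.split(":", 1)[1].split(","):
        parts = entry.strip().split("/")
        if len(parts) < 5:
            continue
        port, state, proto, service = parts[0], parts[1], parts[2], parts[4]
        if state == "open":
            result.append((int(port), proto, service))
    return result


def parse_gnmap(text):
    """Return {ip: Host} for every 'Host:' line in grepable output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")            # -oG separates fields with tabs
        ip = fields[0].split()[1]            # "Host: 10.1.7.1 ()" -> "10.1.7.1"
        host = hosts.setdefault(ip, Host(ip))
        for f in fields[1:]:
            if f.startswith("Status:"):
                host.up = f.split(":", 1)[1].strip() == "Up"
            elif f.startswith("Ports:"):
                host.up = True               # a Ports line is only emitted for responding hosts
                host.open_ports.extend(_parse_ports(f))
    return hosts


def live_hosts(hosts):
    """Sorted list of addresses that responded."""
    return sorted((h.ip for h in hosts.values() if h.up), key=ipaddress.ip_address)


def hosts_with_open_port(hosts, port, proto="tcp"):
    """Addresses exposing the given port/protocol, e.g. 'what listens on 22?'."""
    return sorted(
        (h.ip for h in hosts.values()
         if any(p == port and pr == proto for p, pr, _ in h.open_ports)),
        key=ipaddress.ip_address,
    )


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for ip in live_hosts(inventory):
        print(ip, inventory[ip].open_ports)
```

Run `nmap ... -oG scan.gnmap` and pass the file contents to `parse_gnmap` to use it on a real scan; the parser keys on the tab-separated field labels rather than column positions, so extra fields such as `OS:` do not break it.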

The second related article is called Penetration testing in a box, from the ACM digital library. This article explains basic and proper penetration testing strategy and objectives, and introduces a system to aid penetration testers. The article reviews the past use of automated penetration testing systems such as the Pwn Plug, Pwn Pi and MiniPwner. The Pwn Plug, released in 2012, was a Debian 6 based minicomputer with 512MB of RAM. This device has open source security tools that allow for stealthy connections to a wireless network. The Pwn Pi runs a Linux distribution on a Raspberry Pi to be used as a drop box. The MiniPwner is a penetration testing drop box which acts as a portable router. The MiniPwner was designed to utilize VPN connections as well and can be used for war walking (a penetration testing technique where information on nearby wireless networks is stored as one walks by several networks). These types of devices can be used by a small business that might not be able to afford a pen testing team, allowing them to do some pen testing and securing in a more affordable manner. The article continues to expand on how the group created their own low cost minicomputer device. They use a Raspberry Pi B+ model and propose it to be connected to a corporate computer. It then creates a connection to a VPS, or Virtual Private Server, while configuring a web interface to create a backdoor for a pen tester to scan for vulnerabilities. This application is definitely useful; however, it requires physical access to a network machine as well as the VPS. The idea of small automated pen testing gizmos is always a good one. These types of devices could potentially do assessments individually or greatly aid a team of pen testers in certain situations. The value here can be seen in the use of our Pineapple device in the approach section.

The final article, Attacks on Proximity Card systems, discusses vulnerabilities of HID systems. As you will see later in the approach, one of the main security systems in place for the gym is an HID proximity card system. Understanding how this system works and can be manipulated was crucial to the pen test. The article begins by noting that the low frequency 125 kHz cards have apparent vulnerabilities that have yet to be addressed, as these devices are still being frequently installed. The article goes on to talk about the design and functionality of the HID card. In a basic interaction the employee brings the card within range of a ProxPoint reader. The reader then supplies the card with power, allowing the card to transmit the pre-programmed code to the door reader. This code is then transmitted to the door controller and the controller can decide whether to allow or deny. As for the cards, there are two card frequencies: 125 kHz (low) and 13.56 MHz (high). The interesting element of the card is that it does not actively transmit the RF signal until it is introduced to the reader and gains the energy inductively, just like an induction stove top and pan. The process of transmission between the door reader and the card is referred to as the Wiegand interface. During the Wiegand interface, transmission occurs with the use of three wires and a series of 50 µs wide pulses of binary 1’s or 0’s. This is referred to as the Wiegand 26. The HID card in the gym’s case is the HID ProxCard II. This card is passive and holds a 44 bit value separated into different sectors and blocks. The two of these sectors which are the most important are the card number and the facility code or site code. Together these form the Wiegand 26, as they are the only 26 bits needed from the card to open the door. These two numbers are preset by the manufacturer of the card and can be imagined much like the ID and password of the card. During the Wiegand interface the door reader powers the card and opens if the correct ID number and site code are recognized.

(Fig 2- Manchester waveform for Wiegand transmission. Transmission sent to brute force door in chapter 5.)
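To make the 26-bit frame concrete, here is an added Python example (not from the paper or the cited article) that encodes and decodes the common 26-bit layout: a leading even-parity bit over the first twelve data bits, an 8-bit facility (site) code, a 16-bit card number, and a trailing odd-parity bit over the last twelve data bits. The facility code and card number in the demo are constructed placeholders. Note what the decoder checks and what it does not: the two parity bits catch transmission errors, but nothing in the frame authenticates the card, so a correctly formed frame is all the controller ever sees. With the 8-bit site code fixed, only the 16-bit card number varies, which is the reduction in "variables" the text refers to.

```python
"""Encode/decode the 26-bit Wiegand frame (8-bit facility code, 16-bit card number).

Added example; the frame layout is the standard 26-bit format, and the
facility code and card number used in the demo are constructed placeholders.
"""


def _even_parity(bits):
    """Parity bit that makes the total number of ones (bits + parity) even."""
    return sum(bits) % 2


def _odd_parity(bits):
    """Parity bit that makes the total number of ones (bits + parity) odd."""
    return 1 - (sum(bits) % 2)


def encode_wiegand26(facility_code, card_number):
    """Return the 26 frame bits, most significant first, as a list of 0/1 ints."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    data = [(facility_code >> i) & 1 for i in range(7, -1, -1)]
    data += [(card_number >> i) & 1 for i in range(15, -1, -1)]
    # bit 0: even parity over data bits 1-12; bit 25: odd parity over data bits 13-24
    return [_even_parity(data[:12])] + data + [_odd_parity(data[12:])]


def decode_wiegand26(bits):
    """Return (facility_code, card_number); raise ValueError on a malformed frame."""
    if len(bits) != 26 or any(b not in (0, 1) for b in bits):
        raise ValueError("expected 26 bits")
    data = bits[1:25]
    if bits[0] != _even_parity(data[:12]):
        raise ValueError("even parity check failed")
    if bits[25] != _odd_parity(data[12:]):
        raise ValueError("odd parity check failed")
    facility_code = int("".join(map(str, data[:8])), 2)
    card_number = int("".join(map(str, data[8:])), 2)
    return facility_code, card_number


def is_valid_frame(bits):
    """True when both parity bits agree with the data bits (no authentication implied)."""
    try:
        decode_wiegand26(bits)
        return True
    except ValueError:
        return False


def frame_to_int(bits):
    """Pack the frame into an integer, the way readers and sniffers usually display it."""
    return int("".join(map(str, bits)), 2)


if __name__ == "__main__":
    frame = encode_wiegand26(10, 1234)  # constructed placeholder values
    print("".join(map(str, frame)), hex(frame_to_int(frame)), decode_wiegand26(frame))
```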

This is the usual standard for these cards, but other formats are supported as well. A card with this configuration usually has the ID code printed on the front of it. This code represents that of the cards for that building and has the intent of not allowing people from another company with the same user code to access the door. The card has partitioned space to prevent collisions. The article referenced continues to talk about the many attack vectors and weaknesses of these HID systems. This includes replay attacks, cloning of cards, off-the-shelf reading, RF sniffing, and brute force attacks. This is all possible thanks to the fact that these cards do not use any real authentication or encryption security measures to protect the card numbers or validate the user. The use of an off-the-shelf RF reader can be extremely helpful for sniffing the Wiegand transmission from the card. This transmission can be copied and then replayed to gain access to a door for entry. RF sniffers can operate from a distance as well. With the proper equipment a Wiegand transmission could be copied from long distance. The cards themselves also have a brute force vulnerability through the means of the card numbers. If the site code can be determined with the use of software then it significantly helps a brute force attack cut down the variables and allows the attack to open doors in a more reasonable timeframe. This type of attack will be discussed later on in the approach section as it is carried out. With the combination of replay and brute force vulnerabilities, the modern low voltage HID system is not as secure as one might think.
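The brute force described above only works against a controller that accepts an unlimited number of denied reads. As an added example (not code from the paper or from any HID product), the Python below simulates the controller-side policy this paper's conclusion recommends: count denied reads per reader inside a time window, lock the reader out after a threshold, and raise an alert for the security system. The authorized card list, reader names and timings are constructed placeholders.

```python
"""Door-controller policy: lock a reader after repeated denied reads and alert.

Added example; authorized cards, reader names and timings are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int = 5      # denied reads tolerated inside the window
    window_s: float = 60.0     # seconds over which failures are counted
    lockout_s: float = 300.0   # how long the reader ignores every card afterwards


class DoorController:
    def __init__(self, authorized, policy=None):
        # authorized: iterable of (facility_code, card_number) tuples
        self.authorized = set(authorized)
        self.policy = policy or LockoutPolicy()
        self._failures = {}      # reader -> timestamps of recent denied reads
        self._locked_until = {}  # reader -> time at which the lockout ends
        self.alerts = []         # (time, reader, message) sent to the security system

    def present(self, reader, facility_code, card_number, now):
        """Handle one card read; returns 'granted', 'denied' or 'locked'."""
        p = self.policy
        if now < self._locked_until.get(reader, 0.0):
            return "locked"  # even a valid card is refused during a lockout
        if (facility_code, card_number) in self.authorized:
            self._failures[reader] = []  # a good read resets the counter
            return "granted"
        # keep only failures still inside the window, then add this one
        recent = [t for t in self._failures.get(reader, []) if now - t <= p.window_s]
        recent.append(now)
        if len(recent) >= p.max_failures:
            self._locked_until[reader] = now + p.lockout_s
            self._failures[reader] = []
            self.alerts.append((now, reader,
                                f"{len(recent)} denied reads in {p.window_s:g}s; "
                                f"reader locked for {p.lockout_s:g}s"))
            return "locked"
        self._failures[reader] = recent
        return "denied"


def run_events(controller, events):
    """Feed (time, reader, facility_code, card_number) events; return the decisions."""
    return [controller.present(r, fc, cn, t) for t, r, fc, cn in events]


if __name__ == "__main__":
    ctl = DoorController({(10, 1234)})  # constructed: one enrolled member card
    demo = [(0.0, "closet", 10, 1234)] + [(1.0 + n, "closet", 10, 5000 + n) for n in range(6)]
    print(run_events(ctl, demo))
    print(ctl.alerts)
```

The lockout is per reader, so a guessing run against the closet door does not lock members out of the front door, and the alert record is what a monitored camera or security desk would act on. The 33 minutes reported in chapter 5 would have ended at the fifth denied read under this default policy.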

Chapter 3: Workout Regiment

Proposed Approach:

Most people motivate themselves to go to the gym with a goal, whether it is lifting weights to get stronger or doing cardio to lose weight. A good practice to achieve your overall goal is to plan it out with a regimen. My goal, and the main idea proposed for this project, was to conduct a real world penetration test at the gym. Much research would be done on the procedure of pen testing and the proper equipment acquired to do so. For the purpose of this project the penetration testing company was called ShadowSec and was contracted to conduct a penetration test against XXX Gym. This assessment was conducted in the situation where a malicious user would use anything at his disposal to penetrate XXX Gym’s defenses. The impact of the security breach will be based on the integrity of the company's systems, the confidentiality of the business’s customer information, and the internal infrastructure of XXX’s information systems. The small business was contacted and agreed to conduct the pen test. The constraints as far as access and information privacy were discussed. The project is to carry out this pen test in the black box manner and use any vector possible to compromise the target. Once the target’s system is tested and vulnerabilities are accounted for, a report should be developed. The pen tester shall not affect normal working day systems in any way that inhibits operation. The pen tester shall not steal, withhold, or divulge private client information from customers of XXX Gym. The pen test report should follow proper standards, displaying the results of the pen test and the methods used. Upon completing the pen test, the report will be presented to the client.


Chapter 4: Circuit Training

Approach:

Circuit training is a workout routine which involves several quick exercises in succession to increase your heart rate and burn calories. Comparably, this section of the pen test was all about running around and trying different things to find my way in and reach my goal. As simple as the approach sounded in concept, the reality of the approach was a slow grind involving long man hours, multiple attempts, and a lot of weight lifting: figuratively lifting weight by slowly picking up parts of the network and looking under them to find an attack vector, along with the literal physical lifting of weight to look less conspicuous while turning around and scanning the network with a laptop at the same time.

Starting from the beginning, the target was acquired because it was a local small business, with fewer than 10 employees and approximately 100 active clients. Much information was collected prior to the physical implementation of the project through online data collection of clients, employees and web site properties. However, due to the agreement with the client, the name of the gym and its clients are to remain confidential throughout this report. For this reason the main focus shifted to finding a more technical means to gain access, compared to socially engineering straight into the network closet. Although, it is important to know some helpful information was gleaned from some of the gym’s employees. Discussions took place relating to where the network closet was located, the software and HID card model, and the operation of the cameras. These information gaining questions were phrased innocently to several different employees, just from the curious perspective of a customer. The first real step was to purchase a gym membership to gain access into the gym easily. Upon purchase of the $20 monthly membership an HID card is issued to the customer to allow 24 hour access to the gym equipment and steam rooms. To avoid risking detection it made sense to buy a membership to the gym in cash under a fake name, although using the discussed RFID long range sniffing technique would have also worked to copy another customer’s Wiegand transmission and gain access. Once the membership was purchased, I was granted 24/7 physical access to the gym. The next task was to make sure I could do some reconnaissance without being compromised. The client was informed of the test but the employees were not made aware of my pen test for the purpose of realism. The client agreed to notify me if any employee felt my activities in the gym were suspicious, or if any technical staff flagged my presence on the network. Luckily, during the entire implementation of the pen test no employee raised any flags. Moving on, it is also important to know that during working hours there is an employee stationed at the gym desk until ten pm each day. After ten there are no employees at the gym desk until six am the following day. For my initial reconnaissance I went in around 1 am and conducted a three part scan involving a Nessus scan, an Nmap scan, and an Angry IP scan on the wireless network. I brought my laptop in with a bag and made sure to open it only three quarters of the way and use it in a specific corner on a bench. I moved this bench to the corner of the gym to avoid any of the gym cameras seeing my computer screen during my scanning. I also made sure to use the nearby leg machines and bench press at intervals to make it appear that I was only there for a late night workout. The gym has free WiFi access, so getting on the network couldn't have been easier. To make it easy for the guests there is no password for the wireless network, only a portal page. The portal page wanted me to log in with my Facebook, but I noticed the alternative option to create my own profile. I created my own profile under a fake name and I was able to connect to the network. My first basic Nmap scans for SYN, TCP, and UDP on any class C netmask came back with very little.

(Fig 3- SYN Stealth scan)

(Fig 4- Nessus Scan)

(Fig 5- ifconfig command)

Now that I was connected to the WiFi I went to the Kali terminal and ran ifconfig to see my IP and the IP of the network. The only hit from my scanning was the 10.1.7.255 based IP of the router's broadcast signal. I was not thrilled to see the network subnetted at 0.255.255.248. This meant that the network I was accessing was segmented from the bigger network and not easily connected. After scoping out the gym’s environment it appeared that they only possessed one desktop computer, which stored customer information and possessed the HID card software. A web server vulnerability profile was conducted, but the website did not possess a login or customer portal. The website simply acts as an online advertisement and informs customers to come in and sign up at the gym. The site is not connected to the customers’ data in any way. For this reason targeting the web server seemed less critical to the goal of making a significant compromise. My thinking that the network would be small and simple was correct, but my idea that this would aid my attempt was wrong. The wireless network was simply configured but well segmented. My two main objectives then shifted to either gaining access to the desktop running off the local Ethernet, or gaining access to the networking closet located in the back room. As there are cameras covering virtually every inch of the gym, reaching over the front desk would have been risky. If one could simply slip a key logger into the computer during unmanned desk hours there could be an easy compromise. To avoid getting caught, this was not attempted, but the plug and play capability of USB drives was confirmed later by the client, as well as the fact that the cameras are not actively monitored. This is a valid vulnerability of the gym system and was stated in the report.

Chapter 5: How to Pull Open a Door Labeled Push.

Approach Continued:

Having read the “Attacks on Proximity Card systems” article, and gaining familiarity with these HID systems, I then decided to focus on trying to penetrate the door to the network closet. Gaining access to the closet would give me the greatest amount of control over the system. Currently, when scanning my card at the door reader, it simply flashed red (denying my card). The first step to getting access to the closet door was to capture the Wiegand transmission from my card with the use of a third party card reader. The equipment used for this purpose is called the Proxmark3 card reader kit. It can be found online for about $400 and includes a small chip board, antennas for reading low and high frequency RFID, and some sample tags to practice with. The Proxmark client software implements a GUI that makes cloning and sniffing card data a breeze. Using the Proxmark3 reader and client I was able to read the 44 bits off of my HID card and locate my site code. The ID number was written on the card when I received it; however, it also can be seen by the software when the card is scanned. The software in action can be seen below.

(Fig 6- Proxmark software card bit breakdown with site code and ID number)

On one dark night in March, I came back to the gym and snuck over to the network closet door. I hid the Proxmark device inside my shirt and slid the antenna with my card information up my sleeve. I casually scrolled on my phone while pressing my sleeve with the disk of the antenna up to the door. After 33 very long minutes the door finally flashed green. I immediately grabbed the door handle and felt the door unlatch. I had fulfilled my goal of compromising the gym’s physical access system, and gained entry to the network closet. This breach was stated in my report as a major vulnerability. I performed the attack again on the front door on my way out just for good measure and was able to unlock the front door with the same method.

(Fig 7- Indoor brute force, antenna held against door, authenticated)

(Fig 8- Outdoor brute force)

(Fig 9- Access granted)

I was thrilled that I was able to gain physical access to the closet through HID manipulation, but I still felt very much defeated in my initial effort to exploit a vulnerability in the wireless network. Finally it dawned on me that I was trying so hard to find something specific, like an open port or a service, that I had completely overlooked the more obvious security flaw of the gym’s free WiFi. This gym network is similar to most public WiFi networks, much like an airport or cafe. I couldn’t see any part of the network beyond the WiFi, but I could see all of the other gym members on the subnet. I also realized that I possessed the perfect tool to take advantage of this situation: the WiFi Pineapple.

Chapter 6: Superset

Approach Continued:

A superset is gym jargon for a workout that involves two different exercises performed in conjunction instead of separately. This is usually when you use the bench press then run over to do the incline bench right after. My superset involved taking another shot at the wireless network after gaining physical access. The WiFi Pineapple is a device that can act as a rogue access point. The WiFi Pineapple device used for the purpose of this attack was the WiFi Pineapple Nano, the least expensive of the product line. For my purpose the Nano performed exceptionally well with the addition of one antenna to boost the strength of my signal. As the gym was small, it didn't need any extra power that the higher end models provide. I was able to run and save the data from the Pineapple device as it was plugged into my dedicated Kali laptop. The Pineapple works by emulating the actual network access point of the gym’s FREE WIFI network. As users come back to the gym and try to reconnect to the real network, my copy of the open network is constantly trying to pick up the probes being sent out by their devices. Once connected to the false access point, the customers’ connections access the internet much the same way they normally would. I could then analyze all of the customers’ traffic as it is sent through my machine and logged. Any information sent through HTTP traffic can be seen in clear text, so HTTP sessions could be inspected and read directly. Unlike the brute force adventure, I needed to be at the gym during the day when other people were there to pick up their devices. I quickly ran over to the gym and reluctantly set up my laptop in a bathroom stall. By implementing an attack in this way, I was able to use the layout of the gym to my advantage. Any customer inside the gym must use the gym’s Wi-Fi, as there is no cell signal inside the underground concrete walls of the gym. This created a large number of targets to attract to my rogue access point. In just a few minutes I was able to pick up several of the customers’ devices.

(Fig 10- Pineapple captured devices list.)


To stay within the pen testing parameters I simply noted that the packets were collected from the devices and did not inspect the packets too deeply to discover personal information. After discovering the rogue access point vulnerability, all data, including traffic and user device names, are to be deleted after the report is submitted to adhere to the client's guidelines. It is important to know that once the traffic can be seen over HTTP, customers are made vulnerable to a myriad of attacks. Examples of follow-up attacks to this situation include SSL stripping, captive portal, and Site Survey. With SSL strip, the attacker sits between the victim and the web server and rewrites the HTTPS links and form actions in pages served over HTTP to plain HTTP, so the user's login page is submitted in clear text and the credentials are captured before the attacker relays them upstream. The captive portal module can set up a fake splash page in HTML requiring users to enter data while thinking they are logging into the gym's Wi-Fi. All three of the "Man in the Middle attacks" have dedicated modules in the Wi-Fi Pineapple GUI. The manipulation of the wireless network was very successful, as it showed that the network does not protect the information and credentials of the customers. This was noted as another major vulnerability.
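The SSL strip follow-up described above, and the reason the HTTPS advice in the report is "not foolproof", can be shown in a few dozen lines. The following is an added example written for this page; it is not the Wi-Fi Pineapple's sslstrip module and not code from the paper. The hostnames, the captured login page and the POST body are constructed, and the HstsClient class is a deliberately small model of what a browser's HSTS cache does, not a real browser.

```python
"""Added example for this page: how an SSL-strip style downgrade turns an
HTTPS login into clear text, and how a browser's HSTS cache defeats it.
Illustrative code only, not the Wi-Fi Pineapple's sslstrip module or
anything from the paper; the hostnames and the captured page are made up."""
import re
import time
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed sample: a login page as the origin would send it, with the
# form posting to HTTPS.  The victim fetched the page itself over plain
# HTTP, which is what gives the proxy a chance to rewrite it.
LOGIN_PAGE = (
    '<html><body>'
    '<form method="post" action="https://members.example-gym.test/login">'
    '<input name="user"><input name="pass" type="password">'
    '</form><a href="https://bank.example.test/">My bank</a>'
    '</body></html>'
)

HTTPS_URL = re.compile(r"https://", re.IGNORECASE)


def strip_https(body: str) -> str:
    """Attacker side: what an sslstrip proxy does to a page in transit.
    Every https:// link or form action is rewritten to http://, so the
    browser submits the form in clear text to the proxy; the proxy relays
    it upstream over HTTPS and the victim never sees a certificate warning."""
    return HTTPS_URL.sub("http://", body)


def captured_credentials(post_body: str) -> dict:
    """Attacker side: a form POST that arrived over HTTP is just bytes on
    the wire; parse_qs is all it takes to read the credentials."""
    return {k: v[0] for k, v in parse_qs(post_body).items()}


class HstsClient:
    """Defender side: a minimal model of a browser's HSTS cache.
    A host is pinned when the browser has seen a Strict-Transport-Security
    header from it over TLS (or it is on the preload list).  After that the
    browser rewrites http:// to https:// before any request leaves the
    machine, so the stripped link never produces a plain-text request."""

    def __init__(self, preload=()):
        self._pins = {host: float("inf") for host in preload}

    def observe_response(self, host, headers, over_tls, now=None):
        # The header is only honoured on a TLS connection: over HTTP an
        # attacker in the middle could add, strip or zero it at will.
        if not over_tls:
            return
        match = re.search(r"max-age=(\d+)",
                          headers.get("Strict-Transport-Security", ""))
        if not match:
            return
        max_age = int(match.group(1))
        now = time.time() if now is None else now
        if max_age == 0:
            self._pins.pop(host, None)  # max-age=0 clears the pin
        else:
            self._pins[host] = now + max_age

    def is_pinned(self, host, now=None) -> bool:
        now = time.time() if now is None else now
        expiry = self._pins.get(host)
        return expiry is not None and expiry > now

    def effective_url(self, url, now=None) -> str:
        """The URL the browser will actually request."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_pinned(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def attack_succeeds(client, stripped_url, now=None) -> bool:
    """True if the victim would send the request in clear text."""
    return urlsplit(client.effective_url(stripped_url, now)).scheme == "http"


if __name__ == "__main__":
    print(strip_https(LOGIN_PAGE))
    print(captured_credentials("user=alice&pass=hunter2"))
    fresh = HstsClient()
    print("first visit, no HSTS:",
          attack_succeeds(fresh, "http://members.example-gym.test/login"))
    fresh.observe_response("members.example-gym.test",
                           {"Strict-Transport-Security": "max-age=31536000"},
                           over_tls=True)
    print("after one HTTPS visit:",
          attack_succeeds(fresh, "http://members.example-gym.test/login"))
```

The check a practitioner should take away: HSTS only protects a host the browser has already seen over TLS, or one on the preload list, so a member's very first visit to a site from the gym's open network, or a device whose HSTS cache was just cleared, is still exposed to the downgrade. That first-visit gap is exactly the case the report's VPN recommendation covers.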

Chapter 7: Building Strength

Conclusion:

After the test was completed the following report was written and presented to the client. The overall purpose of the report was to test and inform the client of the vulnerabilities in their network, along with some possible remedies. My report finds XXX gym to have a high risk rating. This was determined by the three main vulnerabilities of the physical access HID system, the unsecured wireless network, and the passive nature of the facility's cameras. The medium risk elements include the lack of cyber security training of the staff and the plug-and-play, defenseless USB ports on the desktop Mac. The high risk HID vulnerability is due to the vulnerable HID Proxcard and door control system. I recommended upgrading this system to a more secure method of access control, such as the higher-end RFID cards with brute force prevention. A door control mechanism which implements a login limit, or one that reports back to the security system, could easily have foiled my physical access to the network closet and front door.

The high risk open Wi-Fi Pineapple attack is not quite as easy to solve. One of the best defenses against the Pineapple attack is to provide a VPN tunnel for your customers on the Wi-Fi. This will at least protect the confidentiality and integrity of their data if a man in the middle is present. They should also educate their members about the possibility of these kinds of attacks, possibly even urging them not to send valuable information over the Wi-Fi while at the gym. Influencing customers to use HTTPS sites is a good practice but is not foolproof, as the mentioned SSL strip attack can still revert the user back to HTTP unknowingly. After my testing phase I talked to the client, asking him to check whether I had been noticed on the cameras; he told me that they are not actively monitored and remain passive unless there is a reason to look back at them. I included this as a high risk vulnerability, as looking back at the cameras would not be proactive enough to catch someone on the wireless network. The client told me that he was already thinking of having the front desk worker watch the cameras, or installing software to view them remotely. This would be beneficial for the security of the gym and I highly recommended it.

The medium risk of an easily installed key logger or USB Rubber Ducky has a simple fix. Just disabling the USB ports on the Mac desktop can easily prevent this type of attack. Another good practice would be to store the desktop in a locked cabinet during the unmanned desk hours of the night. This risk is labeled medium as a directed attack was not carried out on the machine, to avoid disrupting workflow, and the antivirus might have noticed it. However, it is susceptible to an attack, and antivirus can be bypassed. The final, and one of the most important, recommendations I had for XXX gym was to run drills to inform their staff about possible cyber-attacks and threats. If the staff had been less willing to answer my questions about the network throughout this test it would have significantly slowed me down. Other standard security recommendations include implementing regular firewall rule set reviews, implementing a patch management program, conducting regular vulnerability assessments, and restricting access to all critical systems. Overall my report finds XXX gym to have a high risk rating. It describes the manner in which the vulnerabilities were uncovered, along with possible solutions and ideas to help prevent these vulnerabilities.
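The report's first recommendation, a door controller that enforces a login limit and reports back to the security system, is worth writing out, because it shows why a fixed card ID is only as weak as the number of guesses the reader will accept. The following is an added example written for this page, not the gym's HID system or any vendor's firmware. The reader names, card IDs, window and lockout values are constructed, and the "security system" is just a list of alert records.

```python
"""Added example for this page: a lockout and alerting policy for a badge
reader, illustrating the 'login limit' recommendation.  Not the gym's HID
controller or any vendor firmware; readers, card IDs and thresholds are
made up."""
from collections import deque


class DoorController:
    """Tracks failed badge reads per reader inside a sliding window.
    After max_failures failures within window_s seconds the reader is
    locked for lockout_s seconds and an alert is queued for the security
    system.  A 125 kHz proximity card carries a short, unauthenticated ID,
    so this counter is the only thing limiting a brute force of that ID."""

    def __init__(self, valid_cards, max_failures=5, window_s=60, lockout_s=900):
        self.valid_cards = set(valid_cards)
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._failures = {}       # reader -> deque of failure timestamps
        self._locked_until = {}   # reader -> time the lockout ends
        self.alerts = []          # records that would go to the security system

    def _recent_failures(self, reader, now):
        q = self._failures.setdefault(reader, deque())
        while q and q[0] <= now - self.window_s:   # drop failures outside the window
            q.popleft()
        return q

    def is_locked(self, reader, now):
        return self._locked_until.get(reader, 0) > now

    def present_card(self, reader, card_id, now):
        """Returns 'open', 'denied' or 'locked'."""
        if self.is_locked(reader, now):
            # A valid card is refused too while the reader is locked;
            # otherwise an attacker who has just found the right ID by
            # guessing can walk in during the lockout.
            return "locked"
        if card_id in self.valid_cards:
            self._failures.pop(reader, None)       # success resets the counter
            return "open"
        q = self._recent_failures(reader, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[reader] = now + self.lockout_s
            self.alerts.append({
                "reader": reader,
                "time": now,
                "failures": len(q),
                "last_card": card_id,
                "message": "possible card brute force, reader locked",
            })
            q.clear()
        return "denied"


def run_brute_force(controller, reader, card_ids, step_s=1.0, start=0.0):
    """Simulate an attacker stepping through card IDs at one reader.
    Returns (attempts_made, opened, locked_at_attempt)."""
    attempts, opened, locked_at = 0, False, None
    for i, card_id in enumerate(card_ids):
        now = start + i * step_s
        attempts += 1
        if controller.present_card(reader, card_id, now) == "open":
            opened = True
            break
        if controller.is_locked(reader, now):
            locked_at = attempts
            break
    return attempts, opened, locked_at


if __name__ == "__main__":
    # Constructed scenario: the real card is ID 7, attacker guesses 1, 2, 3...
    no_limit = DoorController(valid_cards={7}, max_failures=10**9)
    print("no login limit :", run_brute_force(no_limit, "front", range(1, 21)))
    limited = DoorController(valid_cards={7}, max_failures=5, lockout_s=900)
    print("with login limit:", run_brute_force(limited, "front", range(1, 21)))
    print("alerts raised   :", limited.alerts)
```

With these constructed values the attacker gets five guesses per fifteen minutes at a reader, and every lockout produces a record a monitored camera or front desk could act on. The trade-off to state in the report: a locked reader also refuses legitimate members for the lockout period, so the threshold should be high enough that a fumbled swipe does not trip it, and the alert should identify the reader so staff know which door to check.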

Chapter 8: New PR

Future efforts:

If one says "I just got a new PR!" after doing a lift, it means that they have surpassed their previous efforts and achieved a new "Personal Record". After working on this project I got the same feeling that I got when I deadlifted 365 pounds for the first time. I feel stronger now that I have been able to succeed at such a task, and I can't wait to improve my skills again. While I appreciated making gym XXX more secure, the project was also a means to expand my own knowledge of penetration testing. I was able to familiarize myself with a collection of tools and interact with a real small business network. In my mission of becoming a professional penetration tester, this project was a step in the right direction. I learned that I am capable of carrying out a successful penetration test and plan to do many more in the future. As a next step I am planning to take the highly regarded Offensive Security Certified Professional (OSCP) certification. This certification involves a 30 day training course with virtual labs to break into. The certification is quite a challenge but extremely valuable for an up-and-coming penetration tester. Upon passing the OSCP exam my next goal will be to familiarize myself with the defensive side of the field: mastering the Security Onion operating system and learning how to prevent the attacks I have perfected. I feel that these are my next necessary steps to help improve the state of cybersecurity, and be successful in my future workouts.

