
Projects

CTF events, hardware, tooling, and interactive security projects.


Primary Project

RFIDemon

RFIDemon is a Raspberry Pi based RFID analysis and cloning workstation for authorised MIFARE Classic testing. The Pi owns the RC522 reader, REST API, scan loop, encrypted capture storage, and AutoPwn cracking pipeline. A laptop runs the browser dashboard proxy and HTTPS receiver for captured card snapshots.

Hardware: Raspberry Pi + RC522

SPI-connected MFRC522/RC522 reader support with a Windows development path through `MockMFRC522`.

Target: MIFARE Classic

Classification for 1K, Mini, 4K, and Fudan-style cards, with card-type routing into AutoPwn workers.

Pipeline: AutoPwn phases

Dictionary, Darkside, and nested attack phases with shared reader locking for hardware-safe access.

Storage: Encrypted Pi captures

Pi-side card data is encrypted before SQLite writes, while the laptop inbox is plaintext by design for review/export.

Runtime Model

  • Pi API runs on port 5000.
  • Laptop dashboard proxy serves the browser UI on localhost port 5001.
  • Laptop receiver accepts HTTPS capture pushes on port 5002.
  • Both devices use the same infrastructure Wi-Fi network.

Security Model

  • Dashboard login uses JWT access and refresh tokens.
  • Proxy-to-Pi traffic can use HTTPS with SHA-256 certificate fingerprint pinning.
  • Secure exfil mode supports bearer auth, HMAC request signatures, and encrypted payloads.
  • Runtime secrets, captures, logs, pair state, and virtual environments are ignored by Git.
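The receiver-side check behind the bearer auth and HMAC request signatures listed above can be sketched as follows. This is an added example, not RFIDemon's own code: the header names `X-Timestamp` and `X-Signature`, the signed message layout, the 60-second freshness window, and the sample secrets are all assumptions, and payload encryption is left out.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed sample secrets (assumptions); a real deployment would load these
# from runtime secret storage that stays out of Git.
BEARER_TOKEN = "constructed-bearer-token"
HMAC_KEY = b"constructed-hmac-key"
MAX_SKEW_SECONDS = 60  # assumed freshness window to limit replay


def sign_request(key: bytes, timestamp: str, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the timestamp and the exact body bytes."""
    message = timestamp.encode() + b"\n" + body
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_push(headers: dict, body: bytes,
                now: Optional[float] = None) -> Tuple[bool, str]:
    """Receiver side: return (accepted, reason) for one capture push."""
    now = time.time() if now is None else now

    # 1. Bearer token, compared in constant time.
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(
            token.encode(), BEARER_TOKEN.encode()):
        return False, "bad bearer token"

    # 2. Timestamp must be a plain integer inside the freshness window.
    timestamp = headers.get("X-Timestamp", "")
    if not (timestamp.isascii() and timestamp.isdigit()):
        return False, "stale or missing timestamp"
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return False, "stale or missing timestamp"

    # 3. Signature covers timestamp and body, so neither can be altered
    #    or replayed later without the key.
    expected = sign_request(HMAC_KEY, timestamp, body)
    supplied = headers.get("X-Signature", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad signature"
    return True, "ok"
```

The signature must be computed over the raw request bytes before any JSON parsing, otherwise re-serialisation differences cause valid pushes to fail verification.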

Operator Flow

  • Start Pi service, laptop receiver, and dashboard proxy.
  • Open the local dashboard and authenticate with the Pi API password.
  • Pair the laptop receiver with the Pi, then switch into attack mode.
  • Present an authorised card and review status, keys, cloneability, exports, and reports.

Use boundary

RFIDemon is intended for authorised RFID security testing, controlled lab work, and defensive assessment only. It should only be used on cards and systems owned by the tester or covered by explicit permission.


CTF Competition

Pwn2Play

Pwn2Play is the flagship Capture The Flag competition run by DMU Hackers, De Montfort University's cybersecurity society. It is a jeopardy-style event spanning web exploitation, OSINT, cryptography, reverse engineering, binary exploitation, and more. I helped launch the first edition in 2025 as H&S Officer, and as Chairman in 2026 I lead the full competition, Pwn2Play: Core Incursion, running 30 May 2026.

Format: Jeopardy-style CTF

50 challenges across 12 categories. Teams of up to 6 compete for prizes from Kit365, TryHackMe, and Immersive Labs.

My challenge (2025): B.P.O · Typex cipher

A multi-artefact historical cryptography puzzle. Competitors recover Typex rotor settings from six forensic artefacts to decrypt a wartime intercept.

2026 · my challenges: Five challenges, now unlocked

BIKINI State: RED, The Sign of Four, The Cutlery Drawer, Concordat, and The Baker Street Affair — revealed post-event with writeups on the Pwn2Play page.

Role: Chairman, DMU Hackers

H&S Officer in 2025 (founding year). Chairman in 2026, responsible for the full competition design, sponsorship, and delivery.