Sdr
Decoding RF Protocols Within GRC
I’ve been fascinated by SDR and everything you can do with it for a long time, and from a pentesters perspective, I thought it would be awesome to be able to fuzz random devices. RF devices are everywhere, and people have used SDR to mess with lots of devices, such as portable traffic lights, weather stations, and older car key fobs.
The thing is, getting started is much harder than I thought it would be as most tutorials are ambiguous, or much more manual that I’d like. There are lots of tutorials that describe how to find and view an RF signal, but they tend to end up with you counting square waves in audacity, and writing custom scripts to decode the bits you manually wrote down.
building the bsidescpt17 rfchallenge
In this post I want to talk a little about the BSides Cape Town 17 RFCat challenge and how I went about trying to build a challenge for it. Unfortunately I was not able to able to attend the con itself, but still had the privilege to contribute in some way!
The first question you may have could be: “But why RFCat?”. Truthfully, some people that are way better at this hacking thing than me (and that were also primarily responsible for this years BSides badge hardware) came up with this idea: “Wouldn’t it be cool to have a cc1111 chip on the badges?”. The cc1111 chip is RFCat compatible, so naturally this would be the goto firmware to use for the chip. With this in mind, I got invited by @elasticninja to see if I would be interested in building an RFCat based challenge and without hesitation agreed! So there we were.
Sending AM-OOK using Metasploit and rftransceiver
Introduction Towards the end of last year, I found myself playing around with some basic amplitude modulation (AM)/On-off keying (OOK) software defined radio. That resulted in ooktools being built to help with making some of that work easier and to help me learn. A little while ago, the Metasploit project announced new ‘rftransceiver’ capabilities that were added to the framework with a similar goal of making this research easier.
How things fit together First things first. I had to try and understand how this new functionality actually works. From the Metasploit blog post, it was possible to see that the additions allowed you to communicate with a RFCat capable device from Metasploit and run modules over a session. A session is started by connecting to a small JSON API (with a python helper) that bridges HTTP requests to rflib methods.
Page 1 of 1