# Espilon Module Ideas

Future module ideas for the Espilon agent framework, organized by category. Each entry includes hardware requirements, estimated cost, complexity (1-5), and key C2 commands.

> **Legend**: Complexity 1 = simple wrapper, 5 = full protocol stack. Cost = additional hardware beyond ESP32.

---

## Table of Contents

- [Radio & Wireless](#radio--wireless)
- [USB & HID](#usb--hid)
- [Hardware Hacking](#hardware-hacking)
- [Network & Protocols](#network--protocols)
- [Industrial & SCADA](#industrial--scada)
- [Exfiltration & Covert Channels](#exfiltration--covert-channels)
- [Sensors & Environment](#sensors--environment)
- [Crypto & WiFi Attacks](#crypto--wifi-attacks)
- [Automotive](#automotive)
- [Physical Security](#physical-security)

---

## Radio & Wireless

### mod_ble — Bluetooth Low Energy

**Hardware**: ESP32 built-in | **Cost**: 0 EUR | **Complexity**: 3/5

BLE scanning, GATT enumeration, beacon spoofing, and device tracking.

**Commands**:
- `ble_scan [duration]` — Discover BLE devices (name, RSSI, services)
- `ble_enum <addr>` — Enumerate GATT services and characteristics
- `ble_read <addr> <handle>` — Read characteristic value
- `ble_write <addr> <handle> <hex>` — Write to characteristic
- `ble_beacon <uuid> [major] [minor]` — Spoof iBeacon/Eddystone
- `ble_track <addr> [duration]` — Track device RSSI over time
- `ble_flood [count]` — Broadcast random BLE advertisements

**Use cases**: IoT device recon, BLE lock testing, asset tracking, Bluetooth phishing.

---

### mod_zigbee — IEEE 802.15.4 / Zigbee

**Hardware**: CC2530/CC2531 module via UART | **Cost**: ~4 EUR | **Complexity**: 4/5

Sniff, inject, and replay Zigbee/802.15.4 frames. Targets smart home (Philips Hue, SmartThings, Ikea).

**Commands**:
- `zigbee_scan [channel]` — Discover Zigbee networks and devices
- `zigbee_sniff <channel> [duration]` — Capture 802.15.4 frames
- `zigbee_inject <channel> <hex_frame>` — Inject raw frame
- `zigbee_replay` — Replay captured frames
- `zigbee_key_sniff [duration]` — Capture transport key exchange
- `zigbee_jam <channel>` — Channel jamming

**Use cases**: Smart home testing, IoT protocol analysis, Zigbee network penetration.

---

### mod_nfc — RFID / NFC

**Hardware**: RC522 (MIFARE) or PN532 (full NFC) via SPI | **Cost**: ~3 EUR | **Complexity**: 3/5

Read, write, clone, and emulate RFID/NFC tags. Supports MIFARE Classic, NTAG, and ISO 14443.

**Commands**:
- `nfc_scan` — Detect tags in range (UID, type, ATQA, SAK)
- `nfc_read <sector> [key]` — Read MIFARE sector
- `nfc_write <sector> <hex> [key]` — Write to sector
- `nfc_clone` — Read tag → store → emulate (UID-level clone)
- `nfc_crack <sector>` — MIFARE Classic key recovery (nested/hardnested)
- `nfc_dump` — Dump full tag contents
- `nfc_emulate <uid>` — Emulate tag UID

**Use cases**: Access card cloning, NFC payment research, badge system testing.

---

### mod_subghz — Sub-GHz Radio (433/868/915 MHz)

**Hardware**: CC1101 module via SPI | **Cost**: ~3 EUR | **Complexity**: 4/5

Sniff, decode, record, and replay sub-GHz radio signals. Targets garage doors, remotes, weather stations, sensors.

**Commands**:
- `subghz_rx <freq_mhz> [modulation]` — Listen on frequency (ASK/FSK/GFSK)
- `subghz_tx <freq_mhz> <hex_data> [repeat]` — Transmit raw data
- `subghz_scan <start_mhz> <end_mhz>` — Frequency scanner (find active freqs)
- `subghz_record <freq_mhz> [duration]` — Record raw signal
- `subghz_replay [speed]` — Replay recorded signal
- `subghz_decode <protocol>` — Decode known protocols (Oregon, LaCrosse, etc.)
- `subghz_bruteforce <freq_mhz> <bits> [delay]` — Brute-force fixed codes

**Use cases**: Garage door testing, remote control analysis, sensor spoofing, ISM band recon.

---

### mod_lora — LoRa Long-Range Mesh

**Hardware**: SX1276/SX1278 module via SPI | **Cost**: ~5 EUR | **Complexity**: 3/5

LoRa-based backup C2 channel and mesh network for long-range, low-bandwidth communication.

**Commands**:
- `lora_start <freq_mhz> [sf] [bw]` — Init LoRa radio (spreading factor, bandwidth)
- `lora_send <hex_data>` — Send raw LoRa packet
- `lora_listen [duration]` — Receive packets
- `lora_mesh_start` — Enable mesh relay mode (multi-hop)
- `lora_c2_enable` — Use LoRa as backup C2 channel
- `lora_range_test` — Ping-pong range measurement

**Use cases**: Backup C2 (1-10 km range), field mesh network, exfiltration when WiFi unavailable.

---

### mod_ir — Infrared TX/RX

**Hardware**: IR LED + IR receiver (VS1838B) | **Cost**: ~1 EUR | **Complexity**: 2/5

Capture, decode, and replay infrared remote signals. Universal remote functionality.

**Commands**:
- `ir_learn [timeout]` — Record IR signal from any remote
- `ir_send <protocol> <code>` — Send known protocol (NEC, Sony, RC5, Samsung)
- `ir_replay` — Replay last captured signal
- `ir_scan` — Brute-force common power codes (TV-B-Gone style)
- `ir_raw_send <timing_data>` — Send raw pulse/space timing

**Use cases**: TV/AC control, IR protocol analysis, physical access (some locks use IR).

---

### mod_espnow_swarm — Coordinated ESP-NOW Swarm

**Hardware**: Additional ESP32 agents | **Cost**: 0 EUR per agent | **Complexity**: 4/5

Coordinate multiple Espilon agents via ESP-NOW for distributed operations. Mesh-aware task distribution.

**Commands**:
- `swarm_discover` — Find nearby Espilon agents
- `swarm_broadcast <command>` — Send command to all agents
- `swarm_assign <agent_id> <command>` — Targeted task assignment
- `swarm_sync` — Synchronize clocks for coordinated actions
- `swarm_scan_distributed <target>` — Parallel network scanning from multiple positions
- `swarm_relay <agent_id>` — Use agent as relay for out-of-range C2

**Use cases**: Distributed WiFi scanning, coordinated deauth, coverage extension, multi-angle recon.

---

### mod_tpms — Tire Pressure Monitoring

**Hardware**: CC1101 (315 or 433 MHz) | **Cost**: ~3 EUR | **Complexity**: 3/5

Sniff and spoof TPMS sensors at 315/433 MHz. Vehicle identification via unique sensor IDs.

**Commands**:
- `tpms_listen [duration]` — Capture TPMS broadcasts
- `tpms_decode` — Show decoded sensor data (pressure, temp, ID)
- `tpms_track <sensor_id>` — Track specific vehicle presence
- `tpms_spoof <sensor_id> <pressure> <temp>` — Inject fake reading

**Use cases**: Vehicle tracking via TPMS IDs, TPMS protocol research.

---

## USB & HID

### mod_badusb — USB HID Injection

**Hardware**: ESP32-S2 or ESP32-S3 (native USB) | **Cost**: 0 EUR | **Complexity**: 3/5

Keystroke injection attack via USB HID. Triggered remotely from C2.

**Commands**:
- `badusb_run <payload_name>` — Execute named payload
- `badusb_type <text>` — Type arbitrary text
- `badusb_key <combo>` — Send key combo (e.g., `WIN+R`, `CTRL+ALT+DEL`)
- `badusb_delay <ms>` — Wait between keystrokes
- `badusb_upload <script>` — Upload Ducky Script payload
- `badusb_list` — List stored payloads
- `badusb_os_detect` — Detect target OS via timing analysis

**Use cases**: Physical access exploitation, credential harvesting, reverse shell deployment.

---

### mod_rubber_ducky — Ducky Script Interpreter

**Hardware**: ESP32-S2/S3 | **Cost**: 0 EUR | **Complexity**: 2/5

Full Ducky Script interpreter for scripted USB HID payloads. Companion to mod_badusb.

**Commands**:
- `ducky_load <script>` — Load script from NVS or C2
- `ducky_exec` — Execute loaded script
- `ducky_store <name> <script>` — Save payload to NVS
- `ducky_list` — List stored scripts

---

### mod_usb_mitm — USB Man-in-the-Middle

**Hardware**: ESP32-S3 (dual USB ports) | **Cost**: 0 EUR | **Complexity**: 5/5

Transparent USB proxy: sniff, modify, or inject traffic between host and device.

**Commands**:
- `usb_mitm_start` — Start USB proxy
- `usb_mitm_sniff [class]` — Log traffic (HID, mass storage, etc.)
- `usb_mitm_inject <hex>` — Inject USB packets
- `usb_mitm_filter <rule>` — Modify packets in transit

**Use cases**: USB protocol analysis, keyboard sniffing, mass storage interception.

---

## Hardware Hacking

### mod_jtag — JTAG/SWD Debug Interface

**Hardware**: GPIO wires (no extra module) | **Cost**: 0 EUR | **Complexity**: 4/5

Bit-bang JTAG/SWD for firmware extraction, debug access, and boundary scan on target devices.

**Commands**:
- `jtag_scan` — Detect JTAG chain (IDCODE scan)
- `jtag_read <addr> <size>` — Read memory via debug port
- `jtag_write <addr> <hex>` — Write memory
- `jtag_dump <addr> <size>` — Dump firmware to C2
- `swd_scan` — Detect SWD target
- `swd_read <addr> <size>` — Read via SWD
- `swd_halt` / `swd_resume` — Halt/resume target CPU

**Use cases**: Firmware extraction from IoT devices, bypassing read-out protection, live debugging.

---

### mod_uart_bridge — UART Sniff/Inject

**Hardware**: GPIO wires (no extra module) | **Cost**: 0 EUR | **Complexity**: 2/5

UART bridge: sniff serial console traffic or inject commands. Auto-detect baud rate.

**Commands**:
- `uart_scan [gpio]` — Auto-detect baud rate on GPIO pin
- `uart_listen <baud> <rx_gpio> [duration]` — Sniff UART traffic
- `uart_send <baud> <tx_gpio> <data>` — Send data
- `uart_bridge <baud> <rx> <tx>` — Bidirectional bridge (relay to C2)

**Use cases**: Router console access, IoT device debug ports, embedded system exploitation.

---

### mod_i2c_scan — I2C Bus Discovery

**Hardware**: GPIO wires | **Cost**: 0 EUR | **Complexity**: 2/5

Scan, read, and write I2C devices. EEPROM dumping and sensor spoofing.

**Commands**:
- `i2c_scan [sda] [scl]` — Discover devices on bus
- `i2c_read <addr> <reg> <len>` — Read registers
- `i2c_write <addr> <reg> <hex>` — Write registers
- `i2c_dump_eeprom <addr> <size>` — Dump EEPROM contents

**Use cases**: EEPROM credential extraction, sensor data manipulation, I2C device enumeration.

---

### mod_spi_flash — SPI Flash Dumper

**Hardware**: SOIC-8 clip + GPIO wires | **Cost**: ~5 EUR | **Complexity**: 3/5

Read/write SPI NOR flash chips (25xx series). In-circuit or off-board.

**Commands**:
- `spi_flash_detect` — Read JEDEC ID, detect chip
- `spi_flash_read <addr> <size>` — Read flash to C2
- `spi_flash_write <addr> <hex>` — Write data
- `spi_flash_erase <addr> <size>` — Erase sectors
- `spi_flash_dump` — Full chip dump

**Use cases**: Firmware extraction, credential recovery, flash image modification.

---

### mod_glitch — Voltage/Clock Glitching

**Hardware**: MOSFET + GPIO (voltage glitch) or clock inject circuit | **Cost**: ~5 EUR | **Complexity**: 5/5

Fault injection: precise voltage or clock glitches to bypass secure boot, skip instructions, or corrupt crypto.

**Commands**:
- `glitch_config <width_ns> <offset_ns> <repeat>` — Set glitch parameters
- `glitch_arm <trigger_gpio>` — Arm, fire on trigger edge
- `glitch_fire` — Manual trigger
- `glitch_sweep <start_ns> <end_ns> <step>` — Automated parameter sweep

**Use cases**: Secure boot bypass, read-out protection defeat, crypto fault injection.

---

## Network & Protocols

### mod_dns — DNS Spoofing & Tunneling

**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5

DNS server for spoofing + DNS tunnel for covert data exfiltration through firewalls.

**Commands**:
- `dns_spoof_start <domain> <ip>` — Spoof specific domain resolution
- `dns_spoof_all <ip>` — Redirect all DNS queries to IP
- `dns_spoof_stop` — Stop spoofing
- `dns_tunnel_start <domain>` — Start DNS tunnel (data over TXT/CNAME)
- `dns_tunnel_send <hex>` — Exfiltrate data via DNS

**Use cases**: Pharming, captive portal bypass, firewall evasion, covert exfiltration.

---

### mod_dhcp — DHCP Attacks

**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5

DHCP starvation and rogue DHCP server for MitM via gateway redirection.

**Commands**:
- `dhcp_starve [count]` — Exhaust DHCP pool with fake MACs
- `dhcp_rogue_start <gateway_ip> <dns_ip>` — Start rogue DHCP server
- `dhcp_rogue_stop` — Stop rogue server
- `dhcp_discover` — Passive DHCP monitoring

**Use cases**: MitM setup, network disruption, rogue gateway for traffic interception.

---

### mod_mdns — mDNS/Bonjour Discovery

**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 2/5

Discover and spoof local services via mDNS (Bonjour, Avahi).

**Commands**:
- `mdns_scan [duration]` — Discover all mDNS services
- `mdns_query <service>` — Query specific service type (_http._tcp, _ssh._tcp, etc.)
- `mdns_spoof <hostname> <ip>` — Spoof mDNS response
- `mdns_register <service> <port>` — Advertise fake service

**Use cases**: Local service enumeration, service spoofing, printer/AirPlay impersonation.

---

### mod_mqtt — MQTT Broker/Client

**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5

MQTT client for IoT device interaction + rogue broker for message interception.

**Commands**:
- `mqtt_connect <broker> [user] [pass]` — Connect to broker
- `mqtt_sub <topic>` — Subscribe and stream messages to C2
- `mqtt_pub <topic> <payload>` — Publish message
- `mqtt_enum` — Enumerate all topics (wildcard subscribe)
- `mqtt_broker_start [port]` — Start rogue MQTT broker
- `mqtt_intercept <topic>` — MitM specific topic

**Use cases**: IoT device control, smart home exploitation, message injection, credential sniffing.

---

### mod_coap — CoAP Discovery & Exploitation

**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5

CoAP client for constrained IoT device interaction (UDP-based REST).

**Commands**:
- `coap_discover <ip>` — Discover CoAP resources (.well-known/core)
- `coap_get <uri>` — GET resource
- `coap_put <uri> <payload>` — PUT resource
- `coap_observe <uri>` — Subscribe to resource changes

**Use cases**: IoT device enumeration, sensor data extraction, actuator control.

---

### mod_upnp — UPnP/SSDP Discovery

**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 2/5

Discover and interact with UPnP devices on the network. Map router port forwards.

**Commands**:
- `upnp_scan` — Discover UPnP devices (SSDP M-SEARCH)
- `upnp_describe <url>` — Get device description XML
- `upnp_port_map <ext_port> <int_ip> <int_port>` — Add port mapping on router
- `upnp_port_list` — List existing port mappings
- `upnp_port_del <ext_port>` — Remove port mapping

**Use cases**: Router exploitation, port mapping for persistence, device enumeration.

---

### mod_socks — SOCKS5 Proxy

**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5

Full SOCKS5 proxy running on the agent for network pivoting.

**Commands**:
- `socks_start [port] [auth]` — Start SOCKS5 server
- `socks_stop` — Stop proxy
- `socks_status` — Active connections, bandwidth stats
- `socks_whitelist <ip>` — Allow only specific clients

**Use cases**: Network pivoting, traffic routing through agent, accessing internal networks.

---

### mod_wifi_rogue — Advanced Evil Twin

**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 5/5

WPA2-Enterprise Evil Twin with EAP credential interception (EAP-TTLS, PEAP, MSCHAPv2).

**Commands**:
- `rogue_start <ssid> [eap_type]` — Start evil twin with RADIUS
- `rogue_stop` — Stop
- `rogue_creds` — List captured credentials
- `rogue_deauth <bssid> <station>` — Force client reconnection to rogue AP

**Use cases**: Enterprise WiFi credential harvesting, WPA2-Enterprise testing.

---

## Industrial & SCADA

### mod_modbus — Modbus TCP/RTU

**Hardware**: None (TCP) or MAX485 (~2 EUR for RTU) | **Cost**: 0-2 EUR | **Complexity**: 3/5

Modbus protocol for SCADA/ICS reconnaissance and interaction.

**Commands**:
- `modbus_scan <ip_range>` — Discover Modbus TCP devices
- `modbus_read <ip> <unit> <addr> <count> [type]` — Read holding/input registers
- `modbus_write <ip> <unit> <addr> <value>` — Write register
- `modbus_coils <ip> <unit> <addr> <count>` — Read/write coils
- `modbus_enum <ip>` — Enumerate function codes and unit IDs
- `modbus_rtu_scan <baud>` — Scan RTU bus (RS-485)

**Use cases**: SCADA assessment, PLC interaction, industrial network mapping.

---

### mod_bacnet — Building Automation

**Hardware**: None (WiFi/Ethernet) | **Cost**: 0 EUR | **Complexity**: 4/5

BACnet protocol for building automation system interaction (HVAC, lighting, access).

**Commands**:
- `bacnet_discover` — Who-Is broadcast, discover BACnet devices
- `bacnet_read <device> <object> <property>` — Read property
- `bacnet_write <device> <object> <property> <value>` — Write property
- `bacnet_enum <device>` — Enumerate objects on device

**Use cases**: Building automation testing, HVAC control, access system research.

---

### mod_ethernet — Wired Ethernet (W5500)

**Hardware**: W5500 or ENC28J60 SPI module | **Cost**: ~4 EUR | **Complexity**: 3/5

Wired Ethernet connectivity — bypass WiFi isolation, direct LAN access.

**Commands**:
- `eth_start [dhcp|static <ip>]` — Init Ethernet interface
- `eth_status` — Link state, IP config
- `eth_scan` — ARP scan on wired LAN
- `eth_bridge` — Bridge WiFi ↔ Ethernet traffic

**Use cases**: Drop box on wired network, bypass wireless ACLs, physical pentesting.

---

## Exfiltration & Covert Channels

### mod_dns_tunnel — C2 over DNS

**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 4/5

Full C2 communication over DNS queries/responses. Bypasses most firewalls.

**Commands**:
- `dns_c2_start <domain> <resolver>` — Start DNS C2 channel
- `dns_c2_stop` — Revert to TCP
- `dns_c2_status` — Throughput, latency stats

**Use cases**: Firewall bypass, restricted network C2, exfiltration through corporate DNS.

---

### mod_icmp_tunnel — C2 over ICMP

**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5

Backup C2 channel using ICMP echo request/reply payloads.

**Commands**:
- `icmp_c2_start <server_ip>` — Start ICMP tunnel
- `icmp_c2_stop` — Revert to TCP
- `icmp_exfil <hex_data>` — One-shot data exfiltration

**Use cases**: C2 when TCP is blocked, ping-based covert channel.

---

### mod_audio_exfil — Audio Capture

**Hardware**: INMP441 I2S MEMS microphone | **Cost**: ~3 EUR | **Complexity**: 4/5

Audio recording and optional ultrasonic covert channel for air-gapped data transfer.

**Commands**:
- `audio_record [duration] [quality]` — Record audio, stream to C2
- `audio_level` — Ambient noise level (trigger-based recording)
- `audio_vad_start` — Voice Activity Detection — record only when speaking
- `audio_ultrasonic_tx <hex>` — Transmit data via ultrasound (18-22 kHz)

**Use cases**: Environmental awareness, meeting capture, air-gap bridging.

---

### mod_sdcard — SD Card Storage

**Hardware**: MicroSD module via SPI | **Cost**: ~2 EUR | **Complexity**: 2/5

Local offline storage for dead-drop operations, large data dumps, and logging.

**Commands**:
- `sd_init` — Mount SD card
- `sd_write <filename> <data>` — Write file
- `sd_read <filename>` — Read and stream to C2
- `sd_list` — List files
- `sd_log_start` — Log all C2 traffic to SD
- `sd_space` — Free/total space

**Use cases**: Offline data collection, dead-drop exfiltration, large firmware dumps.

---

## Sensors & Environment

### mod_gps — GPS/GNSS Tracking

**Hardware**: NEO-6M/NEO-7M via UART | **Cost**: ~5 EUR | **Complexity**: 2/5

GPS positioning, geofencing, and location-stamped events.

**Commands**:
- `gps_start` — Begin GPS acquisition
- `gps_position` — Current lat/lon/alt/speed
- `gps_track [interval]` — Stream position to C2
- `gps_geofence <lat> <lon> <radius_m> <action>` — Trigger action on enter/exit
- `gps_log_start` — Log positions to NVS

**Use cases**: Asset tracking, geofenced triggers, location-aware operations.

---

### mod_environment — Environmental Sensors

**Hardware**: DHT22/BME280/PIR/LDR | **Cost**: ~3 EUR | **Complexity**: 1/5

Read temperature, humidity, pressure, motion, and light sensors.

**Commands**:
- `env_read` — Read all connected sensors
- `env_monitor [interval]` — Stream readings to C2
- `env_motion_alert` — Alert C2 on PIR trigger
- `env_trigger <sensor> <threshold> <action>` — Conditional triggers

**Use cases**: Physical security awareness, environmental monitoring, trigger-based activation.

---

### mod_power — Power Management

**Hardware**: TP4056 + LiPo battery | **Cost**: ~5 EUR | **Complexity**: 3/5

Battery management, intelligent deep sleep, and solar charging support.

**Commands**:
- `power_status` — Battery voltage, charging state, estimated runtime
- `power_sleep <seconds>` — Enter deep sleep with wake timer
- `power_sleep_until <gpio_trigger>` — Sleep until GPIO event
- `power_profile <mode>` — Power profiles (aggressive, balanced, stealth)
- `power_schedule <cron> <command>` — Scheduled wake + command execution

**Use cases**: Long-duration deployment, battery-powered field operations, solar-powered persistent presence.

---

### mod_display — OLED/TFT Display

**Hardware**: SSD1306 OLED (0.96") or ST7735 TFT via SPI/I2C | **Cost**: ~3 EUR | **Complexity**: 2/5

Local status display for field operations (no C2 needed to see agent state).

**Commands**:
- `display_text <text>` — Show text on screen
- `display_status` — Show device info, connection state, active module
- `display_qr <data>` — Generate QR code on display
- `display_off` — Turn off (stealth)

**Use cases**: Field status monitoring, debug output, one-way info display.

---

## Crypto & WiFi Attacks

### mod_deauth — 802.11 Deauthentication

**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 2/5

Targeted 802.11 deauth for forcing client reconnection (handshake capture setup).

**Commands**:
- `deauth <bssid> <station> [count]` — Targeted deauth
- `deauth_all <bssid> [count]` — Broadcast deauth
- `deauth_continuous <bssid> [interval]` — Persistent deauth

**Use cases**: WPA handshake capture setup, client denial, forced AP migration.

---

### mod_wpa_crack — WPA Handshake Capture

**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 4/5

Capture 4-way handshake and attempt dictionary attack with embedded wordlist.

**Commands**:
- `wpa_capture <bssid> [channel] [timeout]` — Wait for handshake (or deauth to force)
- `wpa_crack <bssid> [wordlist]` — Dictionary attack on captured handshake
- `wpa_export <bssid>` — Export handshake as pcap/hccapx to C2

**Use cases**: WiFi security assessment, credential recovery.

---

### mod_pmkid — PMKID Attack

**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 4/5

Capture PMKID from AP without any connected client. Faster than handshake capture.

**Commands**:
- `pmkid_scan [duration]` — Scan APs and capture PMKIDs
- `pmkid_target <bssid>` — Target specific AP
- `pmkid_export` — Export PMKIDs for offline cracking

**Use cases**: WiFi testing without connected clients, faster WPA cracking.

---

### mod_rfcrack — Rolling Code Analysis

**Hardware**: CC1101 via SPI | **Cost**: ~3 EUR | **Complexity**: 5/5

Analyze and attack rolling code systems (garages, car key fobs, gates).

**Commands**:
- `rfcrack_listen <freq>` — Capture rolling code transmissions
- `rfcrack_analyze` — Identify protocol (KeeLoq, etc.)
- `rfcrack_rolljam <freq>` — RollJam attack (jam + capture + replay)
- `rfcrack_desync <freq>` — De-synchronization attack

**Use cases**: Physical security research, rolling code protocol analysis.

---

## Automotive

### mod_lin_bus — LIN Bus

**Hardware**: MCP2004A LIN transceiver | **Cost**: ~3 EUR | **Complexity**: 3/5

LIN bus (Local Interconnect Network) — sub-bus used for windows, seats, mirrors, lights.

**Commands**:
- `lin_start [baud]` — Init LIN transceiver (default 19200)
- `lin_sniff [duration]` — Capture LIN frames
- `lin_send <id> <data_hex>` — Send LIN frame
- `lin_master_start` — Become LIN master (send schedule table)
- `lin_enum` — Enumerate slave nodes

**Use cases**: Automotive body control testing, seat/window/mirror manipulation.

---

### mod_obd_tracker — OBD-II GPS Tracker

**Hardware**: MCP2515 + NEO-6M GPS | **Cost**: ~8 EUR | **Complexity**: 3/5

Autonomous vehicle tracker: logs GPS position + OBD-II data, reports to C2 when connectivity available.

**Commands**:
- `tracker_start [interval]` — Begin tracking (OBD + GPS)
- `tracker_stop` — Stop and upload buffered data
- `tracker_status` — Current position + vehicle stats
- `tracker_geofence <lat> <lon> <radius>` — Alert on geofence breach
- `tracker_trips` — Summarize recorded trips

**Use cases**: Vehicle tracking, fleet monitoring, trip analysis.

---

### mod_flexray — FlexRay Bus

**Hardware**: FlexRay transceiver (TJA1080) | **Cost**: ~15 EUR | **Complexity**: 5/5

FlexRay monitoring for premium vehicles (BMW, Mercedes, Audi). Deterministic, time-triggered protocol.

**Commands**:
- `flexray_listen <channel>` — Monitor FlexRay channel (A or B)
- `flexray_decode` — Decode known frame IDs
- `flexray_status` — Bus state, cycle time, slot info

**Use cases**: Premium vehicle bus analysis, FlexRay protocol research.

---

## Physical Security

### mod_keylogger — PS/2 Keyboard Logger

**Hardware**: PS/2 connector + GPIO wires | **Cost**: ~2 EUR | **Complexity**: 2/5

Hardware keylogger for PS/2 keyboards. Inline transparent interception.

**Commands**:
- `keylog_start` — Begin capturing keystrokes
- `keylog_stop` — Stop and send buffer to C2
- `keylog_dump` — Send current buffer
- `keylog_live` — Stream keystrokes in real-time to C2

**Use cases**: Physical access keystroke capture.

---

### mod_relay — Relay Control

**Hardware**: Relay module (1/2/4 channel) | **Cost**: ~2 EUR | **Complexity**: 1/5

GPIO relay control for physical actuators (doors, power, devices).

**Commands**:
- `relay_on <channel>` — Activate relay
- `relay_off <channel>` — Deactivate relay
- `relay_pulse <channel> <duration_ms>` — Momentary activation
- `relay_schedule <channel> <cron>` — Scheduled activation

**Use cases**: Physical access control, remote power switching, automated triggers.

---

## Priority Matrix

Modules ranked by impact/effort ratio for implementation priority:

| Priority | Module | Why |
|----------|--------|-----|
| **High** | mod_ble | Built-in hardware, zero cost, huge IoT attack surface |
| **High** | mod_deauth | Simple, essential for WiFi assessment workflows |
| **High** | mod_badusb | ESP32-S2/S3 native USB, high impact physical access |
| **High** | mod_uart_bridge | Zero cost, essential for hardware hacking |
| **High** | mod_dns | WiFi only, enables MitM and exfiltration |
| **Medium** | mod_nfc | Cheap hardware, wide applicability (access cards) |
| **Medium** | mod_subghz | CC1101 is cheap, covers huge attack surface |
| **Medium** | mod_mqtt | IoT everywhere, zero additional hardware |
| **Medium** | mod_socks | Pivoting capability, WiFi only |
| **Medium** | mod_gps | Cheap module, enables location-aware operations |
| **Medium** | mod_modbus | SCADA is a growing target, dual TCP/RTU |
| **Medium** | mod_sdcard | Simple, enables offline operations |
| **Low** | mod_lora | Good range but low throughput |
| **Low** | mod_glitch | High complexity, niche use case |
| **Low** | mod_flexray | Expensive hardware, niche vehicles |
| **Low** | mod_usb_mitm | Requires ESP32-S3 dual USB, very complex |