Eun0us/espilon-source
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
d1b89f6fd5
espilon-source/MODULE_IDEAS.md

797 lines
27 KiB
Markdown
Raw Blame History

# Espilon Module Ideas
Future module ideas for the Espilon agent framework, organized by category. Each entry includes hardware requirements, estimated cost, complexity (1-5), and key C2 commands.
> **Legend**: Complexity 1 = simple wrapper, 5 = full protocol stack. Cost = additional hardware beyond ESP32.
---
## Table of Contents
- [Radio & Wireless](#radio--wireless)
- [USB & HID](#usb--hid)
- [Hardware Hacking](#hardware-hacking)
- [Network & Protocols](#network--protocols)
- [Industrial & SCADA](#industrial--scada)
- [Exfiltration & Covert Channels](#exfiltration--covert-channels)
- [Sensors & Environment](#sensors--environment)
- [Crypto & WiFi Attacks](#crypto--wifi-attacks)
- [Automotive](#automotive)
- [Physical Security](#physical-security)
---
## Radio & Wireless
### mod_ble — Bluetooth Low Energy
**Hardware**: ESP32 built-in | **Cost**: 0 EUR | **Complexity**: 3/5
BLE scanning, GATT enumeration, beacon spoofing, and device tracking.
**Commands**:
- `ble_scan [duration]` — Discover BLE devices (name, RSSI, services)
- `ble_enum <addr>` — Enumerate GATT services and characteristics
- `ble_read <addr> <handle>` — Read characteristic value
- `ble_write <addr> <handle> <hex>` — Write to characteristic
- `ble_beacon <uuid> [major] [minor]` — Spoof iBeacon/Eddystone
- `ble_track <addr> [duration]` — Track device RSSI over time
- `ble_flood [count]` — Broadcast random BLE advertisements
**Use cases**: IoT device recon, BLE lock testing, asset tracking, Bluetooth phishing.
---
### mod_zigbee — IEEE 802.15.4 / Zigbee
**Hardware**: CC2530/CC2531 module via UART | **Cost**: ~4 EUR | **Complexity**: 4/5
Sniff, inject, and replay Zigbee/802.15.4 frames. Targets smart home (Philips Hue, SmartThings, Ikea).
**Commands**:
- `zigbee_scan [channel]` — Discover Zigbee networks and devices
- `zigbee_sniff <channel> [duration]` — Capture 802.15.4 frames
- `zigbee_inject <channel> <hex_frame>` — Inject raw frame
- `zigbee_replay` — Replay captured frames
- `zigbee_key_sniff [duration]` — Capture transport key exchange
- `zigbee_jam <channel>` — Channel jamming
**Use cases**: Smart home testing, IoT protocol analysis, Zigbee network penetration.
---
### mod_nfc — RFID / NFC
**Hardware**: RC522 (MIFARE) or PN532 (full NFC) via SPI | **Cost**: ~3 EUR | **Complexity**: 3/5
Read, write, clone, and emulate RFID/NFC tags. Supports MIFARE Classic, NTAG, and ISO 14443.
**Commands**:
- `nfc_scan` — Detect tags in range (UID, type, ATQA, SAK)
- `nfc_read <sector> [key]` — Read MIFARE sector
- `nfc_write <sector> <hex> [key]` — Write to sector
- `nfc_clone` — Read tag → store → emulate (UID-level clone)
- `nfc_crack <sector>` — MIFARE Classic key recovery (nested/hardnested)
- `nfc_dump` — Dump full tag contents
- `nfc_emulate <uid>` — Emulate tag UID
**Use cases**: Access card cloning, NFC payment research, badge system testing.
---
### mod_subghz — Sub-GHz Radio (433/868/915 MHz)
**Hardware**: CC1101 module via SPI | **Cost**: ~3 EUR | **Complexity**: 4/5
Sniff, decode, record, and replay sub-GHz radio signals. Targets garage doors, remotes, weather stations, sensors.
**Commands**:
- `subghz_rx <freq_mhz> [modulation]` — Listen on frequency (ASK/FSK/GFSK)
- `subghz_tx <freq_mhz> <hex_data> [repeat]` — Transmit raw data
- `subghz_scan <start_mhz> <end_mhz>` — Frequency scanner (find active freqs)
- `subghz_record <freq_mhz> [duration]` — Record raw signal
- `subghz_replay [speed]` — Replay recorded signal
- `subghz_decode <protocol>` — Decode known protocols (Oregon, LaCrosse, etc.)
- `subghz_bruteforce <freq_mhz> <bits> [delay]` — Brute-force fixed codes
**Use cases**: Garage door testing, remote control analysis, sensor spoofing, ISM band recon.
---
### mod_lora — LoRa Long-Range Mesh
**Hardware**: SX1276/SX1278 module via SPI | **Cost**: ~5 EUR | **Complexity**: 3/5
LoRa-based backup C2 channel and mesh network for long-range, low-bandwidth communication.
**Commands**:
- `lora_start <freq_mhz> [sf] [bw]` — Init LoRa radio (spreading factor, bandwidth)
- `lora_send <hex_data>` — Send raw LoRa packet
- `lora_listen [duration]` — Receive packets
- `lora_mesh_start` — Enable mesh relay mode (multi-hop)
- `lora_c2_enable` — Use LoRa as backup C2 channel
- `lora_range_test` — Ping-pong range measurement
**Use cases**: Backup C2 (1-10 km range), field mesh network, exfiltration when WiFi unavailable.
---
### mod_ir — Infrared TX/RX
**Hardware**: IR LED + IR receiver (VS1838B) | **Cost**: ~1 EUR | **Complexity**: 2/5
Capture, decode, and replay infrared remote signals. Universal remote functionality.
**Commands**:
- `ir_learn [timeout]` — Record IR signal from any remote
- `ir_send <protocol> <code>` — Send known protocol (NEC, Sony, RC5, Samsung)
- `ir_replay` — Replay last captured signal
- `ir_scan` — Brute-force common power codes (TV-B-Gone style)
- `ir_raw_send <timing_data>` — Send raw pulse/space timing
**Use cases**: TV/AC control, IR protocol analysis, physical access (some locks use IR).
---
### mod_espnow_swarm — Coordinated ESP-NOW Swarm
**Hardware**: Additional ESP32 agents | **Cost**: 0 EUR per agent | **Complexity**: 4/5
Coordinate multiple Espilon agents via ESP-NOW for distributed operations. Mesh-aware task distribution.
**Commands**:
- `swarm_discover` — Find nearby Espilon agents
- `swarm_broadcast <command>` — Send command to all agents
- `swarm_assign <agent_id> <command>` — Targeted task assignment
- `swarm_sync` — Synchronize clocks for coordinated actions
- `swarm_scan_distributed <target>` — Parallel network scanning from multiple positions
- `swarm_relay <agent_id>` — Use agent as relay for out-of-range C2
**Use cases**: Distributed WiFi scanning, coordinated deauth, coverage extension, multi-angle recon.
---
### mod_tpms — Tire Pressure Monitoring
**Hardware**: CC1101 (315 or 433 MHz) | **Cost**: ~3 EUR | **Complexity**: 3/5
Sniff and spoof TPMS sensors at 315/433 MHz. Vehicle identification via unique sensor IDs.
**Commands**:
- `tpms_listen [duration]` — Capture TPMS broadcasts
- `tpms_decode` — Show decoded sensor data (pressure, temp, ID)
- `tpms_track <sensor_id>` — Track specific vehicle presence
- `tpms_spoof <sensor_id> <pressure> <temp>` — Inject fake reading
**Use cases**: Vehicle tracking via TPMS IDs, TPMS protocol research.
---
## USB & HID
### mod_badusb — USB HID Injection
**Hardware**: ESP32-S2 or ESP32-S3 (native USB) | **Cost**: 0 EUR | **Complexity**: 3/5
Keystroke injection attack via USB HID. Triggered remotely from C2.
**Commands**:
- `badusb_run <payload_name>` — Execute named payload
- `badusb_type <text>` — Type arbitrary text
- `badusb_key <combo>` — Send key combo (e.g., `WIN+R`, `CTRL+ALT+DEL`)
- `badusb_delay <ms>` — Wait between keystrokes
- `badusb_upload <script>` — Upload Ducky Script payload
- `badusb_list` — List stored payloads
- `badusb_os_detect` — Detect target OS via timing analysis
**Use cases**: Physical access exploitation, credential harvesting, reverse shell deployment.
---
### mod_rubber_ducky — Ducky Script Interpreter
**Hardware**: ESP32-S2/S3 | **Cost**: 0 EUR | **Complexity**: 2/5
Full Ducky Script interpreter for scripted USB HID payloads. Companion to mod_badusb.
**Commands**:
- `ducky_load <script>` — Load script from NVS or C2
- `ducky_exec` — Execute loaded script
- `ducky_store <name> <script>` — Save payload to NVS
- `ducky_list` — List stored scripts
---
### mod_usb_mitm — USB Man-in-the-Middle
**Hardware**: ESP32-S3 (dual USB ports) | **Cost**: 0 EUR | **Complexity**: 5/5
Transparent USB proxy: sniff, modify, or inject traffic between host and device.
**Commands**:
- `usb_mitm_start` — Start USB proxy
- `usb_mitm_sniff [class]` — Log traffic (HID, mass storage, etc.)
- `usb_mitm_inject <hex>` — Inject USB packets
- `usb_mitm_filter <rule>` — Modify packets in transit
**Use cases**: USB protocol analysis, keyboard sniffing, mass storage interception.
---
## Hardware Hacking
### mod_jtag — JTAG/SWD Debug Interface
**Hardware**: GPIO wires (no extra module) | **Cost**: 0 EUR | **Complexity**: 4/5
Bit-bang JTAG/SWD for firmware extraction, debug access, and boundary scan on target devices.
**Commands**:
- `jtag_scan` — Detect JTAG chain (IDCODE scan)
- `jtag_read <addr> <size>` — Read memory via debug port
- `jtag_write <addr> <hex>` — Write memory
- `jtag_dump <addr> <size>` — Dump firmware to C2
- `swd_scan` — Detect SWD target
- `swd_read <addr> <size>` — Read via SWD
- `swd_halt` / `swd_resume` — Halt/resume target CPU
**Use cases**: Firmware extraction from IoT devices, bypassing read-out protection, live debugging.
---
### mod_uart_bridge — UART Sniff/Inject
**Hardware**: GPIO wires (no extra module) | **Cost**: 0 EUR | **Complexity**: 2/5
UART bridge: sniff serial console traffic or inject commands. Auto-detect baud rate.
**Commands**:
- `uart_scan [gpio]` — Auto-detect baud rate on GPIO pin
- `uart_listen <baud> <rx_gpio> [duration]` — Sniff UART traffic
- `uart_send <baud> <tx_gpio> <data>` — Send data
- `uart_bridge <baud> <rx> <tx>` — Bidirectional bridge (relay to C2)
**Use cases**: Router console access, IoT device debug ports, embedded system exploitation.
---
### mod_i2c_scan — I2C Bus Discovery
**Hardware**: GPIO wires | **Cost**: 0 EUR | **Complexity**: 2/5
Scan, read, and write I2C devices. EEPROM dumping and sensor spoofing.
**Commands**:
- `i2c_scan [sda] [scl]` — Discover devices on bus
- `i2c_read <addr> <reg> <len>` — Read registers
- `i2c_write <addr> <reg> <hex>` — Write registers
- `i2c_dump_eeprom <addr> <size>` — Dump EEPROM contents
**Use cases**: EEPROM credential extraction, sensor data manipulation, I2C device enumeration.
---
### mod_spi_flash — SPI Flash Dumper
**Hardware**: SOIC-8 clip + GPIO wires | **Cost**: ~5 EUR | **Complexity**: 3/5
Read/write SPI NOR flash chips (25xx series). In-circuit or off-board.
**Commands**:
- `spi_flash_detect` — Read JEDEC ID, detect chip
- `spi_flash_read <addr> <size>` — Read flash to C2
- `spi_flash_write <addr> <hex>` — Write data
- `spi_flash_erase <addr> <size>` — Erase sectors
- `spi_flash_dump` — Full chip dump
**Use cases**: Firmware extraction, credential recovery, flash image modification.
---
### mod_glitch — Voltage/Clock Glitching
**Hardware**: MOSFET + GPIO (voltage glitch) or clock inject circuit | **Cost**: ~5 EUR | **Complexity**: 5/5
Fault injection: precise voltage or clock glitches to bypass secure boot, skip instructions, or corrupt crypto.
**Commands**:
- `glitch_config <width_ns> <offset_ns> <repeat>` — Set glitch parameters
- `glitch_arm <trigger_gpio>` — Arm, fire on trigger edge
- `glitch_fire` — Manual trigger
- `glitch_sweep <start_ns> <end_ns> <step>` — Automated parameter sweep
**Use cases**: Secure boot bypass, read-out protection defeat, crypto fault injection.
---
## Network & Protocols
### mod_dns — DNS Spoofing & Tunneling
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5
DNS server for spoofing + DNS tunnel for covert data exfiltration through firewalls.
**Commands**:
- `dns_spoof_start <domain> <ip>` — Spoof specific domain resolution
- `dns_spoof_all <ip>` — Redirect all DNS queries to IP
- `dns_spoof_stop` — Stop spoofing
- `dns_tunnel_start <domain>` — Start DNS tunnel (data over TXT/CNAME)
- `dns_tunnel_send <hex>` — Exfiltrate data via DNS
**Use cases**: Pharming, captive portal bypass, firewall evasion, covert exfiltration.
---
### mod_dhcp — DHCP Attacks
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5
DHCP starvation and rogue DHCP server for MitM via gateway redirection.
**Commands**:
- `dhcp_starve [count]` — Exhaust DHCP pool with fake MACs
- `dhcp_rogue_start <gateway_ip> <dns_ip>` — Start rogue DHCP server
- `dhcp_rogue_stop` — Stop rogue server
- `dhcp_discover` — Passive DHCP monitoring
**Use cases**: MitM setup, network disruption, rogue gateway for traffic interception.
---
### mod_mdns — mDNS/Bonjour Discovery
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 2/5
Discover and spoof local services via mDNS (Bonjour, Avahi).
**Commands**:
- `mdns_scan [duration]` — Discover all mDNS services
- `mdns_query <service>` — Query specific service type (_http._tcp, _ssh._tcp, etc.)
- `mdns_spoof <hostname> <ip>` — Spoof mDNS response
- `mdns_register <service> <port>` — Advertise fake service
**Use cases**: Local service enumeration, service spoofing, printer/AirPlay impersonation.
---
### mod_mqtt — MQTT Broker/Client
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5
MQTT client for IoT device interaction + rogue broker for message interception.
**Commands**:
- `mqtt_connect <broker> [user] [pass]` — Connect to broker
- `mqtt_sub <topic>` — Subscribe and stream messages to C2
- `mqtt_pub <topic> <payload>` — Publish message
- `mqtt_enum` — Enumerate all topics (wildcard subscribe)
- `mqtt_broker_start [port]` — Start rogue MQTT broker
- `mqtt_intercept <topic>` — MitM specific topic
**Use cases**: IoT device control, smart home exploitation, message injection, credential sniffing.
---
### mod_coap — CoAP Discovery & Exploitation
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5
CoAP client for constrained IoT device interaction (UDP-based REST).
**Commands**:
- `coap_discover <ip>` — Discover CoAP resources (.well-known/core)
- `coap_get <uri>` — GET resource
- `coap_put <uri> <payload>` — PUT resource
- `coap_observe <uri>` — Subscribe to resource changes
**Use cases**: IoT device enumeration, sensor data extraction, actuator control.
---
### mod_upnp — UPnP/SSDP Discovery
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 2/5
Discover and interact with UPnP devices on the network. Map router port forwards.
**Commands**:
- `upnp_scan` — Discover UPnP devices (SSDP M-SEARCH)
- `upnp_describe <url>` — Get device description XML
- `upnp_port_map <ext_port> <int_ip> <int_port>` — Add port mapping on router
- `upnp_port_list` — List existing port mappings
- `upnp_port_del <ext_port>` — Remove port mapping
**Use cases**: Router exploitation, port mapping for persistence, device enumeration.
---
### mod_socks — SOCKS5 Proxy
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5
Full SOCKS5 proxy running on the agent for network pivoting.
**Commands**:
- `socks_start [port] [auth]` — Start SOCKS5 server
- `socks_stop` — Stop proxy
- `socks_status` — Active connections, bandwidth stats
- `socks_whitelist <ip>` — Allow only specific clients
**Use cases**: Network pivoting, traffic routing through agent, accessing internal networks.
---
### mod_wifi_rogue — Advanced Evil Twin
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 5/5
WPA2-Enterprise Evil Twin with EAP credential interception (EAP-TTLS, PEAP, MSCHAPv2).
**Commands**:
- `rogue_start <ssid> [eap_type]` — Start evil twin with RADIUS
- `rogue_stop` — Stop
- `rogue_creds` — List captured credentials
- `rogue_deauth <bssid> <station>` — Force client reconnection to rogue AP
**Use cases**: Enterprise WiFi credential harvesting, WPA2-Enterprise testing.
---
## Industrial & SCADA
### mod_modbus — Modbus TCP/RTU
**Hardware**: None (TCP) or MAX485 (~2 EUR for RTU) | **Cost**: 0-2 EUR | **Complexity**: 3/5
Modbus protocol for SCADA/ICS reconnaissance and interaction.
**Commands**:
- `modbus_scan <ip_range>` — Discover Modbus TCP devices
- `modbus_read <ip> <unit> <addr> <count> [type]` — Read holding/input registers
- `modbus_write <ip> <unit> <addr> <value>` — Write register
- `modbus_coils <ip> <unit> <addr> <count>` — Read/write coils
- `modbus_enum <ip>` — Enumerate function codes and unit IDs
- `modbus_rtu_scan <baud>` — Scan RTU bus (RS-485)
**Use cases**: SCADA assessment, PLC interaction, industrial network mapping.
---
### mod_bacnet — Building Automation
**Hardware**: None (WiFi/Ethernet) | **Cost**: 0 EUR | **Complexity**: 4/5
BACnet protocol for building automation system interaction (HVAC, lighting, access).
**Commands**:
- `bacnet_discover` — Who-Is broadcast, discover BACnet devices
- `bacnet_read <device> <object> <property>` — Read property
- `bacnet_write <device> <object> <property> <value>` — Write property
- `bacnet_enum <device>` — Enumerate objects on device
**Use cases**: Building automation testing, HVAC control, access system research.
---
### mod_ethernet — Wired Ethernet (W5500)
**Hardware**: W5500 or ENC28J60 SPI module | **Cost**: ~4 EUR | **Complexity**: 3/5
Wired Ethernet connectivity — bypass WiFi isolation, direct LAN access.
**Commands**:
- `eth_start [dhcp|static <ip>]` — Init Ethernet interface
- `eth_status` — Link state, IP config
- `eth_scan` — ARP scan on wired LAN
- `eth_bridge` — Bridge WiFi ↔ Ethernet traffic
**Use cases**: Drop box on wired network, bypass wireless ACLs, physical pentesting.
---
## Exfiltration & Covert Channels
### mod_dns_tunnel — C2 over DNS
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 4/5
Full C2 communication over DNS queries/responses. Bypasses most firewalls.
**Commands**:
- `dns_c2_start <domain> <resolver>` — Start DNS C2 channel
- `dns_c2_stop` — Revert to TCP
- `dns_c2_status` — Throughput, latency stats
**Use cases**: Firewall bypass, restricted network C2, exfiltration through corporate DNS.
---
### mod_icmp_tunnel — C2 over ICMP
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5
Backup C2 channel using ICMP echo request/reply payloads.
**Commands**:
- `icmp_c2_start <server_ip>` — Start ICMP tunnel
- `icmp_c2_stop` — Revert to TCP
- `icmp_exfil <hex_data>` — One-shot data exfiltration
**Use cases**: C2 when TCP is blocked, ping-based covert channel.
---
### mod_audio_exfil — Audio Capture
**Hardware**: INMP441 I2S MEMS microphone | **Cost**: ~3 EUR | **Complexity**: 4/5
Audio recording and optional ultrasonic covert channel for air-gapped data transfer.
**Commands**:
- `audio_record [duration] [quality]` — Record audio, stream to C2
- `audio_level` — Ambient noise level (trigger-based recording)
- `audio_vad_start` — Voice Activity Detection — record only when speaking
- `audio_ultrasonic_tx <hex>` — Transmit data via ultrasound (18-22 kHz)
**Use cases**: Environmental awareness, meeting capture, air-gap bridging.
---
### mod_sdcard — SD Card Storage
**Hardware**: MicroSD module via SPI | **Cost**: ~2 EUR | **Complexity**: 2/5
Local offline storage for dead-drop operations, large data dumps, and logging.
**Commands**:
- `sd_init` — Mount SD card
- `sd_write <filename> <data>` — Write file
- `sd_read <filename>` — Read and stream to C2
- `sd_list` — List files
- `sd_log_start` — Log all C2 traffic to SD
- `sd_space` — Free/total space
**Use cases**: Offline data collection, dead-drop exfiltration, large firmware dumps.
---
## Sensors & Environment
### mod_gps — GPS/GNSS Tracking
**Hardware**: NEO-6M/NEO-7M via UART | **Cost**: ~5 EUR | **Complexity**: 2/5
GPS positioning, geofencing, and location-stamped events.
**Commands**:
- `gps_start` — Begin GPS acquisition
- `gps_position` — Current lat/lon/alt/speed
- `gps_track [interval]` — Stream position to C2
- `gps_geofence <lat> <lon> <radius_m> <action>` — Trigger action on enter/exit
- `gps_log_start` — Log positions to NVS
**Use cases**: Asset tracking, geofenced triggers, location-aware operations.
---
### mod_environment — Environmental Sensors
**Hardware**: DHT22/BME280/PIR/LDR | **Cost**: ~3 EUR | **Complexity**: 1/5
Read temperature, humidity, pressure, motion, and light sensors.
**Commands**:
- `env_read` — Read all connected sensors
- `env_monitor [interval]` — Stream readings to C2
- `env_motion_alert` — Alert C2 on PIR trigger
- `env_trigger <sensor> <threshold> <action>` — Conditional triggers
**Use cases**: Physical security awareness, environmental monitoring, trigger-based activation.
---
### mod_power — Power Management
**Hardware**: TP4056 + LiPo battery | **Cost**: ~5 EUR | **Complexity**: 3/5
Battery management, intelligent deep sleep, and solar charging support.
**Commands**:
- `power_status` — Battery voltage, charging state, estimated runtime
- `power_sleep <seconds>` — Enter deep sleep with wake timer
- `power_sleep_until <gpio_trigger>` — Sleep until GPIO event
- `power_profile <mode>` — Power profiles (aggressive, balanced, stealth)
- `power_schedule <cron> <command>` — Scheduled wake + command execution
**Use cases**: Long-duration deployment, battery-powered field operations, solar-powered persistent presence.
---
### mod_display — OLED/TFT Display
**Hardware**: SSD1306 OLED (0.96") or ST7735 TFT via SPI/I2C | **Cost**: ~3 EUR | **Complexity**: 2/5
Local status display for field operations (no C2 needed to see agent state).
**Commands**:
- `display_text <text>` — Show text on screen
- `display_status` — Show device info, connection state, active module
- `display_qr <data>` — Generate QR code on display
- `display_off` — Turn off (stealth)
**Use cases**: Field status monitoring, debug output, one-way info display.
---
## Crypto & WiFi Attacks
### mod_deauth — 802.11 Deauthentication
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 2/5
Targeted 802.11 deauth for forcing client reconnection (handshake capture setup).
**Commands**:
- `deauth <bssid> <station> [count]` — Targeted deauth
- `deauth_all <bssid> [count]` — Broadcast deauth
- `deauth_continuous <bssid> [interval]` — Persistent deauth
**Use cases**: WPA handshake capture setup, client denial, forced AP migration.
---
### mod_wpa_crack — WPA Handshake Capture
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 4/5
Capture 4-way handshake and attempt dictionary attack with embedded wordlist.
**Commands**:
- `wpa_capture <bssid> [channel] [timeout]` — Wait for handshake (or deauth to force)
- `wpa_crack <bssid> [wordlist]` — Dictionary attack on captured handshake
- `wpa_export <bssid>` — Export handshake as pcap/hccapx to C2
**Use cases**: WiFi security assessment, credential recovery.
---
### mod_pmkid — PMKID Attack
**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 4/5
Capture PMKID from AP without any connected client. Faster than handshake capture.
**Commands**:
- `pmkid_scan [duration]` — Scan APs and capture PMKIDs
- `pmkid_target <bssid>` — Target specific AP
- `pmkid_export` — Export PMKIDs for offline cracking
**Use cases**: WiFi testing without connected clients, faster WPA cracking.
---
### mod_rfcrack — Rolling Code Analysis
**Hardware**: CC1101 via SPI | **Cost**: ~3 EUR | **Complexity**: 5/5
Analyze and attack rolling code systems (garages, car key fobs, gates).
**Commands**:
- `rfcrack_listen <freq>` — Capture rolling code transmissions
- `rfcrack_analyze` — Identify protocol (KeeLoq, etc.)
- `rfcrack_rolljam <freq>` — RollJam attack (jam + capture + replay)
- `rfcrack_desync <freq>` — De-synchronization attack
**Use cases**: Physical security research, rolling code protocol analysis.
---
## Automotive
### mod_lin_bus — LIN Bus
**Hardware**: MCP2004A LIN transceiver | **Cost**: ~3 EUR | **Complexity**: 3/5
LIN bus (Local Interconnect Network) — sub-bus used for windows, seats, mirrors, lights.
**Commands**:
- `lin_start [baud]` — Init LIN transceiver (default 19200)
- `lin_sniff [duration]` — Capture LIN frames
- `lin_send <id> <data_hex>` — Send LIN frame
- `lin_master_start` — Become LIN master (send schedule table)
- `lin_enum` — Enumerate slave nodes
**Use cases**: Automotive body control testing, seat/window/mirror manipulation.
---
### mod_obd_tracker — OBD-II GPS Tracker
**Hardware**: MCP2515 + NEO-6M GPS | **Cost**: ~8 EUR | **Complexity**: 3/5
Autonomous vehicle tracker: logs GPS position + OBD-II data, reports to C2 when connectivity available.
**Commands**:
- `tracker_start [interval]` — Begin tracking (OBD + GPS)
- `tracker_stop` — Stop and upload buffered data
- `tracker_status` — Current position + vehicle stats
- `tracker_geofence <lat> <lon> <radius>` — Alert on geofence breach
- `tracker_trips` — Summarize recorded trips
**Use cases**: Vehicle tracking, fleet monitoring, trip analysis.
---
### mod_flexray — FlexRay Bus
**Hardware**: FlexRay transceiver (TJA1080) | **Cost**: ~15 EUR | **Complexity**: 5/5
FlexRay monitoring for premium vehicles (BMW, Mercedes, Audi). Deterministic, time-triggered protocol.
**Commands**:
- `flexray_listen <channel>` — Monitor FlexRay channel (A or B)
- `flexray_decode` — Decode known frame IDs
- `flexray_status` — Bus state, cycle time, slot info
**Use cases**: Premium vehicle bus analysis, FlexRay protocol research.
---
## Physical Security
### mod_keylogger — PS/2 Keyboard Logger
**Hardware**: PS/2 connector + GPIO wires | **Cost**: ~2 EUR | **Complexity**: 2/5
Hardware keylogger for PS/2 keyboards. Inline transparent interception.
**Commands**:
- `keylog_start` — Begin capturing keystrokes
- `keylog_stop` — Stop and send buffer to C2
- `keylog_dump` — Send current buffer
- `keylog_live` — Stream keystrokes in real-time to C2
**Use cases**: Physical access keystroke capture.
---
### mod_relay — Relay Control
**Hardware**: Relay module (1/2/4 channel) | **Cost**: ~2 EUR | **Complexity**: 1/5
GPIO relay control for physical actuators (doors, power, devices).
**Commands**:
- `relay_on <channel>` — Activate relay
- `relay_off <channel>` — Deactivate relay
- `relay_pulse <channel> <duration_ms>` — Momentary activation
- `relay_schedule <channel> <cron>` — Scheduled activation
**Use cases**: Physical access control, remote power switching, automated triggers.
---
## Priority Matrix
Modules ranked by impact/effort ratio for implementation priority:
| Priority | Module | Why |
|----------|--------|-----|
| **High** | mod_ble | Built-in hardware, zero cost, huge IoT attack surface |
| **High** | mod_deauth | Simple, essential for WiFi assessment workflows |
| **High** | mod_badusb | ESP32-S2/S3 native USB, high impact physical access |
| **High** | mod_uart_bridge | Zero cost, essential for hardware hacking |
| **High** | mod_dns | WiFi only, enables MitM and exfiltration |
| **Medium** | mod_nfc | Cheap hardware, wide applicability (access cards) |
| **Medium** | mod_subghz | CC1101 is cheap, covers huge attack surface |
| **Medium** | mod_mqtt | IoT everywhere, zero additional hardware |
| **Medium** | mod_socks | Pivoting capability, WiFi only |
| **Medium** | mod_gps | Cheap module, enables location-aware operations |
| **Medium** | mod_modbus | SCADA is a growing target, dual TCP/RTU |
| **Medium** | mod_sdcard | Simple, enables offline operations |
| **Low** | mod_lora | Good range but low throughput |
| **Low** | mod_glitch | High complexity, niche use case |
| **Low** | mod_flexray | Expensive hardware, niche vehicles |
| **Low** | mod_usb_mitm | Requires ESP32-S3 dual USB, very complex |
Reference in New Issue View Git Blame Copy Permalink