Full Report
Introduction

Towards the end of last year, I found myself playing around with some basic amplitude modulation (AM)/on-off keying (OOK) software defined radio. That resulted in ooktools being built to help make some of that work easier and to help me learn. A little while ago, the Metasploit project announced new ‘rftransceiver’ capabilities that were added to the framework with a similar goal of making this research easier.

How things fit together

First things first. I had to try and understand how this new functionality actually works. From the Metasploit blog post, it was possible to see that the additions allowed you to communicate with an RFCat-capable device from Metasploit and run modules over a session. A session is started by connecting to a small JSON API (with a Python helper) that bridges HTTP requests to rflib methods.
Analysis Summary
# Tool/Technique: RFCat/rftransceiver Capabilities in Metasploit (and related tools: ooktools, rfcat_msfrelay)
## Overview
This summary details the integration of Software Defined Radio (SDR) capabilities, specifically for Amplitude Modulation (AM)/On-Off Keying (OOK) signal transmission and reception, into the Metasploit Framework via its new `rftransceiver` feature. This integration allows Metasploit to communicate with RFCat-capable SDR devices (like Yard Stick One) through an intermediary hardware bridge built upon the `rfcat` library and custom Python relays (`rfcat_msfrelay`). This setup enables running specialized RF modules directly from Metasploit sessions.
## Technical Details
- Type: Tool/Framework Extension (Leveraging SDR Hardware/Software)
- Platform: Metasploit Framework (Host running Metasploit, interacting with external hardware bridge)
- Capabilities: Communication with RFCat devices, session management over RF hardware, transmission of modulated signals (AM/OOK), RF brute-forcing, signal searching, and frequency jamming.
- First Seen: Metasploit additions announced around March 2017; initial experimentation started late 2016.
## MITRE ATT&CK Mapping
Since this primarily deals with interaction with physical/hardware devices outside typical operating systems, the mapping focuses on capabilities related to hardware manipulation and denial of service.
- **TA0006 - Credential Access** (Applicable if used for brute-forcing proprietary RF authentication)
  - **T1557 - Man-in-the-Middle** (If used to intercept or inject signals into physical systems)
  - *No direct sub-techniques apply based on the analysis provided, but interaction with a physical communication channel is key.*
- **TA0011 - Command and Control** (Establishing a communication channel via non-traditional means)
  - **T1071 - Application Layer Protocol** (Used for the JSON API communication between Metasploit and the relay)
- **TA0003 - Persistence** (If used to maintain control over a physical device/frequency)
- **TA0010 - Exfiltration** (If eavesdropping/signal interception is implied)
- **TA0007 - Discovery** (Signal searching/analysis)
- **T1598 - Spearphishing Link** (Indirectly related to initial access targeting specialized hardware users, less direct)
- **TA0004 - Privilege Escalation** (N/A directly)
- **TA0009 - Collection**
  - **T1119 - Automated Collection** (Automated scanning/brute-forcing of RF signals)
- **TA0014 - Impact**
  - **T1489 - Service Disruption**
    - **T1489.001 - Denial of Service: Network Denial of Service** (Applicable via frequency jamming)
## Functionality
### Core Capabilities
1. **RFCat Communication:** Establishing a session within Metasploit that communicates with an RFCat-capable SDR dongle (e.g., Yard Stick One).
2. **HWBridge Session:** Utilizing an auxiliary module (`auxiliary/client/hwbridge/connect`) to initiate the connection, which relies on an external Python helper script (`rfcat_msfrelay`) running a small JSON API.
3. **API Bridging:** The `rfcat_msfrelay` script translates HTTP requests from Metasploit into calls to `rflib` methods, controlling the SDR hardware.
4. **Signal Transmission (OOK/AM):** Sending basic Amplitude Modulation (AM) or On-Off Keying (OOK) encoded data, including options for raw transmission or automatic Pulse Width Modulation (PWM) encoding.
### Advanced Features
1. **RF Brute Forcing:** Executing the `rfpwnon.rb` module to rapidly transmit signals, aimed at brute-forcing proprietary RF devices.
2. **Signal Searching:** Implementation of a module (`searchsignal`) to scan for, and potentially decode/analyze, PWM encoded keys.
3. **Frequency Jamming:** The `jamsignal` module broadcasts continuous, non-meaningful signals on a specified frequency to disrupt nearby legitimate RF communications (tested on 433 MHz).
4. **Tool Porting:** Migration of capabilities previously found in the standalone `ooktools` project directly into Metasploit modules.
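The PWM encoding mentioned under signal transmission, and the PWM-encoded keys that signal searching looks for, both come down to a fixed symbol alphabet laid over OOK carrier-on/carrier-off chips. The encoder/decoder below is an added example, not code from the post, ooktools or Metasploit; the three-chip alphabet (`110` for a 1 bit, `100` for a 0 bit) is an assumption chosen for illustration, and the decoder shows why idle carrier-off padding around a burst has to be handled before symbols can be split out.

```python
"""PWM-style symbol encoding/decoding over OOK chips (added example).
The 3-chip alphabet is an assumption, not taken from any tool on the page."""

# Assumed alphabet: each data bit becomes three equal-length chips where a
# '1' chip is carrier-on and a '0' chip is carrier-off.
PWM_SYMBOLS = {"1": "110", "0": "100"}
PWM_BITS = {v: k for k, v in PWM_SYMBOLS.items()}
CHIPS_PER_BIT = 3


def pwm_encode(bits: str) -> str:
    """Expand a string of data bits ('0'/'1') into a chip string."""
    if not bits or any(b not in PWM_SYMBOLS for b in bits):
        raise ValueError("data must be a non-empty string of 0/1 characters")
    return "".join(PWM_SYMBOLS[b] for b in bits)


def pwm_decode(chips: str) -> str:
    """Recover data bits from a chip string that may carry idle (all-zero)
    padding before and after the burst.  Raises ValueError on a symbol that
    is not in the alphabet, which is how a search routine rejects noise that
    merely looked like a burst."""
    burst = chips.strip("0")          # drop idle carrier-off time on both sides
    if not burst:
        return ""                      # nothing but idle carrier
    # Every symbol starts with a '1' and ends with at least one '0', so the
    # zeros strip() removed from the last symbol are ambiguous with idle time.
    # Padding back to a whole number of symbols restores them unambiguously.
    burst += "0" * ((-len(burst)) % CHIPS_PER_BIT)
    out = []
    for i in range(0, len(burst), CHIPS_PER_BIT):
        sym = burst[i:i + CHIPS_PER_BIT]
        if sym not in PWM_BITS:
            raise ValueError(f"invalid symbol {sym!r} at chip offset {i}")
        out.append(PWM_BITS[sym])
    return "".join(out)


if __name__ == "__main__":
    key = "1011"                       # constructed sample key
    chips = "000" + pwm_encode(key) + "0000"
    print(chips, "->", pwm_decode(chips))
```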
## Indicators of Compromise
*(Note: this summary focuses on the tools used for RF interaction, not typical malware artifacts. Indicators relate to the execution environment setup.)*
- File Hashes: N/A (Focus is on legitimate/custom tools)
- File Names: `rfcat_msfrelay` (Script used for bridging HTTP to rflib), `transmitter.rb`, `rfpwnon.rb`, `sendook` (custom module), `searchsignal` (custom module), `jamsignal` (custom module).
- Registry Keys: N/A
- Network Indicators: TCP/IP communication on port 8080 (default for `rfcat_msfrelay` API bridge).
- Behavioral Indicators: Execution of Metasploit modules under `post/hardware/rftransceiver/` category; high volume of HTTP traffic directed towards the local bridge IP address (RHOST).
## Associated Threat Actors
- Knowledgeable security researchers or penetration testers leveraging SDR hardware for physical layer testing and RF interaction. (The integration was developed within the Metasploit community context.)
## Detection Methods
- **Signature-based detection:** Detection of execution of the Python script `rfcat_msfrelay`, or of Metasploit modules loaded from the `post/hardware/rftransceiver/` path.
- **Behavioral detection:** Monitoring for outbound/inbound network connections initiating from the Metasploit process to a local API bridge (e.g., port 8080) combined with high-frequency radio transmissions detected by SDR monitoring tools.
- **YARA rules:** Applicable for detecting source code/scripts related to `rfcat_msfrelay` or the custom Metasploit modules hosted on GitHub.
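The behavioral indicator above (a burst of HTTP connections from one host to the bridge port, 8080 by default) can be checked with a sliding-window counter over connection records. The detector below is an added example, not part of the post or of any tool it describes; the log line format, the 10-second window and the threshold of 20 connections are constructed assumptions, and the sample records are made up.

```python
"""Rate-based detector for bursts of connections to the rfcat_msfrelay port
(added example; log format, window and threshold are assumptions)."""
from collections import defaultdict, deque
import re

BRIDGE_PORT = 8080        # default rfcat_msfrelay API port
WINDOW_SECONDS = 10       # assumed sliding window
THRESHOLD = 20            # assumed connections-per-window alert level

# Constructed format: "<epoch_secs> <src_ip>:<src_port> -> <dst_ip>:<dst_port> tcp"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>[\d.]+):\d+\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+tcp$"
)


def detect_bridge_bursts(lines):
    """Return (timestamp, src_ip, dst_ip, count) alerts: one per (src, dst)
    pair, raised the first time its connections to BRIDGE_PORT within
    WINDOW_SECONDS reach THRESHOLD.  Malformed lines are skipped."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps still in window
    alerted, alerts = set(), []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) != BRIDGE_PORT:
            continue
        ts, key = float(m["ts"]), (m["src"], m["dst"])
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:
            q.popleft()           # expire connections outside the window
        if len(q) >= THRESHOLD and key not in alerted:
            alerted.add(key)
            alerts.append((ts, key[0], key[1], len(q)))
    return alerts


# Constructed sample: 25 connections in 5 s from one host, plus two noise lines
SAMPLE_LOG = [
    f"{1489000000 + i * 0.2:.1f} 10.0.0.5:{40000 + i} -> 10.0.0.9:8080 tcp"
    for i in range(25)
] + [
    "1489000003.0 10.0.0.7:51000 -> 10.0.0.9:8080 tcp",   # single, benign
    "1489000004.0 10.0.0.5:52000 -> 10.0.0.9:443 tcp",    # other port, ignored
]

if __name__ == "__main__":
    for ts, src, dst, n in detect_bridge_bursts(SAMPLE_LOG):
        print(f"{ts:.1f} {src} -> {dst}:{BRIDGE_PORT}: {n} conns in {WINDOW_SECONDS}s")
```

Pair the alert with SDR-side monitoring (see RF Monitoring below) before treating it as more than a lead, since any local web service on 8080 will produce the same network pattern.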
## Mitigation Strategies
- **Hardware Isolation:** Ensure sensitive RF environments are physically isolated from machines running SDR control software.
- **Auditing:** Review systems for installations of SDR libraries (`rflib`) and custom relay scripts running persistently.
- **RF Monitoring:** Deploy spectrum analyzers or dedicated monitoring software capable of detecting anomalous OOK/AM signal patterns or consistent jamming signals on target frequencies (e.g., 433 MHz).
## Related Tools/Techniques
- **ooktools:** Precursor tool built by the author for initial AM/OOK testing using SDR.
- **rfcat:** Underlying library/firmware that provides the necessary interface to the SDR hardware (e.g., Yard Stick One).
- **GnuRadio:** Frequently used alongside these tools for visualizing and analyzing raw RF signals (e.g., generating scope plots).
- **Yard Stick One:** Specific SDR hardware confirmed to be compatible and used in testing.