
I am performing some research on IoT test tools and came across the HackRF One which can transmit and receive from 1 MHz to 6 GHz. I therefore think that it can analyze many protocols, but I cannot find a list of them anywhere. Can it for example analyze (and exploit) Zigbee, Z-Wave, LoRaWAN, RFID and NFC? Why is there no list, because there are too many protocols? Is the HackRF a more general sniffer then?

I also came across some specific protocol sniffers, like the Suphacap Z-Wave Sniffer and the Proxmark and so on. What are the advantages of these over the HackRF? Is the best option to start with a HackRF and then when necessary buy specific sniffers according to the needs of the current pentest?

I would like to know this, because then I know which devices to afford for penetration testing.

Maikkeyy
  • Not really an answer, but, one difference is that the One is half-duplex, whereas some others out there offer full-duplex. – multithr3at3d Jan 10 '20 at 01:02
  • Alright, so if there are full-duplex protocols, then the HackRF or the software tools behind it (GNURadio) can't decode it correctly? And then it would be necessary to afford a protocol-specific sniffer, right? – Maikkeyy Jan 10 '20 at 17:02
  • Well, full-duplex means you can transmit and receive simultaneously. So the One won't allow you to actually communicate bi-directionally, just transmit or receive. – multithr3at3d Jan 11 '20 at 03:14
  • Oh okayy, but are there protocols that don't work if there isn't full-duplex communication possible? Or do most of the protocols have two modes (half-duplex or full-duplex) available? I don't understand what the consequences are of the HackRF being half-duplex? Do you have a concrete example of what you cannot do, apart from the fact that you cannot communicate full-duplex? – Maikkeyy Jan 11 '20 at 17:08
  • There's not much more to it. If you are just interested in sniffing, it won't matter. Half-duplex just means you can't transmit and receive at the same time. So there will definitely be protocols that you cannot _communicate_ over, but you will be able to sniff them. – multithr3at3d Jan 12 '20 at 01:54

3 Answers


From sniffing POV, HackRF One as well as many other SDRs give you radio wave processing capabilities. This means that you can tune to a wide band of frequencies and capture the signal. What you do with it then is generally beyond the SDR's scope.

You can always try to process the signal yourself (e.g. with GnuRadio) and write a decoder for the data packets of the corresponding protocol (or use Wireshark if the decoder is already available). With the popularity of HackRF One there are often solutions available to work from, e.g. this Z-Wave tool claims to support it by default.

I have no hands-on experience with protocol-specific sniffers (somebody correct me), but I would expect them to provide the promised feature with little effort, while locking you out of easily doing anything unsupported (e.g. capturing a new/tweaked version of the protocol or tuning to a different frequency than usual).

stuchl4n3k
  • Thank you, this makes it all a lot more clear. So the protocol specific sniffers then probably have already some additional software tools that perform the decoding for you, right? It is an assumption, but in general they do more work for you. And do you have an example of what you meant with: "doing anything unsupported"? – Maikkeyy Jan 10 '20 at 17:08
  • Some sniffers are even capable of hardware decoding. I've updated the answer. – stuchl4n3k Jan 12 '20 at 19:08

Traditional radios work by having electronic circuitry that tunes in only the frequency of interest. The hardware of the radio uses filters and other technologies to modify the signal so that only the desired wave is output. Circuits take care of splitting left and right stereo signals, filtering out side bands, receiving AM or FM, etc.; they ultimately output an analog signal that usually goes to a speaker. This makes a dedicated radio very good at receiving exactly the kind of signal it was designed for, but nothing else.

A Software Defined Radio (SDR) works by receiving a very wide band of the radio spectrum as data, and then processes the data within that band to pick out individual signals. It’s a matter of software to receive AM or FM, to filter out side bands, select bandwidth, etc. An SDR can receive almost anything that can be sent. Similarly, an SDR transmitter can use software to assemble any complex signal needed and output it. The HackRF One is both an SDR receiver and transmitter.

There is a third kind of radio out there: a software controlled radio. These are based on a chip that tunes its radio to a specified frequency chosen by parameters that are passed in. These parameters not only select radio modes such as frequency, AM, FM, etc., but also are designed to interpret the RF signal and directly output the received data. These chips are designed for cheap consumer remotes, and usually include both a receiver and transmitter for installing the same chips in the appliance and its remote control, using the same parameters. These are very inexpensive radios.

As with anything, there are a lot of choices. A HackRF One contains both an SDR transmitter and an SDR receiver, while a typical RTL-SDR is a receiver only. A HackRF One also costs about ten times as much as a good quality RTL-SDR dongle. So if you simply want to study received transmissions, the RTL-SDR is a much more economical choice, and is usually a good starting point.

There are also some inexpensive software controlled radio choices if you need to transmit. The Yardstick One is an RF hacker's tool that contains a software-controlled CC1100 chip, which is manufactured for transmitting and receiving small data messages such as consumer remote controls and IoT data. They cost less than a third of what a HackRF One costs. But they're limited - you can't use them to spoof a GPS signal, for example.

Most people start with a cheap RTL-SDR, because you can discover a tremendous variety of signals for about $20 USD; and the open source software available ranges from “plug and play” to “automatically interpret the data in this signal” to “I’m working on my EE degree.”

The kind of radio people buy next depends on their needs. People often want to transmit next, but are unaware of the very strict rules on radio transmissions. You really have to know what you are doing; an amateur radio license may even be required.

John Deters
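As an added illustration of the point above that receiving AM or FM is "a matter of software" (this is example code written for this page, not from the answer or from any HackRF project): a constructed IQ sample stream is FM- or AM-modulated in software, and the same kind of raw sample stream is then recovered with either a polar discriminator or an envelope detector. The sample rate, tone and deviation are constructed values, not HackRF settings.

```python
"""Software demodulation of an IQ stream (constructed data, no radio needed)."""
import cmath
import math

FS = 200_000          # sample rate in Hz (constructed; not a HackRF parameter)
TONE_HZ = 1_000       # baseband test tone modulated onto the carrier
DURATION_S = 0.05     # 50 ms of complex samples


def fm_iq(tone_hz=TONE_HZ, deviation_hz=5_000, fs=FS, seconds=DURATION_S):
    """Constructed FM baseband: the phase advances with the integral of the tone."""
    n = int(fs * seconds)
    phase, out = 0.0, []
    for i in range(n):
        inst_freq = deviation_hz * math.sin(2 * math.pi * tone_hz * i / fs)
        phase += 2 * math.pi * inst_freq / fs
        out.append(cmath.exp(1j * phase))      # constant modulus, varying phase
    return out


def am_iq(tone_hz=TONE_HZ, depth=0.5, fs=FS, seconds=DURATION_S):
    """Constructed AM baseband: the carrier amplitude follows the tone."""
    n = int(fs * seconds)
    return [complex(1.0 + depth * math.sin(2 * math.pi * tone_hz * i / fs), 0.0)
            for i in range(n)]


def fm_demod(iq, fs=FS):
    """Polar discriminator: phase step between neighbouring samples -> Hz."""
    return [cmath.phase(iq[i] * iq[i - 1].conjugate()) * fs / (2 * math.pi)
            for i in range(1, len(iq))]


def am_demod(iq):
    """Envelope detector: magnitude of each complex sample."""
    return [abs(s) for s in iq]


def tone_estimate(samples, fs=FS):
    """Dominant tone in Hz from zero crossings of the mean-removed signal."""
    mean = sum(samples) / len(samples)
    centred = [s - mean for s in samples]
    crossings = sum(1 for a, b in zip(centred, centred[1:]) if (a < 0) != (b < 0))
    return crossings / 2 / (len(samples) / fs)


if __name__ == "__main__":
    print("FM tone:", round(tone_estimate(fm_demod(fm_iq()))), "Hz")
    print("AM tone:", round(tone_estimate(am_demod(am_iq()))), "Hz")
```

Running the envelope detector on the FM capture returns a flat line, which is the point: the radio only delivers samples, and which demodulator (or protocol decoder) is applied to them is decided entirely in software.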

As said by @stuchl4n3k, HackRF One is an SDR (Software Defined Radio) solution. This means that the whole "protocol" part is done on the software side.

The advantage of such a solution is that it isn't limited to one usage: with HackRF One, one may create:

  • GSM / LTE base station.
  • 433 MHz (garage door) sniffer/emitter.
  • DAB+ (Digital Audio Broadcast) receiver.
  • etc.

The disadvantage is that, to get a fully working analyser, you'll probably have more work to do yourself if your use case isn't covered by open-source GnuRadio software or the like.

binarym
  • Another disadvantage is that the HackRF can only receive a small part of the spectrum at the same time. For some protocols that use a broader spectrum or use frequency hopping, that is not enough. – Josef Jan 10 '20 at 12:21