-
Notifications
You must be signed in to change notification settings - Fork 117
/
README.msfrelay
116 lines (95 loc) · 4.39 KB
/
README.msfrelay
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
RfCat MSF Relay
===============
The RfCat MSF Relay is a lightweight webserver that provides
Metasploit Hardware Bridge support. Many of the python methods
are available interfactive from either the Metasploit hwbridge
interactive shell or from Metasploit modules written to support
the rftransceiver extension.
For details on the RFTransceiver extension API see:
http://OpenGarages.org/hwbridge
To download Metasploit: https://www.metasploit.com/
Usage
=====
With a RfCat compatible device plugged into a machine (ie YardStickOne)
run rfcat_msfrelay. It will start a webserver and report
RfCat MSFRelay running.
By default it only listens to localhost and has a default username:password
of msf_relay:rfcat_relaypass. All of these options can be altered via
command line arguments for rfcat_msfrelay. Once running can launch Metasploit.
```
./msfconsole -q
msf > use auxiliary/client/hwbridge/connect
msf auxiliary(connect) > set httpusername msf_relay
httpusername => msf_relay
msf auxiliary(connect) > set httppassword rfcat_relaypass
httppassword => rfcat_relaypass
msf auxiliary(connect) > run
[*] Attempting to connect to 127.0.0.1...
[*] Hardware bridge interface session 1 opened (127.0.0.1 -> 127.0.0.1) at 2017-03-11 17:16:23 -0800
[+] HWBridge session established
[*] HW Specialty: {"rftransceiver"=>true} Capabilities: {"cc11xx"=>true}
[!] NOTICE: You are about to leave the matrix. All actions performed on this hardware bridge
[!] could have real world consequences. Use this module in a controlled testing
[!] environment and with equipment you are authorized to perform testing on.
[*] Auxiliary module execution completed
msf auxiliary(connect) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 hwbridge cmd/hardware rftransceiver 127.0.0.1 -> 127.0.0.1 (127.0.0.1)
msf auxiliary(connect) > sessions -i 1
[*] Starting interaction with 1...
hwbridge > help
Core Commands
=============
Command Description
------- -----------
? Help menu
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
exit Terminate the hardware bridge session
help Help menu
info Displays information about a Post module
irb Drop into irb scripting mode
load Load one or more meterpreter extensions
load_custom_methods Loads custom HW commands if any
reboot Reboots the device. Usually only supported by stand-alone devices
reset Resets the device. Some devices this is a full factory reset
run Executes a meterpreter script or Post module
specialty Hardware devices specialty
status Fetch bridge status information
RFtransceiver Commands
======================
Command Description
------- -----------
baud sets the baud rate
channel sets channel
channel_bw sets the channel bandwidth
deviation sets the deviation
enable_crc enables crc
enable_manchester enales manchester encoding
flen sets the fixed length packet size
freq sets the frequency
idx sets an active idx
maxpower sets max power
modulation sets the modulation
power sets the power level
preamble sets the preamble number
recv receive a packet of data
supported_idx supported USB indexes
sync_word sets the sync word
vlen sets the variable length packet size
xmit transmits some data
hwbridge > run post/hardware/rftransceiver/...
```
Notes
=====
Not all methods have been ported to Metasploit. The typical workflow
is to do your initial research via rfcat and use Metasploit just
for the results of that research. Metasploit works better as an
exploit framework than a research framework. However, if you feel
that there are some useful methods missing that you would want to see,
please file an issue on the Metasploit github page:
https://github.com/rapid7/metasploit-framework