Pre-loader

Red Team OTA: Physical Intrusion Systems

Why choose this course?

Intrude premises stealthily

This course shows current attacks on RFID, Bluetooth LE, nRF, and Sub-GHz technologies you can encounter today during your pentest and Red Team engagements.

After that, you will be able to tackle many systems, especially if you need to be stealthy.

Contact us to request a quote! Look at the pricing

About the training

Throughout this course, you will discover:

  • Introduction to RFID/NFC, Bluetooth LE, nRF, and Sub-GHz systems
  • Current attacks RFID/NFC systems
  • Opportunities to open when attacking BTLE
  • How to turn nRF devices into bugs
  • Attacks on garage doors
  • And more.

Part 1: RFID/NFC

In this part, we discover the RFID/NFC systems currently in use and ways to analyze but also to attack them with the Proxmark3 device.

Assignment 1: LF targets

  • Identify the technology manually & automatically
  • Decoding manually and automatically
  • Useful tools

Assignment 2: HF MIFARE Classic

  • Cracking sectors with known and unknown keys
  • Analysis
  • Automatic attacks

Assignment 3: HF MIFARE Classic

  • Snooping
  • Cracking keys offline
  • Recovering all blocks

Assignment 4: HF MIFARE Ultralight

  • Hotel room cases
  • Cracking pages
  • The different versions
  • Mitigations and bypasses

Assignment 4: HF MIFARE DESFire

  • Emulating ID
  • Cracking weak keys
  • Mitigations and some attacks

ICopy-X

Demonstration with the ICopy-X + comparisons.



Part 2: Bluetooth LE

During pentests or Red Team tests, we can face several physical intrusion systems using Bluetooth LE technology. In this part, we learn how to identify these systems, study the security level, and see our opportunities based on our previous analysis.

Assignment 1: Association

  • Identifying targets
  • Performing MITM on a basic device without security
  • Analyzing the communication

Assignment 2: Injection

  • Manipulation of exchanged data
  • Injecting traffic

Assignment 3: Secured cases

  • Cracking some secured communications
  • Performing MITM
  • Injecting data
  • Rolling code hooking

Further attacks on BT5

  • Scanning
  • Challenges with BT5


Part 3: nRF

Sometimes it is just overkill to enter a room, especially when you can turn a legit mouse or keyboard into a bug. Here we study the case of significant nRF devices and see how we can attack them.

Assignment 1: Capture

  • Scanning devices
  • Capturing traffic
  • Analyzing the traffic

Assignment 2: Injection

  • Sniffing & Injecting keystrokes

Assignment 3: Secure devices

  • Capturing exchanged AES keys to be reused
  • Injecting traffic
  • Further analysis


Part 4: Garage door remotes

When doors are challenging to intrude during the day, some openings exist when attacking garage doors. Therefore, this final part shows how to deal with current systems and have permanent access to intrude on a building from the parking place or any other scenarios.

Assignment 1: Analysis

  • Identifying an interesting signal
  • Demodulating, decoding, and analyzing it

Assignment 2: Replay attack

  • Replaying unsecured commands
  • Fuzzing button pushes

Assignment 3: Secure remotes

  • Dealing with rolling code with various attacks
  • Quick wins
  • Intruding the garage door

De/resync attacks

  • Weak implementations problems


The content of private trainings can be arranged depending on your needs. We also provide additional content as follows:

  • Fuzzing the RFID or Bluetooth LE protocol stacks
  • Hardware attacks in depth on Sub-GHz systems
  • How to build implants
  • etc.
  • Knowledge of Linux administration
  • Basics in programming (like Python, C/C++, Rust, etc.) is always a plus
  • Understanding of pentesting (network and applications) or Red teaming is also a plus
Events hosting our courses

Pricing (prices exclude 20% VAT in France)

Remote Single person
3 600€ for one person

3-day remote live training, including slides, a complete RF kit with targets (Proxmark3, Garage door target and remote, Raspberry Pi 4, RTL-SDR dongle, and RFID targets), scripts/tools, and captures. The content can be customized depending on the means and required days for the training.

Contact us!
POPULAR
Remote Private group
2 000€ /attendee
+ possible discount

3-day remote live training, including slides, a complete RF kit with targets (Proxmark3, Garage door target and remote, Raspberry Pi 4, RTL-SDR dongle, and RFID targets), scripts/tools, and captures. The content can be customized depending on the means and required days for the training.

An extra discount can be negotiated depending on the number of attendees.

Contact us!
Tailored content

Content can be fully tailored depending on your needs.

Contact us for more information!