RF Hacking with SDR

Why choose this course?

Learn using Software-Defined Radio applied to security

Compared to courses that only teach how to use public tools, this class is about understanding how those tools work and building proper tools of your own to analyze and attack targeted systems.

All techniques are demonstrated on real use cases encountered in pentests and Red Team engagements. The class also teaches the important steps for dealing with unknown targets, so that the same approach can be applied to future systems.

Contact us to request a quote! Look at the pricing

About the training

With this class, students will learn how to find exciting radio-communications and ways to attack targeted systems:

  • Learn how radio works and about actual technologies using this interface
  • Find and analyze a signal
  • Modulate and demodulate a signal
  • Encode and decode data meant to be transported over-the-air
  • Capture, generate, replay and analyze a signal
  • Interface with a signal using SDR devices and software
  • Acquire basic reflexes for attacking embedded and IoT systems
  • Create your own tools with the GNU Radio framework and its alternatives
  • Learn how to use SDR and classical attacks against mobile 2G/3G/4G, RFID/NFC, LoRa, wireless mice/keyboards/presenters, sub-GHz remotes/alarms, and other similar or custom technologies

Day 1 - RF preliminaries

Day 1 is an introduction to radio: students learn its concepts, the techniques used today to receive and transmit signals, and the constraints we have to deal with in heterogeneous environments:

  • Introduction to Radio
    • History, evolution, and EU regulations
    • Radio waves
    • Digital Signal Processing
    • Software-Defined Radio
    • Antennas
    • Amplifiers and connectors
  • Software-Defined Radio devices
    • Specifications
    • How to choose them
    • A few tips and hacks
  • Observations
    • Waterfall and spectrum analyzers
    • Signal identification
    • Modulation/Demodulation
    • Encoding/Decoding
  • Faraday cages and how to design a very cheap one
  • Use of attenuators and software gain parameters

Day 2 - Hands-on radio

Day 2 puts the student in the Software-Defined Radio playground, where every idea can be written in software, simulated, and then turned into a working receiver or transmitter within the limits of the chosen hardware:

  • Introduction to GNU Radio
  • The Software-Defined Radio processing chain
  • Practice with GNU Radio Companion
    • Block diagrams (flowgraphs)
    • Parameters
    • Generators
    • Sinks and sources
    • Operators
    • Simulations
    • Modules
    • Running a flowgraph on a real SDR device
    • Listening to simple AM and FM signals
    • Transmitting a simple signal
    • Optimizing sample processing
    • Features for processing samples
    • Creating your own block
  • Investigation and handy tools
  • Alternatives to GNU Radio (RedhawkSDR, etc.)

Day 3 - Attacking physical intrusion systems

Day 3 builds on the previous chapters and applies them to physical intrusion systems, with useful tricks for Red Team engagements as well as pentests:

  • Common sub-GHz remotes
    • Introduction
    • Capturing data
    • Replaying saved samples
    • Analyzing samples (manually and with powerful tools)
    • Rolling code security
  • Devices using the mobile network (2G/3G/4G)
    • Introduction
    • Monitoring
    • Mobile security
    • Existing tools
    • Interception techniques
    • Our feedback from missions
    • Tooling with GNU Radio
    • Fuzzing and triggering bugs in 2G, 3G and 4G protocol stacks over-the-air
  • RFID
    • Analyzing radio communications
    • Identifying technologies
    • Tools and techniques to defeat common physical access systems, and methods to study custom systems
  • Some feedback on connected locks
  • Red Team tips

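To make the sub-GHz remote steps above concrete (capture a burst, replay it, analyze the samples), here is an added example that is not part of the course material: a pure-Python envelope (OOK) demodulator and PWM decoder run over synthesised IQ samples. The symbol timings (350 us / 1050 us pulses, PT2262-style 2:1 PWM with a long sync gap), the 100 kS/s sample rate and the 10 kHz carrier offset are assumptions chosen for illustration; with a real capture you would load complex samples from a file instead of calling modulate().

```python
"""OOK/PWM decoding of a sub-GHz fixed-code remote, as captured by an SDR.

Added example: this is not course material from PentHertz. The symbol
timings (350 us short / 1050 us long pulses, 2:1 PWM, a long sync gap)
and the 100 kS/s sample rate are assumptions chosen for illustration.
The IQ samples are synthesised here so the script runs offline; with a
real capture you would load complex samples (for example from a GNU
Radio file sink) and call decode() on them.
"""
import cmath
import math
import random

SAMPLE_RATE = 100_000      # samples per second (assumption)
SHORT = 350e-6             # short pulse, seconds (assumption)
LONG = 3 * SHORT           # long pulse: 1050 us (assumption)
SYNC_GAP = 31 * SHORT      # silence that terminates a frame (assumption)
CODE_BITS = 24


def _pulses(code: int, nbits: int = CODE_BITS):
    """Yield (high_s, low_s) pairs, MSB first: a '0' is a short high
    followed by a long low, a '1' a long high followed by a short low.
    The frame ends with a short high and the sync gap."""
    for i in range(nbits - 1, -1, -1):
        if (code >> i) & 1:
            yield LONG, SHORT
        else:
            yield SHORT, LONG
    yield SHORT, SYNC_GAP


def modulate(code: int, carrier_hz: float = 10_000.0,
             noise: float = 0.05, seed: int = 1) -> list:
    """Return complex baseband samples of one OOK burst (constructed data).
    The remote's carrier shows up as a 10 kHz tone because the SDR is
    assumed to be tuned slightly off-frequency; the PWM envelope keys it
    on and off, and a little Gaussian noise is added."""
    rng = random.Random(seed)
    samples = []
    n = 0
    for high, low in _pulses(code):
        for level, dur in ((1.0, high), (0.0, low)):
            for _ in range(int(round(dur * SAMPLE_RATE))):
                phase = 2 * math.pi * carrier_hz * n / SAMPLE_RATE
                s = level * cmath.exp(1j * phase)
                s += complex(rng.gauss(0, noise), rng.gauss(0, noise))
                samples.append(s)
                n += 1
    return samples


def demodulate(samples, threshold=None) -> list:
    """Envelope-detect and slice: return runs of (is_high, length_in_samples).
    The threshold defaults to the midpoint of the envelope, which is good
    enough for a clean OOK burst; a noisy capture may need a manual value."""
    env = [abs(s) for s in samples]
    if threshold is None:
        threshold = (max(env) + min(env)) / 2
    runs = []
    cur, length = env[0] > threshold, 0
    for v in env:
        is_high = v > threshold
        if is_high == cur:
            length += 1
        else:
            runs.append((cur, length))
            cur, length = is_high, 1
    runs.append((cur, length))
    return runs


def decode(samples):
    """Recover the fixed code from the high-pulse widths.
    Returns the code as an int, or None if no complete frame is found."""
    runs = demodulate(samples)
    short_n = SHORT * SAMPLE_RATE
    i = 1 if runs and not runs[0][0] else 0   # skip leading silence
    bits = []
    while i + 1 < len(runs):
        (h_is_high, h_n), (l_is_high, l_n) = runs[i], runs[i + 1]
        if not h_is_high or l_is_high:
            return None                        # runs must alternate high/low
        if l_n > 8 * short_n:                  # sync gap: end of frame
            break
        bits.append(1 if h_n > 2 * short_n else 0)
        i += 2
    if len(bits) != CODE_BITS:
        return None
    code = 0
    for b in bits:
        code = (code << 1) | b
    return code


if __name__ == "__main__":
    captured = modulate(0xA5C3F0)              # stands in for an SDR capture
    print(hex(decode(captured)))
    # A fixed-code remote is defeated by replay: transmitting the saved
    # samples reproduces the same code, whatever the noise on the capture.
    print(decode(captured) == decode(modulate(0xA5C3F0, seed=2)))
```

The decoder only looks at pulse widths, so the exact carrier offset does not matter as long as the burst sits inside the captured bandwidth; the same envelope-and-slice approach is what you would build as a flowgraph (complex-to-mag, threshold, then a custom block) to analyze an unknown remote. Replay works here precisely because the code is fixed; a rolling-code remote changes the transmitted value on every press, which is why the "Rolling code security" item above needs a different treatment.
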
Day 4 - Unexpected implants, industrial systems, and arsenals

The last day focuses on unexpected implants that vendors have introduced into some technologies, on custom and industrial systems, and on the development of handy radio prototypes to use during a mission:

  • Attacking custom devices
    • Introduction
    • Identification (looking at device references, components, etc.)
    • Sniffing signals
    • Decoding signals
  • nRF devices
    • Introduction
    • Analyzing nRF-based devices such as mice, keyboards, and presenters with GNU Radio
    • Capturing keystrokes
    • Hijacking vulnerable devices
  • LoRa
    • Introduction
    • Detect the bands in use
    • Capture the signal
    • Optimize the interception process
    • Decode data and payloads
    • Security of LoRa
    • Transmit packets
  • Power-Line Communication systems
    • Introduction: data superimposed on your electric line
    • Monitor PLC devices
    • Exploit old and new vulnerabilities in the HomePlug standards
    • Talk to cars and charging stations
    • Take advantage of electric lines that behave like an antenna
  • Hardware hacking
    • Introduction and how it complements RF work
    • Survival and practical reflexes
    • Cheap tools and tricks
    • Radio prototyping arsenal for Red Team tests

The content of private trainings can be arranged depending on your needs. As PentHertz specializes in the RF field, we also provide additional content such as:

  • GPS: spoofing attacks, limits, and defenses
  • Bluetooth: attacks, fuzzing, and defenses
  • Wi-Fi: attacking the different protocols, fuzzing the protocol stack, and analyzing the radio signal
  • RFID/NFC: additional content and advanced techniques with SDR
  • Hardware: additional content in hardware and practice to attack embedded systems
  • etc.

Prerequisites

  • Knowledge of Linux and a programming language such as C, C++, C#, Rust, or Python is necessary
  • Understanding of pentesting (network and applications) or Red Teaming
  • All attendees will need to bring a laptop capable of running a VMware virtual machine (8 GB of RAM is the minimum)
  • Basic knowledge of radio is not mandatory but is a plus

Pricing (prices exclude 20% VAT in France)

Remote Single person
3 600€ for one person

4-day remote live training, including a Full-duplex TX/RX SDR kit, slides, flowgraphs, scripts, and captures. The content can be customized depending on the means and required days for the training.

Contact us!
Remote Private group
3 200€ /attendee
+ possible discount

4-day remote live training, including a Full-duplex TX/RX SDR kit, slides, flowgraphs, scripts, and captures. The content can be customized depending on the means and required days for the training.

An extra discount can be negotiated depending on the number of attendees.

Contact us!
Tailored content

Content can be fully tailored depending on your needs.

Contact us for more information!
