Hak5 Signal Owl

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search


The Signal Owl is a hardware product developed by the company Hak5. It is a simple payload-based signals intelligence platform with a unique design for discreet planting or mobile operations on any engagement. The most popular application cases include classic network mapping and basic penetration tests for various wireless technologies.

Initial Setup

When first unboxing the Signal Owl, the device runs a stager firmware that is designed to flash the latest firmware from a USB flash drive. In order to update the Signal Owl, the latest firmware has to be downloaded. Then, the downloaded file must be copied to the root of an EXT4 or FAT32 formatted USB flash drive. It is important not to modify this file. The next step is to plug the USB flash drive into the powered off Signal Owl. Afterwards, the device has to be powered on by a reliable USB source. The upgrade itself takes approximately five to ten minutes and is indicated by a solid red LED light. When finished, the device will reboot, enter Attack Mode and blink slowly, indicating an error running the payload because no payload has been found.


Components of the Signal Owl [Eigene Darstellung]

The Signal Owl is designed to be rapidly deployed in all kinds of environments, allowing it to be an entry point for network analysis and basic wireless attacks in a variety of locations. With a power consumption of 100-200 mAh and the thermally optimized architecture, mobile operations as well as long term deployments, are enabled.


This device features several components of which some may not be visible to the human eye at first sight.

USB Power / Passthrough Plug

The USB power or passthrough plug is used to power the device. It can be powered from any reliable USB source.

USB 2.0 Passthrough Port

The USB 2.0 passthrough port is the port closest to the pigtail. Data and power pass through to that port, allowing for implant operations. If a device such as a keyboard is plugged in between this passthrough port and the power plug is connected to the target computer, the Signal Owl will remain undetected by the operating system. Only the keyboard will be visible on the target computer.

USB 2.0 Host Port

The USB 2.0 host port is the port farthest away from the pigtail. It is connected to the Linux socket of the Signal Owl and supports USB flash drives formatted with FAT32 and EXT4 file systems as well as many Wi-Fi, Bluetooth and other RF transceivers.


The button on the bottom of the device is used to enter Arming Mode and to interact with payloads. It is not pressable without special tools like paperclips.

Status LED

The status LED indicates the current status of the Signal Owl. When it is turned off, it is not visible.

The Signal Owl features a red LED with the following default status indications:

LED Status
Blinking Booting
Solid Mounting external storage / Running upgrade
Single blinking Attack Mode
Double blinking Arming Mode
Slow blinking Error running payload
Fast blinking Select Mode (Deprecated from version 1.0.1 onward)


Modes of Operation

The Signal Owl comes with two modes of operation, Attack Mode and Arming Mode. By default, the device will boot into Attack Mode. In order to access Arming Mode, the button on the bottom of the device has to be pressed while in Attack Mode. It is not recommended to press the button during the boot sequence, as this can possibly brick the device and render it useless. The arming mode is used for firmware updates and shell access, while the attack mode is used to load and execute the payload.

Attack Mode

Attack Mode is the default mode, the Signal Owl boots into. It provides two basic functions, being the payload loading function and the payload execution function.

The payload loading function checks for any USB flash drives plugged into the host port of the device and copies payloads to /root/payload and extensions to /root/payload/extensions on the Signal Owl.

The payload execution function is responsible for executing the payload that is currently stored on the root of the Signal Owl. In case no payload is found, the device will blink slowly, indicating the FAIL status.

Arming Mode

The Arming Mode provides two basic functions, being the firmware update function and the shell access function. The firmware update function checks for any USB flash drives plugged into the host port of the device and copies firmware upgrade files into the internal storage of the device and flashes it. The shell access function starts an open access point with the SSID Owl_xxxx in which xxxx indicates the last two octets of the device's MAC address. Additionally, a SSH server providing access to the shell of the Signal Owl is enabled.

Default Settings

Default settings that are used in order to access the device via SSH are pictured in the table below.

Default Settings
Username root
Password hak5owl
SSID Owl_xxxx
IP Address

SSH command: ssh root@

The SSID during Arming Mode is Owl_xxxx in which xxxx indicates the last two octets of the devices MAC address.


Arming Mode connection

Step-by-step guide for accessing the arming mode

  1. Click on the button located on the bottom of the Signal Owl while it is in attack mode. After pressing the button, the signal owl enters the arming mode and provides an open access point with the name Owl xxxx (where xxxx stands for the last two digits of the MAC address of the device).
  2. Connect to the access point.
    Armingmode.png[Eigene Darstellung]
  3. Now you can connect via ssh by using the default settings.
  4. After successful connection, you will end up in the root directory.
    ArmingmodeSSH.png[Eigene Darstellung]
  5. Now you can change the files and directories on the Signal Owl to view results, transfer payloads and extensions or to make further changes.

Directory Structure

The following directory tree shows the directory structure of the Signal Owl.

├── loot
└── payload/
    └── extensions
  • Loot - Directory where the Signal Owl saves loot while executing payloads that produce loot.
  • Payload - This directory holds the current payload.
  • Extensions - This directory holds all extensions.

Adding Payloads and Extensions

Adding a payload can be done in two different ways. Either with a USB flash drive or via the Signal Owl access point to the internal storage of the device.

When booting, payloads on USB flash drives are given priority and will override payloads stored on the Signal Owl. To successfully copy a payload to the Signal Owl, the payload must be named payload.txt or payload.sh and it has to be placed in the root directory of the flash drive. Similarly, payload extensions should be stored in a /extensions directory on the flash drive.

In addition, it is possible to transfer payloads and payload extensions to the device via the Signal Owl access point in arming mode using SSH. There they are stored in the /root/payload directory and Payload Extensions are stored in the /root/payload/extensions directory.

Payload Development

Payloads for the Signal Owl are written in bash with Ducky Script and can be created with any standard text editor. All payloads should begin with an interpreter directive, like the shebang #!/bin/bash for bash payloads and payloads must be named either payload.txt or payload.sh. In order to create effective payloads, the Signal Owl comes with several preinstalled penetration testing tools. These are as follows: Nmap, Aircrack-ng, MDK4 and Kismet.


• Kismet - detector for wireless networks and devices.

• MDK4 - Wi-Fi testing tool.

• Aircrack-ng Suite - a complete suite of tools for WiFi network security assessment.

• Nmap - open source utility for network discovery and security auditing.

Hak5 offers ready-to-use payloads and payload extensions on their GitHub repository.

Implant / mobile operations

Implant operations

During long term wireless engagements, the Signal Owl may be planted inline between any typical 5V USB power source. This may be useful in situations where ports are occupied, or to deter the unit from being unplugged.

Mobile operations

The Signal Owl features a low power consumption profile, with a typical power draw averaging 100-200 mAh. Additionally, it is thermally optimized for long term deployments in many indoor environments. One can expect a large 20,000 mAh USB battery bank to operate the unit for up to 4 days.

Use Cases

The Signal Owl has a variety of different use cases. Among the most popular ones are classical network mapping and wardriving as well as basic penetration tests for different wireless technologies.

Fake Beacon Flooding Attack

The Fake Beacon Flooding Attack is one possible use case for the Signal Owl. With that attack, fake beacon frames are broadcasted to nearby devices. Beacon Frames include various parameters like the SSID, the type of encryption used and timestamps. This results in the creation of multiple fake Wi-Fi networks. Devices with Wi-Fi browsers are then flooded with these fake networks, causing potential network scanner and driver crashes. Furthermore, the attack may prevent legitimate users from finding their networks and lead to denial of service. The preinstalled tools Aircrack-ng and MDK4 were used to create this payload. After powering on the device, multiple fake networks with random SSIDs are generated and broadcasted to all nearby devices.


sleep 10
airmon-ng check kill
sleep 10
#creates monitor mode interface on wirelss card of the Signal Owl
airmon-ng start wlan0
sleep 10
#floods nearby devices with random SSIDs
mdk4 wlan0mon b -a -m -s 500

The results as seen from a victim running a Windows 10 system are pictured in the figure below.

Random SSIDs as seen from a victim Windows 10 client[Eigene Darstellung]

Open AP Nmap Scanner

With the Open AP Nmap Scanner payload, the Signal Owl scans for open access points. If the Signal Owl finds one or more open access points, it connects to them and uses Nmap to scan and analyze them. The results are then stored in the loot directory. For each discovered open access point, the Signal Owl generates a separate results file. This payload has some settings which can be seen in the following listing.

  • NMAP_OPTIONS - Is used to specify the type of Nmap scan.
  • LOOT_DIR - Sets the destination folder for the scan results.
  • MAX_CIDR - Sets the maximum Classless Inter-Domain Routing
  • DEBUG - Specifies if debug information is saved to the payload.log file in the tmp folder.
    • 1 - Debug information is saved.
    • 0 - Debug information is not saved.

The results of a scan with this payload can be seen in the figure below.

OpenAPNmapScannerResult.png[Eigene Darstellung]

Basic Bluetooth Scanner

This payload requires an external Bluetooth adapter, since the Signal Owl does not have Bluetooth built in. The Basic Bluetooth Scanner scans for devices that have Bluetooth enabled and optionally queries them using the hcitool and the info command. This payload does also have some settings, as shown in the listing below.

BT_OUTFILE=`date +%s`.bt.list
BT_INFOFILE=`date +%s`.bt.info   
  • LOOT_DIR - Sets the directory for the scan result.
  • BT_OUTFILE - Sets a file name, in which all detected names and MAC addresses are saved.
  • BT_INFOFILE - Sets a file name, in which the details of the discovered devices are saved if the INTERROGATE variable is set to 1.
  • BTDEV - Specifies the bluetooth device used for scanning.
  • DEBUG - Specifies if debug information is saved to the payload.log file in the tmp folder.
    • 1 - Debug information is saved.
    • 0 - Debug information is not saved.
  • INTERROGATE - Specifies if the detected devices are interrogated.
    • 1 - Detected devices are interrogated
    • 0 - Detected devices are not interrogated

After a successful scan, all detected devices are listed with their names and MAC addresses in the file specified by BT_OUTFILE. If INTERROGATE has been set to 1, a .info file is generated that lists additional details about each scanned device.

WiFi Connect

With the WiFi Connect payload, which can be seen in the following listing, and the wificonnect.sh Payload extension, the Signal Owl can be connected to a nearby network. The SSID and password of the network to which the Signal Owl should connect must be specified in the code. Optionally, the SSH server of the device can be started by removing the hash sign in the code before the corresponding command.


# WiFi Client Setup

# optionally start SSH server
# /etc/init.d/sshd start

The WIFI_CONNECT command executes the wifi_connect.sh payload extension, which is shown in the following listing.


function WIFI_CONNECT() {
    [[ "x$WIFI_INT" == "x" ]] && WIFI_INT=wlan0
    ifconfig $WIFI_INT up;sleep 10
    echo -e "network={\nssid=\"$WIFI_SSID\"\npsk=\"$WIFI_PASS\"\npriority=1\n}">/tmp/wpa-$WIFI_INT.conf
    wpa_supplicant -B -Dnl80211 -i $WIFI_INT -c /tmp/wpa-$WIFI_INT.conf
    while(iwconfig $WIFI_INT | grep Not-Associated); do sleep 1; done
    udhcpc -i $WIFI_INT
export -f WIFI_CONNECT

The payload extension code uses the WIFI_SSID and WIFI_PASS variables of the payload to connect the Signal Owl to the network. With the command export -f WIFI_CONNECT the function WIFI_CONNECT is exported so that it can be called from the payload.

If the SSH server is enabled, any SSH-enabled device can connect to the Signal Owl over the network, even though Attack Mode is enabled. The default settings of the device can be used again for the connection, if they have not been changed yet. However, the IP address in this case is the IP address of the Signal Owl in this network.

Used Hardware

Signal Owl