Hak5 Signal Owl

From Embedded Lab Vienna for IoT & Security
Revision as of 14:06, 3 December 2020 by DZiegler (talk | contribs) (Created page with "== Summary == The [https://docs.hak5.org/hc/en-us/categories/360002117953-Signal-Owl Signal Owl] is a payload-based signals intelligence platform. Its unique design allows fo...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search


The Signal Owl is a payload-based signals intelligence platform. Its unique design allows for discreet planting and mobile operations.


The Signal Owl is designed to be rapidly deployed in all kinds of environments, allowing it to be an entry point for network analysis and basic wireless attacks in a variety of locations. With a power consumption of 100-200 mAh and the thermally optimized architecture, mobile operations as well as long term deployments, are enabled.


This device features several components of which some may not be visible to the human eye at first sight.

USB Power / Passthrough Plug

The USB power or passthrough plug is used to power the device. It can be powered from any reliable USB source.

USB 2.0 Passthrough Port

The USB 2.0 passthrough port is the port closest to the pigtail. Data and power pass through to that port, allowing for implant operations. With devices like keyboards plugged plugged inline between this passthrough port and the power plug connected to the target computer, the Signal Owl will remain undetected from the operating system. Only the keyboard will be visible.

USB 2.0 Host Port

The USB 2.0 host port is the port farthest away from the pigtail. It is connected to the Linux socket of the Signal Owl and supports USB flash drives formatted with FAT32 and EXT4 file systems as well as many Wi-Fi, Bluetooth and other RF transceivers.


The button on the bottom of the device is used to enter Arming Mode and to interact with payloads. It is not pressable without special tools like paperclips.

Status LED

The status LED indicates the current status of the Signal Owl. When turned off, it is not visible.

Default Settings

Default settings that are used in order to access the device via SSH are pictured in the table below.

Default Settings
Username root
Password hak5owl
SSID Owl_xxxx
IP Address
SSH command ssh root@

The SSID during Arming Mode is Owl_xxxx in which xxxx indicates the last two octets of the devices MAC address.

LED Status Indications

The Signal Owl features a red LED with the following default status indications:

LED Status
Blinking Booting
Solid Mounting external storage / Running upgrade
Single blinking Attack Mode
Double blinking Arming Mode
Slow blinking Error running payload

Modes of Operation

The Signal Owl comes with two modes of operation, Attack Mode and Arming Mode. By default, the device will boot into Attack Mode. In order to access Arming Mode, the button on the bottom of the device has to be pressed while in Attack Mode. It is not recommended to press the button during the boot sequence as this can possibly brick the device and render it useless.

Attack Mode

Attack Mode is the default mode, the Signal Owl boots into. It provides two basic functions, being the payload loading function and the payload execution function. The payload loading function checks for any USB flash drives plugged into the host port of the device and copies payloads and extensions to the root of the Signal Owl. The payload execution function is responsible for executing the payload that is currently stored on the root of the Signal Owl. In case no payload is found, the device will blink slowly, indicating the FAIL status.

Arming Mode

The Arming Mode provides two basic functions, being the firmware update function and the shell access function. The firmware update function checks for any USB flash drives plugged into the host port of the device and copies firmware upgrade files into the internal storage of the device and flashes it. The shell access function starts an open access point with the SSID Owl_xxxx in which xxxx indicates the last two octets of the devices MAC address. Additionally, a SSH server providing access to the shell of the Signal Owl is enabled.

Initial Setup

When first unboxing the Signal Owl, the device runs a stager firmware that is designed to flash the latest firmware from a USB flash drive. In order to update the Signal Owl, the latest firmware has to be downloaded. Then, the downloaded file must be copied to the root of an EXT4 or FAT32 formatted USB flash drive. It is important not to modify this file. The next step is to plug the USB flash drive into the powered off Signal Owl. Afterwards, the device has to be powered on by a reliable USB source. The upgrade itself takes approximately five to ten minutes and is indicated by a solid red LED light. When finished, the device will reboot, enter Attack Mode and blink slowly, indicating an error running the payload because no payload has been found.

Payload Development

Payloads for the Signal Owl are written in bash with Ducky Script and can be created with any standard text editor. All payloads should begin with an interpreter directive, like the shebang #!/bin/bash for bash payloads and payloads must be named either payload.txt or payload.sh. In order to create effective payloads, the Signal Owl comes with several preinstalled penetration testing tools. These are as follows: Nmap, Aircrack-ng, MDK4 and Kismet.

Adding Payloads

Payloads can be stored on the internal storage of the Signal Owl as well as on a USB flash drive. When booting, payloads on USB flash drives are given priority and will override payloads stored on the Signal Owl. If no payload is found on the external storage and a payload is present on the internal storage, the internally stored payload will be executed. In case no payload is found on both internal and external storage, the Signal Owl will blink slowly.

Random Beacon Flooding Attack

Use Cases

Used Hardware