
ADS-B plotting with Kali (and other SDR goodies)

Recently I wanted to try some Software Defined Radio stuff.   

I had an RTL-SDR, FM+DAB, DVB-T USB Stick Set with RTL2832U & R820T that I got from:

But, even though this dongle would break out FM radio stations and ATC frequencies (like the local Ground Control, tower, and even ATIS), which was cool, it wouldn't break out ADS-B.

Thus, I bought a Vantech Green Mini RTL2832U R820T DVB-T SDR DAB FM USB DIGITAL TV Tuner Receiver RTL-SDR Project + DAB dongle Tuner MCX Input from Amazon, and tried that instead.

This dongle was able to listen to the 1090MHz frequency required for ADS-B (as it goes from 25MHz to 1700MHz).  There were tons of Windows programs out there for breaking out and plotting ADS-B Mode S broadcasts, but not many for Linux.  

For Kali Linux, here's how I got it running and plotting planes around my home:

0) Before you start, run "apt-get update" to ensure you have the most current packages.
1) You'll need libusb 1.0 support, so run "apt-get install libusb-1.0-0-dev".
2) The rtl_sdr that comes with Kali doesn't work with dump1090. You'll need to build rtl-sdr from source.
To do this, follow the instructions at:; in short, you'll need to:
    - #apt-get install cmake (you'll need this as part of the build)
    - #git clone git:// (this will get the rtl-sdr package... be careful... it will be cloned into whatever directory you run the command from)
    - #cd rtl-sdr/
    - #mkdir build
    - #cd build
    - #cmake ../
    - #make
    - #sudo make install
    - #sudo ldconfig
3) Get dump1090 from
(Note, if you have a hard time finding it, you can type "wget h-t-t-p-s:// --no-check-certificate" ....dashes were put in the URL to stop stupid Godaddy formatting. Keep in mind that --no-check-certificate turns off TLS certificate validation for that download.)
    - change to the directory and type "make", and that should be it.
    - to run it, you can just type "./dump1090", and it will print every message it decodes to the terminal.
    - Here's the cool part: "./dump1090 --net" will start up a web server, and you can connect to it with a browser at localhost:8080 to see the aircraft flying!
Below is a screenshot of what this will look like:

Pretty cool stuff!   
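To show what dump1090 is doing with each 112-bit frame it receives, here is an added example (my code, not from this post or from the dump1090 project) that runs the Mode S parity check and pulls the ICAO address and callsign out of a DF17 identification frame. It assumes the "*<hex>;" line format that dump1090 prints with its --raw option, and embeds one published sample frame so it runs without a dongle.

```python
from typing import Optional

MODE_S_POLY = 0x1FFF409  # Mode S generator polynomial, 25 bits (x^24 + x^23 + ... + 1)
# 6-bit character set used by the ADS-B aircraft identification message (TC 1-4)
CALLSIGN_CHARS = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ#####_###############0123456789######"
# Sample DF17 frame (a widely published test vector), embedded so the example
# runs without a dongle; "dump1090 --raw" prints received frames in this form.
SAMPLE_LINE = "*8D406B902015A678D4D220AA4BDA;"


def mode_s_crc(frame: bytes) -> int:
    """CRC-24 remainder used by Mode S: the first 11 bytes of a DF17 frame give
    the parity the transmitter appends, and all 14 bytes of an intact frame give 0."""
    crc = 0
    for byte in frame:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:  # bit 24 set: subtract the generator polynomial
                crc ^= MODE_S_POLY
    return crc & 0xFFFFFF


def parse_dump1090_line(line: str) -> Optional[dict]:
    """Decode one '*<hex>;' line holding a 112-bit DF17 extended squitter.
    Returns None if the line is malformed, not DF17, or fails the parity check
    (bit errors on 1090 MHz are common, so a decoder must never skip it)."""
    line = line.strip()
    if not (line.startswith("*") and line.endswith(";")):
        return None
    try:
        frame = bytes.fromhex(line[1:-1])
    except ValueError:
        return None
    if len(frame) != 14 or frame[0] >> 3 != 17 or mode_s_crc(frame) != 0:
        return None
    me = frame[4:11]  # 56-bit ME field carries the ADS-B payload
    tc = me[0] >> 3   # type code selects the ME layout
    result = {"df": 17, "icao": frame[1:4].hex().upper(), "tc": tc}
    if 1 <= tc <= 4:  # aircraft identification: eight 6-bit characters
        bits = int.from_bytes(me[1:7], "big")
        result["callsign"] = "".join(
            CALLSIGN_CHARS[(bits >> (6 * (7 - i))) & 0x3F] for i in range(8))
    return result


if __name__ == "__main__":
    print(parse_dump1090_line(SAMPLE_LINE))  # ICAO 406B90, callsign EZY85MH_
```

Position (TC 9-18) and velocity (TC 19) messages use other ME layouts and are left to dump1090 itself; the parity check is the part worth reusing, since it is what separates a real frame from noise on the band.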

As a note, here is what worked for me with other stuff:

For FM Radio:
rtl_fm -W -f 89.1M -r 48k -s 200k - | aplay -r 48k -c 1 -f S16_LE

For ATC frequencies (they are actually AM transmissions, and the -M tells rtl_fm to demodulate as AM):
rtl_fm -f 124.2M -M -s 48k | aplay -t raw -r 48k -f S16_LE

Police Scanner (haven't tried this yet, so it may not work):
rtl_fm -N -E -f 154.42M -f 154.75M -f 154.82M -f 154.89M -s 44.1k -o 4 -g 49.2 -l 70 | aplay -r 44.1k -t raw -f S16_LE

Pager Decoder (haven't tried this yet either, so this also may not work):
rtl_fm -N -f 929.77M -s 22.5k -o 4 -g 11.5 -l 250 | multimon -t raw /dev/stdin
(note, I had to "apt-get install multimon" to get that package)

To get a cool scanner, I used "multimode." To install this, I did:
  - I went into the multimode/tags/rel0.1/ directory, and ran "make install"
  - I typed "python" and the GUI came up... SLICK!
(note, I did get a lot of overruns running this, but I think that was an artifact of me running Kali in a VM and not on real hardware. Thus your mileage may vary.)

Also for scanning, the rtlsdr-scanner GUI worked like a champ out of the box with Kali.

Lastly, the gqrx scanner worked GREAT with Kali. I didn't even have to install it. I just used the menu (Applications->Kali Linux->Wireless Attacks->SDR->gqrx). Here's a cool screenshot of that:
