HackRF as a Purple Team Asset: Passive RF Collection in 2026
The HackRF One remains one of the most versatile tools in the purple team operator's kit in 2026. What started as a $300 hobbyist SDR (software-defined radio) has become a legitimate professional instrument — used by pentesters, red teams, and signal intelligence researchers worldwide.
This post covers how we integrate HackRF into authorized assessments and what the RF landscape looks like heading into mid-2026.
What HackRF Brings to an Engagement
HackRF covers 1 MHz to 6 GHz with half-duplex operation. That range catches:
- Sub-1GHz: 433/915 MHz IoT sensors, key fobs, garage openers, legacy alarm systems
- Cellular bands: GSM, LTE (passive monitoring only, carrier rules apply)
- 2.4 GHz ISM: WiFi preambles, Bluetooth advertisements, ZigBee traffic, baby monitors
- 5.8 GHz: WiFi 802.11ac/ax probes, some drone control links
- TPMS: Tire pressure monitoring systems broadcast plaintext vehicle identifiers
During a physical penetration test, passive RF scanning with HackRF running GQRX or SDR++ gives you a real-time picture of what's broadcasting in a facility before you touch a single cable.
The HackRF-Treasure-Chest Repository
Our HackRF-Treasure-Chest repo (663+ stars) exists because signal captures are reusable intelligence. The collection includes:
- Pre-recorded .iq files for common protocols
- GNU Radio flowgraphs for demodulation
- Scripts for batch scanning and spectrum logging
- Community-submitted captures across industrial, consumer, and specialty bands
Contributors have added everything from gate openers to pager intercepts (in jurisdictions where that's permitted). If you're doing authorized assessments and want baseline captures for comparison, this is a resource.
Workflow: RF Recon Before a Physical Assessment
```shell
# Sweep 300–950 MHz with 8192 Hz FFT bins and log to a dated file.
# hackrf_sweep runs at its fixed sample rate; -w sets the bin width in Hz.
# Without -B the log is CSV text (date, time, hz_low, hz_high, bin_width, num_samples, dB...).
hackrf_sweep -f 300:950 -w 8192 -r /tmp/site_sweep_$(date +%Y%m%d).bin
# Then visualize in inspectrum or feed into rtl_power_fftw for a heatmap
```
A 15-minute sweep of a building exterior tells you:
- Whether wireless access controls are sub-GHz (common in older badge systems)
- What IoT sensors are deployed (unencrypted 433 MHz is still everywhere)
- If any microwave links or point-to-point bridges are present
- Spectrum congestion maps useful for later jamming detection tests
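The sweep log on its own is just a wall of numbers. What a purple team actually wants from it is two things: which bins are hot, and which bins got hotter than the baseline capture taken earlier (a new emitter, or the jamming you are testing detection for). The script below is an added example written for this post, not code from HackRF-Treasure-Chest; it assumes hackrf_sweep's CSV text format (`date, time, hz_low, hz_high, hz_bin_width, num_samples, dB, dB, ...`), the sweep lines embedded in it are constructed rather than real captures, and the band table and thresholds are illustrative values you would tune per site.

```python
"""Summarise hackrf_sweep CSV logs and diff a later sweep against a baseline.

Added example for this post (not part of HackRF-Treasure-Chest).
Assumed log format, one line per sweep segment:
    date, time, hz_low, hz_high, hz_bin_width, num_samples, dB, dB, ...
"""

# Constructed sample logs (not real captures): baseline, then a later sweep
# in which one bin in each ISM band has come alive.
BASELINE = """\
2026-03-01, 09:00:00.000, 433900000, 433940000, 10000.00, 4, -78.2, -77.9, -78.5, -78.1
2026-03-01, 09:00:00.010, 915000000, 915040000, 10000.00, 4, -79.0, -78.8, -79.3, -79.1
"""
LATER = """\
2026-03-01, 09:15:00.000, 433900000, 433940000, 10000.00, 4, -78.0, -42.5, -78.4, -78.3
2026-03-01, 09:15:00.010, 915000000, 915040000, 10000.00, 4, -78.9, -79.0, -50.2, -79.2
"""

# Illustrative band table (ITU Region 1 433 MHz ISM, US 915 MHz ISM).
BANDS = [
    (433_050_000, 434_790_000, "433 MHz ISM"),
    (902_000_000, 928_000_000, "915 MHz ISM"),
]


def parse_sweep(text):
    """Return {bin_center_hz: peak_dB} aggregated over every line in a log."""
    power = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 7:          # malformed or truncated line: skip it
            continue
        hz_low = int(fields[2])
        bin_width = float(fields[4])
        for i, db in enumerate(fields[6:]):
            center = int(hz_low + bin_width * i + bin_width / 2)
            power[center] = max(power.get(center, float("-inf")), float(db))
    return power


def load_sweep(path):
    """Parse a log written by `hackrf_sweep -r <path>` (text mode)."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return parse_sweep(fh.read())


def strong_bins(power, floor_db=-70.0):
    """Bins whose peak power is above the chosen noise-floor threshold."""
    return {hz: db for hz, db in power.items() if db > floor_db}


def new_emitters(baseline, later, delta_db=20.0):
    """Bins that rose by at least delta_db versus the baseline sweep.

    A rise like this means a transmitter that was not on during the baseline,
    or a deliberate jamming source during a detection test.
    """
    return {
        hz: later[hz] - baseline[hz]
        for hz in later
        if hz in baseline and later[hz] - baseline[hz] >= delta_db
    }


def label_band(hz):
    """Name the allocation a bin centre falls in, or 'unassigned'."""
    for lo, hi, name in BANDS:
        if lo <= hz <= hi:
            return name
    return "unassigned"


def report(baseline_text, later_text):
    """Human-readable lines for the sweep comparison."""
    base, late = parse_sweep(baseline_text), parse_sweep(later_text)
    lines = []
    for hz, delta in sorted(new_emitters(base, late).items()):
        lines.append(f"{hz / 1e6:.3f} MHz  +{delta:.1f} dB  ({label_band(hz)})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(BASELINE, LATER)))
```

Run it against the two real files from consecutive sweeps by swapping `parse_sweep(BASELINE)` for `load_sweep("/tmp/site_sweep_<date>.bin")`; the 20 dB delta is deliberately coarse so that normal fading does not trigger it, while a keyfob press or a jamming test shows up clearly.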
Protocol Replay Considerations in 2026
With rolling code systems now standard on automotive and most smart locks, straight replay attacks are largely dead. But static-code legacy systems persist in:
- Industrial facility gate controllers (especially sub-$500 units)
- Older apartment intercom systems
- Parking garage barriers at sub-prime facilities
When scoping an engagement that includes wireless controls, the HackRF lets you verify whether the client has upgraded to rolling code before you even attempt anything active.
Pairing HackRF with Flipper Zero
We maintain the Flipper_Zero repo (1,373+ stars) alongside HackRF-Treasure-Chest because the two tools complement each other perfectly:
| Task | Tool |
|------|------|
| Broadband passive survey | HackRF |
| Protocol decode and replay | Flipper Zero |
| Targeted sub-GHz capture | Both |
| NFC/RFID badge cloning | Flipper Zero |
| Spectrum analysis | HackRF |
Flipper handles the close-proximity, interactive work. HackRF handles the distance scanning and signal capture for later analysis.
Legal and Scope Notes
All RF work we do is within explicit written authorization. The FCC's rules on intentional interference (Part 97, Part 15) apply regardless of your engagement scope. We document every RF activity in the rules of engagement before touching hardware.
If you're building an authorized security program and want to add RF coverage to your assessment methodology, the Treasure Chest repo is a starting point — and our OSINT dashboard tracks current research on wireless attack surfaces.