SDR Hardware for Pentesting: Selection and Practical Application
Classical penetration testing tools stop at the digital layer (L2/L3 of the OSI model - Ethernet, IP, transport). Protocols such as 802.11, Bluetooth or cellular networks have their own physical layer, which ordinary network cards simply do not expose. SDR (Software Defined Radio) changes this situation: instead of equipment dedicated to a single protocol, you get a wideband receiver and full control over signal processing. RF intelligence through wideband monitoring with GNU Radio on hardware like the HackRF Pro opens an attack surface that the SIEM will never log. In this article you will find criteria for choosing SDR hardware, an overview of specific devices and a practical comparison for RF audits.
Key Takeaways
| Point | Details |
|---|---|
| Choose hardware by goal | Pick an SDR by analyzing frequency range, sample rate and software compatibility. |
| SDR shows more than SIEM | An SDR-based pentest reveals anomalies and attacks at the RF level, invisible in classical tools. |
| Real case studies | Rayhunter detects cell-site simulators by analyzing QMDL from the cellular modem, while HackRF Pro with GNU Radio lets you audit RF protocols (IoT 433/868 MHz, keyless entry). |
| Pro workflow from spectrum to attack | First build an RF spectrum baseline - only then move to active attack attempts. |
How to choose SDR hardware for radio pentesting
Choosing SDR hardware for pentesting is not just a budget question. Each device has different parameters that directly affect what you can observe and test in the field.
Supported frequency range
The frequency range is the first filter when choosing hardware. Cheap receivers based on the RTL2832U chip typically operate from 500 kHz to 1.7 GHz, which covers most use cases: FM, ADS-B, ISM signals at 433/868 MHz, GSM 900/1800. Professional-class devices, such as the HackRF One or Pro, support a range from 1 MHz to 6 GHz, which gives access to 5G sub-6GHz networks and many industrial protocols. The 5 GHz Wi-Fi band is within hardware reach, but the 20 MSPS bandwidth allows only fragmentary snapshots of a single channel - to fully decode 40/80/160 MHz channels you need a USRP B200-mini or a faster SDR (BladeRF 2.0, USRP X310).
Sample rate and resolution
The sample rate determines the bandwidth you can observe simultaneously. RTL-SDR v3 and v4 reach a stable 2.4 MSPS (millions of samples per second), which gives a view of about 2 MHz of bandwidth. HackRF Pro samples up to 20 MSPS, USRP B200-mini up to 56 MSPS. In practice, a higher sample rate means a wider view of the spectrum and a lower risk of missing short transmissions.
Open source framework support
Good SDR hardware must work with the open source tooling ecosystem. Key platforms are:
GNU Radio: an environment for building signal-processing chains, supports virtually every popular SDR device
SDR# (SDRSharp): quick spectrum preview, a good starting point for RF analysis
GQRX: cross-platform receiver with GNU Radio support
URH (Universal Radio Hacker): analysis and decoding of unknown radio protocols
Inspectrum: visualization and analysis of IQ recordings
Lack of drivers or library support in these tools practically eliminates a device from a professional pentester workflow.
Detection baseline and spectrum observation
The key difference in radio pentesting is that you need not just a receiver, but a process for moving from RF observation (spectrum and IQ data) to test conditions. The detection baseline is a recording of normal RF activity in the target environment: which signals are present, in which bands, at what power and on what schedule. Deviations from this norm point to anomalies, new devices or active attacks.
An example process looks as follows: first you scan a wide band and record IQ data for 15-30 minutes at different times of day. Then you analyze the spectrum for unknown signals and compare them with a protocol database. Only after establishing the baseline do you move on to active tests: replay attacks, protocol fuzzing, deauthentication tests.
SDR hardware is not just a receiver. It is a tool for building RF context, without which active penetration tests at the physical layer are blind action.
Differences between consumer and professional devices
Consumer devices (RTL-SDR, cheap HackRF clones) have higher phase noise, worse input filters and limited transmit capabilities. Professional devices (USRP, LimeSDR) offer lower noise, factory calibration and the ability to operate as a full transceiver (transmit and receive). For most passive audits and spectrum analysis, consumer-grade hardware is sufficient. For active testing, protocol fuzzing or base station emulation, you need hardware with higher dynamic range and frequency stability.

Popular hardware platforms for RF pentesting differ not only in price, but above all in the range of applications and signal quality under demanding field conditions.
Pro tip: before buying, check whether the device has an active community on the rtl-sdr.com forum or GNU Radio Discourse. Lack of community support means no ready-made processing blocks and no help with driver issues.
Top 3 SDR devices used by pentesters
SDR is used in radio pentesting to analyze signals beyond traditional security mechanisms. Below are three devices that actually end up in pentester kits.
HackRF Pro/One with PortaPack H4M Mayhem
HackRF Pro is the current standard in RF pentesting (the successor to HackRF One, which has been discontinued). Operating range from 100 kHz to 6 GHz, with tuning up to 7.1 GHz, which extends the reach compared to the predecessor (One started at 1 MHz). Sample rate of 20 MSPS standard, up to 40 MSPS in oversampling mode. 8-bit IQ with an available 16-bit precision mode for demanding measurements. Pro introduces a built-in TCXO (Temperature Compensated Crystal Oscillator) for significantly better frequency stability, USB-C instead of micro-USB, a dedicated SMA clock port for synchronization with an external clock, plus improved shielding and more FPGA RAM. The mode of operation remains half-duplex. Transmit power up to about +10 dBm at low frequencies (below 30 MHz); in the GHz bands typical TX power drops to 0 to +5 dBm, and above 4 GHz it reaches negative values - when planning active tests in the 2.4/5 GHz bands you need to factor in an external amplifier. The version with the PortaPack H4M Mayhem adds a touchscreen and the ability to operate without a laptop, which matters for field testing.
Pros:
Wide frequency range covering most protocols used in corporate infrastructure
Full transceiver: receive and transmit in a single device
A huge base of ready-made modules in GNU Radio and the Mayhem firmware
Active community and regular software updates
Stand-alone operation with PortaPack, no extra computer needed
Cons:
Sample rate of 20 MSPS is less than USRP for wideband analysis
Higher phase noise compared to USRP-class devices
Higher price than RTL-SDR, though still affordable for individual pentesters
Recommended scenarios: ISM protocol testing, keyless entry analysis, IoT infrastructure testing, GSM monitoring, alarm system audits.
RTL-SDR v4
RTL-SDR v4 is the best entry point into the world of RF pentesting. R828D chip with RTL2832U, range from 500 kHz to 1.75 GHz, sample rate up to 3.2 MSPS (stable at 2.4 MSPS). Version v4 introduces an improved input filter and better thermal stability compared to previous generations.
Pros:
Very low price with good signal quality
Native support in SDR#, GQRX, GNU Radio without extra configuration
Sufficient range for analysis of GSM 900/1800, 433 MHz, ADS-B, FM
Small form factor, USB powered
Cons:
Receive only, no transmit capability
Limited frequency range: no access to 2.4 GHz Wi-Fi or 5 GHz
Higher noise level than HackRF on weak signals
Recommended scenarios: passive RF spectrum monitoring, analysis of 433/868 MHz signals, ADS-B, initial environment analysis before active testing.
USRP B200-mini
The USRP B200-mini is a professional-class device from Ettus Research (National Instruments). Range from 70 MHz to 6 GHz, sample rate up to 56 MSPS, full transceiver with on-board FPGA. The price is significantly higher, but the parameters justify the choice for advanced audits.
Pros:
Highest sample rate in this category: 56 MSPS gives a wide view of the spectrum
Low phase noise and high frequency stability with an external clock
Native support in GNU Radio via the UHD library
Can operate as a full GSM/LTE base station with the right software
Cons:
High price rules it out of budget kits
Requires external power and a laptop, no stand-alone operation
Steep learning curve compared to RTL-SDR
Recommended scenarios: advanced cellular network audits, base station emulation, tests of protocols requiring high signal quality, scientific research and advanced corporate pentests.
Pro tip: for most corporate audits, HackRF Pro is enough. USRP is worth considering when the test scope covers cellular infrastructure or precise control over transmit power and frequency is required.
Comparison of the most popular SDR devices
SDR changes the approach to wireless pentesting: the operator sees raw RF, exposing timing artifacts, broken frames and weak pairing procedures. The table below summarizes the key parameters of the three main devices.
| Parameter | RTL-SDR v4 | HackRF One + PortaPack H4M | USRP B200-mini |
|---|---|---|---|
| Frequency range | 500 kHz - 1.75 GHz | 1 MHz - 6 GHz | 70 MHz - 6 GHz |
| Sample rate (max) | 3.2 MSPS | 20 MSPS | 56 MSPS |
| Mode of operation | Receive only | TX/RX | TX/RX |
| Stand-alone operation | No | Yes (with PortaPack) | No |
| GNU Radio support | Yes | Yes | Yes (UHD) |
| Price tier | Low | Medium | High |
| Main use | Passive monitoring | All-round pentesting | Advanced audits |
Matching hardware to the test scenario
The choice of device should follow from the audit scope. A few key tips:
RF L1 (physical) layer testing: any device suffices for passive observation; active testing requires a transceiver (HackRF or USRP)
Spectrum anomaly detection: RTL-SDR v4 with a wide scan is sufficient for baseline detection in bands up to 1.75 GHz
Testing keyless entry and alarm vulnerabilities: HackRF One with PortaPack enables replay attacks without a laptop
Cellular network audits and cell-site simulator detection: USRP or HackRF with an open cellular stack (srsRAN, Osmocom OsmoBTS/OsmoBSC) for spectrum scanning; Rayhunter separately on a mobile hotspot with a Qualcomm modem for QMDL analysis
ISM 433/868 MHz protocol analysis: RTL-SDR v4 with URH is a sufficient tool
Operating conditions also matter. Field tests require autonomy, so HackRF with PortaPack H4M Mayhem has the edge over a USRP tied to a laptop. In the lab or data center the USRP B200-mini delivers better data quality and a wider observation bandwidth.
When planning a pentester kit it is also worth checking complementary tools for RF audits that round out SDR hardware in a complete audit workflow.
SDR in real audits: application examples
After comparing parameters, time for concrete real-world scenarios. SDR opens up possibilities that classical tools for IP-layer pentests simply do not have.
Detecting downgrade attacks in cellular networks
One of the most interesting use cases is the detection of cell-site simulators (IMSI catchers). These are devices that impersonate a cellular base station and force phones to connect over a weaker protocol (for example from 4G down to 2G), which is vulnerable to interception. Rayhunter from the EFF is open-source software that runs stand-alone on mobile hotspots with a Qualcomm modem (such as the Orbic Speed RC400L, TP-Link M7350) - it parses QMDL (Qualcomm Mobile Diagnostic Log) from the modem chipset and detects anomalies at the metadata level of the LTE/2G protocol: requests for network downgrade, IMSI requests without authentication, and unusual base station behavior.
In audit practice: you run Rayhunter on a compatible hotspot, carry the device through the area being audited for several hours (or install it stationary), and analyze the generated reports for flags. SDR (HackRF, USRP) plays a complementary role in this scenario - with the right software (srsRAN, Osmocom, IMSICatcher Detection in GNU Radio) it scans the raw cellular spectrum and detects unauthorized base stations by atypical transmit power, suspicious ARFCN or PLMN inconsistencies. Rayhunter and SDR are two complementary paths, each with a different detection vector.
Analysis of weak IoT pairing procedures
Many IoT devices use simple 433 or 868 MHz radio protocols with no encryption or with a weak rolling-code implementation. SDR lets you record the pairing transmission, analyze it in URH and identify patterns enabling replay attacks or signal cloning.
Wideband spectrum monitoring for anomalies
In audits of industrial environments (OT/ICS), SDR is used to map the entire RF spectrum in a facility. Unknown signals may indicate unauthorized radio devices, RF-transmitting keyloggers or eavesdropping equipment. A baseline recorded before the audit and compared to the current spectrum exposes every new emission source.
Steps of a simple SDR radio audit
Define the frequency range to monitor (e.g. 400 MHz to 2.5 GHz for a typical corporate environment)
Record an RF spectrum baseline for at least 2 hours during normal working hours
Identify all known signals (Wi-Fi, Bluetooth, DECT, alarm signals)
Document unknown signals: frequency, bandwidth, transmission rhythm
Analyze unknown signals in URH or Inspectrum for frame structure
Run active tests on identified protocols: replay, fuzzing, deauthentication
Document results and vulnerabilities in the audit report
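The baseline-then-compare workflow described in the process above (record normal activity, then flag what exceeds it, then document frequency, bandwidth and transmission rhythm) implemented as an added example; this is not code from the article or from any of the tools it mentions. It assumes the CSV layout that rtl_power and hackrf_sweep write (date, time, hz_low, hz_high, hz_bin_width, num_samples, then one dB value per bin); every sweep line in the block is constructed for illustration, not a real capture.

```python
"""
Added example (not from the article): build an RF spectrum baseline from
power-sweep CSV lines and flag new emissions in later sweeps.

Assumed input format (rtl_power / hackrf_sweep CSV, one sweep per line):
  date, time, hz_low, hz_high, hz_bin_width, num_samples, dB, dB, ...
All sweep lines below are constructed, not real captures.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Emission:
    center_hz: float      # centre of the contiguous run of hot bins
    bandwidth_hz: float   # width of that run
    peak_db: float        # strongest bin in the run (current sweep)
    excess_db: float      # how far the peak sits above the baseline threshold


def parse_sweep_line(line: str) -> Tuple[float, float, List[float]]:
    """Return (hz_low, hz_bin_width, power_db_per_bin) for one CSV sweep line."""
    parts = [p.strip() for p in line.split(",")]
    hz_low, bin_width = float(parts[2]), float(parts[4])
    return hz_low, bin_width, [float(p) for p in parts[6:]]


def build_baseline(sweep_lines: List[str], margin_db: float = 6.0) -> List[float]:
    """Per-bin threshold: loudest power seen in any baseline sweep plus a margin.
    Feed it sweeps spread over the day so scheduled legitimate emitters are inside it."""
    parsed = [parse_sweep_line(l) for l in sweep_lines]
    hz_low, bin_width, first = parsed[0]
    for lo, bw, bins in parsed[1:]:
        if (lo, bw, len(bins)) != (hz_low, bin_width, len(first)):
            raise ValueError("baseline sweeps must share span and resolution")
    return [max(b[i] for _, _, b in parsed) + margin_db for i in range(len(first))]


def _segments(mask: List[bool]) -> List[Tuple[int, int]]:
    """Group consecutive True bins into (start, end) index pairs, end exclusive."""
    segs, start = [], None
    for i, hit in enumerate(mask + [False]):
        if hit and start is None:
            start = i
        elif not hit and start is not None:
            segs.append((start, i))
            start = None
    return segs


def detect_emissions(baseline: List[float], sweep_line: str) -> List[Emission]:
    """Bins above the threshold, merged into emissions with frequency and bandwidth."""
    hz_low, bin_width, power = parse_sweep_line(sweep_line)
    if len(power) != len(baseline):
        raise ValueError("sweep does not match the baseline span")
    mask = [p > b for p, b in zip(power, baseline)]
    found = []
    for s, e in _segments(mask):
        peak = max(range(s, e), key=lambda i: power[i])
        found.append(Emission(center_hz=hz_low + (s + e) / 2 * bin_width,
                              bandwidth_hz=(e - s) * bin_width,
                              peak_db=power[peak],
                              excess_db=power[peak] - baseline[peak]))
    return found


def transmission_rhythm(baseline: List[float], sweep_lines: List[str]) -> Dict[float, float]:
    """Fraction of sweeps in which each anomalous run was active: ~1.0 looks like a
    continuous carrier, a small fraction like a bursty sensor or hand-held remote."""
    parsed = [parse_sweep_line(l) for l in sweep_lines]
    hz_low, bin_width = parsed[0][0], parsed[0][1]
    hits = [[p > b for p, b in zip(bins, baseline)] for _, _, bins in parsed]
    union = [any(h[i] for h in hits) for i in range(len(baseline))]
    return {hz_low + (s + e) / 2 * bin_width: sum(1 for h in hits if any(h[s:e])) / len(hits)
            for s, e in _segments(union)}


# Constructed baseline: 433.0-434.0 MHz in 100 kHz bins; a known continuous
# emitter (say a building sensor) sits at 433.2-433.4 MHz, the rest is noise floor.
BASELINE_SWEEPS = [
    "2024-01-01, 09:00:00, 433000000, 434000000, 100000, 100, -90.0, -91.0, -60.0, -61.0, -89.0, -90.0, -91.0, -90.0, -89.5, -90.5",
    "2024-01-01, 09:00:10, 433000000, 434000000, 100000, 100, -89.0, -90.5, -59.0, -62.0, -90.0, -88.0, -90.0, -91.0, -90.0, -89.0",
    "2024-01-01, 09:00:20, 433000000, 434000000, 100000, 100, -91.0, -89.0, -61.0, -60.0, -88.5, -89.5, -89.0, -90.0, -91.0, -90.0",
]
# Constructed later sweeps: a new bursty emitter at 433.6-433.8 MHz, silent in the third sweep.
CURRENT_SWEEPS = [
    "2024-01-02, 14:00:00, 433000000, 434000000, 100000, 100, -90.0, -90.0, -60.0, -61.0, -89.0, -90.0, -50.0, -52.0, -90.0, -90.0",
    "2024-01-02, 14:00:10, 433000000, 434000000, 100000, 100, -90.0, -90.0, -60.5, -60.0, -90.0, -89.0, -51.0, -53.0, -89.0, -90.0",
    "2024-01-02, 14:00:20, 433000000, 434000000, 100000, 100, -89.5, -90.0, -60.0, -61.0, -89.0, -90.0, -90.0, -91.0, -90.0, -90.0",
    "2024-01-02, 14:00:30, 433000000, 434000000, 100000, 100, -90.0, -89.0, -61.0, -60.0, -90.0, -90.0, -49.0, -51.0, -89.0, -90.0",
]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_SWEEPS)
    for em in detect_emissions(baseline, CURRENT_SWEEPS[0]):
        print(f"new emission at {em.center_hz / 1e6:.3f} MHz, {em.bandwidth_hz / 1e3:.0f} kHz wide, "
              f"peak {em.peak_db} dB ({em.excess_db:.1f} dB above baseline)")
    for f, duty in transmission_rhythm(baseline, CURRENT_SWEEPS).items():
        print(f"{f / 1e6:.3f} MHz active in {duty:.0%} of sweeps")
```

The known sensor at 433.2-433.4 MHz never trips the detector because it was present during the baseline, which is exactly why the baseline must cover the site's normal schedule; the 6 dB margin absorbs ordinary fading and gain drift, and the per-run duty cycle gives the "transmission rhythm" field for the report without any demodulation.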
SDR lets you see what the SIEM misses: RF activity at the physical layer does not generate application logs. The only way to observe it is radio hardware.
It is also worth remembering that the pentesting tools shop offers both SDR hardware and complementary accessories for complete audit kits.
Non-obvious insights: what RF pentester handbooks don't tell you
Most material on SDR in pentesting focuses on a list of devices and their specifications. That is useful, but misses the most important element: the workflow from observation to attack.
Too many pentesters treat SDR exclusively as a receiver for spectrum viewing. They buy an RTL-SDR, open SDR# and stare at the colorful FFT bars. That is not RF pentesting. That is observation. The real value of SDR appears when you start seeing timing artifacts, broken frames and pairing-procedure anomalies that point to specific vulnerabilities.
RF signal detection baseline is underrated. In practice it is the most effective method for actually capturing the attack surface in a client environment. Without a baseline every unknown signal is just a curiosity. With a baseline it becomes potential evidence of an unauthorized device or active attack. Clients who see a report with an RF map of the environment and a list of anomalies grasp the value of a radio audit far better than with a classical IP-layer test report.
What is overrated? The transmit capabilities of cheap HackRF clones. Many devices sold as "HackRF compatible" have an unstable oscillator and high phase noise that prevents precise active testing. They are fine for passive analysis. For replay attacks and protocol fuzzing it is better to invest in an original HackRF Pro or RTL-SDR v4 from a trusted distributor.
What is underrated? The combination of RTL-SDR v4 with a Baofeng UV-5R as a signal reference. The Baofeng UV-5R 8W is an inexpensive transmitter that lets you generate a known reference signal for calibration and range testing of an SDR receiver in the field. It is a simple, cheap and effective method of validating your setup before an audit.
Practical rule: a cheap SDR (RTL-SDR v4) is enough for 80% of audit tasks: passive monitoring, baseline detection, ISM protocol analysis, ADS-B, GSM. Stepping up to HackRF Pro is justified when the test scope requires active testing or coverage of bands above 1.75 GHz. The USRP B200-mini only makes sense for advanced cellular infrastructure audits or research demanding lab-class precision.
One last observation from practice: corporate clients increasingly require the RF layer to be included in audit scope. Regulations such as NIS2 and the growing number of attacks via radio protocols (keyless entry, DECT, Zigbee) mean that RF pentesting is no longer a niche - it is becoming a standard element of comprehensive security testing.
Proven tools and SDR hardware for pentesting
If you are planning to build or expand a kit for RF audits, it is worth starting with proven hardware available from a distributor experienced in the pentesting segment. Sapsan offers a full lineup of SDR devices, from RTL-SDR v4 through HackRF One with PortaPack H4M Mayhem, plus accessories essential for fieldwork.
For field testing, a charger for SDR in the field comes in handy, providing power for the kit during long monitoring sessions away from the lab. The audit kit is rounded out by a Wi-Fi attack detector, which automatically detects deauthentication attacks on the wireless network. The full pentesting hardware lineup is available in the Sapsan shop, with worldwide shipping and fast B2B and B2C order fulfilment. Also check out the SDR collection directly in the shop.
Frequently asked questions
Which SDR device works best for basic wireless testing?
For basic testing, the RTL-SDR v4 works best, providing good signal quality at a low price with broad community support. RF signal analysis beyond traditional security mechanisms is accessible even with this budget device.
Can HackRF One detect attacks on cellular networks?
Yes. HackRF One and Pro with GNU Radio and specialized modules (e.g. srsRAN scanner, Osmocom GSM tools, IMSICatcher detection blocks) enable signal monitoring in cellular bands and detection of anomalies characteristic of cell-site simulators - atypical transmit power, suspicious ARFCNs, PLMN inconsistencies. A complementary tool is Rayhunter, but it does not use SDR - it runs stand-alone on a mobile hotspot with a Qualcomm modem and analyzes QMDL from the modem chipset, applying heuristics that detect network downgrade requests.
Why is the RF signal detection baseline important?
The detection baseline enables detection of unusual behavior and physical-layer attacks before they appear in application logs. An FFT processing chain with HackRF Pro lets you build a precise baseline of RF activity in the environment under audit.
Can SDR replace traditional Wi-Fi pentesting tools?
SDR complements classical tools by letting you observe raw radio phenomena invisible to ordinary network cards. Visibility of raw RF exposes timing artifacts, broken frames and weak pairing procedures, which no standard Wi-Fi pentesting tool will show.
