Skip to content

jeffersoncesarantunes/EW-Verify

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

8 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

EW-Verify

Purple Team adversarial validation suite for Electronic Warfare detection capabilities on Linux.

Platform-Linux Language-C99 License-MIT Status CI CodeQL Docker Tested-on Domain


Etymology & Origin

The name EW-Verify stands for Electronic Warfare Verify β€” it validates whether a Linux system can detect, report, or survive electronic attack scenarios. The "EW" prefix signals a departure from pure host forensics into the electromagnetic and wireless domain, while "Verify" preserves the adversarial validation DNA inherited from K-Verify.

Where K-Verify tests memory-level attack detection (RWX, process hiding, ASLR bypass), EW-Verify tests the RF and wireless attack surface: jamming, spoofing, deauthentication, and spectrum manipulation.


Overview

EW-Verify is a Purple Team adversarial validation tool built to stress-test the detection layer for Electronic Warfare attack scenarios on Linux systems.

It runs controlled adversarial actions in the wireless and electromagnetic spectrum, then cross-references each one against the kernel and RF interfaces that detection tools rely on. Every scenario maps to a MITRE ATT&CK technique or an EW taxonomy classification, and the final report includes a Detection Gap Analysis that points out blind spots nobody's covering.

The tool covers several core areas. It launches deauthentication attacks against test networks and checks whether the kernel's wireless stack (nl80211/cfg80211) reports them. It attempts GPS spoofing and assesses system-side detection (if GPS hardware is present). It floods Bluetooth and Wi-Fi channels and monitors for kernel-level interference signals. It checks RFkill state, wireless regulatory domain constraints, and spectrum congestion indicators. When live detection tools are available (like Wireshark, aircrack-ng suite, or custom SDR-based sensors), it can invoke them for true end-to-end validation. Every scenario is tagged with its MITRE ATT&CK technique ID or EW category, and the detection gap analysis counts how many scenarios no tool covers.


Features

EW-Verify comes with ten adversarial scenarios across the electromagnetic spectrum. You get wireless deauthentication testing via --deauth that sends 802.11 deauth frames and checks kernel detection. GPS spoofing simulation with --gps-spoof validates whether the system or connected applications detect forged NMEA data. Bluetooth attack scenarios with --bt-attack test for flood and pairing-based attacks. Spectrum congestion analysis with --spectrum reads RF signal density indicators. RFkill state verification with --rfkill checks whether the kernel's RF kill switch is engaged. Wi-Fi regulatory domain assessment with --regulatory validates country code and channel restrictions. Aireplay-ng integration with --aireplay runs actual aireplay-ng attacks and checks for detection. There's an SDR readiness check with --sdr that validates whether RTL-SDR or HackRF devices are available and functional. Output goes to a color-coded Purple Team validation matrix on the terminal, and you can also export structured JSON or CSV for your reporting pipeline. The Detection Gap Analysis calls out blind spots where no tool provides coverage. MITRE ATT&CK and EW taxonomy IDs show up in terminal output, JSON, and CSV. There's a Silent JSON mode (--json) that suppresses the banner entirely for CI/CD pipelines. The engine is modular C99 β€” each scenario lives in its own source file. There's an automated unit test suite via make test, a CI/CD pipeline through GitHub Actions, a read-only verification phase that assesses system state without running any attacks, and full child process lifecycle management with a cleanup mode.


MITRE ATT&CK & EW Taxonomy Mapping

Every scenario is mapped to a real MITRE ATT&CK technique or Electronic Warfare category:

Scenario ID Description
DEAUTH_ATTACK T1562.001 Impair Defenses: Disable or Modify Tools
GPS_SPOOF T1557 Adversary-in-the-Middle
BT_FLOOD T1498 Network Denial of Service
SPECTRUM_SCAN EW-ES-001 Electronic Support β€” Spectrum Monitoring
RFKILL_STATE EW-EP-001 Electronic Protection β€” RF Kill Assessment
REGULATORY_CHECK EW-EP-002 Electronic Protection β€” Regulatory Compliance
AIREPLAY_ATTACK T1562.001 Impair Defenses: Disable or Modify Tools
SDR_READINESS EW-ES-002 Electronic Support β€” SDR Capability
WIFI_JAM T1498 Network Denial of Service
CHANNEL_HOP EW-EA-001 Electronic Attack β€” Channel Hopping

Technique IDs are embedded in terminal output, JSON exports, and CSV reports.

Note: IDs prefixed with EW-ES, EW-EP, and EW-EA are extended taxonomy specific to EW-Verify β€” not official MITRE ATT&CK identifiers. They cover electromagnetic spectrum scenarios (Electronic Support, Electronic Protection, Electronic Attack) that MITRE does not currently address. Scenarios with standard MITRE IDs (e.g., T1562.001) map directly to ATT&CK for Enterprise or ICS.


Example Output

        ╔═══════════════════════════════════════════════════════╗
        β•‘     EW-Verify | Purple Team - Electronic Warfare      β•‘
        β•šβ•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•

  ════════════════════════════════════════════════════════════════
    RUN SEQUENCE INITIATED
  ════════════════════════════════════════════════════════════════

  [01/10] DEAUTH_ATTACK    PASS  [EW:βœ”  KS:✘]  T1562.001
  [02/10] GPS_SPOOF        SKIP  (no GPS device)
  [03/10] BT_FLOOD         WARN  (BT not powered)
  [04/10] SPECTRUM_SCAN    WARN  (no wireless interfaces)
  [05/10] RFKILL_STATE     SKIP  (rfkill not available)
  [06/10] REGULATORY_CHECK WARN  (no regulatory info)
  [07/10] AIREPLAY_ATTACK  SKIP  (aireplay-ng not found)
  [08/10] SDR_READINESS    PASS  (SDR tools found, no device)  [EW:βœ”  KS:✘]  EW-ES-002
  [09/10] WIFI_JAM         SKIP  (no jamming tools found)
  [10/10] CHANNEL_HOP      SKIP  (no wireless interface)

  ════════════════════════════════════════════════════════════════
    RESULTS
  ════════════════════════════════════════════════════════════════

  [01/10] DEAUTH_ATTACK      PASS  [EW:βœ”  KS:✘]  T1562.001
  [02/10] GPS_SPOOF          SKIP  [EW:✘  KS:✘]  T1557
  [03/10] BT_FLOOD           WARN  [EW:✘  KS:✘]  T1498
  [04/10] SPECTRUM_SCAN      WARN  [EW:✘  KS:✘]  EW-ES-001
  [05/10] RFKILL_STATE       SKIP  [EW:✘  KS:✘]  EW-EP-001
  [06/10] REGULATORY_CHECK   WARN  [EW:✘  KS:✘]  EW-EP-002
  [07/10] AIREPLAY_ATTACK    SKIP  [EW:✘  KS:✘]  T1562.001
  [08/10] SDR_READINESS      PASS  [EW:βœ”  KS:✘]  EW-ES-002
  [09/10] WIFI_JAM           SKIP  [EW:✘  KS:✘]  T1498
  [10/10] CHANNEL_HOP        SKIP  [EW:✘  KS:✘]  EW-EA-001

  ═════════════════════════════════════════════════════════════════
    FINAL ASSESSMENT
  ════════════════════════════════════════════════════════════════

   [β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–‘β–‘β–‘β–‘β–‘]  5/10  (50%)  adversarial actions succeeded
   [β–ˆβ–ˆβ–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘]  2/10  (20%)  detected by EW-Sensor
   [β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘]  0/10  (0%)  detected by Kernel
   [β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–‘β–‘]  8/10  (80%)  unmonitored gaps (no EW or KS coverage)

   STATUS:  Purple Team Validation Complete
  ════════════════════════════════════════════════════════════════

How It Works

EW-Verify runs in three phases.

Phase 1: Adversarial Execution

Each scenario executes a controlled electronic attack or measurement. DEAUTH_ATTACK sends 802.11 deauthentication frames using iw or aireplay-ng. GPS_SPOOF injects forged NMEA sentences into the GPS device stream. BT_FLOOD floods Bluetooth L2CAP packets. SPECTRUM_SCAN reads signal level indicators from /proc/net/wireless or iw dev. RFKILL_STATE queries /sys/class/rfkill/*. REGULATORY_CHECK reads iw reg get. AIREPLAY_ATTACK runs aireplay-ng in test mode. SDR_READINESS probes for RTL-SDR or HackRF devices via USB. WIFI_JAM floods a target channel with noise frames. CHANNEL_HOP rapidly cycles through Wi-Fi channels while measuring signal changes.

Phase 2: Detection

For every scenario, EW-Verify queries the same kernel and RF interfaces a detection tool would read. On the kernel path, it checks /sys/class/rfkill/, /proc/net/wireless, iw event traces, and dmesg for wireless driver alerts. On the EW sensor path, it checks for spectrum analyzer output, SDR sample captures, or external detector logs. You don't need any external detection tools installed to run EW-Verify. The detection logic is baked directly into EW-Verify's source code: it reads the same interfaces they would and predicts whether they'd fire. If you pass --live, it optionally invokes actual tools (Wireshark, aircrack-ng, custom SDR detectors) for real validation.

Phase 3: Correlation

Results come out as a validation matrix. You get to see whether the adversarial action succeeded, whether each detection tool would detect it, and the MITRE ATT&CK or EW taxonomy ID. There's a summary with progress bars for adversarial success rate, detection coverage, and unmonitored gaps.

Detection Gap Analysis

The final assessment includes a metric called unmonitored gaps β€” scenarios where no detection tool provides coverage. Those are your highest-risk blind spots in the electromagnetic domain.


Build and Run

# Clone the repository
git clone https://github.com/jeffersoncesarantunes/EW-Verify.git
cd EW-Verify

# Build the project
make

# (Optional) Clean rebuild from scratch
make clean && make

# Run the test suite
make test

# Run all scenarios with default terminal output
sudo ./ewverify

# Run all scenarios with silent JSON export (no banner, CI/CD ready)
sudo ./ewverify --json

# Export results to CSV
sudo ./ewverify --csv

# Run a specific module
sudo ./ewverify --deauth
sudo ./ewverify --gps-spoof
sudo ./ewverify --bt-attack
sudo ./ewverify --spectrum
sudo ./ewverify --rfkill
sudo ./ewverify --regulatory
sudo ./ewverify --aireplay
sudo ./ewverify --sdr
sudo ./ewverify --wifi-jam
sudo ./ewverify --channel-hop

# Run with live detection tool integration
sudo ./ewverify --live

# Read-only verification (no adversarial actions)
sudo ./ewverify --verify-only

# Clean up any remaining child processes
sudo ./ewverify --cleanup

# Check available hardware and tools before running
sudo ./ewverify --check-req

External Dependencies

Some scenarios require optional tools. The tool handles missing dependencies gracefully (SKIP), but installing them enables more scenarios:

Tool Required by Install (Arch) Install (Debian/Ubuntu)
iw deauth, regulatory, channel-hop, wifi-jam sudo pacman -S iw sudo apt install iw
rfkill rfkill sudo pacman -S rfkill sudo apt install rfkill
bluetoothctl bt-attack sudo pacman -S bluez bluez-utils sudo apt install bluez bluez-tools
aireplay-ng aireplay, deauth sudo pacman -S aircrack-ng sudo apt install aircrack-ng
mdk4 / mdk3 wifi-jam yay -S mdk4 (AUR) sudo apt install mdk4
gpsd gps-spoof sudo pacman -S gpsd sudo apt install gpsd
rtl_test sdr sudo pacman -S rtl-sdr sudo apt install rtl-sdr
hackrf_info sdr sudo pacman -S hackrf sudo apt install hackrf

πŸ’‘ Run sudo ./ewverify --check-req before executing scenarios to see which tools and hardware are available on your system.

When --json is used alone, the tool skips the banner and terminal output entirely and writes only the JSON report file. This is meant for automated pipelines, cron jobs, and CI/CD integration.


Post-Analysis & Report Viewing

Once reports are generated, you can inspect them right from the terminal:

# View aligned and formatted CSV results (top 15 results)
column -t -s ',' ewverify-report.csv | head -n 16

# Quickly inspect the structured JSON output header
cat ewverify-report.json | head -n 15

Project in Action

Screenshots are reserved for a future visual walkthrough. The images directory contains assets that will be referenced here once the walkthrough is finalized.


Operational Integrity

EW-Verify is designed for controlled adversarial testing. All wireless attacks target test interfaces only β€” never production networks. Child processes are tracked and reaped. The --cleanup mode kills any remaining children. --verify-only does a read-only assessment. There are no persistent system modifications and no lateral movement. Every action is logged transparently. Use in isolated, authorized lab environments only.


Deployment

Requirements

You'll need a Linux kernel 5.x or newer, gcc, make, and root privileges for wireless interface access and RF tests. A wireless adapter supporting monitor mode helps for deauth and jamming scenarios. A UTF-8 compatible terminal is recommended. Optionally you'll want aircrack-ng for --aireplay, bluetoothctl for --bt-attack, and rtl-sdr/hackrf tools for --sdr.


Repository Structure

β”œβ”€β”€ .github/workflows/
β”‚   β”œβ”€β”€ ci.yml
β”‚   └── codeql.yml
β”œβ”€β”€ build/
β”‚   └── obj/
β”œβ”€β”€ docs/
β”‚   β”œβ”€β”€ EW_SCENARIOS.md
β”‚   β”œβ”€β”€ EW_TAXONOMY.md
β”‚   └── EW_VALIDATION_PROTOCOL.md
β”œβ”€β”€ Images/
β”‚   β”œβ”€β”€ ewverify1.png
β”‚   β”œβ”€β”€ ewverify2.png
β”‚   └── ewverify3.png
β”œβ”€β”€ include/
β”‚   β”œβ”€β”€ colors.h
β”‚   β”œβ”€β”€ ewverify.h
β”‚   └── modules.h
β”œβ”€β”€ reports/
β”œβ”€β”€ scenarios/
β”‚   β”œβ”€β”€ deauth.c
β”‚   β”œβ”€β”€ gps_spoof.c
β”‚   β”œβ”€β”€ bt_attack.c
β”‚   β”œβ”€β”€ spectrum.c
β”‚   β”œβ”€β”€ rfkill.c
β”‚   β”œβ”€β”€ regulatory.c
β”‚   β”œβ”€β”€ aireplay.c
β”‚   β”œβ”€β”€ sdr_check.c
β”‚   β”œβ”€β”€ wifi_jam.c
β”‚   └── channel_hop.c
β”œβ”€β”€ src/
β”‚   β”œβ”€β”€ main.c
β”‚   β”œβ”€β”€ utils.c
β”‚   └── verify.c
β”œβ”€β”€ tests/
β”‚   β”œβ”€β”€ .gitkeep
β”‚   └── test_utils.c
β”œβ”€β”€ .clang-format
β”œβ”€β”€ .gitignore
β”œβ”€β”€ LICENSE
β”œβ”€β”€ Makefile
└── README.md

Project in Action

Terminal Matrix

Purple Team validation matrix with MITRE ATT&CK and EW taxonomy references.

Spectrum Analysis

Spectrum congestion and RF signal density assessment output.

Detection Gap Report

Detection Gap Analysis with cross-referenced blind spots in the electromagnetic domain.


Tech Stack

The language is C99. Data sources are /sys, /proc, iw, rfkill, and USB device enumeration. The build tool is GNU Make. The test framework is a custom C test harness. Target platforms are Linux Kernel 5.x and 6.x with wireless and Bluetooth support.


Roadmap

  • Modular C99 engine with deauth, gps, bt, and spectrum modules
  • Verification engine cross-referencing EW sensor and kernel interfaces
  • Color-coded terminal validation matrix
  • JSON/CSV structured export with MITRE ATT&CK and EW taxonomy IDs
  • Detection Gap Analysis (unmonitored blind spots)
  • Silent JSON mode for CI/CD pipelines
  • --verify-only read-only assessment mode
  • RFkill-based detection validation (--rfkill)
  • Regulatory domain enforcement validation (--regulatory)
  • SDR device readiness check (--sdr)
  • Wi-Fi channel hopping detection (--channel-hop)
  • Automated test suite (make test)
  • CI/CD pipeline (GitHub Actions)
  • Hardware requirements check (--check-req)
  • Centralized hardware detection (has_wireless, has_bt, has_gps, has_sdr)
  • Live tool integration (--live)
  • Scenario-level automated tests with interface mocking (/proc, /sys, iw)
  • Map extended taxonomy (EW-ES/EP/EA) to real MITRE ATT&CK for ICS
  • Container-aware scenario execution
  • eBPF-based wireless syscall telemetry

Documentation

Docs-EW-Taxonomy Docs-Scenarios Docs-Validation

About

🐧Purple Team adversarial validation suite for Electronic Warfare detection capabilities on Linux.

Topics

Resources

License

Security policy

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors