Skip to content

ADSB Ultrafeeder Beast Mode Detection #13337

New issue
New issue
Open
#13346
Open
ADSB Ultrafeeder Beast Mode Detection#13337
#13346
Assignees
DhiyaneshGeek
Labels
template-contributionNuclei template contribution
@random-robbie

Description

@random-robbie
random-robbie
opened on Sep 21, 2025

Is there an existing template for this?

  • I have searched the existing templates.

Nuclei Template

id: adsb-ultrafeeder-detection

info:
  name: ADSB Ultrafeeder Beast Mode Detection
  author: Random-Robbie
  severity: info
  description: |
    Detects ADSB (Automatic Dependent Surveillance-Broadcast) ultrafeeders running Beast mode protocol on port 30005.

    These devices receive aircraft transponder data via software-defined radio and redistribute it over the internet.
    Commonly used by aviation enthusiasts, flight tracking services, and research institutions.

    Beast mode is a binary protocol that streams real-time aircraft position, altitude, speed, and identification data.
    The protocol uses 0x1A as a start marker followed by message type identifiers (0x31, 0x32, 0x33).
  reference:
    - https://github.com/flightaware/dump1090
    - https://github.com/wiedehopf/readsb
    - https://mode-s.org/decode/content/ads-b/1-basics.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 3.7
    cwe-id: CWE-200
  metadata:
    max-request: 1
    shodan-query: 'port:30005'
    verified: true
  tags: adsb,aviation,ultrafeeder,beast-mode,dump1090,readsb,flight-tracking

tcp:
  - inputs:
      - data: ""
    host:
      - "{{Hostname}}"
    port: 30005
    read-size: 2048

    matchers-condition: and
    matchers:
      - type: binary
        name: beast_mode_messages
        binary:
          - "1a31"  # Beast mode message type 31 (DF 17/18 Extended Squitter)
          - "1a32"  # Beast mode message type 32 (DF 5/21 Surveillance ID Reply)
          - "1a33"  # Beast mode message type 33 (DF 4/20 Surveillance Altitude Reply)
        condition: or

      - type: binary
        name: multiple_markers
        binary:
          - "1a"    # Multiple Beast start markers indicate active feed

    extractors:
      - type: regex
        name: beast_message_types
        internal: true
        regex:
          - "1a(3[1-3])"
        group: 1

      - type: regex
        name: feed_quality
        internal: true
        regex:
          - "(1a)"

      - type: kval
        kval:
          - beast_message_types
          - feed_quality

Relevant dumped responses

[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[adsb-ultrafeeder-detection] [tcp] [info] 192.168.1.169:30005

Anything else?

No response

Metadata

Metadata

Assignees

Labels

template-contributionNuclei template contribution

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions