zigbee_sniff
Presentation
zigbee_sniff passively sniffs ZigBee frames. The target can be narrowed down by channel, PanID and address (the CHANNEL, TARGET_PANID and TARGET parameters respectively), and the module also takes an execution time (TIME parameter) and an optional PCAP file (PCAP_FILE parameter) in which the capture is saved.
Compatible devices
Input parameters
Name | Default value | Possible values | Description
---|---|---|---
INTERFACE | rzusbstick0 | rzusbstickX | Interface to use
TARGET_PANID | | <hexadecimal, 2 bytes> | Targeted PanID
CHANNEL | 13 | <integer> | Targeted channel
TARGET | | <ZigBee address> | Targeted device
TIME | 20 | <integer> | Execution time
PCAP_FILE | | <file path> | Capture file
Output parameters
Name | Possible values | Description
---|---|---
INTERFACE | rzusbstickX | Interface used
CHANNEL | <integer> | Channel used
PCAP_FILE | <file path> | Capture file
Usage
Basic Usage
To sniff on a given channel and PanID, type the following command:
$ mirage zigbee_sniff CHANNEL=12 TARGET_PANID=0x3332
[INFO] Module zigbee_sniff loaded !
[INFO] RZUSBStick: Killerbee firmware in use.
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 00000000000000fffe0000426f6e6a6f757212353d >>
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 0000000000000000426f6e6a6f75722028626973297031bb >>
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 00000000000000fffe0000426f6e6a6f7572128684 >>
^C[INFO] Mirage process terminated !
If you want to export the collected frames to a PCAP file, use the following command:
$ mirage zigbee_sniff CHANNEL=12 TARGET_PANID=0x3332 PCAP_FILE=/tmp/capture.pcap
[INFO] Module zigbee_sniff loaded !
[INFO] RZUSBStick: Killerbee firmware in use.
[SUCCESS] PCAP file successfully loaded (DLT : 195) !
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 00000000000000fffe0000426f6e6a6f757212353d >>
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 0000000000000000426f6e6a6f75722028626973297031bb >>
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 00000000000000fffe0000426f6e6a6f7572128684 >>
^C[INFO] Mirage process terminated !
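The capture above shows application payloads carrying readable text ("Bonjour" appears in the hex data), which is what you look for when auditing whether a network sends unencrypted application data. The following script is an added example, not part of Mirage: it parses the [PACKET] lines printed by zigbee_sniff (assuming the exact line layout shown above) and reports CRC-valid frames whose payload contains printable text.

```python
import re
from typing import Dict, List, Optional

# Matches the "[PACKET]" lines printed by zigbee_sniff (field layout copied from this page).
PACKET_RE = re.compile(
    r"\[PACKET\] \[ CH:(?P<ch>\d+)\|RSSI:(?P<rssi>-?\d+)dBm\|LKI:(?P<lqi>\d+)/\d+\|CRC:(?P<crc>\w+) \] "
    r"<< (?P<kind>.+?) \| srcAddr = (?P<src>0x[0-9a-fA-F]+) \| destAddr = (?P<dst>0x[0-9a-fA-F]+) "
    r"\| destPanID = (?P<pan>0x[0-9a-fA-F]+) \| data = (?P<data>[0-9a-fA-F]+) >>"
)

def parse_packet_line(line: str) -> Optional[Dict]:
    """Parse one [PACKET] line; other log lines ([INFO], [SUCCESS], ...) return None."""
    m = PACKET_RE.search(line)
    if not m:
        return None
    return {
        "channel": int(m["ch"]), "rssi_dbm": int(m["rssi"]), "lqi": int(m["lqi"]),
        "crc_ok": m["crc"] == "OK", "kind": m["kind"],
        "src": int(m["src"], 16), "dst": int(m["dst"], 16), "pan_id": int(m["pan"], 16),
        "data": bytes.fromhex(m["data"]),
    }

def printable_runs(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII in a payload (like `strings`): a cheap cleartext indicator."""
    return [run.decode("ascii") for run in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def cleartext_report(log_lines: List[str]) -> List[Dict]:
    """Flag CRC-valid frames whose payload carries readable text, i.e. unencrypted application data."""
    report = []
    for line in log_lines:
        frame = parse_packet_line(line)
        if frame is None or not frame["crc_ok"]:
            continue  # skip non-packet lines and corrupted frames
        strings = printable_runs(frame["data"])
        if strings:
            report.append({"pan_id": frame["pan_id"], "src": frame["src"],
                           "dst": frame["dst"], "strings": strings})
    return report

# Sample log, copied from the capture shown on this page (one non-packet line included on purpose).
SAMPLE_LOG = [
    "[INFO] RZUSBStick: Killerbee firmware in use.",
    "[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 00000000000000fffe0000426f6e6a6f757212353d >>",
    "[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 0000000000000000426f6e6a6f75722028626973297031bb >>",
]

if __name__ == "__main__":
    for finding in cleartext_report(SAMPLE_LOG):
        print(f"PAN 0x{finding['pan_id']:04x} {finding['src']:#06x} -> {finding['dst']:#06x}: {finding['strings']}")
```

Pipe the module's output into it (`mirage zigbee_sniff ... | python3 report.py`, reading stdin instead of SAMPLE_LOG) to get the same report on a live capture.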
Performing a replay attack
You can also easily perform a replay attack by combining this module with zigbee_inject:
$ mirage "zigbee_sniff|zigbee_inject" zigbee_sniff1.CHANNEL=12 zigbee_sniff1.TARGET_PANID=0x3332 zigbee_sniff1.PCAP_FILE=/tmp/zigbeereplay.pcap zigbee_sniff1.TIME=5
[INFO] Module zigbee_sniff loaded !
[INFO] Module zigbee_inject loaded !
[INFO] RZUSBStick: Killerbee firmware in use.
[SUCCESS] PCAP file successfully loaded (DLT : 195) !
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 00000000000000fffe0000426f6e6a6f757212353d >>
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 0000000000000000426f6e6a6f75722028626973297031bb >>
[PACKET] [ CH:12|RSSI:-55dBm|LKI:255/255|CRC:OK ] << Zigbee - Application Data Packet | srcAddr = 0x0000 | destAddr = 0xFFFF | destPanID = 0x3332 | data = 00000000000000fffe0000426f6e6a6f7572128684 >>
[INFO] Extracting packet stream from PCAP ...
[SUCCESS] PCAP file successfully loaded (DLT : 195) !
[SUCCESS] Packet stream successfully extracted !
[INFO] Injecting ...
[...]