Difference between revisions of "ZigBee Replay"
Line 1: | Line 1: | ||
== Summary == | == Summary == | ||
After successfully sniffing the Network Key of a ZigBee network as described in [[ZigBee Sniffing]] the next step is to conduct a replay attack by resending the decrypted on/off commands with adjusted counters. | After successfully sniffing the Network Key of a [https://en.wikipedia.org/wiki/Zigbee ZigBee] network as described in [[ZigBee Sniffing]] the next step is to conduct a [https://en.wikipedia.org/wiki/Replay_attack replay attack] by resending the decrypted on/off commands with adjusted counters. | ||
== Requirements == | == Requirements == | ||
* Operating system of attacking host: Kali Linux 64 Bit | * Operating system of attacking host: [https://www.kali.org/downloads/12/ Kali Linux 64 Bit] | ||
** Version 2018.2 | ** Version 2018.2 | ||
* Packages: KillerBee | * Packages: [https://github.com/riverloopsec/killerbee KillerBee] | ||
* Operating system of Raspberry Pi: RaspBee Gateway SD card image Raspbian Jessi RaspBee (Stable) | * Operating system of Raspberry Pi: [https://www.dresden-elektronik.de/funktechnik/solutions/wireless-light-control/raspbee-gw-sd-card-image/?L=1 RaspBee Gateway SD card image Raspbian Jessi RaspBee (Stable)] | ||
** Version 01-2017 | ** Version 01-2017 | ||
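Review bot: On the Raspberry Pi operating system line, the new link text carries over the misspelling "Jessi"; the Raspbian release is named "Jessie", so correct it while the line is being changed. The rest of this hunk only wraps existing terms in links and leaves the wording untouched.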
Line 19: | Line 19: | ||
* <code>zbreplay</code> does not work due to counter queries | * <code>zbreplay</code> does not work due to counter queries | ||
* Python script to log the latest counters and create a packet with updated counters | * [https://en.wikipedia.org/wiki/Python_(programming_language) Python] script to log the latest counters and create a packet with updated counters | ||
** Data is misinterpreted and therefore the FCS and MIC are wrong | ** Data is misinterpreted and therefore the [https://en.wikipedia.org/wiki/Frame_check_sequence FCS] and [https://de.wikipedia.org/wiki/Message_Integrity_Check MIC] are wrong | ||
** Packet is not constructed | ** Packet is not constructed | ||
* [[:File:ZigBeeReplay.pdf|Documentation]] of the conducted project and source code of the python script | * [[:File:ZigBeeReplay.pdf|Documentation]] of the conducted project and source code of the python script | ||
The authors suppose that the misinterpretation of data results from the limited hardware capacities of the Atmel RZ Raven USB stick. | The authors suppose that the misinterpretation of data results from the limited hardware capacities of the [[https://www.microchip.com/developmenttools/ProductDetails/ATAVRRZUSBSTICK Atmel RZ Raven USB stick]. | ||
The solution would be a Software Defined Radio (SDR). | The solution would be a [https://en.wikipedia.org/wiki/Software-defined_radio Software Defined Radio (SDR)]. | ||
The drivers of scapy were only written for the Ettus USRP but the authors were not provided with this SDR. | The drivers of scapy were only written for the [https://www.ettus.com/ Ettus USRP] but the authors were not provided with this SDR. | ||
== Used Hardware == | == Used Hardware == | ||
* Raspberry Pi 3 Model B+ | * [https://www.raspberrypi.org/products/raspberry-pi-3-model-b-plus/ Raspberry Pi 3 Model B+] | ||
* SD card with at least 8 gigabyte of memory | * SD card with at least 8 gigabyte of memory | ||
* Raspbee module | * [https://www.dresden-elektronik.de/raspbee/ Raspbee module] | ||
* Philips Hue light bulb | * [https://www2.meethue.com/de-at/p/hue-white-einzellampe--e27/8718696449578 Philips Hue light bulb] | ||
* Atmel RZ Raven USB stick | * [https://www.microchip.com/developmenttools/ProductDetails/ATAVRRZUSBSTICK Atmel RZ Raven USB stick] | ||
* Kali Linux host | * [https://www.kali.org/downloads/12/ Kali Linux] host | ||
* USB mouse and keyboard | * USB mouse and keyboard | ||
* external monitor | * external monitor |
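Review bot: The Atmel RZ Raven USB stick link in the "The authors suppose" paragraph opens with `[[` but closes with a single `]`, so the rendered page shows a stray `[` before the link text; use a single `[` as the Used Hardware entry for the same stick does. The MIC link also points to de.wikipedia.org while every other Wikipedia link in this hunk uses en.wikipedia.org, so consider linking the English article for consistency.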
Revision as of 09:21, 7 March 2019
Summary
After successfully sniffing the Network Key of a ZigBee network as described in ZigBee Sniffing, the next step is to conduct a replay attack by resending the decrypted on/off commands with adjusted counters.
Requirements
- Operating system of attacking host: Kali Linux 64 Bit
  - Version 2018.2
- Packages: KillerBee
- Operating system of Raspberry Pi: RaspBee Gateway SD card image Raspbian Jessie RaspBee (Stable)
  - Version 01-2017
Authors
- Daniel Tod
- Luca Strobl
Results
- zbreplay does not work due to counter queries
- Python script to log the latest counters and create a packet with updated counters
  - Data is misinterpreted and therefore the FCS and MIC are wrong
  - Packet is not constructed
- Documentation of the conducted project and source code of the Python script
The authors suppose that the misinterpretation of data results from the limited hardware capabilities of the Atmel RZ Raven USB stick. The solution would be a Software Defined Radio (SDR). The scapy drivers were only written for the Ettus USRP, but the authors were not provided with this SDR.
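The two receiver-side checks behind these results, as an added example that is not the project's script: the IEEE 802.15.4 FCS (16-bit ITU-T CRC) and a per-source frame-counter freshness check. The frame layout (2-byte source, 4-byte counter, payload, FCS) and the `Receiver` class are constructed for illustration and are not the real ZigBee header format; MIC verification (AES-CCM*) is omitted.

```python
import struct

def fcs_802154(data: bytes) -> int:
    """IEEE 802.15.4 FCS: CRC-16, x^16 + x^12 + x^5 + 1, init 0, LSB first."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def build_frame(src: int, counter: int, payload: bytes) -> bytes:
    """Constructed toy layout: src (2, LE) | counter (4, LE) | payload | FCS (2, LE)."""
    body = struct.pack("<HI", src, counter) + payload
    return body + struct.pack("<H", fcs_802154(body))

class Receiver:
    """Hypothetical receiver model: drops corrupt frames and stale counters."""
    def __init__(self):
        self.last_counter = {}  # source address -> highest counter accepted

    def check(self, frame: bytes) -> str:
        if len(frame) < 8:
            return "drop: too short"
        body = frame[:-2]
        (fcs,) = struct.unpack("<H", frame[-2:])
        if fcs_802154(body) != fcs:
            return "drop: bad FCS"  # discarded before any higher layer sees it
        src, counter = struct.unpack_from("<HI", body)
        if counter <= self.last_counter.get(src, -1):
            return "drop: stale frame counter"
        # A real stack verifies the MIC here before updating its state.
        self.last_counter[src] = counter
        return "accept"

def demo():
    rx = Receiver()
    original = build_frame(0x1A2B, 100, b"\x01")   # constructed sample frame
    altered = bytearray(original)
    struct.pack_into("<I", altered, 2, 101)        # counter changed, old FCS kept
    return [
        rx.check(original),                        # first sighting
        rx.check(original),                        # byte-for-byte repeat
        rx.check(bytes(altered)),                  # header no longer matches FCS
        rx.check(build_frame(0x1A2B, 101, b"\x01")),  # sender's genuine next frame
    ]

if __name__ == "__main__":
    print(demo())
```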
Used Hardware
- Raspberry Pi 3 Model B+
- SD card with at least 8 gigabytes of memory
- Raspbee module
- Philips Hue light bulb
- Atmel RZ Raven USB stick
- Kali Linux host
- USB mouse and keyboard
- external monitor
- HDMI cable
Courses
- Vertiefendes Wahlfachprojekt (2019)