Difference between revisions of "ZigBee Replay"
Latest revision as of 13:15, 12 March 2019
Summary
After successfully sniffing the Network Key of a ZigBee network as described in ZigBee Sniffing the next step is to conduct a replay attack by resending the decrypted on/off commands with adjusted counters.
Requirements
- Operating system of attacking host: Kali Linux 64 Bit
  - Version 2018.2
- Packages: KillerBee
- Operating system of Raspberry Pi: RaspBee Gateway SD card image Raspbian Jessie RaspBee (Stable)
  - Version 01-2017
Authors
- Daniel Tod
- Luca Strobl
Results
- zbreplay does not work due to counter queries
- Python script to log the latest counters and create a packet with updated counters
  - Data is misinterpreted and therefore the FCS and MIC are wrong
  - Packet is not constructed
- Documentation (ZigBeeReplay.pdf) of the conducted project and source code of the Python script
The authors suppose that the misinterpretation of data results from the limited hardware capabilities of the Atmel RZ Raven USB stick. The solution would be a Software Defined Radio (SDR). The scapy drivers were only written for the Ettus USRP, but the authors were not provided with this SDR.
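A defender-side check, added here as an example and not part of the original project or its Python script: ZigBee network-layer security carries a 32-bit frame counter per sender, and a receiver discards any frame whose counter does not exceed the last one accepted from that source, which is why a verbatim zbreplay fails and why the project had to adjust the counters. The same rule gives a monitoring sensor a detection handle; the source addresses, counters and jump threshold below are constructed sample values, and the "suspicious" class is a heuristic, not a protocol rule.

```python
from dataclasses import dataclass, field

# Constructed observations: (NWK source short address, security frame counter).
# They stand in for the fields a sniffer extracts from the ZigBee NWK auxiliary
# security header; they are not captures from the original project.
SAMPLE_FRAMES = [
    (0x1234, 100),
    (0x1234, 101),
    (0x1234, 102),
    (0x1234, 101),   # stale counter: verbatim replay of an earlier frame
    (0x1234, 103),
    (0x1234, 5000),  # counter far ahead of expected: possible adjusted replay
    (0xABCD, 7),
    (0xABCD, 7),     # repeated counter from a second source
]


@dataclass
class ReplayDetector:
    """Tracks the last accepted frame counter per source and classifies frames."""
    max_jump: int = 100                       # heuristic threshold (assumed value)
    last_seen: dict = field(default_factory=dict)

    def check(self, src, counter):
        last = self.last_seen.get(src)
        # Protocol rule: a counter not greater than the last accepted one is
        # discarded by a compliant receiver; a sensor should log it as a replay.
        if last is not None and counter <= last:
            return "replay"
        self.last_seen[src] = counter
        # Heuristic: a legitimate device increments by one per frame, so a large
        # jump hints at a crafted frame with a counter bumped past the real one.
        if last is not None and counter - last > self.max_jump:
            return "suspicious"
        return "ok"


def classify(frames, max_jump=100):
    """Return (src, counter, verdict) for each observed frame, in order."""
    det = ReplayDetector(max_jump=max_jump)
    return [(src, ctr, det.check(src, ctr)) for src, ctr in frames]
```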
Used Hardware
- Raspberry Pi 3, Model B+, WLAN, BT
- Kingston 8GB micro SD-HC class 4
- RaspBee premium, expansion board with radio module for Raspberry Pi
- Philips Hue White and Color Ambiance Single LED-Bulb E27 10W
- AVR RZUSBSTICK
- Kali Linux host
- USB mouse and keyboard
- external monitor
- HDMI cable
Courses
- Vertiefendes Wahlfachprojekt (2019)