silicrax/killerbee
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
This is KillerBee - Framework and Tools for Attacking ZigBee and IEEE 802.15.4 networks. Copyright 2009, Joshua Wright <jwright@willhackforsushi.com> Updates Copyright 2010-11, Ryan Speers <ryan@rmspeers.com> Ricky Melgares <rmelgares@dartmouth.edu> All Rights Reserved. Distributed under a BSD license, see LICENSE for details. REQUIREMENTS KillerBee is developed and tested on Linux systems. Windows support may be added in the future. We have striven to use a minimum number of software dependencies, however, it is necessary to install the following Python modules before installation: serial usb crypto (for some functions) pygtk (for use of tools that have GUIs) cairo (for use of tools that have GUIs) On Ubuntu systems, you can install the needed dependencies with the following command line: # apt-get install python-gtk2 python-cairo python-usb python-crypto python-serial Additionally, python-dev headers are required, as well as libgcrypt, for the Scapy Extension Patch (thanks to Spencer McIntyre for the patch): # apt-get install python-dev libgcrypt-dev Also note that this is a fairly advanced and un-friendly attack platform. This is not Cain & Abel. It is intended for developers and advanced analysts who are attacking ZigBee and IEEE 802.15.4 networks. I recommend you gain some understanding of the ZigBee protocol (the book ZigBee Wireless Networks and Transceivers by Shahin Farahani at http://bit.ly/2I5ppI is reasonable, though still not great) and familiarity with the Python language before digging into this framework. INSTALLATION KillerBee uses the standard Python 'setup.py' installation file. Install KillerBee with the following command: # python setup.py install The setup.py script will identify any missing dependencies before installation any will provide assistance on satisfying them before installing. DIRECTORIES The directory structure for the KillerBee code is described as follows: doc - HTML documentation on the KillerBee library, courtesy of epydoc. firmware - Firmware for supported KillerBee hardware devices. killerbee - Python library source. sample - Sample packet captures, referenced below. scripts - Shell scripts used in development. t - Short testing scripts, not used in the setup and install process. tools - ZigBee and IEEE 802.15.4 attack tools developed using this framework. REQUIRED HARDWARE The KillerBee framework is being expanded to support multiple devices. Currently there is support for the Atmel RZ RAVEN USB Stick, the MoteIV Tmote Sky, and the TelosB mote. Support for Freaklab's Freakduino with added hardware and the Dartmouth arduino sketch as well as for the Zena Packet Analyzer board are in development. For the MoteIV Tmote Sky or TelosB mode: This device can be loaded with firmware via USB. Attach the device, and then within killerbee/firmware, run: ./goodfet.bsl --telosb -e -p gf-telosb-001.hex For the Atmel RZ RAVEN USB Stick: (http://www.atmel.com/dyn/products/tools_card.asp?tool_id=4396). This hardware is convenient as the base firmware is open source with a freely-available IDE. The KillerBee firmware for the RZ RAVEN included in the firmware/ directory is a modified version of the stock firmware distributed by Atmel to include attack functionality. The RZ RAVEN USB Stick is available from common electronics resellers for approximately $40/USD: Mouser: http://bit.ly/vZ2pt Digi-Key: http://bit.ly/3T8MaK The stock firmware shipped with this hardware allows you to leverage the passive functionality included in the KillerBee tools and framework (such as receiving frames), but does not allow you to do packet injection, or to impersonate devices on the network. In order to get the full functionality included in KillerBee, the RZ RAVEN USB Stick must be flashed with the custom firmware included in the firmware/ directory. This process requires additional hardware and software: + Hardware: Atmel RZ Raven USB Stick + Hardware: Atmel JTAGICE mkII On-Chip Programmer + Software: AVR Studio for Windows (free) + Software: KillerBee Firmware for the RZUSBSTICK (free) + A Windows host for programming the RZ Raven USB Stick (one time operation) The problematic component in this list of the JTAGICE mkII programmer, as this device retails for $300. While often available in EBay for much less (beware imitators, however, as these knock-off programmers may not work properly on all Atmel hardware), this device is required to flash the KillerBee firmware onto a RZ RAVEN USB Stick using the included 10-pin header interface. You can flash the RZ RAVEN USB Stick using the AVR Studio Software (Tools -> Program AVR) and the supplied firmware with the JTAGICE mkII programmer. The firmware included in KillerBee should applied to the Flash memory of the RZ USB Stick. See http://bit.ly/3ttLTc for an additional example, or contact the author for additional information. If you are able to catch us at a conference, bring your RZ RAVEN USB Stick and we'll happily flash it for you. TOOLS KillerBee includes several tools designed to attack ZigBee and IEEE 802.15.4 networks, built using the KillerBee framework. Each tool has its own usage instructions documented by running the tool with the "-h" argument, and summarized below. zbassocflood - Repeatedly associate to the target PANID in an effort to cause the device to crash from too many connected stations. zbconvert - Convert a packet capture from Libpcap to Daintree SNA format, or vice-versa. zbdsniff - Captures ZigBee traffic, looking for NWK frames and over-the-air key provisioning. When a key is found, zbdsniff prints the key to stdout. The sample packet capture sample/zigbee-network-key-ota.dcf can be used to demonstrate this functionality. zbdump - A tcpdump-like took to capture IEEE 802.15.4 frames to a libpcap or Daintree SNA packet capture file. Does not display real-time stats like tcpdump when not writing to a file. zbfind - A GTK GUI application for tracking the location of an IEEE 802.15.4 transmitter by measuring RSSI. Zbfind can be passive in discovery (only listen for packets) or it can be active by sending Beacon Request frames and recording the responses from ZigBee routers and coordinators. If you get a bunch of errors after starting this tool, make sure your DISPLAY variable is set properly. If you know how to catch these errors to display a reasonable error message, please drop me a note. zbgoodfind - Implements a key search function using an encrypted packet capture and memory dump from a legitimate ZigBee or IEEE 802.15.4 device. This tool accompanies Travis Goodspeed's GoodFET hardware attack tool, or other binary data that could contain encryption key information such as bus sniffing with legacy chips (such as the CC2420). Zbgoodfind's search file must be in binary format (obj hexfile's are not supported). To convert from the hexfile format to a binary file, use the objcopy tool: objcopy -I ihex -O binary mem.hex mem.bin zbid - Identifies available interfaces that can be used by KillerBee and associated tools. zbreplay - Implements a replay attack, reading from a specified Daintree DCF or libpcap packet capture file, retransmitting the frames. ACK frames are not retransmitted. zbstumbler - Active ZigBee and IEEE 802.15.4 network discovery tool. Zbstumbler sends beacon request frames out while channel hopping, recording and displaying summarized information about discovered devices. Can also log results to a CSV file. Additional tools, that are for special cases or are not stable, are stored in the Api-Do project repository: http://code.google.com/p/zigbee-security/ Additional tools are coming. Stay tuned. FRAMEWORK KillerBee is designed to simplify the process of sniffing packets from the air interface or a supported packet capture file (libpcap or Daintree SNA), and for injecting arbitrary packets. Helper functions including IEEE 802.15.4, ZigBee NWK and ZigBee APS packet decoders are available as well. The KillerBee API is documented in epydoc format, with HTML documentation in the doc/ directory of this distribution. If you have epydoc installed, you can also generate a convenient PDF for printing, if desired, as shown: $ cd killerbee $ mkdir pdf $ epydoc --pdf -o pdf killerbee/ The pdf/ directory will have a file called "api.pdf" which includes the framework documentation. To get started using the KillerBee framework, take a look at the included tools (zbdump and zbreplay are good examples to get started) and the simple test cases in the t/ directory. Since KillerBee is a Python library, it integrates well with other Python software as well. For example, the Sulley library is a fuzzing framework written in Python by Pedram Amini. Using the Sulley mutation features and KillerBee's packet injection features, it is staightforward to build a mechanism for generating and transmitting malformed ZigBee data to a target. QUESTIONS/COMMENTS/CONCERNS Please drop me a note: jwright@willhackforsushi.com Bug fixes, updates, etc: ryan@rmspeers.com THANKS A word of thanks to several folks who helped out with this project: Mike Kershaw (dragorn) Chris Wang (aikiba) Nick DePetrillo Ed Skoudis Matt Carpenter Travis Goodspeed Sergey Bratus (research support at Dartmouth)
About
No description, website, or topics provided.
Resources
License
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published