Fun with Zigbee Wireless - Part IV (Passive attacks)

By Tony Lee

Introduction

In our previous zigbee articles, we covered ZigBee usage, history, one hardware option, and a handful of software options:
History:  http://securitysynapse.blogspot.com/2015/11/fun-with-zigbee-wireless-part-i.html 
Hardware: http://securitysynapse.blogspot.com/2015/11/fun-with-zigbee-wireless-part-ii.html
Software: http://securitysynapse.blogspot.com/2015/12/fun-with-zigbee-wireless-part-iii.html

This time, let's explore some passive attacks.  This means that we will not send any packets--we will only listen to what is already being sent.  Active attacks which require packet injection require flashing the RZUSBSTICK and thus will be covered in the next article.

Friendly reminder:  As always use this information responsibly.  Make sure you own the equipment prior to experimentation and learning.  We do not condone malicious intentions, are not held responsible for your actions, and will not bail you out of jail.

List devices

Most of the Windows software will let you know when the RZUSBSTICK is plugged in.  However, if wanting to use some of the more flexible Killerbee tools in Linux, we will need to first list the available devices.  For this, we use the zbid command.

zbid:

root@kali:~# zbid Monkey-patching usb.util.get_string() Dev Product String Serial Number 2:7 RZUSBSTICK 3FA0F6A01C25

This should show at least one device if it is plugged in.  If nothing shows up or an error occurs do the following:

• Check to make sure the USB stick is plugged in and a light illuminated
• Check dmesg to check for errors
• Reinstall Killerbee software per our instructions in the last article

Discovery

Now that we have a working RZUSBSTICK, let's discover some ZigBee devices use the existing firmware on the device.  Fortunately, ZigBee has a limited number of channels (11-26) because we could not find very good passive options for tools that hopped through all of the channels using this hardware.  Pro-tip:  Try channel 19 first--it is a popular default channel.

zbfind
One tool seemed to have a lot of promise, but we could not get it working.  zbfind is a GUI tool with passive and active network detection features and works similar to "net stumbler".  Keep in mind though that active discovery mode requires the RZUSBSTICK to be flashed with the KillerBee firmware, but even this did not help the tool function properly.  The screenshot below shows promise.

Screenshot from:  http://www.willhackforsushi.com/

zbopenear
zbopenear is a very interesting tool in that it can listen (and write to pcap) on multiple channels at the same time (given enough RZUSBSTICKs).  Since there are 16 channels, it would require 16 RZUSBSTICKs to listen on all channels at the same time.  At a cost of $42.50 per stick x 16 sticks, it would be a total of $680.  This tool did work but defaulted to channel 11 (the first channel).

root@kali:~# zbopenear  Monkey-patching usb.util.get_string() Found device at 1:3: ‘RZUSBSTICK' Assigning to channel 11. Cap1:3: Launching a capture on channel 11. Warning: You are using pyUSB 1.x, support is in beta. Capturing on '1:3' at channel 11. Result: zb_c11_20151012-1128.pcap

Sniff and Analyze Packets

Once devices are discovered, the last phase in the passive attack is to sniff and analyze packets.  Most of the Windows tools discussed in the last article have the ability to sniff and analyze packets as well.  In this section, we will focus on some of the KillerBee tools.

zbdump

zbdump is like tcpdump for ZigBee.  It can save packets in both pcap and DainTree format.  For our testing we will use pcap format so we can open it in Wireshark (which natively understands the ZigBee protocol).  The following command can be used to run zbdump.  -f specifies the channel and -w specifies the name of the pcap to write the captured packets.

root@kali:~# zbdump -f 19 -w test.pcap zbdump: listening on '002:006', link-type DLT_IEEE802_15_4, capture size 127 bytes 66 packets captured

After capturing some packets, we will now open the pcap in Wireshark to learn about the protocol and components.

Good to know info

When looking at the packet capture above there are a few things to note:

• Source and destination fields in packet captures are assigned network IDs (think IP address)
• Ex:  Source:  0x7a7c is the ZigBee network ID assigned when the device joined
• Source of 0x0000 is usually a controller
• Extended addresses are hardware addresses
• Ex:  Extended Source:  00:0d:6f:00:04:49:7d:13
• Instead of 48-bit (like NICs), ZigBee hardware addresses are 64-bit in length

Obtain a Key 

zbdsniff

The last passive tool on the list is zbdsniff.  This tool searches pcap files for ZigBee keys.  However, we did not get any output from the file--which may indicate that there were no keys available.

root@ubuntu:# zbdsniff operating.pcap Monkey-patching usb.util.get_string() Processing operating.pcap Processed 1 capture files.

Conclusion

This article outlined the KillerBee software that can be used for passive attacks against the 2.4 GHz ZigBee frequency range.  Passive attacks primarily covered sniffing and analyzing ZigBee packets.  The following tools were covered in this article:

• zbfind
• zbdump
• zbopenear
• zbdsniff

Some of the more interesting attacks require packet injection capabilities.  For this feature we must upgrade the firmware on the RZUSBSTICK which will be covered in the next article.  We are interested in hearing feedback from others regarding the success shown with the tools covered in this article.  Feel fee to leave feedback in the comments section below.