‹ 首页

offensive-lorawan-sub-ghz

@snailsploit · 收录于 1 周前 · 上游提交 2 个月前

LoRaWAN and sub-GHz (433 / 868 / 915 MHz) attack methodology — LoRaWAN ABP/OTAA join attack, network/session key reuse, frame counter replay, downlink injection on TTN/Helium-style networks, sub-GHz protocol replay (KeeLoq garage doors, fixed-code remotes, TPMS spoofing, smart plug telemetry), HackRF / RTL-SDR / Flipper Zero workflows, signal analysis with Inspectrum / Universal Radio Hacker, and reconstruction of proprietary packet formats. Use for LoRaWAN deployments (smart cities, asset tracking, industrial telemetry), or any wireless device using the unlicensed 433/868/915 MHz bands (garage openers, doorbells, IoT sensors, RC equipment).

适合你,如果需要对LoRaWAN或sub-GHz设备进行安全评估

/ 下载安装
offensive-lorawan-sub-ghz.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add snailsploit/claude-red/offensive-lorawan-sub-ghz
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- snailsploit/claude-red/offensive-lorawan-sub-ghz
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify snailsploit/claude-red/offensive-lorawan-sub-ghz
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
2669GitHub stars
~1.4K上下文体积 · 单文件
镜像托管

怎么用

商店整理自技能原文 · 版本 aeb41ec · 表述以原文为准
它做什么

Claude 会指导你如何攻击 LoRaWAN 网络和 sub-GHz 无线设备,包括捕获、解码、重放和注入数据包。

什么时候触发

当你需要测试 LoRaWAN 智能城市、资产追踪等部署,或分析 433/868/915 MHz 频段的无线设备(如车库门、门铃、TPMS)时触发。

装好后可以这样说
Claude 会说明加载 IQ 文件并识别调制和比特流。
技能原文 SKILL.md作者撰写 · MIT · aeb41ec

LoRaWAN & Sub-GHz Attacks

LoRaWAN provides long-range low-bitrate communication for IoT — common in smart cities, asset tracking, and industrial telemetry. Outside LoRaWAN, the 433 / 868 / 915 MHz ISM bands host garage doors, doorbells, smart plugs, weather stations, and TPMS — most with weak or no crypto.

Quick Workflow
  1. Identify the band + modulation (LoRa CSS vs. simple OOK/FSK)
  2. Capture transmissions with appropriate hardware (HackRF / RTL-SDR / Flipper Zero)
  3. For LoRaWAN: capture join + uplinks; analyze key derivation
  4. For proprietary sub-GHz: demodulate, identify packet format, replay or craft

Hardware

| Tool | Range | Use | |---|---|---| | RTL-SDR | RX only, 24 MHz–1.7 GHz | Cheap reconnaissance | | HackRF One | RX/TX, 1 MHz–6 GHz | Full transceiver | | Flipper Zero | RX/TX, sub-GHz | Quick replays, fixed-code attacks | | LimeSDR / BladeRF | RX/TX, wider band | Higher fidelity for LoRaWAN | | YARD Stick One | TX-focused sub-GHz | Targeted replays | | LoRa-specific gateway (RAK / Heltec) | LoRaWAN dual-direction | Standards-compliant LoRaWAN testing |

LoRaWAN

LoRaWAN is a MAC layer over LoRa physical (chirp spread spectrum). Devices either:

  • OTAA (Over-the-Air Activation) — derive session keys at join
  • ABP (Activation By Personalization) — pre-flashed keys
OTAA Join Capture
# Capture LoRa packets with HackRF + Inspectrum
hackrf_transfer -r capture.iq -f 868000000 -s 1000000 -n 60000000
# Or LoRa-specific: rak_common_for_gateway

# Decode with PHY + MAC stack
git clone https://github.com/Lora-net/LoRaMac-node
# Or use ChirpStack as a sniffing gateway

The Join-Request and Join-Accept are encrypted with the device's AppKey. With AppKey (extracted from device firmware — see offensive-iot):

  • Decrypt Join-Accept → recover NwkSKey, AppSKey
  • Subsequent traffic decryption + injection
ABP — Pre-Flashed Keys

ABP devices have NwkSKey + AppSKey flashed at manufacture. Common flaws:

  • Same key across thousands of devices (vendor laziness)
  • No frame counter rollover protection → replay any historical uplink
  • DevAddr predictability (sequential allocation)
# If you have NwkSKey + AppSKey + DevAddr, decode/inject with lorawan-test-tools
git clone https://github.com/IoTsec/loraserver-attack-tools
python lora_inject.py --nwkskey <NWKS> --appskey <APPS> --devaddr <ADDR>
Frame Counter Replay

Older LoRaWAN 1.0.x doesn't enforce strict frame counter monotonicity in all stacks. Replay an uplink with a different timestamp → server processes as fresh.

Downlink Injection

If you control AppSKey + NwkSKey, you can inject downlinks (configuration changes, remote commands) to devices.

Sub-GHz Proprietary Protocols
Quick Capture + Replay (Flipper Zero / HackRF)
# RTL-SDR live monitor
rtl_433 -f 433.92M -A     # auto-decode many devices
gqrx                       # interactive spectrum analyzer

# Flipper Zero Sub-GHz menu: Read → identify modulation → capture → save
# Then replay from the saved file

# HackRF capture
hackrf_transfer -r garage.iq -f 433920000 -s 8000000 -n 80000000
# Inspectrum to visualize, identify OOK / FSK, decode bits
KeeLoq (Old Garage Doors, Some Cars)

KeeLoq uses a 32-bit block cipher with a manufacturer key. The manufacturer key was extracted publicly years ago for major brands. With it:

  • Decrypt rolling code → predict next valid code
  • Combined with capture-replay, take over the remote
# rolling-code-tools (research)
git clone https://github.com/AndrewMohawk/RollingPwn

Modern KeeLoq deployments (last 5 years) have rotated manufacturer keys, but legacy hardware (older garage doors, some industrial equipment) is in scope.

Fixed-Code Remotes

Many cheap garage openers, doorbells, and smart plugs use fixed codes — the same packet every time you press the button. Capture once, replay forever.

# Flipper Zero: Read → Save → Send (from saved file)
# Or with RFCat:
python -c "import rflib; ..."
# OR with HackRF:
hackrf_transfer -t replay.iq -f 433920000 -s 8000000
TPMS Spoofing

Tire-pressure monitoring sensors broadcast at 315/433 MHz with no authentication. Spoof low-pressure alerts:

# Capture legitimate TPMS
rtl_433 -f 315M -F json | grep TPMS

# Synthesize crafted alerts (custom modulator with HackRF)
# Useful for testing TPMS-aware vehicle systems or as denial-of-trust attack
Reconstruction of Unknown Protocols
# Universal Radio Hacker (URH) — visual reverse engineering
urh
# Load .iq capture, identify modulation visually,
# auto-detect symbols, decode bits, identify packet structure

URH walks you from raw RF to a parsed protocol description, even with no docs.

Engagement Cheatsheet
# 1. Identify band + modulation
rtl_433 -f <freq> -A           # auto-detect known protocols
gqrx                           # spectrum view to find activity

# 2. For LoRaWAN
#    - Set up gateway (or HackRF + LoRa decoding)
#    - Capture joins + uplinks
#    - Extract keys from device firmware (see offensive-iot)

# 3. For proprietary sub-GHz
#    - Capture with HackRF / RTL-SDR
#    - Visualize / decode with Inspectrum or URH
#    - Replay or craft

# 4. Document modulation, frequency, packet format, replay viability
Detection
  • LoRaWAN networks have server-side anomaly detection (frame counter, signal strength, geographic) — varies widely by operator
  • Sub-GHz consumer products typically have no monitoring
  • TPMS / industrial equipment has minimal telemetry on RF anomalies
Reporting
  • Identify exact frequency, modulation, baud, and packet format per device
  • Distinguish capture-replay vs. crafted-frame attacks
  • Note crypto state (cleartext / weak-fixed-key / standards-compliant)
  • For LoRaWAN: identify AppKey / NwkSKey / AppSKey storage in firmware

Key References
  • rtl_433 protocol database: github.com/merbanan/rtl_433
  • Universal Radio Hacker: github.com/jopohl/urh
  • RollingPwn (KeeLoq research): github.com/AndrewMohawk/RollingPwn
  • LoRaWAN Specification: lora-alliance.org
  • Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md
按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。