‹ 首页

offensive-z-wave

@snailsploit · 收录于 1 周前 · 上游提交 2 个月前

Z-Wave attack methodology — sniffing with Z-Force / EZ-Wave / RTL-SDR + ZniffMobile, S0 (legacy) network-key derivation flaw and key reuse, S2 (modern) ECDH commissioning analysis, replay/injection on unauthenticated nodes, default-key brute-force on test deployments, and home-automation hub pivots. Use when targeting Z-Wave smart home devices (door locks, sensors, garage controllers) — common in mid-2010s smart home deployments still in production.

适合你,如果需要对Z-Wave智能家居设备进行安全评估

/ 下载安装
offensive-z-wave.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add snailsploit/claude-red/offensive-z-wave
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- snailsploit/claude-red/offensive-z-wave
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify snailsploit/claude-red/offensive-z-wave
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
2669GitHub stars
~1.1K上下文体积 · 单文件
镜像托管

怎么用

商店整理自技能原文 · 版本 aeb41ec · 表述以原文为准
它做什么

装上后,Claude 能指导你嗅探 Z-Wave 通信、破解 S0 网络密钥、重放未认证设备指令,以及分析 S2 实现漏洞。

什么时候触发

当你需要评估 Z-Wave 智能家居设备(如门锁、传感器、车库控制器)的安全性时触发,尤其是针对 2010 年代中期仍在使用的旧设备。

装好后可以这样说
Claude 会指导你捕获包含密钥的通信帧。
技能原文 SKILL.md作者撰写 · MIT · aeb41ec

Z-Wave Attacks

Z-Wave runs in the 800/900 MHz ISM band (US: 908 MHz, EU: 868 MHz). Older networks used the S0 security scheme with a fixed-derivation network key — long-known to be flawed. S2 (mandatory for Z-Wave Plus v2 since 2017) uses ECDH commissioning and is significantly stronger.

Quick Workflow
  1. Identify region (US 908 MHz / EU 868 MHz) — adapter frequency must match
  2. Sniff inclusion (commissioning) traffic — that's where keys are exchanged
  3. Determine S0 vs S2 from frame format
  4. For S0: derive/replay; for S2: analyze ECDH and look for implementation flaws

Hardware

| Adapter | Use | |---|---| | Z-Force (legacy, hard to find) | Original research tool | | EZ-Wave (custom HackRF firmware) | Modern, full transceiver | | Aeotec Z-Stick | Commercial controller, useful as legitimate node | | HackRF + open Z-Wave firmware | Multi-band SDR approach | | RTL-SDR + ZniffMobile (passive only) | Cheap sniffer |

Sniffing
# EZ-Wave (HackRF firmware-based)
git clone https://github.com/cureHsu/EZ-Wave
ezwave-sniff -f 908.4MHz -o capture.pcap

# Wireshark with the Z-Wave dissector parses captured frames
wireshark capture.pcap

Look for the inclusion phase (controller adding new device) — that's where the network key is exchanged.

S0 Security Flaw

S0 derives the network key from a fixed all-zero PSK during the inclusion of the first device. That fixed material is well-known — any S0 network you sniff during inclusion can be decrypted offline.

S0 commissioning:
  1. New node joins → controller sends key with zero-PSK encryption
  2. Attacker sniffs commissioning frame → derives session key
  3. All future S0 traffic on that network is decryptable

If you can:

  • Trigger inclusion (factory-reset a node, or wait for legitimate inclusion)
  • Sniff during the ~2-second key-exchange window

You own the network key for that mesh.

S2 (Z-Wave Plus / S2 Authenticated)

S2 fixes S0 by using ECDH for commissioning:

  • Each device has a Curve25519 keypair
  • Inclusion uses DSK (Device Specific Key) verified out-of-band (sticker/QR)
  • Network key never traverses the air in plaintext

S2 attack surface is mostly implementation:

  • Inclusion-mode-always-open (controller misconfig)
  • Firmware bugs in S2 verification
  • Side-channel on ECDH on resource-constrained chips
  • DSK printed on a sticker → physical access yields it
Replay / Injection on Unauthenticated Nodes

Many low-end Z-Wave devices (older sensors, basic switches) don't enforce S0 or S2 — they accept commands in cleartext.

# scapy-zwave (community fork) for crafted frames
from scapy.contrib.zwave import *
frame = ZWave(home_id=0x12345678)/ZWaveBasic(set_value=0xff)
sendp(frame, iface='ezwave0')

This unlocks doors / switches lights / unarms sensors when the target lacks authentication.

Key Brute-Force

For old test deployments using default home IDs / network keys:

# Try default home IDs
for hid in 0x00000000 0x12345678 ...; do
  ezwave-test --home-id $hid --target-node 1
done

Hit rate on production is low; useful only for default-config IoT lab gear.

Hub Pivots

Z-Wave devices are typically controlled by a hub (SmartThings, Hubitat, Vera, Home Assistant, Z-Wave JS UI). The hub is a Linux device with the Z-Wave PSK in plaintext storage:

  • SmartThings Hub: previously cloud-only credentials; modern v3 stores network key locally
  • Home Assistant: ~/.homeassistant/zwave_js.json typically contains keys
  • Hubitat: web UI with default password on older versions

Compromise the hub → walk away with the Z-Wave PSK + every paired device's command authority. See offensive-iot for hub firmware extraction.

Engagement Cheatsheet
# 1. Identify region + frequency
# US: 908.4 MHz; EU: 868.4 MHz; CN: 868.4 MHz

# 2. Sniff
ezwave-sniff -f 908.4MHz -o cap.pcap
wireshark cap.pcap   # filter zwave

# 3. Identify S0 vs S2 from frame format

# 4. For S0: capture inclusion → derive key → decrypt history + control devices

# 5. For S2: focus on hub compromise / DSK theft / implementation bugs

# 6. Test unauthenticated cleartext devices with crafted frames
Detection
  • Most Z-Wave deployments have no IDS comparable to Wi-Fi/Zigbee monitoring
  • Hub may log unexpected commands but UI rarely surfaces these to users
  • Inclusion-mode-open is visible in hub UI but ignored by inattentive admins
Reporting
  • Identify chipset / firmware revision per device (ZW0500 series, ZW7000 series)
  • Map S0 vs S2 per node — note any S0 left on a network with S2-capable nodes
  • Document hub compromise paths separately

Key References
  • EZ-Wave: github.com/cureHsu/EZ-Wave (HackRF-based)
  • "Z-Force and the Z-Wave Sniffer" — original research
  • Silicon Labs Z-Wave 700-series spec
  • Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md
按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。