Lucene search
K

Sends Beacons to Scan for Active ZigBee Networks

🗓️ 07 Mar 2017 00:10:14Reported by Craig SmithType 
metasploit
 metasploit
🔗 www.rapid7.com👁 41 Views

Sends Beacons to Scan for Active ZigBee Networks. Post Module to send beacon signals to the broadcast address while channel hoppin

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::Hardware::Zigbee::Utils

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Sends Beacons to Scan for Active ZigBee Networks',
        'Description' => %q{
          Post Module to send beacon signals to the broadcast address while
          channel hopping
        },
        'License' => MSF_LICENSE,
        'Author' => ['Craig Smith'],
        'Platform' => ['hardware'],
        'SessionTypes' => ['hwbridge']
      )
    )
    register_options([
      OptInt.new('CHANNEL', [false, 'Disable channel hopping by forcing a channel (11-26)', nil]),
      OptInt.new('LOOP', [false, 'How many times to loop over the channels (-1 will run in an endless loop)', 1]),
      OptInt.new('DELAY', [false, 'Delay in seconds to listen on each channel', 2]),
      OptString.new('DEVICE', [false, 'ZigBee device ID, defaults to target device', nil])
    ])
    @seq = 0
    @channel = 11
    @stumbled = {}
    @loop_count = 0
  end

  def display_details(routerdata)
    stackprofile_map = {
      0 => 'Network Specific',
      1 => 'ZigBee Standard',
      2 => 'ZigBee Enterprise'
    }
    stackver_map = {
      0 => 'ZigBee Prototype',
      1 => 'ZigBee 2004',
      2 => 'ZigBee 2006/2007'
    }
    spanid, source, extpanid, stackprofilever, channel = routerdata
    stackprofilever = stackprofilever.unpack('H*')[0].hex
    stackprofile = stackprofilever & 0x0f
    stackver = (stackprofilever & 0xf0) >> 4
    profile = 'Unknown'
    profile = stackprofile_map[stackprofile] if stackprofile_map.key? stackprofile
    ver = 'Unknown'
    ver = stackver_map[stackver] if stackver_map.key? stackver
    print_status("New Network: PANID: 0x#{spanid.upcase} SOURCE: 0x#{source.upcase}")
    print_status("        Ext PANID: #{extpanid.upcase.scan(/../).join(':')}       Stack Profile: #{profile}")
    print_status("        Stack Version: #{ver}")
    print_status("        Channel: #{@channel}")
  end

  def scan
    @seq = 0 if @seq > 255
    print_status("Scanning Channel #{@channel}")
    set_channel(datastore['DEVICE'], @channel)
    beacon = "\x03\x08#{@seq.chr}\xff\xff\xff\xff\x07"
    inject(datastore['DEVICE'], beacon)
    delay = Time.now + datastore['DELAY']
    while delay > Time.now
      pkt = recv(datastore['DEVICE'])
      next unless pkt && !pkt.empty? && pkt['valid_crc']

      pktdecode = dot154_packet_decode(pkt['data'])
      next unless (pktdecode['FSF'] & DOT154_FCF_TYPE_MASK) == DOT154_FCF_TYPE_BEACON

      key = "#{pktdecode['SPAN_ID']}#{pktdecode['SOURCE']}"
      value = [pktdecode['SPAN_ID'], pktdecode['SOURCE'], pktdecode['EXT_PAN_ID'], pktdecode['STACK_PROFILE'], @channel]
      if [email protected]? key
        @stumbled[key] = value
        display_details(value)
      end
    end
    sniffer_off(datastore['DEVICE']) # Needed to clear receive buffers
    @seq += 1
    @channel += 1 if !datastore['CHANNEL']
    @loop_count += 1 if (@channel > 26) || datastore['CHANNEL']
    @channel = 11 if @channel > 26
  end

  def run
    if !get_target_device && !datastore['DEVICE']
      print_error "No target device set.  Either set one with the 'target' command or specify the DEVICE."
      return
    end
    @channel = datastore['CHANNEL'] if datastore['CHANNEL']
    @channel = 11 if @channel > 26
    if datastore['LOOP'] == -1
      loop { scan }
    else
      scan while (@loop_count < datastore['LOOP'])
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

08 Feb 2023 13:47Current
10High risk
Vulners AI Score10
41