• Stars
    star
    258
  • Rank 158,189 (Top 4 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created over 6 years ago
  • Updated about 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A ZigBee hacking toolkit by Bishop Fox

ZigDiggity - Logo

ZigDiggity Version 2

Introducing ZigDiggity 2.0, a ZigBee penetration testing framework created by Matt Gleason & Francis Brown of Bishop Fox. Special thanks to Caleb Marion!

ZigDiggity version 2 is a major overhaul of the original package and aims to enable cybersecurity professionals, auditors, and developers to run complex interactions with ZigBee networks using a single device.

2019 - Black Hat USA 2019 & DEF CON 27 - links, slides, and videos

Videos

ZigDiggity 2019 DEMO

Slides

ABSTRACT:

Do you feel safe in your home with the security system armed? You may reconsider after watching a demo of our new hacking toolkit, ZigDiggity, where we target door & window sensors using an "ACK Attack". ZigDiggity will emerge as the weapon of choice for testing Zigbee-enabled systems, replacing all previous efforts.

Zigbee continues to grow in popularity as a method for providing simple wireless communication between devices (i.e. low power/traffic, short distance), & can be found in a variety of consumer products that range from smart home automation to healthcare. Security concerns introduced by these systems are just as diverse and plentiful, underscoring a need for quality assessment tools.

Unfortunately, existing Zigbee hacking solutions have fallen into disrepair, having barely been maintained, let alone improved upon. Left without a practical way to evaluate the security of Zigbee networks, we've created ZigDiggity, a new open-source pentest arsenal from Bishop Fox.

Our DEMO-rich presentation showcases ZigDiggity's attack capabilities by pitting it against common Internet of Things (IoT) products that use Zigbee. Come experience the future of Zigbee hacking, in a talk that the New York Times will be hailing as "a veritable triumph of the human spirit." ... ya know, probably

Installation

Using a default install of Raspbian (GUI install, not headless), perform the following steps:

  • With your Raspberry Pi powered off, plug your Raspbee into your Raspberry Pi
  • Clone this repository onto your Raspberry Pi and cd into the ZigDiggity directory
  • Enable serial using the sudo raspbi-config command
    • Select "Advanced Options/Serial"
    • Select NO to "Would you like a login shell to be accessible over serial?"
    • Select YES to enabling serial
    • Restart the Raspberry Pi
  • Install GCFFlasher available Here
    • wget http://deconz.dresden-elektronik.de/raspbian/gcfflasher/gcfflasher-latest.deb
    • sudo dpkg -i gcfflasher-latest.deb
    • sudo apt update
    • sudo apt -f install
  • Flash the Raspbee's firmware
    • sudo GCFFlasher -f firmware/zigdiggity_raspbee.bin
    • sudo GCFFlasher -r
  • Install the python requirements using pip3 install -r requirements.txt
  • Patch scapy sudo cp patch/zigbee.py /home/$USER/.local/lib/python3.7/site-packages/scapy/layers/zigbee.py
  • Install wireshark on the device using sudo apt install wireshark
    • be sure to add your user to the wireshark group (e.g. sudo usermod -a -G wireshark $USER). Log out and back in again for the changes to take effect.

Hardware

The current version of ZigDiggity is solely designed for use with the Raspbee

Usage

Currently scripts are available in the root of the repository, they can all be run using Python3:

python3 listen.py -c 15

When running with wireshark, root privileges may be required.

Scripts

  • ack_attack.py - Performs the acknowledge attack against a given network.
  • beacon.py - Sends a single beacon and listens for a short time. Intended for finding which networks are near you.
  • find_locks.py - Examines the network traffic on a channel to determine if device behavior looks like a lock. Displays which devices it thinks are locks.
  • insecure_rejoin.py - Runs an insecure rejoin attempt on the target network.
  • listen.py - Listens on a channel piping all output to wireshark for viewing.
  • scan.py - Moves between channels listening and piping the data to wireshark for viewing.
  • unlock.py - Attempts to unlock a target lock

Notes

The patterns used by ZigDiggity version 2 are designed to be as reliable as possible. The tool is still in fairly early stages of development, so expect to see improvements over time.

More Repositories

1

sliver

Adversary Emulation Framework
Go
8,155
star
2

unredacter

Never ever ever use pixelation as a redaction technique
TypeScript
7,687
star
3

cloudfox

Automating situational awareness for cloud penetration tests.
Go
1,867
star
4

GitGot

Semi-automated, feedback-driven tool to rapidly search through troves of public data on GitHub for sensitive secrets.
Python
1,412
star
5

jsluice

Extract URLs, paths, secrets, and other interesting bits from JavaScript
Go
1,311
star
6

eyeballer

Convolutional neural network for analyzing pentest screenshots
Python
1,017
star
7

spoofcheck

Simple script that checks a domain for email protections
Python
776
star
8

h2csmuggler

HTTP Request Smuggling over HTTP/2 Cleartext (h2c)
Python
632
star
9

bfinject

Dylib injection for iOS 11.0 - 11.1.2 with LiberiOS and Electra jailbreaks
Objective-C++
619
star
10

GadgetProbe

Probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.
Java
578
star
11

badPods

A collection of manifests that will create pods with elevated privileges.
Shell
574
star
12

sj

A tool for auditing endpoints defined in exposed (Swagger/OpenAPI) definition files.
Go
484
star
13

iam-vulnerable

Use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground.
HCL
457
star
14

bfdecrypt

Utility to decrypt App Store apps on jailbroken iOS 11.x
C
439
star
15

iSpy

A reverse engineering framework for iOS
Logos
438
star
16

rmiscout

RMIScout uses wordlist and bruteforce strategies to enumerate Java RMI functions and exploit RMI parameter unmarshalling vulnerabilities
Java
422
star
17

smogcloud

Find cloud assets that no one wants exposed 🔎 ☁️
Go
329
star
18

cloudfoxable

Create your own vulnerable by design AWS penetration testing playground
Python
311
star
19

sliver-gui

A Sliver GUI Client
TypeScript
288
star
20

dufflebag

Search exposed EBS volumes for secrets
Go
274
star
21

deephack

PoC code from DEF CON 25 presentation
Python
240
star
22

rickmote

The Rickmote Controller: Hijack TVs using Google Chromecast
Python
220
star
23

CVE-2023-3519

RCE exploit for CVE-2023-3519
Python
216
star
24

json-interop-vuln-labs

Companion labs to "An Exploration of JSON Interoperability Vulnerabilities"
Python
193
star
25

Imperva_gzip_WAF_Bypass

Python
154
star
26

pwn-pulse

Exploit for Pulse Connect Secure SSL VPN arbitrary file read vulnerability (CVE-2019-11510)
Shell
136
star
27

firecat

Firecat is a penetration testing tool that allows you to punch reverse TCP tunnels out of a compromised network.
C
126
star
28

CVE-2023-27997-check

Safely detect whether a FortiGate SSL VPN instance is vulnerable to CVE-2023-27997 based on response timing
Python
124
star
29

asminject

Heavily-modified fork of David Buchanan's dlinject project. Injects arbitrary assembly (or precompiled binary) payloads directly into x86-64, x86, and ARM32 Linux processes without the use of ptrace by accessing /proc/<pid>/mem. Useful for certain post-exploitation scenarios, recovering content from process memory, etc..
Python
112
star
30

cve-2024-21762-check

Safely detect whether a FortiGate SSL VPN is vulnerable to CVE-2024-21762
Python
93
star
31

anti-anti-automation

Anti-Anti-Automation Framework
Python
92
star
32

mellon

OSDP attack tool (and the Elvish word for friend)
HTML
87
star
33

forticrack

Decrypt encrypted Fortienet FortiOS firmware images
Python
83
star
34

cyberdic

An auxiliary spellcheck dictionary that corresponds with the Bishop Fox Cybersecurity Style Guide
83
star
35

llm-testing-findings

LLM Testing Findings Templates
HTML
65
star
36

bigip-scanner

Determine the running software version of a remote F5 BIG-IP management interface.
Python
61
star
37

IDontSpeakSSL-deprecated

Simple tool based on sslyze to scan large scope and provide SSL/TLS vulnerabilities
Python
51
star
38

spfmap

A program to map out SPF and DKIM records for a large number of domains
Go
37
star
39

CVE-2021-35211

Python
36
star
40

SpoofcheckSelfTest

Web application that lets you test if your domain is vulnerable to email spoofing
Python
33
star
41

ca-clone

Scripts to clone CA certificates for use in HTTPS client attacks.
Shell
33
star
42

ProxyListReliabilityCheck

Perl script to test the reliability of a list of open web proxies.
Perl
27
star
43

ispy-shell

C
24
star
44

coldfusion-10-11-xss

Proof of Concept code for CVE-2015-0345 (APSB15-07)
22
star
45

CVE-2022-22274_CVE-2023-0656

Python
18
star
46

awsservicemap

Go module that returns supported regions for a service or supported services for a region
Go
14
star
47

wordlist-sanitizer

Remove Offensive and Profane Words from Wordlists
Go
12
star
48

sliver-overlord

Go
9
star
49

burpcage

Kotlin
7
star
50

guardian-ci

Shell
4
star
51

You-re-Doing-IoT-RNG

Results and device code from the DEF CON 29 presentation "You're Doing IoT RNG"
C
4
star
52

VulnerableGWTApp

An intentionally-vulnerable GWT-based web application to test tooling and techniques
Java
3
star
53

.github

Bishop Fox Engineering
2
star
54

knownawsaccountslookup

Go module that provides two lookup functions for the data in https://github.com/fwdcloudsec/known_aws_accounts
Go
1
star