riverloopsec / killerbee

IEEE 802.15.4/ZigBee Security Research Toolkit
http://www.riverloopsecurity.com

zbassocflood no success #158

Open maxjung96 opened 5 years ago

maxjung96 commented 5 years ago

Hi, I am trying to associate to a network using the zbassocflood tool and the clone of the TelosB stick.

The first steps work, I receive the ACKs for the association request and data request but then never get the association response. I verified the behavior, the same happens when I am sending the packets manually in a script.

I tried it with different networks/coordinators and the networks are open for new devices to join at the time of testing.

Regards

rmspeers commented 5 years ago

This is something that is tough for us to debug from a tool perspective, as it likely is very specific to your setup or coordinators.

One thing that it could be from a tool perspective is that the timing is off -- e.g., you are not able to inject fast enough with that device to hit the windows that the target expects you to communicate in.

Another thing that could be the case is that the coordinator is filtering based on MAC or other metrics what it allows to associate.

I suggest capturing traffic of a successful 'legitimate' association and then working to match that as tightly as possible -- in terms of message contents but also timing.

maxjung96 commented 5 years ago

First of all, thanks for the quick previous reply!

In addition to the TelosB dongle I already had I now have the new Apimote too. Of course, now I can send packets with one dongle and sniff packets with the other dongle.

Here is what I found out so far: So I saw the problem is not that the coordinator is not sending the association response. In Wireshark with the second sniffing dongle, I see the association response, but the issue is that the dongle that wants to associate is not receiving this packet.

Is it possible that the dongles can't receive packets fast enough?

rmspeers commented 5 years ago

Very possible, although you should get warnings printed out about the FIFO buffer overflowing in that case.

On Feb 1, 2019, at 9:15 AM, maxjung96 notifications@github.com wrote:

tomato990 commented 5 years ago

I am facing the same problem: I can send the association request and data request well, but I cannot receive an association response though I can sniff it by another sniffer. Here are some reasons I guess.

  1. 802.15.4 protocol requires "ack" within 864 microseconds (54 signals). This interval is too short.
  2. zbassocflood cannot work as sniffer and sender at the same time. It may waste time by exchanging the function.
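One way to act on rmspeers's suggestion (compare a capture against the timing the standard expects) and on tomato990's 864 microsecond point: the Python below is an added example, not KillerBee code, that parses minimal 802.15.4 MAC frames from a constructed two-dongle capture and reports which command frames were not ACKed within macAckWaitDuration and whether an association response was ever on the air. The timestamps, addresses and PAN 0x1234 are constructed; the `unacked` entry for the association response is exactly the symptom described in this thread, and a defender can watch the same association-request count for the flood signature.

```python
import struct
FRAME_ACK, FRAME_CMD = 2, 3                    # frame type values in the frame control field
CMD_ASSOC_REQ, CMD_ASSOC_RESP, CMD_DATA_REQ = 0x01, 0x02, 0x04
MAC_ACK_WAIT_US = 54 * 16                      # macAckWaitDuration: 54 symbols x 16 us (2.4 GHz) = 864 us

def parse_mac(frame):
    """Parse the MAC header (and command id for MAC command frames); security and FCS are ignored."""
    fcf, seq = struct.unpack_from("<HB", frame, 0)
    ftype, pan_comp = fcf & 0x7, bool(fcf & 0x40)
    off, out = 3, {"type": ftype, "seq": seq, "cmd": None}
    for name, mode in (("dst", (fcf >> 10) & 0x3), ("src", (fcf >> 14) & 0x3)):
        if mode:                                           # 0 = address absent, 2 = short, 3 = extended
            off += 0 if name == "src" and pan_comp else 2  # PAN identifier (omitted for src if compressed)
            size = 8 if mode == 3 else 2
            out[name] = int.from_bytes(frame[off:off + size], "little")
            off += size
    if ftype == FRAME_CMD:
        out["cmd"] = frame[off]
    return out

def check_association(capture):
    """capture: list of (timestamp_us, raw_frame). Reports un-ACKed command frames and whether a response appeared."""
    frames = [(t, parse_mac(f)) for t, f in capture]
    report = {"assoc_req_count": 0, "assoc_resp_seen": False, "unacked": []}
    for i, (t, f) in enumerate(frames):
        if f["type"] != FRAME_CMD:
            continue
        report["assoc_req_count"] += f["cmd"] == CMD_ASSOC_REQ
        report["assoc_resp_seen"] |= f["cmd"] == CMD_ASSOC_RESP
        # an ACK carries the sequence number of the frame it acknowledges
        ack = next((t2 for t2, g in frames[i + 1:] if g["type"] == FRAME_ACK and g["seq"] == f["seq"]), None)
        if ack is None or ack - t > MAC_ACK_WAIT_US:
            report["unacked"].append((f["seq"], f["cmd"], None if ack is None else ack - t))
    return report

def cmd_frame(seq, cmd, payload, dst, src):
    """Build a MAC command frame with ACK request set; dst/src are (addr_mode, address), PAN 0x1234 compressed."""
    fcf = FRAME_CMD | 0x20 | 0x40 | (dst[0] << 10) | (src[0] << 14)
    body = struct.pack("<HBH", fcf, seq, 0x1234)
    for mode, addr in (dst, src):
        body += addr.to_bytes(8 if mode == 3 else 2, "little")
    return body + bytes([cmd]) + payload                   # FCS omitted in the constructed sample

def sample_capture():
    """Constructed capture of the symptom in the thread: the request and data request are ACKed, the
    coordinator's association response is on the air, but the joining device never ACKs it."""
    dev, coord, ack = (3, 0x0011223344556677), (2, 0x0000), lambda s: struct.pack("<HB", FRAME_ACK, s)
    return [(0, cmd_frame(1, CMD_ASSOC_REQ, b"\x80", coord, dev)), (300, ack(1)),
            (500_000, cmd_frame(2, CMD_DATA_REQ, b"", coord, dev)), (500_350, ack(2)),
            (502_000, cmd_frame(10, CMD_ASSOC_RESP, b"\x01\x00\x00", dev, (3, 0x00AABBCCDDEEFF00)))]
```

Feed it frames and timestamps from a second dongle's capture (for example exported from Wireshark) to see whether the joining radio's ACKs are missing or merely late, which distinguishes a receive-side problem from a timing one.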

SteveJM commented 4 years ago

Hmmm, I generally have two devices connected - I might try a listener and an emitter...