ワンクリックでManusで任意のスキルを実行

$pwd:

offensive-lorawan-sub-ghz

Name: Offensive Lorawan Sub Ghz
Author: SnailSploit

// LoRaWAN and sub-GHz (433 / 868 / 915 MHz) attack methodology — LoRaWAN ABP/OTAA join attack, network/session key reuse, frame counter replay, downlink injection on TTN/Helium-style networks, sub-GHz protocol replay (KeeLoq garage doors, fixed-code remotes, TPMS spoofing, smart plug telemetry), HackRF / RTL-SDR / Flipper Zero workflows, signal analysis with Inspectrum / Universal Radio Hacker, and reconstruction of proprietary packet formats. Use for LoRaWAN deployments (smart cities, asset tracking, industrial telemetry), or any wireless device using the unlicensed 433/868/915 MHz bands (garage openers, doorbells, IoT sensors, RC equipment).

Manusで実行

$ git log --oneline --stat

stars:1,604

forks:262

updated:2026年5月6日 08:09

SKILL.md

readonly

name

offensive-lorawan-sub-ghz

description

LoRaWAN and sub-GHz (433 / 868 / 915 MHz) attack methodology — LoRaWAN ABP/OTAA join attack, network/session key reuse, frame counter replay, downlink injection on TTN/Helium-style networks, sub-GHz protocol replay (KeeLoq garage doors, fixed-code remotes, TPMS spoofing, smart plug telemetry), HackRF / RTL-SDR / Flipper Zero workflows, signal analysis with Inspectrum / Universal Radio Hacker, and reconstruction of proprietary packet formats. Use for LoRaWAN deployments (smart cities, asset tracking, industrial telemetry), or any wireless device using the unlicensed 433/868/915 MHz bands (garage openers, doorbells, IoT sensors, RC equipment).

LoRaWAN & Sub-GHz Attacks

LoRaWAN provides long-range low-bitrate communication for IoT — common in smart cities, asset tracking, and industrial telemetry. Outside LoRaWAN, the 433 / 868 / 915 MHz ISM bands host garage doors, doorbells, smart plugs, weather stations, and TPMS — most with weak or no crypto.

Quick Workflow

Identify the band + modulation (LoRa CSS vs. simple OOK/FSK)
Capture transmissions with appropriate hardware (HackRF / RTL-SDR / Flipper Zero)
For LoRaWAN: capture join + uplinks; analyze key derivation
For proprietary sub-GHz: demodulate, identify packet format, replay or craft

Hardware

Tool	Range	Use
RTL-SDR	RX only, 24 MHz–1.7 GHz	Cheap reconnaissance
HackRF One	RX/TX, 1 MHz–6 GHz	Full transceiver
Flipper Zero	RX/TX, sub-GHz	Quick replays, fixed-code attacks
LimeSDR / BladeRF	RX/TX, wider band	Higher fidelity for LoRaWAN
YARD Stick One	TX-focused sub-GHz	Targeted replays
LoRa-specific gateway (RAK / Heltec)	LoRaWAN dual-direction	Standards-compliant LoRaWAN testing

LoRaWAN

LoRaWAN is a MAC layer over LoRa physical (chirp spread spectrum). Devices either:

OTAA (Over-the-Air Activation) — derive session keys at join
ABP (Activation By Personalization) — pre-flashed keys

OTAA Join Capture

# Capture LoRa packets with HackRF + Inspectrum
hackrf_transfer -r capture.iq -f 868000000 -s 1000000 -n 60000000
# Or LoRa-specific: rak_common_for_gateway

# Decode with PHY + MAC stack
git clone https://github.com/Lora-net/LoRaMac-node
# Or use ChirpStack as a sniffing gateway

The Join-Request and Join-Accept are encrypted with the device's AppKey. With AppKey (extracted from device firmware — see offensive-iot):

Decrypt Join-Accept → recover NwkSKey, AppSKey
Subsequent traffic decryption + injection

ABP — Pre-Flashed Keys

ABP devices have NwkSKey + AppSKey flashed at manufacture. Common flaws:

Same key across thousands of devices (vendor laziness)
No frame counter rollover protection → replay any historical uplink
DevAddr predictability (sequential allocation)

# If you have NwkSKey + AppSKey + DevAddr, decode/inject with lorawan-test-tools
git clone https://github.com/IoTsec/loraserver-attack-tools
python lora_inject.py --nwkskey <NWKS> --appskey <APPS> --devaddr <ADDR>

Frame Counter Replay

Older LoRaWAN 1.0.x doesn't enforce strict frame counter monotonicity in all stacks. Replay an uplink with a different timestamp → server processes as fresh.

Downlink Injection

If you control AppSKey + NwkSKey, you can inject downlinks (configuration changes, remote commands) to devices.

Sub-GHz Proprietary Protocols

Quick Capture + Replay (Flipper Zero / HackRF)

# RTL-SDR live monitor
rtl_433 -f 433.92M -A     # auto-decode many devices
gqrx                       # interactive spectrum analyzer

# Flipper Zero Sub-GHz menu: Read → identify modulation → capture → save
# Then replay from the saved file

# HackRF capture
hackrf_transfer -r garage.iq -f 433920000 -s 8000000 -n 80000000
# Inspectrum to visualize, identify OOK / FSK, decode bits

KeeLoq (Old Garage Doors, Some Cars)

KeeLoq uses a 32-bit block cipher with a manufacturer key. The manufacturer key was extracted publicly years ago for major brands. With it:

Decrypt rolling code → predict next valid code
Combined with capture-replay, take over the remote

# rolling-code-tools (research)
git clone https://github.com/AndrewMohawk/RollingPwn

Modern KeeLoq deployments (last 5 years) have rotated manufacturer keys, but legacy hardware (older garage doors, some industrial equipment) is in scope.

Fixed-Code Remotes

Many cheap garage openers, doorbells, and smart plugs use fixed codes — the same packet every time you press the button. Capture once, replay forever.

# Flipper Zero: Read → Save → Send (from saved file)
# Or with RFCat:
python -c "import rflib; ..."
# OR with HackRF:
hackrf_transfer -t replay.iq -f 433920000 -s 8000000

TPMS Spoofing

Tire-pressure monitoring sensors broadcast at 315/433 MHz with no authentication. Spoof low-pressure alerts:

# Capture legitimate TPMS
rtl_433 -f 315M -F json | grep TPMS

# Synthesize crafted alerts (custom modulator with HackRF)
# Useful for testing TPMS-aware vehicle systems or as denial-of-trust attack

Reconstruction of Unknown Protocols

# Universal Radio Hacker (URH) — visual reverse engineering
urh
# Load .iq capture, identify modulation visually,
# auto-detect symbols, decode bits, identify packet structure

URH walks you from raw RF to a parsed protocol description, even with no docs.

Engagement Cheatsheet

# 1. Identify band + modulation
rtl_433 -f <freq> -A           # auto-detect known protocols
gqrx                           # spectrum view to find activity

# 2. For LoRaWAN
#    - Set up gateway (or HackRF + LoRa decoding)
#    - Capture joins + uplinks
#    - Extract keys from device firmware (see offensive-iot)

# 3. For proprietary sub-GHz
#    - Capture with HackRF / RTL-SDR
#    - Visualize / decode with Inspectrum or URH
#    - Replay or craft

# 4. Document modulation, frequency, packet format, replay viability

Detection

LoRaWAN networks have server-side anomaly detection (frame counter, signal strength, geographic) — varies widely by operator
Sub-GHz consumer products typically have no monitoring
TPMS / industrial equipment has minimal telemetry on RF anomalies

Reporting

Identify exact frequency, modulation, baud, and packet format per device
Distinguish capture-replay vs. crafted-frame attacks
Note crypto state (cleartext / weak-fixed-key / standards-compliant)
For LoRaWAN: identify AppKey / NwkSKey / AppSKey storage in firmware

Key References

rtl_433 protocol database: github.com/merbanan/rtl_433
Universal Radio Hacker: github.com/jopohl/urh
RollingPwn (KeeLoq research): github.com/AndrewMohawk/RollingPwn
LoRaWAN Specification: lora-alliance.org
Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md

related-skills.json

同じリポジトリ

offensive-bluetooth-ble.md

from "SnailSploit/Claude-Red"

Bluetooth Low Energy (BLE) attack methodology — GATT enumeration, characteristic read/write without auth, pairing downgrade (Just Works forced), LE Secure Connections bypass, MITM via active relay, sniffing with Sniffle (TI CC1352) / Ubertooth / Frontline, encryption key extraction (LE Legacy Pairing crackable, LE Secure Connections strong), proximity authentication abuse (cars, locks), and companion-app trust analysis. Use for IoT BLE devices, smart locks, fitness trackers, medical devices, BLE beacons, or any device pairing over BLE.

2026-05-061.6k

offensive-bluetooth-classic.md

from "SnailSploit/Claude-Red"

Bluetooth Classic (BR/EDR) attack methodology — device discovery, service enumeration via SDP, LMP/L2CAP layer attacks, legacy PIN cracking (BlueBorne / KNOB), Bluetooth file-transfer abuse (BlueSnarfing legacy), unauthenticated profile abuse (HSP, HFP, OPP), and modern relevance against older industrial / automotive / accessory targets. Use when in-scope devices use Bluetooth Classic (Bluetooth ≤ 4.0 BR/EDR) — common in legacy car kits, industrial sensors, older medical devices, and audio accessories.

2026-05-061.6k

offensive-deauth-disassoc.md

from "SnailSploit/Claude-Red"

Deauthentication and disassociation attacks against 802.11 networks — targeted single-client deauth for handshake capture, broadcast deauth for DoS (with authorization), action-frame attacks bypassing 802.11w (PMF), beacon flooding, mdk4 / aireplay-ng tooling, and rate-limit / PMF-aware operation. Use to coerce client reconnection (handshake capture, evil-twin roaming), as targeted DoS, or to test PMF posture.

2026-05-061.6k

offensive-evil-twin.md

from "SnailSploit/Claude-Red"

Evil Twin / KARMA / Mana access point methodology — rogue AP construction with hostapd-mana / wifiphisher / airgeddon, KARMA universal probe response, Mana selective probe response, captive portal phishing, deauth-driven client coercion to attacker AP, MAC randomization defeat via PNL leak analysis, post-association MITM (DNS, ARP, transparent proxy), credential capture for portal/web/SMB, and detection-evasion tactics. Use to coerce client devices onto an attacker-controlled AP, intercept their traffic, harvest credentials, or deliver payloads via captive portal.

2026-05-061.6k

offensive-krack-fragattacks.md

from "SnailSploit/Claude-Red"

KRACK (CVE-2017-13077..082) and FragAttacks (CVE-2020-24586..588 + 26139-26147) — key reinstallation, fragmentation, and aggregation attacks against WPA2 supplicants. Covers Vanhoef's test scripts, viability against modern patched stacks (mostly mitigated post-2021), residual unpatched embedded devices and IoT vendors, and the practical limitations of these attacks in modern engagements. Use when assessing legacy supplicants, embedded clients, or vendors with poor patch cadence.

2026-05-061.6k

offensive-wifi-recon.md

from "SnailSploit/Claude-Red"

Wi-Fi reconnaissance methodology — adapter selection, monitor mode and packet injection setup, regulatory domain handling, multi-band airspace mapping, hidden SSID discovery, BSSID/ESSID/channel/PMF/encryption fingerprinting, client probe analysis, vendor OUI lookup, war-driving with Kismet/airodump-ng/Wigle, and structured airspace data capture for downstream attacks. Use at the start of any wireless engagement to build the target map before active attacks; covers 2.4 GHz, 5 GHz, and 6 GHz (Wi-Fi 6E) bands and adapter compatibility for each.

2026-05-061.6k

package.json

"author": "SnailSploit"

"repository": "SnailSploit/Claude-Red"

GitHub リポジトリを開く Creator のリポジトリを見る

$ install --global

$ download --local

Manusで実行

$ useful --forSOC

情報セキュリティアナリストコンピュータ・数学職15-1212L4

name

offensive-lorawan-sub-ghz

description

LoRaWAN & Sub-GHz Attacks

Quick Workflow

Identify the band + modulation (LoRa CSS vs. simple OOK/FSK)
Capture transmissions with appropriate hardware (HackRF / RTL-SDR / Flipper Zero)
For LoRaWAN: capture join + uplinks; analyze key derivation
For proprietary sub-GHz: demodulate, identify packet format, replay or craft

Hardware

Tool	Range	Use
RTL-SDR	RX only, 24 MHz–1.7 GHz	Cheap reconnaissance
HackRF One	RX/TX, 1 MHz–6 GHz	Full transceiver
Flipper Zero	RX/TX, sub-GHz	Quick replays, fixed-code attacks
LimeSDR / BladeRF	RX/TX, wider band	Higher fidelity for LoRaWAN
YARD Stick One	TX-focused sub-GHz	Targeted replays
LoRa-specific gateway (RAK / Heltec)	LoRaWAN dual-direction	Standards-compliant LoRaWAN testing

LoRaWAN

LoRaWAN is a MAC layer over LoRa physical (chirp spread spectrum). Devices either:

OTAA (Over-the-Air Activation) — derive session keys at join
ABP (Activation By Personalization) — pre-flashed keys

OTAA Join Capture

# Capture LoRa packets with HackRF + Inspectrum
hackrf_transfer -r capture.iq -f 868000000 -s 1000000 -n 60000000
# Or LoRa-specific: rak_common_for_gateway

# Decode with PHY + MAC stack
git clone https://github.com/Lora-net/LoRaMac-node
# Or use ChirpStack as a sniffing gateway

The Join-Request and Join-Accept are encrypted with the device's AppKey. With AppKey (extracted from device firmware — see offensive-iot):

Decrypt Join-Accept → recover NwkSKey, AppSKey
Subsequent traffic decryption + injection

ABP — Pre-Flashed Keys

ABP devices have NwkSKey + AppSKey flashed at manufacture. Common flaws:

Same key across thousands of devices (vendor laziness)
No frame counter rollover protection → replay any historical uplink
DevAddr predictability (sequential allocation)

# If you have NwkSKey + AppSKey + DevAddr, decode/inject with lorawan-test-tools
git clone https://github.com/IoTsec/loraserver-attack-tools
python lora_inject.py --nwkskey <NWKS> --appskey <APPS> --devaddr <ADDR>

Frame Counter Replay

Older LoRaWAN 1.0.x doesn't enforce strict frame counter monotonicity in all stacks. Replay an uplink with a different timestamp → server processes as fresh.

Downlink Injection

If you control AppSKey + NwkSKey, you can inject downlinks (configuration changes, remote commands) to devices.

Sub-GHz Proprietary Protocols

Quick Capture + Replay (Flipper Zero / HackRF)

# RTL-SDR live monitor
rtl_433 -f 433.92M -A     # auto-decode many devices
gqrx                       # interactive spectrum analyzer

# Flipper Zero Sub-GHz menu: Read → identify modulation → capture → save
# Then replay from the saved file

# HackRF capture
hackrf_transfer -r garage.iq -f 433920000 -s 8000000 -n 80000000
# Inspectrum to visualize, identify OOK / FSK, decode bits

KeeLoq (Old Garage Doors, Some Cars)

KeeLoq uses a 32-bit block cipher with a manufacturer key. The manufacturer key was extracted publicly years ago for major brands. With it:

Decrypt rolling code → predict next valid code
Combined with capture-replay, take over the remote

# rolling-code-tools (research)
git clone https://github.com/AndrewMohawk/RollingPwn

Modern KeeLoq deployments (last 5 years) have rotated manufacturer keys, but legacy hardware (older garage doors, some industrial equipment) is in scope.

Fixed-Code Remotes

Many cheap garage openers, doorbells, and smart plugs use fixed codes — the same packet every time you press the button. Capture once, replay forever.

# Flipper Zero: Read → Save → Send (from saved file)
# Or with RFCat:
python -c "import rflib; ..."
# OR with HackRF:
hackrf_transfer -t replay.iq -f 433920000 -s 8000000

TPMS Spoofing

Tire-pressure monitoring sensors broadcast at 315/433 MHz with no authentication. Spoof low-pressure alerts:

# Capture legitimate TPMS
rtl_433 -f 315M -F json | grep TPMS

# Synthesize crafted alerts (custom modulator with HackRF)
# Useful for testing TPMS-aware vehicle systems or as denial-of-trust attack

Reconstruction of Unknown Protocols

# Universal Radio Hacker (URH) — visual reverse engineering
urh
# Load .iq capture, identify modulation visually,
# auto-detect symbols, decode bits, identify packet structure

URH walks you from raw RF to a parsed protocol description, even with no docs.

Engagement Cheatsheet

# 1. Identify band + modulation
rtl_433 -f <freq> -A           # auto-detect known protocols
gqrx                           # spectrum view to find activity

# 2. For LoRaWAN
#    - Set up gateway (or HackRF + LoRa decoding)
#    - Capture joins + uplinks
#    - Extract keys from device firmware (see offensive-iot)

# 3. For proprietary sub-GHz
#    - Capture with HackRF / RTL-SDR
#    - Visualize / decode with Inspectrum or URH
#    - Replay or craft

# 4. Document modulation, frequency, packet format, replay viability

Detection

LoRaWAN networks have server-side anomaly detection (frame counter, signal strength, geographic) — varies widely by operator
Sub-GHz consumer products typically have no monitoring
TPMS / industrial equipment has minimal telemetry on RF anomalies

Reporting

Identify exact frequency, modulation, baud, and packet format per device
Distinguish capture-replay vs. crafted-frame attacks
Note crypto state (cleartext / weak-fixed-key / standards-compliant)
For LoRaWAN: identify AppKey / NwkSKey / AppSKey storage in firmware

Key References

rtl_433 protocol database: github.com/merbanan/rtl_433
Universal Radio Hacker: github.com/jopohl/urh
RollingPwn (KeeLoq research): github.com/AndrewMohawk/RollingPwn
LoRaWAN Specification: lora-alliance.org
Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md

offensive-lorawan-sub-ghz

LoRaWAN & Sub-GHz Attacks

Quick Workflow

Hardware

LoRaWAN

OTAA Join Capture

ABP — Pre-Flashed Keys

Frame Counter Replay

Downlink Injection

Sub-GHz Proprietary Protocols

Quick Capture + Replay (Flipper Zero / HackRF)

KeeLoq (Old Garage Doors, Some Cars)

Fixed-Code Remotes

TPMS Spoofing

Reconstruction of Unknown Protocols

Engagement Cheatsheet

Detection

Reporting

Key References

このリポジトリの他の Skills

このリポジトリの他の Skills

LoRaWAN & Sub-GHz Attacks

Quick Workflow

Hardware

LoRaWAN

OTAA Join Capture

ABP — Pre-Flashed Keys

Frame Counter Replay

Downlink Injection

Sub-GHz Proprietary Protocols

Quick Capture + Replay (Flipper Zero / HackRF)

KeeLoq (Old Garage Doors, Some Cars)

Fixed-Code Remotes

TPMS Spoofing

Reconstruction of Unknown Protocols

Engagement Cheatsheet

Detection

Reporting

Key References