
ZigBee Auditor - XA is a hardware tool for professionals who work with ZigBee networks, such as developers, auditors, and cybersecurity professionals. It comes with an on-board antenna that provides an indispensable 100m signal range for network auditing and scanning tasks. To use ZigBee Auditor, you need to install EXPLIoT, an open source framework for security testing and exploiting IoT. ZigBee Auditor provides ZigBee network scanning, packet sniffing, and packet replay functionality.


All ZigBee Auditor plugins need root privileges to access the low-level USB driver. If you see permission errors, add a udev rule that grants your user access to the ZigBee Auditor device.


This plugin displays information about the ZigBee Auditor hardware used with the framework: the device name, the device firmware revision, and the services supported by the device.

Usage details:

ef> run zbauditor.generic.devinfo -h


ef> run zbauditor.generic.devinfo
[*] Zigbee Auditor Details:
[*] Device Name      : ZigBee Auditor
[*] FW Revision      : 1.0.0
[*] Services:
[*]    GET_FW_REV       : True
[*]    GET_FW_SERV      : True
[*]    CHANNEL_CHNG     : True
[*]    MAC_ON_OFF       : True
[*]    802154_SNIFF     : True
[*]    802154_INJECT    : True
[*]    802154_NWK_SCAN  : True
[*]    SUPP_FREQ_2400   : True
[+] Test zbauditor.generic.devinfo passed


This plugin scans the 2.4 GHz band for active IEEE 802.15.4 and Zigbee devices by sending IEEE 802.15.4 beacon requests on the selected channels and saves the result in the specified log file.

Usage details:

ef> run zbauditor.generic.nwkscan -h


ef> run zbauditor.generic.nwkscan -s 11 -e 26 -f ./zigbee_nwkscan.log
[*] Start Channel: (11)
[*] End Channel  : (26)
[*] Log File     : (./zigbee_nwkscan.log)
[*] Devices found     1
[*] Device Number    : 1
[*] Channel          : 21
[*] Source Address   : 0x0
[*] Source PAN ID    : 0x1234
[*] Extended PAN ID (Device Address): ['0x0', '0x12', '0x34', '0x56', '0x78', '0x90', '0xab', '0xcd']
[*] Pan Coordinator  : True
[*] Permit Joining   : False
[*] Router Capacity  : True
[*] Device Capacity  : True
[*] Protocol Version : 2
[*] Stack Profile    : 2
[*] LQI              : 160
[*] rssi             : -53
[*] Scan duration     6.543011665344238
[+] Test zbauditor.generic.nwkscan passed


This plugin captures IEEE 802.15.4 packets on a specified channel and saves them in pcap format.

Usage details:

ef> run zbauditor.generic.sniffer -h


ef> run zbauditor.generic.sniffer -c 25 -f ../1450.pcap
[*] Channel      : (25)
[*] File         : (../1450.pcap)
[*] Count        : (65535)
[*] Time-Out     : (0)

ef> run zbauditor.generic.sniffer -c 25 -f ../1500.pcap -n 10
[*] Channel      : (25)
[*] File         : (../1500.pcap)
[*] Count        : (10)
[*] Time-Out     : (0)
[*] Packet Received: (10)
[*] Packet Transmit: (0)
[+] Test zbauditor.generic.sniffer passed

ef> run zbauditor.generic.sniffer -c 25 -f ../1530.pcap -t 10
[*] Channel      : (25)
[*] File         : (../1530.pcap)
[*] Count        : (65535)
[*] Time-Out     : (10)
[*] Packet Received: (2)
[*] Packet Transmit: (0)
[+] Test zbauditor.generic.sniffer passed


This plugin reads packets from the specified pcap file and replays them on the specified channel, ignoring ACK packets. If a destination PAN is specified, the plugin transmits only packets with a matching destination PAN.

Usage details:

ef> run zbauditor.generic.replay -h


ef> run zbauditor.generic.replay -c 25 -f ../0500.pcap
[*] Channel      : (25)
[*] File         : (../0500.pcap)
[*] Delay (seconds): (0.2)
[*] Packet Received: (0)
[*] Packet Transmit: (31)
[+] Test zbauditor.generic.replay passed

ef> run zbauditor.generic.replay -c 25 -f ../0500.pcap -p 0x1234
[*] Channel      : (25)
[*] File         : (../0500.pcap)
[*] Delay (seconds): (0.2)
[*] Destination PAN: (0x1234)
[*] Packet Received: (0)
[*] Packet Transmit: (24)
[+] Test zbauditor.generic.replay passed
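
The selection rule described for the replay plugin (skip ACKs, optionally match a destination PAN) comes down to reading the IEEE 802.15.4 MAC header, which is also how a capture can be triaged to see which frames a PAN filter covers. The sketch below is an added example, not EXPLIoT's own code: the function names are hypothetical, the sample frames are constructed, and it assumes 802.15.4-2003/2006 framing (as used by Zigbee) and exact PAN matching.

```python
import struct

# Frame type values from the 3 low bits of the Frame Control Field (FCF).
FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "mac-command"}

def parse_mac_header(frame: bytes):
    """Return (frame_type, dest_pan) for an 802.15.4-2003/2006 frame.

    dest_pan is None when the frame has no destination addressing,
    which is always the case for ACKs (FCF + sequence number only).
    """
    if len(frame) < 3:
        raise ValueError("frame shorter than FCF + sequence number")
    (fcf,) = struct.unpack_from("<H", frame, 0)      # FCF is little-endian
    ftype = FRAME_TYPES.get(fcf & 0x7, "reserved")
    dest_mode = (fcf >> 10) & 0x3                    # 0 = no dest address
    dest_pan = None
    if dest_mode != 0:
        if len(frame) < 5:
            raise ValueError("truncated destination PAN ID")
        (dest_pan,) = struct.unpack_from("<H", frame, 3)
    return ftype, dest_pan

def select_frames(frames, dest_pan=None):
    """Keep non-ACK frames; if dest_pan is given, keep exact matches only."""
    kept = []
    for raw in frames:
        try:
            ftype, pan = parse_mac_header(raw)
        except ValueError:
            continue                                 # malformed: skip it
        if ftype == "ack":
            continue
        if dest_pan is not None and pan != dest_pan:
            continue
        kept.append(raw)
    return kept

# Constructed sample frames (MAC header bytes, no FCS), not from a capture.
SAMPLE_FRAMES = [
    bytes.fromhex("618801341200000100"),  # data, dest PAN 0x1234
    bytes.fromhex("020001"),              # ACK for sequence number 1
    bytes.fromhex("618802efbe00000100"),  # data, dest PAN 0xbeef
    bytes.fromhex("030803ffffffff07"),    # beacon request, broadcast PAN
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(f.hex(), parse_mac_header(f))
    print(len(select_frames(SAMPLE_FRAMES, dest_pan=0x1234)), "frame(s) match")
```

Under exact matching, frames addressed to the broadcast PAN (0xffff) are excluded by a specific PAN filter; whether the plugin treats broadcast frames the same way is not stated on this page.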