2024-07-19 10:11:43 +00:00
{% hint style="success" %}
学习与实践 AWS Hacking:< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > \
学习与实践 GCP Hacking: < img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > [**HackTricks Training GCP Red Team Expert (GRTE)**< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > ](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-19 10:11:43 +00:00
< details >
2022-04-28 16:01:33 +00:00
2024-07-19 10:11:43 +00:00
< summary > 支持 HackTricks< / summary >
2022-04-28 16:01:33 +00:00
2024-07-19 10:11:43 +00:00
* 查看 [**订阅计划** ](https://github.com/sponsors/carlospolop )!
* **加入** 💬 [**Discord 群组** ](https://discord.gg/hRep4RUj7f ) 或 [**telegram 群组** ](https://t.me/peass ) 或 **在** **Twitter** 🐦 **上关注我们** [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
* **通过向** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) 和 [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github 仓库提交 PR 来分享黑客技巧。
2022-04-28 16:01:33 +00:00
< / details >
2024-07-19 10:11:43 +00:00
{% endhint %}
2022-04-28 16:01:33 +00:00
2022-05-01 16:32:23 +00:00
2023-08-03 19:12:22 +00:00
# 介绍
2022-02-28 09:13:08 +00:00
2024-07-19 10:11:43 +00:00
自 Bluetooth 4.0 规范以来,
2022-02-28 09:13:08 +00:00
2024-07-19 10:11:43 +00:00
BLE 设备通过发送 **广告数据包** (**beacons**) 进行通信,这些数据包将 BLE 设备的存在广播给其他附近的设备。这些信标有时也会 **发送数据** 。
2022-02-28 09:13:08 +00:00
2024-07-19 10:11:43 +00:00
监听设备,也称为中央设备,可以通过向广告设备发送特定的 **SCAN 请求** 来响应广告数据包。该扫描的 **响应** 使用与 **广告** 数据包相同的结构,并包含无法在初始广告请求中容纳的附加信息,例如完整的设备名称。
2022-02-28 09:13:08 +00:00
2022-05-01 16:17:23 +00:00
 ( 2 ) ( 1 ) ( 1 ) . png > )
2022-02-28 09:13:08 +00:00
2024-07-19 10:11:43 +00:00
前导字节同步频率,而四字节访问地址是 **连接标识符** ,用于多个设备尝试在同一频道上建立连接的场景。接下来,协议数据单元 (**PDU**) 包含 **广告数据** 。PDU 有几种类型;最常用的是 ADV\_NONCONN\_IND 和 ADV\_IND。如果设备 **不接受连接** ,则使用 **ADV\_NONCONN\_IND** PDU 类型,仅在广告数据包中传输数据。如果设备 **允许连接** ,并且在 **连接** 建立后 **停止发送广告** 数据包,则使用 **ADV\_IND** 。
2022-02-28 09:13:08 +00:00
2022-05-01 16:32:23 +00:00
## GATT
2022-02-28 09:13:08 +00:00
2024-07-19 10:11:43 +00:00
**通用属性配置文件** (GATT) 定义了 **设备应如何格式化和传输数据** 。当您分析 BLE 设备的攻击面时,您通常会将注意力集中在 GATT( ) , **设备功能被触发** 的方式, **在中央设备和外设之间发送的** **数据** 值。这些特性可以具有 **描述符** ,以 **提供有关它们的附加信息** 。如果特性与执行特定操作相关,则 **特性** 通常会在 **服务** 中 **分组** 。
2022-02-28 09:13:08 +00:00
2023-08-03 19:12:22 +00:00
# 枚举
2022-02-28 09:13:08 +00:00
```bash
hciconfig #Check config, check if UP or DOWN
# If DOWN try:
sudo modprobe -c bluetooth
sudo hciconfig hci0 down & & sudo hciconfig hci0 up
# Spoof MAC
spooftooph -i hci0 -a 11:22:33:44:55:66
```
2022-05-01 16:32:23 +00:00
## GATTool
2022-02-28 09:13:08 +00:00
2024-07-19 10:11:43 +00:00
**GATTool** 允许与另一个设备 **建立** **连接** ,列出该设备的 **特性** ,并读取和写入其属性。\
GATTTool 可以使用 `-I` 选项启动交互式 shell:
2022-02-28 09:13:08 +00:00
```bash
gatttool -i hci0 -I
[ ][LE]> connect 24:62:AB:B1:A8:3E Attempting to connect to A4:CF:12:6C:B3:76 Connection successful
[A4:CF:12:6C:B3:76][LE]> characteristics
2023-08-03 19:12:22 +00:00
handle: 0x0002, char properties: 0x20, char value handle:
0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
handle: 0x0015, char properties: 0x02, char value handle:
0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
2022-02-28 09:13:08 +00:00
[...]
# Write data
gatttool -i < Bluetooth adapter interface > -b < MAC address of device > --char-write-req < characteristic handle > -n < value >
gatttool -b a4:cf:12:6c:b3:76 --char-write-req -a 0x002e -n $(echo -n "04dc54d9053b4307680a"|xxd -ps)
# Read data
gatttool -i < Bluetooth adapter interface > -b < MAC address of device > --char-read -a 0x16
# Read connecting with an authenticated encrypted connection
gatttool --sec-level=high -b a4:cf:12:6c:b3:76 --char-read -a 0x002c
```
2022-05-01 16:32:23 +00:00
## Bettercap
2022-02-28 09:13:08 +00:00
```bash
# Start listening for beacons
sudo bettercap --eval "ble.recon on"
# Wait some time
>> ble.show # Show discovered devices
>> ble.enum < mac addr > # This will show the service, characteristics and properties supported
# Write data in a characteristic
>> ble.write < MAC ADDR > < UUID > < HEX DATA >
>> ble.write < mac address of device > ff06 68656c6c6f # Write "hello" in ff06
```
2024-07-19 10:11:43 +00:00
{% hint style="success" %}
学习与实践 AWS 黑客技术:< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > [**HackTricks 培训 AWS 红队专家 (ARTE)**](https://training.hacktricks.xyz/courses/arte)< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > \
学习与实践 GCP 黑客技术:< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > [**HackTricks 培训 GCP 红队专家 (GRTE)**< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > ](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-19 10:11:43 +00:00
< details >
2022-04-28 16:01:33 +00:00
2024-07-19 10:11:43 +00:00
< summary > 支持 HackTricks< / summary >
2022-04-28 16:01:33 +00:00
2024-07-19 10:11:43 +00:00
* 查看 [**订阅计划** ](https://github.com/sponsors/carlospolop )!
* **加入** 💬 [**Discord 群组** ](https://discord.gg/hRep4RUj7f ) 或 [**Telegram 群组** ](https://t.me/peass ) 或 **在** **Twitter** 🐦 **上关注我们** [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
* **通过向** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) 和 [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) GitHub 仓库提交 PR 来分享黑客技巧。
2022-04-28 16:01:33 +00:00
< / details >
2024-07-19 10:11:43 +00:00
{% endhint %}
