Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-28 07:31:10 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/radio-hacking/pentesting-ble-bluetooth-low-energy.md
Translator workflow b442ae90c4 Translated to Klingon
2024-02-10 17:52:19 +00:00

8.3 KiB
Raw Permalink Blame History

htARTE (HackTricks AWS Red Team Expert) ! tlhIngan Hol

HackTricks vItlhutlh:

Introduction

Available since the Bluetooth 4.0 specification, BLE uses only 40 channels, covering the range of 2400 to 2483.5 MHz. In contrast, traditional Bluetooth uses 79 channels in that same range.

BLE devices communicate is by sending advertising packets (beacons), these packets broadcast the BLE devices existence to other nearby devices. These beacons sometimes send data, too.

The listening device, also called a central device, can respond to an advertising packet with a SCAN request sent specifically to the advertising device. The response to that scan uses the same structure as the advertising packet with additional information that couldnt fit on the initial advertising request, such as the full device name.

The preamble byte synchronizes the frequency, whereas the four-byte access address is a connection identifier, which is used in scenarios where multiple devices are trying to establish connections on the same channels. Next, the Protocol Data Unit (PDU) contains the advertising data. There are several types of PDU; the most commonly used are ADV_NONCONN_IND and ADV_IND. Devices use the ADV_NONCONN_IND PDU type if they dont accept connections, transmitting data only in the advertising packet. Devices use ADV_IND if they allow connections and stop sending advertising packets once a connection has been established.

GATT

The Generic Attribute Profile (GATT) defines how the device should format and transfer data. When youre analyzing a BLE devices attack surface, youll often concentrate your attention on the GATT (or GATTs), because its how device functionality gets triggered and how data gets stored, grouped, and modified. The GATT lists a devices characteristics, descriptors, and services in a table as either 16- or 32-bits values. A characteristic is a data value sent between the central device and peripheral. These characteristics can have descriptors that provide additional information about them. Characteristics are often grouped in services if theyre related to performing a particular action.

Enumeration

hciconfig #Check config, check if UP or DOWN
# If DOWN try:
sudo modprobe -c bluetooth
sudo hciconfig hci0 down && sudo hciconfig hci0 up

# Spoof MAC
spooftooph -i hci0 -a 11:22:33:44:55:66

GATTool

GATTool ghItlh ghItlh connection 'ej ghItlh characteristics laH 'ej attributes vItlhutlh 'e' device listing.
GATTTool -I interactive shell launch jatlh:

gatttool -i hci0 -I
[ ][LE]> connect 24:62:AB:B1:A8:3E Attempting to connect to A4:CF:12:6C:B3:76 Connection successful
[A4:CF:12:6C:B3:76][LE]> characteristics
handle: 0x0002, char properties: 0x20, char value handle:
0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
handle: 0x0015, char properties: 0x02, char value handle:
0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
[...]

# Write data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-write-req <characteristic handle> -n <value>
gatttool -b a4:cf:12:6c:b3:76 --char-write-req -a 0x002e -n $(echo -n "04dc54d9053b4307680a"|xxd -ps)

# Read data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-read -a 0x16

# Read connecting with an authenticated encrypted connection
gatttool --sec-level=high -b a4:cf:12:6c:b3:76 --char-read -a 0x002c

Bettercap

Bettercap is a powerful, flexible, and extensible tool for network monitoring and penetration testing. It provides a wide range of features and capabilities for analyzing and manipulating network traffic.

Installation

To install Bettercap, follow these steps:

  1. Step 1: Open a terminal window.

  2. Step 2: Run the following command to update the package lists:

    sudo apt update

  3. Step 3: Run the following command to install Bettercap:

    sudo apt install bettercap

Usage

Once Bettercap is installed, you can use it to perform various network monitoring and penetration testing tasks. Here are some common use cases:

  • Sniffing: Bettercap allows you to capture and analyze network traffic, including Bluetooth Low Energy (BLE) packets. You can use the ble.recon on command to start sniffing BLE traffic.

  • Man-in-the-Middle (MITM) Attacks: Bettercap supports MITM attacks, which allow you to intercept and manipulate network traffic between two parties. You can use the ble.recon on command to start sniffing BLE traffic and the ble.recon off command to stop sniffing.

  • Spoofing: Bettercap enables you to spoof BLE devices, making them appear as different devices to other devices on the network. You can use the ble.recon on command to start sniffing BLE traffic and the ble.recon off command to stop sniffing.

  • Injecting Malicious Packets: Bettercap allows you to inject custom packets into the network, which can be used for various purposes, including testing the security of BLE devices. You can use the ble.recon on command to start sniffing BLE traffic and the ble.recon off command to stop sniffing.

Conclusion

Bettercap is a versatile tool that can be used for a wide range of network monitoring and penetration testing tasks. By leveraging its features and capabilities, you can gain valuable insights into the security of BLE devices and networks.

# Start listening for beacons
sudo bettercap --eval "ble.recon on"
# Wait some time
>> ble.show # Show discovered devices
>> ble.enum <mac addr> # This will show the service, characteristics and properties supported

# Write data in a characteristic
>> ble.write <MAC ADDR> <UUID> <HEX DATA>
>> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: