# Pentesting BLE - Bluetooth Low Energy
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Introduction
Available since the Bluetooth 4.0 specification, BLE uses only 40 channels, covering the range from 2400 to 2483.5 MHz. In contrast, classic Bluetooth uses 79 channels in that same range.
BLE devices communicate by sending **advertising packets** (**beacons**); these packets broadcast the BLE device's presence to other nearby devices. These beacons sometimes also **send data**.
The listening device, also called a central device, can respond to an advertising packet with a **scan request** sent specifically to the advertising device. The **response** to that scan uses the same structure as the **advertising** packet, with additional information that could not fit in the initial advertising packet, such as the full device name.
![](<../../.gitbook/assets/image (152).png>)
The preamble byte is used to synchronize the frequency, while the four-byte access address is a **connection identifier**, used in scenarios where multiple devices try to establish connections on the same channel. Next, the Protocol Data Unit (**PDU**) contains the **advertising data**. There are several PDU types; the most commonly used are ADV\_NONCONN\_IND and ADV\_IND. A device uses the **ADV\_NONCONN\_IND** PDU type if it **does not accept connections**, transmitting data only in the advertising packet. A device uses **ADV\_IND** if it **allows connections** and **stops sending advertising** packets once a **connection has been established**.
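The packet layout just described (preamble, access address, PDU header with the type field, then AdvA and the AD structures of the advertising data) is easier to reason about with a small parser. The following is an added example written for this page, not code from HackTricks or from any BLE stack; the sample frame it builds is constructed (the address `11:22:33:44:55:66`, the name `SmartLock` and the Battery Service UUID are invented), the 3-byte CRC is left out, and the scan response case is handled by the same branch because it shares the AdvA + AdvData payload layout:

```python
import struct

# Access address every advertising-channel PDU carries (Bluetooth Core spec, Vol 6 Part B).
# It is sent least-significant byte first, so on the air it appears as d6 be 89 8e.
ADV_ACCESS_ADDRESS = 0x8E89BED6

# PDU type field (low 4 bits of the first header byte) for advertising-channel PDUs.
PDU_TYPES = {
    0x0: "ADV_IND",
    0x1: "ADV_DIRECT_IND",
    0x2: "ADV_NONCONN_IND",
    0x3: "SCAN_REQ",
    0x4: "SCAN_RSP",
    0x5: "CONNECT_IND",
    0x6: "ADV_SCAN_IND",
}
CONNECTABLE = {"ADV_IND", "ADV_DIRECT_IND"}
# PDUs whose payload is AdvA (6 bytes) followed by AD structures.
ADVA_PLUS_DATA = {"ADV_IND", "ADV_NONCONN_IND", "ADV_SCAN_IND", "SCAN_RSP"}

# A few common AD types from the Bluetooth assigned numbers.
AD_TYPES = {
    0x01: "Flags",
    0x03: "CompleteList16BitUUIDs",
    0x08: "ShortenedLocalName",
    0x09: "CompleteLocalName",
    0xFF: "ManufacturerSpecificData",
}


def mac_str(raw):
    """Addresses are sent least-significant byte first; render them as AA:BB:CC:DD:EE:FF."""
    return ":".join("%02X" % b for b in reversed(raw))


def parse_ad_structures(data):
    """Split AdvData into (length, type, value) AD structures and decode a few of them."""
    entries = []
    i = 0
    while i < len(data):
        length = data[i]
        if length == 0:  # zero-length entry: the remaining bytes are padding
            break
        if i + 1 + length > len(data):
            raise ValueError("AD structure runs past the end of AdvData")
        ad_type = data[i + 1]
        value = data[i + 2 : i + 1 + length]
        entry = {"type": AD_TYPES.get(ad_type, "0x%02X" % ad_type), "raw": value.hex()}
        if ad_type == 0x01 and value:
            entry["flags"] = {
                "le_limited_discoverable": bool(value[0] & 0x01),
                "le_general_discoverable": bool(value[0] & 0x02),
                "br_edr_not_supported": bool(value[0] & 0x04),
            }
        elif ad_type in (0x08, 0x09):
            entry["name"] = value.decode("utf-8", errors="replace")
        elif ad_type == 0x03:
            even = value[: len(value) // 2 * 2]  # 16-bit UUIDs, little-endian
            entry["uuids"] = ["0x%04X" % u for (u,) in struct.iter_unpack("<H", even)]
        entries.append(entry)
        i += 1 + length
    return entries


def parse_adv_packet(frame):
    """Parse preamble | access address | PDU header | payload (CRC not included)."""
    if len(frame) < 7:
        raise ValueError("frame too short for preamble, access address and header")
    access_address = struct.unpack_from("<I", frame, 1)[0]
    if access_address != ADV_ACCESS_ADDRESS:
        raise ValueError("not an advertising-channel packet: AA=0x%08X" % access_address)
    header, length = frame[5], frame[6]
    pdu_type = PDU_TYPES.get(header & 0x0F, "RESERVED_0x%X" % (header & 0x0F))
    payload = frame[7 : 7 + length]
    if len(payload) != length:
        raise ValueError("payload shorter than the length field claims")
    packet = {
        "preamble": frame[0],
        "pdu_type": pdu_type,
        "connectable": pdu_type in CONNECTABLE,
        "random_address": bool(header & 0x40),  # TxAdd bit: 1 = random AdvA
        "payload_length": length,
    }
    if pdu_type in ADVA_PLUS_DATA:
        packet["adv_address"] = mac_str(payload[:6])
        packet["ad"] = parse_ad_structures(payload[6:])
    return packet


def build_sample_frame(connectable=True):
    """Constructed sample (not a real capture): a random-address advertiser named
    'SmartLock' exposing the 16-bit Battery Service UUID 0x180F."""
    adv_data = (
        bytes([0x02, 0x01, 0x06])              # Flags: LE General Discoverable, BR/EDR not supported
        + bytes([0x0A, 0x09]) + b"SmartLock"   # Complete Local Name
        + bytes([0x03, 0x03, 0x0F, 0x18])      # Complete list of 16-bit UUIDs: 0x180F
    )
    adv_a = bytes.fromhex("665544332211")      # 11:22:33:44:55:66, sent LSB first
    payload = adv_a + adv_data
    pdu_type = 0x0 if connectable else 0x2     # ADV_IND vs ADV_NONCONN_IND
    header = bytes([pdu_type | 0x40, len(payload)])  # TxAdd=1: random address
    return bytes([0xAA]) + struct.pack("<I", ADV_ACCESS_ADDRESS) + header + payload


if __name__ == "__main__":
    for flag in (True, False):
        pkt = parse_adv_packet(build_sample_frame(connectable=flag))
        print(pkt["pdu_type"], pkt["adv_address"], "connectable=%s" % pkt["connectable"])
        for entry in pkt["ad"]:
            print("  ", entry)
```

The `connectable` field is what a reviewer wants to see first when triaging a capture: an `ADV_IND` advertiser is inviting connections and therefore exposes its GATT attack surface, while an `ADV_NONCONN_IND` beacon only broadcasts.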
### GATT
The **Generic Attribute Profile** (GATT) defines **how the device should format and transfer data**. When you analyze a BLE device's attack surface, you will often concentrate on the GATT (or GATTs), because it is **how device functionality gets triggered** and how data gets stored, grouped, and modified. The GATT lists a device's characteristics, descriptors, and services in a table as either 16-bit or 32-bit values. A **characteristic** is a **data value sent between the central device and the peripheral**. These characteristics can have **descriptors** that **provide additional information about them**. **Characteristics** are usually **grouped** into **services** if they are related to performing a particular action.
## Enumeration
```bash
hciconfig # Check config, check if UP or DOWN
# If DOWN try:
sudo modprobe bluetooth
sudo hciconfig hci0 down && sudo hciconfig hci0 up
# Spoof MAC
spooftooph -i hci0 -a 11:22:33:44:55:66
```
### GATTool
**GATTool** allows you to **establish** a **connection** with another device, list that device's **characteristics**, and read and write its attributes.\
GATTTool can launch an interactive shell with the `-I` option:
```bash
gatttool -i hci0 -I
[ ][LE]> connect 24:62:AB:B1:A8:3E
Attempting to connect to A4:CF:12:6C:B3:76
Connection successful
[A4:CF:12:6C:B3:76][LE]> characteristics
handle: 0x0002, char properties: 0x20, char value handle: 0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
handle: 0x0015, char properties: 0x02, char value handle: 0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
[...]
# Write data (the value handle goes after -a, the value as hex after -n)
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-write-req -a <characteristic handle> -n <value>
gatttool -b a4:cf:12:6c:b3:76 --char-write-req -a 0x002e -n $(echo -n "04dc54d9053b4307680a"|xxd -ps)
# Read data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-read -a 0x16
# Read over an authenticated, encrypted connection (requires pairing with the device)
gatttool --sec-level=high -b a4:cf:12:6c:b3:76 --char-read -a 0x002c
```
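The `characteristics` listing above is the GATT table described in the GATT section: each record is a handle, a property bitmask, the handle of the value and the UUID. Reading the bitmask by hand is error-prone, so the following added example (written for this page; not HackTricks' or BlueZ's code) parses that output, expands the property bits according to the GATT characteristic-properties definition, shortens 16-bit UUIDs embedded in the Bluetooth base UUID, and lists the characteristics that accept writes. The first two sample records are the ones shown on this page; the third (`0x002d`/`0x002e`, UUID `ff06`) is constructed for the example:

```python
import re

# Characteristic property bits (Bluetooth Core spec, GATT "Characteristic Properties").
PROPERTY_BITS = {
    0x01: "broadcast",
    0x02: "read",
    0x04: "write-without-response",
    0x08: "write",
    0x10: "notify",
    0x20: "indicate",
    0x40: "authenticated-signed-writes",
    0x80: "extended-properties",
}
WRITE_MASK = 0x04 | 0x08  # either write flavour makes the value attacker-controllable

# 16-bit assigned UUIDs are embedded in the Bluetooth base UUID as 0000XXXX-0000-1000-8000-00805f9b34fb.
BASE_UUID_SUFFIX = "-0000-1000-8000-00805f9b34fb"

RECORD_RE = re.compile(
    r"handle:\s*(0x[0-9a-fA-F]+),\s*char properties:\s*(0x[0-9a-fA-F]+),"
    r"\s*char value handle:\s*(0x[0-9a-fA-F]+),\s*uuid:\s*([0-9a-fA-F-]{36})"
)


def decode_properties(mask):
    """Expand a properties bitmask into the names of the set bits (lowest bit first)."""
    return [name for bit, name in sorted(PROPERTY_BITS.items()) if mask & bit]


def short_uuid(uuid):
    """Return 0xXXXX for a 16-bit UUID in the base-UUID form, otherwise the full UUID."""
    u = uuid.lower()
    if u.startswith("0000") and u.endswith(BASE_UUID_SUFFIX):
        return "0x" + u[4:8].upper()
    return u


def parse_characteristics(text):
    """Parse gatttool 'characteristics' output; records wrapped over two lines are joined first."""
    flat = re.sub(r"\s+", " ", text)
    records = []
    for m in RECORD_RE.finditer(flat):
        handle, props, value_handle, uuid = m.groups()
        mask = int(props, 16)
        records.append({
            "handle": int(handle, 16),
            "value_handle": int(value_handle, 16),
            "uuid": short_uuid(uuid),
            "props": mask,
            "properties": decode_properties(mask),
        })
    return records


def writable(records):
    """Characteristics whose value can be changed by a connected central."""
    return [r for r in records if r["props"] & WRITE_MASK]


# Sample output: the first two records are from the page; the third is constructed.
SAMPLE_OUTPUT = """
handle: 0x0002, char properties: 0x20, char value handle:
0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
handle: 0x0015, char properties: 0x02, char value handle:
0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
handle: 0x002d, char properties: 0x0c, char value handle: 0x002e, uuid: 0000ff06-0000-1000-8000-00805f9b34fb
"""

if __name__ == "__main__":
    recs = parse_characteristics(SAMPLE_OUTPUT)
    for r in recs:
        print("value handle 0x%04x  uuid %-8s  %s" % (r["value_handle"], r["uuid"], ", ".join(r["properties"])))
    print("writable:", ["0x%04x" % r["value_handle"] for r in writable(recs)])
```

With the page's records this yields `0x2A05` (Service Changed) as indicate-only and `0x2A00` (Device Name) as read-only; only the constructed `0xFF06` record is writable, which is the kind of characteristic whose access permissions and input validation deserve review on a real device.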
### Bettercap
```bash
# Start listening for beacons
sudo bettercap --eval "ble.recon on"
# Wait some time
>> ble.show # Show discovered devices
>> ble.enum <mac addr> # This will show the service, characteristics and properties supported
# Write data in a characteristic
>> ble.write <MAC ADDR> <UUID> <HEX DATA>
>> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06
```