mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-24 03:53:29 +00:00
99 lines
6.1 KiB
Markdown
99 lines
6.1 KiB
Markdown
# Pentesting BLE - Bluetooth Low Energy
|
||
|
||
{% hint style="success" %}
|
||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
||
<details>
|
||
|
||
<summary>Support HackTricks</summary>
|
||
|
||
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
||
</details>
|
||
{% endhint %}
|
||
|
||
## Introduction
|
||
|
||
Available since the Bluetooth 4.0 specification, BLE uses only 40 channels, covering the range of 2400 to 2483.5 MHz. In contrast, traditional Bluetooth uses 79 channels in that same range.
|
||
|
||
BLE devices communicate is by sending **advertising packets** (**beacons**), these packets broadcast the BLE device’s existence to other nearby devices. These beacons sometimes **send data**, too.
|
||
|
||
The listening device, also called a central device, can respond to an advertising packet with a **SCAN request** sent specifically to the advertising device. The **response** to that scan uses the same structure as the **advertising** packet with additional information that couldn’t fit on the initial advertising request, such as the full device name.
|
||
|
||
![](<../../.gitbook/assets/image (152).png>)
|
||
|
||
The preamble byte synchronizes the frequency, whereas the four-byte access address is a **connection identifier**, which is used in scenarios where multiple devices are trying to establish connections on the same channels. Next, the Protocol Data Unit (**PDU**) contains the **advertising data**. There are several types of PDU; the most commonly used are ADV\_NONCONN\_IND and ADV\_IND. Devices use the **ADV\_NONCONN\_IND** PDU type if they **don’t accept connections**, transmitting data only in the advertising packet. Devices use **ADV\_IND** if they **allow connections** and **stop sending advertising** packets once a **connection** has been **established**.
|
||
|
||
### GATT
|
||
|
||
The **Generic Attribute Profile** (GATT) defines how the **device should format and transfer data**. When you’re analyzing a BLE device’s attack surface, you’ll often concentrate your attention on the GATT (or GATTs), because it’s how **device functionality gets triggered** and how data gets stored, grouped, and modified. The GATT lists a device’s characteristics, descriptors, and services in a table as either 16- or 32-bits values. A **characteristic** is a **data** value **sent** between the central device and peripheral. These characteristics can have **descriptors** that **provide additional information about them**. **Characteristics** are often **grouped** in **services** if they’re related to performing a particular action.
|
||
|
||
## Enumeration
|
||
|
||
```bash
|
||
hciconfig #Check config, check if UP or DOWN
|
||
# If DOWN try:
|
||
sudo modprobe -c bluetooth
|
||
sudo hciconfig hci0 down && sudo hciconfig hci0 up
|
||
|
||
# Spoof MAC
|
||
spooftooph -i hci0 -a 11:22:33:44:55:66
|
||
```
|
||
|
||
### GATTool
|
||
|
||
**GATTool** allows to **establish** a **connection** with another device, listing that device’s **characteristics**, and reading and writing its attributes.\
|
||
GATTTool can launch an interactive shell with the `-I` option:
|
||
|
||
```bash
|
||
gatttool -i hci0 -I
|
||
[ ][LE]> connect 24:62:AB:B1:A8:3E Attempting to connect to A4:CF:12:6C:B3:76 Connection successful
|
||
[A4:CF:12:6C:B3:76][LE]> characteristics
|
||
handle: 0x0002, char properties: 0x20, char value handle:
|
||
0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
|
||
handle: 0x0015, char properties: 0x02, char value handle:
|
||
0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
|
||
[...]
|
||
|
||
# Write data
|
||
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-write-req <characteristic handle> -n <value>
|
||
gatttool -b a4:cf:12:6c:b3:76 --char-write-req -a 0x002e -n $(echo -n "04dc54d9053b4307680a"|xxd -ps)
|
||
|
||
# Read data
|
||
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-read -a 0x16
|
||
|
||
# Read connecting with an authenticated encrypted connection
|
||
gatttool --sec-level=high -b a4:cf:12:6c:b3:76 --char-read -a 0x002c
|
||
```
|
||
|
||
### Bettercap
|
||
|
||
```bash
|
||
# Start listening for beacons
|
||
sudo bettercap --eval "ble.recon on"
|
||
# Wait some time
|
||
>> ble.show # Show discovered devices
|
||
>> ble.enum <mac addr> # This will show the service, characteristics and properties supported
|
||
|
||
# Write data in a characteristic
|
||
>> ble.write <MAC ADDR> <UUID> <HEX DATA>
|
||
>> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06
|
||
```
|
||
|
||
{% hint style="success" %}
|
||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
||
<details>
|
||
|
||
<summary>Support HackTricks</summary>
|
||
|
||
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
||
</details>
|
||
{% endhint %}
|