mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-26 22:52:06 +00:00
92 lines
6 KiB
Markdown
92 lines
6 KiB
Markdown
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|
|
|
|
|
|
# Utangulizi
|
|
|
|
Inapatikana tangu spesifikasisi ya Bluetooth 4.0, BLE inatumia tu vituo 40, ikifunika anuwai ya 2400 hadi 2483.5 MHz. Kinyume chake, Bluetooth ya jadi inatumia vituo 79 katika anuwai hiyo hiyo.
|
|
|
|
Vifaa vya BLE vinawasiliana kwa kutuma **pakiti za matangazo** (**beacons**), pakiti hizi zinatangaza uwepo wa kifaa cha BLE kwa vifaa vingine vya karibu. Beacons hizi wakati mwingine **zinasambaza data** pia.
|
|
|
|
Kifaa kinachosikiliza, pia kinachojulikana kama kifaa cha kati, kinaweza kujibu pakiti ya matangazo kwa **ombio la SCAN** lililotumwa mahsusi kwa kifaa kinachotangaza. **Jibu** kwa skani hiyo linatumia muundo sawa na pakiti ya **matangazo** ikiwa na taarifa za ziada ambazo hazikuweza kuingia kwenye ombi la matangazo la awali, kama vile jina kamili la kifaa.
|
|
|
|
![](<../.gitbook/assets/image (201) (2) (1) (1).png>)
|
|
|
|
Byte ya preamble inasawazisha masafa, wakati anwani ya ufikiaji ya byte nne ni **kitambulisho cha muunganisho**, ambacho kinatumika katika hali ambapo vifaa vingi vinajaribu kuanzisha muunganisho kwenye vituo sawa. Kisha, Kitengo cha Data ya Protokali (**PDU**) kina **data za matangazo**. Kuna aina kadhaa za PDU; zile zinazotumika sana ni ADV\_NONCONN\_IND na ADV\_IND. Vifaa vinatumia aina ya PDU ya **ADV\_NONCONN\_IND** ikiwa **havikubali muunganisho**, vinatoa data tu katika pakiti ya matangazo. Vifaa vinatumia **ADV\_IND** ikiwa **vinakubali muunganisho** na **kusitisha kutuma matangazo** mara tu **muunganisho** unapokuwa **umeanzishwa**.
|
|
|
|
## GATT
|
|
|
|
**Profaili ya Sifa ya Kijeneriki** (GATT) inaelezea jinsi **kifaa kinapaswa kuunda na kuhamasisha data**. Unapokuwa unachambua uso wa shambulio la kifaa cha BLE, mara nyingi utaelekeza umakini wako kwenye GATT (au GATTs), kwa sababu ndivyo **ufanyaji kazi wa kifaa unavyoanzishwa** na jinsi data inavyohifadhiwa, kuunganishwa, na kubadilishwa. GATT inataja sifa, maelezo, na huduma za kifaa katika jedwali kama thamani za 16- au 32-biti. **Sifa** ni thamani ya **data** inayotumwa kati ya kifaa cha kati na cha pembeni. Sifa hizi zinaweza kuwa na **maelezo** yanayotoa **taarifa za ziada kuhusu hizo**. **Sifa** mara nyingi **zinaunganishwa** katika **huduma** ikiwa zinahusiana na kutekeleza hatua maalum.
|
|
|
|
# Uhesabuji
|
|
```bash
|
|
hciconfig #Check config, check if UP or DOWN
|
|
# If DOWN try:
|
|
sudo modprobe -c bluetooth
|
|
sudo hciconfig hci0 down && sudo hciconfig hci0 up
|
|
|
|
# Spoof MAC
|
|
spooftooph -i hci0 -a 11:22:33:44:55:66
|
|
```
|
|
## GATTool
|
|
|
|
**GATTool** inaruhusu **kuanzisha** **muunganisho** na kifaa kingine, kuorodhesha **sifa** za kifaa hicho, na kusoma na kuandika sifa zake.\
|
|
GATTTool inaweza kuzindua shell ya mwingiliano kwa chaguo la `-I`:
|
|
```bash
|
|
gatttool -i hci0 -I
|
|
[ ][LE]> connect 24:62:AB:B1:A8:3E Attempting to connect to A4:CF:12:6C:B3:76 Connection successful
|
|
[A4:CF:12:6C:B3:76][LE]> characteristics
|
|
handle: 0x0002, char properties: 0x20, char value handle:
|
|
0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
|
|
handle: 0x0015, char properties: 0x02, char value handle:
|
|
0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
|
|
[...]
|
|
|
|
# Write data
|
|
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-write-req <characteristic handle> -n <value>
|
|
gatttool -b a4:cf:12:6c:b3:76 --char-write-req -a 0x002e -n $(echo -n "04dc54d9053b4307680a"|xxd -ps)
|
|
|
|
# Read data
|
|
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-read -a 0x16
|
|
|
|
# Read connecting with an authenticated encrypted connection
|
|
gatttool --sec-level=high -b a4:cf:12:6c:b3:76 --char-read -a 0x002c
|
|
```
|
|
## Bettercap
|
|
```bash
|
|
# Start listening for beacons
|
|
sudo bettercap --eval "ble.recon on"
|
|
# Wait some time
|
|
>> ble.show # Show discovered devices
|
|
>> ble.enum <mac addr> # This will show the service, characteristics and properties supported
|
|
|
|
# Write data in a characteristic
|
|
>> ble.write <MAC ADDR> <UUID> <HEX DATA>
|
|
>> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06
|
|
```
|
|
{% hint style="success" %}
|
|
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
|
|
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
|
|
|
|
</details>
|
|
{% endhint %}
|