hacktricks/radio-hacking/pentesting-ble-bluetooth-low-energy.md

92 lines
6 KiB
Markdown

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
# Utangulizi
Inapatikana tangu spesifikasisi ya Bluetooth 4.0, BLE inatumia tu vituo 40, ikifunika anuwai ya 2400 hadi 2483.5 MHz. Kinyume chake, Bluetooth ya jadi inatumia vituo 79 katika anuwai hiyo hiyo.
Vifaa vya BLE vinawasiliana kwa kutuma **pakiti za matangazo** (**beacons**), pakiti hizi zinatangaza uwepo wa kifaa cha BLE kwa vifaa vingine vya karibu. Beacons hizi wakati mwingine **zinasambaza data** pia.
Kifaa kinachosikiliza, pia kinachojulikana kama kifaa cha kati, kinaweza kujibu pakiti ya matangazo kwa **ombio la SCAN** lililotumwa mahsusi kwa kifaa kinachotangaza. **Jibu** kwa skani hiyo linatumia muundo sawa na pakiti ya **matangazo** ikiwa na taarifa za ziada ambazo hazikuweza kuingia kwenye ombi la matangazo la awali, kama vile jina kamili la kifaa.
![](<../.gitbook/assets/image (201) (2) (1) (1).png>)
Byte ya preamble inasawazisha masafa, wakati anwani ya ufikiaji ya byte nne ni **kitambulisho cha muunganisho**, ambacho kinatumika katika hali ambapo vifaa vingi vinajaribu kuanzisha muunganisho kwenye vituo sawa. Kisha, Kitengo cha Data ya Protokali (**PDU**) kina **data za matangazo**. Kuna aina kadhaa za PDU; zile zinazotumika sana ni ADV\_NONCONN\_IND na ADV\_IND. Vifaa vinatumia aina ya PDU ya **ADV\_NONCONN\_IND** ikiwa **havikubali muunganisho**, vinatoa data tu katika pakiti ya matangazo. Vifaa vinatumia **ADV\_IND** ikiwa **vinakubali muunganisho** na **kusitisha kutuma matangazo** mara tu **muunganisho** unapokuwa **umeanzishwa**.
## GATT
**Profaili ya Sifa ya Kijeneriki** (GATT) inaelezea jinsi **kifaa kinapaswa kuunda na kuhamasisha data**. Unapokuwa unachambua uso wa shambulio la kifaa cha BLE, mara nyingi utaelekeza umakini wako kwenye GATT (au GATTs), kwa sababu ndivyo **ufanyaji kazi wa kifaa unavyoanzishwa** na jinsi data inavyohifadhiwa, kuunganishwa, na kubadilishwa. GATT inataja sifa, maelezo, na huduma za kifaa katika jedwali kama thamani za 16- au 32-biti. **Sifa** ni thamani ya **data** inayotumwa kati ya kifaa cha kati na cha pembeni. Sifa hizi zinaweza kuwa na **maelezo** yanayotoa **taarifa za ziada kuhusu hizo**. **Sifa** mara nyingi **zinaunganishwa** katika **huduma** ikiwa zinahusiana na kutekeleza hatua maalum.
# Uhesabuji
```bash
hciconfig #Check config, check if UP or DOWN
# If DOWN try:
sudo modprobe -c bluetooth
sudo hciconfig hci0 down && sudo hciconfig hci0 up
# Spoof MAC
spooftooph -i hci0 -a 11:22:33:44:55:66
```
## GATTool
**GATTool** inaruhusu **kuanzisha** **muunganisho** na kifaa kingine, kuorodhesha **sifa** za kifaa hicho, na kusoma na kuandika sifa zake.\
GATTTool inaweza kuzindua shell ya mwingiliano kwa chaguo la `-I`:
```bash
gatttool -i hci0 -I
[ ][LE]> connect 24:62:AB:B1:A8:3E Attempting to connect to A4:CF:12:6C:B3:76 Connection successful
[A4:CF:12:6C:B3:76][LE]> characteristics
handle: 0x0002, char properties: 0x20, char value handle:
0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
handle: 0x0015, char properties: 0x02, char value handle:
0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
[...]
# Write data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-write-req <characteristic handle> -n <value>
gatttool -b a4:cf:12:6c:b3:76 --char-write-req -a 0x002e -n $(echo -n "04dc54d9053b4307680a"|xxd -ps)
# Read data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-read -a 0x16
# Read connecting with an authenticated encrypted connection
gatttool --sec-level=high -b a4:cf:12:6c:b3:76 --char-read -a 0x002c
```
## Bettercap
```bash
# Start listening for beacons
sudo bettercap --eval "ble.recon on"
# Wait some time
>> ble.show # Show discovered devices
>> ble.enum <mac addr> # This will show the service, characteristics and properties supported
# Write data in a characteristic
>> ble.write <MAC ADDR> <UUID> <HEX DATA>
>> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06
```
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}