mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 14:10:41 +00:00
101 lines
6.1 KiB
Markdown
101 lines
6.1 KiB
Markdown
|
||
|
||
<details>
|
||
|
||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||
|
||
Other ways to support HackTricks:
|
||
|
||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
||
</details>
|
||
|
||
|
||
# Introduction
|
||
|
||
Available since the Bluetooth 4.0 specification, BLE uses only 40 channels, covering the range of 2400 to 2483.5 MHz. In contrast, traditional Bluetooth uses 79 channels in that same range.
|
||
|
||
BLE devices communicate is by sending **advertising packets** (**beacons**), these packets broadcast the BLE device’s existence to other nearby devices. These beacons sometimes **send data**, too.
|
||
|
||
The listening device, also called a central device, can respond to an advertising packet with a **SCAN request** sent specifically to the advertising device. The **response** to that scan uses the same structure as the **advertising** packet with additional information that couldn’t fit on the initial advertising request, such as the full device name.
|
||
|
||
![](<../.gitbook/assets/image (201) (2) (1) (1).png>)
|
||
|
||
The preamble byte synchronizes the frequency, whereas the four-byte access address is a **connection identifier**, which is used in scenarios where multiple devices are trying to establish connections on the same channels. Next, the Protocol Data Unit (**PDU**) contains the **advertising data**. There are several types of PDU; the most commonly used are ADV\_NONCONN\_IND and ADV\_IND. Devices use the **ADV\_NONCONN\_IND** PDU type if they **don’t accept connections**, transmitting data only in the advertising packet. Devices use **ADV\_IND** if they **allow connections** and **stop sending advertising** packets once a **connection** has been **established**.
|
||
|
||
## GATT
|
||
|
||
The **Generic Attribute Profile** (GATT) defines how the **device should format and transfer data**. When you’re analyzing a BLE device’s attack surface, you’ll often concentrate your attention on the GATT (or GATTs), because it’s how **device functionality gets triggered** and how data gets stored, grouped, and modified. The GATT lists a device’s characteristics, descriptors, and services in a table as either 16- or 32-bits values. A **characteristic** is a **data** value **sent** between the central device and peripheral. These characteristics can have **descriptors** that **provide additional information about them**. **Characteristics** are often **grouped** in **services** if they’re related to performing a particular action.
|
||
|
||
# Enumeration
|
||
|
||
```bash
|
||
hciconfig #Check config, check if UP or DOWN
|
||
# If DOWN try:
|
||
sudo modprobe -c bluetooth
|
||
sudo hciconfig hci0 down && sudo hciconfig hci0 up
|
||
|
||
# Spoof MAC
|
||
spooftooph -i hci0 -a 11:22:33:44:55:66
|
||
```
|
||
|
||
## GATTool
|
||
|
||
**GATTool** allows to **establish** a **connection** with another device, listing that device’s **characteristics**, and reading and writing its attributes.\
|
||
GATTTool can launch an interactive shell with the `-I` option:
|
||
|
||
```bash
|
||
gatttool -i hci0 -I
|
||
[ ][LE]> connect 24:62:AB:B1:A8:3E Attempting to connect to A4:CF:12:6C:B3:76 Connection successful
|
||
[A4:CF:12:6C:B3:76][LE]> characteristics
|
||
handle: 0x0002, char properties: 0x20, char value handle:
|
||
0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
|
||
handle: 0x0015, char properties: 0x02, char value handle:
|
||
0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
|
||
[...]
|
||
|
||
# Write data
|
||
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-write-req <characteristic handle> -n <value>
|
||
gatttool -b a4:cf:12:6c:b3:76 --char-write-req -a 0x002e -n $(echo -n "04dc54d9053b4307680a"|xxd -ps)
|
||
|
||
# Read data
|
||
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-read -a 0x16
|
||
|
||
# Read connecting with an authenticated encrypted connection
|
||
gatttool --sec-level=high -b a4:cf:12:6c:b3:76 --char-read -a 0x002c
|
||
```
|
||
|
||
## Bettercap
|
||
|
||
```bash
|
||
# Start listening for beacons
|
||
sudo bettercap --eval "ble.recon on"
|
||
# Wait some time
|
||
>> ble.show # Show discovered devices
|
||
>> ble.enum <mac addr> # This will show the service, characteristics and properties supported
|
||
|
||
# Write data in a characteristic
|
||
>> ble.write <MAC ADDR> <UUID> <HEX DATA>
|
||
>> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06
|
||
```
|
||
|
||
|
||
<details>
|
||
|
||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||
|
||
Other ways to support HackTricks:
|
||
|
||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
||
</details>
|
||
|
||
|