Pentesting BLE - Bluetooth Low Energy

介绍

自蓝牙4.0规范以来，BLE仅使用40个信道，覆盖2400至2483.5 MHz范围。相比之下，传统蓝牙在同一范围内使用79个信道。

BLE设备通过发送广播包（信标）进行通信，这些包向其他附近设备广播BLE设备的存在。这些信标有时也会发送数据。

监听设备，也称为中央设备，可以通过向广告设备发送专门的扫描请求来响应广播包。对该扫描的响应使用与广播包相同的结构，还包含无法放入初始广告请求中的附加信息，例如完整设备名称。

前导字节同步频率，而四字节的访问地址是一个连接标识符，用于在多个设备尝试在相同信道上建立连接的情况下使用。接下来，协议数据单元（PDU）包含广告数据。有几种类型的PDU；最常用的是ADV_NONCONN_IND和ADV_IND。如果设备不接受连接，则使用ADV_NONCONN_IND PDU类型，仅在广播包中传输数据。如果设备允许连接并且一旦建立连接就停止发送广告包，则使用ADV_IND。

GATT

通用属性配置文件（GATT）定义了设备应如何格式化和传输数据。当您分析BLE设备的攻击面时，通常会集中注意力在GATT（或GATTs）上，因为这是触发设备功能以及存储、分组和修改数据的方式。GATT以16位或32位值的形式在表中列出设备的特征、描述符和服务。特征是在中央设备和外围设备之间发送的数据值。这些特征可以有提供有关它们的附加信息的描述符。如果这些特征与执行特定操作相关，则通常会将特征****分组在服务中。

枚举

hciconfig #Check config, check if UP or DOWN
# If DOWN try:
sudo modprobe -c bluetooth
sudo hciconfig hci0 down && sudo hciconfig hci0 up

# Spoof MAC
spooftooph -i hci0 -a 11:22:33:44:55:66

GATTool

GATTool 允许与另一个设备建立连接，列出该设备的特征，并读取和写入其属性。 GATTTool可以使用 -I 选项启动交互式 shell：

gatttool -i hci0 -I
[ ][LE]> connect 24:62:AB:B1:A8:3E Attempting to connect to A4:CF:12:6C:B3:76 Connection successful
[A4:CF:12:6C:B3:76][LE]> characteristics
handle: 0x0002, char properties: 0x20, char value handle:
0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
handle: 0x0015, char properties: 0x02, char value handle:
0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
[...]

# Write data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-write-req <characteristic handle> -n <value>
gatttool -b a4:cf:12:6c:b3:76 --char-write-req -a 0x002e -n $(echo -n "04dc54d9053b4307680a"|xxd -ps)

# Read data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-read -a 0x16

# Read connecting with an authenticated encrypted connection
gatttool --sec-level=high -b a4:cf:12:6c:b3:76 --char-read -a 0x002c

Bettercap

BLE Sniffing

Passive Sniffing

Passive sniffing is the process of monitoring BLE traffic without actively participating in the communication. Bettercap can be used to passively sniff BLE traffic by setting up a BLE proxy and forwarding all traffic through it.

To start passive sniffing with Bettercap, use the following command:

ble.recon on

This command will enable BLE reconnaissance mode in Bettercap, allowing you to passively sniff BLE traffic in the vicinity.

Active Sniffing

Active sniffing involves actively participating in the BLE communication by sending specific packets to devices and capturing their responses. Bettercap supports active sniffing by allowing you to send custom BLE packets and analyze the responses.

To start active sniffing with Bettercap, use the following command:

ble.recon on
ble.enum

The ble.enum command will send enumeration packets to nearby devices and display their responses, allowing you to gather information about the devices in the vicinity.

# Start listening for beacons
sudo bettercap --eval "ble.recon on"
# Wait some time
>> ble.show # Show discovered devices
>> ble.enum <mac addr> # This will show the service, characteristics and properties supported

# Write data in a characteristic
>> ble.write <MAC ADDR> <UUID> <HEX DATA>
>> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06