Pentesting BLE - Bluetooth Low Energy

从零开始学习AWS黑客技术，成为专家 htARTE（HackTricks AWS红队专家）！

支持HackTricks的其他方式：

如果您想看到您的公司在HackTricks中做广告或下载PDF格式的HackTricks，请查看订阅计划!
获取官方PEASS & HackTricks周边产品
探索PEASS家族，我们的独家NFTs
加入 💬 Discord群 或 电报群 或在Twitter上关注我们 🐦 @carlospolopm。
通过向HackTricks和HackTricks Cloud github仓库提交PR来分享您的黑客技巧。

介绍

自蓝牙4.0规范以来，BLE仅使用40个信道，覆盖2400至2483.5 MHz范围。相比之下，传统蓝牙在同一范围内使用79个信道。

BLE设备通过发送广播包（信标）进行通信，这些包向其他附近设备广播BLE设备的存在。这些信标有时也会发送数据。

监听设备，也称为中央设备，可以通过向广告设备发送专门的扫描请求来响应广播包。对该扫描的响应使用与广播包相同的结构，还包含无法放入初始广告请求中的附加信息，例如完整设备名称。

前导字节同步频率，而四字节的访问地址是一个连接标识符，用于在多个设备尝试在相同信道上建立连接的情况下使用。接下来，协议数据单元（PDU）包含广告数据。有几种类型的PDU；最常用的是ADV_NONCONN_IND和ADV_IND。如果设备不接受连接，则使用ADV_NONCONN_IND PDU类型，仅在广播包中传输数据。如果设备允许连接并且一旦建立连接就停止发送广告包，则使用ADV_IND。

GATT

通用属性配置文件（GATT）定义了设备应如何格式化和传输数据。当您分析BLE设备的攻击面时，通常会集中注意力在GATT（或GATTs）上，因为这是触发设备功能以及存储、分组和修改数据的方式。GATT以16位或32位值的形式在表中列出设备的特征、描述符和服务。特征是在中央设备和外围设备之间发送的数据值。这些特征可以有提供有关它们的附加信息的描述符。如果这些特征与执行特定操作相关，则通常会将特征****分组在服务中。

枚举

hciconfig #Check config, check if UP or DOWN
# If DOWN try:
sudo modprobe -c bluetooth
sudo hciconfig hci0 down && sudo hciconfig hci0 up

# Spoof MAC
spooftooph -i hci0 -a 11:22:33:44:55:66

GATTool

GATTool 允许与另一个设备建立连接，列出该设备的特征，并读取和写入其属性。 GATTTool可以使用 -I 选项启动交互式 shell：

gatttool -i hci0 -I
[ ][LE]> connect 24:62:AB:B1:A8:3E Attempting to connect to A4:CF:12:6C:B3:76 Connection successful
[A4:CF:12:6C:B3:76][LE]> characteristics
handle: 0x0002, char properties: 0x20, char value handle:
0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
handle: 0x0015, char properties: 0x02, char value handle:
0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
[...]

# Write data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-write-req <characteristic handle> -n <value>
gatttool -b a4:cf:12:6c:b3:76 --char-write-req -a 0x002e -n $(echo -n "04dc54d9053b4307680a"|xxd -ps)

# Read data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-read -a 0x16

# Read connecting with an authenticated encrypted connection
gatttool --sec-level=high -b a4:cf:12:6c:b3:76 --char-read -a 0x002c

Bettercap

BLE Sniffing

Passive Sniffing

Passive sniffing is the process of monitoring BLE traffic without actively participating in the communication. Bettercap can be used to passively sniff BLE traffic by setting up a BLE proxy and forwarding all traffic through it.

To start passive sniffing with Bettercap, use the following command:

ble.recon on

This command will enable BLE reconnaissance mode in Bettercap, allowing you to passively sniff BLE traffic in the vicinity.

Active Sniffing

Active sniffing involves actively participating in the BLE communication by sending specific packets to devices and capturing their responses. Bettercap supports active sniffing by allowing you to send custom BLE packets and analyze the responses.

To start active sniffing with Bettercap, use the following command:

ble.recon on
ble.enum

The ble.enum command will send enumeration packets to nearby devices and display their responses, allowing you to gather information about the devices in the vicinity.

# Start listening for beacons
sudo bettercap --eval "ble.recon on"
# Wait some time
>> ble.show # Show discovered devices
>> ble.enum <mac addr> # This will show the service, characteristics and properties supported

# Write data in a characteristic
>> ble.write <MAC ADDR> <UUID> <HEX DATA>
>> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06

从零开始学习AWS黑客技术，成为专家 htARTE（HackTricks AWS Red Team Expert）！

其他支持HackTricks的方式：

如果您想看到您的公司在HackTricks中做广告或下载PDF格式的HackTricks，请查看订阅计划!
获取官方PEASS & HackTricks周边产品
探索PEASS家族，我们的独家NFTs
加入 💬 Discord群 或 电报群 或关注我们的Twitter 🐦 @carlospolopm。
通过向HackTricks和HackTricks Cloud github仓库提交PR来分享您的黑客技巧。

上一页Low-Power Wide Area Network 下一页Industrial Control Systems Hacking

最后更新于7个月前