环境搭建
上面介绍了数据包和各层协议,接下来我们将使用Ubertooth One来捕获通信过程中的蓝牙数据包。
(1)安装lib库
apt-get install python-software-propertiesadd-apt-repository ppa:pysideapt-get updateapt-get install libnl-dev libusb-1.0-0-dev pyside-tools(2)安装libbtbb
wget https://github.com/greatscottgadgets/libbtbb/archive/2015-09-R2.tar.gz -O libbtbb-2015-09-R2.tar.gztar xf libbtbb-2015-09-R2.tar.gzcd libbtbb-2015-09-R2mkdir buildcd buildcmake ..makesudo make install(3)安装ubertooth
wget https://github.com/greatscottgadgets/ubertooth/releases/download/2015-09-R2/ubertooth-2015-09-R2.tar.xz -O ubertooth-2015-09-R2.tar.xztar xf ubertooth-2015-09-R2.tar.xzcd ubertooth-2015-09-R2/hostmkdir buildcd buildcmake ..makesudo make installsudo ldconfig(4)安装wireshark
sudo apt-get install checkinstallwget https://www.wireshark.org/download/src/wireshark-2.0.3.tar.bz2tar -xvf wireshark-2.0.3.tar.bz2cd wireshark-2.0.3./configuremakemake install(5)安装kismet
wget https://kismetwireless.net/code/kismet-2013-03-R1b.tar.xztar xf kismet-2013-03-R1b.tar.xzcd kismet-2013-03-R1bln -s ../ubertooth-2015-09-R2/host/kismet/plugin-ubertooth ../configuremake && make pluginssudo make suidinstallsudo make plugins-install(6)安装BLE解密工具crackle
crackle (开源项目地址)
git clone https://github.com/mikeryan/crackle.gitcd cracklemakemake install找到kismet的配置文件kismet.conf ,把”pcapbtbb”加入到kismet.conf的logtypes= 里边
嗅探扫描
(1)spectool
spectool_curses
spectool_gtk扫描附近信号并在频谱上显示:
spectool_rawRAW中文解释是“原材料”或“未经处理的东西”,这里猜测是显示设备捕获到的未经处理的信号数据:
spectool_net将Ubertooth One作为一台“硬件服务器”,并监听TCP:30569端口,局域网内任何可以跟主机建立通信的PC可通过Ubertoothe主机IP+30569共享设备。连接方式:在另外一台主机终端上执行:spectool_gtk
—>选择Open Network Device —>输入ip、端口。
(2)hcitool
:~# hcitool --helphcitool - HCI Tool ver 4.99Usage:hcitool [options] <command> [command parameters]Options:Display helpdev HCI deviceCommands:dev Display local devicesinq Inquire remote devicesscan Scan for remote devicesname Get name from remote deviceinfo Get information from remote devicespinq Start periodic inquiryepinq Exit periodic inquirycmd Submit arbitrary HCI commandscon Display active connectionscc Create connection to remote devicedc Disconnect from remote devicesr Switch master/slave rolecpt Change connection packet typerssi Display connection RSSIlq Display link qualitytpl Display transmit power levelafh Display AFH channel maplp Set/display link policy settingslst Set/display link supervision timeoutauth Request authenticationenc Set connection encryptionkey Change connection link keyclkoff Read clock offsetclock Read local or remote clocklescan Start LE scanlewladd Add device to LE White Listlewlrm Remove device from LE White Listlewlsz Read size of LE White Listlewlclr Clear LE White listlecc Create a LE Connectionledc Disconnect a LE Connectionlecup LE Connection Updatehcitool scan :扫描附近蓝牙设备
hcitool lescan :扫描附近低功耗蓝牙设备
(3)gatttool
root@0xroot:~# gatttool -hUsage:gatttool [OPTION...]Help Options:-h, --help Show help options--help-all Show all help options--help-gatt Show all GATT commands--help-params Show all Primary Services/Characteristics arguments--help-char-read-write Show all Characteristics Value/Descriptor Read/Write argumentsApplication Options:-i, --adapter=hciX Specify local adapter interface-b, --device=MAC Specify remote Bluetooth address-m, --mtu=MTU Specify the MTU size-p, --psm=PSM Specify the PSM for GATT/ATT over BR/EDR-l, --sec-level=[low | medium | high] Set security level. Default: low-I, --interactive Use interactive modegatttool -b 1C:96:5A:FF:4B:E7 -I[ ][1C:96:5A:FF:4B:E7][LE]> helphelp Show this helpexit Exit interactive modequit Exit interactive modeconnect [address] Connect to a remote devicedisconnect Disconnect from a remote deviceprimary [UUID] Primary Service Discoverycharacteristics [start hnd [end hnd [UUID]]] Characteristics Discoverychar-desc [start hnd] [end hnd] Characteristics Descriptor Discoverychar-read-hnd <handle> [offset] Characteristics Value/Descriptor Read by handlechar-read-uuid <UUID> [start hnd] [end hnd] Characteristics Value/Descriptor Read by UUIDchar-write-req <handle> <new value> Characteristic Value Write (Write Request)char-write-cmd <handle> <new value> Characteristic Value Write (No response)sec-level [low | medium | high] Set security level. Default: lowmtu <value> Exchange MTU for GATT/ATT[ ][1C:96:5A:FF:4B:E7][LE]>(4)ubertooth-scan
root@0xroot:~# ubertooth-scan --helpubertooth-scan: invalid option -- '-'ubertooth-scan - active(bluez) device scan and inquiry supported by UbertoothUsage:-h this Help-U<0-7> set ubertooth device to use-s hci Scan - perform HCI scan-t scan Time (seconds) - length of time to sniff packets. [Default: 20s]-x eXtended scan - retrieve additional information about target devices-b Bluetooth device (hci0)ubertooth-scan -s
(5)ubertooth-btle
ubertooth-btle - passive Bluetooth Low Energy monitoringUsage:-h this helpMajor modes:-f follow connections-p promiscuous: sniff active connections-a[address] get/set access address (example: -a8e89bed6)-s<address> faux slave mode, using MAC addr (example: -s22:44:66:88:aa:cc)-t<address> set connection following target (example: -t22:44:66:88:aa:cc)Interference (use with -f or -p):-i interfere with one connection and return to idle-I interfere continuouslyData source:-U<0-7> set ubertooth device to useMisc:-r<filename> capture packets to PCAPNG file-q<filename> capture packets to PCAP file (DLT_BLUETOOTH_LE_LL_WITH_PHDR)-c<filename> capture packets to PCAP file (DLT_PPI)-A<index> advertising channel index (default 37)-v[01] verify CRC mode, get status or enable/disable-x<n> allow n access address offenses (default 32)If an input file is not specified, an Ubertooth device is used for live capture.In get/set mode no capture occurs.ubertooth-btle -f -ctest.pcap抓包&保存到本地
使用这条命令我们可以把设备捕获到的数据包保存到本地,完成后可导入wireshark进行数据包、协议分析。
wireshark导入嗅探到的蓝牙数据包需要处理一下才能正常查看,不然无法正常分析数据:
Edit → Preferences → Protocols → DLT_USER → Edit → New
在payload protocol中输入btle
使用规则过滤数据包:参考Capturing BLE in Wireshark
btle.data_header.length > 0 || btle.advertising_header.pdu_type == 0x05
(6)crackle
如果捕获到足够的数据包尤其是btsmp,那接下来便可以用crackle来破解tk和ltk:
crackle -i <file.pcap>解密数据包,并把解密后的包另存:
crackle -i <file.pcap> -o <output.pcap>crackle -i <file.pcap> -o <out.pcap> -l <ltk>参考 & 感谢
参考书:Robin Heydon. Bluetooth Low Energy the Developer’s Handbook 《低功耗蓝牙开发权威指南》,网盘密码迈微AI研习社公众号回复“8001” 链接:https://pan.baidu.com/s/1xneDTzdejtA91go5YuDhnQ
Sniffing and decoding NRF24L01+ and Bluetooth LE packets for under $30
Bluetooth sniffing with Ubertooth :https://dominicspill.com/kiwicon/Spill-Ubertooth-Kiwicon-2012.pdf
Now I wanna sniff some Bluetooth: Sniffing and Cracking Bluetooth with the UbertoothOne
http://j2abro.blogspot.com.au/2014/06/understanding-bluetooth-advertising.html
路人甲@乌云drops:Bluetooth Low Energy 嗅探
疯狗@乌云drops:物联网安全拔“牙”实战——低功耗蓝牙(BLE)初探
http://j2abro.blogspot.com.au/2014/06/understanding-bluetooth-advertising.html
http://j2abro.blogspot.com.au/2014/06/analyzing-bluetooth-advertising-with.html
http://cerescontrols.com/tutorials-3/sniffing-bluetooth-packets-with-kismet-and-wireshark-in-ubuntu-12-04/
https://github.com/greatscottgadgets/ubertooth/wiki/Build-Guide
https://github.com/greatscottgadgets/ubertooth/wiki/Capturing-BLE-in-Wireshark
http://stackoverflow.com/questions/23877761/sniffing-logging-your-own-android-bluetooth-traffic
https://lacklustre.net/bluetooth/wireshark.html
https://blog.lacklustre.net/posts/BLE_Fun_With_Ubertooth:_Sniffing_Bluetooth_Smart_and_Cracking_Its_Crypto/
http://superuser.com/questions/947593/how-can-i-sniff-bluetooth-traffic-coming-from-my-and-another-device
http://www.backtrack-linux.org/forums/showthread.php?t=41552
http://www.splitbits.com/2014/05/14/ubertooth-spectools-chromebook/
http://ubertooth.sourceforge.net/usage/start/
http://hackerific.net/2012/01/28/Spectrum-Tools-and-Ubertooth-One/
https://penturalabs.wordpress.com/2014/02/20/ubertooth-updated-for-2014/
https://blog.lacklustre.net/
精彩推荐
本文始发于微信公众号(FreeBuf):深入浅出低功耗蓝牙(BLE)协议栈(实战篇)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论