使用Ubertooth one扫描嗅探低功耗蓝牙

admin
admin
admin
140350
文章
117
评论
2022年1月6日01:05:48评论596 views字数 6388阅读21分17秒阅读模式

0x00 本机环境

1
2
3
4
 
Mac osx 10.15.5
VMware Fusion 11.5.1
Ubuntu 18.04
Ubertooth One

0x01 环境搭建

1. 安装lib库

1
2
3
4
 
apt-get install python-software-properties
add-apt-repository ppa:pyside
apt-get update
apt-get install libnl-3-dev libusb-1.0-0-dev pyside-tools

2. 安装libbtbb

1
2
3
4
5
6
7
8
 
wget https://github.com/greatscottgadgets/libbtbb/archive/2015-09-R2.tar.gz -O libbtbb-2015-09-R2.tar.gz
tar xf libbtbb-2015-09-R2.tar.gz
cd libbtbb-2015-09-R2
mkdir build
cd build
cmake ..
make
sudo make install

3. 安装ubertooth

1
 
sudo apt-get install ubertooth

报错安装:

1
 
sudo apt-get install pkg-config

4. 安装wireshark

1
 
sudo apt-get install wireshark

5. 安装kismet

a. 直接安装

1
 
sudo apt-get install ckermit

在~中创建.kermrc,然后输入如下配置信息:

1
2
3
4
5
6
7
8
9
10
11
 
set line          /dev/ttyUSB0  
set speed         115200  
set carrier-watch off  
set handshake     none  
set flow-control none  
robust  
set file type     bin  
set file name     lit  
set rec pack      1000  
set send pack     1000  
set window        5

b. 编译安装

1
2
3
4
5
6
7
8
 
wget https://kismetwireless.net/code/kismet-2020-09-R1.tar.xz
tar xf kismet-2020-09-R1.tar.xz
cd kismet-2020-09-R1
ln -s ../ubertooth-2015-09-R2/host/kismet/plugin-ubertooth .
./configure
make && make plugins
sudo make suidinstall
sudo make plugins-install

报错安装:

1
2
3
4
5
 
sudo apt-get install ncurses-dev
sudo apt-get install libpcap-dev
sudo apt-get install libz-dev
sudo apt-get install libmicrohttpd-dev
sudo apt-get install libsqlite3-dev

找到kismet的配置文件kismet.conf ,把”pcapbtbb”加入到kismet.conf的logtypes= 里边

6. 安装BLE解密工具crackle

1
2
3
4
 
git clone https://github.com/mikeryan/crackle.git
cd crackle
make
sudo make install

0x02 嗅探扫描

1. Spectool

1
 
sudo apt install spectools

a. spectool_curses

image-20201015092657632

b. spectool_gtk

扫描附近信号在频谱上显示

image-20201015093808357

c. spectool_raw

RAW中文的解释是“原材料”或“未经过处理的东西”,这里猜测是显示设备捕获到的未经处理的信号数据:

image-20201015094038013

d. spectool_net

将Ubertooth One作为一台“硬件服务器”,并监听TCP:30569端口,局域网内任何可以跟主机建立通信的PC可通过Ubertoothe主机IP+30569共享设备。连接方式:在另外一台主机终端上执行:spectool_gtk

—>选择Open Network Device —>输入ip、端口

image-20201015094733056

2. Hcitool

hcitool –help

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
 
hcitool - HCI Tool ver 5.48
Usage:
	hcitool [options] <command> [command parameters]
Options:
	--help	Display help
	-i dev	HCI device
Commands:
	dev 	Display local devices
	inq 	Inquire remote devices
	scan	Scan for remote devices
	name	Get name from remote device
	info	Get information from remote device
	spinq	Start periodic inquiry
	epinq	Exit periodic inquiry
	cmd 	Submit arbitrary HCI commands
	con 	Display active connections
	cc  	Create connection to remote device
	dc  	Disconnect from remote device
	sr  	Switch master/slave role
	cpt 	Change connection packet type
	rssi	Display connection RSSI
	lq  	Display link quality
	tpl 	Display transmit power level
	afh 	Display AFH channel map
	lp  	Set/display link policy settings
	lst 	Set/display link supervision timeout
	auth	Request authentication
	enc 	Set connection encryption
	key 	Change connection link key
	clkoff	Read clock offset
	clock	Read local or remote clock
	lescan	Start LE scan
	leinfo	Get LE remote information
	lewladd	Add device to LE White List
	lewlrm	Remove device from LE White List
	lewlsz	Read size of LE White List
	lewlclr	Clear LE White List
	lerladd	Add device to LE Resolving List
	lerlrm	Remove device from LE Resolving List
	lerlclr	Clear LE Resolving List
	lerlsz	Read size of LE Resolving List
	lerlon	Enable LE Address Resolution
	lerloff	Disable LE Address Resolution
	lecc	Create a LE Connection
	ledc	Disconnect a LE Connection
	lecup	LE Connection Update

For more information on the usage of each command use:
	hcitool <command> --help

hcitool scan :扫描附近蓝牙设备

hcitool lescan :扫描附近低功耗蓝牙设备

image-20201015095601031

3. Gatttool

gatttool -h

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
 
Usage:
  gatttool [OPTION?]

Help Options:
  -h, --help                                Show help options
  --help-all                                Show all help options
  --help-gatt                               Show all GATT commands
  --help-params                             Show all Primary Services/Characteristics arguments
  --help-char-read-write                    Show all Characteristics Value/Descriptor Read/Write arguments

Application Options:
  -i, --adapter=hciX                        Specify local adapter interface
  -b, --device=MAC                          Specify remote Bluetooth address
  -t, --addr-type=[public | random]         Set LE address type. Default: public
  -m, --mtu=MTU                             Specify the MTU size
  -p, --psm=PSM                             Specify the PSM for GATT/ATT over BR/EDR
  -l, --sec-level=[low | medium | high]     Set security level. Default: low
  -I, --interactive                         Use interactive mode

gatttool -b EC:F3:42:B2:DF:24 -I

image-20201015100005087

4. Ubertooth-scan -s

sudo apt install ubertooth

image-20201015104856092

image-20201015104915904

5. Ubertooth-ble

ubertooth-btle - passive Bluetooth Low Energy monitoring
Usage:
    -h this help

    Major modes:
    -f follow connections
    -p promiscuous: sniff active connections
    -a[address] get/set access address (example: -a8e89bed6)
    -s<address> faux slave mode, using MAC addr (example: -s22:44:66:88:aa:cc)
    -t<address> set connection following target (example: -t22:44:66:88:aa:cc)

    Interference (use with -f or -p):
    -i interfere with one connection and return to idle
    -I interfere continuously

    Data source:
    -U<0-7> set ubertooth device to use

    Misc:
    -r<filename> capture packets to PCAPNG file
    -q<filename> capture packets to PCAP file (DLT_BLUETOOTH_LE_LL_WITH_PHDR)
    -c<filename> capture packets to PCAP file (DLT_PPI)
    -A<index> advertising channel index (default 37)
    -v[01] verify CRC mode, get status or enable/disable
    -x<n> allow n access address offenses (default 32)

If an input file is not specified, an Ubertooth device is used for live capture.
In get/set mode no capture occurs.

ubertooth-btle -f -c test.pcap抓包&保存到本地

使用这条命令我们可以把设备捕获到的数据包保存到本地,完成后可导入wireshark进行数据包、协议分析。

wireshark导入嗅探到的蓝牙数据包需要处理一下才能正常查看,不然无法正常分析数据:

image-20201015113803864

Edit → Preferences → Protocols → DLT_USER → Edit → New

在payload protocol中输入btle

image-20201015110349788

image-20201015113903595

使用规则过滤数据包:参考Capturing BLE in Wireshark

1
 
btle.data_header.length > 0 || btle.advertising_header.pdu_type == 0x05

image-20201015114932731

6. crackle

如果捕获到足够的数据包尤其是btsmp,抓到包之后我们最关心的问题是我们有没有抓到的足够的包来破解tk。所以在wireshark中你可以在filter处加上btsmp,确保抓到了我们需要的6个包。,那接下来便可以用crackle来破解tk和ltk:

做到这个点尝试了身边的一些设备的连接没抓到大量包没有至少6个btsmp之后实践中碰到补足图片

1
 
crackle -i <file.pcap>

image-20201015115144837

1
2
3
 
从上图中我们可以看到我们不但破解了tk,还利用利用tk和其它一些数据成功的还原出了ltk。

接下来我们再来试试利用获取的ltk来破解其他的加密包。假设我们在配对过程中已经拿到了ltk=7f62c053f104a5bbe68b1d896a2ed49c

解密数据包,并把解密后的包另存:

1
2
3
4
 
crackle -i <file.pcap> -o <output.pcap>
crackle -i <file.pcap> -o <out.pcap> -l <ltk>

crackle -l 7f62c053f104a5bbe68b1d896a2ed49c -i test44.pcap -o test66.pcap

image-20201015115842434

可以看到成功破解了7个包

0x03 解决方案

1. 使用OOB

1
2
3
4
5
6
7
8
9
10
11
12
 
[email protected]:~/Desktop# crackle -i heart.pcap 
Warning: No output file specified. Won't decrypt any packets.
Warning: found multiple connects, only using the latest one
Warning: found multiple LL_ENC_REQ, only using latest one
Warning: found multiple connects, only using the latest one
Warning: found multiple pairing requests, only using the latest one
Warning: found multiple connects, only using the latest one
Warning: found multiple pairing requests, only using the latest one
Warning: already saw two random values, skipping
Warning: found multiple LL_ENC_REQ, only using latest one
TK not found, the connection is probably using OOB pairing
Sorry d00d :(

2. 支持bluetooth4.2以上的设备的出现(通过ECDH解决)

0x04 参考:

http://www.vuln.cn/6083

https://blog.csdn.net/charmve/article/details/107170250

路人甲@乌云drops:Bluetooth Low Energy 嗅探

疯狗@乌云drops:物联网安全拔“牙”实战——低功耗蓝牙(BLE)初探

https://github.com/greatscottgadgets/ubertooth/wiki/Build-Guide

https://github.com/greatscottgadgets/ubertooth/wiki/Capturing-BLE-in-Wireshark

FROM :ol4three.com | Author:ol4three

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年1月6日01:05:48
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   使用Ubertooth one扫描嗅探低功耗蓝牙http://cn-sec.com/archives/721015.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息