Skip to content

Latest commit

 

History

History
660 lines (532 loc) · 31.5 KB

README-cn.md

File metadata and controls

660 lines (532 loc) · 31.5 KB

Bluing

为 hack 蓝牙而生的情报收集工具

English · 简体中文

Bluing(前身为 bluescan)是一个主要基于 Python 实现的蓝牙情报收集工具。它可以帮助我们窥探蓝牙这种复杂协议的内部结构或是 hack 蓝牙设备。其主要特性如下:

安装

Bluing 部分依赖 Linux 官方的 BlueZ 蓝牙协议栈,因此它仅支持在 Linux 上运行。执行如下命令可安装依赖包:

sudo apt install python3-pip python3-dev libcairo2-dev libgirepository1.0-dev \
                 libbluetooth-dev libdbus-1-dev bluez-tools python3-cairo-dev \
                 rfkill meson patchelf bluez ubertooth adb python-is-python3

目前 bluing 的分发途径是 PyPI,且仅支持 Python 3.10。安装命令如下:

sudo pip3.10 install bluing

使用

$ bluing --help
An intelligence gathering tool for hacking Bluetooth

Usage:
    bluing [-h | --help]
    bluing (-v | --version)
    bluing [-i <hci>] --clean BD_ADDR
    bluing --flash-micro-bit
    bluing <command> [<args>...]

Arguments:
    BD_ADDR    Bluetooth device address

Options:
    -h, --help           Print this help and quit
    -v, --version        Print version information and quit
    -i <hci>             HCI device
    --clean              Clean cached data of a remote device
    --flash-micro-bit    Download the dedicated firmware to micro:bit(s)

Commands:
    br         Basic Rate system, includes an optional Enhanced Data Rate (EDR) extension
    le         Low Energy system
    android    Android Bluetooth stack
    spoof      Spoof with new local device information
    plugin     Manage plugins

Run `bluing <command> --help` for more information on a command.

br 命令:Basic Rate system

$ bluing br --help
Usage:
    bluing br [-h | --help]
    bluing br [-i <hci>] [--inquiry-len=<n>] --inquiry
    bluing br [-i <hci>] --sdp BD_ADDR
    bluing br [-i <hci>] --local --sdp
    bluing br [-i <hci>] --lmp-features BD_ADDR
    bluing br [-i <hci>] --local --lmp-features
    bluing br [-i <hci>] --stack BD_ADDR
    bluing br [-i <hci>] --local --stack
    bluing br [-i <hci>] [--inquiry-scan] --mon-incoming-conn
    bluing br --org=<name> --timeout=<sec> --sniff-and-guess-bd-addr

Arguments:
    BD_ADDR    BR/EDR Bluetooth device address

Options:
    -h, --help                   Print this help and quit
    -i <hci>                     HCI device
    --local                      Target a local BR/EDR device instead of a remote one
    --inquiry                    Discover other nearby BR/EDR controllers
    --inquiry-len=<n>            Maximum amount of time (added to --ext-inquiry-len=<n>) 
                                 specified before the Inquiry is halted.
                                     Time = n * 1.28 s
                                     Time range: 1.28 to 61.44 s
                                     Range of n: 0x01 to 0x30 [default: 8]
    --ext-inquiry-len=<n>        Extended_Inquiry_Length measured in number of 
                                 Baseband slots.
                                     Interval Length = n * 0.625 ms (1 Baseband slot)
                                     Time Range: 0 to 40.9 s
                                     Range of n: 0x0000 to 0xFFFF [default: 0]
    --sdp                        Retrieve information from the SDP database of a 
                                 remote BR/EDR device
    --lmp-features               Read LMP features of a remote BR/EDR device
    --stack                      Determine the Bluetooth stack type of a remote BR/EDR device
    --mon-incoming-conn          Print incoming connection from other nearby BR/EDR devices
    --inquiry-scan               Enable the Inquiry Scan
    --sniff-and-guess-bd-addr    Sniff SAPs of BD_ADDRs over the air, then guess the 
                                 address based on the organization name. Need at 
                                 least one Ubertooth device
    --org=<name>                 An organization name in the OUI.txt
    --timeout=<sec>              Timeout in second(s)

--inquiry:发现附近其他的 BR/EDR 控制器

$ sudo bluing br --inquiry
[INFO] Discovering other nearby BR/EDR Controllers on hci0 for 10.24 sec

BD_ADDR: B0:C9:52:45:33:13 (GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP.,LTD)
Page scan repetition mode: 1 (R1)
Reserved: 0x02
CoD: 0x5a020c
    Service Class: 0b1011010000
        Telephony
        Object Transfer
        Capturing
        Networking
    Major Device Class: 0b00010, Phone
Clock offset: 0x50D5
RSSI: -61
Extended inquiry response: 
    Complete Local Name: old man phone
    Complete List of 16-bit Service Class UUIDs
        0x1105 OBEXObjectPush
        0x110a AudioSource
        0x110c A/V_RemoteControlTarget
        0x110e A/V_RemoteControl
        0x1112 Headset - Audio Gateway (AG)
        0x1115 PANU
        0x1116 NAP
        0x111f HandsfreeAudioGateway
        0x112d SIM_Access
        0x112f Phonebook Access - PSE
        0x1200 PnPInformation
        0x1132 Message Access Server
    Complete List of 32-bit Service Class UUIDs
        None
    Complete List of 128-bit Service Class UUIDs
        A49EAA15-CB06-495C-9F4F-BB80A90CDF00
        00000000-0000-0000-0000-000000000000
... ...


[INFO] Requesting the names of all discovered devices...
B0:C9:52:45:33:13 : old man phone
... ...

--sdp:检索远端 BD/EDR 设备的 SDP 数据库信息

$ sudo bluing br --sdp 34:13:46:23:6A:4D
Scanning 
Number of service records: 18 

Service Record
0x0000: ServiceRecordHandle (uint32)
	0x0001000d
0x0001: ServiceClassIDList (sequence)
	0x1105: OBEXObjectPush
0x0004: ProtocolDescriptorList (sequence)
	0x0100: L2CAP
	0x0003: RFCOMM
		channel: 0x0c
	0x0008: OBEX
0x0005: BrowseGroupList (sequence)
	0x1002: PublicBrowseRoot
0x0009: BluetoothProfileDescriptorList (sequence)
	0x1105: OBEXObjectPush v1.2
0x0100: ServiceName (guess) (text)
	OBEX Object Push 
0x0200: GoepL2CapPsm (guess) (uint16)
	0x1023
0x0303: SupportedFormatsList (guess) (sequence)
	0x01: vCard 2.1
	0x02: vCard 3.0
	0x03: vCal 1.0
	0x04: iCal 2.0
	0xff: Any type of object
... ...

--lmp-features:读取远端 BR/EDR 设备的 LMP 特性

$ sudo bluing br --lmp-features 6A:8D:99:33:56:AE
Version
    Version:
        Bluetooth Core Specification 5.2 (LMP)
        Bluetooth Core Specification 5.2 (LL)
    Manufacturer name: HiSilicon Technologies CO., LIMITED
    Subversion: 33561 

LMP features
    3 slot packets: True
    5 slot packets: True
    Encryption: True
    Slot offset: True
    Timing accuracy: True
    Role switch: True
    Hold mode: False
    Sniff mode: True
    Previously used: False
    Power control requests: True
    Channel quality driven data rate (CQDDR): True
    ... ...

Extended LMP features
Page 1
    Secure Simple Pairing (Host Support): True
    LE Supported (Host): True
    Simultaneous LE and BR/EDR to Same Device Capable (Host): True
    Secure Connections (Host Support): True
Page 2
    Connectionless Slave Broadcast - Master Operation: False
    Connectionless Slave Broadcast - Slave Operation: False
    Synchronization Train: False
    Synchronization Scan: False
    HCI_Inquiry_Response_Notification event:  True
    ... ...

--mon-incoming-conn:打印附近其他 BR/EDR 设备进来的连接

$ sudo bluing br --inquiry-scan --mon-incoming-conn
[INFO] Inquiry_Scan_Interval: 4096, 2560.0 ms
       Inquiry_Scan_Window:   4096, 2560.0 ms
[INFO] Inquiry Scan and Page Scan enabled

A0:DE:0F:99:EF:78 incoming
    CoD: 0x5a020c
        Service Class: 0b1011010000
            Telephony
            Object Transfer
            Capturing
            Networking
        Major Device Class: 0b00010, Phone
    link type: 0x01 - ACL
... ...

--sniff-and-guess-bd-addr:嗅探并推测附近的 BD_ADDR

$ bluing br --org='Huawei Device Co., Ltd.' --timeout=600 --sniff-and-guess-bd-addr
[INFO] Possible BD_ADDR(s) for ??:??:99:4C:45:C3
       24:A7:99:4C:45:C3

[INFO] Possible BD_ADDR(s) for ??:??:E4:2D:69:EE
       BC:1A:E4:2D:69:EE
       D0:05:E4:2D:69:EE
       30:AA:E4:2D:69:EE

[INFO] Possible BD_ADDR(s) for ??:??:15:60:81:7F
       64:23:15:60:81:7F
       D4:74:15:60:81:7F
... ...

le 命令:Low Energy system

$ bluing le --help
Usage:
    bluing le [-h | --help]
    bluing le [-i <hci>] [--scan-type=<type>] [--timeout=<sec>] [--sort=<key>] --scan
    bluing le [-i <hci>] --pairing-feature [--timeout=<sec>] [--addr-type=<type>] PEER_ADDR
    bluing le [-i <hci>] --ll-feature-set [--timeout=<sec>] [--addr-type=<type>] PEER_ADDR
    bluing le [-i <hci>] --gatt [--io-cap=<name>] [--addr-type=<type>] PEER_ADDR
    bluing le [-i <hci>] --local --gatt
    bluing le [-i <hci>] --mon-incoming-conn
    bluing le [--channel=<num>] --sniff-adv

Arguments:
    PEER_ADDR    LE Bluetooth device address

Options:
    -h, --help            Print this help and quit
    -i <hci>              HCI device
    --scan                Discover advertising devices nearby
    --scan-type=<type>    The type of scan to perform. active or passive [default: active]
    --sort=<key>          Sort the discovered devices by key, only support RSSI 
                          now [default: rssi]
    --ll-feature-set      Read LL FeatureSet of a remote LE device
    --pairing-feature     Request the pairing feature of a remote LE device
    --timeout=<sec>       Duration of the LE scanning, but may not be precise [default: 10]
    --gatt                Discover GATT Profile hierarchy of a remote LE device
    --io-cap=<name>       Set IO capability of the agent. Available value: 
                              DisplayOnly, DisplayYesNo, KeyboardOnly, NoInputNoOutput, 
                              KeyboardDisplay (KeyboardOnly) [default: NoInputNoOutput]
    --addr-type=<type>    Type of the LE address, public or random
    --sniff-adv           Sniff advertising physical channel PDU. Need at least 
                          one micro:bit
    --channel=<num>       LE advertising physical channel, 37, 38 or 39 [default: 37,38,39]
    --device=</dev/tty>   Device to use, comma separated (e.g., /dev/ttyUSB0,/dev/ttyUSB1,/dev/ttyUSB2)
                          Only needed if using NRF51 devices other than micro:bit (e.g., Bluefruit)

--scan:发现附近正在 advertising 的设备

$ sudo bluing le --scan
[WARNING] You might want to spoof your LE address before doing an active scan
[INFO] LE active scanning on hci0 for 10 sec
Scanning 

----------------LE Devices Scan Result----------------
Addr:        74:A3:4A:D4:78:55 (ZIMI CORPORATION)
Addr type:   public
Connectable: True
RSSI:        -68 dBm
General Access Profile:
    Flags: 
        LE General Discoverable Mode
        BR/EDR Not Supported
    Service Data - 16-bit UUID: 
        UUID: 0x95FE
        Data: 9055990701b743e34aa3740e00
    Appearance: 0000
    Tx Power Level: 0 dBm (pathloss 68 dBm)
    Complete Local Name: Mesh Mi Switch
... ...

--ll-feature-set:读取远端 LE 设备的 LL FeatureSet

$ sudo bluing le --ll-feature-set --addr-type=public 18:D9:8F:77:24:F1
[INFO] Reading LL FeatureSet of 18:D9:8F:77:24:F1 on hci0
Reading 
LE LL Features:
    LE Encryption: True
    Connection Parameters Request Procedure: False
    Extended Reject Indication: False
    Slave-initiated Features Exchange: False
    LE Ping: False
    LE Data Packet Length Extension: True
    LL Privacy: False
    Extended Scanner Filter Policies: False
    LE 2M PHY: False
    Stable Modulation Index - Transmitter: False
    Stable Modulation Index - Receiver: False
    ... ...

--pairing-feature:请求远端 LE 设备的 pairing feature

$ sudo bluing le --pairing-feature --addr-type=public 18:D9:8F:77:24:F1
[INFO] Requesting pairing feature of 18:D9:8F:77:24:F1 on hci0
Requesting 
Pairing Response
    IO Capability: 0x03 - NoInputNoOutput
    OOB data flag: 0x00 - Not Present
    AuthReq: 0x01
    Maximum Encryption Key Size: 16
Initiator Key Distribution: 0x00
        EncKey:  False
        IdKey:   False
        SignKey: False
        LinkKey: False
        RFU:     0b0000
Responder Key Distribution: 0x01
        EncKey:  True
        IdKey:   False
        SignKey: False
        LinkKey: False
        RFU:     0b0000

--gatt:发现远端 LE 设备 GATT Profile 的层次结构

$ sudo bluing le --gatt --addr-type=public 18:D9:8F:77:24:F1
Connecting 
Discovering all primary services 
Discovering all characteristics of service 0x0001 
... ...
Discovering all descriptors of characteristic 0x0002 
... ...
Reading value of the descriptor 0x0013 
... ... 

----------------GATT Scan Result----------------
Number of services: 6

Service (0x0100 - 0x0112, 7 characteristics)
    Declaration
        Handle: 0x0100
        Type:   2800 (Primary Service declaration)
        Value:  1812 (Human Interface Device)
        Permissions: Read (no authen/author)

    Characteristic (2 descriptors)
        Declaration
            Handle: 0x010d
            Type:   2803 (Characteristic declaration)
            Value:
                Properties: Read, Write Without Response, Write, Notify
                Handle:     0x010e
                UUID:       2A4D (Report)
            Permissions: Read (no authen/author)

        Value
            Handle: 0x0302
            Type:   4A02 (Unknown)
            Value:  Read Not Permitted
            Permissions: Higher layer specific

        Descriptor
            Handle: 0x010f
            Type:   2902 (Client Characteristic    Configuration declaration)
            Value:  b'\x00\x00'
            Permissions: Read (no authen/author), Write (higher layer specifies authen/author)
... ...

--sniff-adv:嗅探 advertising physical channel PDU

$ sudo bluing le --sniff-adv
[INFO] Using micro:bit /dev/ttyACM2 on channel 37
[INFO] Using micro:bit /dev/ttyACM1 on channel 38
[INFO] Using micro:bit /dev/ttyACM0 on channel 39
[INFO] micro:bit 38 < Ready -> Start
[INFO] micro:bit 37 < Ready -> Start
[INFO] micro:bit 39 < Ready -> Start
[38] [ADV_NONCONN_IND]
random AdvA: 28:7A:88:B2:35:0B
[39] [ADV_IND]
public AdvA: A4:E4:72:B1:CB:8D
[37] [SCAN_REQ]
random ScanA: 6A:90:0C:07:3E:14
random AdvA: 7D:9B:A8:5A:F2:81
... ...

android 命令: Android 蓝牙协议栈

$ bluing android --help
Usage:
    bluing android [-h | --help]
    bluing android [-t <id>] --collect-btsnoop-log [-o <file>]

Options:
    -h, --help               Display this help and quit
    -t <id>                  Use android device with given transport id. This option 
                             will be ignored when only one device is available
    --collect-btsnoop-log    Collect the btsnoop log being generated to a local file, 
                             default ./btsnoop_hci.log
    -o <file>                Place the output into  [default: ./btsnoop_hci.log]

--collect-btsnoop-log: 收集正在产生的 btsnoop log

$ bluing android -t 3 --collect-btsnoop-log -o btsnoop_hci.log; file btsnoop_hci.log
btsnoop_hci.log: BTSnoop version 1, HCI UART (H4)

spoof 命令:使用新的设备信息做欺骗

$ bluing spoof --help
Usage:
    bluing spoof [-h | --help]
    bluing spoof [-i <hci>] --bd-addr=<BD_ADDR>
    bluing spoof [-i <hci>] --cls-of-dev=<num>
    bluing spoof --host-name=<name>
    bluing spoof [-i <hci>] --alias=<alias>

Options:
    -h, --help             Print this help and quit
    -i <hci>               HCI device
    --bd-addr=<BD_ADDR>    Spoof with a new BD_ADDR
    --cls-of-dev=<num>     Spoof with a new Class of Device
    --host-name=<name>     Spoof with a new host name
    --alias=<alias>        Spoof with a new alias

--bd-addr=<BD_ADDR>:使用新的设备地址做欺骗

该功能当前基于 spooftooph 完成。如果在 Kali Linux 上使用它,先执行 sudo apt install spooftooph 即可完成安装。但在 Ubuntu 上使用时,则需要手动编译安装 spooftooph

$ sudo bluing spoof --bd-addr=AA:BB:CC:DD:EE:FF
[WARNING] The original HCI device number may have been changed
[INFO] BD_ADDR changed: 11:22:33:44:55:66 -> AA:BB:CC:DD:EE:FF

--cls-of-dev=<num>:使用新的设备类型做欺骗

$ sudo bluing spoof --cls-of-dev=0x6c0100
No output when successful

--host-name=<name>:使用新的主机名做欺骗

$ sudo bluing spoof --host-name=Bluing
No output when successful

--alias=<alias>:使用新的控制器别名做欺骗

$ sudo bluing spoof --alias='Bluing Alias'
No output when successful

plugin 命令:插件管理

$ bluing plugin --help
$ bluing plugin --help

Usage:
    bluing plugin [-h | --help]
    bluing plugin <command> [<args>...]

Options:
    -h, --help    Display this help and quit

Commands:
    list         List installed plugins
    install      Install a plugin
    uninstall    Uninstall a plugin
    run          Run a plugin

硬件推荐

蓝牙适配器

很多 bluing 功能都需要访问蓝牙适配器。虽然可以使用 Linux 物理机自带的适配器或让 Linux 虚拟机独占宿主机的适配器,但是为了更稳定地运行 bluing,仍建议使用外接的 USB 蓝牙适配器,比如 Parani UD100-G03

Original micro:bit(可选)

Bluing 在嗅探 advertising physical channel PDU 时 (le --sniff-adv),至少需要 1 块 original micro:bit,且推荐同时使用 3 块。这些 micro:bit 需要运行 bluing 提供的专用固件。将 micro:bit 接入 Linux 后,执行如下命令便可刷写预先构建好的固件:

bluing --flash-micro-bit

除了 original micro:bit,使用 nRF51822 的其他板子也可以被支持,比如 Adafruit Bluefruit LE Friend 和 BLE400 with Core51822,但可能需要修改串口引脚的对应关系。

Ubertooth One(可选)

当嗅探并推测附近的 BD_ADDR 时 (br --sniff-and-guess-bd-addr),bluing 需要用到一块 Ubertooth One

FAQ

rfkill 无法找到 hci0

异常消息如下:

Exception: Can't find the ID of hci0 in rfkill

该异常可能因为老版本的 rfkill 不支持 -r-n 选项而导致,比如:

$ cat /etc/os-release | head -n 2
NAME="Ubuntu"
VERSION="16.10 (Yakkety Yak)"

$ rfkill --version
rfkill 0.5-1ubuntu3 (Ubuntu)

此时升级 rfkill 到较新的版本可以解决该问题,比如:

$ cat /etc/os-release | head -n 2
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"

$ rfkill --version
rfkill from util-linux 2.38.1

管理命令 scanend 执行失败了

错误消息如下:

ERROR: Failed to execute management command 'scanend' (code: 11, error: Rejected)

可通过重启 Bluetooth 服务尝试解决该问题。命令如下:

sudo systemctl restart bluetooth.service