Bluing(前身为 bluescan)是一个主要基于 Python 实现的蓝牙情报收集工具。它可以帮助我们窥探蓝牙这种复杂协议的内部结构或是 hack 蓝牙设备。其主要特性如下:
Bluing 部分依赖 Linux 官方的 BlueZ 蓝牙协议栈,因此它仅支持在 Linux 上运行。执行如下命令可安装依赖包:
sudo apt install python3-pip python3-dev libcairo2-dev libgirepository1.0-dev \
libbluetooth-dev libdbus-1-dev bluez-tools python3-cairo-dev \
rfkill meson patchelf bluez ubertooth adb python-is-python3
目前 bluing 的分发途径是 PyPI,且仅支持 Python 3.10。安装命令如下:
sudo pip3.10 install bluing
$ bluing --help
An intelligence gathering tool for hacking Bluetooth Usage: bluing [-h | --help] bluing (-v | --version) bluing [-i <hci>] --clean BD_ADDR bluing --flash-micro-bit bluing <command> [<args>...] Arguments: BD_ADDR Bluetooth device address Options: -h, --help Print this help and quit -v, --version Print version information and quit -i <hci> HCI device --clean Clean cached data of a remote device --flash-micro-bit Download the dedicated firmware to micro:bit(s) Commands: br Basic Rate system, includes an optional Enhanced Data Rate (EDR) extension le Low Energy system android Android Bluetooth stack spoof Spoof with new local device information plugin Manage plugins Run `bluing <command> --help` for more information on a command.
$ bluing br --help
Usage: bluing br [-h | --help] bluing br [-i <hci>] [--inquiry-len=<n>] --inquiry bluing br [-i <hci>] --sdp BD_ADDR bluing br [-i <hci>] --local --sdp bluing br [-i <hci>] --lmp-features BD_ADDR bluing br [-i <hci>] --local --lmp-features bluing br [-i <hci>] --stack BD_ADDR bluing br [-i <hci>] --local --stack bluing br [-i <hci>] [--inquiry-scan] --mon-incoming-conn bluing br --org=<name> --timeout=<sec> --sniff-and-guess-bd-addr Arguments: BD_ADDR BR/EDR Bluetooth device address Options: -h, --help Print this help and quit -i <hci> HCI device --local Target a local BR/EDR device instead of a remote one --inquiry Discover other nearby BR/EDR controllers --inquiry-len=<n> Maximum amount of time (added to --ext-inquiry-len=<n>) specified before the Inquiry is halted. Time = n * 1.28 s Time range: 1.28 to 61.44 s Range of n: 0x01 to 0x30 [default: 8] --ext-inquiry-len=<n> Extended_Inquiry_Length measured in number of Baseband slots. Interval Length = n * 0.625 ms (1 Baseband slot) Time Range: 0 to 40.9 s Range of n: 0x0000 to 0xFFFF [default: 0] --sdp Retrieve information from the SDP database of a remote BR/EDR device --lmp-features Read LMP features of a remote BR/EDR device --stack Determine the Bluetooth stack type of a remote BR/EDR device --mon-incoming-conn Print incoming connection from other nearby BR/EDR devices --inquiry-scan Enable the Inquiry Scan --sniff-and-guess-bd-addr Sniff SAPs of BD_ADDRs over the air, then guess the address based on the organization name. Need at least one Ubertooth device --org=<name> An organization name in the OUI.txt --timeout=<sec> Timeout in second(s)
$ sudo bluing br --inquiry
[INFO] Discovering other nearby BR/EDR Controllers on hci0 for 10.24 sec BD_ADDR: B0:C9:52:45:33:13 (GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP.,LTD) Page scan repetition mode: 1 (R1) Reserved: 0x02 CoD: 0x5a020c Service Class: 0b1011010000 Telephony Object Transfer Capturing Networking Major Device Class: 0b00010, Phone Clock offset: 0x50D5 RSSI: -61 Extended inquiry response: Complete Local Name: old man phone Complete List of 16-bit Service Class UUIDs 0x1105 OBEXObjectPush 0x110a AudioSource 0x110c A/V_RemoteControlTarget 0x110e A/V_RemoteControl 0x1112 Headset - Audio Gateway (AG) 0x1115 PANU 0x1116 NAP 0x111f HandsfreeAudioGateway 0x112d SIM_Access 0x112f Phonebook Access - PSE 0x1200 PnPInformation 0x1132 Message Access Server Complete List of 32-bit Service Class UUIDs None Complete List of 128-bit Service Class UUIDs A49EAA15-CB06-495C-9F4F-BB80A90CDF00 00000000-0000-0000-0000-000000000000 ... ... [INFO] Requesting the names of all discovered devices... B0:C9:52:45:33:13 : old man phone ... ...
$ sudo bluing br --sdp 34:13:46:23:6A:4D
Scanning ⠋ Number of service records: 18 Service Record 0x0000: ServiceRecordHandle (uint32) 0x0001000d 0x0001: ServiceClassIDList (sequence) 0x1105: OBEXObjectPush 0x0004: ProtocolDescriptorList (sequence) 0x0100: L2CAP 0x0003: RFCOMM channel: 0x0c 0x0008: OBEX 0x0005: BrowseGroupList (sequence) 0x1002: PublicBrowseRoot 0x0009: BluetoothProfileDescriptorList (sequence) 0x1105: OBEXObjectPush v1.2 0x0100: ServiceName (guess) (text) OBEX Object Push 0x0200: GoepL2CapPsm (guess) (uint16) 0x1023 0x0303: SupportedFormatsList (guess) (sequence) 0x01: vCard 2.1 0x02: vCard 3.0 0x03: vCal 1.0 0x04: iCal 2.0 0xff: Any type of object ... ...
$ sudo bluing br --lmp-features 6A:8D:99:33:56:AE
Version Version: Bluetooth Core Specification 5.2 (LMP) Bluetooth Core Specification 5.2 (LL) Manufacturer name: HiSilicon Technologies CO., LIMITED Subversion: 33561 LMP features 3 slot packets: True 5 slot packets: True Encryption: True Slot offset: True Timing accuracy: True Role switch: True Hold mode: False Sniff mode: True Previously used: False Power control requests: True Channel quality driven data rate (CQDDR): True ... ... Extended LMP features Page 1 Secure Simple Pairing (Host Support): True LE Supported (Host): True Simultaneous LE and BR/EDR to Same Device Capable (Host): True Secure Connections (Host Support): True Page 2 Connectionless Slave Broadcast - Master Operation: False Connectionless Slave Broadcast - Slave Operation: False Synchronization Train: False Synchronization Scan: False HCI_Inquiry_Response_Notification event: True ... ...
$ sudo bluing br --inquiry-scan --mon-incoming-conn
[INFO] Inquiry_Scan_Interval: 4096, 2560.0 ms Inquiry_Scan_Window: 4096, 2560.0 ms [INFO] Inquiry Scan and Page Scan enabled A0:DE:0F:99:EF:78 incoming CoD: 0x5a020c Service Class: 0b1011010000 Telephony Object Transfer Capturing Networking Major Device Class: 0b00010, Phone link type: 0x01 - ACL ... ...
$ bluing br --org='Huawei Device Co., Ltd.' --timeout=600 --sniff-and-guess-bd-addr
[INFO] Possible BD_ADDR(s) for ??:??:99:4C:45:C3 24:A7:99:4C:45:C3 [INFO] Possible BD_ADDR(s) for ??:??:E4:2D:69:EE BC:1A:E4:2D:69:EE D0:05:E4:2D:69:EE 30:AA:E4:2D:69:EE [INFO] Possible BD_ADDR(s) for ??:??:15:60:81:7F 64:23:15:60:81:7F D4:74:15:60:81:7F ... ...
$ bluing le --help
Usage: bluing le [-h | --help] bluing le [-i <hci>] [--scan-type=<type>] [--timeout=<sec>] [--sort=<key>] --scan bluing le [-i <hci>] --pairing-feature [--timeout=<sec>] [--addr-type=<type>] PEER_ADDR bluing le [-i <hci>] --ll-feature-set [--timeout=<sec>] [--addr-type=<type>] PEER_ADDR bluing le [-i <hci>] --gatt [--io-cap=<name>] [--addr-type=<type>] PEER_ADDR bluing le [-i <hci>] --local --gatt bluing le [-i <hci>] --mon-incoming-conn bluing le [--channel=<num>] --sniff-adv Arguments: PEER_ADDR LE Bluetooth device address Options: -h, --help Print this help and quit -i <hci> HCI device --scan Discover advertising devices nearby --scan-type=<type> The type of scan to perform. active or passive [default: active] --sort=<key> Sort the discovered devices by key, only support RSSI now [default: rssi] --ll-feature-set Read LL FeatureSet of a remote LE device --pairing-feature Request the pairing feature of a remote LE device --timeout=<sec> Duration of the LE scanning, but may not be precise [default: 10] --gatt Discover GATT Profile hierarchy of a remote LE device --io-cap=<name> Set IO capability of the agent. Available value: DisplayOnly, DisplayYesNo, KeyboardOnly, NoInputNoOutput, KeyboardDisplay (KeyboardOnly) [default: NoInputNoOutput] --addr-type=<type> Type of the LE address, public or random --sniff-adv Sniff advertising physical channel PDU. Need at least one micro:bit --channel=<num> LE advertising physical channel, 37, 38 or 39 [default: 37,38,39] --device=</dev/tty> Device to use, comma separated (e.g., /dev/ttyUSB0,/dev/ttyUSB1,/dev/ttyUSB2) Only needed if using NRF51 devices other than micro:bit (e.g., Bluefruit)
$ sudo bluing le --scan
[WARNING] You might want to spoof your LE address before doing an active scan [INFO] LE active scanning on hci0 for 10 sec Scanning ⠴ ----------------LE Devices Scan Result---------------- Addr: 74:A3:4A:D4:78:55 (ZIMI CORPORATION) Addr type: public Connectable: True RSSI: -68 dBm General Access Profile: Flags: LE General Discoverable Mode BR/EDR Not Supported Service Data - 16-bit UUID: UUID: 0x95FE Data: 9055990701b743e34aa3740e00 Appearance: 0000 Tx Power Level: 0 dBm (pathloss 68 dBm) Complete Local Name: Mesh Mi Switch ... ...
$ sudo bluing le --ll-feature-set --addr-type=public 18:D9:8F:77:24:F1
[INFO] Reading LL FeatureSet of 18:D9:8F:77:24:F1 on hci0 Reading ⠼ LE LL Features: LE Encryption: True Connection Parameters Request Procedure: False Extended Reject Indication: False Slave-initiated Features Exchange: False LE Ping: False LE Data Packet Length Extension: True LL Privacy: False Extended Scanner Filter Policies: False LE 2M PHY: False Stable Modulation Index - Transmitter: False Stable Modulation Index - Receiver: False ... ...
$ sudo bluing le --pairing-feature --addr-type=public 18:D9:8F:77:24:F1
[INFO] Requesting pairing feature of 18:D9:8F:77:24:F1 on hci0 Requesting ⠧ Pairing Response IO Capability: 0x03 - NoInputNoOutput OOB data flag: 0x00 - Not Present AuthReq: 0x01 Maximum Encryption Key Size: 16 Initiator Key Distribution: 0x00 EncKey: False IdKey: False SignKey: False LinkKey: False RFU: 0b0000 Responder Key Distribution: 0x01 EncKey: True IdKey: False SignKey: False LinkKey: False RFU: 0b0000
$ sudo bluing le --gatt --addr-type=public 18:D9:8F:77:24:F1
Connecting ⠋ Discovering all primary services ⠏ Discovering all characteristics of service 0x0001 ⠹ ... ... Discovering all descriptors of characteristic 0x0002 ⠼ ... ... Reading value of the descriptor 0x0013 ⠴ ... ... ----------------GATT Scan Result---------------- Number of services: 6 Service (0x0100 - 0x0112, 7 characteristics) Declaration Handle: 0x0100 Type: 2800 (Primary Service declaration) Value: 1812 (Human Interface Device) Permissions: Read (no authen/author) Characteristic (2 descriptors) Declaration Handle: 0x010d Type: 2803 (Characteristic declaration) Value: Properties: Read, Write Without Response, Write, Notify Handle: 0x010e UUID: 2A4D (Report) Permissions: Read (no authen/author) Value Handle: 0x0302 Type: 4A02 (Unknown) Value: Read Not Permitted Permissions: Higher layer specific Descriptor Handle: 0x010f Type: 2902 (Client Characteristic Configuration declaration) Value: b'\x00\x00' Permissions: Read (no authen/author), Write (higher layer specifies authen/author) ... ...
$ sudo bluing le --sniff-adv
[INFO] Using micro:bit /dev/ttyACM2 on channel 37 [INFO] Using micro:bit /dev/ttyACM1 on channel 38 [INFO] Using micro:bit /dev/ttyACM0 on channel 39 [INFO] micro:bit 38 < Ready -> Start [INFO] micro:bit 37 < Ready -> Start [INFO] micro:bit 39 < Ready -> Start [38] [ADV_NONCONN_IND] random AdvA: 28:7A:88:B2:35:0B [39] [ADV_IND] public AdvA: A4:E4:72:B1:CB:8D [37] [SCAN_REQ] random ScanA: 6A:90:0C:07:3E:14 random AdvA: 7D:9B:A8:5A:F2:81 ... ...
$ bluing android --help
Usage: bluing android [-h | --help] bluing android [-t <id>] --collect-btsnoop-log [-o <file>] Options: -h, --help Display this help and quit -t <id> Use android device with given transport id. This option will be ignored when only one device is available --collect-btsnoop-log Collect the btsnoop log being generated to a local file, default ./btsnoop_hci.log -o <file> Place the output into [default: ./btsnoop_hci.log]
$ bluing android -t 3 --collect-btsnoop-log -o btsnoop_hci.log; file btsnoop_hci.log
btsnoop_hci.log: BTSnoop version 1, HCI UART (H4)
$ bluing spoof --help
Usage: bluing spoof [-h | --help] bluing spoof [-i <hci>] --bd-addr=<BD_ADDR> bluing spoof [-i <hci>] --cls-of-dev=<num> bluing spoof --host-name=<name> bluing spoof [-i <hci>] --alias=<alias> Options: -h, --help Print this help and quit -i <hci> HCI device --bd-addr=<BD_ADDR> Spoof with a new BD_ADDR --cls-of-dev=<num> Spoof with a new Class of Device --host-name=<name> Spoof with a new host name --alias=<alias> Spoof with a new alias
该功能当前基于 spooftooph
完成。如果在 Kali Linux 上使用它,先执行 sudo apt install spooftooph
即可完成安装。但在 Ubuntu 上使用时,则需要手动编译安装 spooftooph
。
$ sudo bluing spoof --bd-addr=AA:BB:CC:DD:EE:FF
[WARNING] The original HCI device number may have been changed [INFO] BD_ADDR changed: 11:22:33:44:55:66 -> AA:BB:CC:DD:EE:FF
$ sudo bluing spoof --cls-of-dev=0x6c0100
No output when successful
$ sudo bluing spoof --host-name=Bluing
No output when successful
$ sudo bluing spoof --alias='Bluing Alias'
No output when successful
$ bluing plugin --help
$ bluing plugin --help
Usage:
bluing plugin [-h | --help]
bluing plugin <command> [<args>...]
Options:
-h, --help Display this help and quit
Commands:
list List installed plugins
install Install a plugin
uninstall Uninstall a plugin
run Run a plugin
很多 bluing 功能都需要访问蓝牙适配器。虽然可以使用 Linux 物理机自带的适配器或让 Linux 虚拟机独占宿主机的适配器,但是为了更稳定地运行 bluing,仍建议使用外接的 USB 蓝牙适配器,比如 Parani UD100-G03。
Bluing 在嗅探 advertising physical channel PDU 时 (le --sniff-adv
),至少需要 1 块 original micro:bit,且推荐同时使用 3 块。这些 micro:bit 需要运行 bluing 提供的专用固件。将 micro:bit 接入 Linux 后,执行如下命令便可刷写预先构建好的固件:
bluing --flash-micro-bit
除了 original micro:bit,使用 nRF51822 的其他板子也可以被支持,比如 Adafruit Bluefruit LE Friend 和 BLE400 with Core51822,但可能需要修改串口引脚的对应关系。
当嗅探并推测附近的 BD_ADDR 时 (br --sniff-and-guess-bd-addr
),bluing 需要用到一块 Ubertooth One。
异常消息如下:
Exception: Can't find the ID of hci0 in rfkill
该异常可能因为老版本的 rfkill 不支持 -r
和 -n
选项而导致,比如:
$ cat /etc/os-release | head -n 2 NAME="Ubuntu" VERSION="16.10 (Yakkety Yak)" $ rfkill --version rfkill 0.5-1ubuntu3 (Ubuntu)
此时升级 rfkill 到较新的版本可以解决该问题,比如:
$ cat /etc/os-release | head -n 2 PRETTY_NAME="Kali GNU/Linux Rolling" NAME="Kali GNU/Linux" $ rfkill --version rfkill from util-linux 2.38.1
错误消息如下:
ERROR: Failed to execute management command 'scanend' (code: 11, error: Rejected)
可通过重启 Bluetooth 服务尝试解决该问题。命令如下:
sudo systemctl restart bluetooth.service