Bluetooth
Tools
Bluetooth configuration
Requirements and configuration for Kali Linux.
$ sudo apt-get install bluetooth blueman bluez
$ sudo systemctl start bluetooth
$ sudo hciconfig hci0 up    # hciconfig is deprecated in recent bluez; `bluetoothctl power on` does the same
Enumerate Bluetooth devices
[!CAUTION]
apt doesn't ship a recent version of bluez, so build it from source with the following lines (5.18 is the release these notes were written against; substitute the current tarball from the same directory). Note that since bluez 5.44 gatttool and the hci* tools are only built when you pass --enable-deprecated to ./configure.
dpkg --get-selections | grep -v deinstall | grep bluez    # check which bluez packages apt already installed
sudo apt-get install libglib2.0-dev libdbus-1-dev libusb-dev libudev-dev libical-dev systemd libreadline-dev
wget https://www.kernel.org/pub/linux/bluetooth/bluez-5.18.tar.xz
tar xvf bluez-5.18.tar.xz
cd bluez-5.18
./configure --enable-library
make -j8 && sudo make install
sudo cp attrib/gatttool /usr/local/bin/    # gatttool is built but not installed by `make install`
BLE - Enumerate services and characteristics
BLE data exchange is defined by the Generic Attribute Profile (GATT), which specifies how a client (usually a phone or your laptop) and a server (the peripheral) exchange data as a hierarchy of attributes:
- Services: a set of provided features and the associated behaviors for interacting with the peripheral. Each service contains a collection of characteristics.
- Characteristics: attributes of a defined type that each hold a single logical value, together with properties (read, write, notify, indicate, ...) and optional descriptors.
Tools to enumerate them:
- Using bettercap/bettercap
- Using hackgnar/bleah
- Using bluez/gatttool, we can enumerate the services and their characteristics: use sudo gatttool -b $MAC -I to get an interactive gatttool shell (commands primary, characteristics, char-desc, char-read-hnd, char-write-req), or the one-shot options shown below.
MAC=30:AE:A4:2A:54:8A
$ gatttool -b $MAC --primary
attr handle = 0x0001, end grp handle = 0x0005 uuid: 00001801-0000-1000-8000-00805f9b34fb
attr handle = 0x0014, end grp handle = 0x001c uuid: 00001800-0000-1000-8000-00805f9b34fb
attr handle = 0x0028, end grp handle = 0xffff uuid: 000000ff-0000-1000-8000-00805f9b34fb
# UUIDs of the form 0000xxxx-0000-1000-8000-00805f9b34fb are 16-bit UUIDs on the Bluetooth base UUID:
# 0x1801 (Generic Attribute) and 0x1800 (Generic Access) are standard services assigned by the Bluetooth SIG
# 0x00ff is not a SIG-assigned service: it is the custom one which holds the CTF
$ gatttool -b $MAC --characteristics
handle = 0x0002, char properties = 0x20, char value handle = 0x0003, uuid = 00002a05-0000-1000-8000-00805f9b34fb
handle = 0x0015, char properties = 0x02, char value handle = 0x0016, uuid = 00002a00-0000-1000-8000-00805f9b34fb
# char properties is a bitmask: 0x02 = Read, 0x04 = Write Without Response, 0x08 = Write, 0x10 = Notify, 0x20 = Indicate
# (0x2a05 is Service Changed, indicate-only; 0x2a00 is Device Name, readable)
# Values are read and written at the char value handle, not at the declaration handle
BLE - Read data
Read data with gatttool
- List the characteristics (gatttool -b $MAC --characteristics, or characteristics in the interactive shell) to find the value handle
- Read the characteristic at its value handle
[00:1A:7D:DA:71:06][LE]> char-read-hnd 0x000c
Characteristic value/descriptor: 44 65 63 72 79 70 74 20 74 68 65 20 6d 65 73 73 61 67 65 2c 20 77 72 69 74 65 20 74 68 65 20 64 65 63 72 79 70 74 65 64 20 76 61 6c 75 65 20 61 6e 64 20 72 65 61 64 20 62 61 63 6b 20 74 68 65 20 72 65 73 70 6f 6e 73 65 20 74 6f 20 66 6c 61 67 2e 20 45 6e 63 72 79 70 74 65 64 20 6d 65 73 73 61 67 65 3a 20 63 34 64 33 32 38 36 35 37 61 39 64 62 33 64 66 65 39 31 64 33 36 36 36 62 39 34 31 62 33 36 31
# gatttool prints the value as hex bytes; decoded as ASCII this one reads:
# "Decrypt the message, write the decrypted value and read back the response to flag. Encrypted message: c4d328657a9db3dfe91d3666b941b361"
One liner to read a characteristic (same handle, no interactive shell):
$ gatttool -b $MAC --char-read -a 0x000c
BLE - Read notification/indication
Subscribe by writing to the characteristic's Client Characteristic Configuration Descriptor (CCCD, UUID 0x2902, usually the handle right after the value handle; confirm it with char-desc in the interactive shell): 0100 enables notifications, 0200 enables indications. --listen keeps gatttool attached and prints every update the server pushes.
$ gatttool -b $MAC -a 0x0040 --char-write-req --value=0100 --listen    # notifications
$ gatttool -b $MAC -a 0x0044 --char-write-req --value=0200 --listen    # indications
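When working through a device with many handles it is faster to decode gatttool's output than to eyeball it. The following is an added example (not part of the original notes, and not bluez code): it parses the `--primary`, `--characteristics` and `char-read-hnd` output shown above, names the SIG-assigned UUIDs, turns the property bitmask into words, decodes a hex value, and produces the one-shot read and CCCD-subscribe commands for the next step. The sample outputs are constructed from the lines on this page; the small `SIG_NAMES` table and the assumption that the CCCD sits right after the value handle are the example's own and must be checked against `char-desc` on a real target.

```python
"""Decode bluez gatttool output (added example; sample data constructed from this page)."""
import re
from dataclasses import dataclass

# A 16-bit SIG UUID is embedded in the Bluetooth base UUID as 0000xxxx-<BASE_SUFFIX>.
BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"
# Subset of SIG-assigned numbers; only the ones that appear on this page (assumption: extend as needed).
SIG_NAMES = {0x1800: "Generic Access", 0x1801: "Generic Attribute",
             0x2a00: "Device Name", 0x2a05: "Service Changed"}
# Characteristic properties bitmask from the GATT characteristic declaration.
PROP_BITS = [(0x01, "broadcast"), (0x02, "read"), (0x04, "write-without-response"),
             (0x08, "write"), (0x10, "notify"), (0x20, "indicate"),
             (0x40, "authenticated-signed-write"), (0x80, "extended-properties")]

PRIMARY_RE = re.compile(r"attr handle = (0x[0-9a-f]+), end grp handle = (0x[0-9a-f]+) uuid: ([0-9a-f-]+)")
CHAR_RE = re.compile(r"handle = (0x[0-9a-f]+), char properties = (0x[0-9a-f]+), "
                     r"char value handle = (0x[0-9a-f]+), uuid = ([0-9a-f-]+)")
VALUE_RE = re.compile(r"Characteristic value/descriptor: ((?:[0-9a-fA-F]{2} ?)+)")


def uuid_name(uuid: str) -> str:
    """Name a SIG-assigned 16-bit UUID; anything else is vendor-specific or custom."""
    uuid = uuid.lower()
    if uuid.startswith("0000") and uuid.endswith(BASE_SUFFIX):
        short = int(uuid[4:8], 16)
        return SIG_NAMES.get(short, f"unassigned 16-bit 0x{short:04x} (custom)")
    return "128-bit custom UUID"


@dataclass
class Characteristic:
    decl_handle: int
    props: int
    value_handle: int
    uuid: str

    def names(self) -> list:
        return [name for bit, name in PROP_BITS if self.props & bit]

    def cccd_handle(self) -> int:
        # ASSUMPTION: the CCCD immediately follows the value attribute (common, not guaranteed);
        # verify with `char-desc` in the gatttool shell before writing to it.
        return self.value_handle + 1


def parse_primary(text: str) -> list:
    """`gatttool --primary` output -> list of (start_handle, end_handle, uuid)."""
    return [(int(s, 16), int(e, 16), u) for s, e, u in PRIMARY_RE.findall(text)]


def parse_characteristics(text: str) -> list:
    """`gatttool --characteristics` output -> list of Characteristic."""
    return [Characteristic(int(h, 16), int(p, 16), int(v, 16), u)
            for h, p, v, u in CHAR_RE.findall(text)]


def parse_value(text: str) -> bytes:
    """`char-read-hnd` / `--char-read` output -> raw value bytes."""
    m = VALUE_RE.search(text)
    if not m:
        raise ValueError("no 'Characteristic value/descriptor' line in output")
    return bytes.fromhex(m.group(1).replace(" ", ""))


def read_commands(mac: str, chars: list) -> list:
    """One-shot gatttool read for every characteristic whose properties include Read."""
    return [f"gatttool -b {mac} --char-read -a 0x{c.value_handle:04x}"
            for c in chars if c.props & 0x02]


def subscribe_command(mac: str, char: Characteristic):
    """CCCD write enabling indications (0200) or notifications (0100); None if neither is supported."""
    if char.props & 0x20:
        value = "0200"
    elif char.props & 0x10:
        value = "0100"
    else:
        return None
    return f"gatttool -b {mac} -a 0x{char.cccd_handle():04x} --char-write-req --value={value} --listen"


# Constructed sample data: the gatttool outputs shown on this page.
PRIMARY_OUTPUT = """\
attr handle = 0x0001, end grp handle = 0x0005 uuid: 00001801-0000-1000-8000-00805f9b34fb
attr handle = 0x0014, end grp handle = 0x001c uuid: 00001800-0000-1000-8000-00805f9b34fb
attr handle = 0x0028, end grp handle = 0xffff uuid: 000000ff-0000-1000-8000-00805f9b34fb
"""
CHAR_OUTPUT = """\
handle = 0x0002, char properties = 0x20, char value handle = 0x0003, uuid = 00002a05-0000-1000-8000-00805f9b34fb
handle = 0x0015, char properties = 0x02, char value handle = 0x0016, uuid = 00002a00-0000-1000-8000-00805f9b34fb
"""
READ_OUTPUT = ("Characteristic value/descriptor: "
               "44 65 63 72 79 70 74 20 74 68 65 20 6d 65 73 73 61 67 65 2c 20 77 72 69 74 65 20 "
               "74 68 65 20 64 65 63 72 79 70 74 65 64 20 76 61 6c 75 65 20 61 6e 64 20 72 65 61 64 20 "
               "62 61 63 6b 20 74 68 65 20 72 65 73 70 6f 6e 73 65 20 74 6f 20 66 6c 61 67 2e 20 "
               "45 6e 63 72 79 70 74 65 64 20 6d 65 73 73 61 67 65 3a 20 "
               "63 34 64 33 32 38 36 35 37 61 39 64 62 33 64 66 65 39 31 64 33 36 36 36 62 39 34 31 62 33 36 31")

if __name__ == "__main__":
    mac = "30:AE:A4:2A:54:8A"  # the MAC used on this page; substitute your target
    for start, end, uuid in parse_primary(PRIMARY_OUTPUT):
        print(f"service 0x{start:04x}-0x{end:04x} {uuid} -> {uuid_name(uuid)}")
    chars = parse_characteristics(CHAR_OUTPUT)
    for c in chars:
        print(f"char value handle 0x{c.value_handle:04x} {uuid_name(c.uuid)} {c.names()}")
    print(*read_commands(mac, chars), sep="\n")
    print(subscribe_command(mac, chars[0]))
    print(parse_value(READ_OUTPUT).decode("ascii", "replace"))
```

Feed it real output by piping `gatttool -b $MAC --characteristics` into `parse_characteristics` and looping over `read_commands`; characteristics without the Read bit will answer a read with an ATT error, which is itself useful enumeration data on a CTF target.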
BLE - Write data
- Using bettercap/bettercap
- Using bluez/gatttool
# With char-write, we perform a Write Command and don't expect a response from the server
# With char-write-req, we perform a Write Request and expect a response from the server
# The value is passed hex-encoded; -n is the short form of --value
$ gatttool -b $MAC --char-write-req -a 0x002c -n $(echo -n "12345678901234567890" | xxd -ps)
$ gatttool -b $MAC -a 0x0050 --char-write-req --value=$(echo -n 'hello' | xxd -p)
# inside the gatttool shell: write "Good Padawan!!!!" (hex-encoded) to the handle, then read the response back
[00:1A:7D:DA:71:06][LE]> char-write-req 0x000c 476f6f64205061646177616e21212121
[00:1A:7D:DA:71:06][LE]> char-read-hnd 0x000c
Characteristic value/descriptor: 43 6f 6e [...] 2e
Bluetooth MAC
Change the Bluetooth MAC address
Sniff Bluetooth communication
Using Ubertooth
BLE advertises on three channels (37, 38 and 39) and one Ubertooth can only listen on one channel at a time, so you need three of them, one per advertising channel, to be sure of catching the connection request. -U selects the dongle, -A the advertising channel, -f follows the connection once it is established and -c writes the capture to a pcap file.
ubertooth-btle -U 0 -A 37 -f -c bulb_37.pcap
ubertooth-btle -U 1 -A 38 -f -c bulb_38.pcap
ubertooth-btle -U 2 -A 39 -f -c bulb_39.pcap
Using Micro::Bit
Using Android HCI
Enable the Bluetooth HCI snoop log on the device via Developer Options, then toggle Bluetooth off and on so the stack picks up the setting.
It works like a hook in the stack that captures all the HCI packets to a file. For most Android devices the log file is at /sdcard/btsnoop_hci.log or under /sdcard/oem_log/btsnoop/
$ adb devices
$ adb pull /sdcard/btsnoop_hci.log
$ adb pull /sdcard/oem_log/btsnoop/<your log file>.log
# On recent Android versions the log is no longer readable from /sdcard: take a bug report and extract it from the zip under FS/data/misc/bluetooth/logs/
$ adb bugreport filename
Challenges
- BLE HackMe - works with nRF Connect (Android)
- hackgnar/ble_ctf - A Bluetooth low energy capture the flag
References
- A Practical Introduction to Bluetooth Low Energy security without any special hardware - Slawomir Jasek - 19 November 2020
- Denial of Pleasure: Attacking Unusual BLE Targets with a Flipper Zero - Matteo Mandolini & Luca Bongiorni
- BLE CTF - wiki.elvis.science - Embedded Lab Vienna for IOT & Security
- BLUETOOTH LOW ENERGY CTF - WRITE UP - ECLECTIC KOALA
- BLECTF, a "Capture The Flag" hardware platform based on Bluetooth Low Energy BLE + Write-Up - Hacker de Cabecera febrero 04, 2020