1. Basic tools
1.1 HCI tool family
```bash
hciconfig
hciconfig hci0 version
hcitool -i hci0 lescan
hcidump -i hci0 -X
```
1.2 gatttool (Recommendation: ★★★)
Part of the bluez code base and now deprecated; it does not go through bluez's D-Bus interface but talks to the Bluetooth device directly through the native library (here "bluez" means the bluez user-space daemon and tools, not the kernel driver).
```bash
# -t random declares the device address to be a random address; the default is public
gatttool -t random -b AA:BB:CC:DD:EE:FF -I
gatttool -t random -b AA:BB:CC:DD:EE:FF --char-write-req --handle=0x000e --value=1234
# PS: to change the local Bluetooth MAC address, build bluez yourself with the configure flag --enable-experimental
./tools/bdaddr -i hci0 00:11:22:33:44:55
```
1.3 pygatt (Recommendation: ★★★)
Python library that wraps the gatttool command, or accesses some USB Bluetooth dongles through BGAPI; the -t random parameter is not supported for BLE devices, so it is not recommended.
```python
import binascii

from pygatt import BLEAddressType, GATTToolBackend

adapter = GATTToolBackend()
adapter.start()


def notification_callback(handle, value):
    print("Received data from [0x%04x]: %s" % (handle, binascii.hexlify(value)))
    # decrypt() is the author's own payload decryption routine and is not shown here
    print("Decoded: %s" % binascii.hexlify(decrypt(bytes(value[1:]))))


dev = adapter.connect('AA:BB:CC:DD:EE:FF', address_type=BLEAddressType.random)
dev.subscribe("xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", callback=notification_callback)  # register the NOTIFY callback
dev.char_write_handle(0x000e, [1, 2, 3, 4])
adapter.stop()
```
1.4 bluez-tools
A set of command-line tools wrapping the D-Bus interface exposed by the bluez daemon.
1.5 pybluez
Python library wrapping the bluez driver interface via socket(AF_BLUETOOTH, ...), bypassing the bluez daemon (to be confirmed).
BLE device support is provided through pygattlib.
1.6 pygattlib (Recommendation: ★)
Python library, reimplemented with gatttool as a reference, targeting BLE devices.
Unmaintained for years; it installs on Debian 10 but fails at runtime, most likely with a segfault.
```python
from gattlib import GATTRequester

req = GATTRequester('AA:BB:CC:DD:EE:FF', False)
req.connect(channel_type='random')  # channel_type defaults to 'public'
req.write_by_handle(0x10, str(bytearray([1, 2, 3, 4])))
```
1.7 gattlib
C library providing BLE GATT interfaces; at build time you choose between the bluez D-Bus interface and the legacy bluez method.
2. Platform tools
2.1 bettercap (Recommendation: ★★★)
A multi-purpose security assessment platform written in Go, supporting wifi, BLE, HID, GPS and other protocols, with a web console;
its strength is the clear and concise enumeration of BLE characteristic attributes (this is the former bleah), but the functionality is fairly basic.
Reference: https://www.bettercap.org/modules/ble/
```bash
sudo bettercap -eval "caplets.update; ui.update; q"  # install the web components
vim /usr/local/share/bettercap/caplets/http-ui.cap    # edit the API/web listen address, username and password
sudo bettercap -caplet http-ui  # start the web UI; use https-ui for the https version, whose config file is https-ui.cap

# BLE scanning from the bettercap command line
ble.recon on
ble.show
ble.enum AA:BB:CC:DD:EE:FF
ble.write AA:BB:CC:DD:EE:FF [UUID] 3132333435  # hex string
```
2.2 BtleJuice (Recommendation: ★★★★)
BLE man-in-the-middle using two Bluetooth adapters; the proxy device and the local device talk over websocket, and a web UI makes it easy to view and modify BLE read/write packets;
the MITM-related design borrows from gattacker.
```bash
# 1) Install a Node.js v8 environment via nvm (other node versions will most likely fail; a "local" install as a low-privilege user is recommended)
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.35.3/install.sh | bash
nvm install 8.0.0
# 2) Install dependencies and btlejuice
sudo apt install bluetooth bluez libbluetooth-dev libudev-dev build-essential
mkdir btlejuice; npm install btlejuice  # no -g flag: installs into the current directory only
# 3) Grant the node binary the net_raw capability
sudo setcap cap_net_raw+eip "$(readlink -f "$(which node)")"
# 4) Run btlejuice
sudo hciconfig hci0 up
./node_modules/.bin/btlejuice-proxy  # run the proxy on the remote device
./node_modules/.bin/btlejuice -u [IP_OF_PROXY] -w -i hci0 -m XX:XX:XX:XX:XX:XX  # -m spoofs the MAC address and may fail; test on a Raspberry Pi, or try changing it manually with bdaddr
```
2.3 gattacker (Recommendation: ★★)
Functionally similar to BtleJuice above, but slightly less usable; BtleJuice is recommended instead.
2.4 BLESuite (Recommendation: ★)
nccgroup's Bluetooth security assessment tool; it can replay Android HCI logs and perform simple data mutation and fuzzing.
However, the code quality is worrying: many features are implemented incorrectly, the replay code is almost untested and is full of bugs when run; use with caution.
(Related: BLE-Replay, no longer maintained, later folded into the BLESuite project.)
2.5 BTLE
A BLE suite that runs on SDR devices such as HackRF and BladeRF and supports frequency-hop following; its functionality is roughly equivalent to CC2540 + SmartRF Packet Sniffer.
Related blog: https://sdr-x.github.io/BTLE-SNIFFER/
3. References:
- https://github.com/evilsocket/bleah/
- https://github.com/securing/gattacker
- https://raw.githubusercontent.com/securing/docs/master/whitepaper.pdf
- https://github.com/DigitalSecurity/btlejuice
- https://www.bettercap.org/modules/ble/
- https://docs.python.org/3.4/library/socket.html
- https://github.com/pybluez/pybluez/blob/master/bluez/btmodule.c
- https://github.com/torvalds/linux/blob/master/net/bluetooth/af_bluetooth.c
- https://stackoverflow.com/questions/51086932/ble-gatttool-interactive-shell-script
- https://www.landley.net/kdocs/ols/2006/ols2006v1-pages-421-426.pdf
- https://stackoverflow.com/questions/41407932/how-can-i-use-bluez5-dbus-api-in-c-to-pair-and-connect-new-devices
Automated testing, assessment and fuzzing
- Introducing BLESuite and BLE-Replay: Python Tools for Rapid Assessment of Bluetooth Low Energy Peripherals
  nccgroup's Bluetooth security assessment tools (BLESuite and BLE-Replay above)
- Bluekitchen BTstack
  An open-source, lightweight Bluetooth protocol stack
- 低功耗藍芽協定安全模糊測試框架 (Security fuzzing framework for the Bluetooth Low Energy protocol)
  A good article, but apparently not open-sourced
- Bluetooth® Profile Tuning Suite (PTS)
  Bluetooth SIG's official automated test tool
- Bluetooth: With Low Energy comes Low Security
  USENIX WOOT '13; the design of Ubertooth, BLE protocol details, hop following and key cracking
  https://github.com/mikeryan/crackle
  crackle, an offline BLE cracking tool
- SweynTooth: Unleashing Mayhem over Bluetooth Low Energy
  https://github.com/Matheus-Garbelini/sweyntooth_bluetooth_low_energy_attacks
  https://asset-group.github.io/disclosures/sweyntooth/
  USENIX ATC '20; the design of the SweynTooth tool and vulnerability discovery across many Bluetooth chips; "over the air" fuzzing
- Frankenstein: Advanced Wireless Fuzzing to Exploit New Bluetooth Escalation Targets
  https://insinuator.net/2020/04/cve-2020-0022-an-android-8-0-9-0-bluetooth-zero-click-rce-bluefrag/
  USENIX Security '20; the design of the Frankenstein tool and the Android Bluetooth RCE vulnerability BlueFrag, focused mainly on Broadcom chips
  A QEMU-based emulated execution environment; fuzzing is more efficient than "over the air", and it is compared with Unicorn Engine
- https://www.synopsys.com/blogs/software-security/sweyntooth-bluetooth-vulnerabilities-fuzz-testing/
- https://www.synopsys.com/software-integrity/security-testing/fuzz-testing.html
- https://www.synopsys.com/content/dam/synopsys/sig-assets/datasheets/ds-defensics-fuzztesting.pdf