Exemple #1
0
    def masterPairingRandom(self, packet):
        if self.getStage() == BLEMitmStage.ACTIVE_MITM:
            io.info("Pairing Random (from master) : random = " +
                    packet.random.hex())
            io.info("Storing mRand : " + packet.random.hex())
            self.mRand = packet.random[::-1]
            m = utils.loadModule("ble_crack")
            m["MASTER_RAND"] = self.mRand.hex()
            m["PAIRING_REQUEST"] = self.pReq.hex()
            m["PAIRING_RESPONSE"] = self.pRes.hex()
            m["INITIATOR_ADDRESS_TYPE"] = "public" if self.initiatorAddressType == b"\x00" else "random"
            m["INITIATOR_ADDRESS"] = self.initiatorAddress
            m["RESPONDER_ADDRESS_TYPE"] = "public" if self.responderAddressType == b"\x00" else "random"
            m["RESPONDER_ADDRESS"] = self.responderAddress
            m["MASTER_CONFIRM"] = self.mConfirm.hex()

            output = m.run()
            if output["success"]:
                self.pin = int(output["output"]["PIN"])
                self.temporaryKey = bytes.fromhex(
                    output["output"]["TEMPORARY_KEY"])
            else:
                self.pin = 0
                self.temporaryKey = b"\x00" * 16
            io.info("Redirecting to slave ...")

            self.a2sEmitter.sendp(ble.BLEPairingRandom(random=packet.random))
Exemple #2
0
	def crackTemporaryKey(self):
		m = utils.loadModule("ble_crack")
		if ( 	self.mRand is not None and
			self.pReq is not None and
			self.pRes is not None and
			self.initiatorAddressType is not None and
			self.initiatorAddress is not None and
			self.responderAddressType is not None and
			self.responderAddress is not None and
			self.mConfirm is not None	):

			m["MASTER_RAND"] = self.mRand.hex()
			m["PAIRING_REQUEST"] = self.pReq.hex()
			m["PAIRING_RESPONSE"] = self.pRes.hex()
			m["INITIATOR_ADDRESS_TYPE"] = self.initiatorAddressType
			m["INITIATOR_ADDRESS"] = self.initiatorAddress
			m["RESPONDER_ADDRESS_TYPE"] = self.responderAddressType
			m["RESPONDER_ADDRESS"] = self.responderAddress
			m["MASTER_CONFIRM"] = self.mConfirm.hex()

			output = m.execute()
			if output["success"]:
				self.pin = int(output["output"]["PIN"])
				self.temporaryKey = bytes.fromhex(output["output"]["TEMPORARY_KEY"])
				return True

		return False
Exemple #3
0
    def run(self):
        self.initEmittersAndReceivers()
        if self.checkCapabilities():

            hijackingModule = utils.loadModule("ble_sniff")
            hijackingModule["INTERFACE"] = self.args["INTERFACE"]
            hijackingModule["INTERFACEA"] = self.args["INTERFACEA"]
            hijackingModule["INTERFACEB"] = self.args["INTERFACEB"]
            hijackingModule["SNIFFING_MODE"] = self.args["HIJACKING_MODE"]
            hijackingModule["TARGET"] = self.args["TARGET"]
            hijackingModule["ACCESS_ADDRESS"] = self.args["ACCESS_ADDRESS"]
            hijackingModule["CRC_INIT"] = self.args["CRC_INIT"]
            hijackingModule["CHANNEL_MAP"] = self.args["CHANNEL_MAP"]
            if self.args["ROLE"].lower() == "slave":
                hijackingModule["HIJACKING_SLAVE"] = "yes"
            elif self.args["ROLE"].lower() == "master":
                hijackingModule["HIJACKING_MASTER"] = "yes"
            else:
                io.fail("You have to indicate the role to hijack !")
                return self.nok()
            hijackingModule["JAMMING"] = "no"
            hijackingModule["CHANNEL"] = self.args["CHANNEL"]
            hijackingModule["PCAP_FILE"] = ""
            output = hijackingModule.execute()
            if output["success"]:
                return self.ok(output["output"])
            else:
                return self.nok()
        else:
            io.fail("Interface provided (" + str(self.args["INTERFACE"]) +
                    ") is not able to hijack a connection.")
            return self.nok()
Exemple #4
0
    def pairing(
        self,
        active: ["active", "passive"] = "active",
        parameters:
        "!method:_autocompletePairingParameters" = "inputOutput=yesno|authentication=bonding|ltk=112233445566778899aabbccddeeff|rand=1122334455667788|ediv=12"
    ):
        self.receiver.removeCallbacks()
        self.initializeCallbacks()
        parameters = {
            param.split("=")[0]: param.split("=")[1]
            for param in parameters.split("|")
        }
        pairModule = utils.loadModule("ble_pair")
        pairModule["INTERFACE"] = self.args["INTERFACE"]
        pairModule["MODE"] = "slave"
        pairModule["ACTIVE"] = "yes" if active == "active" else "no"
        pairModule["KEYBOARD"] = "yes" if (
            "inputOutput" in parameters
            and "keyboard" in parameters["inputOutput"]) else "no"
        pairModule["YESNO"] = "yes" if ("inputOutput" in parameters and "yesno"
                                        in parameters["inputOutput"]) else "no"
        pairModule["DISPLAY"] = "yes" if (
            "inputOutput" in parameters
            and "display" in parameters["inputOutput"]) else "no"
        pairModule["CT2"] = "yes" if (
            "authentication" in parameters
            and "ct2" in parameters["authentication"]) else "no"
        pairModule["MITM"] = "yes" if (
            "authentication" in parameters
            and "mitm" in parameters["authentication"]) else "no"
        pairModule["BONDING"] = "yes" if (
            "authentication" in parameters
            and "bonding" in parameters["authentication"]) else "no"
        pairModule["SECURE_CONNECTIONS"] = "yes" if (
            "authentication" in parameters
            and "secureConnections" in parameters["authentication"]) else "no"
        pairModule["KEYPRESS"] = "yes" if (
            "authentication" in parameters
            and "keypress" in parameters["authentication"]) else "no"
        pairModule["LTK"] = parameters["ltk"] if "ltk" in parameters else ""
        pairModule["EDIV"] = parameters["ediv"] if "ediv" in parameters else ""
        pairModule["RAND"] = parameters["rand"] if "rand" in parameters else ""
        pairModule["IRK"] = parameters["irk"] if "irk" in parameters else ""
        pairModule["ADDR"] = parameters["addr"] if "addr" in parameters else ""
        pairModule["ADDR_TYPE"] = parameters[
            "addrType"] if "addrType" in parameters else ""
        pairModule["CSRK"] = parameters["csrk"] if "csrk" in parameters else ""
        pairModule["PIN"] = parameters["pin"] if "pin" in parameters else ""

        io.chart(["Name", "Value"],
                 [[k, v] for k, v in pairModule.args.items()],
                 "Input parameters")
        output = pairModule.execute()
        if output["success"]:
            if active == "active":
                io.success("Active pairing enabled !")
            else:
                io.success("Passive pairing enabled !")
        else:
            io.fail("An error occured during pairing !")
Exemple #5
0
	def initEmittersAndReceivers(self):
		if self.args["MITM_STRATEGY"] == "injection" and "butterfly" in self.args["INTERFACE"]:
			sniffModule = utils.loadModule("ble_sniff")
			sniffModule["INTERFACE"] = self.args["INTERFACE"]
			sniffModule["SNIFFING_MODE"] = "newConnections"
			sniffModule["TARGET"] = self.args["TARGET"]
			sniffModule["MITMING"] = "yes"
			output = sniffModule.execute()
			if not output["success"]:
				return False
			else:
				self.args["INTERFACE1"] = output["output"]["INTERFACE1"]
				self.args["INTERFACE2"] = output["output"]["INTERFACE2"]

		attackerToSlaveInterface = self.args["INTERFACE1"]
		attackerToMasterInterface = self.args["INTERFACE2"]

		self.a2sEmitter = self.getEmitter(interface=attackerToSlaveInterface)
		self.a2sReceiver = self.getReceiver(interface=attackerToSlaveInterface)

		self.a2mEmitter = self.getEmitter(interface=attackerToMasterInterface)
		self.a2mReceiver = self.getReceiver(interface=attackerToMasterInterface)

		if self.args["MITM_STRATEGY"] != "injection":
			if not self.a2mEmitter.isAddressChangeable() and utils.booleanArg(self.args["SLAVE_SPOOFING"]):
				io.warning("Interface "+attackerToMasterInterface+" is not able to change its address : "
					   "Address spoofing will not be enabled !")

		return True
Exemple #6
0
    def scan(self, seconds="10", startChannel="0", endChannel="99"):
        if self.emitter.isAutoAckEnabled():
            io.fail("You can't launch a scan when AutoAck is enabled.")
        else:
            m = utils.loadModule('esb_scan')
            m['INTERFACE'] = self.args['INTERFACE']
            m['TIME'] = seconds
            m['START_CHANNEL'] = startChannel
            m['END_CHANNEL'] = endChannel

            output = m.execute()
            self.currentChannel = self.emitter.getChannel()
            self.updatePrompt(self.target if self.target is not None else "")
            self.emitter.enterSnifferMode(self.args["TARGET"])
            if output["success"]:
                self.targets = []

                counter = 1
                while True:
                    if "TARGET" + str(counter) in output["output"]:
                        self.targets.append(output["output"]["TARGET" +
                                                             str(counter)])
                        counter += 1
                    else:
                        break
Exemple #7
0
 def scanDevices():
     m = utils.loadModule('ble_locate')
     m['DEVICE_CALLBACK'] = onDeviceFound
     m['SCAN_TYPE'] = 'devices'
     m['WINDOW'] = '50'
     m['TIME'] = ''
     m.execute()
Exemple #8
0
 def scanConnections():
     m = utils.loadModule('ble_locate')
     m['CONNECTION_CALLBACK'] = onConnectionFound
     m['SCAN_TYPE'] = 'connections'
     m['WINDOW'] = '1'
     m['TIME'] = ''
     m.execute()
Exemple #9
0
 def scan(self,
          seconds='6',
          display: ["address", "name", "company", "flags",
                    "data"] = "address,name"):
     if self.checkScanningCapabilities():
         m = utils.loadModule('ble_scan')
         m['INTERFACE'] = self.args['INTERFACE']
         m['TIME'] = seconds
         m['DISPLAY'] = display
         output = m.execute()
         if output["success"]:
             self.targets = []
             if "ADVERTISING_ADDRESS" in output["output"]:
                 self.targets = [output["output"]["ADVERTISING_ADDRESS"]]
             else:
                 counter = 1
                 while True:
                     if "ADVERTISING_ADDRESS" + str(
                             counter) in output["output"]:
                         self.targets.append(
                             output["output"]["ADVERTISING_ADDRESS" +
                                              str(counter)])
                         counter += 1
                     else:
                         break
     else:
         io.fail("Interface provided (" + str(self.args["INTERFACE"]) +
                 ") is not able to scan devices.")
Exemple #10
0
	def discover(self,what:"!method:_autocompleteDiscoverWhat"="all",start="0x0001",end="0xFFFF",filterby:["type","value"]="",filter=""):
		if self.receiver.isConnected():
			m = utils.loadModule('ble_discover')
			m["WHAT"] = what
			m['INTERFACE'] = self.args['INTERFACE']
			m["START_HANDLE"] = start
			m["END_HANDLE"] = end
			m["FILTER_BY"] = filterby
			m["FILTER"] = filter
			m.execute()
		else:
			io.fail("No active connections !")
Exemple #11
0
	def connect(self,target:"!attribute:targets"="",connectionType:["public","random"]=""):
		if self.checkConnectionCapabilities():
			target = self.args['TARGET'] if target=="" else target
			connectionType = self.args['CONNECTION_TYPE'] if connectionType=="" else connectionType
			if target == "":
				io.fail("You have to enter a valid BD address.")
			else:
				m = utils.loadModule('ble_connect')
				m['TARGET'] = target
				m['CONNECTION_TYPE'] = connectionType
				m['INTERFACE'] = self.args['INTERFACE']
				m['WAITING_TIME'] = "3"

				if m.execute()["success"]:
					self.updatePrompt(target)
		else:
			io.fail("Interface provided ("+str(self.args["INTERFACE"])+") is not able to initiate a connection.")
Exemple #12
0
	def advertising(self,type:"!method:_autocompleteAdvertisingType"="ADV_IND",data="",scanData="",intervalMin="200", intervalMax="210"):
		advModule = utils.loadModule("ble_adv")
		advModule["INTERFACE"] = self.args["INTERFACE"]
		advModule["ADVERTISING_TYPE"] = type
		advModule["ADVERTISING_DATA"] = data
		advModule["SCANNING_DATA"] = scanData
		advModule["INTERVAL_MIN"] = intervalMin
		advModule["INTERVAL_MAX"] = intervalMax
		output = advModule.execute()
		if output["success"]:
			io.success(	"Currently advertising : <<type="+type+
					"|intervalMin="+intervalMin+
					"|intervalMax="+intervalMax+
					"|advData="+data+
					"|scanData="+scanData+">> "
					)
		else:
			io.fail("An error occured during advertisements configuration !")
Exemple #13
0
 def jamNewConnections(self):
     jammingModule = utils.loadModule("ble_sniff")
     jammingModule["INTERFACE"] = self.args["INTERFACE"]
     jammingModule["INTERFACEA"] = self.args["INTERFACEA"]
     jammingModule["INTERFACEB"] = self.args["INTERFACEB"]
     jammingModule["CHANNEL"] = self.args["CHANNEL"]
     jammingModule["HIJACKING"] = "no"
     jammingModule["JAMMING"] = "yes"
     jammingModule["TARGET"] = self.args["TARGET"]
     jammingModule["SNIFFING_MODE"] = "newConnections"
     jammingModule["ACCESS_ADDRESS"] = ""
     jammingModule["CRC_INIT"] = ""
     jammingModule["CHANNEL_MAP"] = ""
     jammingModule["PCAP_FILE"] = ""
     output = jammingModule.execute()
     if output["success"]:
         return self.ok(output["output"])
     else:
         return self.nok()
Exemple #14
0
def mockSlave():
    m = utils.loadModule('ble_slave')
    m['SCENARIO'] = 'MockSlave'
    m['INTERFACE'] = 'hci0'
    m.execute()
Exemple #15
0
def mockMaster():
    m = utils.loadModule('ble_master')
    m['SCENARIO'] = 'MockMaster'
    m['INTERFACE'] = 'hci1'
    m.execute()