Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/Telefonica/Airdrop-Crazy
Airdrop Crazy
https://github.com/Telefonica/Airdrop-Crazy
Last synced: about 1 month ago
JSON representation
Airdrop Crazy
- Host: GitHub
- URL: https://github.com/Telefonica/Airdrop-Crazy
- Owner: Telefonica
- License: gpl-3.0
- Created: 2019-10-29T11:24:45.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2020-05-15T09:10:41.000Z (over 4 years ago)
- Last Synced: 2024-09-28T00:44:50.792Z (3 months ago)
- Language: Python
- Size: 27.1 MB
- Stars: 56
- Watchers: 11
- Forks: 6
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-starz - Telefonica/Airdrop-Crazy - Airdrop Crazy (Python)
README
# Airdrop Crazy
[![Python Version][python-image]][python-url]
[![License][license-image]][license-url]
## Disclaimer
These scripts are experimental PoCs that show what an attacker get from Apple devices if they sniff Bluetooth traffic.
***This project is created only for educational purposes and cannot be used for law violation or personal gain.
The author of this project is not responsible for any possible harm caused by the materials of this project***
This project is a hard fork of the project created by the Hexway team called [Apple bleee](https://github.com/hexway/apple_bleee)
## Requirements
I have adapted those scripts deleting all the function that was not available and refactoring the scripts in order to use a more Pythonic and modern way to organize the code. Please read carefully the [OWL](https://github.com/seemoo-lab/owl) and [Opendrop](https://github.com/seemoo-lab/opendrop) documentation in order to understand what's going on underneath these scripts.
Also, you need for the airdrop part an **Active Monitor Network Card** as the Authors said, the **Atheros AR9280** should work but you can use the **TP-LINK Archer T2U/T1U** if you want a usb card.
We have tested the tool with Ubuntu 18.03 and Linux 5+ Kernel due to the TP-Link Archer requieremnets
## Installation
```
# clone main repo
git clone https://github.com/ElevenPaths/Airdrop-Crazy && cd ./airdrop_crazy
sudo ./install.sh [NGROK_AUTH_TOKEN] [IFACE]
```
**To change the wireless interface, bluetooth interface or channel just go to airdropcrazy/src/__init__.py**
### Raspberry
* Donwload this version of raspbian Buster: http://downloads.raspberrypi.org/raspbian/images/raspbian-2019-09-30/
* Download the firmware for the mediatech card TP-Link T2U: http://anduin.linuxfromscratch.org/sources/linux-firmware/mediatek/mt7610u.bin
* Copy the ``mt7610u.bin``firmawre to the raspberry path ``/lib/firmware/mediatek``
* Run ``sudo modprobe -r mt76x0`` and then ``sudo modprobe mt76x0``
## How to use
Before using the tool, check that your Bluetooth adapter is connected
```
hcitool dev
Devices:
hci0 XX:XX:XX:XX:XX:XX
```
Then make sure you have downloaded **owl** and you have a compatible network card that supports active framing.
There are two main ways to use the tool:
* **Server mode**: Follow the instructions to run the tool with the app and local server
* **CLI Scripts**: Run the scripts local with the cli
### Server Mode
In this mode, you need the companion iOS app to display the information, these are all the requirements:
* [Ngrok](https://ngrok.com): To expose the local server to the app, just follow the instructions in the webpage.
* [XCode](https://developer.apple.com/xcode/): To compile the SwiftUI project.
First you need to select the wirless interface in `airdrop_crazy/src/views.py`, in the code line `airdrop_leak = AirdropLeak(iface="")`
Then you need to
Now you just need to run the local server with ```bash bootstrap.sh``` or ```python3 app.py```.
And then scan the qr generated with the app.
### CLI: ble_read_script.py
This script sniffs `BLE` traffic and displays status messages from Apple devices.
Moreover, the tool detects requests for password sharing from Apple devices. In these packets, we can get first 3 bytes of sha256(phone_number) and could try to guess the original phone number using prepared tables with phone hash values.
```bash
python3 ble_read_state.py -h
usage: ble_read_state.py [-h] [-t TTL] [-b BLE_IFACE] [-w W_IFACE] [-s] [-a]
Apple bleee. Apple device sniffer
---chipik
optional arguments:
-h, --help show this help message and exit
-t TTL, --ttl TTL Time To Live
-b BLE_IFACE, --ble_iface BLE_IFACE
Bluetooth inteface
-w W_IFACE, --w_iface W_IFACE
Wireless Interface
-s, --ssid Get SSID from request
-a, --airdrop Get info from AWDL airdrop
-d, --debug Debug mode
```
For monitoring you can just run the script without any parameters
```bash
sudo python3 ble_read_state.py
```
press `Ctrl+q` to exit
### CLI: airdrop_leak.py
This script allows to get mobile phone number of any user who will try to send file via AirDrop
For this script, we'll need `AWDL` interface. **Never use owl with the -N flag as it could lead into problems, always check if you have active monitor mode**
Now, you can run the script
```bash
python3 airdrop_leak.py -h
usage: airdrop_leak.py [-h] [-n NAME] [-i IFACE] [-p PHONE] [-m MAIL]
AirPods advertise spoofing PoC
---chipik
optional arguments:
-h, --help show this help message and exit
-n NAME, --name NAME Name of the interface
-i IFACE, --iface IFACE
Wireless inteface
-p PHONE, --phone PHONE
phone
-m MAIL, --mail MAIL mail
```
With no params, the script just displays phone hash and ipv6 address of the sender
```bash
sudo python3 airdrop_leak.py
```
### CLI: adv_wifi.py
This script sends `BLE` messages with WiFi password sharing request. This PoC shows that an attacker can trigger a pop up message on the target device if he/she knows any phone/email that exists on the victim's device
```bash
python3 adv_wifi.py -h
usage: adv_wifi.py [-h] [-p PHONE] [-e EMAIL] [-a APPLEID] -s SSID
[-i INTERVAL]
WiFi password sharing spoofing PoC
---chipik
optional arguments:
-h, --help show this help message and exit
-p PHONE, --phone PHONE
Phone number (example: 39217XXX514)
-e EMAIL, --email EMAIL
Email address (example: [email protected])
-a APPLEID, --appleid APPLEID
Email address (example: [email protected])
-s SSID, --ssid SSID WiFi SSID (example: test)
-i INTERVAL, --interval INTERVAL
Advertising interval
```
For a WiFi password request, we'll need to specify any contact (email/phone) that exists in a victim's contacts and the SSID of a WiFi network the victim knows
```bash
sudo python3 adv_wifi.py -e [email protected] -s hexway
```
### CLI: adv_airpods.py
This script mimics AirPods by sending `BLE` messages
```bash
python3 adv_airpods.py -h
usage: adv_airpods.py [-h] [-i INTERVAL] [-r] [-b BLE_IFACE]
AirPods advertise spoofing PoC
---chipik
optional arguments:
-h, --help show this help message and exit
-i INTERVAL, --interval INTERVAL
Advertising interval
-r, --random Send random charge values
-b BLE_IFACE, --ble_iface BLE_IFACE
Bluetooth inteface
```
Let's send `BLE` messages with random charge values for headphones
```bash
sudo python3 adv_airpods.py -r
```
### Api phone
This service allows to build a service to request the hashed phones, just update the generate_number/generate_hashes functions in views.py to adapt to your phone number requirements.
## Troubleshooting
If you have problem finding your bluetooth dongle, might be an issue from bluez. Just run these commands:
``
sudo add-apt-repository ppa:bluetooth/bluez
sudo apt update
sudo apt install bluez
``
And restart your machine
If your are working in a virtual machine in macOS Catalina you might wanna change the default hci behaviour introduced with this command:
``
sudo nvram bluetoothHostControllerSwitchBehavior="never"
``
## Contacts
* [Lucas Fernandez](https://twitter.com/lucferbux)
* [Pablo Gonzalez](https://twitter.com/pablogonzalezpe)
[python-image]: https://img.shields.io/badge/Python-3.7-yellow
[python-url]: https://www.python.org
[license-image]: https://img.shields.io/badge/License-GPL-blue.svg
[license-url]: LICENSE