Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/fO-000/bluescan
An intelligence gathering tool for hacking Bluetooth
https://github.com/fO-000/bluescan
android ble bluetooth bluetooth-classic br-edr hacking hacking-tool intelligent-gathering iot linux python scanner security spoofing
Last synced: about 2 months ago
JSON representation
An intelligence gathering tool for hacking Bluetooth
- Host: GitHub
- URL: https://github.com/fO-000/bluescan
- Owner: fO-000
- License: gpl-3.0
- Created: 2019-09-18T09:46:13.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2023-04-23T09:44:31.000Z (over 1 year ago)
- Last Synced: 2024-04-09T23:49:40.319Z (5 months ago)
- Topics: android, ble, bluetooth, bluetooth-classic, br-edr, hacking, hacking-tool, intelligent-gathering, iot, linux, python, scanner, security, spoofing
- Language: Python
- Homepage:
- Size: 6.57 MB
- Stars: 680
- Watchers: 19
- Forks: 98
- Open Issues: 11
-
Metadata Files:
- Readme: README-cn.md
- License: LICENSE.txt
Awesome Lists containing this project
README
Bluing
为 hack 蓝牙而生的情报收集工具
%20%7C%20Kali%202022.4%20(x64)%20%7C%20Kali%20NetHunter%202022.4%20(aarch64)-brightgreen)
Bluing(前身为 [bluescan](https://pypi.org/project/bluescan/))是一个主要基于 Python 实现的蓝牙情报收集工具。它可以帮助我们窥探蓝牙这种复杂协议的内部结构或是 hack 蓝牙设备。其主要特性如下:
## 安装
Bluing 部分依赖 Linux 官方的 [BlueZ](http://www.bluez.org/) 蓝牙协议栈,因此它仅支持在 Linux 上运行。执行如下命令可安装依赖包:
```sh
sudo apt install python3-pip python3-dev libcairo2-dev libgirepository1.0-dev \
libbluetooth-dev libdbus-1-dev bluez-tools python3-cairo-dev \
rfkill meson patchelf bluez ubertooth adb python-is-python3
```
目前 bluing 的分发途径是 [PyPI](https://pypi.org/project/bluing/),且仅支持 Python 3.10。安装命令如下:
```sh
sudo pip3.10 install bluing
```
## 使用
> * 神说:“要有**彩色**。”就有了[**彩色**](https://fo-000.github.io/bluing/index-cn.html#-使用)。
> * 可以先了解下[推荐的硬件](https://fo-000.github.io/bluing/index-cn.html#-硬件推荐)。
$ bluing --help
An intelligence gathering tool for hacking Bluetooth
Usage:
bluing [-h | --help]
bluing (-v | --version)
bluing [-i <hci>] --clean BD_ADDR
bluing --flash-micro-bit
bluing <command> [<args>...]
Arguments:
BD_ADDR Bluetooth device address
Options:
-h, --help Print this help and quit
-v, --version Print version information and quit
-i <hci> HCI device
--clean Clean cached data of a remote device
--flash-micro-bit Download the dedicated firmware to micro:bit(s)
Commands:
br Basic Rate system, includes an optional Enhanced Data Rate (EDR) extension
le Low Energy system
android Android Bluetooth stack
spoof Spoof with new local device information
plugin Manage plugins
Run `bluing <command> --help` for more information on a command.
### `br` 命令:Basic Rate system
$ bluing br --help
Usage:
bluing br [-h | --help]
bluing br [-i <hci>] [--inquiry-len=<n>] --inquiry
bluing br [-i <hci>] --sdp BD_ADDR
bluing br [-i <hci>] --local --sdp
bluing br [-i <hci>] --lmp-features BD_ADDR
bluing br [-i <hci>] --local --lmp-features
bluing br [-i <hci>] --stack BD_ADDR
bluing br [-i <hci>] --local --stack
bluing br [-i <hci>] [--inquiry-scan] --mon-incoming-conn
bluing br --org=<name> --timeout=<sec> --sniff-and-guess-bd-addr
Arguments:
BD_ADDR BR/EDR Bluetooth device address
Options:
-h, --help Print this help and quit
-i <hci> HCI device
--local Target a local BR/EDR device instead of a remote one
--inquiry Discover other nearby BR/EDR controllers
--inquiry-len=<n> Maximum amount of time (added to --ext-inquiry-len=<n>)
specified before the Inquiry is halted.
Time = n * 1.28 s
Time range: 1.28 to 61.44 s
Range of n: 0x01 to 0x30 [default: 8]
--ext-inquiry-len=<n> Extended_Inquiry_Length measured in number of
Baseband slots.
Interval Length = n * 0.625 ms (1 Baseband slot)
Time Range: 0 to 40.9 s
Range of n: 0x0000 to 0xFFFF [default: 0]
--sdp Retrieve information from the SDP database of a
remote BR/EDR device
--lmp-features Read LMP features of a remote BR/EDR device
--stack Determine the Bluetooth stack type of a remote BR/EDR device
--mon-incoming-conn Print incoming connection from other nearby BR/EDR devices
--inquiry-scan Enable the Inquiry Scan
--sniff-and-guess-bd-addr Sniff SAPs of BD_ADDRs over the air, then guess the
address based on the organization name. Need at
least one Ubertooth device
--org=<name> An organization name in the OUI.txt
--timeout=<sec> Timeout in second(s)
#### `--inquiry`:发现附近其他的 BR/EDR 控制器
$ sudo bluing br --inquiry
[INFO] Discovering other nearby BR/EDR Controllers on hci0 for 10.24 sec
BD_ADDR: B0:C9:52:45:33:13 (GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP.,LTD)
Page scan repetition mode: 1 (R1)
Reserved: 0x02
CoD: 0x5a020c
Service Class: 0b1011010000
Telephony
Object Transfer
Capturing
Networking
Major Device Class: 0b00010, Phone
Clock offset: 0x50D5
RSSI: -61
Extended inquiry response:
Complete Local Name: old man phone
Complete List of 16-bit Service Class UUIDs
0x1105 OBEXObjectPush
0x110a AudioSource
0x110c A/V_RemoteControlTarget
0x110e A/V_RemoteControl
0x1112 Headset - Audio Gateway (AG)
0x1115 PANU
0x1116 NAP
0x111f HandsfreeAudioGateway
0x112d SIM_Access
0x112f Phonebook Access - PSE
0x1200 PnPInformation
0x1132 Message Access Server
Complete List of 32-bit Service Class UUIDs
None
Complete List of 128-bit Service Class UUIDs
A49EAA15-CB06-495C-9F4F-BB80A90CDF00
00000000-0000-0000-0000-000000000000
... ...
[INFO] Requesting the names of all discovered devices...
B0:C9:52:45:33:13 : old man phone
... ...
#### `--sdp`:检索远端 BD/EDR 设备的 SDP 数据库信息
$ sudo bluing br --sdp 34:13:46:23:6A:4D
Scanning ⠋
Number of service records: 18
Service Record
0x0000: ServiceRecordHandle (uint32)
0x0001000d
0x0001: ServiceClassIDList (sequence)
0x1105: OBEXObjectPush
0x0004: ProtocolDescriptorList (sequence)
0x0100: L2CAP
0x0003: RFCOMM
channel: 0x0c
0x0008: OBEX
0x0005: BrowseGroupList (sequence)
0x1002: PublicBrowseRoot
0x0009: BluetoothProfileDescriptorList (sequence)
0x1105: OBEXObjectPush v1.2
0x0100: ServiceName (guess) (text)
OBEX Object Push
0x0200: GoepL2CapPsm (guess) (uint16)
0x1023
0x0303: SupportedFormatsList (guess) (sequence)
0x01: vCard 2.1
0x02: vCard 3.0
0x03: vCal 1.0
0x04: iCal 2.0
0xff: Any type of object
... ...
#### `--lmp-features`:读取远端 BR/EDR 设备的 LMP 特性
$ sudo bluing br --lmp-features 6A:8D:99:33:56:AE
Version
Version:
Bluetooth Core Specification 5.2 (LMP)
Bluetooth Core Specification 5.2 (LL)
Manufacturer name: HiSilicon Technologies CO., LIMITED
Subversion: 33561
LMP features
3 slot packets: True
5 slot packets: True
Encryption: True
Slot offset: True
Timing accuracy: True
Role switch: True
Hold mode: False
Sniff mode: True
Previously used: False
Power control requests: True
Channel quality driven data rate (CQDDR): True
... ...
Extended LMP features
Page 1
Secure Simple Pairing (Host Support): True
LE Supported (Host): True
Simultaneous LE and BR/EDR to Same Device Capable (Host): True
Secure Connections (Host Support): True
Page 2
Connectionless Slave Broadcast - Master Operation: False
Connectionless Slave Broadcast - Slave Operation: False
Synchronization Train: False
Synchronization Scan: False
HCI_Inquiry_Response_Notification event: True
... ...
#### `--mon-incoming-conn`:打印附近其他 BR/EDR 设备进来的连接
$ sudo bluing br --inquiry-scan --mon-incoming-conn
[INFO] Inquiry_Scan_Interval: 4096, 2560.0 ms
Inquiry_Scan_Window: 4096, 2560.0 ms
[INFO] Inquiry Scan and Page Scan enabled
A0:DE:0F:99:EF:78 incoming
CoD: 0x5a020c
Service Class: 0b1011010000
Telephony
Object Transfer
Capturing
Networking
Major Device Class: 0b00010, Phone
link type: 0x01 - ACL
... ...
#### `--sniff-and-guess-bd-addr`:嗅探并推测附近的 BD_ADDR
$ bluing br --org='Huawei Device Co., Ltd.' --timeout=600 --sniff-and-guess-bd-addr
[INFO] Possible BD_ADDR(s) for ??:??:99:4C:45:C3
24:A7:99:4C:45:C3
[INFO] Possible BD_ADDR(s) for ??:??:E4:2D:69:EE
BC:1A:E4:2D:69:EE
D0:05:E4:2D:69:EE
30:AA:E4:2D:69:EE
[INFO] Possible BD_ADDR(s) for ??:??:15:60:81:7F
64:23:15:60:81:7F
D4:74:15:60:81:7F
... ...
### `le` 命令:Low Energy system
$ bluing le --help
Usage:
bluing le [-h | --help]
bluing le [-i <hci>] [--scan-type=<type>] [--timeout=<sec>] [--sort=<key>] --scan
bluing le [-i <hci>] --pairing-feature [--timeout=<sec>] [--addr-type=<type>] PEER_ADDR
bluing le [-i <hci>] --ll-feature-set [--timeout=<sec>] [--addr-type=<type>] PEER_ADDR
bluing le [-i <hci>] --gatt [--io-cap=<name>] [--addr-type=<type>] PEER_ADDR
bluing le [-i <hci>] --local --gatt
bluing le [-i <hci>] --mon-incoming-conn
bluing le [--channel=<num>] --sniff-adv
Arguments:
PEER_ADDR LE Bluetooth device address
Options:
-h, --help Print this help and quit
-i <hci> HCI device
--scan Discover advertising devices nearby
--scan-type=<type> The type of scan to perform. active or passive [default: active]
--sort=<key> Sort the discovered devices by key, only support RSSI
now [default: rssi]
--ll-feature-set Read LL FeatureSet of a remote LE device
--pairing-feature Request the pairing feature of a remote LE device
--timeout=<sec> Duration of the LE scanning, but may not be precise [default: 10]
--gatt Discover GATT Profile hierarchy of a remote LE device
--io-cap=<name> Set IO capability of the agent. Available value:
DisplayOnly, DisplayYesNo, KeyboardOnly, NoInputNoOutput,
KeyboardDisplay (KeyboardOnly) [default: NoInputNoOutput]
--addr-type=<type> Type of the LE address, public or random
--sniff-adv Sniff advertising physical channel PDU. Need at least
one micro:bit
--channel=<num> LE advertising physical channel, 37, 38 or 39 [default: 37,38,39]
--device=</dev/tty> Device to use, comma separated (e.g., /dev/ttyUSB0,/dev/ttyUSB1,/dev/ttyUSB2)
Only needed if using NRF51 devices other than micro:bit (e.g., Bluefruit)
#### `--scan`:发现附近正在 advertising 的设备
$ sudo bluing le --scan
[WARNING] You might want to spoof your LE address before doing an active scan
[INFO] LE active scanning on hci0 for 10 sec
Scanning ⠴
----------------LE Devices Scan Result----------------
Addr: 74:A3:4A:D4:78:55 (ZIMI CORPORATION)
Addr type: public
Connectable: True
RSSI: -68 dBm
General Access Profile:
Flags:
LE General Discoverable Mode
BR/EDR Not Supported
Service Data - 16-bit UUID:
UUID: 0x95FE
Data: 9055990701b743e34aa3740e00
Appearance: 0000
Tx Power Level: 0 dBm (pathloss 68 dBm)
Complete Local Name: Mesh Mi Switch
... ...
#### `--ll-feature-set`:读取远端 LE 设备的 LL FeatureSet
$ sudo bluing le --ll-feature-set --addr-type=public 18:D9:8F:77:24:F1
[INFO] Reading LL FeatureSet of 18:D9:8F:77:24:F1 on hci0
Reading ⠼
LE LL Features:
LE Encryption: True
Connection Parameters Request Procedure: False
Extended Reject Indication: False
Slave-initiated Features Exchange: False
LE Ping: False
LE Data Packet Length Extension: True
LL Privacy: False
Extended Scanner Filter Policies: False
LE 2M PHY: False
Stable Modulation Index - Transmitter: False
Stable Modulation Index - Receiver: False
... ...
#### `--pairing-feature`:请求远端 LE 设备的 pairing feature
$ sudo bluing le --pairing-feature --addr-type=public 18:D9:8F:77:24:F1
[INFO] Requesting pairing feature of 18:D9:8F:77:24:F1 on hci0
Requesting ⠧
Pairing Response
IO Capability: 0x03 - NoInputNoOutput
OOB data flag: 0x00 - Not Present
AuthReq: 0x01
Maximum Encryption Key Size: 16
Initiator Key Distribution: 0x00
EncKey: False
IdKey: False
SignKey: False
LinkKey: False
RFU: 0b0000
Responder Key Distribution: 0x01
EncKey: True
IdKey: False
SignKey: False
LinkKey: False
RFU: 0b0000
#### `--gatt`:发现远端 LE 设备 GATT Profile 的层次结构
$ sudo bluing le --gatt --addr-type=public 18:D9:8F:77:24:F1
Connecting ⠋
Discovering all primary services ⠏
Discovering all characteristics of service 0x0001 ⠹
... ...
Discovering all descriptors of characteristic 0x0002 ⠼
... ...
Reading value of the descriptor 0x0013 ⠴
... ...
----------------GATT Scan Result----------------
Number of services: 6
Service (0x0100 - 0x0112, 7 characteristics)
Declaration
Handle: 0x0100
Type: 2800 (Primary Service declaration)
Value: 1812 (Human Interface Device)
Permissions: Read (no authen/author)
Characteristic (2 descriptors)
Declaration
Handle: 0x010d
Type: 2803 (Characteristic declaration)
Value:
Properties: Read, Write Without Response, Write, Notify
Handle: 0x010e
UUID: 2A4D (Report)
Permissions: Read (no authen/author)
Value
Handle: 0x0302
Type: 4A02 (Unknown)
Value: Read Not Permitted
Permissions: Higher layer specific
Descriptor
Handle: 0x010f
Type: 2902 (Client Characteristic Configuration declaration)
Value: b'\x00\x00'
Permissions: Read (no authen/author), Write (higher layer specifies authen/author)
... ...
#### `--sniff-adv`:嗅探 advertising physical channel PDU
$ sudo bluing le --sniff-adv
[INFO] Using micro:bit /dev/ttyACM2 on channel 37
[INFO] Using micro:bit /dev/ttyACM1 on channel 38
[INFO] Using micro:bit /dev/ttyACM0 on channel 39
[INFO] micro:bit 38 < Ready -> Start
[INFO] micro:bit 37 < Ready -> Start
[INFO] micro:bit 39 < Ready -> Start
[38] [ADV_NONCONN_IND]
random AdvA: 28:7A:88:B2:35:0B
[39] [ADV_IND]
public AdvA: A4:E4:72:B1:CB:8D
[37] [SCAN_REQ]
random ScanA: 6A:90:0C:07:3E:14
random AdvA: 7D:9B:A8:5A:F2:81
... ...
### `android` 命令: Android 蓝牙协议栈
$ bluing android --help
Usage:
bluing android [-h | --help]
bluing android [-t <id>] --collect-btsnoop-log [-o <file>]
Options:
-h, --help Display this help and quit
-t <id> Use android device with given transport id. This option
will be ignored when only one device is available
--collect-btsnoop-log Collect the btsnoop log being generated to a local file,
default ./btsnoop_hci.log
-o <file> Place the output into [default: ./btsnoop_hci.log]
#### `--collect-btsnoop-log`: 收集正在产生的 btsnoop log
$ bluing android -t 3 --collect-btsnoop-log -o btsnoop_hci.log; file btsnoop_hci.log
btsnoop_hci.log: BTSnoop version 1, HCI UART (H4)
### `spoof` 命令:使用新的设备信息做欺骗
$ bluing spoof --help
Usage:
bluing spoof [-h | --help]
bluing spoof [-i <hci>] --bd-addr=<BD_ADDR>
bluing spoof [-i <hci>] --cls-of-dev=<num>
bluing spoof --host-name=<name>
bluing spoof [-i <hci>] --alias=<alias>
Options:
-h, --help Print this help and quit
-i <hci> HCI device
--bd-addr=<BD_ADDR> Spoof with a new BD_ADDR
--cls-of-dev=<num> Spoof with a new Class of Device
--host-name=<name> Spoof with a new host name
--alias=<alias> Spoof with a new alias
#### `--bd-addr=`:使用新的设备地址做欺骗
该功能当前基于 `spooftooph` 完成。如果在 Kali Linux 上使用它,先执行 `sudo apt install spooftooph` 即可完成安装。但在 Ubuntu 上使用时,则需要手动编译安装 [`spooftooph`](https://gitlab.com/kalilinux/packages/spooftooph)。
$ sudo bluing spoof --bd-addr=AA:BB:CC:DD:EE:FF
[WARNING] The original HCI device number may have been changed
[INFO] BD_ADDR changed: 11:22:33:44:55:66 -> AA:BB:CC:DD:EE:FF
#### `--cls-of-dev=`:使用新的设备类型做欺骗
$ sudo bluing spoof --cls-of-dev=0x6c0100
No output when successful
#### `--host-name=`:使用新的主机名做欺骗
$ sudo bluing spoof --host-name=Bluing
No output when successful
#### `--alias=`:使用新的控制器别名做欺骗
$ sudo bluing spoof --alias='Bluing Alias'
No output when successful
### `plugin` 命令:插件管理
$ bluing plugin --help
$ bluing plugin --help
Usage:
bluing plugin [-h | --help]
bluing plugin <command> [<args>...]
Options:
-h, --help Display this help and quit
Commands:
list List installed plugins
install Install a plugin
uninstall Uninstall a plugin
run Run a plugin
## 硬件推荐
### 蓝牙适配器
很多 bluing 功能都需要访问蓝牙适配器。虽然可以使用 Linux 物理机自带的适配器或让 Linux 虚拟机**独占**宿主机的适配器,但是为了更稳定地运行 bluing,仍建议使用外接的 USB 蓝牙适配器,比如 [Parani UD100-G03](http://www.senanetworks.com/ud100-g03.html)。
### Original micro:bit(可选)
Bluing 在嗅探 advertising physical channel PDU 时 ([`le --sniff-adv`](https://fo-000.github.io/bluing/index-cn.html#--sniff-adv%E5%97%85%E6%8E%A2-advertising-physical-channel-pdu)),至少需要 1 块 [original micro:bit](https://microbit.org/get-started/user-guide/overview/#original-micro:bit),且推荐同时使用 3 块。这些 micro:bit 需要运行 bluing 提供的专用固件。将 micro:bit 接入 Linux 后,执行如下命令便可刷写预先构建好的固件:
bluing --flash-micro-bit
除了 original micro:bit,使用 nRF51822 的其他板子也可以被支持,比如 Adafruit Bluefruit LE Friend 和 BLE400 with Core51822,但可能需要修改串口引脚的对应关系。
### Ubertooth One(可选)
当嗅探并推测附近的 BD_ADDR 时 ([`br --sniff-and-guess-bd-addr`](https://fo-000.github.io/bluing/index-cn.html#--sniff-and-guess-bd-addr%E5%97%85%E6%8E%A2%E5%B9%B6%E6%8E%A8%E6%B5%8B%E9%99%84%E8%BF%91%E7%9A%84-bd_addr)),bluing 需要用到一块 [Ubertooth One](https://greatscottgadgets.com/ubertoothone/)。
## FAQ
### `rfkill` 无法找到 hci0
异常消息如下:
```txt
Exception: Can't find the ID of hci0 in rfkill
```
该异常可能因为老版本的 rfkill 不支持 `-r` 和 `-n` 选项而导致,比如:
$ cat /etc/os-release | head -n 2
NAME="Ubuntu"
VERSION="16.10 (Yakkety Yak)"
$ rfkill --version
rfkill 0.5-1ubuntu3 (Ubuntu)
此时升级 rfkill 到较新的版本可以解决该问题,比如:
$ cat /etc/os-release | head -n 2
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
$ rfkill --version
rfkill from util-linux 2.38.1
### 管理命令 `scanend` 执行失败了
错误消息如下:
```txt
ERROR: Failed to execute management command 'scanend' (code: 11, error: Rejected)
```
可通过重启 Bluetooth 服务尝试解决该问题。命令如下:
sudo systemctl restart bluetooth.service