Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/fO-000/bluing

An intelligence gathering tool for hacking Bluetooth
https://github.com/fO-000/bluing

android ble bluetooth bluetooth-classic br-edr hacking hacking-tool intelligent-gathering iot linux python scanner security spoofing

Last synced: about 1 month ago
JSON representation

An intelligence gathering tool for hacking Bluetooth

Awesome Lists containing this project

README

        

Bluing


为 hack 蓝牙而生的情报收集工具


English · 简体中文








Bluing(前身为 [bluescan](https://pypi.org/project/bluescan/))是一个主要基于 Python 实现的蓝牙情报收集工具。它可以帮助我们窥探蓝牙这种复杂协议的内部结构或是 hack 蓝牙设备。其主要特性如下:

![](https://raw.githubusercontent.com/fO-000/bluing/master/assets/bluing-features-mermaid-mindmap-cn.svg)

## 安装

Bluing 部分依赖 Linux 官方的 [BlueZ](http://www.bluez.org/) 蓝牙协议栈,因此它仅支持在 Linux 上运行。执行如下命令可安装依赖包:

```sh
sudo apt install python3-pip python3-dev libcairo2-dev libgirepository1.0-dev \
libbluetooth-dev libdbus-1-dev bluez-tools python3-cairo-dev \
rfkill meson patchelf bluez ubertooth adb python-is-python3
```

目前 bluing 的分发途径是 [PyPI](https://pypi.org/project/bluing/),且仅支持 Python 3.10。安装命令如下:

```sh
sudo pip3.10 install bluing
```

## 使用

> * 神说:“要有**彩色**。”就有了[**彩色**](https://fo-000.github.io/bluing/index-cn.html#-使用)。
> * 可以先了解下[推荐的硬件](https://fo-000.github.io/bluing/index-cn.html#-硬件推荐)。

$ bluing --help


An intelligence gathering tool for hacking Bluetooth

Usage:
bluing [-h | --help]
bluing (-v | --version)
bluing [-i &lthci>] --clean BD_ADDR
bluing --flash-micro-bit
bluing &ltcommand> [&ltargs>...]

Arguments:
BD_ADDR Bluetooth device address

Options:
-h, --help Print this help and quit
-v, --version Print version information and quit
-i &lthci> HCI device
--clean Clean cached data of a remote device
--flash-micro-bit Download the dedicated firmware to micro:bit(s)

Commands:
br Basic Rate system, includes an optional Enhanced Data Rate (EDR) extension
le Low Energy system
android Android Bluetooth stack
spoof Spoof with new local device information
plugin Manage plugins

Run `bluing &ltcommand> --help` for more information on a command.

### `br` 命令:Basic Rate system

$ bluing br --help


Usage:
bluing br [-h | --help]
bluing br [-i &lthci>] [--inquiry-len=&ltn>] --inquiry
bluing br [-i &lthci>] --sdp BD_ADDR
bluing br [-i &lthci>] --local --sdp
bluing br [-i &lthci>] --lmp-features BD_ADDR
bluing br [-i &lthci>] --local --lmp-features
bluing br [-i &lthci>] --stack BD_ADDR
bluing br [-i &lthci>] --local --stack
bluing br [-i &lthci>] [--inquiry-scan] --mon-incoming-conn
bluing br --org=&ltname> --timeout=&ltsec> --sniff-and-guess-bd-addr

Arguments:
BD_ADDR BR/EDR Bluetooth device address

Options:
-h, --help Print this help and quit
-i &lthci> HCI device
--local Target a local BR/EDR device instead of a remote one
--inquiry Discover other nearby BR/EDR controllers
--inquiry-len=&ltn> Maximum amount of time (added to --ext-inquiry-len=&ltn>)
specified before the Inquiry is halted.
Time = n * 1.28 s
Time range: 1.28 to 61.44 s
Range of n: 0x01 to 0x30 [default: 8]
--ext-inquiry-len=&ltn> Extended_Inquiry_Length measured in number of
Baseband slots.
Interval Length = n * 0.625 ms (1 Baseband slot)
Time Range: 0 to 40.9 s
Range of n: 0x0000 to 0xFFFF [default: 0]
--sdp Retrieve information from the SDP database of a
remote BR/EDR device
--lmp-features Read LMP features of a remote BR/EDR device
--stack Determine the Bluetooth stack type of a remote BR/EDR device
--mon-incoming-conn Print incoming connection from other nearby BR/EDR devices
--inquiry-scan Enable the Inquiry Scan
--sniff-and-guess-bd-addr Sniff SAPs of BD_ADDRs over the air, then guess the
address based on the organization name. Need at
least one Ubertooth device
--org=&ltname> An organization name in the OUI.txt
--timeout=&ltsec> Timeout in second(s)

#### `--inquiry`:发现附近其他的 BR/EDR 控制器

$ sudo bluing br --inquiry


[INFO] Discovering other nearby BR/EDR Controllers on hci0 for 10.24 sec

BD_ADDR: B0:C9:52:45:33:13 (GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP.,LTD)
Page scan repetition mode: 1 (R1)
Reserved: 0x02
CoD: 0x5a020c
Service Class: 0b1011010000
Telephony
Object Transfer
Capturing
Networking
Major Device Class: 0b00010, Phone
Clock offset: 0x50D5
RSSI: -61
Extended inquiry response:
Complete Local Name: old man phone
Complete List of 16-bit Service Class UUIDs
0x1105 OBEXObjectPush
0x110a AudioSource
0x110c A/V_RemoteControlTarget
0x110e A/V_RemoteControl
0x1112 Headset - Audio Gateway (AG)
0x1115 PANU
0x1116 NAP
0x111f HandsfreeAudioGateway
0x112d SIM_Access
0x112f Phonebook Access - PSE
0x1200 PnPInformation
0x1132 Message Access Server
Complete List of 32-bit Service Class UUIDs
None
Complete List of 128-bit Service Class UUIDs
A49EAA15-CB06-495C-9F4F-BB80A90CDF00
00000000-0000-0000-0000-000000000000
... ...

[INFO] Requesting the names of all discovered devices...
B0:C9:52:45:33:13 : old man phone
... ...

#### `--sdp`:检索远端 BD/EDR 设备的 SDP 数据库信息

$ sudo bluing br --sdp 34:13:46:23:6A:4D


Scanning
Number of service records: 18

Service Record
0x0000: ServiceRecordHandle (uint32)
0x0001000d
0x0001: ServiceClassIDList (sequence)
0x1105: OBEXObjectPush
0x0004: ProtocolDescriptorList (sequence)
0x0100: L2CAP
0x0003: RFCOMM
channel: 0x0c
0x0008: OBEX
0x0005: BrowseGroupList (sequence)
0x1002: PublicBrowseRoot
0x0009: BluetoothProfileDescriptorList (sequence)
0x1105: OBEXObjectPush v1.2
0x0100: ServiceName (guess) (text)
OBEX Object Push
0x0200: GoepL2CapPsm (guess) (uint16)
0x1023
0x0303: SupportedFormatsList (guess) (sequence)
0x01: vCard 2.1
0x02: vCard 3.0
0x03: vCal 1.0
0x04: iCal 2.0
0xff: Any type of object
... ...

#### `--lmp-features`:读取远端 BR/EDR 设备的 LMP 特性

$ sudo bluing br --lmp-features 6A:8D:99:33:56:AE


Version
Version:
Bluetooth Core Specification 5.2 (LMP)
Bluetooth Core Specification 5.2 (LL)
Manufacturer name: HiSilicon Technologies CO., LIMITED
Subversion: 33561

LMP features
3 slot packets: True
5 slot packets: True
Encryption: True
Slot offset: True
Timing accuracy: True
Role switch: True
Hold mode: False
Sniff mode: True
Previously used: False
Power control requests: True
Channel quality driven data rate (CQDDR): True
... ...

Extended LMP features
Page 1
Secure Simple Pairing (Host Support): True
LE Supported (Host): True
Simultaneous LE and BR/EDR to Same Device Capable (Host): True
Secure Connections (Host Support): True
Page 2
Connectionless Slave Broadcast - Master Operation: False
Connectionless Slave Broadcast - Slave Operation: False
Synchronization Train: False
Synchronization Scan: False
HCI_Inquiry_Response_Notification event: True
... ...

#### `--mon-incoming-conn`:打印附近其他 BR/EDR 设备进来的连接

$ sudo bluing br --inquiry-scan --mon-incoming-conn


[INFO] Inquiry_Scan_Interval: 4096, 2560.0 ms
Inquiry_Scan_Window: 4096, 2560.0 ms
[INFO] Inquiry Scan and Page Scan enabled

A0:DE:0F:99:EF:78 incoming
CoD: 0x5a020c
Service Class: 0b1011010000
Telephony
Object Transfer
Capturing
Networking
Major Device Class: 0b00010, Phone
link type: 0x01 - ACL
... ...

#### `--sniff-and-guess-bd-addr`:嗅探并推测附近的 BD_ADDR

$ bluing br --org='Huawei Device Co., Ltd.' --timeout=600 --sniff-and-guess-bd-addr


[INFO] Possible BD_ADDR(s) for ??:??:99:4C:45:C3
24:A7:99:4C:45:C3

[INFO] Possible BD_ADDR(s) for ??:??:E4:2D:69:EE
BC:1A:E4:2D:69:EE
D0:05:E4:2D:69:EE
30:AA:E4:2D:69:EE

[INFO] Possible BD_ADDR(s) for ??:??:15:60:81:7F
64:23:15:60:81:7F
D4:74:15:60:81:7F
... ...

### `le` 命令:Low Energy system

$ bluing le --help


Usage:
bluing le [-h | --help]
bluing le [-i &lthci>] [--scan-type=&lttype>] [--timeout=&ltsec>] [--sort=&ltkey>] --scan
bluing le [-i &lthci>] --pairing-feature [--timeout=&ltsec>] [--addr-type=&lttype>] PEER_ADDR
bluing le [-i &lthci>] --ll-feature-set [--timeout=&ltsec>] [--addr-type=&lttype>] PEER_ADDR
bluing le [-i &lthci>] --gatt [--io-cap=&ltname>] [--addr-type=&lttype>] PEER_ADDR
bluing le [-i &lthci>] --local --gatt
bluing le [-i &lthci>] --mon-incoming-conn
bluing le [--channel=&ltnum>] --sniff-adv

Arguments:
PEER_ADDR LE Bluetooth device address

Options:
-h, --help Print this help and quit
-i &lthci> HCI device
--scan Discover advertising devices nearby
--scan-type=&lttype> The type of scan to perform. active or passive [default: active]
--sort=&ltkey> Sort the discovered devices by key, only support RSSI
now [default: rssi]
--ll-feature-set Read LL FeatureSet of a remote LE device
--pairing-feature Request the pairing feature of a remote LE device
--timeout=&ltsec> Duration of the LE scanning, but may not be precise [default: 10]
--gatt Discover GATT Profile hierarchy of a remote LE device
--io-cap=&ltname> Set IO capability of the agent. Available value:
DisplayOnly, DisplayYesNo, KeyboardOnly, NoInputNoOutput,
KeyboardDisplay (KeyboardOnly) [default: NoInputNoOutput]
--addr-type=&lttype> Type of the LE address, public or random
--sniff-adv Sniff advertising physical channel PDU. Need at least
one micro:bit
--channel=&ltnum> LE advertising physical channel, 37, 38 or 39 [default: 37,38,39]
--device=&lt/dev/tty> Device to use, comma separated (e.g., /dev/ttyUSB0,/dev/ttyUSB1,/dev/ttyUSB2)
Only needed if using NRF51 devices other than micro:bit (e.g., Bluefruit)

#### `--scan`:发现附近正在 advertising 的设备

$ sudo bluing le --scan


[WARNING] You might want to spoof your LE address before doing an active scan
[INFO] LE active scanning on hci0 for 10 sec
Scanning

----------------LE Devices Scan Result----------------
Addr: 74:A3:4A:D4:78:55 (ZIMI CORPORATION)
Addr type: public
Connectable: True
RSSI: -68 dBm
General Access Profile:
Flags:
LE General Discoverable Mode
BR/EDR Not Supported
Service Data - 16-bit UUID:
UUID: 0x95FE
Data: 9055990701b743e34aa3740e00
Appearance: 0000
Tx Power Level: 0 dBm (pathloss 68 dBm)
Complete Local Name: Mesh Mi Switch
... ...

#### `--ll-feature-set`:读取远端 LE 设备的 LL FeatureSet

$ sudo bluing le --ll-feature-set --addr-type=public 18:D9:8F:77:24:F1


[INFO] Reading LL FeatureSet of 18:D9:8F:77:24:F1 on hci0
Reading
LE LL Features:
LE Encryption: True
Connection Parameters Request Procedure: False
Extended Reject Indication: False
Slave-initiated Features Exchange: False
LE Ping: False
LE Data Packet Length Extension: True
LL Privacy: False
Extended Scanner Filter Policies: False
LE 2M PHY: False
Stable Modulation Index - Transmitter: False
Stable Modulation Index - Receiver: False
... ...

#### `--pairing-feature`:请求远端 LE 设备的 pairing feature

$ sudo bluing le --pairing-feature --addr-type=public 18:D9:8F:77:24:F1


[INFO] Requesting pairing feature of 18:D9:8F:77:24:F1 on hci0
Requesting
Pairing Response
IO Capability: 0x03 - NoInputNoOutput
OOB data flag: 0x00 - Not Present
AuthReq: 0x01
Maximum Encryption Key Size: 16
Initiator Key Distribution: 0x00
EncKey: False
IdKey: False
SignKey: False
LinkKey: False
RFU: 0b0000
Responder Key Distribution: 0x01
EncKey: True
IdKey: False
SignKey: False
LinkKey: False
RFU: 0b0000

#### `--gatt`:发现远端 LE 设备 GATT Profile 的层次结构

$ sudo bluing le --gatt --addr-type=public 18:D9:8F:77:24:F1


Connecting
Discovering all primary services
Discovering all characteristics of service 0x0001
... ...
Discovering all descriptors of characteristic 0x0002
... ...
Reading value of the descriptor 0x0013
... ...

----------------GATT Scan Result----------------
Number of services: 6

Service (0x0100 - 0x0112, 7 characteristics)
Declaration
Handle: 0x0100
Type: 2800 (Primary Service declaration)
Value: 1812 (Human Interface Device)
Permissions: Read (no authen/author)

Characteristic (2 descriptors)
Declaration
Handle: 0x010d
Type: 2803 (Characteristic declaration)
Value:
Properties: Read, Write Without Response, Write, Notify
Handle: 0x010e
UUID: 2A4D (Report)
Permissions: Read (no authen/author)

Value
Handle: 0x0302
Type: 4A02 (Unknown)
Value: Read Not Permitted
Permissions: Higher layer specific

Descriptor
Handle: 0x010f
Type: 2902 (Client Characteristic Configuration declaration)
Value: b'\x00\x00'
Permissions: Read (no authen/author), Write (higher layer specifies authen/author)
... ...

#### `--sniff-adv`:嗅探 advertising physical channel PDU

$ sudo bluing le --sniff-adv


[INFO] Using micro:bit /dev/ttyACM2 on channel 37
[INFO] Using micro:bit /dev/ttyACM1 on channel 38
[INFO] Using micro:bit /dev/ttyACM0 on channel 39
[INFO] micro:bit 38 < Ready -> Start
[INFO] micro:bit 37 < Ready -> Start
[INFO] micro:bit 39 < Ready -> Start
[38] [ADV_NONCONN_IND]
random AdvA: 28:7A:88:B2:35:0B
[39] [ADV_IND]
public AdvA: A4:E4:72:B1:CB:8D
[37] [SCAN_REQ]
random ScanA: 6A:90:0C:07:3E:14
random AdvA: 7D:9B:A8:5A:F2:81
... ...

### `android` 命令: Android 蓝牙协议栈

$ bluing android --help


Usage:
bluing android [-h | --help]
bluing android [-t &ltid>] --collect-btsnoop-log [-o &ltfile>]

Options:
-h, --help Display this help and quit
-t &ltid> Use android device with given transport id. This option
will be ignored when only one device is available
--collect-btsnoop-log Collect the btsnoop log being generated to a local file,
default ./btsnoop_hci.log
-o &ltfile> Place the output into [default: ./btsnoop_hci.log]

#### `--collect-btsnoop-log`: 收集正在产生的 btsnoop log

$ bluing android -t 3 --collect-btsnoop-log -o btsnoop_hci.log; file btsnoop_hci.log


btsnoop_hci.log: BTSnoop version 1, HCI UART (H4)

### `spoof` 命令:使用新的设备信息做欺骗

$ bluing spoof --help


Usage:
bluing spoof [-h | --help]
bluing spoof [-i &lthci>] --bd-addr=&ltBD_ADDR>
bluing spoof [-i &lthci>] --cls-of-dev=&ltnum>
bluing spoof --host-name=&ltname>
bluing spoof [-i &lthci>] --alias=&ltalias>

Options:
-h, --help Print this help and quit
-i &lthci> HCI device
--bd-addr=&ltBD_ADDR> Spoof with a new BD_ADDR
--cls-of-dev=&ltnum> Spoof with a new Class of Device
--host-name=&ltname> Spoof with a new host name
--alias=&ltalias> Spoof with a new alias

#### `--bd-addr=`:使用新的设备地址做欺骗

该功能当前基于 `spooftooph` 完成。如果在 Kali Linux 上使用它,先执行 `sudo apt install spooftooph` 即可完成安装。但在 Ubuntu 上使用时,则需要手动编译安装 [`spooftooph`](https://gitlab.com/kalilinux/packages/spooftooph)。

$ sudo bluing spoof --bd-addr=AA:BB:CC:DD:EE:FF


[WARNING] The original HCI device number may have been changed
[INFO] BD_ADDR changed: 11:22:33:44:55:66 -> AA:BB:CC:DD:EE:FF

#### `--cls-of-dev=`:使用新的设备类型做欺骗

$ sudo bluing spoof --cls-of-dev=0x6c0100


No output when successful

#### `--host-name=`:使用新的主机名做欺骗

$ sudo bluing spoof --host-name=Bluing


No output when successful

#### `--alias=`:使用新的控制器别名做欺骗

$ sudo bluing spoof --alias='Bluing Alias'


No output when successful

### `plugin` 命令:插件管理

$ bluing plugin --help


$ bluing plugin --help

Usage:
bluing plugin [-h | --help]
bluing plugin &ltcommand> [&ltargs>...]

Options:
-h, --help Display this help and quit

Commands:
list List installed plugins
install Install a plugin
uninstall Uninstall a plugin
run Run a plugin

## 硬件推荐

### 蓝牙适配器

很多 bluing 功能都需要访问蓝牙适配器。虽然可以使用 Linux 物理机自带的适配器或让 Linux 虚拟机**独占**宿主机的适配器,但是为了更稳定地运行 bluing,仍建议使用外接的 USB 蓝牙适配器,比如 [Parani UD100-G03](http://www.senanetworks.com/ud100-g03.html)。

### Original micro:bit(可选)

Bluing 在嗅探 advertising physical channel PDU 时 ([`le --sniff-adv`](https://fo-000.github.io/bluing/index-cn.html#--sniff-adv%E5%97%85%E6%8E%A2-advertising-physical-channel-pdu)),至少需要 1 块 [original micro:bit](https://microbit.org/get-started/user-guide/overview/#original-micro:bit),且推荐同时使用 3 块。这些 micro:bit 需要运行 bluing 提供的专用固件。将 micro:bit 接入 Linux 后,执行如下命令便可刷写预先构建好的固件:


bluing --flash-micro-bit

除了 original micro:bit,使用 nRF51822 的其他板子也可以被支持,比如 Adafruit Bluefruit LE Friend 和 BLE400 with Core51822,但可能需要修改串口引脚的对应关系。

### Ubertooth One(可选)

当嗅探并推测附近的 BD_ADDR 时 ([`br --sniff-and-guess-bd-addr`](https://fo-000.github.io/bluing/index-cn.html#--sniff-and-guess-bd-addr%E5%97%85%E6%8E%A2%E5%B9%B6%E6%8E%A8%E6%B5%8B%E9%99%84%E8%BF%91%E7%9A%84-bd_addr)),bluing 需要用到一块 [Ubertooth One](https://greatscottgadgets.com/ubertoothone/)。

## FAQ

### `rfkill` 无法找到 hci0

异常消息如下:

```txt
Exception: Can't find the ID of hci0 in rfkill
```

该异常可能因为老版本的 rfkill 不支持 `-r` 和 `-n` 选项而导致,比如:


$ cat /etc/os-release | head -n 2
NAME="Ubuntu"
VERSION="16.10 (Yakkety Yak)"

$ rfkill --version
rfkill 0.5-1ubuntu3 (Ubuntu)

此时升级 rfkill 到较新的版本可以解决该问题,比如:


$ cat /etc/os-release | head -n 2
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"

$ rfkill --version
rfkill from util-linux 2.38.1

### 管理命令 `scanend` 执行失败了

错误消息如下:

```txt
ERROR: Failed to execute management command 'scanend' (code: 11, error: Rejected)
```

可通过重启 Bluetooth 服务尝试解决该问题。命令如下:


sudo systemctl restart bluetooth.service