Bluing (formerly bluescan) is a Bluetooth intelligence gathering tool implemented mainly in Python. It helps you look into the internals of the complex Bluetooth protocol or hack Bluetooth devices. Its main features are as follows:
Bluing partly depends on BlueZ, the official Linux Bluetooth stack, so it runs only on Linux. Install the dependency packages with:

```
sudo apt install python3-pip python3-dev libcairo2-dev libgirepository1.0-dev \
    libbluetooth-dev libdbus-1-dev bluez-tools python3-cairo-dev \
    rfkill meson patchelf bluez ubertooth adb python-is-python3
```
Bluing is currently distributed through PyPI and supports only Python 3.10. Install it with:

```
sudo pip3.10 install bluing
```
```
$ bluing --help
An intelligence gathering tool for hacking Bluetooth

Usage:
    bluing [-h | --help]
    bluing (-v | --version)
    bluing [-i <hci>] --clean BD_ADDR
    bluing --flash-micro-bit
    bluing <command> [<args>...]

Arguments:
    BD_ADDR    Bluetooth device address

Options:
    -h, --help           Print this help and quit
    -v, --version        Print version information and quit
    -i <hci>             HCI device
    --clean              Clean cached data of a remote device
    --flash-micro-bit    Download the dedicated firmware to micro:bit(s)

Commands:
    br         Basic Rate system, includes an optional Enhanced Data Rate (EDR) extension
    le         Low Energy system
    android    Android Bluetooth stack
    spoof      Spoof with new local device information
    plugin     Manage plugins

Run `bluing <command> --help` for more information on a command.
```
br command: Basic Rate system

```
$ bluing br --help
Usage:
    bluing br [-h | --help]
    bluing br [-i <hci>] [--inquiry-len=<n>] --inquiry
    bluing br [-i <hci>] --sdp BD_ADDR
    bluing br [-i <hci>] --local --sdp
    bluing br [-i <hci>] --lmp-features BD_ADDR
    bluing br [-i <hci>] --local --lmp-features
    bluing br [-i <hci>] --stack BD_ADDR
    bluing br [-i <hci>] --local --stack
    bluing br [-i <hci>] [--inquiry-scan] --mon-incoming-conn
    bluing br --org=<name> --timeout=<sec> --sniff-and-guess-bd-addr

Arguments:
    BD_ADDR    BR/EDR Bluetooth device address

Options:
    -h, --help                   Print this help and quit
    -i <hci>                     HCI device
    --local                      Target a local BR/EDR device instead of a remote one
    --inquiry                    Discover other nearby BR/EDR controllers
    --inquiry-len=<n>            Maximum amount of time (added to --ext-inquiry-len=<n>)
                                 specified before the Inquiry is halted.
                                 Time = n * 1.28 s
                                 Time range: 1.28 to 61.44 s
                                 Range of n: 0x01 to 0x30 [default: 8]
    --ext-inquiry-len=<n>        Extended_Inquiry_Length measured in number of Baseband slots.
                                 Interval Length = n * 0.625 ms (1 Baseband slot)
                                 Time Range: 0 to 40.9 s
                                 Range of n: 0x0000 to 0xFFFF [default: 0]
    --sdp                        Retrieve information from the SDP database of a remote BR/EDR device
    --lmp-features               Read LMP features of a remote BR/EDR device
    --stack                      Determine the Bluetooth stack type of a remote BR/EDR device
    --mon-incoming-conn          Print incoming connection from other nearby BR/EDR devices
    --inquiry-scan               Enable the Inquiry Scan
    --sniff-and-guess-bd-addr    Sniff SAPs of BD_ADDRs over the air, then guess the address
                                 based on the organization name. Need at least one Ubertooth device
    --org=<name>                 An organization name in the OUI.txt
    --timeout=<sec>              Timeout in second(s)
```
--inquiry: discover other nearby BR/EDR controllers

```
$ sudo bluing br --inquiry
[INFO] Discovering other nearby BR/EDR Controllers on hci0 for 10.24 sec
BD_ADDR: B0:C9:52:45:33:13 (GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP.,LTD)
Page scan repetition mode: 1 (R1)
Reserved: 0x02
CoD: 0x5a020c
    Service Class: 0b1011010000
        Telephony
        Object Transfer
        Capturing
        Networking
    Major Device Class: 0b00010, Phone
Clock offset: 0x50D5
RSSI: -61
Extended inquiry response:
    Complete Local Name: old man phone
    Complete List of 16-bit Service Class UUIDs
        0x1105 OBEXObjectPush
        0x110a AudioSource
        0x110c A/V_RemoteControlTarget
        0x110e A/V_RemoteControl
        0x1112 Headset - Audio Gateway (AG)
        0x1115 PANU
        0x1116 NAP
        0x111f HandsfreeAudioGateway
        0x112d SIM_Access
        0x112f Phonebook Access - PSE
        0x1200 PnPInformation
        0x1132 Message Access Server
    Complete List of 32-bit Service Class UUIDs
        None
    Complete List of 128-bit Service Class UUIDs
        A49EAA15-CB06-495C-9F4F-BB80A90CDF00
        00000000-0000-0000-0000-000000000000
... ...

[INFO] Requesting the names of all discovered devices...
B0:C9:52:45:33:13 : old man phone
... ...
```
--sdp: retrieve information from the SDP database of a remote BR/EDR device

```
$ sudo bluing br --sdp 34:13:46:23:6A:4D
Scanning ⠋
Number of service records: 18

Service Record
0x0000: ServiceRecordHandle (uint32)
    0x0001000d
0x0001: ServiceClassIDList (sequence)
    0x1105: OBEXObjectPush
0x0004: ProtocolDescriptorList (sequence)
    0x0100: L2CAP
    0x0003: RFCOMM
        channel: 0x0c
    0x0008: OBEX
0x0005: BrowseGroupList (sequence)
    0x1002: PublicBrowseRoot
0x0009: BluetoothProfileDescriptorList (sequence)
    0x1105: OBEXObjectPush v1.2
0x0100: ServiceName (guess) (text)
    OBEX Object Push
0x0200: GoepL2CapPsm (guess) (uint16)
    0x1023
0x0303: SupportedFormatsList (guess) (sequence)
    0x01: vCard 2.1
    0x02: vCard 3.0
    0x03: vCal 1.0
    0x04: iCal 2.0
    0xff: Any type of object
... ...
```
--lmp-features: read the LMP features of a remote BR/EDR device

```
$ sudo bluing br --lmp-features 6A:8D:99:33:56:AE
Version
    Version: Bluetooth Core Specification 5.2 (LMP)
             Bluetooth Core Specification 5.2 (LL)
    Manufacturer name: HiSilicon Technologies CO., LIMITED
    Subversion: 33561

LMP features
    3 slot packets: True
    5 slot packets: True
    Encryption: True
    Slot offset: True
    Timing accuracy: True
    Role switch: True
    Hold mode: False
    Sniff mode: True
    Previously used: False
    Power control requests: True
    Channel quality driven data rate (CQDDR): True
    ... ...

Extended LMP features
    Page 1
        Secure Simple Pairing (Host Support): True
        LE Supported (Host): True
        Simultaneous LE and BR/EDR to Same Device Capable (Host): True
        Secure Connections (Host Support): True
    Page 2
        Connectionless Slave Broadcast - Master Operation: False
        Connectionless Slave Broadcast - Slave Operation: False
        Synchronization Train: False
        Synchronization Scan: False
        HCI_Inquiry_Response_Notification event: True
        ... ...
```
--mon-incoming-conn: print incoming connections from other nearby BR/EDR devices

```
$ sudo bluing br --inquiry-scan --mon-incoming-conn
[INFO] Inquiry_Scan_Interval: 4096, 2560.0 ms
       Inquiry_Scan_Window:   4096, 2560.0 ms
[INFO] Inquiry Scan and Page Scan enabled
A0:DE:0F:99:EF:78 incoming
    CoD: 0x5a020c
        Service Class: 0b1011010000
            Telephony
            Object Transfer
            Capturing
            Networking
        Major Device Class: 0b00010, Phone
    link type: 0x01 - ACL
... ...
```
--sniff-and-guess-bd-addr: sniff and guess nearby BD_ADDRs

Only the lower part of a BR/EDR address (the SAP, i.e. UAP and LAP) is recoverable over the air; the upper two octets (the NAP) are never transmitted, which is why they appear as ??:?? below and are guessed from the OUI list of the named organization.

```
$ bluing br --org='Huawei Device Co., Ltd.' --timeout=600 --sniff-and-guess-bd-addr
[INFO] Possible BD_ADDR(s) for ??:??:99:4C:45:C3
       24:A7:99:4C:45:C3
[INFO] Possible BD_ADDR(s) for ??:??:E4:2D:69:EE
       BC:1A:E4:2D:69:EE
       D0:05:E4:2D:69:EE
       30:AA:E4:2D:69:EE
[INFO] Possible BD_ADDR(s) for ??:??:15:60:81:7F
       64:23:15:60:81:7F
       D4:74:15:60:81:7F
... ...
```
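The guessing step itself is simple once the SAP is known, and it is worth seeing in code because it explains why several candidates come back for one sniffed device. The following is an added example, not bluing's own implementation: it takes a sniffed UAP:LAP, filters an OUI table by organization name and by the UAP (the third octet of every OUI), and emits the candidate full addresses. The OUI table is a constructed stand-in for OUI.txt in the IEEE "xx-xx-xx (hex) org" line format; the Huawei prefixes in it are the ones shown in the output above, and AA-BB-E4 / "Example Corp" is fictitious. Matching the organization name as a case-insensitive substring is this example's choice, since the page does not describe bluing's own matching rule.

```python
# Added example (not bluing's code): guess full BD_ADDRs from a sniffed SAP.
# BD_ADDR = NAP(16 bits) : UAP(8 bits) : LAP(24 bits). A sniffer recovers the LAP from
# the sync word and the UAP from header error-check analysis; the NAP is never sent.
# Since OUI = NAP + UAP, the OUI list filtered by vendor and UAP gives the candidates.
import re

# Constructed stand-in for OUI.txt (IEEE "xx-xx-xx   (hex)   org" format).
# Huawei prefixes are those seen in the page's output; AA-BB-E4 is fictitious.
SAMPLE_OUI_TXT = """\
24-A7-99   (hex)\t\tHuawei Device Co., Ltd.
BC-1A-E4   (hex)\t\tHuawei Device Co., Ltd.
D0-05-E4   (hex)\t\tHuawei Device Co., Ltd.
30-AA-E4   (hex)\t\tHuawei Device Co., Ltd.
64-23-15   (hex)\t\tHuawei Device Co., Ltd.
D4-74-15   (hex)\t\tHuawei Device Co., Ltd.
AA-BB-E4   (hex)\t\tExample Corp
"""

OUI_LINE = re.compile(
    r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$", re.I)


def load_oui(text: str) -> list:
    """Return (nap_hi, nap_lo, uap, org) tuples from oui.txt-style text."""
    ouis = []
    for line in text.splitlines():
        m = OUI_LINE.match(line)
        if m:
            ouis.append((m.group(1).upper(), m.group(2).upper(),
                         m.group(3).upper(), m.group(4)))
    return ouis


def guess_bd_addr(sap: str, org: str, oui_text: str = SAMPLE_OUI_TXT) -> list:
    """sap is the sniffed UAP:LAP, e.g. "E4:2D:69:EE"; returns sorted candidate BD_ADDRs."""
    parts = sap.upper().split(":")
    if len(parts) != 4 or not all(re.fullmatch(r"[0-9A-F]{2}", p) for p in parts):
        raise ValueError("SAP must be UAP:LAP as four hex octets, e.g. E4:2D:69:EE")
    uap, lap = parts[0], ":".join(parts[1:])
    wanted = org.lower()   # substring match is this example's choice, not bluing's rule
    return sorted(f"{hi}:{lo}:{uap}:{lap}"
                  for hi, lo, u, o in load_oui(oui_text)
                  if u == uap and wanted in o.lower())


if __name__ == "__main__":
    for sap in ("99:4C:45:C3", "E4:2D:69:EE", "15:60:81:7F"):
        print(f"Possible BD_ADDR(s) for ??:??:{sap}")
        for addr in guess_bd_addr(sap, "Huawei Device Co., Ltd."):
            print(f"       {addr}")
```

The number of candidates is exactly the number of the vendor's OUIs whose last octet equals the sniffed UAP, so the guess only narrows the search; the remaining candidates still have to be confirmed, for example by paging each one.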
le command: Low Energy system

```
$ bluing le --help
Usage:
    bluing le [-h | --help]
    bluing le [-i <hci>] [--scan-type=<type>] [--timeout=<sec>] [--sort=<key>] --scan
    bluing le [-i <hci>] --pairing-feature [--timeout=<sec>] [--addr-type=<type>] PEER_ADDR
    bluing le [-i <hci>] --ll-feature-set [--timeout=<sec>] [--addr-type=<type>] PEER_ADDR
    bluing le [-i <hci>] --gatt [--io-cap=<name>] [--addr-type=<type>] PEER_ADDR
    bluing le [-i <hci>] --local --gatt
    bluing le [-i <hci>] --mon-incoming-conn
    bluing le [--channel=<num>] --sniff-adv

Arguments:
    PEER_ADDR    LE Bluetooth device address

Options:
    -h, --help            Print this help and quit
    -i <hci>              HCI device
    --scan                Discover advertising devices nearby
    --scan-type=<type>    The type of scan to perform. active or passive [default: active]
    --sort=<key>          Sort the discovered devices by key, only support RSSI now [default: rssi]
    --ll-feature-set      Read LL FeatureSet of a remote LE device
    --pairing-feature     Request the pairing feature of a remote LE device
    --timeout=<sec>       Duration of the LE scanning, but may not be precise [default: 10]
    --gatt                Discover GATT Profile hierarchy of a remote LE device
    --io-cap=<name>       Set IO capability of the agent. Available value: DisplayOnly,
                          DisplayYesNo, KeyboardOnly, NoInputNoOutput, KeyboardDisplay (KeyboardOnly)
                          [default: NoInputNoOutput]
    --addr-type=<type>    Type of the LE address, public or random
    --sniff-adv           Sniff advertising physical channel PDU. Need at least one micro:bit
    --channel=<num>       LE advertising physical channel, 37, 38 or 39 [default: 37,38,39]
    --device=</dev/tty>   Device to use, comma separated (e.g., /dev/ttyUSB0,/dev/ttyUSB1,/dev/ttyUSB2)
                          Only needed if using NRF51 devices other than micro:bit (e.g., Bluefruit)
```
--scan: discover nearby devices that are advertising

An active scan transmits SCAN_REQ PDUs that carry the scanner's own address, so the scanner itself becomes visible to anyone sniffing the advertising channels; that is what the warning below refers to.

```
$ sudo bluing le --scan
[WARNING] You might want to spoof your LE address before doing an active scan
[INFO] LE active scanning on hci0 for 10 sec
Scanning ⠴
----------------LE Devices Scan Result----------------
Addr:        74:A3:4A:D4:78:55 (ZIMI CORPORATION)
Addr type:   public
Connectable: True
RSSI:        -68 dBm
General Access Profile:
    Flags: LE General Discoverable Mode
           BR/EDR Not Supported
    Service Data - 16-bit UUID:
        UUID: 0x95FE
        Data: 9055990701b743e34aa3740e00
    Appearance: 0000
    Tx Power Level: 0 dBm (pathloss 68 dBm)
    Complete Local Name: Mesh Mi Switch
... ...
```
--ll-feature-set: read the LL FeatureSet of a remote LE device

```
$ sudo bluing le --ll-feature-set --addr-type=public 18:D9:8F:77:24:F1
[INFO] Reading LL FeatureSet of 18:D9:8F:77:24:F1 on hci0
Reading ⠼
LE LL Features:
    LE Encryption: True
    Connection Parameters Request Procedure: False
    Extended Reject Indication: False
    Slave-initiated Features Exchange: False
    LE Ping: False
    LE Data Packet Length Extension: True
    LL Privacy: False
    Extended Scanner Filter Policies: False
    LE 2M PHY: False
    Stable Modulation Index - Transmitter: False
    Stable Modulation Index - Receiver: False
    ... ...
```
--pairing-feature: request the pairing features of a remote LE device

The output is the remote device's SMP Pairing Response. Here AuthReq 0x01 means bonding only: neither MITM protection nor LE Secure Connections is requested, and with NoInputNoOutput IO capability the device will end up with Just Works legacy pairing.

```
$ sudo bluing le --pairing-feature --addr-type=public 18:D9:8F:77:24:F1
[INFO] Requesting pairing feature of 18:D9:8F:77:24:F1 on hci0
Requesting ⠧
Pairing Response
    IO Capability: 0x03 - NoInputNoOutput
    OOB data flag: 0x00 - Not Present
    AuthReq: 0x01
    Maximum Encryption Key Size: 16
    Initiator Key Distribution: 0x00
        EncKey: False
        IdKey: False
        SignKey: False
        LinkKey: False
        RFU: 0b0000
    Responder Key Distribution: 0x01
        EncKey: True
        IdKey: False
        SignKey: False
        LinkKey: False
        RFU: 0b0000
```
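To turn a Pairing Response like the one above into a verdict about the device's pairing security, decode the PDU fields and run the key generation method selection from Bluetooth Core Specification Vol 3, Part H, 2.3.5.1 (OOB check, then MITM check, then the IO capability table). The code below is an added example, not bluing's own; the response bytes are constructed from the values printed on this page, and the initiators it is paired against are hypothetical.

```python
# Added example (not bluing's code): decode an SMP Pairing Request/Response and work out
# which association model a given initiator would get from this responder.
from dataclasses import dataclass

IO_CAPS = {0x00: "DisplayOnly", 0x01: "DisplayYesNo", 0x02: "KeyboardOnly",
           0x03: "NoInputNoOutput", 0x04: "KeyboardDisplay"}
KEY_DIST_BITS = [(0x01, "EncKey"), (0x02, "IdKey"), (0x04, "SignKey"), (0x08, "LinkKey")]


@dataclass
class PairingFeatures:
    io_cap: str
    oob: bool
    bonding: bool
    mitm: bool
    sc: bool
    keypress: bool
    max_key_size: int
    init_keys: list
    resp_keys: list


def parse_pairing_pdu(pdu: bytes) -> PairingFeatures:
    """Opcode 0x01 (Pairing Request) and 0x02 (Pairing Response) share one 7-byte layout."""
    if len(pdu) != 7 or pdu[0] not in (0x01, 0x02):
        raise ValueError("not a 7-byte SMP Pairing Request/Response")
    io_cap, oob, authreq, key_size, ikd, rkd = pdu[1:]
    if io_cap not in IO_CAPS or not 7 <= key_size <= 16:
        raise ValueError("reserved IO capability or key size outside 7..16")
    keys = lambda mask: [name for bit, name in KEY_DIST_BITS if mask & bit]
    return PairingFeatures(
        io_cap=IO_CAPS[io_cap], oob=(oob == 0x01),
        bonding=(authreq & 0x03) == 0x01,      # AuthReq bits 0-1: bonding flags
        mitm=bool(authreq & 0x04),             # bit 2: MITM protection requested
        sc=bool(authreq & 0x08),               # bit 3: LE Secure Connections
        keypress=bool(authreq & 0x10),         # bit 4: keypress notifications
        max_key_size=key_size, init_keys=keys(ikd), resp_keys=keys(rkd))


def select_method(init: PairingFeatures, resp: PairingFeatures) -> dict:
    """Association model per Core Spec Vol 3 Part H 2.3.5.1 and the IO capability table."""
    secure = init.sc and resp.sc               # LE SC only when both sides set the bit
    if (init.oob or resp.oob) if secure else (init.oob and resp.oob):
        method = "Out of Band"
    elif not (init.mitm or resp.mitm):         # nobody asked for MITM protection
        method = "Just Works"
    else:
        caps = {init.io_cap, resp.io_cap}
        if "NoInputNoOutput" in caps:
            method = "Just Works"
        elif caps <= {"DisplayOnly", "DisplayYesNo"}:
            method = "Numeric Comparison" if secure and caps == {"DisplayYesNo"} else "Just Works"
        elif secure and caps <= {"DisplayYesNo", "KeyboardDisplay"}:
            method = "Numeric Comparison"
        else:
            method = "Passkey Entry"
    return {"pairing": "LE Secure Connections" if secure else "LE legacy pairing",
            "method": method, "mitm_protected": method != "Just Works"}


# Pairing Response as printed on this page: NoInputNoOutput, no OOB, AuthReq 0x01
# (bonding only), max key size 16, responder distributes EncKey only.
PAGE_RESPONSE = bytes.fromhex("02 03 00 01 10 00 01")
# Hypothetical initiator: KeyboardDisplay asking for bonding + MITM + SC, all keys.
STRICT_REQUEST = bytes.fromhex("01 04 00 0D 10 0F 0F")

if __name__ == "__main__":
    resp = parse_pairing_pdu(PAGE_RESPONSE)
    print(resp)
    print(select_method(parse_pairing_pdu(STRICT_REQUEST), resp))
```

Even the strict initiator ends up with Just Works over legacy pairing, because the responder neither supports Secure Connections nor has any IO capability. With legacy Just Works the TK is zero, so an attacker who captures the pairing exchange can compute the STK and decrypt the key distribution that follows; the device's pairing offers no protection against an active or passive attacker present at pairing time.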
--gatt: discover the GATT profile hierarchy of a remote LE device

```
$ sudo bluing le --gatt --addr-type=public 18:D9:8F:77:24:F1
Connecting ⠋
Discovering all primary services ⠏
Discovering all characteristics of service 0x0001 ⠹
... ...
Discovering all descriptors of characteristic 0x0002 ⠼
... ...
Reading value of the descriptor 0x0013 ⠴
... ...
----------------GATT Scan Result----------------
Number of services: 6
Service (0x0100 - 0x0112, 7 characteristics)
    Declaration
        Handle: 0x0100
        Type: 2800 (Primary Service declaration)
        Value: 1812 (Human Interface Device)
        Permissions: Read (no authen/author)
    Characteristic (2 descriptors)
        Declaration
            Handle: 0x010d
            Type: 2803 (Characteristic declaration)
            Value:
                Properties: Read, Write Without Response, Write, Notify
                Handle: 0x010e
                UUID: 2A4D (Report)
            Permissions: Read (no authen/author)
        Value
            Handle: 0x0302
            Type: 4A02 (Unknown)
            Value: Read Not Permitted
            Permissions: Higher layer specific
        Descriptor
            Handle: 0x010f
            Type: 2902 (Client Characteristic Configuration declaration)
            Value: b'\x00\x00'
            Permissions: Read (no authen/author), Write (higher layer specifies authen/author)
    ... ...
```
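The "Value" lines under each declaration are decoded from a handful of little-endian bytes that the ATT server returns for the 0x2800, 0x2803 and 0x2902 attributes. The following added example (not bluing's code) shows those decodings; the sample attribute values are constructed from the UUIDs, handle and properties shown in the output above rather than read from a device.

```python
# Added example (not bluing's code): decode raw GATT declaration attribute values.
BT_BASE_UUID = "0000XXXX-0000-1000-8000-00805F9B34FB"
PROPERTY_BITS = [(0x01, "Broadcast"), (0x02, "Read"), (0x04, "Write Without Response"),
                 (0x08, "Write"), (0x10, "Notify"), (0x20, "Indicate"),
                 (0x40, "Authenticated Signed Writes"), (0x80, "Extended Properties")]


def uuid_from_le(raw: bytes) -> str:
    """ATT carries UUIDs little-endian; 16-bit ones are aliases on the Bluetooth Base UUID."""
    if len(raw) == 2:
        return f"{int.from_bytes(raw, 'little'):04X}"
    if len(raw) == 16:
        h = raw[::-1].hex().upper()
        return f"{h[:8]}-{h[8:12]}-{h[12:16]}-{h[16:20]}-{h[20:]}"
    raise ValueError("UUID must be 2 or 16 bytes")


def expand_uuid(short: str) -> str:
    """16-bit alias -> 128-bit form (2A4D -> 00002A4D-0000-1000-8000-00805F9B34FB)."""
    return BT_BASE_UUID.replace("XXXX", short.upper()) if len(short) == 4 else short


def parse_service_declaration(value: bytes) -> str:
    """The value of a 0x2800 / 0x2801 attribute is just the service UUID."""
    return uuid_from_le(value)


def parse_characteristic_declaration(value: bytes) -> dict:
    """0x2803 value: properties(1) | value handle(2, LE) | characteristic UUID(2 or 16, LE)."""
    if len(value) not in (5, 19):
        raise ValueError("characteristic declaration must be 5 or 19 bytes")
    props = value[0]
    return {"properties": [name for bit, name in PROPERTY_BITS if props & bit],
            "value_handle": int.from_bytes(value[1:3], "little"),
            "uuid": uuid_from_le(value[3:])}


def parse_cccd(value: bytes) -> dict:
    """0x2902 value: bit 0 enables notifications, bit 1 enables indications."""
    if len(value) != 2:
        raise ValueError("CCCD value is 2 bytes")
    bits = int.from_bytes(value, "little")
    return {"notifications": bool(bits & 0x1), "indications": bool(bits & 0x2)}


# Constructed from the page: service 1812 (HID); characteristic with Read, Write Without
# Response, Write, Notify (0x1E), value handle 0x010E, UUID 2A4D (Report); CCCD 0x0000.
SAMPLE_SERVICE_DECL = bytes.fromhex("1218")
SAMPLE_CHAR_DECL = bytes.fromhex("1E0E014D2A")
SAMPLE_CCCD = b"\x00\x00"

if __name__ == "__main__":
    print(parse_service_declaration(SAMPLE_SERVICE_DECL))
    print(parse_characteristic_declaration(SAMPLE_CHAR_DECL))
    print(parse_cccd(SAMPLE_CCCD))
```

Declarations are always readable without authentication, so this part of the hierarchy can be enumerated from any unpaired connection; whether the characteristic values themselves can be read or written is decided by the server's per-attribute permissions, which is what the "Read Not Permitted" and "Higher layer specific" lines in the output reflect.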
--sniff-adv: sniff advertising physical channel PDUs

Note the SCAN_REQ in the output: it reveals the address of an active scanner (ScanA), which is the exposure the --scan warning is about.

```
$ sudo bluing le --sniff-adv
[INFO] Using micro:bit /dev/ttyACM2 on channel 37
[INFO] Using micro:bit /dev/ttyACM1 on channel 38
[INFO] Using micro:bit /dev/ttyACM0 on channel 39
[INFO] micro:bit 38 < Ready -> Start
[INFO] micro:bit 37 < Ready -> Start
[INFO] micro:bit 39 < Ready -> Start
[38] [ADV_NONCONN_IND]
    random AdvA: 28:7A:88:B2:35:0B
[39] [ADV_IND]
    public AdvA: A4:E4:72:B1:CB:8D
[37] [SCAN_REQ]
    random ScanA: 6A:90:0C:07:3E:14
    random AdvA: 7D:9B:A8:5A:F2:81
... ...
```
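The PDU types and addresses printed by --sniff-adv, and the AD structures printed by --scan, both come out of the same legacy advertising PDU format. The example below (added here, not bluing's code) decodes a PDU's two-byte header and address fields and then walks the length/type/value AD structures in its payload. The sample PDUs are constructed from the values shown on this page: the SCAN_REQ from the output above, and an ADV_IND plus SCAN_RSP carrying the "Mesh Mi Switch" advertisement from the --scan output. Note that the 16-bit service UUID is little-endian on the air, so the octets the --scan output shows as 0x95FE decode to 0xFE95 here.

```python
# Added example (not bluing's code): decode a legacy LE advertising channel PDU
# (header + payload; preamble, access address and CRC are not part of the input)
# and the AD structures in its AdvData / ScanRspData.
PDU_TYPES = {0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND", 3: "SCAN_REQ",
             4: "SCAN_RSP", 5: "CONNECT_IND", 6: "ADV_SCAN_IND"}
AD_TYPES = {0x01: "Flags", 0x09: "Complete Local Name", 0x0A: "Tx Power Level",
            0x16: "Service Data - 16-bit UUID", 0x19: "Appearance"}
FLAG_BITS = [(0x01, "LE Limited Discoverable Mode"), (0x02, "LE General Discoverable Mode"),
             (0x04, "BR/EDR Not Supported")]


def fmt_addr(raw6: bytes) -> str:
    """Addresses go over the air LSB first; print them MSB first as bluing does."""
    return ":".join(f"{b:02X}" for b in reversed(raw6))


def random_addr_kind(addr: str) -> str:
    """The sub-type of a random address is in the two MSBs of its first octet."""
    top = int(addr.split(":")[0], 16) >> 6
    return {0b11: "static", 0b00: "non-resolvable private",
            0b01: "resolvable private"}.get(top, "reserved")


def parse_ad(data: bytes) -> list:
    """Walk the length/type/value AD structures and decode the common types."""
    out, i = [], 0
    while i < len(data):
        length = data[i]
        if length == 0:                       # a zero length terminates the data
            break
        if i + 1 + length > len(data):
            raise ValueError("AD structure runs past the end of the payload")
        ad_type, value = data[i + 1], data[i + 2:i + 1 + length]
        if ad_type == 0x01:
            decoded = [name for bit, name in FLAG_BITS if value[0] & bit]
        elif ad_type == 0x09:
            decoded = value.decode("utf-8", errors="replace")
        elif ad_type == 0x0A:
            decoded = int.from_bytes(value, "little", signed=True)       # dBm
        elif ad_type == 0x16:                 # 16-bit UUID is little-endian on air
            decoded = (f"0x{int.from_bytes(value[:2], 'little'):04X}", value[2:].hex())
        elif ad_type == 0x19:
            decoded = int.from_bytes(value, "little")
        else:
            decoded = value.hex()
        out.append((AD_TYPES.get(ad_type, f"0x{ad_type:02X}"), decoded))
        i += 1 + length
    return out


def parse_pdu(pdu: bytes) -> dict:
    """Header byte 0: bits 0-3 PDU type, bit 6 TxAdd, bit 7 RxAdd; byte 1: payload length."""
    if len(pdu) < 2 or pdu[1] > 37 or len(pdu) != 2 + pdu[1]:
        raise ValueError("not a well-formed legacy advertising PDU")
    hdr, body = pdu[0], pdu[2:]
    pdu_type = PDU_TYPES.get(hdr & 0x0F, "RESERVED")
    tx_add = "random" if hdr & 0x40 else "public"
    rx_add = "random" if hdr & 0x80 else "public"
    info = {"type": pdu_type}
    if pdu_type == "SCAN_REQ":                # ScanA(6) + AdvA(6)
        info["ScanA"] = (tx_add, fmt_addr(body[0:6]))
        info["AdvA"] = (rx_add, fmt_addr(body[6:12]))
    elif pdu_type in ("ADV_IND", "ADV_NONCONN_IND", "ADV_SCAN_IND", "SCAN_RSP"):
        info["AdvA"] = (tx_add, fmt_addr(body[0:6]))   # AdvA(6) + AdvData/ScanRspData
        info["data"] = parse_ad(body[6:])
    else:
        info["payload"] = body.hex()
    return info


# Constructed samples. The advertiser from the --scan output cannot fit everything in
# one 31-byte AdvData, so the name, appearance and Tx power go in the scan response;
# that is why an active scan (with its SCAN_REQ) is needed to see them.
ADV_IND_PDU = bytes.fromhex("001A" "5578D44AA374" "020106"
                            "101695FE9055990701b743e34aa3740e00")
SCAN_RSP_PDU = bytes.fromhex("041D" "5578D44AA374" "03190000" "020A00" "0F09") + b"Mesh Mi Switch"
SCAN_REQ_PDU = bytes.fromhex("C30C" "143E070C906A" "81F25AA89B7D")   # the one from --sniff-adv

if __name__ == "__main__":
    for pdu in (ADV_IND_PDU, SCAN_RSP_PDU, SCAN_REQ_PDU):
        print(parse_pdu(pdu))
    print(random_addr_kind("6A:90:0C:07:3E:14"))
```

random_addr_kind classifies the random addresses the sniffer shows: 6A:90:0C:07:3E:14 (top bits 01) is a resolvable private address, which rotates and can only be linked to an identity with the device's IRK, whereas a static address (top bits 11) stays fixed and tracks the device across power cycles.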
android command: Android Bluetooth stack

```
$ bluing android --help
Usage:
    bluing android [-h | --help]
    bluing android [-t <id>] --collect-btsnoop-log [-o <file>]

Options:
    -h, --help               Display this help and quit
    -t <id>                  Use android device with given transport id. This option will be
                             ignored when only one device is available
    --collect-btsnoop-log    Collect the btsnoop log being generated to a local file,
                             default ./btsnoop_hci.log
    -o <file>                Place the output into <file> [default: ./btsnoop_hci.log]
```
--collect-btsnoop-log: collect the btsnoop log as it is being generated

```
$ bluing android -t 3 --collect-btsnoop-log -o btsnoop_hci.log; file btsnoop_hci.log
btsnoop_hci.log: BTSnoop version 1, HCI UART (H4)
```
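The file collected above is a btsnoop capture: a 16-byte header followed by records that each carry a 24-byte big-endian header and one H4 packet whose first byte gives the HCI packet type. The reader below is an added example, not bluing's code; it parses that layout, converts the btsnoop timestamps (microseconds since 0000-01-01, shifted with the same offset Wireshark uses) to the Unix epoch, and flags the HCI commands whose parameters contain link keys or LTKs in the clear. The log it parses is constructed in memory from the format definition and is not a real capture.

```python
# Added example (not bluing's code): minimal btsnoop (version 1, HCI UART H4) reader
# with a check for HCI commands that carry key material.
import struct

BTSNOOP_MAGIC = b"btsnoop\x00"
DATALINK_H4 = 1002                      # 1001 is H1, 1002 is HCI UART (H4)
# btsnoop timestamps are microseconds since 0000-01-01; this offset moves them
# onto the Unix epoch.
BTSNOOP_EPOCH_OFFSET_US = 0x00DCDDB30F2F8000
H4_TYPES = {0x01: "HCI Command", 0x02: "ACL Data", 0x03: "SCO Data", 0x04: "HCI Event"}
# Whoever reads the log gets these keys: the BR/EDR link key and the LE LTK are
# parameters of the commands, not something derived inside the controller.
SENSITIVE_OPCODES = {0x040B: "HCI_Link_Key_Request_Reply",
                     0x2019: "HCI_LE_Start_Encryption",
                     0x201A: "HCI_LE_Long_Term_Key_Request_Reply"}


def parse_btsnoop(data: bytes) -> list:
    """Return one dict per record; every header field in the file is big-endian."""
    if data[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", data[8:16])
    if version != 1 or datalink != DATALINK_H4:
        raise ValueError(f"unsupported btsnoop version {version} / datalink {datalink}")
    records, off = [], 16
    while off < len(data):
        if off + 24 > len(data):
            raise ValueError("truncated record header")
        orig_len, incl_len, flags, drops, ts = struct.unpack(">IIIIq", data[off:off + 24])
        pkt = data[off + 24:off + 24 + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated record body")
        off += 24 + incl_len
        rec = {"direction": "controller->host" if flags & 1 else "host->controller",
               "unix_us": ts - BTSNOOP_EPOCH_OFFSET_US,
               "drops": drops, "truncated": incl_len < orig_len,
               "h4_type": H4_TYPES.get(pkt[0], f"0x{pkt[0]:02X}") if pkt else None,
               "opcode": None, "sensitive": None}
        if pkt and pkt[0] == 0x01 and len(pkt) >= 4:       # H4 type 0x01: HCI command
            rec["opcode"] = int.from_bytes(pkt[1:3], "little")
            rec["sensitive"] = SENSITIVE_OPCODES.get(rec["opcode"])
        records.append(rec)
    return records


def btsnoop_record(pkt: bytes, received: bool, unix_us: int) -> bytes:
    """Build one record: flag bit 0 is direction, bit 1 marks command/event packets."""
    flags = (1 if received else 0) | (2 if pkt[0] in (0x01, 0x04) else 0)
    header = struct.pack(">IIIIq", len(pkt), len(pkt), flags, 0,
                         unix_us + BTSNOOP_EPOCH_OFFSET_US)
    return header + pkt


T0 = 1_700_000_000_000_000              # constructed timestamp, in microseconds
SAMPLE_LOG = (
    BTSNOOP_MAGIC + struct.pack(">II", 1, DATALINK_H4)
    + btsnoop_record(bytes.fromhex("01030C00"), False, T0)               # HCI_Reset
    + btsnoop_record(bytes.fromhex("040E0401030C00"), True, T0 + 1500)   # Command Complete
    # HCI_LE_Start_Encryption: handle(2) + Rand(8) + EDIV(2) + LTK(16), all zero here
    + btsnoop_record(bytes.fromhex("0119201C") + bytes(28), False, T0 + 9000)
)

if __name__ == "__main__":
    for rec in parse_btsnoop(SAMPLE_LOG):
        print(rec)
```

Treat a collected btsnoop log as key material: a single HCI_LE_Start_Encryption record is enough to decrypt every later LE connection that reuses that LTK.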
spoof command: spoof with new local device information

```
$ bluing spoof --help
Usage:
    bluing spoof [-h | --help]
    bluing spoof [-i <hci>] --bd-addr=<BD_ADDR>
    bluing spoof [-i <hci>] --cls-of-dev=<num>
    bluing spoof --host-name=<name>
    bluing spoof [-i <hci>] --alias=<alias>

Options:
    -h, --help             Print this help and quit
    -i <hci>               HCI device
    --bd-addr=<BD_ADDR>    Spoof with a new BD_ADDR
    --cls-of-dev=<num>     Spoof with a new Class of Device
    --host-name=<name>     Spoof with a new host name
    --alias=<alias>        Spoof with a new alias
```
--bd-addr=<BD_ADDR>: spoof with a new device address

This feature is currently built on spooftooph. On Kali Linux, `sudo apt install spooftooph` is all that is needed; on Ubuntu, spooftooph has to be compiled and installed manually.

```
$ sudo bluing spoof --bd-addr=AA:BB:CC:DD:EE:FF
[WARNING] The original HCI device number may have been changed
[INFO] BD_ADDR changed: 11:22:33:44:55:66 -> AA:BB:CC:DD:EE:FF
```

Heed the warning: after the address change the adapter may come back under a different hci index, so re-check which hciN you are targeting before passing -i to later commands.
--cls-of-dev=<num>: spoof with a new Class of Device (0x6c0100 in the example has major device class Computer)

```
$ sudo bluing spoof --cls-of-dev=0x6c0100
```

No output when successful.
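Choosing a value for --cls-of-dev, or reading the CoD lines that --inquiry and --mon-incoming-conn print, means working with the 24-bit Class of Device field: service class flags in bits 23..13, major device class in bits 12..8, minor device class in bits 7..2 and the format type in bits 1..0. The decoder and builder below are an added example, not bluing's code, and are exercised on the two values that appear on this page (0x5a020c from the inquiry output, 0x6c0100 from the spoof example); the minor class tables cover only the Computer and Phone major classes.

```python
# Added example (not bluing's code): decode and build a Bluetooth Class of Device.
#   bits 23..13 major service classes (one flag per bit)
#   bits 12..8  major device class
#   bits  7..2  minor device class (meaning depends on the major class)
#   bits  1..0  format type, 00 for the only format defined
SERVICE_CLASS_BITS = {13: "Limited Discoverable Mode", 16: "Positioning", 17: "Networking",
                      18: "Rendering", 19: "Capturing", 20: "Object Transfer", 21: "Audio",
                      22: "Telephony", 23: "Information"}
MAJOR_CLASSES = {0x00: "Miscellaneous", 0x01: "Computer", 0x02: "Phone",
                 0x03: "LAN/Network Access Point", 0x04: "Audio/Video", 0x05: "Peripheral",
                 0x06: "Imaging", 0x07: "Wearable", 0x08: "Toy", 0x09: "Health",
                 0x1F: "Uncategorized"}
# Minor classes for the two major classes that appear on this page.
MINOR_CLASSES = {
    0x01: {0: "Uncategorized", 1: "Desktop workstation", 2: "Server-class computer",
           3: "Laptop", 4: "Handheld PC/PDA", 5: "Palm-size PC/PDA",
           6: "Wearable computer", 7: "Tablet"},
    0x02: {0: "Uncategorized", 1: "Cellular", 2: "Cordless", 3: "Smartphone",
           4: "Wired modem or voice gateway", 5: "Common ISDN access"},
}


def decode_cod(cod: int) -> dict:
    """Split a CoD into service flags, major class and minor class."""
    if not 0 <= cod < 1 << 24:
        raise ValueError("CoD is a 24-bit value")
    if cod & 0x3:
        raise ValueError("unknown CoD format type")
    major = (cod >> 8) & 0x1F
    minor = (cod >> 2) & 0x3F
    return {
        "services": [name for bit, name in SERVICE_CLASS_BITS.items() if cod >> bit & 1],
        "major": MAJOR_CLASSES.get(major, f"0x{major:02X}"),
        "minor": MINOR_CLASSES.get(major, {}).get(minor, f"0x{minor:02X}"),
    }


def build_cod(major: str, minor: str, services) -> int:
    """Inverse of decode_cod, for picking a value to hand to --cls-of-dev."""
    major_code = {v: k for k, v in MAJOR_CLASSES.items()}[major]
    minor_code = {v: k for k, v in MINOR_CLASSES.get(major_code, {}).items()}[minor]
    cod = major_code << 8 | minor_code << 2
    for name in services:
        cod |= 1 << {v: k for k, v in SERVICE_CLASS_BITS.items()}[name]
    return cod


if __name__ == "__main__":
    for cod in (0x5A020C, 0x6C0100):          # the two values that appear on this page
        print(f"0x{cod:06x}: {decode_cod(cod)}")
    laptop = build_cod("Computer", "Laptop", ["Audio", "Rendering", "Capturing", "Telephony"])
    print(f"laptop CoD for --cls-of-dev: 0x{laptop:06x}")
```

The CoD is purely self-declared and is what remote devices use to decide how to present you, so a spoofed value that matches the expected device type (phone versus laptop, with the matching service flags) is what makes the rest of a spoofed identity plausible.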
--host-name=<name>: spoof with a new host name

```
$ sudo bluing spoof --host-name=Bluing
```

No output when successful.
--alias=<alias>: spoof with a new controller alias

```
$ sudo bluing spoof --alias='Bluing Alias'
```

No output when successful.
plugin command: plugin management

```
$ bluing plugin --help
Usage:
    bluing plugin [-h | --help]
    bluing plugin <command> [<args>...]

Options:
    -h, --help    Display this help and quit

Commands:
    list         List installed plugins
    install      Install a plugin
    uninstall    Uninstall a plugin
    run          Run a plugin
```
Many bluing features need access to a Bluetooth adapter. You can use the adapter built into a physical Linux machine, or give a Linux VM exclusive use of the host's adapter, but for more stable operation an external USB Bluetooth adapter such as the Parani UD100-G03 is still recommended.
When sniffing advertising physical channel PDUs (le --sniff-adv), bluing needs at least one original micro:bit, and three are recommended (one per advertising channel 37, 38 and 39). The micro:bits must run the dedicated firmware that bluing provides. Plug the micro:bit(s) into the Linux machine and flash the prebuilt firmware with:

```
bluing --flash-micro-bit
```
Besides the original micro:bit, other nRF51822-based boards such as the Adafruit Bluefruit LE Friend and the BLE400 with Core51822 can also be supported, but the serial pin mapping may need to be adjusted.
When sniffing and guessing nearby BD_ADDRs (br --sniff-and-guess-bd-addr), bluing needs an Ubertooth One.
rfkill can't find hci0

The exception message is:

```
Exception: Can't find the ID of hci0 in rfkill
```

This can happen with an old rfkill that does not support the -r and -n options, for example:

```
$ cat /etc/os-release | head -n 2
NAME="Ubuntu"
VERSION="16.10 (Yakkety Yak)"
$ rfkill --version
rfkill 0.5-1ubuntu3 (Ubuntu)
```

Upgrading rfkill to a newer version fixes the problem, for example:

```
$ cat /etc/os-release | head -n 2
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
$ rfkill --version
rfkill from util-linux 2.38.1
```
scanend failed

The error message is:

```
ERROR: Failed to execute management command 'scanend' (code: 11, error: Rejected)
```

Restarting the Bluetooth service usually clears this. Run:

```
sudo systemctl restart bluetooth.service
```