A Node.js package for BLE (Bluetooth Low Energy) security assessment using Man-in-the-Middle and other attacks.
Prerequisites
see:
https://github.com/sandeepmistry/noble
https://github.com/sandeepmistry/bleno
Install
npm install gattacker
Usage
Configure
Running both components Set up variables in config.env:
- NOBLE_HCI_DEVICE_ID : noble ("central", ws-slave) device
- BLENO_HCI_DEVICE_ID : bleno ("peripheral", advertise) device
- WS_SLAVE : IP address of ws-slave box
- DEVICES_PATH : path to store json files
Start "central" device
sudo node ws-slave
Debug:
DEBUG=ws-slave sudo node ws-slave
Scanning
Scan for advertisements
node scan
Explore services and characteristics
node scan <peripheral>
Hook configuration (option)
For active request/response tampering configure hook functions for characteristic in device's json services file.
Example:
{
"uuid": "06d1e5e779ad4a718faa373789f7d93c",
"name": null,
"properties": [
"write",
"notify"
],
"startHandle": 8,
"valueHandle": 9,
"endHandle": 10,
"descriptors": [
{
"handle": 10,
"uuid": "2902",
"value": ""
}
],
"hooks": {
"dynamicWrite": "dynamicWriteFunction",
"dynamicNotify": "customLog"
}
}
dynamic: connect to original device
static: do not connect to original device, run the tampering function locally
It will try to invoke the specified function from hookFunctions, include your own. A few examples provided in hookFunctions subdir.
staticValue - static value
Start "peripheral" device
node advertise -a <advertisement_json_file> [ -s <services_json_file> ]
MAC address cloning
For many applications it is necessary to clone MAC address of original device. A helper tool bdaddr from Bluez is provided in helpers/bdaddr.
cd helpers/bdaddr
make
./mac_adv -a <advertisement_json_file> [ -s <services_json_file> ]
Troubleshooting
Turn off, cross fingers, try again ;)
reset device
hciconfig <hci_interface> reset
Running ws-slave and advertise on the same box
With this configuration you may experience various problems.
Try switching NOBLE_HCI_INTERFACE and BLENO_HCI_INTERFACE
hcidump debug
hcidump -x -t <hci_interface>
FAQ, more information
FAQ: https://github.com/securing/gattacker/wiki/FAQ
More information: www.gattack.io