  • Stars: 515
  • Rank: 85,879 (Top 2 %)
  • Language: Python
  • License: GNU General Publi...
  • Created about 9 years ago
  • Updated over 4 years ago


Man in the Middle analysis tool for Bluetooth.

Btproxy

(Unsupported)

Bluetooth Proxy tool

Walkthrough

Tested Devices

  • Pebble Steel smart watch
  • Moto 360 smart watch
  • OBDLink OBD-II Bluetooth Dongle
  • Withings Smart Baby Monitor

If you have tried anything else, please let me know at conorpp (at) vt (dot) edu.

Dependencies

  • Need at least 1 Bluetooth card (either USB or internal).
  • Need to be running Linux or another *nix.
  • BlueZ 4

On a Debian-based system, run

sudo apt-get install bluez bluez-tools libbluetooth-dev python-dev

Installation

sudo python setup.py install

Running

To run a simple MiTM or proxy on two devices, run

btproxy <master-bt-mac-address> <slave-bt-mac-address>

Run btproxy without arguments to get the list of command-line arguments.

Example

# This will connect to the slave 40:14:33:66:CC:FF device and 
# wait for a connection from the master F1:64:F3:31:67:88 device
btproxy F1:64:F3:31:67:88 40:14:33:66:CC:FF

The master is typically the phone, and the slave is typically the peripheral (smart watch, headphones, keyboard, OBD-II dongle, etc.).

The master is the device that sends the connection request; the slave is the device listening for something to connect to it.

After the proxy connects to the slave device and the master connects to the proxy device, you will be able to see traffic and modify it.

How to find the BT MAC Address?

For a phone you can usually look the address up in the Bluetooth settings. The most robust way is to put the device into discoverable mode and scan for it.

There are two ways to find devices from the command line with hcitool: hcitool scan runs an inquiry and resolves each device's name, while hcitool inq prints the raw inquiry results (address, clock offset and device class):

hcitool scan
hcitool inq

To get the SDP records (services, with their RFCOMM channels and L2CAP PSMs) hosted by a device:

sdptool records <bt-address>

Usage

Some devices restrict connections based on the name, class or address of the peer Bluetooth device.
So the program looks up those three properties of the devices to be proxied and clones them onto the proxying adapter(s).

It then tries connecting to the slave device from the cloned master adapter. It makes a socket for each service hosted by the slave and relays traffic for each one independently.

After the slave is connected, the cloned slave adapter is set to listen for a connection from the master. At this point the real master device should connect to the adapter. Once the master connects, the proxied connection is complete.

Using only one adapter

This program uses either 1 or 2 Bluetooth adapters. If you use one adapter, only the slave device is cloned. With 2 adapters both devices are cloned, which may be necessary for more restrictive Bluetooth devices.

Advanced Usage

Manipulation of the traffic can be handled in Python by passing an inline script. Just implement the master_cb and slave_cb callback functions. These are called upon receiving data, and the data they return is sent on to the corresponding device.

# replace.py
from __future__ import print_function   # same script runs under Python 2 and 3

def master_cb(req):
    """
        Received something from master, about to be sent to slave.
        Whatever is returned is what gets forwarded; returning req
        unchanged makes this a passive tap.
    """
    print('<< ', repr(req))
    with open('mastermessages.log', 'ab') as f:   # close the handle on every call
        f.write(req)
    return req

def slave_cb(res):
    """
        Same as above but it's from slave about to be sent to master
    """
    print('>> ', repr(res))
    with open('slavemessages.log', 'ab') as f:
        f.write(res)
    return res
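The callbacks above only log. The following is an added example written for this page, not the repository's own replace.py, showing the two things a practitioner runs into as soon as the callbacks start editing traffic: RFCOMM delivers a byte stream, so one callback invocation may carry a partial frame or several frames and has to reassemble them, and any edit that changes a payload's length has to fix up the length field. The 2-byte big-endian framing, the substitution rules and the assumption that btproxy forwards exactly the bytes a callback returns (so returning b'' forwards nothing until a frame is complete) are all assumptions of this example, not documented behaviour.

```python
# replace.py (added example; not the btproxy repository's own replace.py)
from __future__ import print_function
import binascii
import struct

# ASSUMPTION: a hypothetical peripheral protocol whose frames are a 2-byte
# big-endian payload length followed by the payload. RFCOMM is a byte stream,
# so a single callback invocation may carry a partial frame or several frames;
# the per-direction buffers below reassemble them.
HEADER = struct.Struct('>H')
_buffers = {'master': b'', 'slave': b''}

# Substitutions applied to complete payloads, per direction (assumed values).
MASTER_RULES = [(b'hello', b'hi there')]   # phone -> peripheral
SLAVE_RULES = []                           # peripheral -> phone: log only

# (direction, original payload, rewritten payload) for every frame seen.
TRANSCRIPT = []


def hexdump(data):
    """One-line hex rendering of data for the console."""
    return binascii.hexlify(data).decode('ascii')


def split_frames(direction, chunk):
    """Buffer chunk for this direction and return the payloads of every frame
    it completes. Bytes of a trailing partial frame stay buffered."""
    buf = _buffers[direction] + chunk
    payloads = []
    while len(buf) >= HEADER.size:
        (length,) = HEADER.unpack_from(buf)
        if len(buf) < HEADER.size + length:
            break                                   # wait for the rest
        payloads.append(buf[HEADER.size:HEADER.size + length])
        buf = buf[HEADER.size + length:]
    _buffers[direction] = buf
    return payloads


def encode(payload):
    """Re-frame a payload, recomputing the length field after any edit."""
    return HEADER.pack(len(payload)) + payload


def rewrite(payload, rules):
    for old, new in rules:
        payload = payload.replace(old, new)
    return payload


def process(direction, chunk, rules, log_path=None):
    """Reassemble, rewrite and re-frame every frame completed by chunk and
    return the bytes to forward. ASSUMPTION: btproxy sends exactly what the
    callback returns, so b'' forwards nothing until a frame is complete."""
    out = b''
    marker = '<<' if direction == 'master' else '>>'
    for payload in split_frames(direction, chunk):
        new = rewrite(payload, rules)
        TRANSCRIPT.append((direction, payload, new))
        print(marker, hexdump(payload), '' if new == payload else '-> ' + hexdump(new))
        if log_path:                                # optional raw log of the original frame
            with open(log_path, 'ab') as f:
                f.write(encode(payload))
        out += encode(new)
    return out


def master_cb(req):
    """btproxy hook: bytes from the master, about to be sent to the slave."""
    return process('master', req, MASTER_RULES)


def slave_cb(res):
    """btproxy hook: bytes from the slave, about to be sent to the master."""
    return process('slave', res, SLAVE_RULES)
```

Because the buffers are module globals, reloading the script with 'r' resets them; do the reload between frames, or carry the buffers over, if the peripheral is mid-frame at that moment.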

Also see the example functions for manipulating Pebble watch traffic in replace.py.

This script can be edited and reloaded at runtime by entering 'r' in the program console, which avoids the pain of reconnecting. Any exception raised by a callback is caught and regular transmission continues.

TODO

  • BLE
  • Improve the file logging of the traffic and make it more interactive for replays/manipulation.
  • Indicate which service is which in the output.
  • Provide control for disconnecting/connecting services.
  • PCAP file support
  • ncurses?

How it works

This program starts by killing the bluetoothd process and restarting it with an LD_PRELOAD wrapper around the bind system call that stops bluetoothd from binding L2CAP PSM 1, the Service Discovery Protocol (SDP) port. All SDP traffic goes over PSM 1, so btproxy can bind it itself and simply forward SDP requests and responses between the two devices, without having to mimic the slave's service advertisements.

The program first scans each device for its name and device class so that the clones are accurate. It appends the string '_btproxy' to each name to make the clones distinguishable from a user's perspective. Alternatively, you can specify the names to use on the command line.

The program then scans the services of the slave device, makes a socket connection to each service and opens a listening port for the master device to connect to. Once the master connects, the proxy/MiTM is complete and output is sent to STDOUT.
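To make the relay described here, and the runtime reload from Advanced Usage, concrete, the following is an added example written for this page and not btproxy's own source: a select()-based relay that pushes each direction through its callback, logs and swallows callback exceptions so traffic keeps flowing, and hot-reloads a callbacks module when 'r' is typed on the console. In btproxy the two sockets would be the RFCOMM connections to the real master and slave; demo() stands them in with socketpairs and constructed data so the code runs offline. The module, function and socket names are this example's own.

```python
# relay.py (added example; not code from the btproxy repository)
from __future__ import print_function
import importlib
import select
import socket
import sys
import traceback

try:
    reload_module = importlib.reload        # Python 3
except AttributeError:                      # Python 2: reload is a builtin
    reload_module = reload                  # noqa: F821


class Callbacks(object):
    """Current master_cb/slave_cb; passthrough until a module is loaded."""

    def __init__(self):
        self.master_cb = lambda data: data
        self.slave_cb = lambda data: data

    def reload(self, module_name):
        """Import or re-import module_name (e.g. 'replace') and adopt its
        callbacks. On any error keep the old callbacks and return False."""
        try:
            mod = sys.modules.get(module_name)
            mod = reload_module(mod) if mod else importlib.import_module(module_name)
        except Exception:
            traceback.print_exc()
            return False
        self.master_cb = getattr(mod, 'master_cb', self.master_cb)
        self.slave_cb = getattr(mod, 'slave_cb', self.slave_cb)
        return True


def apply_cb(cb, data, label):
    """Run one callback; if it raises, log it and forward the bytes unmodified."""
    try:
        return cb(data)
    except Exception:
        print('[%s] callback raised; forwarding unmodified' % label, file=sys.stderr)
        traceback.print_exc()
        return data


def relay_once(to_master, to_slave, cbs, timeout=1.0):
    """One select() pass: master bytes go through master_cb to the slave and
    vice versa. Returns bytes forwarded; raises EOFError when a peer hangs up."""
    readable, _, _ = select.select([to_master, to_slave], [], [], timeout)
    forwarded = 0
    for sock in readable:
        data = sock.recv(4096)
        if not data:
            raise EOFError('peer closed the connection')
        if sock is to_master:
            out, dest = apply_cb(cbs.master_cb, data, 'master->slave'), to_slave
        else:
            out, dest = apply_cb(cbs.slave_cb, data, 'slave->master'), to_master
        if out:                     # a callback may return b'' to hold or drop data
            dest.sendall(out)
            forwarded += len(out)
    return forwarded


def run(to_master, to_slave, cbs, module_name, console=sys.stdin):
    """Relay until a peer disconnects; typing 'r' on the console reloads."""
    while True:
        ready, _, _ = select.select([console], [], [], 0)
        if ready and console.readline().strip() == 'r':
            print('reloaded' if cbs.reload(module_name) else 'reload failed, old callbacks kept')
        relay_once(to_master, to_slave, cbs)


def demo():
    """Stand in for the two RFCOMM links with socketpairs and constructed data."""
    phone, to_master = socket.socketpair()      # real master <-> proxy
    to_slave, watch = socket.socketpair()       # proxy <-> real slave
    cbs = Callbacks()
    cbs.master_cb = lambda d: d.upper()         # a visible edit on the way out
    results = {}
    try:
        phone.sendall(b'ping')
        results['m2s_bytes'] = relay_once(to_master, to_slave, cbs)
        results['watch_got'] = watch.recv(64)
        watch.sendall(b'pong')
        results['s2m_bytes'] = relay_once(to_master, to_slave, cbs)
        results['phone_got'] = phone.recv(64)
        cbs.slave_cb = lambda d: 1 // 0         # simulate a buggy replace.py
        watch.sendall(b'still flowing')
        relay_once(to_master, to_slave, cbs)
        results['phone_got_after_error'] = phone.recv(64)
        results['bad_reload'] = cbs.reload('no_such_module_for_btproxy_demo')
    finally:
        for s in (phone, to_master, to_slave, watch):
            s.close()
    return results
```

btproxy opens one such relay per SDP-advertised service; this example shows a single pair. Note that a failed reload keeps the previous callbacks rather than falling back to passthrough, so a syntax error in the script does not silently turn an active edit into a tap.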

Notes

Some Bluetooth devices use different pairing methods, which makes this process more complicated. Right now it supports SPP and legacy PIN pairing.

This program does not yet support Bluetooth Low Energy. A similar approach could be taken for BLE.

Errors

btproxy or bluetoothd hangs

If you are using BlueZ 5, you should try uninstalling it and installing BlueZ 4. I've had problems with BlueZ 5 hanging.

error accessing bluetooth device

Make sure the Bluetooth adapters are plugged in and enabled.

Run

    # See the list of all adapters
    hciconfig -a

    # Enable
    sudo hciconfig hciX up

    # If that fails with
    #   Can't init device hci0: Operation not possible due to RF-kill (132)
    # then try unblocking the radio with the rfkill command
    sudo rfkill unblock all

UserWarning: <path>/.python-eggs is writable by group/others

This is setuptools warning that its egg extraction cache can be written by other users, so code it extracts there could be tampered with before it is loaded. The check fires on the group or other write bit, so remove both:

chmod go-w <path>/.python-eggs
