Link: https://github.com/dhgdhg/Scapy-Note

13. Bluetooth

13.1. BluetoothHCISocket: scapy.layers.bluetooth.BluetoothHCISocket

This is the "base"-level interface for talking to the Bluetooth controller. Everything else is built on top of it; it is the closest you can get to the physical layer with ordinary Bluetooth hardware.

  • iface
    • Index of the HCI device. For the device listed below, iface should be 0: BluetoothHCISocket(0)
      # hcitool dev
      Devices:
              hci0    AA:AA:AA:AA:AA:AA

13.2. HCI_Hdr: scapy.layers.bluetooth.HCI_Hdr

HCI header

13.3. HCI_Command_Hdr: scapy.layers.bluetooth.HCI_Command_Hdr

HCI Command header

13.4. HCI_Cmd_LE_Set_Scan_Parameters: scapy.layers.bluetooth.HCI_Cmd_LE_Set_Scan_Parameters

LE Set Scan Parameters

  • type
    • 1: active scanning
  • interval
    • Unit: slots of 0.625 ms
    • How often a listening period is started

13.5. HCI_Cmd_LE_Set_Scan_Enable: scapy.layers.bluetooth.HCI_Cmd_LE_Set_Scan_Enable

LE Set Scan Enable

  • enable
    • True: enable scanning
    • False: disable scanning
  • filter_dups
    • True: do not report duplicates
    • False: report duplicates, since repeated reports sometimes carry different data

13.6. EIR_Hdr: scapy.layers.bluetooth.EIR_Hdr

EIR Header

  • type

    • Value (either the number or its name string may be given)

      <details>
      • Full list: https://www.bluetooth.com/specifications/assigned-numbers/generic-access-profile
      • 0x01: "flags"
      • 0x02: "incomplete_list_16_bit_svc_uuids"
      • 0x03: "complete_list_16_bit_svc_uuids"
      • 0x04: "incomplete_list_32_bit_svc_uuids"
      • 0x05: "complete_list_32_bit_svc_uuids"
      • 0x06: "incomplete_list_128_bit_svc_uuids"
      • 0x07: "complete_list_128_bit_svc_uuids"
      • 0x08: "shortened_local_name"
      • 0x09: "complete_local_name"
      • 0x0a: "tx_power_level"
      • 0x0d: "class_of_device"
      • 0x0e: "simple_pairing_hash"
      • 0x0f: "simple_pairing_rand"
      • 0x10: "sec_mgr_tk"
      • 0x11: "sec_mgr_oob_flags"
      • 0x12: "slave_conn_intvl_range"
      • 0x14: "list_16_bit_svc_sollication_uuids"
      • 0x15: "list_128_bit_svc_sollication_uuids"
      • 0x16: "svc_data_16_bit_uuid"
      • 0x17: "pub_target_addr"
      • 0x18: "rand_target_addr"
      • 0x19: "appearance"
      • 0x1a: "adv_intvl"
      • 0x1b: "le_addr"
      • 0x1c: "le_role"
      • 0x1d: "simple_pairing_hash_256"
      • 0x1e: "simple_pairing_rand_256"
      • 0x1f: "list_32_bit_svc_sollication_uuids"
      • 0x20: "svc_data_32_bit_uuid"
      • 0x21: "svc_data_128_bit_uuid"
      • 0x22: "sec_conn_confirm"
      • 0x23: "sec_conn_rand"
      • 0x24: "uri"
      • 0x25: "indoor_positioning"
      • 0x26: "transport_discovery"
      • 0x27: "le_supported_features"
      • 0x28: "channel_map_update"
      • 0x29: "mesh_pb_adv"
      • 0x2a: "mesh_message"
      • 0x2b: "mesh_beacon"
      • 0x3d: "3d_information"
      • 0xff: "mfg_specific_data"
      </details>
  • len
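The byte layout that `type` and `len` describe, as an added example that is not code from the Scapy-Note page or from scapy: a hand-written parser and builder for EIR / advertising-data structures in plain Python, so the encoding scapy's EIR_Hdr models can be seen without scapy. EIR_TYPES is a subset of the list above; the function names and the sample advertisement are my own.

```python
# Added example, not code from the Scapy-Note page or from scapy: a minimal
# parser/builder for the EIR (advertising-data) structures that EIR_Hdr models.
# Each structure is: one length byte (covers the type byte and the data), one
# type byte, then the data. EIR_TYPES is a subset of the list above; the
# function names are my own.
from typing import List, Tuple

EIR_TYPES = {
    0x01: "flags",
    0x02: "incomplete_list_16_bit_svc_uuids",
    0x03: "complete_list_16_bit_svc_uuids",
    0x08: "shortened_local_name",
    0x09: "complete_local_name",
    0x0A: "tx_power_level",
    0x16: "svc_data_16_bit_uuid",
    0xFF: "mfg_specific_data",
}


def parse_eir(data: bytes) -> List[Tuple[int, str, bytes]]:
    """Split advertising data into (type, type name, payload) triples.

    A zero length byte ends the data (the rest is padding). A structure whose
    declared length runs past the buffer is rejected instead of being silently
    truncated, so a malformed advertisement never yields a plausible-looking
    partial entry."""
    entries = []
    i = 0
    while i < len(data):
        length = data[i]
        if length == 0:
            break
        start, end = i + 1, i + 1 + length
        if end > len(data):
            raise ValueError(f"structure at offset {i} declares {length} bytes, "
                             f"but only {len(data) - start} remain")
        ad_type = data[start]
        entries.append((ad_type, EIR_TYPES.get(ad_type, f"0x{ad_type:02x}"), data[start + 1:end]))
        i = end
    return entries


def build_eir(entries: List[Tuple[int, bytes]]) -> bytes:
    """Inverse of parse_eir: the length byte is computed, as scapy's EIR_Hdr.len is."""
    out = bytearray()
    for ad_type, payload in entries:
        if len(payload) + 1 > 0xFF:
            raise ValueError("EIR structure payload too long")
        out += bytes([len(payload) + 1, ad_type]) + payload
    return bytes(out)


def local_name(data: bytes) -> str:
    """Complete local name, or the shortened one if that is all there is, else ''."""
    by_type = {t: payload for t, _, payload in parse_eir(data)}
    raw_name = by_type.get(0x09) or by_type.get(0x08) or b""
    return raw_name.decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Constructed sample advertisement: flags, one 16-bit service UUID, a name.
    adv = build_eir([(0x01, b"\x06"), (0x03, b"\x0f\x18"), (0x09, b"demo-beacon")])
    for ad_type, name, payload in parse_eir(adv):
        print(f"{ad_type:#04x} {name:<34} {payload.hex()}")
    print("local name:", local_name(adv))
```

The length check is the part worth copying: advertising data arrives from an unauthenticated radio source, so a parser that trusts the length byte and slices past the buffer (or pads with whatever follows) is how a bad advertisement turns into a misparsed name or service list.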

13.7. HCI_LE_Meta_Advertising_Report: scapy.layers.bluetooth.HCI_LE_Meta_Advertising_Report

https://www.silabs.com/community/wireless/bluetooth/knowledge-base.entry.html/2017/02/10/bluetooth_advertisin-hGsf

<details>
  • type

  • atype
    • 0: public
    • 1: random
  • addr
    • LE MAC address
  • len
  • data
    • list of EIR_Hdr
  • rssi
    • RSSI stands for Received Signal Strength Indicator. It is the strength of the beacon signal as seen at the receiving device.

      RSSI      Range (meters)
      -115 dBm  2
      -84 dBm   4
      -81 dBm   10
      -77 dBm   20
      -72 dBm   30
      -69 dBm   40
      -65 dBm   60
      -59 dBm   70

      • Unit: meters
      • MP: Measured Power
        • Example: Measured Power = -69 (for kontakt BLE beacons)
      • N: constant that depends on environmental factors, in the range 2-4
</details>
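How the RSSI, MP and N values above combine into a distance estimate, as an added example that is not part of the original note. It assumes the usual log-distance path-loss formula for BLE beacons, d = 10 ** ((MP - RSSI) / (10 * N)), which the note lists the variables of but does not write out; the function names and the sample readings are constructed.

```python
# Added example, not from the Scapy-Note page: the distance estimate that the
# MP and N variables above feed into. Assumed formula (the usual log-distance
# path-loss model for BLE beacons, which the note does not write out):
#     d = 10 ** ((MP - RSSI) / (10 * N))
# with MP the RSSI measured at 1 m, N between 2 (free space) and 4 (indoors).
# Function names and the sample readings are constructed.

RSSI_NOT_AVAILABLE = 127   # HCI reports this value when no RSSI could be measured


def estimate_distance(rssi, measured_power=-69, n=2.0):
    """Distance in metres, or None when the controller supplied no RSSI."""
    if rssi == RSSI_NOT_AVAILABLE:
        return None
    if not -127 <= rssi <= 20:
        raise ValueError(f"RSSI {rssi} dBm is outside the HCI range -127..20")
    if not 2.0 <= n <= 4.0:
        raise ValueError("N must lie between 2 and 4")
    return 10 ** ((measured_power - rssi) / (10 * n))


def rank_by_proximity(reports, n=2.0):
    """reports: (addr, rssi, tx_power) triples, rssi from the advertising report
    and tx_power (the beacon's own 1 m reference, i.e. MP) from the beacon
    payload. Returns (addr, distance) pairs, nearest first, skipping reports
    with no RSSI."""
    ranked = []
    for addr, rssi, tx_power in reports:
        distance = estimate_distance(rssi, measured_power=tx_power, n=n)
        if distance is not None:
            ranked.append((addr, distance))
    ranked.sort(key=lambda pair: pair[1])
    return ranked


if __name__ == "__main__":
    sample = [("aa:bb:cc:dd:ee:01", -60, -69),
              ("aa:bb:cc:dd:ee:02", -80, -69),
              ("aa:bb:cc:dd:ee:03", 127, -69)]
    for addr, d in rank_by_proximity(sample):
        print(f"{addr}  {d:6.2f} m")
```

Both inputs to the estimate are under the transmitter's control: it chooses its real output power and the tx_power value it advertises. A receiver can therefore use the result as a ranking hint, as above, but not as evidence that a device is physically close.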

13.8. HCI_LE_Meta_Advertising_Reports: scapy.layers.bluetooth.HCI_LE_Meta_Advertising_Reports

  • len
    • length
  • reports
    • list of HCI_LE_Meta_Advertising_Report

13.9. AltBeacon: scapy.contrib.altbeacon.AltBeacon

AltBeacon is a protocol specification that defines a message format for proximity beacon advertisements. A device transmits AltBeacon proximity beacon advertisements to signal its presence to nearby receivers. The transmitted message contains information that a receiving device can use to identify the beacon and to compute its relative distance to it. The receiving device can use that information as a contextual trigger to run procedures and implement behaviour tied to being near the transmitting beacon.

  • Usage

      # Load the AltBeacon contrib layer (in the scapy shell, or after: from scapy.all import *)
      load_contrib('altbeacon')

      ab = AltBeacon(
          id1='2f234454-cf6d-4a0f-adf2-f4911ba9ffa6',
          id2=1,
          id3=2,
          tx_power=-59,
      )

      # bt is the HCI socket opened as in 13.13: bt = BluetoothHCISocket(0)
      bt.sr(ab.build_set_advertising_data())
  • header

  • id1

    • organisation id

    • UUID

        UUID                   = time-low "-" time-mid "-"
                                time-high-and-version "-"
                                clock-seq-and-reserved
                                clock-seq-low "-" node
        time-low               = 4hexOctet
        time-mid               = 2hexOctet
        time-high-and-version  = 2hexOctet
        clock-seq-and-reserved = hexOctet
        clock-seq-low          = hexOctet
        node                   = 6hexOctet

        Field                      Data Type                 Octet  Note

        time_low                   unsigned 32 bit integer   0-3    The low field of the timestamp
        time_mid                   unsigned 16 bit integer   4-5    The middle field of the timestamp
        time_hi_and_version        unsigned 16 bit integer   6-7    The high field of the timestamp multiplexed with the version number
        clock_seq_hi_and_reserved  unsigned 8  bit integer   8      The high field of the clock sequence multiplexed with the variant
        clock_seq_low              unsigned 8  bit integer   9      The low field of the clock sequence
        node                       unsigned 48 bit integer   10-15  The spatially unique node identifier
  • id2

    • group id
  • id3

    • beacon id
  • tx_power

    • RSSI value
  • mfg_reserved

    • MFG RESERVED
    • Reserved for manufacturers to implement special features

13.10. Eddystone_URL: scapy.contrib.eddystone.Eddystone_URL

The Eddystone-URL frame broadcasts a URL in a compressed encoding so that it fits better into the limited advertising packet. Once decoded, the URL can be used by any client with Internet access. For example, if an Eddystone-URL beacon broadcasts the URL https://goo.gl/Aq18zF, any client that receives the packet may choose to visit that URL.

  • Usage

      # Load the Eddystone contrib layer (in the scapy shell, or after: from scapy.all import *)
      load_contrib('eddystone')

      # Eddystone_URL.from_url(): returns an Eddystone_URL object for the given URL
      #
      # build_set_advertising_data(): builds an HCI_Cmd_LE_Set_Advertising_Data that can be sent over BLE
      # bt is the HCI socket opened as in 13.13: bt = BluetoothHCISocket(0)
      bt.sr(Eddystone_URL.from_url('https://scapy.net').build_set_advertising_data())
  • tx_power

    • RSSI value
  • url_scheme

    • prefix encoding scheme
  • url
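What the compressed encoding and the url_scheme prefix look like on the wire, as an added example that is neither the note's code nor scapy's Eddystone_URL implementation: a plain-Python encoder and decoder using the scheme-prefix and expansion tables from the Eddystone-URL specification. The 17-byte limit is the spec's size for the encoded URL after the scheme byte; function names are my own.

```python
# Added example, not code from the Scapy-Note page or from scapy's contrib
# module: the Eddystone-URL compression done by hand. The two tables are the
# scheme-prefix and expansion codes from the Eddystone-URL specification;
# function names are my own.

URL_SCHEMES = {0x00: "http://www.", 0x01: "https://www.", 0x02: "http://", 0x03: "https://"}
URL_EXPANSIONS = {
    0x00: ".com/", 0x01: ".org/", 0x02: ".edu/", 0x03: ".net/", 0x04: ".info/",
    0x05: ".biz/", 0x06: ".gov/", 0x07: ".com", 0x08: ".org", 0x09: ".edu",
    0x0A: ".net", 0x0B: ".info", 0x0C: ".biz", 0x0D: ".gov",
}
MAX_ENCODED_URL = 17   # bytes available for the encoded URL after the scheme byte

# Longest match first, so "https://www." beats "https://" and ".com/" beats ".com".
_SCHEMES_BY_LEN = sorted(URL_SCHEMES.items(), key=lambda kv: -len(kv[1]))
_EXPANSIONS_BY_LEN = sorted(URL_EXPANSIONS.items(), key=lambda kv: -len(kv[1]))


def encode_url(url: str) -> bytes:
    """Compress a URL into scheme byte + encoded URL, as an Eddystone-URL frame carries it."""
    for code, prefix in _SCHEMES_BY_LEN:
        if url.startswith(prefix):
            scheme, rest = code, url[len(prefix):]
            break
    else:
        raise ValueError("Eddystone-URL only encodes http(s) URLs")
    out = bytearray()
    i = 0
    while i < len(rest):
        for code, expansion in _EXPANSIONS_BY_LEN:
            if rest.startswith(expansion, i):
                out.append(code)
                i += len(expansion)
                break
        else:
            ch = ord(rest[i])
            if not 0x21 <= ch <= 0x7E:   # only printable ASCII is carried literally
                raise ValueError(f"character {rest[i]!r} cannot be encoded")
            out.append(ch)
            i += 1
    if len(out) > MAX_ENCODED_URL:
        raise ValueError(f"encoded URL is {len(out)} bytes, limit is {MAX_ENCODED_URL}")
    return bytes([scheme]) + bytes(out)


def decode_url(encoded: bytes) -> str:
    """Expand scheme byte + encoded URL back into the full URL."""
    if not encoded or encoded[0] not in URL_SCHEMES:
        raise ValueError("missing or unknown URL scheme byte")
    url = URL_SCHEMES[encoded[0]]
    for b in encoded[1:]:
        if b in URL_EXPANSIONS:
            url += URL_EXPANSIONS[b]
        elif 0x21 <= b <= 0x7E:
            url += chr(b)
        else:                      # 0x0e-0x20 and 0x7f-0xff are reserved
            raise ValueError(f"reserved byte 0x{b:02x} in encoded URL")
    return url


if __name__ == "__main__":
    for url in ("https://scapy.net", "http://www.example.com/path", "https://goo.gl/Aq18zF"):
        enc = encode_url(url)
        print(f"{url:<32} -> {enc.hex():<36} -> {decode_url(enc)}")
```

decode_url rejects reserved bytes rather than guessing at them, which matters because the receiver is parsing bytes from an unauthenticated radio source. The decoded URL is still attacker-chosen data, and a client should treat it like any other untrusted link before opening it.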

13.11. Apple_BLE_Submessage: scapy.contrib.ibeacon.Apple_BLE_Submessage

Apple base submessage

13.12. IBeacon_Data: scapy.contrib.ibeacon.IBeacon_Data

iBeacon advertising data frame. Built on top of Apple_BLE_Submessage.

  • Usage

      # Load the iBeacon contrib layer (in the scapy shell, or after: from scapy.all import *)
      load_contrib('ibeacon')

      p = Apple_BLE_Submessage()/IBeacon_Data(
          uuid='fb0b57a2-8228-44cd-913a-94a122ba1206',
          major=1, minor=2)

      # build_set_advertising_data: given an Apple_BLE_Submessage or Apple_BLE_Frame, returns an HCI_Cmd_LE_Set_Advertising_Data that can be sent over BLE
      # bt is the HCI socket opened as in 13.13: bt = BluetoothHCISocket(0)
      bt.sr(p.build_set_advertising_data())
  • uuid

    • organisation id

    • UUID

        UUID                   = time-low "-" time-mid "-"
                                time-high-and-version "-"
                                clock-seq-and-reserved
                                clock-seq-low "-" node
        time-low               = 4hexOctet
        time-mid               = 2hexOctet
        time-high-and-version  = 2hexOctet
        clock-seq-and-reserved = hexOctet
        clock-seq-low          = hexOctet
        node                   = 6hexOctet

        Field                      Data Type                 Octet  Note

        time_low                   unsigned 32 bit integer   0-3    The low field of the timestamp
        time_mid                   unsigned 16 bit integer   4-5    The middle field of the timestamp
        time_hi_and_version        unsigned 16 bit integer   6-7    The high field of the timestamp multiplexed with the version number
        clock_seq_hi_and_reserved  unsigned 8  bit integer   8      The high field of the clock sequence multiplexed with the variant
        clock_seq_low              unsigned 8  bit integer   9      The low field of the clock sequence
        node                       unsigned 48 bit integer   10-15  The spatially unique node identifier
  • major

    • Further specifies the particular iBeacon and use case. For example, this can define a sub-region within the larger region defined by the UUID.
  • minor

    • Allows the region or use case to be subdivided further, as specified by the application developer.
  • tx_power

    • RSSI value

13.13. Tips

1. The first step is to open an HCI socket on the underlying Bluetooth device
  • >>> bt = BluetoothHCISocket(0)
2. Discover nearby devices
  1. Configure the scan parameters
    • bt.sr(HCI_Hdr()/HCI_Command_Hdr()/HCI_Cmd_LE_Set_Scan_Parameters(type=1))
  2. Start scanning
    • bt.sr(HCI_Hdr()/HCI_Command_Hdr()/HCI_Cmd_LE_Set_Scan_Enable(enable=True,filter_dups=False))
  3. Capture packets
    • adverts = bt.sniff(lfilter=lambda p: EIR_CompleteLocalName in p, prn=lambda x:(x.reports[0].addr,x.getlayer(EIR_CompleteLocalName).local_name))
  4. Once packets have been received, disable discovery mode
    • bt.sr(HCI_Hdr()/HCI_Command_Hdr()/HCI_Cmd_LE_Set_Scan_Enable(enable=False))