Link: https://github.com/dhgdhg/Scapy-Note
13. Bluetooth
13.1.BluetoothHCISocket:scapy.layers.bluetooth.BluetoothHCISocket
This is the "base" level interface for talking to the Bluetooth controller. Everything else is built on top of it; it is the closest to the physical layer you can get with ordinary Bluetooth hardware.
- iface
  - For the hcitool output below, iface should be 0: BluetoothHCISocket(0)
```text
# hcitool dev
Devices:
        hci0    AA:AA:AA:AA:AA:AA
```
13.2.HCI_Hdr:scapy.layers.bluetooth.HCI_Hdr
HCI header
13.3.HCI_Command_Hdr:scapy.layers.bluetooth.HCI_Command_Hdr
HCI Command header
13.4.HCI_Cmd_LE_Set_Scan_Parameters:scapy.layers.bluetooth.HCI_Cmd_LE_Set_Scan_Parameters
LE Set Scan Parameters
- type
  - 1: active scanning
- interval
  - Unit: slots of 0.625 ms
  - How often a scan is performed
13.5.HCI_Cmd_LE_Set_Scan_Enable:scapy.layers.bluetooth.HCI_Cmd_LE_Set_Scan_Enable
LE Set Scan Enable
- enable
  - True: scanning enabled
  - False: scanning disabled
- filter_dups
  - True: duplicate reports are not delivered
  - False: duplicate reports are delivered, since they sometimes carry different data
13.6.EIR_Hdr:scapy.layers.bluetooth.EIR_Hdr
EIR Header
type
- Value (may be given as a number or as one of the strings below)
- Details: https://www.bluetooth.com/specifications/assigned-numbers/generic-access-profile
0x01: "flags"
0x02: "incomplete_list_16_bit_svc_uuids"
0x03: "complete_list_16_bit_svc_uuids"
0x04: "incomplete_list_32_bit_svc_uuids"
0x05: "complete_list_32_bit_svc_uuids"
0x06: "incomplete_list_128_bit_svc_uuids"
0x07: "complete_list_128_bit_svc_uuids"
0x08: "shortened_local_name"
0x09: "complete_local_name"
0x0a: "tx_power_level"
0x0d: "class_of_device"
0x0e: "simple_pairing_hash"
0x0f: "simple_pairing_rand"
0x10: "sec_mgr_tk"
0x11: "sec_mgr_oob_flags"
0x12: "slave_conn_intvl_range"
0x14: "list_16_bit_svc_sollication_uuids"
0x15: "list_128_bit_svc_sollication_uuids"
0x16: "svc_data_16_bit_uuid"
0x17: "pub_target_addr"
0x18: "rand_target_addr"
0x19: "appearance"
0x1a: "adv_intvl"
0x1b: "le_addr"
0x1c: "le_role"
0x1d: "simple_pairing_hash_256"
0x1e: "simple_pairing_rand_256"
0x1f: "list_32_bit_svc_sollication_uuids"
0x20: "svc_data_32_bit_uuid"
0x21: "svc_data_128_bit_uuid"
0x22: "sec_conn_confirm"
0x23: "sec_conn_rand"
0x24: "uri"
0x25: "indoor_positioning"
0x26: "transport_discovery"
0x27: "le_supported_features"
0x28: "channel_map_update"
0x29: "mesh_pb_adv"
0x2a: "mesh_message"
0x2b: "mesh_beacon"
0x3d: "3d_information"
0xff: "mfg_specific_data"
len
13.7.HCI_LE_Meta_Advertising_Report:scapy.layers.bluetooth.HCI_LE_Meta_Advertising_Report
type
- https://www.bluetooth.com/zh-cn/specifications/assigned-numbers/generic-access-profile/
- 0: conn_und
  - ADV_IND: connectable undirected advertising event
- 1
  - ADV_DIRECT_IND: connectable directed advertising event
- 2
  - ADV_NONCONN_IND: non-connectable undirected advertising event
- 3
  - SCAN_REQ: scan request
- 4: scan_rsp
  - SCAN_RSP: scan response
- 5
  - CONNECT_REQ: connection request
- 6
  - ADV_SCAN_IND: scannable undirected advertising event
atype
- 0: public
- 1: random
addr
- LE MAC address
len
data
- EIR_Hdr type
rssi
RSSI stands for Received Signal Strength Indicator: the strength of the beacon's signal as seen at the receiving device.

| RSSI | Range (meters) |
| --- | --- |
| -115 dBm | 2 |
| -84 dBm | 4 |
| -81 dBm | 10 |
| -77 dBm | 20 |
| -72 dBm | 30 |
| -69 dBm | 40 |
| -65 dBm | 60 |
| -59 dBm | 70 |

- Unit: meters
- MP: Measured Power
  - Example: Measured Power = -69 (for kontakt BLE beacons)
- N: constant that depends on environmental factors, in the range 2-4
13.8.HCI_LE_Meta_Advertising_Reports:scapy.layers.bluetooth.HCI_LE_Meta_Advertising_Reports
- len
  - Length
- reports
  - List of HCI_LE_Meta_Advertising_Report
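As an added example that is not part of the original notes or of Scapy, a dependency-free Python parser for the event the fields above describe: it walks the EIR/AD structures of 13.6 (type, len, value) and the HCI_LE_Meta_Advertising_Report fields of 13.7 (type, atype, addr, len, data, rssi), which is what the sniff in 13.13 receives from the controller. The function names and the sample packet are constructed here; a truncated AD structure is rejected instead of being read past the end of the buffer.

```python
import struct

# Subset of the EIR type names listed on the page (scapy.layers.bluetooth.EIR_Hdr).
EIR_TYPES = {0x01: "flags", 0x08: "shortened_local_name", 0x09: "complete_local_name",
             0x0A: "tx_power_level", 0xFF: "mfg_specific_data"}

def parse_eir(data):
    """Split advertising data into (EIR type name, value) pairs. Stops at a
    zero-length terminator; rejects a len field that runs past the buffer."""
    out, i = [], 0
    while i < len(data):
        length = data[i]
        if length == 0:
            break
        if i + 1 + length > len(data):
            raise ValueError("truncated EIR structure at offset %d" % i)
        ad_type = data[i + 1]
        out.append((EIR_TYPES.get(ad_type, "0x%02x" % ad_type),
                    bytes(data[i + 2:i + 1 + length])))
        i += 1 + length
    return out

def parse_le_adv_report(pkt):
    """Parse a raw HCI event packet (type 0x04, LE Meta event 0x3E, subevent 0x02)
    into a list of reports. Assumes the reports are laid out back to back, as
    Scapy's HCI_LE_Meta_Advertising_Reports models them."""
    if pkt[0] != 0x04 or pkt[1] != 0x3E or pkt[3] != 0x02:
        raise ValueError("not an LE Advertising Report event")
    if pkt[2] != len(pkt) - 3:
        raise ValueError("HCI parameter length does not match packet size")
    reports, pos = [], 5
    for _ in range(pkt[4]):                        # num_reports
        ev_type, atype = pkt[pos], pkt[pos + 1]
        # The 6 address bytes are little-endian on the wire; show them MSB first.
        addr = ":".join("%02X" % b for b in pkt[pos + 2:pos + 8][::-1])
        dlen = pkt[pos + 8]
        data = pkt[pos + 9:pos + 9 + dlen]
        rssi = struct.unpack("b", pkt[pos + 9 + dlen:pos + 10 + dlen])[0]
        reports.append({"type": ev_type, "atype": "random" if atype else "public",
                        "addr": addr, "rssi": rssi, "data": parse_eir(data)})
        pos += 10 + dlen
    return reports

# Constructed sample: one report, public address 11:22:33:44:55:66, AD structures
# flags=0x06 and complete_local_name="Tag", RSSI -69 dBm (signed byte 0xBB).
SAMPLE = bytes.fromhex("043E14" "0201" "0000" "665544332211" "08"
                       "020106" "0409546167" "BB")
```

Calling `parse_le_adv_report(SAMPLE)` returns one report whose data decodes to the flags and the name "Tag".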
13.9.AltBeacon:scapy.contrib.altbeacon.AltBeacon
AltBeacon is a protocol specification that defines a message format for proximity beacon advertisements. Devices transmit AltBeacon proximity beacon advertisements to signal their presence to nearby receivers. The transmitted message contains information that a receiving device can use to identify the beacon and compute its relative distance to it. The receiving device can use this information as a contextual trigger to run procedures and implement behaviour related to being near the transmitting beacon.
Usage
```python
# Load AltBeacon
load_contrib('altbeacon')
ab = AltBeacon(
    id1='2f234454-cf6d-4a0f-adf2-f4911ba9ffa6',
    id2=1,
    id3=2,
    tx_power=-59,
)
bt.sr(ab.build_set_advertising_data())
```
header
id1
- Organization id
- UUID
```text
UUID                   = time-low "-" time-mid "-"
                         time-high-and-version "-"
                         clock-seq-and-reserved
                         clock-seq-low "-" node
time-low               = 4hexOctet
time-mid               = 2hexOctet
time-high-and-version  = 2hexOctet
clock-seq-and-reserved = hexOctet
clock-seq-low          = hexOctet
node                   = 6hexOctet
```

| Field | Data Type | Octet | Note |
| --- | --- | --- | --- |
| time_low | unsigned 32 bit integer | 0-3 | The low field of the timestamp |
| time_mid | unsigned 16 bit integer | 4-5 | The middle field of the timestamp |
| time_hi_and_version | unsigned 16 bit integer | 6-7 | The high field of the timestamp multiplexed with the version number |
| clock_seq_hi_and_reserved | unsigned 8 bit integer | 8 | The high field of the clock sequence multiplexed with the variant |
| clock_seq_low | unsigned 8 bit integer | 9 | The low field of the clock sequence |
| node | unsigned 48 bit integer | 10-15 | The spatially unique node identifier |

id2
- Group id
id3
- Beacon id
tx_power
- RSSI value
mfg_reserved
- MFG RESERVED
- Reserved for manufacturers to implement special features
13.10.Eddystone_URL:scapy.contrib.eddystone.Eddystone_URL
An Eddystone-URL frame broadcasts a URL in a compressed encoding so that it fits better in the limited advertising packet. Once decoded, the URL can be used by any client with Internet access. For example, if an Eddystone-URL beacon broadcasts the URL https://goo.gl/Aq18zF, any client that receives this packet may choose to visit that URL.
Usage
```python
# Load Eddystone
load_contrib('eddystone')
# Eddystone_URL.from_url(): returns an Eddystone_URL object for the given URL
# build_set_advertising_data(): produces an HCI_Cmd_LE_Set_Advertising_Data that can be sent over BLE
bt.sr(Eddystone_URL.from_url('https://scapy.net').build_set_advertising_data())
```
tx_power
- RSSI value
url_scheme
- Prefix encoding scheme
url
13.11.Apple_BLE_Submessage:scapy.contrib.ibeacon.Apple_BLE_Submessage
Apple base submessage
13.12.IBeacon_Data:scapy.contrib.ibeacon.IBeacon_Data
iBeacon broadcast data frame. Built on top of Apple_BLE_Submessage.
Usage
```python
# Load ibeacon
load_contrib('ibeacon')
p = Apple_BLE_Submessage()/IBeacon_Data(
    uuid='fb0b57a2-8228-44cd-913a-94a122ba1206',
    major=1, minor=2)
# build_set_advertising_data: called on an Apple_BLE_Submessage or Apple_BLE_Frame,
# returns an HCI_Cmd_LE_Set_Advertising_Data that can be sent over BLE
bt.sr(p.build_set_advertising_data())
```
uuid
- Organization id
- UUID, same format as id1 in 13.9
major
- Further specifies a particular iBeacon and use case. For example, this can define a sub-region within the larger region defined by the UUID.
minor
- Allows further subdivision of the region or use case, as specified by the application developer.
tx_power
- RSSI value
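As an added example (not from these notes or from Scapy's contrib module), the byte layout behind the IBeacon_Data usage above, built and decoded without Scapy: the Apple manufacturer-specific AD structure (company id 0x004C, subtype 0x02, length 0x15, UUID, major, minor, tx_power) wrapped in an HCI LE Set Advertising Data command packet. The flags value 0x06, the tx_power of -59 and all function names are assumptions; decode_ibeacon shows the length and header checks a receiver should make before trusting the fields.

```python
import struct
import uuid

IBEACON_COMPANY_ID = 0x004C            # Apple; little-endian on the wire
IBEACON_SUBTYPE, IBEACON_SUBLEN = 0x02, 0x15

def ibeacon_mfg_data(proximity_uuid, major, minor, tx_power):
    """Build the value of the mfg_specific_data (0xFF) AD structure for an
    iBeacon: company id, subtype 0x02, length 0x15, UUID, major, minor, tx_power."""
    if not (0 <= major <= 0xFFFF and 0 <= minor <= 0xFFFF):
        raise ValueError("major/minor must fit in 16 bits")
    if not -128 <= tx_power <= 127:
        raise ValueError("tx_power is a signed 8-bit dBm value")
    return (struct.pack("<H", IBEACON_COMPANY_ID)
            + bytes([IBEACON_SUBTYPE, IBEACON_SUBLEN])
            + uuid.UUID(proximity_uuid).bytes          # 16 bytes, big-endian
            + struct.pack(">HHb", major, minor, tx_power))

def build_set_advertising_data(ad_structures):
    """Wrap (type, value) AD structures in an HCI LE Set Advertising Data command:
    packet type 0x01, opcode 0x2008 (OGF 0x08 / OCF 0x0008, little-endian),
    parameter length 32 = 1 length byte + 31 data bytes (zero padded)."""
    payload = b"".join(bytes([len(v) + 1, t]) + v for t, v in ad_structures)
    if len(payload) > 31:
        raise ValueError("advertising data is limited to 31 bytes")
    return bytes([0x01, 0x08, 0x20, 0x20, len(payload)]) + payload.ljust(31, b"\x00")

def decode_ibeacon(mfg_value):
    """Inverse of ibeacon_mfg_data; returns None unless the value is a
    well-formed iBeacon payload (exact length, Apple id, subtype and length)."""
    if len(mfg_value) != 25 or struct.unpack("<H", mfg_value[:2])[0] != IBEACON_COMPANY_ID:
        return None
    if mfg_value[2:4] != bytes([IBEACON_SUBTYPE, IBEACON_SUBLEN]):
        return None
    major, minor, tx_power = struct.unpack(">HHb", mfg_value[20:25])
    return {"uuid": str(uuid.UUID(bytes=mfg_value[4:20])), "major": major,
            "minor": minor, "tx_power": tx_power}

# Same uuid/major/minor as the page's IBeacon_Data example; tx_power -59 is assumed.
MFG = ibeacon_mfg_data("fb0b57a2-8228-44cd-913a-94a122ba1206", 1, 2, -59)
# Flags 0x06 (LE General Discoverable, BR/EDR not supported) is an assumed value.
CMD = build_set_advertising_data([(0x01, b"\x06"), (0xFF, MFG)])
```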
13.13.Tips
- The first step is to open an HCI socket to the underlying Bluetooth device
```python
bt = BluetoothHCISocket(0)
```
- Discover nearby devices
  - Configure scan parameters
```python
bt.sr(HCI_Hdr()/HCI_Command_Hdr()/HCI_Cmd_LE_Set_Scan_Parameters(type=1))
```
  - Start scanning
```python
bt.sr(HCI_Hdr()/HCI_Command_Hdr()/HCI_Cmd_LE_Set_Scan_Enable(enable=True, filter_dups=False))
```
  - Start capturing
```python
adverts = bt.sniff(lfilter=lambda p: EIR_CompleteLocalName in p,
                   prn=lambda x: (x.reports[0].addr, x.getlayer(EIR_CompleteLocalName).local_name))
```
  - Once packets have been received, disable discovery mode
```python
bt.sr(HCI_Hdr()/HCI_Command_Hdr()/HCI_Cmd_LE_Set_Scan_Enable(enable=False))
```
- Configure parameters