Bluetooth low energy data packet sniffing and Bluetooth packet capture replay


Bluetooth low energy packet sniffing

Tools:
Bluetooth sniffing tool: one nRF51822 dongle

Wireshark

One Android phone

Here the nRF51822 is used together with Wireshark to capture Bluetooth low energy data packets.

The nRF51822 dongle looks like this:

Steps

1. Go to the Nordic website (https://www.nordicsemi.com) and download the corresponding Segger J-Link tool, the dongle toolkit and the Sniffer Python script. The operating documentation is in the same place; because the official documentation is very detailed, only the key operations are introduced here.

2. Open Wireshark, go to Help > About Wireshark, click Folders, and double-click the Extcap path.

3. Unzip the nrf_sniffer_(version)_(hash).zip file into this directory and copy the contents of its extcap directory into this directory, as shown in the figure below.

4. In Wireshark, go to Edit > Configuration Profiles, select Profile_nRF_Sniffer-(version), and confirm.

5. Use Segger J-Link to flash the corresponding firmware to the dongle and restart Wireshark; you can then see the following:

At this point, sniffing of Bluetooth low energy data packets is working.

A change of approach: an alternative way of capturing packets

If the scenario is an Android phone connected to a Bluetooth device, there is another way to capture the Bluetooth communication:

1. Enable the phone's developer options;

2. In the developer options, enable the Bluetooth packet log (on some phones it is called "Enable Bluetooth HCI snoop log" or similar; the name and the generated file differ between phones);

3. With this setting enabled, turn on Bluetooth, connect the device and operate it; the communication during this time is recorded;

4. Locate the recorded file; it is usually named something like btsnoop_hciXXX;

5. Finally, open the recorded file with Wireshark.

Other

There is another way, using the CC2540 USB dongle, which I personally feel is not as easy to use as the two methods above.

Its capture interface is as follows; it does not have Wireshark's protocol dissection:


Bluetooth capture and replay:


System environment:
Kali

Tools:
Bluetooth adapter
bluez
hciconfig
hcitool
gatttool

Tool commands:

hciconfig checks the Bluetooth adapter and brings it up;

hcitool lescan scans for surrounding Bluetooth low energy devices and displays the device type and MAC address;

gatttool -b {MAC} -I connects to the Bluetooth device in interactive mode;

Here I use the Bluetooth that comes with the virtual machine and the laptop. I don't know whether the problem is the virtual machine or the Bluetooth: the Bluetooth is recognized, but an error is reported when I use it. I need to troubleshoot whether an additional Bluetooth adapter is needed or whether it cannot be used from the virtual machine;


BtleJuice: Bluetooth man-in-the-middle
Another test method:

https://github.com/DigitalSecurity/btlejuice

BtleJuice provides a GUI and can perform replay attacks.

App: nRF Connect

The test method is the same: capture packets to find the handle and value, then use the app to locate the handle and send the corresponding handle and value.
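As an added example, not code from the original post, the following Python script does the "capture the packet to find the handle and value" step offline: it parses an Android btsnoop_hci log of the kind produced in the developer-options section above and lists every ATT Write Request or Write Command with its handle and value, which is exactly what the replay step later enters in gatttool or nRF Connect. The file layout and the HCI/L2CAP/ATT fields follow the public btsnoop format and the Bluetooth Core specification; the sample log, the connection handle 0x0040, the attribute handle 0x0025 and the value 5a0101 are constructed inside the script for illustration and are not from a real device.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# btsnoop file layout (BlueZ / Wireshark): 8-byte magic, u32 version, u32 datalink,
# then records of u32 orig_len, u32 incl_len, u32 flags, u32 drops, u64 timestamp, data.
BTSNOOP_MAGIC = b"btsnoop\x00"
BTSNOOP_DATALINK_H4 = 1002                     # HCI UART (H4) framing, what Android writes
BTSNOOP_EPOCH_OFFSET_US = 0x00DCDDB30F2F8000   # microseconds from 0 AD to 1970-01-01

H4_COMMAND = 0x01
H4_ACL = 0x02
ATT_CID = 0x0004          # fixed L2CAP channel for ATT
ATT_WRITE_REQ = 0x12
ATT_WRITE_RSP = 0x13
ATT_WRITE_CMD = 0x52


@dataclass
class BtsnoopRecord:
    direction: str      # "sent" (host -> controller) or "received"
    timestamp_us: int   # microseconds since the Unix epoch
    data: bytes         # H4 packet: indicator byte followed by the HCI packet


def parse_btsnoop(blob: bytes) -> List[BtsnoopRecord]:
    """Split a btsnoop_hci.log blob into records, validating the header and lengths."""
    if blob[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", blob[8:16])
    if version != 1 or datalink != BTSNOOP_DATALINK_H4:
        raise ValueError(f"unsupported btsnoop version {version} / datalink {datalink}")
    records, off = [], 16
    while off < len(blob):
        if off + 24 > len(blob):
            raise ValueError("truncated record header")
        _orig_len, incl_len, flags, _drops, ts = struct.unpack(">IIIIQ", blob[off:off + 24])
        off += 24
        data = blob[off:off + incl_len]
        if len(data) != incl_len:
            raise ValueError("truncated record data")
        off += incl_len
        direction = "received" if flags & 0x1 else "sent"   # flags bit 0 = direction
        records.append(BtsnoopRecord(direction, ts - BTSNOOP_EPOCH_OFFSET_US, data))
    return records


def extract_att_writes(records: List[BtsnoopRecord]) -> List[Tuple[str, int, bytes]]:
    """Return (direction, handle, value) for every ATT Write Request/Command in the log."""
    writes = []
    for rec in records:
        d = rec.data
        if len(d) < 5 or d[0] != H4_ACL:
            continue
        # HCI ACL header: 12-bit connection handle + 2-bit PB + 2-bit BC flags, then length
        handle_flags, acl_len = struct.unpack("<HH", d[1:5])
        if (handle_flags >> 12) & 0x3 == 0x1:
            continue  # continuation fragment carries no L2CAP header (no reassembly here)
        payload = d[5:5 + acl_len]
        if len(payload) < 4:
            continue
        l2cap_len, cid = struct.unpack("<HH", payload[:4])
        att = payload[4:4 + l2cap_len]
        if cid != ATT_CID or len(att) < 3 or att[0] not in (ATT_WRITE_REQ, ATT_WRITE_CMD):
            continue
        handle = struct.unpack("<H", att[1:3])[0]
        writes.append((rec.direction, handle, att[3:]))
    return writes


def build_sample_btsnoop() -> bytes:
    """Constructed sample log (not a real capture): one LE Set Scan Enable command, one ATT
    Write Request from the phone to handle 0x0025 with value 5a0101, and the Write Response."""
    def record(data: bytes, received: bool, ts_us: int) -> bytes:
        flags = (1 if received else 0) | (0 if data[0] == H4_ACL else 2)  # bit 1 = cmd/event
        return struct.pack(">IIIIQ", len(data), len(data), flags, 0,
                           ts_us + BTSNOOP_EPOCH_OFFSET_US) + data

    def acl(att: bytes) -> bytes:
        l2cap = struct.pack("<HH", len(att), ATT_CID) + att
        return bytes([H4_ACL]) + struct.pack("<HH", 0x0040, len(l2cap)) + l2cap  # conn handle 0x0040

    cmd = bytes([H4_COMMAND]) + struct.pack("<H", 0x200C) + bytes([2, 1, 0])
    write_req = acl(bytes([ATT_WRITE_REQ]) + struct.pack("<H", 0x0025) + bytes.fromhex("5a0101"))
    write_rsp = acl(bytes([ATT_WRITE_RSP]))
    header = BTSNOOP_MAGIC + struct.pack(">II", 1, BTSNOOP_DATALINK_H4)
    base = 1_600_000_000_000_000
    return (header + record(cmd, False, base) + record(write_req, False, base + 1000)
            + record(write_rsp, True, base + 2000))


if __name__ == "__main__":
    for direction, handle, value in extract_att_writes(parse_btsnoop(build_sample_btsnoop())):
        print(f"{direction}: handle 0x{handle:04x} value {value.hex()}")
```

Running the script on the built-in sample prints the single write (handle 0x0025, value 5a0101); to use it on a phone log, read the btsnoop_hciXXX file into `parse_btsnoop` instead of calling `build_sample_btsnoop`. The header and length checks make it a quick way to confirm a pulled log is intact and actually contains the write traffic before opening it in Wireshark, and the handle/value pairs it lists are the ones referred to in the handle-and-value step above.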
