Copyright © 2015 Michael Schloh von Bennewitz
Permission is granted to copy, distribute and/or
modify this document under the terms of the GNU Free
Documentation License, Version 1.3 or any later version
published by the Free Software Foundation; with no
Invariant Sections, no Front-Cover Texts, and no
Back-Cover Texts. A copy of the license is included
in the document entitled “fdl-1.3.txt”
Warning: Passive monitoring demos
Scanning the network…
Albert Einstein's IBM
Ada Lovelace's PDP-11
Method | Device | Passive | Active |
---|---|---|---|
802.3 capture | Ethernet tap | ✓ | ✕ |
802.11 MITM | Pineapple MKV | ✓ | ✕ |
BT/BLE capture | Ubertooth one | ✓ | ✕ |
Z-Wave/Zigbee | MuCCC Rad1o | ✕ | ✕ |
$ mosquitto_pub -h mqtt.devlol.org -t "devlol/winkekatze" -m "WINK"
$
Publishing to cat using mosquitto_pub(1)
Telemetry (NASA): “the highly automated communications process by which measurements are made and other data collected at remote or inaccessible points and transmitted to receiving equipment for monitoring.”
Telecommand (Wikipedia): “A telecommand is a command sent to control a remote system or systems not directly connected (e.g. via wires) to the place from which the telecommand is sent.”
// Simple subscribe client (use test.mosquitto.org?)
var mqtt = require('mqtt');
// 'host' is a placeholder for the broker; mqtt:// is plain TCP on port 1883, no TLS
var locli = mqtt.connect('mqtt://host/');
// The client queues the subscription and sends it once the session is up
locli.subscribe('messages');
// Payloads arrive as Buffers, so convert before printing
locli.on('message', function(topic, message) {
  console.log(message.toString());
});
Subscribing topics via MQTT from the broker
// Simple publish client (use test.mosquitto.org?)
var mqtt = require('mqtt');
var locli = mqtt.connect('mqtt://host/');
// Publish once the session is up, and close only after the broker has taken the message
locli.on('connect', function() {
  locli.publish('messages', 'Mqtt is pretty cool', function() {
    locli.end();
  });
});
// Other MQTT features: last will and testament, retained messages, QoS levels 0-2
Publishing messages via MQTT to the broker
Capture by MITM insertion
Easy capturing from Ethernet cable
Network topologies
Master operates on only one mode
BD_ADDR 00:06:66:42:21:52
// BlueZ samples
$ hcitool scan
Scanning ...
98:D6:XX:XX:XX:XX Nexus 4
00:0D:XX:XX:XX:XX Bluetooth Speaker
$ hcitool inq
Inquiring ...
98:D6:XX:XX:XX:XX clock offset: 0x0000 class: 0x5a020c
00:0D:XX:XX:XX:XX clock offset: 0x5a75 class: 0x240404
$ ./btclassify.py 0x5a020c 0x240404
0x5a020c: Phone (Smartphone): Telephony, Object Transfer, Capturing, Networking
0x240404: Audio/Video (Wearable Headset Device): Audio, Rendering
$ sdptool browse 98:D6:XX:XX:XX:XX | grep Service\ Name
Service Name: Headset Gateway
Service Name: Handsfree Gateway
$ sdptool records 00:0D:XX:XX:XX:XX
Service RecHandle: 0x10001
Service Class ID List:
"Audio Sink" (0x110b)
$ hcidump -w /tmp/inquiry.cap
$ wireshark /tmp/inquiry.cap
$ echo 'Filter Extended Inquiry Result events: bthci_evt.code == 0x2f'
Conducting reconnaissance with BlueZ
// Ubertooth samples
$ ubertooth-specan-ui
$ ubertooth-scan -s -t 40 -x
// Pair master and slave
$ ubertooth-rx
$ ubertooth-dump
$ sudo ubertooth-follow -l cafe00 -u 0x12 -a
Address given, assuming address is remote
Address: 00:00:12:CA:FE:00
AFH Map=0x3cffe01f0000007f01df
systime=1431730852 ch= 0 LAP=cafe00 err=0 clk100ns=1240630361 clk1=12257125 s=-71 n=-86 snr=15
Packet decoded with clock 0x40 (rv=1)
Type: POLL
Type: POLL
systime=1431730852 ch= 0 LAP=cafe00 err=2 clk100ns=1242681473 clk1=12257453 s=-17 n=-86 snr=69
Packet decoded with clock 0x40 (rv=1)
Type: POLL
Type: POLL
systime=1431730852 ch= 0 LAP=cafe00 err=0 clk100ns=1243456829 clk1=12257577 s=-16 n=-86 snr=70
Packet decoded with clock 0x40 (rv=1)
Type: DM1
LT_ADDR: 2
LLID: 0
flow: 0
payload length: 29
Data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Type: DM1
LT_ADDR: 2
LLID: 0
flow: 0
payload length: 29
Data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Conducting reconnaissance with Ubertooth
$ ubertooth-btle -f
systime=1431576352 freq=2402 addr=8e89bed6 delta_t=316892.462 ms
00 15 07 13 8c c0 1a 1c 02 01 1a 0b ff 4c 00 09 06 03 86 0a 00 00 07 8d d3 0a
Advertising / AA 8e89bed6 / 21 bytes
Channel Index: 37
Type: ADV_IND
AdvA: 1c:1a:c0:8c:13:07 (public)
AdvData: 02 01 1a 0b ff 4c 00 09 06 03 86 0a 00 00 07
Type 01 (Flags)
00011010
Type ff
4c 00 09 06 03 86 0a 00 00 07
Data: 07 13 8c c0 1a 1c 02 01 1a 0b ff 4c 00 09 06 03 86 0a 00 00 07
CRC: 8d d3 0a
systime=1431576415 freq=2402 addr=8e89bed6 delta_t=1280.003 ms
00 0d 53 6f e6 0e fd 08 02 01 18 03 19 c0 00 db b7 44
Advertising / AA 8e89bed6 / 13 bytes
Channel Index: 37
Type: ADV_IND
AdvA: 08:fd:0e:e6:6f:53 (public)
AdvData: 02 01 18 03 19 c0 00
Type 01 (Flags)
00011000
Type 19
c0 00
Data: 53 6f e6 0e fd 08 02 01 18 03 19 c0 00
CRC: db b7 44
...or via Wireshark(1)
$ ubertooth-btle -f -c /tmp/pipe
$ echo 'Filter connection requests and nonzero data packets...'
$ echo 'btle.type == 0x05 || (btle.data && btle.length > 0)'
Conducting BLE reconnaissance with Ubertooth
Dirty tricks
/etc/bluetooth/bt_stack.conf (the Android Bluedroid stack configuration; setting BtSnoopLogOutput=true there makes the phone itself write an HCI snoop log of everything its stack sends and receives)
Building... with MQTT, Boyd et al, IBM Redbooks (ebook, 2014)
Rethinking the IoT, Francis daCosta, Apress Open (online ebook, 2014)