homewsn/bsniffhub
GitHub: homewsn/bsniffhub
Bsniffhub is a utility that interfaces BLE sniffers with Wireshark to capture, decrypt and display wireless traffic.
Stars: 65 | Forks: 5
[Releases](https://github.com/homewsn/bsniffhub/releases) · [Test workflow](https://github.com/homewsn/bsniffhub/actions?workflow%3Atest) · [AppVeyor build](https://ci.appveyor.com/project/homewsn/bsniffhub) · [Coverity Scan](https://scan.coverity.com/projects/homewsn-bsniffhub)
### Bsniffhub
Bsniffhub is a utility that interfaces Bluetooth Low Energy (BLE) sniffers with Wireshark to capture, decrypt and display wireless traffic.
Bsniffhub combines the following capabilities:
* Support for several types of BLE sniffers that communicate over a virtual USB serial port, for example Blesniff, Sniffle, nRF Sniffer, SmartRF Packet Sniffer 2 or STM32WB BLE Sniffer
* Launching Wireshark and feeding it packets through a local pipe
* Support for several BLE link-layer header types for PCAP files and Wireshark, such as LINKTYPE_BLUETOOTH_LE_LL, [LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR](https://www.tcpdump.org/linktypes/LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR.html) and [LINKTYPE_NORDIC_BLE](https://www.tcpdump.org/linktypes/LINKTYPE_NORDIC_BLE.html); dissectors for these types ship with the Wireshark distribution
* Obtaining the Temporary Key (TK), computing the Short Term Key (STK) and then capturing the Long Term Key (LTK) when the BLE devices use the Legacy Pairing method with the Just Works or Passkey Entry association model
* Computing the LTK when the Secure Connections method is used and at least one BLE device uses the debug keys
* Decrypting the traffic when the LTK is known or can be provided

Bsniffhub can be used both together with a BLE sniffer and to decrypt BLE traffic from PCAP and PCAPNG files.
Bsniffhub comes in a console version and a GUI version, and can be built for Linux or Windows.
#### Dependencies
* [libpcap](https://www.tcpdump.org/#latest-releases) (or the [Npcap SDK](https://nmap.org/npcap/#download) on Windows)
* [TinyCrypt Cryptographic Library](https://github.com/intel/tinycrypt)
* [IUP Portable User Interface](http://webserver2.tecgraf.puc-rio.br/iup/) (for the GUI version)
#### Build (Linux)
To build both the console and the GUI version:
```
$ make
```
or
```
$ make bsniffhub
$ make bsniffhubgui
```
Make sure that Wireshark is installed.
#### Build (Windows)
Download the zip archive of the [latest release](https://github.com/homewsn/bsniffhub/releases) from GitHub and unpack it, or clone the bsniffhub repository.
You need to download the [Npcap SDK](https://nmap.org/npcap/#download) yourself, since its license prohibits redistribution, and unpack it into the `bsniffhub/msvs/lib/npcap` directory.
You need the appropriate [IUP library](lib/iup/ReadMe.md#downloading-and-installation-windows) to build the GUI version.
The TinyCrypt library source files are included in `bsniffhub/lib/tinycrypt`.
Open the MSVC 2017 solution, change the IUP library path in the bsniffhubgui project properties if needed, then build the solution or an individual project.
Make sure that Wireshark and the Npcap runtime libraries are installed.
#### Usage (Linux)
The console version has the following options:
```
$ ./bsniffhub
One of the options -s or -r is required.
Usage: bsniffhub -s -p [-b ] [-c ] [-f ] [-R ] [-m ] [-i ] [-e] [-w ] [-l ] [-n] [-L ] [-W ]
bsniffhub -r [-w ] [-l ] [-n] [-L ] [-W ]
Mandatory arguments for sniffer device input:
-s Sniffer device:
'B' - Blesniff
'N3' - nRF Sniffer v3
'N4' - nRF Sniffer v4
'S' - Sniffle
'T' - SmartRF Packet Sniffer 2
'WB' - STM32WB BLE Sniffer
-p Serial port name
Optional argument for sniffer device input:
-b Serial port baudrate (def: from sniffer guide)
-c Primary advertising channel(s) to listen on: 37, 38 or 39
(def: 37,38,39 for Blesniff and nRF Sniffer, 37 for others)
-R Filter sniffer packets by minimum RSSI
-m Filter sniffer packets by advertiser MAC
-i Filter sniffer packets by advertiser IRK
-e Sniffle follow connections on secondary advertising channels
-f Blesniff follow mode:
'conn' - connection
'pa' - periodic advertising
'cis' - connected isochronous stream ('conn' is also required)
'bis' - broadcast isochronous stream ('pa' is also required)
(def: conn,pa,cis,bis)
Mandatory argument for PCAP file input:
-r PCAP input file name
Optional arguments for output (def: output to Wireshark):
-w PCAP output file name
-l Output link layer type number:
'251' - LINKTYPE_BLUETOOTH_LE_LL
'256' - LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR (def)
'272' - LINKTYPE_NORDIC_BLE
-n Don't try to decrypt
-L LTK key for decrypting packets
-W Path to Wireshark.exe
Examples:
bsniffhub -s B -l 272 -R -70 -c 37,38 -f conn,cis -L 6ab0580e966e7b61f4470dfb696b3799
bsniffhub -s T -p COM5
bsniffhub -s S -p COM40 -b 1000000 -W D:\Wireshark\Wireshark.exe
bsniffhub -s N4 -p COM22 -l 251 -n -w C:\PCAP files\test.pcap
bsniffhub -r input.pcap
bsniffhub -r C:\PCAP files\input.pcap -l 272 -w C:\PCAP files\output.pcap
```
#### Usage (Windows)
See [Usage (Linux)](#usage-linux)
One additional optional argument for output is added:
```
-W Path to Wireshark.exe
```
#### Examples (Linux)
Run Wireshark, capture packets from `Blesniff` on port `/dev/ttyUSB2` and feed the captured packets with `LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR` headers to `Wireshark`, ignoring advertising packets on the primary advertising channels with an RSSI below `-70`, following only connection (`conn`) and CIS (`cis`) packets (periodic advertising and BIS packets are ignored), and decrypting with the LTK `6ab0580e966e7b61f4470dfb696b3799`:
```
$ ./bsniffhub -s B -p /dev/ttyUSB2 -R -70 -f conn,cis -L 6ab0580e966e7b61f4470dfb696b3799
```
Run Wireshark, capture packets from `SmartRF Packet Sniffer 2` on port `/dev/ttyUSB2` and feed the captured packets with `LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR` headers to `Wireshark`:
```
$ ./bsniffhub -s T -p /dev/ttyUSB2
```
Run Wireshark, capture packets from `Sniffle` on port `/dev/ttyACM0` at a baud rate of `921600 bps` and feed the captured packets with `LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR` headers to `Wireshark`:
```
$ ./bsniffhub -s S -p /dev/ttyACM0 -b 921600
```
Capture packets from `nRF Sniffer 4` on port `/dev/ttyUSB0` and save the captured packets with `LINKTYPE_BLUETOOTH_LE_LL` headers to the `test.pcap` file without attempting to decrypt:
```
$ ./bsniffhub -s N4 -p /dev/ttyUSB0 -l 251 -n -w test.pcap
```
Run Wireshark, open the `input.pcap` file and feed the packets with `LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR` headers to `Wireshark`:
```
$ ./bsniffhub -r input.pcap
```
Open the `input/input.pcap` file and save the packets with `LINKTYPE_NORDIC_BLE` headers to the `output/output.pcap` file:
```
$ ./bsniffhub -r input/input.pcap -l 272 -w output/output.pcap
```
#### Examples (Windows)
See [Examples (Linux)](#examples-linux), but if Wireshark is not installed at `C:\Program Files\Wireshark\Wireshark.exe`, you can use the additional optional argument `-W`:
```
> bsniffhub -s S -p COM40 -W D:\\Wireshark\\Wireshark.exe
```
#### Obtaining the LTK if the BLE devices use Legacy Pairing
If the `-n` option is not used and the BLE devices use the Legacy Pairing method with the Just Works or Passkey Entry association model, Bsniffhub can provide the TK, STK and LTK. You can use the corresponding pcap files from the examples directory for a demonstration.
Legacy Pairing method with the Just Works association model:
```
$ ./bsniffhub -rexamples/lp-justworks.pcap -wout.pcap
examples/lp-justworks.pcap is loading ...
Creating the out.pcap file ...
File loading completed.
Connection created.
Channel selection algorithm #2 detected.
Connection established.
BLE Legacy pairing method detected.
Just Works association model used.
STK found: abfe42fb9efa80c5f0a0b92fd564ecad
Encryption start detected. STK used.
LTK found: 4cc7cbe225e6244cf5fae1b95021f080
Connection terminated.
File processing completed.
```
Legacy Pairing method with the Passkey Entry association model:
```
$ ./bsniffhub -rexamples/lp-passkeyentry-393699-initiator-displays-responder-inputs.pcap -wout.pcap
examples/lp-passkeyentry-393699-initiator-displays-responder-inputs.pcap is loading ...
Creating the out.pcap file ...
File loading completed.
Connection created.
Channel selection algorithm #2 detected.
Connection established.
BLE Legacy pairing method detected.
Passkey Entry association model used.
Do you have the Passkey? No
Please wait. Brute force method will be used to find the Passkey.
The entered Passkey found: 393699
STK found: 6f4617cf841d5fdc4a4faac6bf4c521f
Encryption start detected. STK used.
LTK found: fd821e6a920e0339bbc9a27f4385a23d
Connection terminated.
File processing completed.
```
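The `STK found` lines above, and the TK/STK step in the feature list, come from the Bluetooth legacy-pairing key function s1, which turns the Temporary Key and the two pairing random values (Srand, Mrand) into the STK. The following Go program is an added example, not bsniffhub's own code, that implements s1 on top of the standard `crypto/aes` package and shows why Just Works legacy pairing offers no protection against a passive sniffer: the TK is the all-zero key, so anyone who saw the pairing exchange can compute the STK and then read the LTK distributed under it. The sample values are the s1 sample data from the Core Specification (Vol 3, Part H, 2.2.4), not from a capture; the function names (`smpE`, `s1`, `justWorksSTK`, `reverseBytes`) are this example's own.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// Added example of the BLE legacy-pairing key function s1 (Bluetooth Core
// Specification, Vol 3, Part H, 2.2.4); this is not bsniffhub code.
// STK = s1(TK, Srand, Mrand). With Just Works the TK is all zeros, so the STK is
// computable by any observer of the pairing exchange.
//
// Values are handled in the specification's big-endian notation (most
// significant byte first). SMP fields seen on the air, as Wireshark shows them,
// are little-endian and must be byte-reversed first; see reverseBytes.

// smpE is the Bluetooth "e" function: AES-128 encryption of a single block.
func smpE(key, block []byte) ([]byte, error) {
	if len(key) != 16 || len(block) != 16 {
		return nil, fmt.Errorf("e: key and block must be 16 bytes, got %d and %d", len(key), len(block))
	}
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 16)
	c.Encrypt(out, block)
	return out, nil
}

// s1 forms r' from the least significant 64 bits of r1 (upper half of r') and
// the least significant 64 bits of r2 (lower half of r'), then returns e(k, r').
func s1(k, r1, r2 []byte) ([]byte, error) {
	if len(r1) != 16 || len(r2) != 16 {
		return nil, fmt.Errorf("s1: r1 and r2 must be 16 bytes, got %d and %d", len(r1), len(r2))
	}
	rPrime := make([]byte, 0, 16)
	rPrime = append(rPrime, r1[8:]...) // low 64 bits of r1: the last 8 bytes in big-endian notation
	rPrime = append(rPrime, r2[8:]...) // low 64 bits of r2
	return smpE(k, rPrime)
}

// reverseBytes converts between little-endian over-the-air order and the
// big-endian notation used here; it returns a new slice.
func reverseBytes(b []byte) []byte {
	out := make([]byte, len(b))
	for i, v := range b {
		out[len(b)-1-i] = v
	}
	return out
}

// justWorksSTK derives the STK of a Just Works legacy pairing (TK = 0) from the
// Srand and Mrand values as they appear on the air (little-endian order) and
// returns the STK in the specification's big-endian notation.
func justWorksSTK(srandLE, mrandLE []byte) ([]byte, error) {
	tk := make([]byte, 16) // Just Works: the Temporary Key is all zeros
	return s1(tk, reverseBytes(srandLE), reverseBytes(mrandLE))
}

// mustHex decodes a hex string or panics; used only for the fixed sample data.
func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	// Sample data from the specification's description of s1 (not from a capture).
	k := mustHex("00000000000000000000000000000000")
	r1 := mustHex("000F0E0D0C0B0A091122334455667788")
	r2 := mustHex("010203040506070899AABBCCDDEEFF00")
	stk, err := s1(k, r1, r2)
	if err != nil {
		panic(err)
	}
	fmt.Printf("s1 = %x\n", stk)
}
```

The same construction with a non-zero TK is what the Passkey Entry model relies on; there the TK is only a six-digit number, which is why the output above can recover it and then derive the STK.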
#### Obtaining the LTK if the BLE devices use Secure Connections with debug keys
If the `-n` option is not used and the BLE devices use the Secure Connections method with at least one device using the debug keys, Bsniffhub can provide the LTK. You can use the corresponding pcap files from the examples directory for a demonstration.
Secure Connections method with the Just Works association model:
```
$ ./bsniffhub -rexamples/sc-justworks.pcap -wout.pcap
examples/sc-justworks.pcap is loading ...
Creating the out.pcap file ...
File loading completed.
Connection created.
Channel selection algorithm #2 detected.
Connection established.
BLE Secure Connection method detected.
Just Works association model used.
BLE Secure Connection Debug mode of the slave device detected.
LTK found: 7df27955f679736a7a286b0566f88ad8
Encryption start detected. LTK used.
Connection terminated.
File processing completed.
```
Secure Connections method with the Numeric Comparison association model:
```
$ ./bsniffhub -rexamples/sc-numericcomparison-380717.pcap -wout.pcap
examples/sc-numericcomparison-380717.pcap is loading ...
Creating the out.pcap file ...
File loading completed.
Connection created.
Channel selection algorithm #2 detected.
Connection established.
BLE Secure Connection method detected.
Numeric Comparison association model used.
BLE Secure Connection Debug mode of the slave device detected.
LTK found: 1047e6f9fbf05a2bfb850e0f45b00f92
The numeric compare value found: 380717
Encryption start detected. LTK used.
Connection terminated.
File processing completed.
```
#### Decrypting if the LTK can be provided
By entering the key when prompted:
```
$ ./bsniffhub -rexamples/ltk-063F1154BC631D186D48A05B7F5DCD8F.pcap -wout.pcap
examples/ltk-063F1154BC631D186D48A05B7F5DCD8F.pcap is loading ...
Creating the out.pcap file ...
File loading completed.
Connection created.
Channel selection algorithm #2 detected.
Connection established.
Encryption request detected, but LTK unknown.
Do you have the Long Term Key (LTK)? Yes
Please enter the LTK: 063F1154BC631D186D48A05B7F5DCD8F
Encryption start detected. LTK used.
Connection terminated.
File processing completed.
```
Using the -L option on the command line:
```
$ ./bsniffhub -rexamples/ltk-063F1154BC631D186D48A05B7F5DCD8F.pcap -L063F1154BC631D186D48A05B7F5DCD8F -wout.pcap
examples/ltk-063F1154BC631D186D48A05B7F5DCD8F.pcap is loading ...
Creating the out.pcap file ...
File loading completed.
Connection created.
Channel selection algorithm #2 detected.
Connection established.
Encryption start detected. LTK used.
Connection terminated.
File processing completed.
```