Yunnan University School of Software Lab Report
Course: Wireless Network Security Lab    Semester: Spring semester, 2017-2018 academic year    Instructor: Zhang Yunchun    Major: Information Security    Student ID: ________    Name: _______    Grade: ___________
Experiment 6: Bluetooth Cracking
I. Objectives
1. Using a mobile phone and related Bluetooth devices, enable Bluetooth, study Bluetooth technology in depth, and simulate attacks against it.
2. Use professional tools to crack the Bluetooth PIN (personal identification number).
II. Experiment content
1. Briefly analyze the two Bluetooth device authentication modes, "legacy pairing" and "Secure Simple Pairing", and confirm which mode the devices chosen for this experiment use.
Legacy pairing: this mode is built on the BD_ADDR of the two devices, a 16-byte random number generated by the initiator, and a PIN code that the user enters manually on both devices (except for "fixed PIN" devices, whose PIN the user cannot change).
Secure Simple Pairing: the biggest difference from legacy pairing is that no PIN has to be typed in. After the devices discover each other, both sides compute and automatically generate a 6-digit random number, and each side confirms whether the number generated by the other matches its own. If they match, the identity of the peer is confirmed and pairing completes.
So that the PIN can be intercepted in the later steps, a Symbian phone that uses legacy pairing was chosen as the experiment device. Because the laptop lacked the necessary hardware support and could not capture Bluetooth packets, an Android phone, from which the Bluetooth log file can easily be exported, was used for capture.
In the figure below, the Bluetooth HCI snoop log was enabled in Developer options.
[Figure: Android Developer options screen with the Bluetooth HCI snoop log enabled.]
2. Perform active device scanning.
Use Wireshark or similar tools to capture the key packets of the "inquiry scan" and "inquiry response", and parse their contents.
After the Symbian phone and the Android phone completed pairing, we located the btsnoop_hci.log file on the Android phone through the file manager, copied it to the computer, and opened it with Wireshark.
Inquiry scan:
[Wireshark screenshot: HCI packets between host and controller, encapsulated as Bluetooth H4 with Linux header, captured on Jun 14, 2018. Frame 2 (7 bytes) is an HCI Event from controller to host: Command Complete (event code 0x0e), Parameter Total Length 4, Number of Allowed Command Packets 1, Command Opcode Reset (0x0c03), Status Success (0x00).]
Setting the scan period and the allowed scan parameters:
[Wireshark screenshot: the host sends Write Current IAC LAP and then Write Inquiry Scan Activity (HCI Command, opcode 0x0c1e, Parameter Total Length 4) with Interval 2048 slots (1280 msec) and Window 18 slots (11.25 msec); the controller answers with Command Complete. The host then sends Inquiry (opcode 0x0401, Parameter Total Length 5) with LAP 0x9e8b33, Inquiry Length 10 (12.8 sec) and Num Responses 0, followed by Command Status and LE Meta events from the controller.]
Inquiry response:
[Wireshark screenshot: the controller reports Inquiry Result with RSSI (HCI Event, event code 0x22, Parameter Total Length 15), Num Responses 1, containing the BD_ADDR, Page Scan Repetition Mode, Reserved 0x02 and Class of Device (Phone: Cellular; services: Networking, Capturing, Object Transfer, Telephony) of the discovered Symbian phone. The host then sends Inquiry Cancel and receives Command Complete (Inquiry Cancel) with Status Success (0x00), followed by LE Set Scan Enable and its Command Complete.]
3. Sniff the Bluetooth link and use Wireshark to record the packets of the pairing process between two "legacy Bluetooth" devices, extracting the key fields from them, including IN_RAND, the two COMB_KEY values, AU_RAND, SRES, etc., with the necessary screenshots.
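As an added example, not part of the original report, the following Python parses the btsnoop_hci.log format exported in step 2 and decodes the same HCI packets the Wireshark screenshots show (Write Inquiry Scan Activity, Command Complete, Inquiry, Inquiry Result with RSSI), so the scan parameters can be checked without Wireshark. The log bytes, the BD_ADDR 02:00:00:aa:bb:cc, the clock offset and the RSSI are constructed sample values, not data from the experiment.

```python
import struct

# Android btsnoop_hci.log: 8-byte magic "btsnoop\0", uint32 version (1), uint32 datalink (1002 = HCI H4), then
# big-endian records: orig_len, incl_len, flags (bit 0 set = controller->host), drops, int64 timestamp, H4 packet.
def _rec(from_controller, pkt):
    return struct.pack(">IIIIq", len(pkt), len(pkt), (1 if from_controller else 0) | 2, 0, 0) + pkt

# Constructed sample log (not a real capture) with the four packet kinds the report's screenshots show.
SAMPLE_LOG = (b"btsnoop\x00" + struct.pack(">II", 1, 1002)
    + _rec(False, b"\x01" + struct.pack("<HBHH", 0x0C1E, 4, 2048, 18))                 # Write Inquiry Scan Activity
    + _rec(True, b"\x04" + struct.pack("<BBBHB", 0x0E, 4, 1, 0x0C1E, 0))                 # Command Complete, Success
    + _rec(False, b"\x01" + struct.pack("<HB", 0x0401, 5) + b"\x33\x8b\x9e\x0a\x00")     # Inquiry: GIAC, 10 x 1.28 s
    + _rec(True, b"\x04" + struct.pack("<BBB", 0x22, 15, 1) + bytes.fromhex("ccbbaa000002")  # Inquiry Result + RSSI
           + b"\x01\x00\x0c\x02\x5a" + struct.pack("<Hb", 0x1234, -60)))                # PSRM, rsvd, CoD, clock, RSSI

def decode_h4(pkt, direction):
    rec = {"direction": direction}
    if pkt[0] == 0x01:                                # HCI command: opcode (LE16), param length, params
        opcode, p = struct.unpack("<H", pkt[1:3])[0], pkt[4:4 + pkt[3]]
        rec.update(type="cmd", opcode=opcode)
        if opcode == 0x0401:                          # Inquiry: LAP (3 bytes LE), length in 1.28 s units, max responses
            rec.update(name="Inquiry", lap=int.from_bytes(p[0:3], "little"),
                       inquiry_length_s=p[3] * 1.28, num_responses=p[4])
        elif opcode == 0x0C1E:                        # Write Inquiry Scan Activity: interval and window in 0.625 ms slots
            interval, window = struct.unpack("<HH", p[:4])
            rec.update(name="Write Inquiry Scan Activity", interval_ms=interval * 0.625, window_ms=window * 0.625)
    elif pkt[0] == 0x04:                              # HCI event: event code, param length, params
        code, p = pkt[1], pkt[3:3 + pkt[2]]
        rec.update(type="evt", event=code)
        if code == 0x0E:                              # Command Complete: num packets, completed opcode, status
            rec.update(name="Command Complete", opcode=struct.unpack("<H", p[1:3])[0], status=p[3])
        elif code == 0x22 and p[0] == 1:              # Inquiry Result with RSSI, single response
            rec.update(name="Inquiry Result with RSSI",
                       bd_addr=":".join(f"{b:02x}" for b in p[1:7][::-1]),   # BD_ADDR is stored little-endian
                       class_of_device=int.from_bytes(p[9:12], "little"),
                       rssi_dbm=struct.unpack("<b", p[14:15])[0])
    return rec

def parse_btsnoop(data):
    version, datalink = struct.unpack(">II", data[8:16])
    if data[:8] != b"btsnoop\x00" or (version, datalink) != (1, 1002):
        raise ValueError("expected btsnoop v1 with HCI H4 records (datalink 1002)")
    pos, records = 16, []
    while pos + 24 <= len(data):
        _orig, incl, flags, _drops, _ts = struct.unpack(">IIIIq", data[pos:pos + 24])
        pkt = data[pos + 24:pos + 24 + incl]
        records.append(decode_h4(pkt, "controller->host" if flags & 1 else "host->controller"))
        pos += 24 + incl
    return records
```

Running parse_btsnoop on a real exported log lists every inquiry window and every device that answered, which is the same information Wireshark's Inquiry Result with RSSI frames show.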