search

RCayre / mirage

Mirage is a powerful and modular framework dedicated to the security analysis of wireless communications.
https://homepages.laas.fr/rcayre/mirage-documentation
MIT License
261 stars 48 forks source link

Error during HCI device instanciation : AttributeError: 'NoneType' object has no attribute 'send' #21

Open stabla opened 3 years ago

stabla commented 3 years ago

AttributeError: 'NoneType' object has no attribute 'send'

I was trying to execute a Man In The Middle attack with the ble_mitm module, but each time I reconfigure the BD Address manually, I got a failure, an AttributeError then it crashes. I have to kill the process to exit. The hci BD Address has been correctly modified tho.

Am I doing something that I shouldn't? Especially with tthe bdaddr command?

Logs Short version:


root@raspberrypi:/home/pi/mirage# ./mirage_launcher ble_mitm TARGET=FC:58:FA:14:F8:CE
[INFO] Module ble_mitm loaded !
[SUCCESS] HCI Device (hci0) successfully instanciated !
[SUCCESS] HCI Device (hci1) successfully instanciated !
[INFO] Entering SCAN stage ...
...
...
[INFO] Changing HCI Device (hci1) Address to : FC:58:FA:14:F8:CE
[INFO] Connecting to slave FC:58:FA:14:F8:CE...
[SUCCESS] BD Address successfully modified !
[FAIL] Error during HCI device instanciation !
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.7/threading.py", line 917, in _bootstrap_inner
    self.run()
  File "/home/pi/mirage/mirage/libs/wireless_utils/packetQueue.py", line 19, in run
    self._target(*(self._args))
...
...
  File "/home/pi/mirage/mirage/libs/bt.py", line 89, in send
    self.socket.send(data)
AttributeError: 'NoneType' object has no attribute 'send'

Detailed version:

root@raspberrypi:/home/pi/mirage# ./mirage_launcher ble_mitm TARGET=FC:58:FA:14:F8:CE
[INFO] Module ble_mitm loaded !
[SUCCESS] HCI Device (hci0) successfully instanciated !
[SUCCESS] HCI Device (hci1) successfully instanciated !
[INFO] Entering SCAN stage ...
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=CC:6E:A4:1D:CA:8F | data=0201181bff75004204030113170501cc6ea41dca8f0000ce6ea41dca8e0001 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=CC:6E:A4:1D:CA:8F | data=1c085b41565d2053616d73756e6720536f756e64626172204d53353530 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=62:6B:6F:72:48:9A | data=03039ffe17169ffe0262506450496774416d4b6b00000177ff4a6064 >>
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=62:6B:6F:72:48:9A | data=09ffe000010eca6f5aa2 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=15:D0:69:41:B7:32 | data=1eff060001092002f03e5540970b4555d8f0bf6e09a62a42e22f06f63b6501 >>
[PACKET] << BLE - Advertisement Packet | type=ADV_IND | addr=FC:58:FA:14:F8:CE | data=0201060503e0ff02180709485431343037 >>
[SUCCESS] Found corresponding advertisement !
[PACKET] << BLE - Advertisement Packet | type=SCAN_RSP | addr=FC:58:FA:14:F8:CE | data=0709485431343037 >>
[INFO] Entering CLONE stage ...
[INFO] Changing HCI Device (hci1) Address to : FC:58:FA:14:F8:CE
[INFO] Connecting to slave FC:58:FA:14:F8:CE...
[SUCCESS] BD Address successfully modified !
[FAIL] Error during HCI device instanciation !
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.7/threading.py", line 917, in _bootstrap_inner
    self.run()
  File "/home/pi/mirage/mirage/libs/wireless_utils/packetQueue.py", line 19, in run
    self._target(*(self._args))
  File "/home/pi/mirage/mirage/libs/wireless.py", line 206, in _task
    self._add(pkt)
  File "/home/pi/mirage/mirage/libs/wireless.py", line 186, in _add
    self._executeCallbacks(packet)
  File "/home/pi/mirage/mirage/libs/wireless.py", line 350, in _executeCallbacks
    callback.run(packet)
  File "/home/pi/mirage/mirage/libs/wireless_utils/callbacks.py", line 64, in run
    self.function(*args, **kwargs)
  File "/home/pi/mirage/mirage/core/scenario.py", line 62, in wrapper
    result = function(self,*args,**kwargs)
  File "/home/pi/mirage/mirage/modules/ble_mitm.py", line 114, in scanStage
    self.cloneStage(self.address,self.dataAdvInd,self.dataScanRsp,self.intervalMin,self.intervalMax,self.addrType)
  File "/home/pi/mirage/mirage/core/scenario.py", line 62, in wrapper
    result = function(self,*args,**kwargs)
  File "/home/pi/mirage/mirage/modules/ble_mitm.py", line 128, in cloneStage
    self.a2mEmitter.setScanningParameters(data=dataResponse)
  File "/home/pi/mirage/mirage/libs/ble.py", line 325, in setScanningParameters
    self._internalCommand(New_HCI_Cmd_LE_Set_Scan_Response_Data(data=advData,len=len(data)))
  File "/home/pi/mirage/mirage/libs/bt.py", line 130, in _internalCommand
    self.send(cmd)
  File "/home/pi/mirage/mirage/libs/bt.py", line 89, in send
    self.socket.send(data)
AttributeError: 'NoneType' object has no attribute 'send'
RCayre commented 3 years ago

Hi, thanks for reporting this issue. Could you please provide me the output of lsusb ? Regards, Romain Cayre

stabla commented 3 years ago

Hi,

Yes !

#lsusb
Bus 001 Device 020: ID 0a12:0001 Cambridge Silicon Radio, Ltd Bluetooth Dongle (HCI mode)
Bus 001 Device 003: ID 0424:ec00 Standard Microsystems Corp. SMSC9512/9514 Fast Ethernet Adapter
Bus 001 Device 002: ID 0424:9514 Standard Microsystems Corp. SMC9514 Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
szbinks commented 3 years ago

Hi, I have the exact same problem but in a virtual machine, have you found a solution ?

I did a lsusb

lsusb

Bus 001 Device 007: ID 0a12:0001 Cambridge Silicon Radio, Ltd Bluetooth Dongle (HCI mode) Bus 001 Device 009: ID 0a12:0001 Cambridge Silicon Radio, Ltd Bluetooth Dongle (HCI mode) Bus 001 Device 002: ID 80ee:0021 VirtualBox USB Tablet Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

stabla commented 3 years ago

Hi @FabienOnGithub,

Still haven't found a proper way to fix this issue, yet, have you tried to run it with python3? Sometimes it helps

szbinks commented 3 years ago

Thanks for your reply ! I already tried to use python3 but unfortunately I still have the same error... It seems that the "send error" comes from the device which attempt to connect to Mirage. I tried with two devices : a Raspberry Pi 4 with Kali linux and my smartphone (a Samsung Galaxy S8 with Android 9). I always have the error with the Raspberry but I never had it with my phone. I still don't understand why but at least I could use Mirage.

RCayre commented 3 years ago

Hi, The problem is probably linked to the BD address modification of CSR dongles, because I have to reset the socket for this specific manufacturer. Try to replace : utils.wait(seconds=1) by utils.wait(seconds=3) in libs/bt.py at line 472.
Let me know if it solves the problem.

rriley commented 2 years ago

Hi,

I'm not the original poster, but I have the same problem with a Bluetooth adapter that uses a CSR chipset. I tried your patch (I tried 3 seconds and even tried it at 30 seconds) with no change. Do you have any other thoughts? I appreciate your time and help.

szbinks commented 2 years ago

Hello ! In my memories I litteraly SPAMMED until it works (I had a school project and the subject was to perform a MiTM so I just showed a succesful attempt). I still don't understand this error so I can't really help you sorry.

RCayre commented 2 years ago

Hi, Thanks for reporting this issue. Can you 1) run hcidump -i hciX 2) run Mirage and trigger the bug on hciX 3) provide me the output of hcidump, please ?