Implement Mirage Extension

[nsidesm]

This Pull Request contains the work done during my Master Thesis. Since this single commit contains a lot of changes, i tried to clarify the work, which was done.

---

Modified Files:

---

mirage/libs/ble.py:

• Added Logic for nRF 52840 Zephyr hci_usb Device and corresponding MITM Mode.
• Added Secure Connection Packets (e.g. BLEPublicKey, BLEDHKeyCheck)
• Added logic to backup and restore Callbacks of Receivers
• Removed Packet Fragmentation Implementation (is now part of mirage/libs/bt.py)

mirage/libs/ble_utils/constants.py:

• Added LL Opcodes and Error Codes

mirage/libs/ble_utils/dissector.py:

• Fixed HIDMapping (was not working for my devices)

mirage/libs/ble_utils/packets.py

• Small Adjustments

mirage/libs/ble_utils/scapy_link_layers.py

• Added bindings for LL Encryption packets

mirage/libs/bt.py

• Added Packet Fragmentation Code
• Added Logic for nRF 52840 Zephyr hci_usb Device and corresponding MITM Mode.

mirage/libs/bt_utils/scapy_vendor_specific.py

• Added Zephyr HCI Commands

mirage/modules/ble_connect.py

• Added Logic to set new BD Address at each Start

mirage/modules/ble_discovery.py

• Added Discovery of Security Property

mirage/modules/ble_pair.py

• Added Option to modify Address
• Reduced Logging

---

New Files:

---

Cryptographic functions for secure connections pairing:

• mirage/libs/ble_utils/sc_crypto.py

Generic BLE Module, does nothing and is suitable for scenarios, which perform specific tasks:

• mirage/modules/ble_generic.py

BLE Relay Module (Requires the nRF 52840 Dongles with customized Zephyr hci_usb Firmware*):

• mirage/modules/ble_relay.py

Secure Connections MITM Module, uses downgrade attack to pair with both devices using Just Works Pairing:

• mirage/modules/ble_sc_mitm.py

Secure Connections Pairing Module, for pairing Secure Connections devices:

• mirage/modules: ble_sc_pair.py

Scenario to fuzz a writable GATT characteristic:

• mirage/scenarios/ble_att_fuzz.py

Scenario for Blue Door Attack https://dl.acm.org/doi/10.1145/3386901.3389025 (Requires the nRF 52840 Dongles with customized Zephyr hci_usb Firmware*):

• mirage/scenarios/ble_blue_door.py

Scenario for BlueMirror Attack https://ieeexplore.ieee.org/document/9474325:

• mirage/scenarios/ble_blue_mirror.py

Scenario for Fixed Coordinate Invalid Curve Attack https://dl.acm.org/doi/abs/10.1007/978-3-030-38471-5_11:

• mirage/scenarios/ble_fixed_coord_invalid_curve.py

Scenario for HID Injection Attack:

• mirage/scenarios/ble_hid_mitm.py

Scenario for KNOB Attack https://dl.acm.org/doi/10.1145/3394497:

• mirage/scenarios/ble_knob.py

Scenario for Replay Attacks (Without Pairing for Application Layer Security):

• mirage/scenarios/ble_replay.py

Scenario to scan for security Properties of the Device:

• mirage/scenarios/ble_scan_sec_req.py

Scenario to test cryptographic implementation of Secure Connections Cryptography:

• mirage/scenarios/ble_sc_crypto_test.py

Scenario for Zero LTK Attack https://github.com/Matheus-Garbelini/sweyntooth_bluetooth_low_energy_attacks/issues/13:

• mirage/scenarios: ble_zero_ltk.py

---

* https://github.com/nsidesm/zephyr/tree/zephyr_hci_extension

[RCayre]

Hi, Thank you very much for this amazing PR. I don't have enough time to review it right know, but I'll do it as soon as possible. Thanks again for this great contribution !

[jsmif]

@nsidesm where can your masters thesis be found?