WIRELESS VILLAGE - BLE CTF

Video in TIB AV-Portal: WIRELESS VILLAGE - BLE CTF

Formal Metadata

Title
WIRELESS VILLAGE - BLE CTF
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
2018
Language
English

Content Metadata

Abstract
The purpose of BLE CTF (https://github.com/hackgnar/ble_ctf) is to teach the core concepts of Bluetooth Low Energy client and server interactions. While it has also been built to be fun, it was built with the intent to teach and reinforce core concepts that are needed to plunge into the world of Bluetooth hacking. After completing this CTF, you should have everything you need to start fiddling with any BLE GATT device you can find.
I am Ryan. I'm gonna be talking to you about a little project I did. I released it a couple of months ago; it's a CTF based on BLE. I'll kind of tell you a little bit in depth about why I did it and kind of some of the components of it and the makeup. So, my Twitter handle is @hackgnar if you want to send me anything.

So the de facto "who am I" slide before I get started: I work at Atlassian. I run the security intelligence team, which is our DFIR team globally, and our red team. I'm an advisor for an endpoint security company named Ziften; it was kind of like a past life of mine when I worked there, but I'm happy at Atlassian now. I do a lot of Bluetooth stuff in my spare time. I'm an old man skateboarder; I like to skateboard a lot. There's a picture of me trying to teach my kid to drop in on a quarter pipe. Anyone else here like to skateboard? If you do, there's a really cool skate park about 15 minutes from here that I went to the other day. It's called, like, Arroyo Grande skate park. It's like a really unique park that's all like pump tracks. It killed my legs in about 20 minutes but it was a lot of fun. And then I'm a regular member of AHA as well, which is an Austin thing, a bunch of security nerds that get together once a month.

Okay, so on with this, the important stuff: what is this thing? So the BLE CTF is a Bluetooth Low Energy CTF. It's built on an ESP32 chipset. So I did nothing with the hardware, right, I just wrote all the firmware for this thing that kind of hosts the whole entire CTF. So there's my little disclaimer there that this chipset is not my creation, design or manufacture or anything like that; I just flashed the CTF to the firmware. You can even flash it on the DC Darknet badge this year because it's on the ESP32, so pretty cool. I was glad to get my hands on one of those. It's all written in C. I actually got the ESP32 because I heard you could do it in MicroPython, you could run MicroPython on it, and I was like, ah, that'd be super quick, I can do this like in five minutes. But you can't do a MicroPython stack and keep the Bluetooth stack at the same time, so I just wrote it all in C. The GATT server itself: basically the firmware creates a GATT server which hosts the CTF, and there's about 20 flags in total, and they're all meant to kind of step you through iteratively, like from beginning to more advanced steps in Bluetooth Low Energy.

So why did I create this thing, right? I think, like, throughout the years I've done a lot of Bluetooth talks and just a lot of Bluetooth research, and there wasn't like a de facto standard way to educate people on Bluetooth Low Energy. Even in Bluetooth Classic it's the same problem. So I created this CTF and it's really, you know, kind of like an entry level learning platform in order to get you ramped up to the skill set that you can start tinkering and hacking on Bluetooth Low Energy GATT servers. Low cost of entry, right? You can get these chips from China for about five dollars, so I didn't want to make anything that was super expensive. You need no prior Bluetooth experience if you want to get started with this. Don't think that's, you know, like... I've had my colleague Christian, who's in the audience, he had no Bluetooth experience before I used him as a guinea pig on the CTF to make sure that people could actually go through this thing from start to finish without knowing Bluetooth. And I wanted to get more people involved. I do a lot of Bluetooth talks and a lot of times I just see people's eyes glaze over and like they have no idea what I'm talking about, so I just wanted more people involved in this. And I'd never written a GATT server before, so it was a challenge unto myself.

All right, so what do you need to get started? As I mentioned, you'll need an ESP32 of any form, shape, whatever manufacturer. You can buy them on eBay for five dollars; you can buy them on Prime if you're impatient and get it the next day for ten dollars; or if you don't want to flash it at all, I sell overpriced ones for either twenty dollars or a beer and they're just pre-flashed with the CTF. And if you are getting one that's not pre-flashed you'll need the source code, which is in my repo that I'll share later. Basically you just compile it up and then you flash it to the ESP32. And then I would recommend that you have a Linux box in order to do the CTF. A lot of people have contacted me and they're like, oh, I just did it on my phone with nRF Connect. You can, but I think you're better off with a Linux box and using standard Linux tools.

From the software side, like I mentioned, if you're using a standard Linux box you can really do the entire CTF with hcitool and gatttool. There's other tools that help, you know; evilsocket's bleah (if I'm pronouncing it wrong let me know) is really useful for visualizing a GATT server and seeing everything that's running on it. So really great tool for you. You don't need it; you can't actually do the whole CTF in bleah, but it's really nice in order to just kind of visualize what's going on. And then I provide a Vagrant script in the source repository as well that will just spin up an Ubuntu box with all the tools that you need on it, if you're not running a Linux box and you're doing it on something like OS X.

Cool. Well, what will you learn, right? If you do the CTF from start to finish, it teaches you all the basics of Bluetooth Low Energy, like, and interacting with the GATT server. So you'll learn how to do reads in many ways, you'll learn how to do writes in many ways, notifications and notification tricks, indications and indication tricks. You'll learn to tinker with a lot of the client settings on a Bluetooth dongle, and like hcitool and things like that, and you'll learn a lot of the server structures that you will see in the GATT server. And there's a lot of other stuff in there, but these are kind of like the basics that you'll take away after you finish the CTF.
Cool, so I embedded a video demo; see if it even works. So here's me... is it... it's going over there but not over here. This is just showing getting started, right, like doing an hcitool scan and finding the CTF. So basically after you plug in the ESP32 and it's live, you'll do a scan and you'll find the MAC address that you'll need in order to just kind of poke around with it. And the next one is flag one. This is not like a spoiler; you can only get flag one by actually... sorry, the text is a little small there. I'll post these slides to my git repo afterwards though. See if I can make it start. Yes, for this just do this way. So here I have the git repo up and... I don't... god, it's not working over there. Yeah, I got demo... okay.

So flag one: you can only get it from reading the documentation, and the whole purpose of it is to actually just make sure that you know how to properly do a GATT read and a GATT write. So here on the left side you'll see the repo. The repo hosts a hint for every single flag. None of the hints want to give you a straight takeaway on how to actually get the flag, except for flag one, because flag one's just meant to be like kind of cut and paste: you swap out your MAC address and then you submit your flag value to the GATT server. So here in the bottom I'm just kind of going to read one characteristic handle. There's one handle inside of the GATT server that will basically tell you your score out of 20, so you have a 0 out of 20 or you have a 1 out of 20; it depends how many flags you've submitted. So the first thing we're gonna do here is we're gonna read that, and we'll see that we have a 0 out of 20 score. Then after that we're gonna take the value for flag 1, which is given to you in the documentation, and we're going to do a gatttool write of that value. And you can do these GATT writes with either gatttool or you can use bleah. It's a really nice way to do it, especially for a lot of the ASCII values, because you can submit the ASCII straight and not have to convert the hex to ASCII, so it's a nice way to do it. And then after that we're just going to go ahead and we're going to read the flag handle again and we'll see that we have a score of 1 out of 20 instead of 0 out of 20. And then just for kind of clarity as well, we'll go ahead and enumerate the GATT server with bleah in order to show all the values, which is a much nicer way to actually visualize the whole thing. So it's gonna be coming next... he's got cooler ASCII graphics too, me too. So, but here you can see we now have, you know, one out of twenty; we've submitted the first flag.
Cool. As for extras, there's kind of like some extras here. As I mentioned, you can do this whole CTF with just basics using hcitool and gatttool, but I had a lot of people say, hey, you know, like, I wanted something that was more complex and I needed an Ubertooth or anything like that. I didn't make that a requirement because, you know, as I mentioned before, I wanted this to be very entry level and cheap. But it is a great utility for learning to tinker with your Ubertooth or nRF sniffer firmware. So as you kind of do the whole entire CTF you know the values that you're submitting from the client to the server, so sniffing the traffic with the Ubertooth or Nordic Semiconductor's sniffer firmware, you know what values you're looking for in the pcap files. So it makes for a really nice tool. A lot of people have trouble when they first get into sniffing traffic with the Ubertooth or nRF Connect or the Nordic nRF sniffer firmware, because it's kind of fickle sometimes when you try to first sniff, you know, that initial connection in order to follow all the packets and end up with all your data in pcap. So this is a really nice way to kind of learn how to hone your skills in those tools as well. Another little easter egg too is there's actually two LEDs on this version of the ESP32 development hardware that I'm using, and so anytime anyone... like when you first fire it up only the red light's on, and then anytime anyone ever does a, like, a GATT read on any of your characteristics, the blue light turns on. So it's a really fun way to just, like, walk around the conference and see if anyone's actually looking at your Bluetooth. I've actually had a couple of them like running the whole entire time through, besides DEF CON and Black Hat, and I haven't had a blue light turn on once. So it kind of gives you a little idea of how many people were actually just actively, you know, scanning all Bluetooth devices out there.

And as I mentioned, I released this a few months ago and I've had like really great feedback, a lot of people just saying that it's a great tool to learn Bluetooth from the ground up. I was actually impressed with all the feedback I've gotten, so if you have done the CTF and you've given me feedback, thank you very much, I appreciate it. But my favorite feedback is this one. There's an intern who lives in Minnesota; this is his GitHub repo there. He forked the whole project to a fantasy RPG Bluetooth Low Energy CTF, so basically as you complete flags you kill, like, goblins and trolls and, you know, get cool swords and stuff. So I was like, that's just so amazing, that's a really cool project. So I don't know, but if you want to check out his stuff it's there. I think his repo name is just btle_ctf_fun.

Cool. Future work. So I really love feedback, I love critical feedback as well, and I realized that a lot of people want more advanced versions of the CTF. So here's some of the future work that I'm working on and some of the timelines that I kind of gave myself. So some of the stuff that I want to do for this version is to randomize all the flag values, so every time that you do make and make flash you have randomized values in the actual GATT server. And then I submitted this to a couple CTFs for upcoming conferences, and if I get accepted then I want to write a CTFd harness for it. So the ESP32s are actually dual-band: you can do Wi-Fi and Bluetooth on it, so it'd actually be really easy to just kind of hook up a networking harness to CTFd so you can actually keep scores and have like 20 of these things spread out, and then everyone can actually do their own CTF and then you can see the scores in the competition. So those are the two things for version 1 I'm gonna be adding. And then in late September... I've started work on v2, I hope to have it done by late September, and this one's just evil, laughs. I took like every single, like, evil GATT trick that I've learned and could think of and I've kind of started iterating it into PoCs right now, and I'm gonna just plug it all together and then have something in late September. A lot of people... it's probably gonna make you bang your head on the table and pull out all your hair and you'll think that it's broken, but there's a lot of evil GATT stuff you can do that you just don't see in any device, but once you start using APIs and coding it all in C and getting low level with it, there's a lot of really nasty stuff you can do. And then in late January, probably around ShmooCon time, I'm trying to get a v3 out, which would actually be two ESP32s, so that would actually have a requirement that you would need some type of sniffer hardware, whether it be an Ubertooth or the Nordic Semiconductor sniffer firmware. So those are my rough deadlines and I hope to get them done by then.

A couple of shout outs. Thanks to everyone that's actually done it, I really appreciate the feedback. My friend Alec, who I was drinking beers with at ShmooCon and kind of came up with this idea for the CTF. Christian, for making BTLE CTF stickers for me, because it's something I probably would have never done, and he was a good guinea pig. And then all my AHA people for listening to all my Bluetooth talks.

And then here's the resources if you want to check out the project: the repo's on the bottom, or you can just ping me, read my blog, I have a couple write-ups on it as well. But yeah, that's it. Questions? Where it gets cool: I got a bag full of these things too, if you want one just come talk to me. Oh, how did I get into attacking Bluetooth? I don't know. I started working on the Ubertooth firmware back when it was released. I did a DEF CON talk about it before Dominic did, so I have that one on him; he's not paying attention to me, but anywho. But that's how I got into it, I just started playing around with the Ubertooth and then had a lot of fun with it and started just playing with Bluetooth. Yeah, the question is what is the toolchain I'm using to flash the ESPs. It's just, uh, what does the manufacturer... just the typical SDK for it, the Espressif software development kit. So that's it. For a couple of these you can actually use, like, I've never done it but apparently you can flash a lot of the ESPs with, like, Arduino and stuff like that, but I don't know if it'll work or not. I just use the Espressif SDK. Other questions? All right, that's it. Thank you for coming. [Applause]
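One way to script the flag-one round trip the talk walks through (read the score handle, write the flag with gatttool, read the score again), as an added example that is not the ble_ctf project's own code: it hex-encodes the ASCII flag for gatttool's -n option (the conversion the speaker says bleah spares you) and decodes the score handle's read output back into text. The MAC address and handle values are placeholders and the sample gatttool output is constructed; gatttool's --char-read and --char-write-req options are real.

```python
"""Helpers for the flag-one workflow: read score handle, submit flag, re-read.
Added example, not code from the ble_ctf project. DEVICE_MAC and the two
handles are placeholders; take the real ones from hcitool lescan and the
ble_ctf documentation."""
import re

DEVICE_MAC = "00:11:22:33:44:55"   # placeholder: MAC shown by hcitool lescan
SCORE_HANDLE = "0x0000"            # placeholder: handle that reports "x /20"
FLAG_HANDLE = "0x0000"             # placeholder: handle flags are written to


def ascii_to_gatttool_hex(value: str) -> str:
    """gatttool's -n option takes the payload as a bare hex string, so an
    ASCII flag has to be hex-encoded by hand (bleah accepts ASCII directly)."""
    return value.encode("ascii").hex()


def read_cmd(mac: str = DEVICE_MAC, handle: str = SCORE_HANDLE) -> str:
    """gatttool command that reads one characteristic by handle."""
    return f"gatttool -b {mac} --char-read -a {handle}"


def write_cmd(flag: str, mac: str = DEVICE_MAC, handle: str = FLAG_HANDLE) -> str:
    """gatttool command that submits a flag value with a write request."""
    return f"gatttool -b {mac} --char-write-req -a {handle} -n {ascii_to_gatttool_hex(flag)}"


def decode_char_read(output: str) -> str:
    """Turn gatttool's 'Characteristic value/descriptor: 53 63 ...' line
    back into the ASCII the server actually holds."""
    m = re.search(r"Characteristic value/descriptor:\s*((?:[0-9a-fA-F]{2}\s*)+)", output)
    if not m:
        raise ValueError("no characteristic value in gatttool output")
    return bytes.fromhex(re.sub(r"\s", "", m.group(1))).decode("ascii", errors="replace")


def parse_score(text: str) -> tuple[int, int]:
    """Extract (submitted, total) from a score string such as 'Score:1 /20'."""
    m = re.search(r"(\d+)\s*/\s*(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised score string: {text!r}")
    return int(m.group(1)), int(m.group(2))


# Constructed sample of a score read before any flag has been submitted.
SAMPLE_SCORE_READ = "Characteristic value/descriptor: 53 63 6f 72 65 3a 30 20 2f 32 30 \n"

if __name__ == "__main__":
    print(read_cmd())                                  # step 1: read the score
    print(write_cmd("flag value from the documentation"))  # step 2: submit flag 1
    print(parse_score(decode_char_read(SAMPLE_SCORE_READ)))  # step 3: re-read
```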