Command-line Interface ====================== Mirage provides a command line interface, allowing to easily manipulate modules and background tasks. To run the command line interface, just type the following command in a terminal : :: $ mirage Listing the existing modules ----------------------------- The ``list`` command displays a list of the existing modules : :: ~~> list ┌Modules─────────────┬────────────┬────────────────────────────────────────────────────────────────────────────┐ │ Name │ Type │ Description │ ├────────────────────┼────────────┼────────────────────────────────────────────────────────────────────────────┤ │ wifi_info │ info │ Information module for Wifi interface │ │ ble_hijack │ attack │ Hijacking module for Bluetooth Low Energy Connections │ │ ble_pair │ action │ Pairing module for Bluetooth Low Energy devices │ │ esb_info │ info │ Information module for Enhanced ShockBurst interface │ │ mosart_scan │ scan │ Scanning module for Mosart devices │ │ ble_adv │ spoofing │ Spoofing module simulating a Bluetooth Low Energy advertiser │ │ mosart_keylogger │ attack │ Keystrokes logger module for Mosart keyboard │ │ mosart_inject │ action │ Injection module for Mosart devices │ │ mouse_visualizer │ tool │ Visualization module allowing to display mice movements │ │ ble_mitm │ attack │ Man-in-the-Middle module for Bluetooth Low Energy devices │ │ esb_sniff │ sniff │ Sniffing module for Enhanced ShockBurst communications │ │ wifi_rogueap │ spoofing │ Spoofing module simulating a fake Access Point │ │ zigbee_deauth │ attack │ Deauthentication module for Zigbee networks │ │ esb_scan │ scan │ Scan module for Enhanced ShockBurst Devices │ │ ble_sniff │ sniff │ Sniffing module for Bluetooth Low Energy devices │ │ bt_scan │ scan │ Scan module for Bluetooth Devices │ │ ble_scan │ scan │ Scan module for Bluetooth Low Energy devices │ │ zigbee_floodassoc │ attack │ Flooding module for Zigbee communications │ │ esb_inject │ action │ Injection module for Enhanced ShockBurst communications │ │ ble_discover │ discover │ Discovery module for Bluetooth Low Energy ATT / GATT layers │ │ zigbee_info │ info │ Information module for Zigbee interface │ │ wifi_deauth │ attack │ Deauthentication module for WiFi networks │ │ ble_monitor │ monitoring │ HCI Monitoring module for Blutooth Low Energy │ │ ble_jam │ attack │ Jamming module for Bluetooth Low Energy advertisements and connections │ │ esb_prx │ spoofing │ This module permits the User to simulate an Enhanced ShockBurst PRX device │ │ zigbee_inject │ action │ Injection module for Zigbee communications │ │ mosart_keyinjector │ attack │ Keystrokes injection module for Mosart keyboard │ │ mosart_info │ info │ Information module for Mosart interface │ │ ble_connect │ action │ Connection module for Bluetooth Low Energy devices │ │ esb_ptx │ spoofing │ This module permits the User to simulate an Enhanced ShockBurst PTX device │ │ ir_inject │ action │ Injection module for IR signals │ │ zigbee_sniff │ sniff │ Sniffing module for Zigbee communications │ │ bt_info │ info │ Information module for Bluetooth interface │ │ mosart_sniff │ sniff │ Sniffing module for Mosart devices │ │ zigbee_scan │ scan │ Scan module for Zigbee Devices │ │ ir_sniff │ sniff │ Sniffing module for IR signals │ │ ble_slave │ spoofing │ Spoofing module simulating a Bluetooth Low Energy slave │ │ ble_crack │ bruteforce │ Enumerates all possible values of PIN in order to find the Temporary Key │ │ wifi_scan │ scan │ Scan module for Wifi Access Point and Stations │ │ ble_master │ spoofing │ This module permits the User to interact with Bluetooth Low Energy slaves │ │ ble_info │ info │ Information module for Bluetooth Low Energy interface │ │ ir_info │ info │ Information module for IR interface │ └────────────────────┴────────────┴────────────────────────────────────────────────────────────────────────────┘ The ``list`` command allows to provide a filter, it permits to easily select some specific results : :: ~~> list scan ┌Modules──────┬──────┬────────────────────────────────────────────────┐ │ Name │ Type │ Description │ ├─────────────┼──────┼────────────────────────────────────────────────┤ │ mosart_scan │ scan │ Scanning module for Mosart devices │ │ esb_scan │ scan │ Scan module for Enhanced ShockBurst Devices │ │ bt_scan │ scan │ Scan module for Bluetooth Devices │ │ ble_scan │ scan │ Scan module for Bluetooth Low Energy devices │ │ zigbee_scan │ scan │ Scan module for Zigbee Devices │ │ wifi_scan │ scan │ Scan module for Wifi Access Point and Stations │ └─────────────┴──────┴────────────────────────────────────────────────┘ Loading, configuring and running a module ------------------------------------------ Loading a module can be done using the ``load`` command : :: ~~> load ble_info [INFO] Module ble_info loaded ! << ble_info >>~~> When a module is loaded, the prompt changes and indicates the name of the loaded module. You can display information by using the ``info`` command : :: << ble_info >>~~> info ┌ble_info──┬────────────┬──────┬───────────────────────────────────────────────────────┐ │ Name │ Technology │ Type │ Description │ ├──────────┼────────────┼──────┼───────────────────────────────────────────────────────┤ │ ble_info │ ble │ info │ Information module for Bluetooth Low Energy interface │ └──────────┴────────────┴──────┴───────────────────────────────────────────────────────┘ :: You can display the input parameters and their current values using ``args`` or ``showargs`` : :: << ble_info >>~~> args ┌ble_info───┬───────┐ │ Name │ Value │ ├───────────┼───────┤ │ INTERFACE │ hci0 │ └───────────┴───────┘ If you want to modify a parameter's value, uses the ``set`` command : :: << ble_info >>~~> set INTERFACE microbit0 << ble_info >>~~> args ┌ble_info───┬───────────┐ │ Name │ Value │ ├───────────┼───────────┤ │ INTERFACE │ microbit0 │ └───────────┴───────────┘ Finally, you can run the module by entering the command ``run`` : :: << ble_info >>~~> run Loading, configuring and running a sequence of modules ------------------------------------------------------ Mirage provides a chaining operator ``|``, similar to the pipe UNIX operator. It runs multiple modules sequentially and propagates the output parameters of a given module to the input parameters of the next one. It allows to easily combine existing modules to describe complex attack workflows without writing a single line of code. Loading a sequence of module is very similar to loading a single module : :: ~~> load ble_connect|ble_discover [INFO] Module ble_connect loaded ! [INFO] Module ble_discover loaded ! Please note that in a sequence of modules, input parameters are prefixed by the following pattern : ``.`` : :: << ble_connect|ble_discover >>~~> args ┌ble_connect1──────────────────┬───────────────────┐ │ Name │ Value │ ├──────────────────────────────┼───────────────────┤ │ ble_connect1.INTERFACE │ hci0 │ │ ble_connect1.TARGET │ fc:58:fa:a1:26:6b │ │ ble_connect1.TIMEOUT │ 3 │ │ ble_connect1.CONNECTION_TYPE │ public │ └──────────────────────────────┴───────────────────┘ ┌ble_discover2───────────────┬─────────────────────┐ │ Name │ Value │ ├────────────────────────────┼─────────────────────┤ │ ble_discover2.INTERFACE │ hci0 │ │ ble_discover2.START_HANDLE │ 0x0001 │ │ ble_discover2.END_HANDLE │ 0xFFFF │ │ ble_discover2.WHAT │ all │ │ ble_discover2.FILTER │ │ │ ble_discover2.FILTER_BY │ │ │ ble_discover2.ATT_FILE │ /tmp/discovered.ini │ │ ble_discover2.GATT_FILE │ /tmp/gatt.ini │ └────────────────────────────┴─────────────────────┘ If you want to modify the value of an attribute, you can use ``set`` as follows : :: << ble_connect|ble_discover >>~~> set ble_connect1.INTERFACE hci1 << ble_connect|ble_discover >>~~> set ble_discover2.WHAT attributes << ble_connect|ble_discover >>~~> args ┌ble_connect1──────────────────┬───────────────────┐ │ Name │ Value │ ├──────────────────────────────┼───────────────────┤ │ ble_connect1.INTERFACE │ hci1 │ │ ble_connect1.TARGET │ fc:58:fa:a1:26:6b │ │ ble_connect1.TIMEOUT │ 3 │ │ ble_connect1.CONNECTION_TYPE │ public │ └──────────────────────────────┴───────────────────┘ ┌ble_discover2───────────────┬─────────────────────┐ │ Name │ Value │ ├────────────────────────────┼─────────────────────┤ │ ble_discover2.INTERFACE │ hci0 │ │ ble_discover2.START_HANDLE │ 0x0001 │ │ ble_discover2.END_HANDLE │ 0xFFFF │ │ ble_discover2.WHAT │ attributes │ │ ble_discover2.FILTER │ │ │ ble_discover2.FILTER_BY │ │ │ ble_discover2.ATT_FILE │ /tmp/discovered.ini │ │ ble_discover2.GATT_FILE │ /tmp/gatt.ini │ └────────────────────────────┴─────────────────────┘ You can run the sequence by entering the following command : :: << ble_connect|ble_discover >>~~> run Manipulating the background tasks ---------------------------------- A background task is a daemon process : Mirage provides an API allowing to easily run code in background. You can list the existing background tasks by typing the ``tasks`` command : :: ~~> tasks ┌Background Tasks──────┬─────────┬────────────────────────────────────┐ │ PID │ Name │ State │ Output │ ├───────┼──────────────┼─────────┼────────────────────────────────────┤ │ 30513 │ helloworld │ running │ /tmp/mirage/helloworld-30513.out │ │ 30548 │ helloworld.1 │ running │ /tmp/mirage/helloworld.1-30548.out │ └───────┴──────────────┴─────────┴────────────────────────────────────┘ You can also provide a filter pattern : :: ~~> tasks 548 ┌Background Tasks──────┬─────────┬────────────────────────────────────┐ │ PID │ Name │ State │ Output │ ├───────┼──────────────┼─────────┼────────────────────────────────────┤ │ 30548 │ helloworld.1 │ running │ /tmp/mirage/helloworld.1-30548.out │ └───────┴──────────────┴─────────┴────────────────────────────────────┘ You can stop a task by using the ``stop`` command : :: ~~> stop helloworld.1 ~~> tasks ┌Background Tasks────┬─────────┬──────────────────────────────────┐ │ PID │ Name │ State │ Output │ ├───────┼────────────┼─────────┼──────────────────────────────────┤ │ 30513 │ helloworld │ running │ /tmp/mirage/helloworld-30513.out │ └───────┴────────────┴─────────┴──────────────────────────────────┘ You can start a task using the ``start`` command : :: ~~> tasks ┌Background Tasks─────┬─────────┬────────┐ │ PID │ Name │ State │ Output │ ├──────┼──────────────┼─────────┼────────┤ │ None │ helloworld │ stopped │ │ │ None │ helloworld.1 │ stopped │ │ └──────┴──────────────┴─────────┴────────┘ ~~> start helloworld ~~> tasks ┌Background Tasks──────┬─────────┬──────────────────────────────────┐ │ PID │ Name │ State │ Output │ ├───────┼──────────────┼─────────┼──────────────────────────────────┤ │ 30673 │ helloworld │ running │ /tmp/mirage/helloworld-30673.out │ │ None │ helloworld.1 │ stopped │ │ └───────┴──────────────┴─────────┴──────────────────────────────────┘ Finally, you can restart a task using the ``restart`` command : :: ~~> tasks ┌Background Tasks──────┬─────────┬──────────────────────────────────┐ │ PID │ Name │ State │ Output │ ├───────┼──────────────┼─────────┼──────────────────────────────────┤ │ 30762 │ helloworld │ running │ /tmp/mirage/helloworld-30762.out │ │ None │ helloworld.1 │ stopped │ │ └───────┴──────────────┴─────────┴──────────────────────────────────┘ ~~> restart helloworld ~~> tasks ┌Background Tasks──────┬─────────┬──────────────────────────────────┐ │ PID │ Name │ State │ Output │ ├───────┼──────────────┼─────────┼──────────────────────────────────┤ │ None │ helloworld.1 │ stopped │ │ │ 30774 │ helloworld │ running │ /tmp/mirage/helloworld-30774.out │ └───────┴──────────────┴─────────┴──────────────────────────────────┘ Generating a module or a scenario --------------------------------- Mirage provides two commands allowing to easily generate a new module or a new scenario : ``create_module`` and ``create_scenario``. To create a new module, just type the following command and answer the questions : :: ~~> create_module [QUESTION] Module's name : newmod [QUESTION] Module's description : Test module [QUESTION] Module's type : test [QUESTION] Module's technology [ble] : [QUESTION] Module's dependencies (separated by commas) : ble_sniff,ble_scan [QUESTION] Input parameter #1 (name) : INTERFACE [QUESTION] Input parameter #1 (default value) : hci0 [QUESTION] Input parameter #2 (name) : PARAM1 [QUESTION] Input parameter #2 (default value) : value1 [QUESTION] Input parameter #3 (name) : [SUCCESS] Module newmod successfully generated : /home/user/.mirage/modules/newmod.py It will generates the following code : :: from mirage.core import module from mirage.libs import utils,ble class newmod(module.WirelessModule): def init(self): self.technology = "ble" self.type = "test" self.description = "Test module" self.args = {'INTERFACE': 'hci0', 'PARAM1': 'value1'} self.dependencies = ["ble_sniff","ble_scan"] def run(self): # Enter your code here. return self.ok({}) To create a new scenario, type the following command and answer the questions : :: ~~> create_scenario [QUESTION] Scenario's name : test [SUCCESS] Scenario test successfully generated : /home/user/.mirage/scenarios/test.py It generates the following code : :: from mirage.core import scenario from mirage.libs import io,ble,bt,utils class test(scenario.Scenario): def onStart(self): return True def onEnd(self): return True def onKey(self,key): return True Clearing the screen ------------------- You can clear the screen by using the ``clear`` command : :: ~~> clear Exiting the Command Line Interface ----------------------------------- You can exit the framework using the ``exit`` command : :: ~~> exit List of available commands -------------------------- +------------------------+-------------------------------------------------------------------------+ | Command | Description | +========================+=========================================================================+ | list [pattern] | displays the list of modules | +------------------------+-------------------------------------------------------------------------+ | load | loads a specific module | +------------------------+-------------------------------------------------------------------------+ | info | displays the informations of the loaded module | +------------------------+-------------------------------------------------------------------------+ | args | displays the input parameters of the loaded module | +------------------------+-------------------------------------------------------------------------+ | showargs | displays the input parameters of the loaded module (alias of ``args``) | +------------------------+-------------------------------------------------------------------------+ | set | changes the value of a specific input parameter of the loaded module | +------------------------+-------------------------------------------------------------------------+ | run | executes the loaded module | +------------------------+-------------------------------------------------------------------------+ | tasks [pattern] | displays the list of background tasks | +------------------------+-------------------------------------------------------------------------+ | start | starts a specific background task | +------------------------+-------------------------------------------------------------------------+ | restart | restarts a specific background task | +------------------------+-------------------------------------------------------------------------+ | stop | stops a specific background task | +------------------------+-------------------------------------------------------------------------+ | create_module | generates the source code of a new module | +------------------------+-------------------------------------------------------------------------+ | create_scenario | generates the source code of a new scenario | +------------------------+-------------------------------------------------------------------------+ | clear | clears the screen | +------------------------+-------------------------------------------------------------------------+ | exit | exits Mirage | +------------------------+-------------------------------------------------------------------------+