Command-line Interface¶
Mirage provides a command line interface, allowing to easily manipulate modules and background tasks.
To run the command line interface, just type the following command in a terminal :
$ mirage
Listing the existing modules¶
The list command displays a list of the existing modules :
~~> list
┌Modules─────────────┬────────────┬────────────────────────────────────────────────────────────────────────────┐
│ Name │ Type │ Description │
├────────────────────┼────────────┼────────────────────────────────────────────────────────────────────────────┤
│ wifi_info │ info │ Information module for Wifi interface │
│ ble_hijack │ attack │ Hijacking module for Bluetooth Low Energy Connections │
│ ble_pair │ action │ Pairing module for Bluetooth Low Energy devices │
│ esb_info │ info │ Information module for Enhanced ShockBurst interface │
│ mosart_scan │ scan │ Scanning module for Mosart devices │
│ ble_adv │ spoofing │ Spoofing module simulating a Bluetooth Low Energy advertiser │
│ mosart_keylogger │ attack │ Keystrokes logger module for Mosart keyboard │
│ mosart_inject │ action │ Injection module for Mosart devices │
│ mouse_visualizer │ tool │ Visualization module allowing to display mice movements │
│ ble_mitm │ attack │ Man-in-the-Middle module for Bluetooth Low Energy devices │
│ esb_sniff │ sniff │ Sniffing module for Enhanced ShockBurst communications │
│ wifi_rogueap │ spoofing │ Spoofing module simulating a fake Access Point │
│ zigbee_deauth │ attack │ Deauthentication module for Zigbee networks │
│ esb_scan │ scan │ Scan module for Enhanced ShockBurst Devices │
│ ble_sniff │ sniff │ Sniffing module for Bluetooth Low Energy devices │
│ bt_scan │ scan │ Scan module for Bluetooth Devices │
│ ble_scan │ scan │ Scan module for Bluetooth Low Energy devices │
│ zigbee_floodassoc │ attack │ Flooding module for Zigbee communications │
│ esb_inject │ action │ Injection module for Enhanced ShockBurst communications │
│ ble_discover │ discover │ Discovery module for Bluetooth Low Energy ATT / GATT layers │
│ zigbee_info │ info │ Information module for Zigbee interface │
│ wifi_deauth │ attack │ Deauthentication module for WiFi networks │
│ ble_monitor │ monitoring │ HCI Monitoring module for Blutooth Low Energy │
│ ble_jam │ attack │ Jamming module for Bluetooth Low Energy advertisements and connections │
│ esb_prx │ spoofing │ This module permits the User to simulate an Enhanced ShockBurst PRX device │
│ zigbee_inject │ action │ Injection module for Zigbee communications │
│ mosart_keyinjector │ attack │ Keystrokes injection module for Mosart keyboard │
│ mosart_info │ info │ Information module for Mosart interface │
│ ble_connect │ action │ Connection module for Bluetooth Low Energy devices │
│ esb_ptx │ spoofing │ This module permits the User to simulate an Enhanced ShockBurst PTX device │
│ ir_inject │ action │ Injection module for IR signals │
│ zigbee_sniff │ sniff │ Sniffing module for Zigbee communications │
│ bt_info │ info │ Information module for Bluetooth interface │
│ mosart_sniff │ sniff │ Sniffing module for Mosart devices │
│ zigbee_scan │ scan │ Scan module for Zigbee Devices │
│ ir_sniff │ sniff │ Sniffing module for IR signals │
│ ble_slave │ spoofing │ Spoofing module simulating a Bluetooth Low Energy slave │
│ ble_crack │ bruteforce │ Enumerates all possible values of PIN in order to find the Temporary Key │
│ wifi_scan │ scan │ Scan module for Wifi Access Point and Stations │
│ ble_master │ spoofing │ This module permits the User to interact with Bluetooth Low Energy slaves │
│ ble_info │ info │ Information module for Bluetooth Low Energy interface │
│ ir_info │ info │ Information module for IR interface │
└────────────────────┴────────────┴────────────────────────────────────────────────────────────────────────────┘
The list command allows to provide a filter, it permits to easily select some specific results :
~~> list scan
┌Modules──────┬──────┬────────────────────────────────────────────────┐
│ Name │ Type │ Description │
├─────────────┼──────┼────────────────────────────────────────────────┤
│ mosart_scan │ scan │ Scanning module for Mosart devices │
│ esb_scan │ scan │ Scan module for Enhanced ShockBurst Devices │
│ bt_scan │ scan │ Scan module for Bluetooth Devices │
│ ble_scan │ scan │ Scan module for Bluetooth Low Energy devices │
│ zigbee_scan │ scan │ Scan module for Zigbee Devices │
│ wifi_scan │ scan │ Scan module for Wifi Access Point and Stations │
└─────────────┴──────┴────────────────────────────────────────────────┘
Loading, configuring and running a module¶
Loading a module can be done using the load command :
~~> load ble_info
[INFO] Module ble_info loaded !
<< ble_info >>~~>
When a module is loaded, the prompt changes and indicates the name of the loaded module.
You can display information by using the info command :
<< ble_info >>~~> info
┌ble_info──┬────────────┬──────┬───────────────────────────────────────────────────────┐
│ Name │ Technology │ Type │ Description │
├──────────┼────────────┼──────┼───────────────────────────────────────────────────────┤
│ ble_info │ ble │ info │ Information module for Bluetooth Low Energy interface │
└──────────┴────────────┴──────┴───────────────────────────────────────────────────────┘
::
You can display the input parameters and their current values using args or showargs :
<< ble_info >>~~> args
┌ble_info───┬───────┐
│ Name │ Value │
├───────────┼───────┤
│ INTERFACE │ hci0 │
└───────────┴───────┘
If you want to modify a parameter’s value, uses the set command :
<< ble_info >>~~> set INTERFACE microbit0
<< ble_info >>~~> args
┌ble_info───┬───────────┐
│ Name │ Value │
├───────────┼───────────┤
│ INTERFACE │ microbit0 │
└───────────┴───────────┘
Finally, you can run the module by entering the command run :
<< ble_info >>~~> run
Loading, configuring and running a sequence of modules¶
Mirage provides a chaining operator |, similar to the pipe UNIX operator. It runs multiple modules sequentially and propagates the output parameters of a given module to the input parameters of the next one. It allows to easily combine existing modules to describe complex attack workflows without writing a single line of code.
Loading a sequence of module is very similar to loading a single module :
~~> load ble_connect|ble_discover
[INFO] Module ble_connect loaded !
[INFO] Module ble_discover loaded !
Please note that in a sequence of modules, input parameters are prefixed by the following pattern : <moduleName><moduleNumber>. :
<< ble_connect|ble_discover >>~~> args
┌ble_connect1──────────────────┬───────────────────┐
│ Name │ Value │
├──────────────────────────────┼───────────────────┤
│ ble_connect1.INTERFACE │ hci0 │
│ ble_connect1.TARGET │ fc:58:fa:a1:26:6b │
│ ble_connect1.TIMEOUT │ 3 │
│ ble_connect1.CONNECTION_TYPE │ public │
└──────────────────────────────┴───────────────────┘
┌ble_discover2───────────────┬─────────────────────┐
│ Name │ Value │
├────────────────────────────┼─────────────────────┤
│ ble_discover2.INTERFACE │ hci0 │
│ ble_discover2.START_HANDLE │ 0x0001 │
│ ble_discover2.END_HANDLE │ 0xFFFF │
│ ble_discover2.WHAT │ all │
│ ble_discover2.FILTER │ │
│ ble_discover2.FILTER_BY │ │
│ ble_discover2.ATT_FILE │ /tmp/discovered.ini │
│ ble_discover2.GATT_FILE │ /tmp/gatt.ini │
└────────────────────────────┴─────────────────────┘
If you want to modify the value of an attribute, you can use set as follows :
<< ble_connect|ble_discover >>~~> set ble_connect1.INTERFACE hci1
<< ble_connect|ble_discover >>~~> set ble_discover2.WHAT attributes
<< ble_connect|ble_discover >>~~> args
┌ble_connect1──────────────────┬───────────────────┐
│ Name │ Value │
├──────────────────────────────┼───────────────────┤
│ ble_connect1.INTERFACE │ hci1 │
│ ble_connect1.TARGET │ fc:58:fa:a1:26:6b │
│ ble_connect1.TIMEOUT │ 3 │
│ ble_connect1.CONNECTION_TYPE │ public │
└──────────────────────────────┴───────────────────┘
┌ble_discover2───────────────┬─────────────────────┐
│ Name │ Value │
├────────────────────────────┼─────────────────────┤
│ ble_discover2.INTERFACE │ hci0 │
│ ble_discover2.START_HANDLE │ 0x0001 │
│ ble_discover2.END_HANDLE │ 0xFFFF │
│ ble_discover2.WHAT │ attributes │
│ ble_discover2.FILTER │ │
│ ble_discover2.FILTER_BY │ │
│ ble_discover2.ATT_FILE │ /tmp/discovered.ini │
│ ble_discover2.GATT_FILE │ /tmp/gatt.ini │
└────────────────────────────┴─────────────────────┘
You can run the sequence by entering the following command :
<< ble_connect|ble_discover >>~~> run
Manipulating the background tasks¶
A background task is a daemon process : Mirage provides an API allowing to easily run code in background.
You can list the existing background tasks by typing the tasks command :
~~> tasks
┌Background Tasks──────┬─────────┬────────────────────────────────────┐
│ PID │ Name │ State │ Output │
├───────┼──────────────┼─────────┼────────────────────────────────────┤
│ 30513 │ helloworld │ running │ /tmp/mirage/helloworld-30513.out │
│ 30548 │ helloworld.1 │ running │ /tmp/mirage/helloworld.1-30548.out │
└───────┴──────────────┴─────────┴────────────────────────────────────┘
You can also provide a filter pattern :
~~> tasks 548
┌Background Tasks──────┬─────────┬────────────────────────────────────┐
│ PID │ Name │ State │ Output │
├───────┼──────────────┼─────────┼────────────────────────────────────┤
│ 30548 │ helloworld.1 │ running │ /tmp/mirage/helloworld.1-30548.out │
└───────┴──────────────┴─────────┴────────────────────────────────────┘
You can stop a task by using the stop command :
~~> stop helloworld.1
~~> tasks
┌Background Tasks────┬─────────┬──────────────────────────────────┐
│ PID │ Name │ State │ Output │
├───────┼────────────┼─────────┼──────────────────────────────────┤
│ 30513 │ helloworld │ running │ /tmp/mirage/helloworld-30513.out │
└───────┴────────────┴─────────┴──────────────────────────────────┘
You can start a task using the start command :
~~> tasks
┌Background Tasks─────┬─────────┬────────┐
│ PID │ Name │ State │ Output │
├──────┼──────────────┼─────────┼────────┤
│ None │ helloworld │ stopped │ │
│ None │ helloworld.1 │ stopped │ │
└──────┴──────────────┴─────────┴────────┘
~~> start helloworld
~~> tasks
┌Background Tasks──────┬─────────┬──────────────────────────────────┐
│ PID │ Name │ State │ Output │
├───────┼──────────────┼─────────┼──────────────────────────────────┤
│ 30673 │ helloworld │ running │ /tmp/mirage/helloworld-30673.out │
│ None │ helloworld.1 │ stopped │ │
└───────┴──────────────┴─────────┴──────────────────────────────────┘
Finally, you can restart a task using the restart command :
~~> tasks
┌Background Tasks──────┬─────────┬──────────────────────────────────┐
│ PID │ Name │ State │ Output │
├───────┼──────────────┼─────────┼──────────────────────────────────┤
│ 30762 │ helloworld │ running │ /tmp/mirage/helloworld-30762.out │
│ None │ helloworld.1 │ stopped │ │
└───────┴──────────────┴─────────┴──────────────────────────────────┘
~~> restart helloworld
~~> tasks
┌Background Tasks──────┬─────────┬──────────────────────────────────┐
│ PID │ Name │ State │ Output │
├───────┼──────────────┼─────────┼──────────────────────────────────┤
│ None │ helloworld.1 │ stopped │ │
│ 30774 │ helloworld │ running │ /tmp/mirage/helloworld-30774.out │
└───────┴──────────────┴─────────┴──────────────────────────────────┘
Generating a module or a scenario¶
Mirage provides two commands allowing to easily generate a new module or a new scenario : create_module and create_scenario.
To create a new module, just type the following command and answer the questions :
~~> create_module
[QUESTION] Module's name : newmod
[QUESTION] Module's description : Test module
[QUESTION] Module's type : test
[QUESTION] Module's technology [ble] :
[QUESTION] Module's dependencies (separated by commas) : ble_sniff,ble_scan
[QUESTION] Input parameter #1 (name) : INTERFACE
[QUESTION] Input parameter #1 (default value) : hci0
[QUESTION] Input parameter #2 (name) : PARAM1
[QUESTION] Input parameter #2 (default value) : value1
[QUESTION] Input parameter #3 (name) :
[SUCCESS] Module newmod successfully generated : /home/user/.mirage/modules/newmod.py
It will generates the following code :
from mirage.core import module
from mirage.libs import utils,ble
class newmod(module.WirelessModule):
def init(self):
self.technology = "ble"
self.type = "test"
self.description = "Test module"
self.args = {'INTERFACE': 'hci0', 'PARAM1': 'value1'}
self.dependencies = ["ble_sniff","ble_scan"]
def run(self):
# Enter your code here.
return self.ok({})
To create a new scenario, type the following command and answer the questions :
~~> create_scenario
[QUESTION] Scenario's name : test
[SUCCESS] Scenario test successfully generated : /home/user/.mirage/scenarios/test.py
It generates the following code :
from mirage.core import scenario
from mirage.libs import io,ble,bt,utils
class test(scenario.Scenario):
def onStart(self):
return True
def onEnd(self):
return True
def onKey(self,key):
return True
List of available commands¶
Command |
Description |
|---|---|
list [pattern] |
displays the list of modules |
load <module> |
loads a specific module |
info |
displays the informations of the loaded module |
args |
displays the input parameters of the loaded module |
showargs |
displays the input parameters of the loaded module (alias of |
set <name> <value> |
changes the value of a specific input parameter of the loaded module |
run |
executes the loaded module |
tasks [pattern] |
displays the list of background tasks |
start <task> |
starts a specific background task |
restart <task> |
restarts a specific background task |
stop <task> |
stops a specific background task |
create_module |
generates the source code of a new module |
create_scenario |
generates the source code of a new scenario |
clear |
clears the screen |
exit |
exits Mirage |