Mirage documentation

Presentation

Mirage is a powerful and modular framework dedicated to the security analysis of wireless communications. It currently provides :

• multiple lightweight and hackable wireless protocol stacks (e.g. Bluetooth Low Energy, Enhanced ShockBurst, WiFi, Zigbee …)

• multiple highly customizable offensive modules (e.g. Man-in-the-Middle, sniffing, jamming, hijacking, cloning …)

• mutiple modules dedicated to information gathering (e.g. applicative layers dumping, scanning …)

• mutiple experimental offensive modules based on InjectaBLE attack (e.g. Bluetooth Low Energy injection, Slave and Master hijacking, MiTM …)

• a chaining operator allowing to easily combine attack modules in order to build complex attack workflows

• support of multiple devices, such as HCI devices, Crazy Radio PA, RZUSBStick, BTLEJack, Nordic, Sniffle, ButteRFly and Ubertooth sniffers

• an user-friendly development environment allowing to easily write new modules or customize existing ones

• an experimental Software defined radio architecture, allowing to sniff and inject packets using HackRF One

Note

Mirage is greatly inspired by the amazing work of the following security researchers :

• Damien Cauquil (virtualabs): BTLEJuice, BTLEJack, RadioBit

• Mike Ryan: PyBT, crackle

• Slawomir Jasek: GATTacker

• Marc Newlin: MouseJack

• Joshua Wright: Killerbee

• GreatScottGadgets and the contributors of the Ubertooth project

Getting started

• Installation
• Overview
  • Architecture
  • Modules
  • Modes
  • Getting started

Mirage in a nutshell

• Command-line Interface
  • Listing the existing modules
  • Loading, configuring and running a module
  • Loading, configuring and running a sequence of modules
  • Manipulating the background tasks
  • Generating a module or a scenario
  • Clearing the screen
  • Exiting the Command Line Interface
  • List of available commands
• Direct execution
  • Listing the existing modules
  • Configuring and running a module
  • Configuring and running a sequence of modules
  • Generating a module or a scenario
  • Modifying the verbosity level
  • List of available parameters
• Modules
  • Presentation
  • List of Bluetooth Low Energy modules
  • List of Enhanced ShockBurst modules
  • List of Mosart modules
  • List of WiFi modules
  • List of Zigbee modules
  • List of Infrared Radiations modules
  • Writing your own module
    • Generating a new module
    • Understanding the module environment
    • Manipulating the input parameters
    • Interacting with the user
    • Launching tasks in background
    • Manipulating the time-related functions
    • Manipulating a module from another one
    • Integrating scenarios in your module
• Chaining operator
• Configuration file
• Supported Devices
  • Bluetooth Low Energy Devices
    • HCI Device
    • BTLEJack Device
    • Ubertooth Device
    • NRFSniffer Device
    • Sniffle Device
    • ButteRFly Device
    • HackRF Device
    • ADB Device
    • HCIDump
    • BLE PCAP Files
  • Enhanced ShockBurst Devices
    • ESB RFStorm Device
    • ESB PCAP Files
  • Mosart Devices
    • Mosart RFStorm Device
    • Mosart PCAP Files
  • WiFi Devices
    • WiFi Device
  • Zigbee Devices
    • RZUSBStick Device
    • HackRF Device
    • Zigbee PCAP Files
  • Infrared Radiations Devices
    • IRMA Device
• Emitters and Receivers
  • Presentation
  • Using an existing Emitter or Receiver
  • Integrating a new protocol
• Scenarios
  • Writing a scenario
  • Integrating scenarios in a module

Tutorials

• InjectaBLE attacks
  • Compiling and flashing the ButteRFly firmware
  • Injecting packets into an established connection
  • Hijacking the Master role (experimental)
  • Hijacking the Slave role (experimental)
  • Performing an injection-based Man-in-the-Middle attack (experimental)

Supported protocols

• Bluetooth Low Energy protocol
  • Bluetooth Low Energy modules
  • Importing the Bluetooth Low Energy software components
  • Interacting with the protocol
  • Bluetooth Low Energy packets
  • ATT, GATT and Security Manager Dissectors
  • ATT / GATT server
  • Cryptographic functions
• Enhanced ShockBurst protocol
  • Enhanced ShockBurst modules
  • Importing the Enhanced ShockBurst software components
  • Interacting with the protocol
  • Enhanced ShockBurst packets
  • Enhanced ShockBurst Dissectors
  • Acknowledgment packets
  • HID helpers
  • DuckyScript parser
• Mosart protocol
  • Mosart modules
  • Importing the Mosart software components
  • Interacting with the protocol
  • Mosart packets
  • Mosart Dissectors
  • Dongle Acknowledgement and Sync packets
  • HID helpers
  • DuckyScript parser
• IEEE 802.11 protocol
  • WiFi modules
  • Importing the WiFi software components
  • Interacting with the protocol
  • Wifi frames
• Zigbee protocol
  • Zigbee modules
  • Importing the Zigbee software components
  • Interacting with the protocol
  • Zigbee packets
• Infrared Radiations protocols
  • Infrared Radiations modules
  • Importing the IR software components
  • Interacting with the protocols
  • IR signals

List of modules

• List of Bluetooth Low Energy Modules
  • ble_info
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
  • ble_connect
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
  • ble_master
    • Presentation
    • Compatible devices
    • Input parameters
    • Scenario signals
    • Commands
    • Usage
      • CLI mode
      • Customizing the behaviour using scenarios
  • ble_slave
    • Presentation
    • Compatible devices
    • Input parameters
    • Scenario signals
    • Commands
    • Usage
      • Creating a simple Device
      • Cloning an existing Device
      • Customizing the behaviour using scenarios
  • ble_pair
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
  • ble_discover
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
  • ble_scan
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
  • ble_adv
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
  • ble_sniff
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Scenario signals
    • Usage
      • Sniffing a new connection
      • Pairing process
      • Dealing with Encryption
      • Sniffing an existing connection
      • Sniffing advertisements
      • Injecting malicious packets using a scenario
  • ble_hijack
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
      • Hijacking the master role in a new connection
      • Hijacking the master role in an existing connection
      • Hijacking the slave role in a new connection
  • ble_jam
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
      • Jamming a new connection
      • Jamming an existing connection
      • Jamming the advertisements transmitted by a specific device
      • Jamming the advertisements containing a specific pattern
  • ble_mitm
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Scenario signals
    • Usage
      • Identifying the interfaces
      • Basic usage (classic Man-in-the-Middle)
      • Basic usage (injection-based Man-in-the-Middle)
      • Pairing process
      • Dealing with encryption
      • Customizing the behaviour using scenarios
  • ble_crack
    • Presentation
    • Input parameters
    • Output parameters
    • Usage
  • ble_monitor
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Scenario signals
    • Usage
      • Basic usage
      • Customizing the behaviour using scenarios
• List of Enhanced ShockBurst Modules
  • esb_info
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
  • esb_scan
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
  • esb_sniff
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
      • Basic Usage
      • Performing a replay attack
      • Capturing and displaying the mouse movements
  • esb_inject
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
      • Basic Usage
      • Performing a replay attack
  • esb_prx
    • Presentation
    • Compatible devices
    • Input parameters
    • Scenario signals
    • Commands
    • Usage
      • CLI mode
      • Customizing the behaviour using scenarios
  • esb_ptx
    • Presentation
    • Compatible devices
    • Input parameters
    • Scenario signals
    • Commands
    • Usage
      • CLI mode
      • Customizing the behaviour using scenarios
      • Performing keystrokes injection attacks
  • esb_mitm
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Scenario signals
    • Usage
      • Basic Usage
      • Customizing the behaviour using scenarios
• List of Mosart Modules
  • mosart_info
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
  • mosart_scan
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
  • mosart_sniff
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
      • Basic Usage
      • Performing a replay attack
      • Capturing and displaying the mouse movements
  • mosart_inject
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
      • Basic Usage
      • Performing a replay attack
  • mosart_keylogger
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
  • mosart_keyinjector
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
      • Basic Usage
• List of 802.11 Modules
  • wifi_info
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
  • wifi_scan
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
  • wifi_rogueap
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
  • wifi_deauth
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
• List of Zigbee Modules
  • zigbee_info
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
  • zigbee_scan
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
  • zigbee_inject
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
      • Basic Usage
      • Performing a replay attack
  • zigbee_sniff
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
      • Basic Usage
      • Performing a replay attack
  • zigbee_deauth
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
  • zigbee_floodassoc
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
• List of Infrared Radiations Modules
  • ir_info
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
  • ir_sniff
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Usage
      • Basic Usage
      • Performing a replay attack
  • ir_inject
    • Presentation
    • Compatible devices
    • Input parameters
    • Output parameters
    • Output parameters
    • Usage
      • Basic Usage
      • Performing a replay attack

API

• mirage.libs package
  • Subpackages
    • mirage.libs.ble_utils package
      • Submodules
      • mirage.libs.ble_utils.adb module
      • mirage.libs.ble_utils.hcidump module
      • mirage.libs.ble_utils.pcap module
      • mirage.libs.ble_utils.btlejack module
      • mirage.libs.ble_utils.ubertooth module
      • mirage.libs.ble_utils.nrfsniffer module
      • mirage.libs.ble_utils.sniffle module
      • mirage.libs.ble_utils.butterfly module
      • mirage.libs.ble_utils.hackrf module
      • mirage.libs.ble_utils.decoders module
      • mirage.libs.ble_utils.encoders module
      • mirage.libs.ble_utils.crypto module
      • mirage.libs.ble_utils.att_server module
      • mirage.libs.ble_utils.dissectors module
      • mirage.libs.ble_utils.helpers module
      • mirage.libs.ble_utils.packets module
      • mirage.libs.ble_utils.scapy_hci_layers module
      • mirage.libs.ble_utils.scapy_hci_layers module
      • mirage.libs.ble_utils.scapy_btlejack_layers module
      • mirage.libs.ble_utils.scapy_link_layers module
    • mirage.libs.bt_utils package
      • Submodules
      • mirage.libs.bt_utils.assigned_numbers module
      • mirage.libs.bt_utils.constants module
      • mirage.libs.bt_utils.hciconfig module
      • mirage.libs.bt_utils.packets module
      • mirage.libs.bt_utils.scapy_layers module
      • mirage.libs.bt_utils.scapy_ubertooth_layers module
      • mirage.libs.bt_utils.scapy_vendor_specific module
      • mirage.libs.bt_utils.ubertooth module
      • Module contents
    • mirage.libs.wifi_utils package
      • Submodules
      • mirage.libs.wifi_utils.constants module
      • mirage.libs.wifi_utils.packets module
      • Module contents
    • mirage.libs.esb_utils package
      • Submodules
      • mirage.libs.esb_utils.rfstorm module
      • mirage.libs.esb_utils.dissectors module
      • mirage.libs.esb_utils.constants module
      • mirage.libs.esb_utils.pcap module
      • mirage.libs.esb_utils.helpers module
      • mirage.libs.esb_utils.packets module
      • mirage.libs.esb_utils.scapy_esb_layers module
    • mirage.libs.mosart_utils package
      • Submodules
      • mirage.libs.mosart_utils.rfstorm module
      • mirage.libs.mosart_utils.dissectors module
      • mirage.libs.mosart_utils.constants module
      • mirage.libs.mosart_utils.pcap module
      • mirage.libs.mosart_utils.helpers module
      • mirage.libs.mosart_utils.keyboard_codes module
      • mirage.libs.mosart_utils.packets module
      • mirage.libs.mosart_utils.scapy_mosart_layers module
    • mirage.libs.zigbee_utils package
      • Submodules
      • mirage.libs.zigbee_utils.rzusbstick module
      • mirage.libs.zigbee_utils.hackrf module
      • mirage.libs.zigbee_utils.encoders module
      • mirage.libs.zigbee_utils.decoders module
      • mirage.libs.zigbee_utils.constants module
      • mirage.libs.zigbee_utils.pcap module
      • mirage.libs.zigbee_utils.helpers module
      • mirage.libs.zigbee_utils.packets module
      • mirage.libs.zigbee_utils.scapy_xbee_layers module
    • mirage.libs.ir_utils package
      • Submodules
      • mirage.libs.ir_utils.irma module
      • mirage.libs.ir_utils.packets module
      • mirage.libs.ir_utils.scapy_irma_layers module
    • mirage.libs.wireless_utils package
      • Submodules
      • mirage.libs.wireless_utils.callbacks module
      • mirage.libs.wireless_utils.device module
      • mirage.libs.wireless_utils.packetQueue module
      • mirage.libs.wireless_utils.packets module
      • mirage.libs.wireless_utils.butterfly module
      • mirage.libs.wireless_utils.pcapDevice module
      • mirage.libs.wireless_utils.scapy_butterfly_layers module
      • Module contents
    • mirage.libs.common package
      • Subpackages
        • mirage.libs.common.sdr package
          • Submodules
          • mirage.libs.common.sdr.hardware module
          • mirage.libs.common.sdr.sinks module
          • mirage.libs.common.sdr.sources module
          • mirage.libs.common.sdr.demodulators module
          • mirage.libs.common.sdr.modulators module
          • mirage.libs.common.sdr.decoders module
          • mirage.libs.common.sdr.encoders module
          • mirage.libs.common.sdr.pipeline module
          • mirage.libs.common.sdr.hackrf_definitions
      • Submodules
      • mirage.libs.common.hid module
      • mirage.libs.common.parsers module
  • Submodules
  • mirage.libs.ble module
  • mirage.libs.bt module
  • mirage.libs.wifi module
  • mirage.libs.esb module
  • mirage.libs.mosart module
  • mirage.libs.zigbee module
  • mirage.libs.ir module
  • mirage.libs.io module
  • mirage.libs.utils module
  • mirage.libs.wireless module
• mirage.core package
  • Submodules
  • mirage.core.app module
  • mirage.core.argParser module
  • mirage.core.config module
  • mirage.core.interpreter module
  • mirage.core.loader module
  • mirage.core.module module
  • mirage.core.scenario module
  • mirage.core.task module
  • mirage.core.taskManager module