Direct execution¶
Mirage allows to manipulate the framework directly from the bash environment by providing some parameters to the mirage binary.
Listing the existing modules¶
The --list argument displays a list of the existing modules :
$ mirage --list
┌Modules─────────────┬────────────┬────────────────────────────────────────────────────────────────────────────┐
│ Name │ Type │ Description │
├────────────────────┼────────────┼────────────────────────────────────────────────────────────────────────────┤
│ wifi_info │ info │ Information module for Wifi interface │
│ ble_hijack │ attack │ Hijacking module for Bluetooth Low Energy Connections │
│ ble_pair │ action │ Pairing module for Bluetooth Low Energy devices │
│ esb_info │ info │ Information module for Enhanced ShockBurst interface │
│ mosart_scan │ scan │ Scanning module for Mosart devices │
│ ble_adv │ spoofing │ Spoofing module simulating a Bluetooth Low Energy advertiser │
│ mosart_keylogger │ attack │ Keystrokes logger module for Mosart keyboard │
│ mosart_inject │ action │ Injection module for Mosart devices │
│ mouse_visualizer │ tool │ Visualization module allowing to display mice movements │
│ ble_mitm │ attack │ Man-in-the-Middle module for Bluetooth Low Energy devices │
│ esb_sniff │ sniff │ Sniffing module for Enhanced ShockBurst communications │
│ wifi_rogueap │ spoofing │ Spoofing module simulating a fake Access Point │
│ zigbee_deauth │ attack │ Deauthentication module for Zigbee networks │
│ esb_scan │ scan │ Scan module for Enhanced ShockBurst Devices │
│ ble_sniff │ sniff │ Sniffing module for Bluetooth Low Energy devices │
│ bt_scan │ scan │ Scan module for Bluetooth Devices │
│ ble_scan │ scan │ Scan module for Bluetooth Low Energy devices │
│ zigbee_floodassoc │ attack │ Flooding module for Zigbee communications │
│ esb_inject │ action │ Injection module for Enhanced ShockBurst communications │
│ ble_discover │ discover │ Discovery module for Bluetooth Low Energy ATT / GATT layers │
│ zigbee_info │ info │ Information module for Zigbee interface │
│ wifi_deauth │ attack │ Deauthentication module for WiFi networks │
│ ble_monitor │ monitoring │ HCI Monitoring module for Blutooth Low Energy │
│ ble_jam │ attack │ Jamming module for Bluetooth Low Energy advertisements and connections │
│ esb_prx │ spoofing │ This module permits the User to simulate an Enhanced ShockBurst PRX device │
│ zigbee_inject │ action │ Injection module for Zigbee communications │
│ mosart_keyinjector │ attack │ Keystrokes injection module for Mosart keyboard │
│ mosart_info │ info │ Information module for Mosart interface │
│ ble_connect │ action │ Connection module for Bluetooth Low Energy devices │
│ esb_ptx │ spoofing │ This module permits the User to simulate an Enhanced ShockBurst PTX device │
│ ir_inject │ action │ Injection module for IR signals │
│ zigbee_sniff │ sniff │ Sniffing module for Zigbee communications │
│ bt_info │ info │ Information module for Bluetooth interface │
│ mosart_sniff │ sniff │ Sniffing module for Mosart devices │
│ zigbee_scan │ scan │ Scan module for Zigbee Devices │
│ ir_sniff │ sniff │ Sniffing module for IR signals │
│ ble_slave │ spoofing │ Spoofing module simulating a Bluetooth Low Energy slave │
│ ble_crack │ bruteforce │ Enumerates all possible values of PIN in order to find the Temporary Key │
│ wifi_scan │ scan │ Scan module for Wifi Access Point and Stations │
│ ble_master │ spoofing │ This module permits the User to interact with Bluetooth Low Energy slaves │
│ ble_info │ info │ Information module for Bluetooth Low Energy interface │
│ ir_info │ info │ Information module for IR interface │
└────────────────────┴────────────┴────────────────────────────────────────────────────────────────────────────┘
The --list argument allows to provide a filter, it permits to easily select some specific results :
$ mirage --list=scan
┌Modules──────┬──────┬────────────────────────────────────────────────┐
│ Name │ Type │ Description │
├─────────────┼──────┼────────────────────────────────────────────────┤
│ mosart_scan │ scan │ Scanning module for Mosart devices │
│ esb_scan │ scan │ Scan module for Enhanced ShockBurst Devices │
│ bt_scan │ scan │ Scan module for Bluetooth Devices │
│ ble_scan │ scan │ Scan module for Bluetooth Low Energy devices │
│ zigbee_scan │ scan │ Scan module for Zigbee Devices │
│ wifi_scan │ scan │ Scan module for Wifi Access Point and Stations │
└─────────────┴──────┴────────────────────────────────────────────────┘
Configuring and running a module¶
Loading and running a specific module is quite simple from the command line interface :
$ mirage ble_info
You can list the input parameters available for the selected module by using the --args argument :
$ mirage ble_info --args
[INFO] Module ble_info loaded !
┌ble_info───┬───────┐
│ Name │ Value │
├───────────┼───────┤
│ INTERFACE │ hci0 │
└───────────┴───────┘
If you want to modify the value of a parameter, just use the following syntax :
$ mirage ble_info INTERFACE=hci1
Configuring and running a sequence of modules¶
Mirage provides a chaining operator |, similar to the pipe UNIX operator. It runs multiple modules sequentially and propagates the output parameters of a given module to the input parameters of the next one. It allows to easily combine existing modules to describe complex attack workflows without writing a single line of code.
Running a sequence of module is very similar to loading a single module :
$ mirage "ble_connect|ble_discover"
Please note that in a sequence of modules, input parameters are prefixed by the following pattern : <moduleName><moduleNumber>. :
$ mirage "ble_connect|ble_discover" --args
[INFO] Module ble_connect loaded !
[INFO] Module ble_discover loaded !
┌ble_connect1──────────────────┬───────────────────┐
│ Name │ Value │
├──────────────────────────────┼───────────────────┤
│ ble_connect1.INTERFACE │ hci0 │
│ ble_connect1.TARGET │ fc:58:fa:a1:26:6b │
│ ble_connect1.TIMEOUT │ 3 │
│ ble_connect1.CONNECTION_TYPE │ public │
└──────────────────────────────┴───────────────────┘
┌ble_discover2───────────────┬─────────────────────┐
│ Name │ Value │
├────────────────────────────┼─────────────────────┤
│ ble_discover2.INTERFACE │ hci0 │
│ ble_discover2.START_HANDLE │ 0x0001 │
│ ble_discover2.END_HANDLE │ 0xFFFF │
│ ble_discover2.WHAT │ all │
│ ble_discover2.FILTER │ │
│ ble_discover2.FILTER_BY │ │
│ ble_discover2.ATT_FILE │ /tmp/discovered.ini │
│ ble_discover2.GATT_FILE │ /tmp/gatt.ini │
└────────────────────────────┴─────────────────────┘
If you want to modify the value of an attribute, you can use the following syntax :
$ mirage "ble_connect|ble_discover" ble_connect1.INTERFACE=hci1 ble_discover2.WHAT=attributes
Generating a module or a scenario¶
Mirage provides two commands allowing to easily generate a new module or a new scenario : --create_module and --create_scenario.
Use the --create_module parameter and answer the questions to generate a new module :
$ mirage --create_module
[QUESTION] Module's name : newmod
[QUESTION] Module's description : Test module
[QUESTION] Module's type : test
[QUESTION] Module's technology [ble] :
[QUESTION] Module's dependencies (separated by commas) : ble_sniff,ble_scan
[QUESTION] Input parameter #1 (name) : INTERFACE
[QUESTION] Input parameter #1 (default value) : hci0
[QUESTION] Input parameter #2 (name) : PARAM1
[QUESTION] Input parameter #2 (default value) : value1
[QUESTION] Input parameter #3 (name) :
[SUCCESS] Module newmod successfully generated : /home/user/.mirage/modules/newmod.py
It will generates the following code :
from mirage.core import module
from mirage.libs import utils,ble
class newmod(module.WirelessModule):
def init(self):
self.technology = "ble"
self.type = "test"
self.description = "Test module"
self.args = {'INTERFACE': 'hci0', 'PARAM1': 'value1'}
self.dependencies = ["ble_sniff","ble_scan"]
def run(self):
# Enter your code here.
return self.ok({})
Use the --create_scenario parameter and answer the questions to generate a new scenario :
$ mirage --create_scenario
[QUESTION] Scenario's name : test
[SUCCESS] Scenario test successfully generated : /home/user/.mirage/scenarios/test.py
It generates the following code :
from mirage.core import scenario
from mirage.libs import io,ble,bt,utils
class test(scenario.Scenario):
def onStart(self):
return True
def onEnd(self):
return True
def onKey(self,key):
return True
Modifying the verbosity level¶
Mirage allows you to control the verbosity level. Mirage uses multiple functions to print something on the standard output :
Function |
Description |
Example of output |
|---|---|---|
io.info |
indicates an information message |
[INFO] new information message ! |
io.warning |
indicates a warning message |
[WARNING] new warning message ! |
io.success |
indicates a success message |
[SUCCESS] new success message ! |
io.fail |
indicates a failure message |
[FAIL] new failure message ! |
Multiple levels of verbosity are available, allowing to display a subset of messages :
Verbosity level |
Displayed type of messages |
|---|---|
NONE |
|
NO_INFO_AND_WARNING |
success, fail |
NO_INFO |
warning, success, fail |
ALL |
info, warning, success, fail |
In order to change the verbosity level, use the --verbosity parameters :
$ mirage --verbosity=NO_INFO_AND_WARNING
List of available parameters¶
Command |
Description |
|---|---|
|
Launch Mirage in Command Line Interface mode |
|
displays the list of existing modules (a filter pattern can be provided) |
|
loads <module> with the provided input parameters |
|
displays the input parameters of <module> |
|
generates a new module |
|
generates a new scenario |
|
changes the verbosity level |