Blue|Smash v2.0 dev

[drgr33n]

Hey guys

Now I'm starting to get to grips with python and blue tooth, I've decided to completely revise Blue|Smash.

Blue|Smash will now be using sqlite to store all data,. Also Blue|Smash will include more exploits, Full autopwn function Scan, profile and exploit every discoverable device in range, Bluetooth chat, ATSMS, CSR dongle modifier and hopefully some sort of HID attack

Ideas, requests ETC would be appreciated

Rel1k can I still use your menu ?

UPDATE 27.02.2008

Code:

#!/usr/bin/python
##############################################################################
#                                                                            #
# Blue|Smash - A menu driven frontend for bluetooth pentesters.              #
#                                                                            #
# Created by: Zarren Spry (drgr33n)                                          #
# Copyright (C) 2008 Zarren Spry (drgr33n) zarren2@hotmail.co.uk             #
#                                                                            #
# This program is free software; you can redistribute it and/or modify it    #
# under the terms of the GNU General Public License version 3 as             #
# published by the Free Software Foundation; version 3.                      #
#                                                                            #
# This program is distributed in the hope that it will be useful, but        #
# WITHOUT ANY WARRANTY; without even the implied warranty of                 #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU          #
# General Public License for more details.                                   #
#                                                                            #
##############################################################################

##### Welcome Screen #####

version = "2.0a"

print """   
 _     _                                         _     
| |   | |                                       | |    
| |__ | | _   _ _____ _____ ___ ____  _____  ___| |__  
|  _ \| || | | | ___ (_____)___)    \(____ |/___)  _ \ 
| |_) ) || |_| | ____|    |___ | | | / ___ |___ | | | |
|____/ \_)____/|_____)    (___/|_|_|_\_____(___/|_| |_|
                                                        
		     Version: %s

A menu driven bluetooth pentesting tool for the Back|Track 
live CD.

By Zarren Spry AKA Drgr33n, Mail me @ zarren2@hotmail.co.uk


""" % (version)

##### End Welcom Screen #####

try:
  import os,time,sys,struct,array,fcntl
  from pysqlite2 import dbapi2 as sqlite
  from bluetooth import *
  from bluetooth import _bluetooth as bt
  from select import *
  import uuid as btid
except ImportError, e:
    print "Your system is missing some dependencies, Please read the README file."
    sys.exit(1)
##### Hardware Check #####

print "Checking to see if HCI device exists...."
try:
  sock = bt.hci_open_dev()
  results = bt.hci_inquiry(sock, duration=2, flush_cache=True)
except bt.error:
  print "No Local Device Detected! Please check your hardware"
  print "Blue|Smash will now exit!"
  sys.exit(1)
##### End Hardware Check #####

##### Load / Create Sqlite DB #####

while 1 == 1:
  try:
    db_menu = raw_input("""DB Menu ...: 
	
    1) Load existing DB
    2) Create new DB
  
    Enter a number...:
    """)
    if db_menu == ('1'):
      db_name = raw_input("Enter path to file and filename, for eg '/root/foo.db'..:")
      db_con = sqlite.connect (db_name)
      break
    if db_menu == ('2'):
      db_name = raw_input("Choose a name for your DB ....:")
      if os.path.exists(db_name):
        db_name = raw_input("DB already exists! Choose another name ...:")
        db_con = sqlite.connect (db_name)
      else:
        db_con = sqlite.connect (db_name)
      break
  except error:
    print """Error, Blue|Smash will now exit
    
    If you are experiencing troubles, please email me at zarren2@hotmail.co.uk
    """
db_cursor = db_con.cursor()

##### End Load / Create Sqlite DB #####

##### Scan Functions #####

# Inquiry Scan

class MyDiscoverer(DeviceDiscoverer):
  def pre_inquiry(self):
    print "Searching for Devices, Please be patient..."
    self.done = False
  def device_discovered(self, address, device_class, name):
    major_classes = ( "Miscellaneous",
                       "Computer",
                       "Phone",
                       "LAN/Network Access point",
                       "Audio/Video",
                       "Peripheral",
                       "Imaging" )
    major_class = (device_class >> 8) & 0xf
    if major_class < 7:
      print "%s - %s Class of device %s"% (name, address, major_classes[major_class])
    else:
      print "%s - %s  Unknown"% (name, address)
  def inquiry_complete(self):
     self.done = True
     print "Done..."
    
# Brute Force Scan

class Bruteforce_discover():
  def pre_inquiry(self):
    self.done = False
  def discover_devices(self, bruteforce1, bruteforce2):
    print "Scanning for devices... This could take a while..."
    bruteforce3=os.system("/pentest/bluetooth/redfang/fang -r %s-%s -o bluetooth-devices.txt"% (bruteforce1,bruteforce2))
    print "*** Results will be saved in bluetooth-devices.txt ***"
  def inquiry_complete(self):
     self.done = True

##### Fingerprint Functions #####

# Browse Services on device

class Browse_services():
  def pre_inquiry(self):
    self.done = False
  def find_services(self):
    dev_services = find_service(self, address = bdaddr)
  def inquiry_complete(self):
     self.done = True

# Search for service

class Search_services():
  def pre_inquiry(self):
    self.done = False
  def find_services(self):
    dev_services = find_service(self, address = bdaddr, name = search_str, uuid = search_uuid)
  def inquiry_complete(self):
     self.done = True
     
##### Connectivity Functions #####

# Connect to a device

def hci_connect():
  try:
    mac = raw_input("Enter the Device MAC address: ")
    dev = raw_input("Enter your device name (eg hci0): ")
    hci_connect = os.system("hcitool -i %s cc %s" % (dev,mac))
  except:
    print "Connection failed!"
    
# Auth Device

def hci_auth():
  try:
    mac = raw_input("Enter the Device MAC address: ")
    dev = raw_input("Enter your device name (eg hci0): ")
    hci_auth = os.system("hcitool -i %s key %s" % (dev,mac))
    print "Done"
  except:
    print "Authorize failed!"
    
# Request PIN key

def req_key():
  try:
    mac = raw_input("Enter the Device MAC address: ")
    dev = raw_input("Enter your device name (eg hci0): ")
    hci_connect = os.system("hcitool -i %s cc %s" % (dev,mac))
    hci_key = os.system("hcitool -i %s key %s" % (dev,mac))
    print "Done"
  except:
    print "Request key failed!"
    
# Create a RFCOMM shell

def rfcomm_con(mac,port,data):
  if len(mac) < 1:
    mac = raw_input("Enter the Device MAC address: ")
  if len(port) < 0:
    port = input("Enter the Channel to connect on: ")
  print "Connecting to \"%s\" on Channel %s" % (mac,port)
  try:
    sock = BluetoothSocket( RFCOMM )
    sock.connect((mac, port))
    print "You are now connected to \"%s\" on channel %s" % (mac,port)
    print "Type quit to exit."
    while True:
      if len(data) < 0:
	print "No data passed, This is a raw shell..."
        data = raw_input()
      if data == 'quit': break
      sock.send(data)
    sock.close()
  except:
    print "Connection was closed !"
    
# Create RFCOMM server

def rfcomm_serv():
  print "Starting RFCOMM server..."
  server_sock = BluetoothSocket( RFCOMM )
  server_sock.bind(("",PORT_ANY))
  server_sock.listen(1)

  port = server_sock.getsockname()[1]
  try:
    uuid = btid.uuid1()
  except:
    print "Error! No UUID Generated"
    sys.exit(1)
  print "UUID Generated, Starting Server....."
  rfcomm_serv_name = raw_input("Enter Service Name ....")
  advertise_service( server_sock, rfcomm_serv_name,
                       service_id = "%s" % uuid,
                       service_classes = [ "%s" % uuid, SERIAL_PORT_CLASS ],
                       profiles = [ SERIAL_PORT_PROFILE ] )
  print "Waiting for connection on channel %d" % port
  client_sock, client_info = server_sock.accept()
  print "Accepted connection from ", client_info
  try:
    while True:
      data = client_sock.recv(1024)
      print "received [%s]" % data
  except IOError:
    pass
  print "disconnected"
  client_sock.close()
  server_sock.close()

##### End Connectivity Functions #####

##### Exploit Functions #####

# Spoof MAC

def spoof_mac():
  hci_dev = raw_input("What device would you like to use? eg 'hci0' ...:")
  print "Saving your old MAC address"
  try:
    old_mac = os.popen("hcitool -i %s dev > old_mac.txt"% (hci_dev))
    print "Save Sucsessful :D Your old MAC addr has been saved to old_mac.txt"
  except:
    print "Blue|Smash was unable to save your old MAC! :("
    sys.exit(1)
  vic_dev = MyDiscoverer()
  vic_dev.find_devices(lookup_names = True)
  while True:
    can_read, can_write, has_exc = select( [vic_dev], [], [] )
    if vic_dev in can_read:
      vic_dev.process_event()
    if vic_dev.done: 
      break
  victim_mac = raw_input("Choose a MAC from the list or enter your own...:")
  print "Changing MAC to - %s"% (victim_mac)
  try:
    os.popen("bdaddr -i %s -r -t %s"% (hci_dev,victim_mac))
    time.sleep(2)
    print "Spoof Sucsessfull :D Your new bd_addr is %s"% (victim_mac)
  except:
    print "Error! Spoof Unsucsessful :("
    sys.exit(1)


print "looking good ;D"

Cheers

[abyss]

you are truly master of bluetooth realm!!!!

[drgr33n]

Duno if that was a sarcastic comment or a genuine one ?? abyss

[abyss]

Duno if that was a sarcastic comment or a genuine one ?? abyss

genuine one!

[williamc]

I'll second that! Hopefully your development will be included in the final release of BT3. Thanks for all your hard work!

[drgr33n]

Cheers guys Just read some more interesting stuff about link keys and how someone would go about extracting the key from a device. Looks like maybe we could use two dongles and use a modded sniffer to sniff and a normal dongle to spoof the slave of a device and inject a Link key request to the master and sniff the link key

I'm still learning how to code in python and C, only started about 3 months ago so got a long way to go yet. I think I might be able to forge and inject a packet using the _bluetooth module in python, if not it will make a nice little challenge for my first C script

[Thyphen]

This might be a stupid question and is actually my first post, only because the support here has been so great everything i have needed to know I just searched and found. How does one get this to run in BTv3beta or BTv2. I have both working properly with my machine.

[drgr33n]

Hey Thyphen

Blue-Smash v2.0 is still in dev m8t, only about 10 % at the mo lol But working on it. You can use v1.0d if you want, I cant remember the link so just go to my blog...

http://drgr33nsblog.blogspot.com

Surprised I havent had more feedback ?

[xirtam]

dr green love blue smash been waiting for someone too release a bluetooth pentesting tool like this. just wondering if you could recommend an adapter that is compatible with backtrack 3 for use with your tool?

[drgr33n]

Hey xirtam

Thanks been working on v2.0 today, just finished most of the phone exploits and am half way through the HID attack. Just got the bthid virtual keyboard to compile finally and I'm going to test in a few days because I have no hardware to test it against.

As for bluetooth devices there are so many and most will work with BackTrack. But if you would like to sniff packets you will need a bluetooth adapter with the csr BC04-EXT or BC02-EXT chipset because this has a 8mb flashable RAM that allows you to upgrade to frontline's FTS4BT firmware.

I've tried sooooo many lol but I've always gone back to my trusty Fujitsu-Siemens Bluetooth v2.0 dongle that has the BCO4 chipset.

http://www.google.co.uk/products?hl=...-8&sa=N&tab=wf

I broke mine modding the firmware so I have two on order but every bodies sold out until the 9th of next month

Others are the D-Link DBT-120

http://www.google.co.uk/products?q=D...&hl=en&show=dd

And the Toshiba PA3455U-1BTM

http://www.google.co.uk/products?q=P...&hl=en&show=dd

Hope this helps