Backtrack Ultimate Bluetooth Tutorial
Hey all
After I received lots of mail and requests, I decided to shed some more light on Bluetooth. In this tutorial I am going to cover the following subjects:
1) Setting up your bluetooth equipment
2) Scanning and fingerprinting devices
3) Connectivity and RFCOMM
4) Bluebugging & Bluesnarfing
And as a merry Christmas to all at Remote Exploit:
5) Making bluetooth sniffing hardware for $39.99
Video tutorials on different subjects will be added to this post over the next week.
OK, let's begin. The first subject might sound silly to most here, but for the guys that just don't know, I'm going to cover it anyway. To set up your Bluetooth USB device simply plug it in and wait for 10 seconds. Then type in console:
And you should have your adapter up and working. You can test with the following command:
And you should see something like the following:
Code:
hci0:   Type: USB
        BD Address: 00:11:22:33:44:55  ACL MTU: 678:8  SCO MTU: 48:10
        UP RUNNING
        RX bytes:85 acl:0 sco:0 events:9 errors:0
        TX bytes:33 acl:0 sco:0 commands:9 errors:0
        Features: 0xbf 0xfe 0x8d 0x78 0x08 0x18 0x00 0x00
        Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
        Link policy:
        Link mode: SLAVE ACCEPT
        Name: 'ISSCBTA'
        Class: 0x000000
        Service Classes: Unspecified
        Device Class: Miscellaneous,
        HCI Ver: 1.2 (0x2)  HCI Rev: 0x1fe  LMP Ver: 1.2 (0x2)  LMP Subver: 0x1fe
        Manufacturer: Integrated System Solution Corp. (57)
OK, if you are stuck at this point I would suggest you go out and buy a USB dongle that is compatible with BackTrack. But if you are still with me, let's move on.
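Checking the adapter by eye works, but when you script the setup it helps to parse the hciconfig output and verify the UP/RUNNING state (and whether the adapter is discoverable) programmatically. The following is an added example, not part of the original post: the sample text is constructed in the shape of the output above (the BD address is a placeholder), and the function and field names are my own.

```python
"""Parse `hciconfig -a` output and check that an adapter is up (added example)."""
import re

# Constructed sample in the shape of the tutorial's output; the BD address is a placeholder.
SAMPLE_HCICONFIG = """\
hci0:   Type: USB
        BD Address: 00:11:22:33:44:55  ACL MTU: 678:8  SCO MTU: 48:10
        UP RUNNING
        RX bytes:85 acl:0 sco:0 events:9 errors:0
        TX bytes:33 acl:0 sco:0 commands:9 errors:0
        Features: 0xbf 0xfe 0x8d 0x78 0x08 0x18 0x00 0x00
        Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
        Link policy:
        Link mode: SLAVE ACCEPT
        Name: 'ISSCBTA'
        Class: 0x000000
        Service Classes: Unspecified
        Device Class: Miscellaneous,
        HCI Ver: 1.2 (0x2)  HCI Rev: 0x1fe  LMP Ver: 1.2 (0x2)  LMP Subver: 0x1fe
        Manufacturer: Integrated System Solution Corp. (57)
"""

ADAPTER_RE = re.compile(r"^(hci\d+):\s+Type:\s+(\S+)")
BDADDR_RE = re.compile(r"^BD Address:\s+((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")
NAME_RE = re.compile(r"^Name:\s+'(.*)'")
CLASS_RE = re.compile(r"^Class:\s+(0x[0-9A-Fa-f]+)")
FLAGS_RE = re.compile(r"^[A-Z]+(?: [A-Z]+)*$")   # e.g. "UP RUNNING PSCAN ISCAN"


def parse_hciconfig(text):
    """Return {adapter: {type, bd_address, name, class, flags}} for every hciN block."""
    adapters = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current = {"type": m.group(2), "bd_address": None, "name": None,
                       "class": None, "flags": []}
            adapters[m.group(1)] = current
            continue
        if current is None:
            continue
        if (m := BDADDR_RE.match(line)):
            current["bd_address"] = m.group(1).upper()
        elif (m := NAME_RE.match(line)):
            current["name"] = m.group(1)
        elif (m := CLASS_RE.match(line)):
            current["class"] = int(m.group(1), 16)
        elif FLAGS_RE.match(line):
            # The status line is the only line made solely of upper-case words.
            current["flags"] = line.split()
    return adapters


def adapter_ready(adapters, dev="hci0"):
    """True when the adapter exists and reports both UP and RUNNING."""
    flags = set(adapters.get(dev, {}).get("flags", []))
    return {"UP", "RUNNING"} <= flags


def is_discoverable(adapters, dev="hci0"):
    """True when inquiry scan (ISCAN) is on, i.e. other devices can find this adapter."""
    return "ISCAN" in adapters.get(dev, {}).get("flags", [])


if __name__ == "__main__":
    info = parse_hciconfig(SAMPLE_HCICONFIG)
    for dev, d in info.items():
        print(dev, d["bd_address"], d["name"], " ".join(d["flags"]),
              "ready" if adapter_ready(info, dev) else "not ready")
```

On a live system you would feed it the real output (for example `subprocess.run(["hciconfig", "-a"], capture_output=True, text=True).stdout`) instead of the constructed sample; `is_discoverable` is the check to run on your own machines, since an adapter that answers inquiries is what the scanning step later in this tutorial finds.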
Next is fingerprinting a Bluetooth device. Fingerprinting is the term we use for profiling a device, and to do this BackTrack has a collection of tools called BlueZ. BlueZ is the standard Bluetooth package for Linux. For fingerprinting we can use a couple of those tools. One is hcitool; we can use hcitool to scan for devices that are broadcasting (discoverable). We scan with hcitool with the following command:
And you should see something like:
Code:
Scanning ...
00:11:22:33:44:55 hackme
You can also brute-force scan for devices; BackTrack also has you covered on this with a wonderful tool called btscanner. btscanner can also do an inquiry scan, which is what you would use if you were wardriving.
The other is sdptool. sdptool will browse the device for open channels and tell us what services are available on which channels.
We fingerprint devices with sdptool by issuing the following command:
Code:
sdptool browse victim_Mac
And you should see something like this:
Code:
Service Name: Serial Port
Service RecHandle: 0x10001
Service Class ID List:
  "Serial Port" (0x1101)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 2
Profile Descriptor List:
  "Serial Port" (0x1101)
    Version: 0x0100

Service Name: Dial-up Networking
Service RecHandle: 0x10002
Service Class ID List:
  "Dialup Networking" (0x1103)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 3
Profile Descriptor List:
  "Dialup Networking" (0x1103)
    Version: 0x0100

Service Name: OBEX File Transfer
Service RecHandle: 0x10007
Service Class ID List:
  "OBEX File Transfer" (0x1106)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 6
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX File Transfer" (0x1106)
    Version: 0x0100

Service Name: Object Push
Service RecHandle: 0x10008
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 7
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0100
Let's take a look at what we have: on channel 2 we have a serial port, on channel 3 we have dial-up networking, on channel 6 we have OBEX FTP and on channel 7 we have OPUSH.
All are interesting, and now we have a pretty good idea about what the device is.
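Reading the channel numbers out of that listing by hand is fine for one phone, but the same information is what you want when auditing your own devices for services they advertise (OBEX push and file transfer in particular are the ones people forget they left enabled). Here is an added example that is not part of the original post: a small parser for the `sdptool browse` text format above that builds a channel-to-service inventory. The sample below is constructed with the same four records the tutorial shows; the function names are my own.

```python
"""Parse `sdptool browse` output into a service inventory (added example)."""
import re

# Constructed sample with the same four records the tutorial shows.
SAMPLE_SDP = """\
Service Name: Serial Port
Service RecHandle: 0x10001
Service Class ID List:
  "Serial Port" (0x1101)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 2
Profile Descriptor List:
  "Serial Port" (0x1101)
    Version: 0x0100

Service Name: Dial-up Networking
Service RecHandle: 0x10002
Service Class ID List:
  "Dialup Networking" (0x1103)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 3
Profile Descriptor List:
  "Dialup Networking" (0x1103)
    Version: 0x0100

Service Name: OBEX File Transfer
Service RecHandle: 0x10007
Service Class ID List:
  "OBEX File Transfer" (0x1106)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 6
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX File Transfer" (0x1106)
    Version: 0x0100

Service Name: Object Push
Service RecHandle: 0x10008
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 7
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0100
"""

ENTRY_RE = re.compile(r'^"([^"]+)"\s+\((0x[0-9A-Fa-f]+)\)$')
SECTIONS = {"Service Class ID List": "class_ids",
            "Protocol Descriptor List": "protocols",
            "Profile Descriptor List": "profiles"}


def parse_sdptool_browse(text):
    """Return one dict per SDP record: name, handle, channel, class_ids, protocols, profiles."""
    records, rec, field = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Service Name:"):
            rec = {"name": line.split(":", 1)[1].strip(), "handle": None, "channel": None,
                   "class_ids": [], "protocols": [], "profiles": []}
            records.append(rec)
            field = None
        elif rec is None:
            continue
        elif line.startswith("Service RecHandle:"):
            rec["handle"] = int(line.split(":", 1)[1], 16)
        elif line.endswith(":") and line[:-1] in SECTIONS:
            field = SECTIONS[line[:-1]]          # which list the next "(0x....)" entries belong to
        elif line.startswith("Channel:"):
            rec["channel"] = int(line.split(":", 1)[1])   # RFCOMM channel for this record
        else:
            m = ENTRY_RE.match(line)             # e.g. "RFCOMM" (0x0003); Version: lines are ignored
            if m and field:
                rec[field].append((m.group(1), int(m.group(2), 16)))
    return records


def rfcomm_channel_map(records):
    """Map each RFCOMM channel number to the service names registered on it."""
    out = {}
    for r in records:
        if r["channel"] is not None and any(n == "RFCOMM" for n, _ in r["protocols"]):
            out.setdefault(r["channel"], []).append(r["name"])
    return out


def services_over_obex(records):
    """Names of services that stack OBEX (UUID 0x0008) on RFCOMM, i.e. file-exchange services."""
    return [r["name"] for r in records if any(u == 0x0008 for _, u in r["protocols"])]


if __name__ == "__main__":
    recs = parse_sdptool_browse(SAMPLE_SDP)
    for ch, names in sorted(rfcomm_channel_map(recs).items()):
        print(f"channel {ch}: {', '.join(names)}")
    print("OBEX services:", services_over_obex(recs))
```

The parser keys on the three "... List:" headers, so a record whose protocol stack has no RFCOMM entry (an L2CAP-only service) simply gets no channel and is left out of the channel map rather than mis-assigned.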
Now on to the bit most people I speak to struggle with: the dreaded RFCOMM :O. RFCOMM is a simple set of transport protocols, built on top of the L2CAP protocol, providing an emulated RS-232 serial port. Or in layman's terms, it provides the language your device and laptop need to talk to each other.
Now the first thing to do is to set up our Bluetooth configuration, so let's go over to the /etc dir and get stuck in.
Open /etc/bluetooth/hcid.conf and replace the lot with this:
Code:
#
# HCI daemon configuration file.
#

# HCId options
options {
    # Automatically initialize new devices
    autoinit yes;

    # Security Manager mode
    #   none - Security manager disabled
    #   auto - Use local PIN for incoming connections
    #   user - Always ask user for a PIN
    #
    security auto;

    # Pairing mode
    #   none  - Pairing disabled
    #   multi - Allow pairing with already paired devices
    #   once  - Pair once and deny successive attempts
    pairing multi;

    # Default PIN code for incoming connections
    passkey "1234";
}

# Default settings for HCI devices
device {
    # Local device name
    #   %d - device id
    #   %h - host name
    name "device1";

    # Local device class
    class 0x000000;

    # Default packet type
    #pkt_type DH1,DM1,HV1;

    # Inquiry and Page scan
    iscan enable; pscan enable;

    # Default link mode
    #   none   - no specific policy
    #   accept - always accept incoming connections
    #   master - become master on incoming connections,
    #            deny role switch on outgoing connections
    lm accept,master;

    # Default link policy
    #   none    - no specific policy
    #   rswitch - allow role switch
    #   hold    - allow hold mode
    #   sniff   - allow sniff mode
    #   park    - allow park mode
    lp rswitch,hold,sniff,park;

    auth enable;
    encrypt enable;
}
You can set up your own passkey and name. Also go over to a shell and type
And copy the class to hcid.conf, save and exit. You could set up rfcomm here too, but it's a live CD.
Now restart your Bluetooth device like so:
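The hcid.conf above is tuned for a lab laptop that wants to be found and paired with easily: `security auto` hands out the local PIN without asking, `pairing multi` lets an already-paired peer pair again, `passkey "1234"` is a guessable default, and `iscan enable` keeps the adapter discoverable. Those are exactly the settings you would turn the other way on a machine you want to protect. As an added example, not from the original post, here is a small audit script that parses an hcid.conf in this format and flags the weak choices, run against a trimmed copy of the tutorial's config and a constructed hardened variant. The parser, the finding names and the "shorter than six digits is weak" rule are my own assumptions.

```python
"""Audit hcid.conf settings for weak pairing/security choices (added example)."""

# Constructed: the tutorial's configuration, trimmed to the statements that matter.
TUTORIAL_CONF = """\
options {
    autoinit yes;
    security auto;
    pairing multi;
    passkey "1234";
}
device {
    name "device1";
    class 0x000000;
    iscan enable; pscan enable;
    lm accept,master;
    lp rswitch,hold,sniff,park;
    auth enable;
    encrypt enable;
}
"""

# Constructed hardened variant: prompt the user for every PIN, pair once only,
# stay non-discoverable (page scan alone still lets already-paired peers connect).
HARDENED_CONF = """\
options {
    autoinit yes;
    security user;
    pairing once;
    passkey "84715290";   # constructed placeholder; unused when security is "user"
}
device {
    name "device1";
    class 0x000000;
    iscan disable; pscan enable;
    lm accept,master;
    lp rswitch,hold,sniff,park;
    auth enable;
    encrypt enable;
}
"""

WEAK_PINS = {"0000", "1234", "1111", "0123"}   # constructed list of common defaults


def parse_hcid_conf(text):
    """Return {section: {key: value}} for the `name { key value; ... }` blocks in hcid.conf."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.endswith("{"):
            current = line[:-1].strip()
            sections[current] = {}
        elif line == "}":
            current = None
        elif current is not None:
            for stmt in line.split(";"):        # "iscan enable; pscan enable;" is one line
                stmt = stmt.strip()
                if stmt:
                    key, _, value = stmt.partition(" ")
                    sections[current][key] = value.strip().strip('"')
    return sections


def audit_hcid(conf):
    """List the weak settings found, in a fixed order, using the names defined here."""
    opts, dev = conf.get("options", {}), conf.get("device", {})
    findings = []
    pin = opts.get("passkey", "")
    if pin in WEAK_PINS or len(pin) < 6:        # assumption: short or default PINs are weak
        findings.append("weak-passkey")
    if opts.get("security") != "user":          # "auto" answers with the stored PIN, no prompt
        findings.append("pin-not-prompted")
    if opts.get("pairing") == "multi":          # already-paired peers may pair again
        findings.append("repairing-allowed")
    if dev.get("auth") != "enable":
        findings.append("auth-disabled")
    if dev.get("encrypt") != "enable":
        findings.append("encrypt-disabled")
    if dev.get("iscan") == "enable":            # answers inquiries, so scanners can find it
        findings.append("discoverable")
    return findings


if __name__ == "__main__":
    for label, text in (("tutorial", TUTORIAL_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_hcid(parse_hcid_conf(text)) or ["ok"])
```

Note the order of the checks is deliberate: the PIN-related findings come first because they are the ones that matter even when the adapter is not discoverable, since page scan still accepts connections from anyone who already knows the address.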
Code:
bash /etc/rc.d/rc.bluetooth restart
And now we can set up our rfcomm binds. I will post a bash script when I have time, but for now you will have to do it the manual way.
First thing is to set up our devices:
Code:
mknod -m 666 /dev/rfcomm0 c 216 3
mknod -m 666 /dev/rfcomm1 c 216 6
mknod -m 666 /dev/rfcomm2 c 216 7
OK, what we did there is create three binds to our Bluetooth device. The first one is RFCOMM0 and is on channel 3 (DUN, dial-up), the second is RFCOMM1 and is on channel 6 (FTP), and the third is RFCOMM2 and is on channel 7 (OBEX push).
Now let's connect it all up with sdptool:
Code:
sdptool add --channel=3 DUN
sdptool add --channel=6 FTP
sdptool add --channel=7 OPUSH
Now that we have set up our Bluetooth dongle correctly, we can begin hacking.