Page 1 of 2
Results 1 to 10 of 16

Thread: Long range Bluetooth PCMCIA device

  1. #1 (Junior Member, Join Date Dec 2006, Posts 42)

    Long range Bluetooth PCMCIA device

    I've been wandering around looking for info about Bluetooth Linux-compatible devices. So far I've found two lists of compatible devices and many how-tos, but no further descriptions of the specs of the devices, range and so on.

    Have any of you got links to share with me? Any forum threads, lists or in-depth reviews that focus on either the range and capabilities of the devices or on their special ability for pentesting would be useful. Actually any interesting link would do.

    I am looking for a PCMCIA device, as some of my old machines have the USB ports dead, and the main feature I look for is range. Of course, the more advanced features it supports, the better, as I want the toy to cut my teeth on Bluetooth but also to be useful to master this area once I get into it. Any recommendations are welcome too, based on personal experience or not.

    Thanks!

    PS: I know Bluetooth is usually limited to a ten metre range, but I've read around that there is some special equipment with wider range support, but found no specific example of these devices. If you've never heard of this, just drop me a line with the normal device you use that works well for pentesting.

  2. #2 (Junior Member, Join Date Dec 2006, Posts 42)

    Oh, c'mon, someone has to have a Bluetooth PCMCIA device that works ok in backtrack.. or a link related to this..

  3. #3 (Junior Member, Join Date Feb 2007, Posts 35)

    It's not PCMCIA, but have a look here if range is important:
    http://trifinite.org/trifinite_stuff_bluetooone.html

    I made one and it was relatively simple. I am sure you could adapt a PCMCIA device in a similar fashion...

  4. #4 (Junior Member, Join Date Jan 2007, Posts 97)

    Er....last time I saw a PCMCIA Bluetooth card was a Toshiba, and it was the very very early one that was not compatible with anything (even Toshiba laptops with built-in Bluetooth!). After that it has all been USB.

    Cheers,

    Mother
    In God we trust, all others we monitor

  5. #5 (Junior Member, Join Date Dec 2006, Posts 42)

    I'll check that one out Dan, thanks.

    And mother,... now it makes sense and I feel relieved...

    I guess I'll have to go for a USB! Suggestions accepted but not asking formally as still haven't done any research myself... ;P

  6. #6 (Junior Member, Join Date Sep 2006, Posts 45)

    Hey, I'm using the Belkin f8t001 version 2 Bluetooth dongle.
    Its spec is 100 metres, which seems fair judging by eye from which devices it picks up. I use a 2 metre USB extension cable (male to female) and paperclip it to my bedroom curtain to catch people nearby.

    I haven't gotten into pentesting on Bluetooth very much, as I haven't yet figured out how to identify which phones are which from the BD_address (I think blueprint does it).

    Maybe we can hook up on MSN or something and exchange ideas to progress faster when learning?

  7. #7 (Junior Member, Join Date Dec 2006, Posts 42)

    Thanks for the details aliosity. One question though: which OS have you got it working with? I've been googling your device and many people seem to have had problems with it. If it's working in Backtrack for you, could you give me the hw version, if there is such a thing in this device (better to go ultra safe!).

    I don't like Instant Messengers, but I'll drop you a note with alternatives.

    Dan, can I ask you what kind of antenna you've attached to the device and how much do you estimate the range to be before it gets too noisy to be useful? The DIY looks very promising, so I might as well go for it just for fun!

  8. #8 (Junior Member, Join Date Feb 2007, Posts 35)

    Quote Originally Posted by madmanu:
    Dan, can I ask you what kind of antenna you've attached to the device and how much do you estimate the range to be before it gets too noisy to be useful? The DIY looks very promising, so I might as well go for it just for fun!
    I have a number of antennas depending on what I want to achieve. I have a homemade YAGI antenna, made out of a Pringles can. That's good for 400-500 metres, line of sight. Goes down really well when doing presentations to senior management on Bluetooth insecurity.

    I also have a commercially purchased YAGI antenna that is about 20 dBi and good for about 2 miles, line of sight.

    I have several other non-directional antennas as well, between 5-15 dBi.

    I got all this for demonstrating Bluetooth insecurities to the company I work for... breaking into phones, PDAs & headsets as examples. Do bear in mind that the amplification is only one way, so it's great for sending commands to the device... not so reliable at receiving responses!

    Basically, if you are not comfortable making your own antenna, then any 802.11b/g wireless antenna will/should work. This is because both Bluetooth and 802.11b/g operate on 2.4 GHz (802.11a operates on 5 GHz, so ignore that). Therefore they need the same antenna lengths etc!

    I actually have a 3Com Bluetooth PCMCIA card 3CRWB6096 that I have been using with Debian on an HP Jornada 720. I haven't tried it with Backtrack as it was a bitch to get working in Debian... but it does work! It also has a flip-out antenna... so I am sure it could be appropriately modified.

    To the best of my knowledge and searching, there is no commercially available Bluetooth device that comes with an external antenna jack.

    I have butchered a couple of things to take an external antenna jack, including an iPaq h3870 PDA (running Linux), which I use for auditing Bluetooth-enabled devices around the company with the 5 dBi antenna. It's more discreet than carrying a laptop around!

    Hope that all helps

  9. #9 (Junior Member, Join Date Sep 2006, Posts 45)

    Hey madmanu, as far as I can see there's only the FCC ID left, but I've uploaded a picture of the dongle to imageshack so you can see what it looks like.

    hxxp://img68.imageshack.us/my.php?image=dsc01068ec4.jpg
    I remember noting some people having troubles with other versions of the f8t001, but haven't seen problems with this one (ver. 2).
    I use Back|Track final, but it works on other OSes as well, such as BT1, Knoppix and XP, to name a few.
    As far as penetration is concerned I can't really comment, as I haven't been able to do anything except the helomoto on my spare V600 yet (no joy on using bluesnarfer cos of the rfcomm error seen about the forums), but it seems to find a lot of devices with the Ghettotooth script. I assume it's just a case of enumerating the BD_address to find vuln devices; maybe Dan could confirm this so I'm not barking up the wrong tree?

    PS Dan, thanks for the info on 802.11b/g working on the same freq. as Bluetooth; I may put my electronics skills to good use and make my own Pringles YAGI.


    Hope this info helps.
    Any answers to my questions appreciated.

    Al

  10. #10 (Junior Member, Join Date Feb 2007, Posts 35)

    Quote Originally Posted by aliosity:
    As far as penetration is concerned I can't really comment, as I haven't been able to do anything except the helomoto on my spare V600 yet (no joy on using bluesnarfer cos of the rfcomm error seen about the forums), but it seems to find a lot of devices with the Ghettotooth script. I assume it's just a case of enumerating the BD_address to find vuln devices; maybe Dan could confirm this so I'm not barking up the wrong tree?

    PS Dan, thanks for the info on 802.11b/g working on the same freq. as Bluetooth; I may put my electronics skills to good use and make my own Pringles YAGI.


    Hope this info helps.
    Any answers to my questions appreciated.

    Al
    Right.. I tend to use BTscanner v2 rather than Ghettotooth. I've tried both and I find btscanner a little better (I have also compiled it onto my iPAQ for mobility, as well as all the exploit tools). I am still using BT2 beta and probably won't upgrade for a long time... I know that the beta has btscanner2 installed out of the box... but I can't confirm whether it made it into the final release.

    In the btscanner docs there is information about the ranges of BT HW addresses that various devices occupy... this is useful when auditing, as you can find *hidden* devices as well as those that are set to a discoverable state (again, btscanner supports brute force scanning).

    An inquiry scan will only show discoverable devices; a brute force scan allows you to scan a range of hardware addresses.

    When BTscanner picks up a device, it shows up in a list, like this:
    ┌──────────────────────────────────────────────────────────────────────────────┐
    │Time Address Clk off Class Name
    │2007/03/20 17:20:56 aa:bb:cc:dd:ee:ff 0x1ef2 0x520204 Nokia 6310

    You can scroll down with the arrow keys and select a particular device to reveal a wealth of information about it. Hit return and it expands details of the device, like this:

    ┌──────────────────────────────────────────────────────────────────────────────┐
    │RSSI: +0 LQ: 255 TXPWR: Cur -1
    │Address: aa:bb:cc:dd:ee:ff
    │Found by: gg:hh:ii:jj:kk:ll
    │OUI owner: MURATA MANUFACTURING CO., LTD.
    │First seen: 2007/03/20 17:20:56
    │Last seen: 2007/03/20 17:22:57
    │Name: Nokia 6310
    │Vulnerable to: Snarf
    │Clk off: 0x1ef4
    │Class: 0x520204
    │ Phone/Mobile
    │Services: Networking,Object Transfer,Telephony

    │HCI Version
    │-----------
    │LMP Version: 1.1 (0x1) LMP Subversion: 0x23b
    │Manufacturer: Nokia Mobile Phones (1)


    Which I think provides the information you're looking for (hit 'q' to get back to the list of devices).

    In terms of actually exploiting the phones.. there are plenty of howtos out on the web.. and the documentation that comes with the tools themselves. I have demonstrated all of the publicly known exploits at some point or another, and they are all relatively trivial to execute.

    I hope that's of help

    Dan
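The btscanner listing above shows each device's 24-bit Class of Device (CoD) as a raw hex value (0x520204) and, in the expanded view, the decoded result ("Phone/Mobile", "Services: Networking,Object Transfer,Telephony"). The following Python is an added example, not btscanner's own code, showing how that decoding works per the Bluetooth Assigned Numbers layout (bits 13-23 service classes, bits 8-12 major class, bits 2-7 minor class, bits 0-1 format type) and how a defender could turn a saved listing into an inventory of what is discoverable around the office. The sample lines are constructed to match the page's output format; the addresses are placeholders, and `parse_btscanner_line`, `decode_cod` and `inventory` are names chosen here, not part of any tool.

```python
"""Decode Bluetooth Class of Device values from btscanner-style listing lines.

Added example, not btscanner's code. Bit layout per Bluetooth Assigned Numbers:
bits 13-23 service classes, bits 8-12 major device class, bits 2-7 minor
device class, bits 0-1 format type (00 is the only defined format).
"""
import re

# Service class flags, keyed by absolute bit position in the 24-bit CoD.
SERVICE_BITS = {
    13: "Limited Discoverable Mode",
    16: "Positioning",
    17: "Networking",
    18: "Rendering",
    19: "Capturing",
    20: "Object Transfer",
    21: "Audio",
    22: "Telephony",
    23: "Information",
}

MAJOR_CLASSES = {
    0x00: "Miscellaneous",
    0x01: "Computer",
    0x02: "Phone",
    0x03: "LAN/Network Access Point",
    0x04: "Audio/Video",
    0x05: "Peripheral",
    0x06: "Imaging",
    0x07: "Wearable",
    0x08: "Toy",
    0x09: "Health",
    0x1F: "Uncategorized",
}

# Minor classes are per major class; only the Phone table is filled in here.
PHONE_MINOR = {
    0x00: "Uncategorized",
    0x01: "Cellular",
    0x02: "Cordless",
    0x03: "Smartphone",
    0x04: "Wired modem or voice gateway",
    0x05: "Common ISDN access",
}


def decode_cod(cod):
    """Return (major, minor, [services]) for a 24-bit CoD integer."""
    if cod & 0x3:
        raise ValueError("unsupported CoD format type")
    major_code = (cod >> 8) & 0x1F
    minor_code = (cod >> 2) & 0x3F
    major = MAJOR_CLASSES.get(major_code, f"Reserved (0x{major_code:02x})")
    if major_code == 0x02:
        minor = PHONE_MINOR.get(minor_code, f"Reserved (0x{minor_code:02x})")
    else:
        minor = f"0x{minor_code:02x}"  # other minor tables not included here
    services = [name for bit, name in sorted(SERVICE_BITS.items()) if cod & (1 << bit)]
    return major, minor, services


# Matches a list row: "<date> <time> <bdaddr> <clk off> <class> <name>"
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<addr>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?P<clk>0x[0-9a-f]+) (?P<cod>0x[0-9a-f]+) ?(?P<name>.*)$",
    re.IGNORECASE,
)


def parse_btscanner_line(line):
    """Parse one listing row into a dict, or return None if it is not a row."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    major, minor, services = decode_cod(int(m["cod"], 16))
    return {
        "seen": f"{m['date']} {m['time']}",
        "address": m["addr"].lower(),
        "oui": m["addr"].upper()[:8],  # first three octets, for an OUI lookup
        "class": m["cod"].lower(),
        "major": major,
        "minor": minor,
        "services": services,
        "name": m["name"].strip(),
    }


# Constructed sample rows in the page's format (placeholder addresses).
SAMPLE = [
    "2007/03/20 17:20:56 aa:bb:cc:dd:ee:ff 0x1ef2 0x520204 Nokia 6310",
    "2007/03/20 17:21:10 00:11:22:33:44:55 0x0000 0x240404 BT Headset",
    "Time Address Clk off Class Name",  # header row, skipped
]


def inventory(lines):
    """Keep only rows that parse; headers and box-drawing lines are dropped."""
    return [rec for rec in (parse_btscanner_line(ln) for ln in lines) if rec]


if __name__ == "__main__":
    for rec in inventory(SAMPLE):
        print(rec)
```

For the page's Nokia 6310 row this yields major Phone, minor Cellular and services Networking, Object Transfer and Telephony, matching the expanded btscanner view; the OUI prefix is what btscanner resolves to "MURATA MANUFACTURING CO., LTD." in its "OUI owner" line.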

