Thread: [New Tutorial For BT3 ONLY]One bluetooth post to rule them all!

  1. #1
    Very good friend of the forum drgr33n
    Join Date
    Jan 2010
    Location
    Dark side of the moon ...
    Posts
    699

    [New Tutorial For BT3 ONLY] One bluetooth post to rule them all!

    Backtrack Ultimate Bluetooth Tutorial

    Hey all

    After I received lots of mail and requests, I decided to shed some more light on Bluetooth. In this tutorial I am going to be covering the following subjects:

    1) Setting up your bluetooth equipment
    2) Scanning and fingerprinting devices
    3) Connectivity and RFCOMM
    4) Bluebugging & Bluesnarfing

    And as a merry Christmas to all at Remote Exploit:

    5) Making bluetooth sniffing hardware for $39.99

    Video tutorials on different subjects will be added to this post over the next week.

    OK, let's begin. The first subject might sound silly to most here, but for the guys that just don't know I'm going to cover it anyway. To set up your Bluetooth USB device, simply plug it in and wait 10 seconds. Then type in a console:

    Code:
    hciconfig hci0 up

    And you should have your adapter up and working; you can test it with the following command:

    Code:
    hciconfig -a

    And you should see something like the following:

    Code:
    hci0:   Type: USB
            BD Address: 00:11:22:33:44:55 ACL MTU: 678:8 SCO MTU: 48:10
            UP RUNNING
            RX bytes:85 acl:0 sco:0 events:9 errors:0
            TX bytes:33 acl:0 sco:0 commands:9 errors:0
            Features: 0xbf 0xfe 0x8d 0x78 0x08 0x18 0x00 0x00
            Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
            Link policy:
            Link mode: SLAVE ACCEPT
            Name: 'ISSCBTA'
            Class: 0x000000
            Service Classes: Unspecified
            Device Class: Miscellaneous,
            HCI Ver: 1.2 (0x2) HCI Rev: 0x1fe LMP Ver: 1.2 (0x2) LMP Subver: 0x1fe
            Manufacturer: Integrated System Solution Corp. (57)

    OK, if you are stuck at this point I would suggest you go out and buy a USB dongle that is compatible with BackTrack. But if you are still with me, let's move on.

    Next is fingerprinting a Bluetooth device. Fingerprinting is a term we use for profiling a device, and to do this BackTrack has a collection of tools called BlueZ. BlueZ is basically the standard Bluetooth package for Linux. For fingerprinting we can use a couple of those tools. One is hcitool, which we can use to scan for devices that are broadcasting. We scan with hcitool using the following command:

    Code:
    hcitool scan hci0

    And you should see something like this:

    Code:
    Scanning ...
            00:11:22:33:44:55       hackme

    You can also brute-force scan for devices; BackTrack has you covered on this too, with a wonderful tool called btscanner. btscanner can also do an inquiry scan, which is what you would use if you were wardriving.

    The other is sdptool, which will browse our device for open channels and tell us what services are available on which channels.

    We fingerprint devices with sdptool by issuing the following command:

    Code:
    sdptool browse victim_Mac

    And you should see something like this:

    Code:
    Service Name: Serial Port
    Service RecHandle: 0x10001
    Service Class ID List:
      "Serial Port" (0x1101)
    Protocol Descriptor List:
      "L2CAP" (0x0100)
      "RFCOMM" (0x0003)
        Channel: 2
    Profile Descriptor List:
      "Serial Port" (0x1101)
        Version: 0x0100
    
    Service Name: Dial-up Networking
    Service RecHandle: 0x10002
    Service Class ID List:
      "Dialup Networking" (0x1103)
    Protocol Descriptor List:
      "L2CAP" (0x0100)
      "RFCOMM" (0x0003)
        Channel: 3
    Profile Descriptor List:
      "Dialup Networking" (0x1103)
        Version: 0x0100
    
    Service Name: OBEX File Transfer
    Service RecHandle: 0x10007
    Service Class ID List:
      "OBEX File Transfer" (0x1106)
    Protocol Descriptor List:
      "L2CAP" (0x0100)
      "RFCOMM" (0x0003)
        Channel: 6
      "OBEX" (0x0008)
    Profile Descriptor List:
      "OBEX File Transfer" (0x1106)
        Version: 0x0100
    
    Service Name: Object Push
    Service RecHandle: 0x10008
    Service Class ID List:
      "OBEX Object Push" (0x1105)
    Protocol Descriptor List:
      "L2CAP" (0x0100)
      "RFCOMM" (0x0003)
        Channel: 7
      "OBEX" (0x0008)
    Profile Descriptor List:
      "OBEX Object Push" (0x1105)
        Version: 0x0100

    Let's take a look at what we have: on channel 2 we have a serial port, on channel 3 we have dial-up, on channel 6 we have OBEX FTP and on channel 7 we have OPUSH.

    All are interesting, and now we have a pretty good idea about what the device is and so on.

    Now on to the bit most people I speak to struggle with, the dreaded RFCOMM :O. RFCOMM is a simple set of transport protocols, built on top of the L2CAP protocol, providing an emulated RS-232 serial port. Or in layman's terms, it provides the language your device and laptop need to talk to each other.

    Now the first thing to do is to set up our Bluetooth configuration, so let's go over to the /etc dir and get stuck in.

    Open /etc/bluetooth/hcid.conf and replace the lot with this:

    Code:
    #
    # HCI daemon configuration file.
    #
    
    # HCId options
    options {
    	# Automatically initialize new devices
    	autoinit yes;
    
    	# Security Manager mode
    	#   none - Security manager disabled
    	#   auto - Use local PIN for incoming connections
    	#   user - Always ask user for a PIN
    	#
    	security auto;
    
    	# Pairing mode
    	#   none  - Pairing disabled
    	#   multi - Allow pairing with already paired devices
    	#   once  - Pair once and deny successive attempts
    	pairing multi;
    
    	# Default PIN code for incoming connections
    	passkey "1234";
    }
    
    # Default settings for HCI devices
    device {
    	# Local device name
    	#   %d - device id
    	#   %h - host name
    	name "device1";
    
    	# Local device class
    	class 0x000000;
    
    	# Default packet type
    	#pkt_type DH1,DM1,HV1;
    
    	# Inquiry and Page scan
    	iscan enable; pscan enable;
    
    	# Default link mode
    	#   none   - no specific policy 
    	#   accept - always accept incoming connections
    	#   master - become master on incoming connections,
    	#            deny role switch on outgoing connections
    	lm accept,master;
    
    	# Default link policy
    	#   none    - no specific policy
    	#   rswitch - allow role switch
    	#   hold    - allow hold mode
    	#   sniff   - allow sniff mode
    	#   park    - allow park mode
    	lp rswitch,hold,sniff,park;
    	auth enable;
    	encrypt enable;
    }

    You can set up your own passkey and name. Also go over to a shell and type:

    Code:
    hciconfig -a

    and copy the class into hcid.conf, then save and exit. You could set up rfcomm here too, but it's a live CD.

    Now restart your Bluetooth device like so:

    Code:
    bash /etc/rc.d/rc.bluetooth restart

    And now we can set up our rfcomm binds. I will post a bash script when I have time, but for now you will have to do it the manual way.

    First thing is to set up our devices:

    Code:
    mknod -m 666 /dev/rfcomm0 c 216 3
    mknod -m 666 /dev/rfcomm1 c 216 6
    mknod -m 666 /dev/rfcomm2 c 216 7

    OK, what we did there is create three binds to our Bluetooth device. The first one is rfcomm0 and is on channel 3 (DUN, dial-up), the second is rfcomm1 and is on channel 6 (FTP) and the third is rfcomm2 and is on channel 7 (OBEX push).

    Now let's connect it all up with sdptool:

    Code:
    sdptool add --channel=3 DUN
    sdptool add --channel=6 FTP
    sdptool add --channel=7 OPUSH

    Now that we have set up our Bluetooth dongle correctly, we can begin hacking.

    If I were to talk you through every possible exploit there is for Bluetooth it would take all of next year and I still wouldn't be finished, so the two hacks are going to be bluesnarfer and bluebugger.

    Bluesnarfer connects to a target Bluetooth device via Bluetooth's OBEX Push profile. But instead of pushing a business card, it pulls, using a "get" request for files with known names, such as the phonebook file (telecom/pb.vcf) or the calendar file (telecom/cal.vcs). Bluebugger works in a similar way.
    Also bear in mind that these security flaws can still be used against you. With a little bit of social engineering you could pre-pair a phone to your laptop and exploit it from then onwards. Stand by for a video of bluesnarfer and bluebugger successfully completing a hack on my Samsung D600.

    Both are pretty straightforward to use now that you have your Bluetooth set up correctly. I'm not going to post commands because there is a video on the way. First, bluebugger:

    Code:
    bluebugger 0.1 ( MaJoMu | www.codito.de )
    -----------------------------------------
    
    Usage: bluebugger [OPTIONS] -a <addr> [MODE]
    
           -a <addr>     = Bluetooth address of target
    
           Options:
           --------
           -m <name>     = Name to use when connecting (default: '')
           -d <device>   = Device to use (default: '/dev/rfcomm')
           -c <channel>  = Channelto use (default: 17)
           -n            = No device name lookup
           -t <timeout>  = Timeout in seconds for name lookup (default: 5)
           -o <file>     = Write output to <file>
    
           Mode:
           -----
           info                   = Read Phone Info   (default)
           phonebook              = Read Phonebook    (default)
           messages               = Read SMS Messages (default)
           dial <num>             = Dial number
           ATCMD                  = Custom Command (e.g. '+GMI')
    
           Note: Modes can be combined, e.g. 'info phonebook +GMI'

    And bluesnarfer:

    Code:
    bluesnarfer, version 0.1 -
    usage: bluesnarfer [options] [ATCMD] -b bt_addr
    
    ATCMD     : valid AT+CMD (GSM EXTENSION)
    
    TYPE      : valid phonebook type ..
    example   : "DC" (dialed call list)
                "SM" (SIM phonebook)
                "RC" (recevied call list)
                "XX" much more
    
    -b bdaddr : bluetooth device address
    -C chan   : bluetooth rfcomm channel
    
    -c ATCMD  : custom action
    -r N-M    : read phonebook entry N to M
    -w N-M    : delete phonebook entry N to M
    -f name   : search "name" in phonebook address
    -s TYPE   : select phonebook memory storage
    -l        : list aviable phonebook memory storage
    -i        : device info

    Now for the finale: how to turn an ordinary USB Bluetooth dongle into a $1000 sniffing tool.
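To turn an sdptool listing like the one in this post into something you can check rather than read by eye, here is an added Python example (not from the original post) that parses `sdptool browse` output into a channel table and flags the OBEX and Dial-up Networking services, the profiles the tools in this post connect to, so you can audit what your own phone exposes. The two records are constructed to match the layout shown above.

```python
import re

# Constructed sample in the layout of the thread's `sdptool browse` output (two records)
SDP_SAMPLE = """\
Service Name: Serial Port
Service Class ID List:
  "Serial Port" (0x1101)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 2
Profile Descriptor List:
  "Serial Port" (0x1101)
    Version: 0x0100

Service Name: Object Push
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 7
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0100
"""

UUID_LINE = re.compile(r'^\s+"([^"]+)"\s+\((0x[0-9a-fA-F]+)\)')  # e.g.   "RFCOMM" (0x0003)
RFCOMM, OBEX, DUN = 0x0003, 0x0008, 0x1103  # protocol / service class UUIDs seen in the output

def parse_sdp(text):
    """Turn `sdptool browse` output into a list of service records."""
    records, section = [], None
    for line in text.splitlines():
        m = UUID_LINE.match(line)
        if line.startswith("Service Name:"):
            records.append({"name": line.split(":", 1)[1].strip(),
                            "class_ids": [], "protocols": [], "channel": None})
        elif line.endswith("List:"):
            section = line[:-1]  # Service Class ID / Protocol Descriptor / Profile Descriptor
        elif m and section == "Service Class ID List":
            records[-1]["class_ids"].append(int(m.group(2), 16))
        elif m and section == "Protocol Descriptor List":
            records[-1]["protocols"].append(int(m.group(2), 16))
        elif section == "Protocol Descriptor List" and "Channel:" in line:
            records[-1]["channel"] = int(line.split(":", 1)[1])
    return records

def channel_table(records):
    """RFCOMM channel -> (service name, targeted); targeted marks OBEX or Dial-up Networking."""
    return {r["channel"]: (r["name"], OBEX in r["protocols"] or DUN in r["class_ids"])
            for r in records if RFCOMM in r["protocols"] and r["channel"] is not None}
```

Feed it the real output of `sdptool browse <addr>` for your own handset and the flagged channels are the ones to close or lock behind pairing first.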

  2. #2
    Senior Member imported_spankdidly
    Join Date
    Feb 2006
    Posts
    1,031

    I have never gotten any of the bluetooth BS to work. Awesome tutorial though!
    I felt like bending the bars back, and ripping out the window frames and eating them. yes, eating them! Leaping, leaping, leaping! Colonics for everyone! All right! You dumb*sses. I'm a mental patient. I'm *supposed* to act out!

  3. #3
    Very good friend of the forum drgr33n
    Join Date
    Jan 2010
    Location
    Dark side of the moon ...
    Posts
    699

    Bluetooth sniffer

    Finally, and to say merry Xmas, here it is: how to turn an ordinary USB dongle with a Cambridge Silicon Radio chipset into the FTS4BT sniffing dongle. Before we begin I would like to say I do not hold any responsibility for anybody breaking their equipment. You are doing this at your own risk, but hey, for $39 who cares.

    I have been reading up on this for a while now, and I was reading one of max@remote-exploit's papers where he had changed the firmware using the BlueZ utilities to make the dongle go into RAW mode or promiscuous mode.

    EDIT

    Seems I was a bit keen in this tutorial, as it turns out this mod was not successful after all. The reason is that there are two types of BlueCore-4 chipset: BlueCore-4 ROM and BlueCore-4 External. The ROM chip has the firmware embedded on the chip and the EXT model has external memory for the firmware. You need to be able to update the firmware to allow sniffing in Windows.

    To find out if you have the right type of chipset, type:

    Code:
    hciconfig hci* revision

    If you see EXT, excellent, but if you see ROM you are a no-go. That said, ROM chipsets will still go into RAW mode and the FTS4BT software reads the device as compatible, but calibration crashed for me.

    Also, it must be in promiscuous mode because we see bytes via hciconfig and RAW in the modes??? I'm looking into this more at the moment, so as I learn more I will add to this.

    First, let's back up your old firmware with dfutool:

    Code:
    dfutool -d hci0 archive backold.dfu

    Select the number corresponding to your card. Next, let's fire up the card:

    Code:
    hciconfig hci0 up

    This may not make sense now, but it will very soon, so pay attention lol. There are multiple places to read bytes on the stick. Depending on what card you are using these can be different. In general these are "Default" (0x0000), "param" (0x0008), "psi" (0x0001), "psf" (0x0002) and "psrom" (0x0004). If yours is different you can keep trying until you run out of numbers and then take the dongle back.

    Now we have to hunt down the values of the USB product and vendor identifiers.

    To get the product ID, type:

    Code:
    bccmd psget -s 0x0000 0x02bf

    And you should see:

    Code:
    USB product identifier: 0x0001 (1)

    And now the vendor ID:

    Code:
    bccmd psget -s 0x0000 0x02be

    From what I have read, most of the time the stuff you need to edit is on psf 0x0002, but yours may be different. But there are only five it can be. Now let's write the new ID:

    Code:
    bccmd psset -s 0x0000 0x02bf 0x0002

    Now check the changes were made:

    Code:
    bccmd psget -s 0x0000 0x02bf

    And you should now see:

    Code:
    USB product identifier: 0x0002 (2)

    Success!!!!!!

    Now, from what I have read, 9 times out of 10 you don't need to change your vendor ID, but check to see if it's 0x0a12 and if not change that too:

    Code:
    bccmd psset -s 0x0000 0x02be 0x0a12

    And you are done. There is support for *nix but I have yet to find it, but you can see it sniffing: if you keep retyping hciconfig hci0 you will see the TX and RX bytes rising, and you are in RAW mode.

    Code:
    drgr33n ~ # hciconfig hci0
    hci0:   Type: USB
            BD Address: 00:11:67:5A:A5:C8 ACL MTU: 0:0 SCO MTU: 0:0
            UP RUNNING RAW
            RX bytes:41281 acl:0 sco:0 events:0 errors:0
            TX bytes:42532 acl:0 sco:0 commands:1971 errors:0
    
    drgr33n ~ # hciconfig hci0
    hci0:   Type: USB
            BD Address: 00:11:67:5A:A5:C8 ACL MTU: 0:0 SCO MTU: 0:0
            UP RUNNING RAW
            RX bytes:41293 acl:0 sco:0 events:0 errors:0
            TX bytes:42535 acl:0 sco:0 commands:1972 errors:0
    
    drgr33n ~ # hciconfig hci0
    hci0:   Type: USB
            BD Address: 00:11:67:5A:A5:C8 ACL MTU: 0:0 SCO MTU: 0:0
            UP RUNNING RAW
            RX bytes:41305 acl:0 sco:0 events:0 errors:0
            TX bytes:42538 acl:0 sco:0 commands:1973 errors:0
    
    drgr33n ~ # hciconfig hci0
    hci0:   Type: USB
            BD Address: 00:11:67:5A:A5:C8 ACL MTU: 0:0 SCO MTU: 0:0
            UP RUNNING RAW
            RX bytes:41317 acl:0 sco:0 events:0 errors:0
            TX bytes:42541 acl:0 sco:0 commands:1974 errors:0
    
    drgr33n ~ # hciconfig hci0
    hci0:   Type: USB
            BD Address: 00:11:67:5A:A5:C8 ACL MTU: 0:0 SCO MTU: 0:0
            UP RUNNING RAW
            RX bytes:41329 acl:0 sco:0 events:0 errors:0
            TX bytes:42544 acl:0 sco:0 commands:1975 errors:0

    Now more and more stuff is coming out every month on this, so right now it may seem pointless, but give it 6 months and you will be laughing.

    Merry Christmas!
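As an added check that is not part of drgr33n's post: a Python snippet that parses a series of `hciconfig hci0` dumps like the ones above, confirms the RAW flag is set on every sample and computes the RX/TX byte deltas between samples, so you get a definite answer instead of watching the counters scroll. The three dumps are constructed to match the thread's output.

```python
import re

# Constructed sample: three `hciconfig hci0` dumps in the layout shown in the
# thread, captured a moment apart (prompt lines omitted)
HCI_SAMPLE = """\
hci0:   Type: USB
        BD Address: 00:11:67:5A:A5:C8 ACL MTU: 0:0 SCO MTU: 0:0
        UP RUNNING RAW
        RX bytes:41281 acl:0 sco:0 events:0 errors:0
        TX bytes:42532 acl:0 sco:0 commands:1971 errors:0

hci0:   Type: USB
        BD Address: 00:11:67:5A:A5:C8 ACL MTU: 0:0 SCO MTU: 0:0
        UP RUNNING RAW
        RX bytes:41293 acl:0 sco:0 events:0 errors:0
        TX bytes:42535 acl:0 sco:0 commands:1972 errors:0

hci0:   Type: USB
        BD Address: 00:11:67:5A:A5:C8 ACL MTU: 0:0 SCO MTU: 0:0
        UP RUNNING RAW
        RX bytes:41305 acl:0 sco:0 events:0 errors:0
        TX bytes:42538 acl:0 sco:0 commands:1973 errors:0
"""

COUNTER = re.compile(r"^\s*(RX|TX) bytes:(\d+) .*?errors:(\d+)")

def parse_dumps(text):
    """Split consecutive hciconfig dumps into dicts of flags and byte/error counters."""
    dumps = []
    for block in text.strip().split("\n\n"):
        d = {"flags": set(), "RX": 0, "TX": 0, "errors": 0}
        for line in block.splitlines():
            m = COUNTER.match(line)
            if m:
                d[m.group(1)] = int(m.group(2))
                d["errors"] += int(m.group(3))
            elif line.strip().startswith(("UP", "DOWN")):
                d["flags"] = set(line.split())  # e.g. {"UP", "RUNNING", "RAW"}
        dumps.append(d)
    return dumps

def raw_capture_status(text):
    """Return (capturing, rx_deltas, tx_deltas): RAW must be set on every dump and
    the RX counter must climb between every pair of samples."""
    dumps = parse_dumps(text)
    in_raw = all("RAW" in d["flags"] for d in dumps)
    rx = [b["RX"] - a["RX"] for a, b in zip(dumps, dumps[1:])]
    tx = [b["TX"] - a["TX"] for a, b in zip(dumps, dumps[1:])]
    return in_raw and all(x > 0 for x in rx), rx, tx
```

Pipe the real dumps in (`for i in 1 2 3; do hciconfig hci0; echo; sleep 1; done`) and a False result tells you the dongle either dropped out of RAW or is not seeing traffic.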

  4. #4
    Senior Member imported_spankdidly
    Join Date
    Feb 2006
    Posts
    1,031

    http://www.5min.com/Video/Eavesdropp...eadsets-925061

    Funny Stuff.

    I was able to get most of this working; however, my headset was not vulnerable or something.

  5. #5
    Senior Member
    Join Date
    Jan 2006
    Posts
    1,334

    Very nice write-up.

    As you stated, this isn't an area that really gets much coverage, primarily because it has always been artificially *held* within the mega-bucks arena.
    But I suppose I can understand why, too.

  6. #6
    Very good friend of the forum drgr33n
    Join Date
    Jan 2010
    Location
    Dark side of the moon ...
    Posts
    699

    Yeah, Car Whisperer is funny and a nice add too. Cheers spankdidly.

    @Re@lity yep, that's why we have to bring their $1000 bill down to $39 ;D

  7. #7
    Member
    Join Date
    Jul 2007
    Posts
    104

    Just as some side info, if you are using a Logitech Bluetooth adapter that came with your keyboard/mouse you may get an issue with the hciconfig hci0 up command. To remedy this, enter the commands:

    Code:
    hid2hci
    hciconfig hci0 up

    and last, to make sure it's up:

    Code:
    hciconfig -a

    This probably doesn't apply to many people, but oh well.
    (I had that problem though. Thanks Google.)

  8. #8
    Member
    Join Date
    Nov 2007
    Posts
    220

    Dr_Green I love you!!!

    Will have a go at this lot the other side of the weekend.

    Much appreciated.
    wtf?

  9. #9
    Just burned his ISO
    Join Date
    Jan 2009
    Posts
    4

    I'm kinda confused with the commands for bluesnarfer and bluebugger.

    Can someone please give me an example of what I could put in?
    (Sorry for the noobiness.)

    Again sorry for the noobiness, but can someone post a video of exactly everything that happens?
    Details for details, instructions and all. I learn better when I see it, rather than looking at words.

  10. #10
    Very good friend of the forum drgr33n
    Join Date
    Jan 2010
    Location
    Dark side of the moon ...
    Posts
    699

    Thanks guys, glad you liked it. Sorry about the bad English and spelling; it was late last night and I was running on about 10% brainpower. Just been through and sorted the odd really bad bits out.
