Page 11 of 20
Results 101 to 110 of 197

Thread: [New Tutorial For BT3 ONLY]One bluetooth post to rule them all!

  1. #101
    Very good friend of the forum drgr33n's Avatar
    Join Date
    Jan 2010
    Location
    Dark side of the moon ...
    Posts
    699

    Default

    Sorry about the late reply.

    I cannot download the dump file; I keep getting "invalid session". It might be an error at Rapidshare, so I'll try later in the evening.

  2. #102
    Member
    Join Date
    Jan 2006
    Posts
    90

    Default

    Hmm, it's coming up invalid for me too.

    I'll try re-do it later.

  3. #103
    Just burned his ISO
    Join Date
    Mar 2008
    Posts
    2

    Default Where to enter your passkey for outgoing connection authentication success

    Hello everyone,

    This is my first post, and I would like to say that Dr GrEen is very informative in many aspects of pen testing. I would also like to thank you, Dr GrEen, for the various information you have posted on this site, which has kept me lurking and learning for 5 months. I finally found something I can contribute, so here goes.

    I was having the same authentication issue as Hongman: I would try to connect with any program from BackTrack 3 Beta that prompted the phone for a passkey, and found that typing the passkey on the phone (it seems everyone is using "1234") would end in "connection refused". After Googling "hcid.conf outgoing passkey" (because I took the time to read hcid.conf completely for the billionth time and found it said incoming passkey), I came across entering the passkey I wanted into the following file:

    kwrite /etc/bluetooth/passkeys/default <-- type in just the passkey, no quotes, and save.
    I was able to verify the PIN when typing it into my MetroPCS Motorola V3M. So far I have only had success connecting to a phone using obexftp and the following commands:

    Code:
    # First get the directory tree
    obexftp -b BD_ADDR -c / -l
    # To download files
    obexftp -b BD_ADDR -c /Picture -g example.jpg
    # To upload files
    obexftp -b BD_ADDR -c /Picture -p example.jpg
    Got the above info here: hxxp://xxx.go2linux.org/transfer-files-with-bluetooth-Linux.
    Also, to have your phone "discoverable" you need to add the following to hcid.conf:

    Code:
    # Inquiry and Page scan
    iscan enable; pscan enable;
    discovto 0;
    I was not able to try the discovery mode, as my phone only connects to Bluetooth headsets and I have a Targus ACB10US USB dongle with a Broadcom chipset. BCCMD reports "unsupported device", but I will be purchasing something better shortly.

    One last thing: I noticed I would never see PSCAN ISCAN in the "hciconfig -a" output until I entered this command:

    Code:
    hciconfig hci0 piscan

    One last last thing: I made the following script file called "bluetoothsetup", saved to /mnt/sda1, as I use BT3usb:

    Code:
    #!/bin/bash
    # Cycle the adapter and reset it before loading the saved config
    hciconfig hci0 up
    hciconfig hci0 down
    hciconfig hci0 reset
    # Restore the saved hcid.conf and default passkey from the USB stick
    cp -f /mnt/sda1/backups/targusinfo/hcid.conf /etc/bluetooth/hcid.conf
    # The directory is "passkeys" (see above); the original line used "passkey", which is why it did not work
    cp -f /mnt/sda1/backups/targusinfo/default /etc/bluetooth/passkeys/default
    # RFCOMM TTY nodes: major 216, minor = device index (rfcomm0 is minor 0, not the RFCOMM channel)
    # Mode 666 lets every local user open these nodes; 660 with a bluetooth group is the safer choice
    mknod -m 666 /dev/rfcomm0 c 216 0
    mknod -m 666 /dev/rfcomm1 c 216 1
    mknod -m 666 /dev/rfcomm2 c 216 2
    # Register DUN, FTP and OPUSH in the local SDP database on the chosen channels
    sdptool add --channel=8 DUN
    sdptool add --channel=16 FTP
    sdptool add --channel=17 OPUSH
    bash /etc/rc.d/rc.bluetooth restart
    # Make the adapter discoverable and connectable, then show its status
    hciconfig hci0 piscan
    hciconfig -a
    I just open up a console and type "/mnt/sda1/backups/targusinfo/bluetoothsetup". No more retyping all that in every time I reboot!



    P.S. I named my device "HitYesThenType1234" and then used bluebugger to initiate a connection to the wife's phone, without her knowing I was doing it. Guess what? She followed the directions and I was authenticated with her phone, where I pushed up a picture of some naked guy (using the obexftp commands above). I then went to her and asked to take a picture of our daughter, which I did, then proceeded to question her about the naked picture. After some heckling, I told her what I did and got a "how clever, you're way better looking, but if it was Antonio Banderas...." That social engineering is a mofo, ain't it...

  4. #104
    Member
    Join Date
    Jan 2006
    Posts
    90

    Default

    lol, very nicely done.

    I am very busy at the moment with Work but as soon as I get a spare few I will try re-upload that file and also try the above.

    Thanks for your contributions, great first post!

  5. #105
    Just burned his ISO
    Join Date
    Mar 2008
    Posts
    8

    Default

    After reading this topic carefully I managed to get this working. I had to download the newest bluez-libs, bluez-utils, bluez-firmware and bluez-hcitool (install in that order: firmware, libs, utils, hcitool) and then Dr Green's tutorial worked perfectly. But then I had to solve the connection refused issue (tried writing it to /etc/bluetooth/passkeys/default - bullseye ;d)

    I made the same script as thewheelieking, except for those two cp -f lines, because I have BackTrack on the HDD, and put it in /root/.kde/autostart.

    Rebooted and everything works just fine, but I still have to pair phones using the 1234 PIN.
    When I get connection refused I just randomly try other channels until it works.

    When I have some time I'll post more specific output: what phones I tested and on which channels they connected.

    Since it's of no real use because of the need to enter a PIN, I am interested in some info on btcrack; I've looked on Google but found no tutorials or manual whatsoever. Can you shed some light on this topic, please?

    I had a PDF with AT commands somewhere, I'll post it as soon as I find it ;d

  6. #106
    Very good friend of the forum drgr33n's Avatar
    Join Date
    Jan 2010
    Location
    Dark side of the moon ...
    Posts
    699

    Default

    Just a quick add: instead of sifting through your saved sniffed packets for the random numbers etc., I've only just found out you can use hcidump to read sorbo's dump file properly and extract the relevant data.

    Here's a dump of a link key exchange between my phone and my laptop.

    Code:
    drgr33n ~ # hcidump -V -r out
    HCI sniffer - Bluetooth packet analyzer ver 1.41
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > ACL data: handle 0 flags 0x02 dlen 10
        L2CAP(s): Info req: type 2
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > ACL data: handle 0 flags 0x02 dlen 12
        L2CAP(s): Info rsp: type 2 result 1
          Not supported
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    
    > HCI Event: Vendor (0xff) plen 20
    > HCI Event: Vendor (0xff) plen 20
    As you can see, hcidump partially understands this, but doesn't know the op codes, so it just displays "HCI Event".

    You have to tell hcidump what manufacturer of device you are using. CSR's manufacturer code is 10, so we add this to hcidump and ...

    Code:
    HCI sniffer - Bluetooth packet analyzer ver 1.41
    > HCI Event: Vendor (0xff) plen 20
        LMP(r): version_res(m): op code 38
          VersNr 3 (2.0)
          CompId 10 (Cambridge Silicon Radio)
          SubVersNr 3164
    > HCI Event: Vendor (0xff) plen 20
        LMP(s): host_connection_req(m): op code 51
    > HCI Event: Vendor (0xff) plen 20
        LMP(r): accepted(m): op code 3
          op code 51 (host_connection_req)
    > HCI Event: Vendor (0xff) plen 20
        LMP(r): setup_complete(s): op code 49
    > HCI Event: Vendor (0xff) plen 20
        LMP(s): packet_type_table_req(m): op code 127/11
          packet type table 1 (2/3Mbps)
    > HCI Event: Vendor (0xff) plen 20
        LMP(s): set_AFH(m): op code 60
          AFH_instant 0x5072c
          AFH_mode 1
          AFH_channel_map 0xffffffffffffffffff7f
    > HCI Event: Vendor (0xff) plen 20
        LMP(r): accepted_ext(m): op code 127/1
          op code 127/11 (packet_type_table_req)
    > HCI Event: Vendor (0xff) plen 20
        LMP(s): channel_classification_req(m): op code 127/16
          AFH reporting mode 1
          AFH min interval 0x0640
          AFH max interval 0xbb80
    > HCI Event: Vendor (0xff) plen 20
        LMP(s): in_rand(m): op code 8
          random number c93ebf1f5c9a7362a80a72414dfabeb1
    > HCI Event: Vendor (0xff) plen 20
        LMP(r): accepted(m): op code 3
          op code 8 (in_rand)
    > HCI Event: Vendor (0xff) plen 20
        LMP(s): comb_key(m): op code 9
          random number 0f34da046545e5a15a11639d71a067b6
    > HCI Event: Vendor (0xff) plen 20
        LMP(r): comb_key(m): op code 9
          random number 8e429e343d0c330f1c00071806389c87
    > HCI Event: Vendor (0xff) plen 20
        LMP(s): au_rand(m): op code 11
          random number 54fba1db6e2d0aabda8a06b9ff0a2ae8
    > HCI Event: Vendor (0xff) plen 20
        LMP(r): sres(m): op code 12
          authentication response 1c890d81
    > HCI Event: Vendor (0xff) plen 20
        LMP(r): au_rand(m): op code 11
          random number 760affcf59bec9e178556145a01ab630
    > HCI Event: Vendor (0xff) plen 20
    
        LMP(s): sres(m): op code 12
                  IN_RAND  c93ebf1f5c9a7362a80a72414dfabeb1
                  COMB_KEY 0f34da046545e5a15a11639d71a067b6 (M)
                  COMB_KEY 8e429e343d0c330f1c00071806389c87 (S)
                  AU_RAND  54fba1db6e2d0aabda8a06b9ff0a2ae8 SRES 1c890d81 (M)
                  AU_RAND  760affcf59bec9e178556145a01ab630 SRES b2b6be7f (S)
          authentication response b2b6be7f
    
    > HCI Event: Vendor (0xff) plen 20
        LMP(s): setup_complete(m): op code 49
    > HCI Event: Vendor (0xff) plen 20
        LMP(s): max_slot(m): op code 45
          max slots 5
    > HCI Event: Vendor (0xff) plen 20
        LMP(s): max_slot_req(m): op code 46
          max slots 5
    > HCI Event: Vendor (0xff) plen 20
        LMP(s): auto_rate(m): op code 35
    > HCI Event: Vendor (0xff) plen 20
        LMP(r): auto_rate(s): op code 35
    > HCI Event: Vendor (0xff) plen 20
        LMP(r): max_slot(s): op code 45
          max slots 5
    > HCI Event: Vendor (0xff) plen 20
        LMP(r): timing_accuracy_req(s): op code 47
    > HCI Event: Vendor (0xff) plen 20
        LMP(r): accepted(m): op code 3
          op code 46 (max_slot_req)
    > HCI Event: Vendor (0xff) plen 20
        LMP(s): timing_accuracy_res(s): op code 48
          drift 250
          jitter 10
    > ACL data: handle 0 flags 0x02 dlen 10
        L2CAP(s): Info req: type 2
    > HCI Event: Vendor (0xff) plen 20
        LMP(s): timing_accuracy_req(m): op code 47
    > HCI Event: Vendor (0xff) plen 20
        LMP(r): timing_accuracy_res(m): op code 48
          drift 250
          jitter 10
    > HCI Event: Vendor (0xff) plen 20
        LMP(r): feature_req(s): op code 39
          features 0xff 0xff 0x8f 0xfe 0x9b 0xf9 0x00 0x80
    > HCI Event: Vendor (0xff) plen 20
        LMP(s): clkoffset_req(m): op code 5
    > HCI Event: Vendor (0xff) plen 20
        LMP(s): feature_res(s): op code 40
          features 0xff 0xff 0x8d 0xfe 0x9b 0xf9 0x00 0x80
    > ACL data: handle 0 flags 0x02 dlen 12
        L2CAP(s): Info rsp: type 2 result 1
          Not supported
    > HCI Event: Vendor (0xff) plen 20
        LMP(r): clkoffset_res(m): op code 6
          clock offset 0x34d4
    > HCI Event: Vendor (0xff) plen 20
        LMP(r): name_req(s): op code 1
          name offset 0
    > HCI Event: Vendor (0xff) plen 20
        LMP(s): supervision_timeout(m): op code 55
          supervision timeout 9600
    > HCI Event: Vendor (0xff) plen 20
        LMP(s): name_res(s): op code 2
          name offset 0
          name length 8
          name fragment 'LG KG290'
    > HCI Event: Vendor (0xff) plen 20
        LMP(s): name_req(m): op code 1
          name offset 0
    > HCI Event: Vendor (0xff) plen 20
        LMP(r): name_res(m): op code 2
          name offset 0
          name length 11
          name fragment 'drgr33n (0)'
    > HCI Event: Vendor (0xff) plen 20
        LMP(s): preferred_rate(m): op code 36
          data rate 0x70
          Basic: use FEC, no packet-size preference
          EDR: use 3 Mbps packets, use 5-slot packets
    > HCI Event: Vendor (0xff) plen 20
        LMP(s): decr_power_req(m): op code 32
          future use 0x00
    I've removed a lot of the L2CAP packets, but now hcidump understands the op codes and displays all the info needed to crack the link key. A lot easier to spot.

    Hope this helps a few people out, as it saved me a good half hour. I will add something to bluesmash later, but I've been so busy lately I've barely got time for a coffee!!!!
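The decoded trace above is what a passive listener sees of a legacy PIN pairing, which is the whole reason that mode is considered exposed. Here is an added parser, not from the thread or from hcidump itself, that pulls IN_RAND, both COMB_KEY values and the two AU_RAND/SRES pairs out of `hcidump -V` text and reports whether the complete exchange was captured; the sample trace is a trimmed copy of the one posted above, and treating the sending side as the master follows the (M)/(S) summary in the post (an assumption about this capture).

```python
import re
# Constructed sample: the pairing PDUs from the decoded hcidump -V trace posted
# above, with the "> HCI Event" header lines dropped (the parser ignores them).
SAMPLE_TRACE = """\
    LMP(s): in_rand(m): op code 8
      random number c93ebf1f5c9a7362a80a72414dfabeb1
    LMP(s): comb_key(m): op code 9
      random number 0f34da046545e5a15a11639d71a067b6
    LMP(r): comb_key(m): op code 9
      random number 8e429e343d0c330f1c00071806389c87
    LMP(s): au_rand(m): op code 11
      random number 54fba1db6e2d0aabda8a06b9ff0a2ae8
    LMP(r): sres(m): op code 12
      authentication response 1c890d81
    LMP(r): au_rand(m): op code 11
      random number 760affcf59bec9e178556145a01ab630
    LMP(s): sres(m): op code 12
      authentication response b2b6be7f
"""

LMP_RE = re.compile(r"^\s*LMP\((?P<dir>[sr])\): (?P<pdu>\w+)\(")
VAL_RE = re.compile(r"^\s*(?:random number|authentication response) (?P<hex>[0-9a-f]+)\s*$")
# (s)/(r) is send/receive at the sniffer; sender = master follows the post's (M)/(S) summary (assumption)
ROLE = {"s": "M", "r": "S"}

def parse_pairing(trace: str) -> dict:
    """Collect IN_RAND, both COMB_KEYs and the AU_RAND/SRES pairs from hcidump -V text."""
    found = {"in_rand": None, "comb_key": {}, "auth": []}
    pending, open_challenge = None, {}          # PDU header awaiting its value line
    for line in trace.splitlines():
        if (m := LMP_RE.match(line)):
            pending = (m["dir"], m["pdu"])
            continue
        if not (pending and (v := VAL_RE.match(line))):
            continue
        (side, pdu), pending = pending, None
        if pdu == "in_rand":
            found["in_rand"] = v["hex"]
        elif pdu == "comb_key":
            found["comb_key"][ROLE[side]] = v["hex"]
        elif pdu == "au_rand":                  # challenge issued by this side
            open_challenge[ROLE[side]] = v["hex"]
        elif pdu == "sres":                     # answers the peer's outstanding AU_RAND
            challenger = ROLE["r" if side == "s" else "s"]
            found["auth"].append((challenger, open_challenge.pop(challenger, None), v["hex"]))
    return found

def pairing_fully_exposed(found: dict) -> bool:
    # Everything a passive listener needs for an offline PIN guess was on the air.
    return bool(found["in_rand"]) and set(found["comb_key"]) == {"M", "S"} and len(found["auth"]) == 2
```

Run it over a full `hcidump -V` listing of a sniffed session; a result where `pairing_fully_exposed` is true is the condition that makes a short numeric PIN like "1234" a liability, and the reason to prefer Secure Simple Pairing where the devices support it.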

  7. #107
    Member
    Join Date
    Jan 2010
    Posts
    83

    Default

    Dr_GrEeN, Is there a major difference between CSR firmware versions 46 and 49 used in your video? And what's the difference between say versions airsnifferdev46bc2.dfu and airsnifferdev46bc3.dfu, and airsnifferdev46bc4.dfu?

    Does the bc2, bc3, and bc4 correspond with the Bluecore#? (i.e. BC4 = Bluecore4)

  8. #108
    Senior Member
    Join Date
    Apr 2008
    Posts
    2,008

    Default

    Does the bc2, bc3, and bc4 correspond with the Bluecore#? (i.e. BC4 = Bluecore4)
    Yes I believe so, as I tried it with a BC2 bluetooth dongle, and had to choose the airsnifferdev46bc2.dfu for it to fit.
    -Monkeys are like nature's humans.

  9. #109
    Junior Member aggtrfrad's Avatar
    Join Date
    Apr 2008
    Posts
    74

    Default

    Hola,
    here's my story (please read :P)
    - got my A7ENG USB dongle today
    - changed product ID to 0002, restart, works perfectly in raw mode
    - my stupidity gets in the game
    - I wanted to upgrade the firmware so I could use it on Windows/Frontline, so I said let's use Frontline's tool to upgrade the firmware. Started the tool, selected device, selected firmware (airsnifferdev47bc2.dfu), device changes automatically to DFU mode (dev id: ffff), I'm asked to install new drivers, starting upgrade, at the end of the upload I get an error: verification failed, maybe firmware doesn't match device
    - device stays in DFU mode, devid: ffff
    - I plugged it back into Linux: hciconfig cannot see it, bccmd cannot see it as HCI (also tried a USB serial connection but no luck), dfutool can successfully see it but:
    - it cannot start downloading firmware FROM the dongle TO my PC
    - it can start uploading firmware FROM my PC TO the dongle, but at the end it just says "Waiting for Device" and quits
    - device still in the same state
    - I also tried to restore the old firmware with Frontline's tool; it starts uploading but at the end says device not responding
    - conclusion: I'm sorry if I wasn't clear, but it's a very screwed-up case.
    edit:
    - hciconfig revision showed CSR BC2 external
    - I saved the original firmware before flashing
    -Google is watching you

    -June 1, 2001, Microsoft CEO Steve Ballmer: "Linux is a cancer that attaches itself in an intellectual property sense to everything it touches."

  10. #110
    Senior Member
    Join Date
    Apr 2008
    Posts
    2,008

    Default

    You should be able to restore your old firmware on the dongle in linux using dfutool and your backup.
    -Monkeys are like nature's humans.

