
Thread: [New Tutorial For BT3 ONLY]One bluetooth post to rule them all!

  1. #181
    Just burned their ISO
    Join Date
    Dec 2008
    Posts
    24

    It all works

    Ok, I have managed to make a sniffing dongle work both in BT3 and in Windows. It is a dLink BT120 C1 flashed with 47bc4.dfu. I am waiting on my second dongle to arrive so that I can start scanning. My intention is to pass on what I learn from all this, so I am inclined to write a step-by-step tutorial for it all. From what I read here there is not much to do since Bluetooth technology has evolved and is no longer vulnerable. "Yeah right!" Just like every OS and software out there. I do not believe that it is no longer vulnerable; it's just that none have been found yet or published, but this is what it's all about, right? Finding the vulnerabilities and properly documenting them so that we can protect ourselves and our customers, companies etc.... So I want to test, test, test and post my findings. Those who wish to do the same are welcome to post.

  2. #182
    Just burned his ISO
    Join Date
    Jun 2009
    Posts
    2


    So, I read almost the whole post and learned a lot from doing so. I got all the pieces (firmware, frontline for windows, frontline.c) together except the flashable bt dongle.

    But before buying one so that I can experiment on my own I have some questions left:
    Did someone successfully sniff a phone<->phone pairing (from, let's say, 2m distance)? My understanding is that the pc<->phone pairing is sniffed by the dongle right next to the dongle used to pair (since the USB slots are close together on the PC). What impact does a small distance (<5m) have on the accuracy of the sniffing?

    How do I proceed after successfully cracking the link key? Are there known procedures to exploit the gathered information? Like storing the link key, spoofing the bt_addr and connecting as the second phone "in disguise"?

    Somehow all I read so far stops after cracking the PIN/LK... but that is where it gets interesting. The LK is useless if I can't go further from there.

    So before investing in a dongle (D-Link DBT-120 rev. C ... with the risk of getting the one with the non-ext firmware?!) it would be nice if someone could comment on the above.

    Cheers

    EDIT:

    My friend has a bluetooth dongle with
    Code:
    hci0:   Type: USB
            BD Address: 00:09:DD:50:0A:6E ACL MTU: 384:8 SCO MTU: 64:8
            HCI 19.2
            Chip version: BlueCore4-External
            Max key size: 56 bit
            SCO mapping:  HCI
    He was so kind as to allow me to play around with it, and now I get
    Code:
    hci0:   Type: USB
            BD Address: 00:09:DD:50:0A:6E ACL MTU: 0:0 SCO MTU: 0:0
            UP RUNNING RAW
            RX bytes:6 acl:0 sco:0 events:0 errors:0
            TX bytes:0 acl:0 sco:0 commands:0 errors:0
    I tested sniffing 2 mobile phones pairing. They were ~2m away from my desktop computer with the sniffing dongle and it worked like a charm. Captured the pairing, cracked the pin and the link key.

    Now I wonder how I/the attacker can take advantage of this. I imagine one could spoof the bt_addr, change the class to 0x5a0204, store the cracked link key in /var/lib/bluetooth/<spoofed-address>/linkkeys and try to connect to the phone. Unfortunately I can only change the bt_addr of the sniffing stick (but that one is unusable because of the changed firmware). I don't want to change the firmware back.
    Any comments on how to proceed with the findings of the sniffing-cracking-process?
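
    The two hciconfig listings quoted in this post are a convenient format to check from a script. As an added example that is not part of the thread, here is a small Python parser for that output plus an audit step from an inventory point of view: it flags an adapter that has been left in RAW mode with zero MTUs (the state the flashed dongle shows, which a normal stack cannot use) and an adapter whose reported maximum key size is below a configured minimum. The sample text is the listing from the post; the 128-bit minimum, the `Adapter` field names and the finding wording are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the two hciconfig listings quoted in the post, the first
# with stock firmware, the second after the dongle was flashed.
NORMAL_ADAPTER = """\
hci0:   Type: USB
        BD Address: 00:09:DD:50:0A:6E ACL MTU: 384:8 SCO MTU: 64:8
        HCI 19.2
        Chip version: BlueCore4-External
        Max key size: 56 bit
        SCO mapping:  HCI
"""

FLASHED_ADAPTER = """\
hci0:   Type: USB
        BD Address: 00:09:DD:50:0A:6E ACL MTU: 0:0 SCO MTU: 0:0
        UP RUNNING RAW
        RX bytes:6 acl:0 sco:0 events:0 errors:0
        TX bytes:0 acl:0 sco:0 commands:0 errors:0
"""


@dataclass
class Adapter:
    # Field names are this example's own choice, not BlueZ's.
    name: str
    bd_addr: Optional[str] = None
    acl_mtu: Optional[int] = None
    chip: Optional[str] = None
    max_key_bits: Optional[int] = None
    flags: List[str] = field(default_factory=list)


def parse_hciconfig(text: str) -> List[Adapter]:
    """Parse hciconfig-style output into one Adapter per hciN block."""
    adapters: List[Adapter] = []
    cur: Optional[Adapter] = None
    for line in text.splitlines():
        m = re.match(r"^(hci\d+):\s", line)
        if m:
            cur = Adapter(name=m.group(1))
            adapters.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        m = re.match(r"BD Address: ([0-9A-F:]{17})\s+ACL MTU: (\d+):\d+", s)
        if m:
            cur.bd_addr = m.group(1)
            cur.acl_mtu = int(m.group(2))
            continue
        m = re.match(r"Chip version: (.+)$", s)
        if m:
            cur.chip = m.group(1).strip()
            continue
        m = re.match(r"Max key size: (\d+) bit", s)
        if m:
            cur.max_key_bits = int(m.group(1))
            continue
        # The flag line ("UP RUNNING RAW") consists only of upper-case words;
        # "HCI 19.2" and "RX bytes:6 ..." do not match because of the digits
        # and lower-case letters.
        if s and all(w.isupper() for w in s.split()):
            cur.flags = s.split()
    return adapters


def audit(adapter: Adapter, min_key_bits: int = 128) -> List[str]:
    """Return human-readable findings for one adapter (policy is assumed)."""
    findings: List[str] = []
    if "RAW" in adapter.flags:
        findings.append(f"{adapter.name}: adapter is in RAW mode, not usable by the normal stack")
    if adapter.acl_mtu == 0:
        findings.append(f"{adapter.name}: ACL MTU is 0, no data link available")
    if adapter.max_key_bits is not None and adapter.max_key_bits < min_key_bits:
        findings.append(
            f"{adapter.name}: reported max key size {adapter.max_key_bits} bit "
            f"is below the {min_key_bits} bit minimum"
        )
    return findings


if __name__ == "__main__":
    for sample in (NORMAL_ADAPTER, FLASHED_ADAPTER):
        for a in parse_hciconfig(sample):
            print(a)
            for f in audit(a):
                print("  -", f)
```

    Run it against the output of `hciconfig -a` on a box with several adapters to get one Adapter per hciN block; the flag-line heuristic relies on the flag words being the only all-upper-case line in a block, which holds for the listings in the post.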

  3. #183
    Just burned his ISO
    Join Date
    Jan 2009
    Posts
    11

    go further

    hey, since you got a link key you don't need a sniffer anymore. just spoof the bt address of your scanner stick (it should be a bc chip) and do obex ftp...
    more in here:
    hxxp://seguridadmobile.blogspot.com/2008/11/sniffing-bluetooth-pairing.html

  4. #184
    Just burned his ISO
    Join Date
    Jun 2009
    Posts
    2

    I'm a lazy bastard :(

    Hello donpee,
    thanks for your reply. I know that I wouldn't actually need the sniffer anymore when I plan to "continue" the attack. But I still want to play around with it (and demonstrate it to my friend and others). The link you provided is very interesting and sums it all up quite nicely.
    But I still struggle with "how to disguise your PC as the other phone".

    What do I have to change?
    1.) obviously the bt_addr (that is clear to me)
    2.) what about the device class? Do I have to change it via hcid.conf, to 0x5A0204 for example?

    Where to store the key? I guess it should be /var/lib/bluetooth/<spoofed-address>/linkkeys

    Is the key given by btpincrack in reverse order? Compare hXXp://seguridadmobile.blogspot.com/2008/11/sniffing-bluetooth-pairing.html -> bottom half, where he checks if it's the right key.

    And finally, is there an obexftp alternative/variant where you can browse the device like a local filesystem with ls and cd? This XML format is quite nasty for the eyes, and all these commands just to learn about the next subfolder name... seems so uncomfortable.

    Thanks for all your help so far
    Regards

  5. #185
    Just burned his ISO
    Join Date
    Jan 2009
    Posts
    11

    i'm lazy too

    hey doktor, as soon as you got a key you don't need to change anything in your equipment, and a key is already in the bt /var/lib/bluetooth/<spoofed-address>/linkkeys folder.
    in the link hXXp://seguridadmobile at the bottom there are bt screens with the cracked key and pin, and under it are the keys in the attacked paired devices, just for comparison....
    i think you gotta type all that crap, there is no alternative....
    try the 'attack' tool included in bt3.
    why do you want to "disguise your PC as the other phone"? it's a device class matter.
    good luck

  6. #186
    Just burned his ISO
    Join Date
    Jul 2007
    Posts
    5


    Something that I think has gone wrong on this thread is the distinction of when you need a flashed dongle and when you need it original. BTscanner won't work with a flashed one, and (obviously) frontline won't work without.
    So does anything other than frontline.c make use of a flashed dongle?

    Where do I find a copy of the frontline.c source?

    Last but not least, a DBT-120 H/W Ver.:B3 works; a Typhoon 20007 can be flashed, looks fine but doesn't return data. I only tried version 47; if anything else works, I'll report.

  7. #187
    Just burned his ISO
    Join Date
    Jan 2009
    Posts
    11


    you gotta use the sniffer and scanner dongles @ the same time in frontline.c or dr.green's bluesmash. google for the frontline.c source.
    stay in touch

  8. #188
    Just burned his ISO
    Join Date
    Jul 2007
    Posts
    5


    I googled "frontline.c source" yesterday, and I did it again today just to be sure. But it wasn't to be found. Could anybody help?

    Also, are you saying I need two dongles to use frontline.c and bluesmash? I'm sniffing the traffic between two phones.

  9. #189
    Super Moderator Archangel-Amael
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012


    Quote Originally Posted by rudolf:
    I googled "frontline.c source" yesterday, and I did it again today just to be sure. But it wasn't to be found. Could anybody help?
    Frontline.c should already be in BT3; look for it with locate frontline.c
    BTW a ".c" is a file extension for a program or application in C; as such there really is no "source" other than the mentioned file.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  10. #190
    Just burned his ISO
    Join Date
    Jul 2007
    Posts
    5


    I have googled...
    I have searched BT2 and BT3...
    I saw the link to sorbo/darkircop.org on the bluesmash page.
    I know what .c means...
    I would even copy the .h too.

    So instead of telling me the obvious, could someone help me find the source for frontline please?
