Page 1 of 5 123 ... LastLast
Results 1 to 10 of 41

Thread: Blue|Smash v2.0 dev

  1. #1 drgr33n (Very good friend of the forum), Join Date: Jan 2010, Location: Dark side of the moon ..., Posts: 699

    Blue|Smash v2.0 dev

    Hey guys

    Now that I'm starting to get to grips with Python and Bluetooth, I've decided to completely revise Blue|Smash.

    Blue|Smash will now be using SQLite to store all data. Also, Blue|Smash will include more exploits, a full autopwn function (scan, profile and exploit every discoverable device in range), Bluetooth chat, ATSMS, a CSR dongle modifier and hopefully some sort of HID attack.

    Ideas, requests etc. would be appreciated.

    Rel1k, can I still use your menu?

    UPDATE 27.02.2008

    Code:
    #!/usr/bin/python
    ##############################################################################
    #                                                                            #
    # Blue|Smash - A menu driven frontend for bluetooth pentesters.              #
    #                                                                            #
    # Created by: Zarren Spry (drgr33n)                                          #
    # Copyright (C) 2008 Zarren Spry (drgr33n) zarren2@hotmail.co.uk             #
    #                                                                            #
    # This program is free software; you can redistribute it and/or modify it    #
    # under the terms of the GNU General Public License version 3 as             #
    # published by the Free Software Foundation; version 3.                      #
    #                                                                            #
    # This program is distributed in the hope that it will be useful, but        #
    # WITHOUT ANY WARRANTY; without even the implied warranty of                 #
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU          #
    # General Public License for more details.                                   #
    #                                                                            #
    ##############################################################################
    
    ##### Welcome Screen #####
    
    version = "2.0a"
    
    print """   
     _     _                                         _     
    | |   | |                                       | |    
    | |__ | | _   _ _____ _____ ___ ____  _____  ___| |__  
    |  _ \| || | | | ___ (_____)___)    \(____ |/___)  _ \ 
    | |_) ) || |_| | ____|    |___ | | | / ___ |___ | | | |
    |____/ \_)____/|_____)    (___/|_|_|_\_____(___/|_| |_|
                                                            
    		     Version: %s
    
    A menu driven bluetooth pentesting tool for the Back|Track 
    live CD.
    
    By Zarren Spry AKA Drgr33n, Mail me @ zarren2@hotmail.co.uk
    
    
    """ % (version)
    
    ##### End Welcome Screen #####
    
    try:
      import os,time,sys,struct,array,fcntl
      from pysqlite2 import dbapi2 as sqlite
      from bluetooth import *
      from bluetooth import _bluetooth as bt
      from select import *
      import uuid as btid
    except ImportError, e:
        print "Your system is missing some dependencies, Please read the README file."
        sys.exit(1)
    ##### Hardware Check #####
    
    print "Checking to see if HCI device exists...."
    try:
      sock = bt.hci_open_dev()
      results = bt.hci_inquiry(sock, duration=2, flush_cache=True)
    except bt.error:
      print "No Local Device Detected! Please check your hardware"
      print "Blue|Smash will now exit!"
      sys.exit(1)
    ##### End Hardware Check #####
    
    ##### Load / Create Sqlite DB #####
    
    while True:
      try:
        db_menu = raw_input("""DB Menu ...: 
    
        1) Load existing DB
        2) Create new DB
    
        Enter a number...:
        """)
        if db_menu == '1':
          db_name = raw_input("Enter path to file and filename, for eg '/root/foo.db'..:")
          db_con = sqlite.connect(db_name)
          break
        if db_menu == '2':
          db_name = raw_input("Choose a name for your DB ....:")
          # Keep asking until the chosen name does not clash with an existing file
          while os.path.exists(db_name):
            db_name = raw_input("DB already exists! Choose another name ...:")
          db_con = sqlite.connect(db_name)
          break
      except sqlite.Error:
        # 'error' (from 'from select import *') was the wrong exception class here
        print """Error, Blue|Smash will now exit
        
        If you are experiencing troubles, please email me at zarren2@hotmail.co.uk
        """
        sys.exit(1)
    db_cursor = db_con.cursor()
    
    ##### End Load / Create Sqlite DB #####
    
    ##### Scan Functions #####
    
    # Inquiry Scan
    
    class MyDiscoverer(DeviceDiscoverer):
      def pre_inquiry(self):
        print "Searching for Devices, Please be patient..."
        self.done = False
      def device_discovered(self, address, device_class, name):
        major_classes = ( "Miscellaneous",
                           "Computer",
                           "Phone",
                           "LAN/Network Access point",
                           "Audio/Video",
                           "Peripheral",
                           "Imaging" )
        major_class = (device_class >> 8) & 0xf
        if major_class < 7:
          print "%s - %s Class of device %s"% (name, address, major_classes[major_class])
        else:
          print "%s - %s  Unknown"% (name, address)
      def inquiry_complete(self):
         self.done = True
         print "Done..."
        
    # Brute Force Scan
    
    class Bruteforce_discover():
      def pre_inquiry(self):
        self.done = False
      def discover_devices(self, bruteforce1, bruteforce2):
        print "Scanning for devices... This could take a while..."
        bruteforce3=os.system("/pentest/bluetooth/redfang/fang -r %s-%s -o bluetooth-devices.txt"% (bruteforce1,bruteforce2))
        print "*** Results will be saved in bluetooth-devices.txt ***"
      def inquiry_complete(self):
         self.done = True
    
    ##### Fingerprint Functions #####
    
    # Browse Services on device
    
    class Browse_services():
      def pre_inquiry(self):
        self.done = False
      def find_services(self, bdaddr):
        # find_service() takes keyword arguments only; the target address is passed in
        self.dev_services = find_service(address = bdaddr)
        return self.dev_services
      def inquiry_complete(self):
         self.done = True
    
    # Search for service
    
    class Search_services():
      def pre_inquiry(self):
        self.done = False
      def find_services(self, bdaddr, search_str = None, search_uuid = None):
        # Name and/or UUID filter the SDP records returned for the address
        self.dev_services = find_service(name = search_str, uuid = search_uuid, address = bdaddr)
        return self.dev_services
      def inquiry_complete(self):
         self.done = True
         
    ##### Connectivity Functions #####
    
    # Connect to a device
    
    def hci_connect():
      try:
        mac = raw_input("Enter the Device MAC address: ")
        dev = raw_input("Enter your device name (eg hci0): ")
        hci_connect = os.system("hcitool -i %s cc %s" % (dev,mac))
      except:
        print "Connection failed!"
        
    # Auth Device
    
    def hci_auth():
      try:
        mac = raw_input("Enter the Device MAC address: ")
        dev = raw_input("Enter your device name (eg hci0): ")
        hci_auth = os.system("hcitool -i %s key %s" % (dev,mac))
        print "Done"
      except:
        print "Authorize failed!"
        
    # Request PIN key
    
    def req_key():
      try:
        mac = raw_input("Enter the Device MAC address: ")
        dev = raw_input("Enter your device name (eg hci0): ")
        hci_connect = os.system("hcitool -i %s cc %s" % (dev,mac))
        hci_key = os.system("hcitool -i %s key %s" % (dev,mac))
        print "Done"
      except:
        print "Request key failed!"
        
    # Create a RFCOMM shell
    
    def rfcomm_con(mac,port,data):
      if not mac:
        mac = raw_input("Enter the Device MAC address: ")
      if not port:
        # int(raw_input()) instead of input(): input() evaluates whatever is typed
        port = int(raw_input("Enter the Channel to connect on: "))
      print "Connecting to \"%s\" on Channel %s" % (mac,port)
      try:
        sock = BluetoothSocket( RFCOMM )
        sock.connect((mac, port))
        print "You are now connected to \"%s\" on channel %s" % (mac,port)
        print "Type quit to exit."
        while True:
          if not data:
            print "No data passed, This is a raw shell..."
            data = raw_input()
          if data == 'quit': break
          sock.send(data)
          data = ""  # prompt again on the next pass instead of resending the same data
        sock.close()
      except:
        print "Connection was closed !"
        
    # Create RFCOMM server
    
    def rfcomm_serv():
      print "Starting RFCOMM server..."
      server_sock = BluetoothSocket( RFCOMM )
      server_sock.bind(("",PORT_ANY))
      server_sock.listen(1)
    
      port = server_sock.getsockname()[1]
      try:
        uuid = btid.uuid1()
      except:
        print "Error! No UUID Generated"
        sys.exit(1)
      print "UUID Generated, Starting Server....."
      rfcomm_serv_name = raw_input("Enter Service Name ....")
      advertise_service( server_sock, rfcomm_serv_name,
                           service_id = "%s" % uuid,
                           service_classes = [ "%s" % uuid, SERIAL_PORT_CLASS ],
                           profiles = [ SERIAL_PORT_PROFILE ] )
      print "Waiting for connection on channel %d" % port
      client_sock, client_info = server_sock.accept()
      print "Accepted connection from ", client_info
      try:
        while True:
          data = client_sock.recv(1024)
          print "received [%s]" % data
      except IOError:
        pass
      print "disconnected"
      client_sock.close()
      server_sock.close()
    
    ##### End Connectivity Functions #####
    
    ##### Exploit Functions #####
    
    # Spoof MAC
    
    def spoof_mac():
      hci_dev = raw_input("What device would you like to use? eg 'hci0' ...:")
      print "Saving your old MAC address"
      try:
        old_mac = os.popen("hcitool -i %s dev > old_mac.txt"% (hci_dev))
        print "Save Successful :D Your old MAC addr has been saved to old_mac.txt"
      except:
        print "Blue|Smash was unable to save your old MAC! :("
        sys.exit(1)
      vic_dev = MyDiscoverer()
      vic_dev.find_devices(lookup_names = True)
      while True:
        can_read, can_write, has_exc = select( [vic_dev], [], [] )
        if vic_dev in can_read:
          vic_dev.process_event()
        if vic_dev.done: 
          break
      victim_mac = raw_input("Choose a MAC from the list or enter your own...:")
      print "Changing MAC to - %s"% (victim_mac)
      try:
        os.popen("bdaddr -i %s -r -t %s"% (hci_dev,victim_mac))
        time.sleep(2)
        print "Spoof Successful :D Your new bd_addr is %s"% (victim_mac)
      except:
        print "Error! Spoof Unsuccessful :("
        sys.exit(1)
    
    
    print "looking good ;D"
    Cheers
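
    Since v2.0 is going to decode the class of device and keep results in SQLite, here is an added example (written for this page, not Blue|Smash's code and not from the thread) in Python 3 that does both from the defender's side: it decodes the full 24-bit CoD (the major device class is 5 bits, so the mask is 0x1f rather than 0xf), records each inquiry hit in an SQLite table with parameterised SQL so a device name with a quote in it can't break the statement, counts repeat sightings, and lists devices whose class falls outside an allow-list, which is the sort of check you'd run to notice an unexpected HID peripheral showing up in a room that should only contain phones and laptops. The addresses, device names and table layout are constructed for the example; the CoD field layout and class values are from the Bluetooth Assigned Numbers.

```python
import sqlite3

# Class of Device (CoD) layout from the Bluetooth Assigned Numbers, "Baseband":
#   bits 0-1   format type (always 0b00)
#   bits 2-7   minor device class (meaning depends on the major class)
#   bits 8-12  major device class (5 bits, not 4)
#   bits 13-23 major service class flags
MAJOR_CLASSES = {
    0: "Miscellaneous", 1: "Computer", 2: "Phone", 3: "LAN/Network Access Point",
    4: "Audio/Video", 5: "Peripheral", 6: "Imaging", 7: "Wearable", 8: "Toy",
    9: "Health", 31: "Uncategorized",
}
SERVICE_BITS = {
    13: "Limited Discoverable", 16: "Positioning", 17: "Networking", 18: "Rendering",
    19: "Capturing", 20: "Object Transfer", 21: "Audio", 22: "Telephony", 23: "Information",
}
COMPUTER_MINOR = {0: "Uncategorized", 1: "Desktop", 2: "Server", 3: "Laptop",
                  4: "Handheld PC/PDA", 5: "Palm-size PC/PDA", 6: "Wearable computer", 7: "Tablet"}
PHONE_MINOR = {0: "Uncategorized", 1: "Cellular", 2: "Cordless", 3: "Smartphone",
               4: "Wired modem/voice gateway", 5: "Common ISDN access"}
# For peripherals the top two minor bits say keyboard/pointing; the low four (joystick,
# gamepad, ...) are left out of this example.
PERIPHERAL_KIND = {1: "Keyboard", 2: "Pointing device", 3: "Combo keyboard/pointing device"}


def decode_cod(cod):
    """Split a 24-bit CoD into its service flags, major class and minor class."""
    major_num = (cod >> 8) & 0x1F
    minor_num = (cod >> 2) & 0x3F
    major = MAJOR_CLASSES.get(major_num, "Reserved (%d)" % major_num)
    if major_num == 1:
        minor = COMPUTER_MINOR.get(minor_num, "Reserved")
    elif major_num == 2:
        minor = PHONE_MINOR.get(minor_num, "Reserved")
    elif major_num == 5:
        minor = PERIPHERAL_KIND.get(minor_num >> 4, "Other peripheral")
    else:
        minor = "minor=%d" % minor_num
    services = [name for bit, name in sorted(SERVICE_BITS.items()) if cod & (1 << bit)]
    return {"major": major, "minor": minor, "services": services}


def open_inventory(path=":memory:"):
    """Create the device table (constructed layout); in-memory by default so it runs anywhere."""
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS devices (
        addr TEXT PRIMARY KEY, name TEXT, cod INTEGER,
        major TEXT, minor TEXT, services TEXT, sightings INTEGER)""")
    return conn


def record_device(conn, addr, name, cod):
    """Insert or refresh one inquiry result. Placeholders keep a hostile device name as data."""
    info = decode_cod(cod)
    services_txt = ", ".join(info["services"])
    row = conn.execute("SELECT sightings FROM devices WHERE addr = ?", (addr,)).fetchone()
    if row:
        conn.execute("UPDATE devices SET name=?, cod=?, major=?, minor=?, services=?, sightings=? "
                     "WHERE addr=?",
                     (name, cod, info["major"], info["minor"], services_txt, row[0] + 1, addr))
    else:
        conn.execute("INSERT INTO devices VALUES (?, ?, ?, ?, ?, ?, 1)",
                     (addr, name, cod, info["major"], info["minor"], services_txt))
    conn.commit()
    return info


def sightings(conn, addr):
    """How many inquiry sweeps have seen this address (0 if never)."""
    row = conn.execute("SELECT sightings FROM devices WHERE addr = ?", (addr,)).fetchone()
    return row[0] if row else 0


def unexpected_devices(conn, allowed_majors):
    """(addr, name, major, minor) for every device whose major class is not on the allow-list."""
    placeholders = ", ".join("?" for _ in allowed_majors)
    sql = ("SELECT addr, name, major, minor FROM devices WHERE major NOT IN (%s) ORDER BY addr"
           % placeholders)
    return conn.execute(sql, tuple(allowed_majors)).fetchall()


# Constructed inquiry results with placeholder addresses (not real devices):
# a smartphone, a Bluetooth keyboard and a laptop.
SAMPLE_INQUIRY = [
    ("AA:BB:CC:DD:EE:01", "Alice's phone", 0x5A020C),
    ("AA:BB:CC:DD:EE:02", "BT Keyboard", 0x002540),
    ("AA:BB:CC:DD:EE:03", "LAB-LAPTOP", 0x10010C),
]


def build_sample_inventory():
    """Load the constructed sweep, then a second sweep that sees the phone again."""
    conn = open_inventory()
    for addr, name, cod in SAMPLE_INQUIRY:
        record_device(conn, addr, name, cod)
    record_device(conn, *SAMPLE_INQUIRY[0])
    return conn


if __name__ == "__main__":
    inv = build_sample_inventory()
    for addr, name, major, minor in unexpected_devices(inv, ["Computer", "Phone"]):
        print("unexpected: %s %s (%s / %s)" % (addr, name, major, minor))
```

    Run it as is and the keyboard is the only device reported; swap SAMPLE_INQUIRY for the (address, name, class) tuples a DeviceDiscoverer hands to device_discovered() and the same table and allow-list check work on live inquiry results.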

  2. #2 abyss (Just burned his ISO), Join Date: Aug 2007, Posts: 16

    you are truly master of bluetooth realm!!!!
    The mind is like a parachute. It doesn’t work unless it’s open.

  3. #3 drgr33n (Very good friend of the forum), Join Date: Jan 2010, Location: Dark side of the moon ..., Posts: 699

    Dunno if that was a sarcastic comment or a genuine one?? abyss

  4. #4 abyss (Just burned his ISO), Join Date: Aug 2007, Posts: 16

    Quote Originally Posted by Dr_GrEeN:
        Dunno if that was a sarcastic comment or a genuine one?? abyss
    genuine one!
    The mind is like a parachute. It doesn’t work unless it’s open.

  5. #5 williamc (Good friend of the forums), Join Date: Feb 2010, Location: Chico CA, Posts: 285

    I'll second that! Hopefully your development will be included in the final release of BT3. Thanks for all your hard work!

  6. #6 drgr33n (Very good friend of the forum), Join Date: Jan 2010, Location: Dark side of the moon ..., Posts: 699

    Cheers guys. Just read some more interesting stuff about link keys and how someone would go about extracting the key from a device. Looks like maybe we could use two dongles: a modded sniffer to sniff, and a normal dongle to spoof the slave of a device and inject a link key request to the master and sniff the link key.

    I'm still learning how to code in Python and C, only started about 3 months ago so got a long way to go yet. I think I might be able to forge and inject a packet using the _bluetooth module in Python; if not, it will make a nice little challenge for my first C script.

  7. #7 Just burned his ISO, Join Date: Mar 2008, Posts: 6

    This might be a stupid question and is actually my first post, only because the support here has been so great: everything I have needed to know I just searched and found. How does one get this to run in BTv3beta or BTv2? I have both working properly on my machine.

  8. #8 drgr33n (Very good friend of the forum), Join Date: Jan 2010, Location: Dark side of the moon ..., Posts: 699

    Hey Thyphen

    Blue-Smash v2.0 is still in dev m8t, only about 10% at the mo lol. But I'm working on it. You can use v1.0d if you want; I can't remember the link so just go to my blog...

    http://drgr33nsblog.blogspot.com

    Surprised I haven't had more feedback?

  9. #9 xirtam (Junior Member), Join Date: Dec 2007, Posts: 45

    Recommended adapter?

    Dr Green, love Blue Smash, been waiting for someone to release a Bluetooth pentesting tool like this. Just wondering if you could recommend an adapter that is compatible with BackTrack 3 for use with your tool?
    Think outside the box

  10. #10 drgr33n (Very good friend of the forum), Join Date: Jan 2010, Location: Dark side of the moon ..., Posts: 699

    Hey xirtam

    Thanks, been working on v2.0 today, just finished most of the phone exploits and am halfway through the HID attack. Just got the bthid virtual keyboard to compile finally and I'm going to test in a few days because I have no hardware to test it against.

    As for Bluetooth devices, there are so many and most will work with BackTrack. But if you would like to sniff packets you will need a Bluetooth adapter with the CSR BC04-EXT or BC02-EXT chipset, because this has 8mb of flashable RAM that allows you to upgrade to Frontline's FTS4BT firmware.

    I've tried sooooo many lol but I've always gone back to my trusty Fujitsu-Siemens Bluetooth v2.0 dongle that has the BC04 chipset.

    http://www.google.co.uk/products?hl=...-8&sa=N&tab=wf

    I broke mine modding the firmware so I have two on order, but everybody's sold out until the 9th of next month.

    Others are the D-Link DBT-120

    http://www.google.co.uk/products?q=D...&hl=en&show=dd

    And the Toshiba PA3455U-1BTM

    http://www.google.co.uk/products?q=P...&hl=en&show=dd

    Hope this helps
