user:yan:bluetooth, revision 2017/05/20 14:34 by yan (previous revision 2017/05/20 14:20)
====== Bluetooth ======
BlueZ has changed a lot lately and Bluetooth is not at the centre of community interest, so guides are becoming outdated and harder to find. Also I did not find (but also did not search intensively, so maybe the fault is on my side) any comprehensive documentation about the current state of BlueZ, or bluez-utils respectively. I summed up my observations in this wiki entry; maybe somebody will find something helpful here.
  
All notes written below are only hints meant for penetration testing and security hardening and are in no way meant as a primer for any illegal action.
  
== what's outdated ==
  * **scan** - turns scanning for devices on/off
  * **visibility, pairability, etc.** - not of interest to me
  * **info** - nice function; you need to pass the device's BT address (the analogue of a MAC address on a normal network) as argument. Then it shows you everything that is known about that device, the advertised service UUIDs (OBEX services included), so it can partially substitute for sdptool in this case. It does not, however, show the RFCOMM channel number behind each service; for that you still need ''sdptool browse''.
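As an added example (my own script, not code from this wiki page or from BlueZ), the following shell script parses the text that ''bluetoothctl show'' and ''bluetoothctl info'' print and turns it into findings: a discoverable or pairable local controller, a remote device still using legacy PIN pairing, and the advertised service UUIDs mapped to the attack classes discussed further down (OBEX profiles for bluejacking/bluesnarfing, HID, audio). The two bluetoothctl outputs embedded in it are constructed samples, the function names are my own, and the UUID-to-profile mapping uses the Bluetooth SIG assigned numbers for those profiles.

```shell
#!/bin/sh
# Added example, not from the wiki page: turn `bluetoothctl show` / `bluetoothctl info`
# output into findings a pentester (or someone hardening a host) cares about.
# The two samples below are constructed, not real captures; the layout
# ("Key: value" lines, UUID lines with the 128-bit UUID in parentheses)
# follows what bluetoothctl prints.

# Constructed `bluetoothctl show` output for a badly configured local controller.
SAMPLE_SHOW='Controller 00:11:22:33:44:55 (public)
        Name: lab-laptop
        Alias: lab-laptop
        Powered: yes
        Discoverable: yes
        DiscoverableTimeout: 0x00000000
        Pairable: yes
        UUID: OBEX Object Push          (00001105-0000-1000-8000-00805f9b34fb)
        UUID: Audio Sink                (0000110b-0000-1000-8000-00805f9b34fb)
        Discovering: no'

# Constructed `bluetoothctl info AA:BB:CC:DD:EE:FF` output for an old remote phone.
SAMPLE_INFO='Device AA:BB:CC:DD:EE:FF (public)
        Name: old-phone
        Class: 0x005a020c
        Paired: no
        Trusted: no
        Blocked: no
        Connected: no
        LegacyPairing: yes
        UUID: OBEX Object Push          (00001105-0000-1000-8000-00805f9b34fb)
        UUID: OBEX File Transfer        (00001106-0000-1000-8000-00805f9b34fb)
        UUID: Headset                   (00001108-0000-1000-8000-00805f9b34fb)
        UUID: Serial Port               (00001101-0000-1000-8000-00805f9b34fb)'

# bt_field TEXT KEY: value of the first "KEY: value" line, leading whitespace stripped.
bt_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# bt_local_exposure: read `bluetoothctl show` output on stdin and print one
# "FINDING: ..." line per setting that makes the host itself a target.
bt_local_exposure() {
    out=$(cat)
    if [ "$(bt_field "$out" Discoverable)" = yes ]; then
        t=$(bt_field "$out" DiscoverableTimeout)
        echo "FINDING: controller is discoverable (timeout $t; 0x00000000 means no timeout)"
    fi
    if [ "$(bt_field "$out" Pairable)" = yes ]; then
        echo "FINDING: controller accepts pairing requests (Pairable: yes)"
    fi
    return 0
}

# bt_remote_services: read `bluetoothctl info` output on stdin and print one
# line per advertised service, annotating the profiles relevant to the attacks
# discussed on this page (OBEX for bluejacking/bluesnarfing, HID, audio).
bt_remote_services() {
    out=$(cat)
    addr=$(printf '%s\n' "$out" | sed -n 's/^Device \([0-9A-Fa-f:]*\).*/\1/p' | head -n 1)
    if [ "$(bt_field "$out" LegacyPairing)" = yes ]; then
        echo "$addr LegacyPairing: PIN-based pairing, pre Secure Simple Pairing (BT 2.0 or older)"
    fi
    printf '%s\n' "$out" \
      | sed -n 's/^[[:space:]]*UUID:[[:space:]]*\(.*\)(\([0-9A-Fa-f-]*\))[[:space:]]*$/\2 \1/p' \
      | while read -r uuid name; do
          # Characters 5-8 of a 128-bit base UUID are the 16-bit SIG-assigned number.
          short=$(printf '%s' "$uuid" | cut -c5-8 | tr 'A-F' 'a-f')
          case "$short" in
              1105) note="OBEX Object Push, target of bluejacking/bluesnarfing tools" ;;
              1106) note="OBEX File Transfer, file access if authorization is weak" ;;
              1124) note="HID, keyboard/mouse profile, input-injection target" ;;
              1108|111e|110a|110b) note="audio profile, carwhisperer-style record/inject" ;;
              *)    note="no specific attack noted on this page" ;;
          esac
          echo "$addr $name ($uuid): $note"
      done
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_SHOW" | bt_local_exposure
printf '%s\n' "$SAMPLE_INFO" | bt_remote_services
```

Against live hardware, replace the samples with ''bluetoothctl show | bt_local_exposure'' and ''bluetoothctl info <address> | bt_remote_services''. For the RFCOMM channel numbers behind each OBEX service you still need ''sdptool browse <address>'', which ''bluetoothctl info'' does not report.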
  
  
=== passive monitoring (airodump like) & wireshark connection ===
Typical BT adapters built into PCs nowadays are not designed to just scan the ether and forward everything to the PC; the radio only informs the host of things it finds interesting or important, or that were explicitly requested. [[https://ask.wireshark.org/questions/15837/what-equipment-can-i-use-to-capture-bluetooth-packets#answer-container-15838 |1]] This means I do not know of a simple way to put an ordinary BT adapter into monitor mode. The solution to this problem is Ubertooth [[https://greatscottgadgets.com/ubertoothone/|2]], hardware crafted specially for this purpose (and a bunch of others). Then, through a sequence of software, you can get it running in a way that produces a kismet dump, which you can then interpret in Wireshark. [[https://wiki.wireshark.org/CaptureSetup/Bluetooth|3]]
  
=== possible hacks ===
There is a nice page (hope it still works; if not, I'll try to paste it somewhere else) which sums up the state of the field as of 2005 (so it's pretty outdated, but probably usable when some older device comes into range). [[http://www.eetimes.com/document.asp?doc_id=1275730|4]] Then there is a github repository owned by pwnieexpress, not maintained since 2012, which keeps a relatively long list of source code for various newer or older hacks. [[https://github.com/pwnieexpress/pwn_plug_sources/tree/master/src/bluetooth|5]] Other information can be found spread around the internet, but many traces of the original ideas or notes can be reached through the links present in the readme files of the pwnieexpress repository. From the list of exploits named in the above sources, a few looked interesting.
  
  * **bluejacking, bluesnarfing etc** - work on older devices which have a bad implementation of the BT protocol or omit some security measures. Usage is nicely explained on the BackTrack Linux forum [[http://www.backtrack-linux.org/forums/showthread.php?t=5637&s=f59f4f7919b89e8c9d16773560795863|6]]. They are probably useless against newer devices.
  * **HID attacks** - these are probably the easiest to bear fruit: basically you should be able to intercept a BT keyboard in such a way that you can send your own commands through this interface, or take over the communication.
  * **carwhisperer** - I have no idea how current this software really is, but people usually change their mobile phone more often than their car. It should be able to record conversations in the car or, in the opposite direction, play some nice audio into the vehicle.
  
===== sources =====
user/yan/bluetooth.txt · Last modified: 2017/05/20 14:35 by yan