
How to snoop on Bluetooth devices using Kali Linux «Null Byte :: WonderHowTo



Although many people use Bluetooth every day, most don't know how it works or that it can be hacked. Bluetooth hacking offers a clear window into the world of the target. Almost every device has Bluetooth capabilities, and people store a lot of personal information on their phones and tablets. Hack their Bluetooth connection and you may gain access to all that data.

Although Bluetooth shares the same 2.4 GHz band as Wi-Fi, its properties differ because the protocols are not quite the same. Bluetooth has better security, so the popular Wi-Fi hacking tools don't work on it.

First, Bluetooth devices constantly hop between frequencies: two devices communicating over Bluetooth both use an algorithm that shifts the frequency many times per second. That means we can't just sit and listen on one frequency, because they jump back and forth across the whole band, which in itself makes it difficult for an attacker to listen in on the conversation.

Another feature is that Bluetooth doesn't negotiate a key every time the way Wi-Fi does, where it's easy for anyone to join and leave the Wi-Fi network. Instead, Bluetooth negotiates a key once at the beginning, stores that secret key, and refers back to it every time it sees the same device. That means it's impossible to sit there and sniff the key, because you would have to be present the first time these devices communicate; otherwise you get nothing useful, and you can't simply jump into the conversation the way you can with Wi-Fi.

However, we can still track nearby Bluetooth devices, read from them, and even write to specific characteristics. That's why reconnaissance is useful: we may be able to control the device, identify a vulnerability, or later match a newly found vulnerability to a device we saw in the neighborhood.

What You Need for Bluetooth Recon

To start Bluetooth monitoring, you need a fully updated installation of Kali Linux, because we're going to use the Bluetooth tools built into it. To keep everything super basic, we install nothing extra and simply work with the Bluetooth tools that Kali Linux ships with as standard.

The built-in tools we discuss below are hciconfig, hcitool, sdptool, l2ping, and btscanner. Many of these tools are part of BlueZ, the standard Bluetooth protocol stack in almost every version of Linux, including Kali. (We'll also use some specialized Bluetooth reconnaissance tools in Kali.)

Of course, we have to be fairly close to the target to hack Bluetooth. With an excellent Bluetooth adapter, which is required, you should be able to reach Bluetooth devices in a coffee shop, classroom, office, and perhaps even in a neighbor's house.

Step 1: Turn On Your Bluetooth Adapter with hciconfig

If you're familiar with ifconfig for Wi-Fi cards and adapters, there's a similar tool for Bluetooth devices, and it's called hciconfig.

  ~ # hciconfig

hci0:   Type: Primary  Bus: USB
        BD Address: ██:██:██:██:██:██  ACL MTU: 1022:8  SCO MTU: 183:5
        DOWN
        RX bytes:574 acl:0 sco:0 events:30 errors:0
        TX bytes:368 acl:0 sco:0 commands:30 errors:0

In my example, we see one Bluetooth interface. It's the one we'll use to do everything we want to do with Bluetooth. You can see that its current status is DOWN, which means it can't do anything, so the first thing we need to do in order to work with Bluetooth is bring our interface up.

If we have a Wi-Fi interface that's plugged in but not yet up, we type ifconfig, then the name of the interface, and then up. Since hciconfig is basically the same as ifconfig, we can use many of the same commands, which you can see on its man page.

  ~ # man hciconfig

HCICONFIG(1)                 Linux System Administration                 HCICONFIG(1)

NAME
       hciconfig - configure Bluetooth devices

SYNOPSIS
       hciconfig -h
       hciconfig [-a]
       hciconfig [-a] hciX [command [command parameters]]

DESCRIPTION
       hciconfig is used to configure Bluetooth devices. hciX is the name of
       a Bluetooth device installed in the system. If hciX is not given,
       hciconfig prints name and basic information about all the Bluetooth
       devices installed in the system. If hciX is given but no command is
       given, it prints basic information on device hciX only. Basic
       information is interface type, BD address, ACL MTU, SCO MTU, flags
       (up, init, running, raw, page scan enabled, inquiry scan enabled,
       inquiry, authentication enabled, encryption enabled).

OPTIONS
       -h, --help
              Gives a list of possible commands.

       -a, --all
              Other than the basic info, print features, packet type, link
              policy, link mode, name, class, version.

COMMANDS
       up        Open and initialize HCI device.
       down      Close HCI device.
       reset     Reset HCI device.
       rstat     Reset statistic counters.
       auth      Enable authentication (sets device to security mode 3).
       noauth    Disable authentication.
       encrypt   Enable encryption (sets device to security mode 3).
       noencrypt Disable encryption.
       secmgr    Enable security manager (current kernel support is limited).
       nosecmgr  Disable security manager.
       piscan    Enable page and inquiry scan.
       noscan    Disable page and inquiry scan.
       iscan     Enable inquiry scan, disable page scan.
       pscan     Enable page scan, disable inquiry scan.
       ptype [type]
              With no type, displays the current packet types. Otherwise, all the packet types specified by type are set. type is a comma-separated list of packet types, where the possible packet types are DM1, DM3, DM5, DH1, DH3, DH5, HV1, HV2, HV3.
       name [name]
              With no name, prints local name. Otherwise, sets local name to name.
       class [class]
              With no class, prints class of device. Otherwise, sets class of device to class. class is a 24-bit hex number describing the class of device, as specified in section 1.2 of the Bluetooth Assigned Numbers document.
       voice [voice]
              With no voice, prints voice setting. Otherwise, sets voice setting to voice. voice is a 16-bit hex number describing the voice setting.
       iac [iac]
              With no iac, prints the current IAC setting. Otherwise, sets the IAC to iac.
       inqtpl [level]
              With no level, prints out the current inquiry transmit power level. Otherwise, sets inquiry transmit power level to level.
       inqmode [mode]
              With no mode, prints out the current inquiry mode. Otherwise, sets inquiry mode to mode.
       inqdata [data]
              With no data, prints out the current inquiry data. Otherwise, sets inquiry data to data.
       inqtype [type]
              With no type, prints out the current inquiry scan type. Otherwise, sets inquiry scan type to type.
       inqparms [win:int]
              With no win:int, prints inquiry scan window and interval. Otherwise, sets inquiry scan window to win slots and inquiry scan interval to int slots.
       pageparms [win:int]
              With no win:int, prints page scan window and interval. Otherwise, sets page scan window to win slots and page scan interval to int slots.
       pageto [to]
              With no to, prints page timeout. Otherwise, sets page timeout to to slots.
       afhmode [mode]
              With no mode, prints out the current AFH mode. Otherwise, sets AFH mode to mode.
       sspmode [mode]
              With no mode, prints out the current Simple Pairing mode. Otherwise, sets Simple Pairing mode to mode.
       aclmtu mtu:pkt
              Sets ACL MTU to mtu bytes and ACL buffer size to pkt packets.
       scomtu mtu:pkt
              Sets SCO MTU to mtu bytes and SCO buffer size to pkt packets.
       delkey <bdaddr>
              This command deletes the stored link key for bdaddr from the device.
       oobdata   Get local OOB data (invalidates previously read data).
       commands  Display supported commands.
       features  Display device features.
       version   Display version information.
       revision  Display revision information.
       lm [mode]
              With no mode, prints link mode. MASTER or SLAVE mean, respectively, to ask to become master or to remain slave when a connection request arrives. The additional keyword ACCEPT means that baseband connections will be accepted even if there are no listening AF_BLUETOOTH sockets. mode is NONE or a comma-separated list of keywords, where the possible keywords are MASTER and ACCEPT. NONE sets link policy to the default behaviour of remaining slave and not accepting baseband connections when there are no listening AF_BLUETOOTH sockets. If MASTER is present, the device will ask to become master if a connection request comes in. If ACCEPT is present, the device will accept baseband connections even when there are no listening AF_BLUETOOTH sockets.

AUTHORS
       Written by Maxim Krasnyansky and Marcel Holtmann

       man page by Fabrizio Gennari

BlueZ                          November 11, 2002                         HCICONFIG(1)

Manual page hciconfig(1) line 147/169 (END) (press h for help or q to quit)

We can see on the man page that this tool is used to configure Bluetooth devices, so if you have an external Bluetooth adapter or something similar plugged in, you can also use it to see the attached devices and configure them properly.

Now that we know a little more about hciconfig, let's go ahead and press Q to quit. We need to bring up the Bluetooth device we discovered. Simply type hciconfig, then the name of the device we found, and then up.

  ~ # hciconfig hci0 up 

Run the hciconfig command again to see if it worked:

  ~ # hciconfig

hci0:   Type: Primary  Bus: USB
        BD Address: ██:██:██:██:██:██  ACL MTU: 1022:8  SCO MTU: 183:5
        UP RUNNING
        RX bytes:1148 acl:0 sco:0 events:60 errors:0
        TX bytes:736 acl:0 sco:0 commands:60 errors:0

Step 2: Scan for Bluetooth Devices with hcitool

Now let's use hcitool to search for Bluetooth devices that are sending discovery beacons (that is, are in discoverable mode). First, let's look at its man page:

  ~ # man hcitool

HCITOOL(1)                   Linux System Administration                   HCITOOL(1)

NAME
       hcitool - configure Bluetooth connections

SYNOPSIS
       hcitool [-h]
       hcitool [-i <hciX>] [command [command parameters]]

DESCRIPTION
       hcitool is used to configure Bluetooth connections and send some
       special commands to Bluetooth devices. If no command is given, or if
       the option -h is used, hcitool prints some usage information and exits.

OPTIONS
       -h     Gives a list of possible commands

       -i <hciX>
              The command is applied to device hciX, which must be the name
              of an installed Bluetooth device. If not specified, the command
              will be sent to the first available Bluetooth device.

COMMANDS
       dev    Display local devices
       inq    Inquire remote devices. For each discovered device, Bluetooth device address, clock offset and class are printed.
       scan   Inquire remote devices. For each discovered device, the device name is printed.
       name <bdaddr>
              Print device name of remote device with Bluetooth address bdaddr.
       info <bdaddr>
              Print device name, version and supported features of remote device with Bluetooth address bdaddr.
       spinq  Start periodic inquiry process. No inquiry results are printed.
       epinq  Exit periodic inquiry process.
       cmd <ogf> <ocf> [parameters]
              Submit an arbitrary HCI command to local device. ogf, ocf and parameters are hexadecimal bytes.
       con    Display active baseband connections
       cc [--role=m|s] [--pkt-type=<ptype>] <bdaddr>
              Create baseband connection to remote device with Bluetooth address bdaddr. Option --pkt-type specifies a list of allowed packet types. <ptype> is a comma-separated list of packet types, where the possible packet types are DM1, DM3, DM5, DH1, DH3, DH5, HV1, HV2, HV3. Default is to allow all packet types. Option --role can have value m (do not allow role switch, stay master) or s (allow role switch, become slave if the peer asks to become master). Default is m.
       dc <bdaddr> [reason]
              Delete baseband connection from remote device with Bluetooth address bdaddr. The reason can be one of the Bluetooth HCI error codes. Default is 19 for user ended connections. The value must be given in decimal.
       sr <bdaddr> <role>
              Switch role for the baseband connection from the remote device to master or slave.
       cpt <bdaddr> <packet types>
              Change packet types for baseband connection to device with Bluetooth address bdaddr. packet types is a comma-separated list of packet types, where the possible packet types are DM1, DM3, DM5, DH1, DH3, DH5, HV1, HV2, HV3.
       rssi <bdaddr>
              Display received signal strength information for the connection to the device with Bluetooth address bdaddr.
       lq <bdaddr>
              Display link quality for the connection to the device with Bluetooth address bdaddr.
       tpl <bdaddr> [type]
              Display transmit power level for the connection to the device with Bluetooth address bdaddr. The type can be 0 for the current transmit power level (which is default) or 1 for the maximum transmit power level.
       afh <bdaddr>
              Display AFH channel map for the connection to the device with Bluetooth address bdaddr.
       lp <bdaddr> [value]
              With no value, displays link policy settings for the connection to the device with Bluetooth address bdaddr. If value is given, sets the link policy settings for that connection to value. Possible values are RSWITCH, HOLD, SNIFF and PARK.
       lst <bdaddr> [value]
              With no value, displays link supervision timeout for the connection to the device with Bluetooth address bdaddr. If value is given, sets the link supervision timeout for that connection to value slots, or to infinite if value is 0.
       auth <bdaddr>
              Request authentication for the device with Bluetooth address bdaddr.
       enc <bdaddr> [encrypt enable]
              Enable or disable the encryption for the device with Bluetooth address bdaddr.
       key <bdaddr>
              Change the connection link key for the device with Bluetooth address bdaddr.
       clkoff <bdaddr>
              Read the clock offset for the device with Bluetooth address bdaddr.
       clock [bdaddr] [which clock]
              Read the clock for the device with Bluetooth address bdaddr. The clock can be 0 for the local clock or 1 for the piconet clock (which is default).
       lescan [--privacy] [--passive] [--whitelist] [--discovery=g|l] [--duplicates]
              Start LE scan
       leinfo [--static] [--random] <bdaddr>
              Get LE remote information
       lewladd [--random] <bdaddr>
              Add device to LE White List
       lewlrm <bdaddr>
              Remove device from LE White List
       lewlsz Read size of LE White List
       lewlclr Clear LE White List
       lerladd [--local irk] [--peer irk] [--random] <bdaddr>
              Add device to LE Resolving List
       lerlrm <bdaddr>
              Remove device from LE Resolving List
       lerlclr Clear LE Resolving List
       lerlsz Read size of LE Resolving List
       lerlon Enable LE Address Resolution
       lerloff Disable LE Address Resolution
       lecc [--static] [--random] <bdaddr> | [--whitelist]
              Create a LE Connection
       ledc <handle> [reason]
              Disconnect a LE Connection
       lecup <handle> <min> <max> <latency> <timeout>
              LE Connection Update

AUTHORS
       Written by Maxim Krasnyansky and Marcel Holtmann

       man page by Fabrizio Gennari

BlueZ                          November 12, 2002                           HCITOOL(1)

Manual page hcitool(1) line 154/176 (END) (press h for help or q to quit)

hcitool is used to configure connections and perform tasks such as scanning, inquiring, and retrieving device names. It's very useful for learning more about a device, but some of its commands require a MAC address.

Let's look at a few of these commands. First, we'll run a scan. It uses the Bluetooth interface to scan for nearby Bluetooth devices and presents their MAC addresses to us for further scans, inquiries, or looking up the device name.

  ~ # hcitool scan

Scanning ...
        00:1D:A5:00:09:1D       OBDII

Above we see an OBD-II connector that's plugged into a vehicle. That's pretty interesting. With the MAC address we can now run the other commands that require one. Let's try to get the device name:

  ~ # hcitool name 00:1D:A5:00:09:1D

OBDII

That gives us the name of the device, but we already knew it from the first scan. If we hadn't, though, this is how we could learn it. For more information we can use the inq command (note that inq ignores the address argument and simply inquires for every discoverable device in range):

  ~ # hcitool inq 00:1D:A5:00:09:1D

Scanning ...
        00:1D:A5:00:09:1D       clock offset: 0x21c0    class: 0x5a020c

Note that it also displays the clock offset and the class. The class indicates the type of Bluetooth device; we can look up the code on the Bluetooth SIG site, or, as we'll see later, some tools will decode it for us.
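The class value can also be decoded in code instead of looked up by hand. The following is an added example, not code from the Null Byte article or from BlueZ: it splits a Class of Device value such as the 0x5a020c above into its major class, minor class and service-class bits (per the Bluetooth Assigned Numbers layout) and parses hcitool inq output into a small inventory; the second device in the sample is constructed.

```python
import re

# Added example, not code from the Null Byte article or from BlueZ: decode a
# Bluetooth Class of Device (CoD) such as the 0x5a020c shown by `hcitool inq`.
# Layout (Bluetooth Assigned Numbers): bits 23-13 service classes,
# bits 12-8 major device class, bits 7-2 minor device class, bits 1-0 format.
MAJOR = {0x00: "Miscellaneous", 0x01: "Computer", 0x02: "Phone",
         0x03: "LAN/Network Access Point", 0x04: "Audio/Video",
         0x05: "Peripheral", 0x06: "Imaging", 0x07: "Wearable",
         0x08: "Toy", 0x09: "Health", 0x1F: "Uncategorized"}
# Partial minor-class table: only the majors that show up most often in a scan.
MINOR = {
    0x01: {1: "Desktop", 2: "Server", 3: "Laptop", 4: "Handheld PC/PDA",
           5: "Palm-size PC/PDA", 6: "Wearable computer", 7: "Tablet"},
    0x02: {1: "Cellular", 2: "Cordless", 3: "Smartphone",
           4: "Wired modem or voice gateway", 5: "Common ISDN access"},
    0x04: {1: "Wearable headset", 2: "Hands-free", 4: "Microphone",
           5: "Loudspeaker", 6: "Headphones", 7: "Portable audio", 8: "Car audio"},
}
SERVICES = {13: "Limited Discoverable Mode", 16: "Positioning", 17: "Networking",
            18: "Rendering", 19: "Capturing", 20: "Object Transfer",
            21: "Audio", 22: "Telephony", 23: "Information"}


def decode_cod(cod):
    """Split a 24-bit CoD into human-readable major/minor class and services."""
    major_code = (cod >> 8) & 0x1F
    minor_code = (cod >> 2) & 0x3F
    return {
        "major": MAJOR.get(major_code, "Reserved (0x%02x)" % major_code),
        "minor": MINOR.get(major_code, {}).get(
            minor_code, "Uncategorized/unknown (0x%02x)" % minor_code),
        "services": [name for bit, name in sorted(SERVICES.items())
                     if cod & (1 << bit)],
    }


# One result line of `hcitool inq`: <bdaddr>  clock offset: 0x....  class: 0x......
INQ_RE = re.compile(
    r"^\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+clock offset:\s*(0x[0-9A-Fa-f]+)"
    r"\s+class:\s*(0x[0-9A-Fa-f]+)")


def parse_inq(text):
    """Map each bdaddr in hcitool inq output to its clock offset and decoded class."""
    inventory = {}
    for line in text.splitlines():
        m = INQ_RE.match(line)
        if not m:  # skip the "Scanning ..." banner and anything unexpected
            continue
        bdaddr, clk, cod = m.group(1).upper(), int(m.group(2), 16), int(m.group(3), 16)
        inventory[bdaddr] = {"clock_offset": clk, "class": cod, "decoded": decode_cod(cod)}
    return inventory


# Constructed sample in the format shown above: the first line is the OBDII
# adapter from the article, the second an invented laptop for contrast.
SAMPLE_INQ = """Scanning ...
\t00:1D:A5:00:09:1D\tclock offset: 0x21c0\tclass: 0x5a020c
\tAA:BB:CC:DD:EE:FF\tclock offset: 0x0a1b\tclass: 0x3e010c
"""

if __name__ == "__main__":
    for bdaddr, info in parse_inq(SAMPLE_INQ).items():
        d = info["decoded"]
        print(bdaddr, d["major"], "/", d["minor"], "services:", ", ".join(d["services"]))
```

The OBDII adapter's 0x5a020c decodes as Phone / Smartphone with Networking, Capturing, Object Transfer and Telephony set, which is a reminder that cheap adapters often advertise a generic class and the value should be treated as a hint, not an identification.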

Step 3: Scan for Services with sdptool

For more information about services, we can use a tool called sdptool to browse what's available on the device and learn about its features, and perhaps which ones we can and can't interact with. We need the MAC address again, but first let's look at its man page:

  ~ # man sdptool

sdptool(1)                     General Commands Manual                     sdptool(1)

NAME
       sdptool - control and interrogate SDP servers

SYNOPSIS
       sdptool [options] {command} [command parameters ...]

DESCRIPTION
       sdptool provides the interface for performing SDP queries on Bluetooth
       devices, and administering a local SDP database.

COMMANDS
       The following commands are available. In all cases bdaddr specifies
       the device to search or browse. If local is used for bdaddr, then the
       local SDP database is searched.

       Services are identified and manipulated with a 4-byte record_handle
       (NOT the service name). To find the record_handle of a service look for
       the "Service RecHandle" line in the search or browse results

       search [--bdaddr bdaddr] [--tree] [--raw] [--xml] service_name
              Search for services. Known service names are DID, SP, DUN, LAN, FAX, OPUSH, FTP, HS, HF, HFAG, SAP, NAP, GN, PANU, HCRP, HID, CIP, A2SRC, A2SNK, AVRCT, AVRTG, UDIUE, UDITE and SYNCML.
       browse [--tree] [--raw] [--xml] [bdaddr]
              Browse all available services on the device specified by a Bluetooth address as a parameter.
       records [--tree] [--raw] [--xml] bdaddr
              Retrieve all possible service records.
       add [ --handle=N --channel=N ]
              Add a service to the local SDP database. You can specify a handle for this record using the --handle option. You can specify a channel to add the service on using the --channel option. NOTE: Local adapters configuration will not be updated and this command should be used only for SDP testing.
       del record_handle
              Remove a service from the local SDP database. NOTE: Local adapters configuration will not be updated and this command should be used only for SDP testing.
       get [--tree] [--raw] [--xml] [--bdaddr bdaddr] record_handle
              Retrieve a service from the local SDP database.
       setattr record_handle attrib_id attrib_value
              Set or add an attribute to an SDP record.
       setseq record_handle attrib_id attrib_values
              Set or add an attribute sequence to an SDP record.

OPTIONS
       --help Displays help on using sdptool.

EXAMPLES
       sdptool browse 00:80:98:24:15:6D
       sdptool browse local
       sdptool add DUN
       sdptool del 0x10000

BUGS
       Documentation needs improving.

AUTHOR
       Maxim Krasnyansky. Man page written by Edd Dumbill.

                                                                           sdptool(1)

Manual page sdptool(1) line 60/82 (END) (press h for help or q to quit)

This lets us control and interrogate SDP (Service Discovery Protocol) servers, so it's a way of querying Bluetooth devices to find out exactly what's going on with the services they offer and what we can probably do with those services.

Close the man page and type sdptool browse followed by the MAC address we recorded:

  ~ # sdptool browse 00:1D:A5:00:09:1D

Browsing 00:1D:A5:00:09:1D ...
Service Name: SPP
Service RecHandle: 0x10001
Service Class ID List:
  "Serial Port" (0x1101)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1

Here we can see a little more about the communication and the protocols in use, and we may even begin to discover whether the device has a vulnerability or whether we can communicate with it directly. We may also be able to tell whether the device uses MAC address randomization or the like.
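When a device exposes more than one record, it helps to parse the browse output rather than read it by eye. This is an added example, not code from the article or from BlueZ: it turns the sdptool browse format shown above into one record per service and lists which services sit on an RFCOMM channel; the second record in the sample (OBEX Object Push) is constructed to show a multi-service device.

```python
import re

# Added example, not code from the Null Byte article or from BlueZ: parse the
# `sdptool browse` output format shown above into one dict per service record,
# so an inventory script can list which profiles a device exposes and on which
# RFCOMM channel. Records are separated by blank lines, as sdptool prints them.

UUID_RE = re.compile(r'"([^"]*)"\s+\((0x[0-9A-Fa-f]+)\)')
RFCOMM_UUID = 0x0003


def new_record():
    return {"name": None, "handle": None, "classes": [], "protocols": [], "channel": None}


def parse_browse(text):
    """Return a list of service records from sdptool browse output."""
    records, current, section = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("Browsing"):
            current, section = None, None  # blank line (or the banner) ends a record
            continue
        if current is None:
            current = new_record()
            records.append(current)
        if stripped.startswith("Service Name:"):
            current["name"] = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("Service RecHandle:"):
            current["handle"] = int(stripped.split(":", 1)[1], 16)
        elif stripped.startswith("Service Class ID List:"):
            section = "classes"
        elif stripped.startswith("Protocol Descriptor List:"):
            section = "protocols"
        elif stripped.endswith("List:"):
            section = None  # Profile Descriptor / Language Base lists are not collected
        elif stripped.startswith("Channel:"):
            current["channel"] = int(stripped.split(":", 1)[1])
        elif section is not None:
            m = UUID_RE.match(stripped)
            if m:
                current[section].append((m.group(1), int(m.group(2), 16)))
    return records


def rfcomm_services(records):
    """Name -> RFCOMM channel for every record carried over RFCOMM."""
    return {r["name"]: r["channel"] for r in records
            if any(uuid == RFCOMM_UUID for _, uuid in r["protocols"])}


# Constructed sample: the SPP record from the article plus an invented second
# record, to show a device exposing more than one service.
SAMPLE_BROWSE = """Browsing 00:1D:A5:00:09:1D ...
Service Name: SPP
Service RecHandle: 0x10001
Service Class ID List:
  "Serial Port" (0x1101)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1

Service Name: OBEX Object Push
Service RecHandle: 0x10002
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 4
  "OBEX" (0x0008)
"""

if __name__ == "__main__":
    for name, channel in rfcomm_services(parse_browse(SAMPLE_BROWSE)).items():
        print("%s on RFCOMM channel %d" % (name, channel))
```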

Step 4: See If They're Reachable with l2ping

Now that we have the MAC addresses of all the devices in the area, we can ping them, whether or not they are in discoverable mode, to see if they're within reach. For me, it's just one device.

  ~ # l2ping 00:1D:A5:00:09:1D

Ping: 00:1D:A5:00:09:1D from ██:██:██:██:██:██ (data size 44) ...
44 bytes from 00:1D:A5:00:09:1D id 0 time 37.57ms
44 bytes from 00:1D:A5:00:09:1D id 1 time 27.23ms
44 bytes from 00:1D:A5:00:09:1D id 2 time 27.59ms
44 bytes from 00:1D:A5:00:09:1D id 3 time 27.31ms
44 bytes from 00:1D:A5:00:09:1D id 4 time 40.99ms
44 bytes from 00:1D:A5:00:09:1D id 5 time 48.77ms
44 bytes from 00:1D:A5:00:09:1D id 6 time 59.93ms
44 bytes from 00:1D:A5:00:09:1D id 7 time 48.84ms
44 bytes from 00:1D:A5:00:09:1D id 8 time 67.59ms

Step 5: Scan for Bluetooth Devices with btscanner

Now it's time to move on to the last tool, which gives us a fully graphical interface for discovering Bluetooth devices. It's called btscanner, and to start it we simply type btscanner:

  ~ # btscanner

Opening the OUI database
Reading the OUI database

The interface will look familiar to anyone who knows Kismet: we can do a lot from a command-line layout with a GUI-like feel. It's really handy because by typing i we can start an inquiry scan and find nearby Bluetooth devices, and it may let us connect, set up a pairing, or something similar.

We've found a device, and it's the same Bluetooth device we found before; I'm sure we'll find other devices as they roll in. For now, let's press Enter to find out more about the device.

Here we can see the name of the device, when it was first seen, the owner (which is interesting), and then some more information about the different features it advertises.

Press Q to return to the main window. As other devices are discovered or come within range, we'll find them here and learn more about what these devices do, what they communicate with, what else they can do, and more.

If you don't have Bluetooth on your computer, you can always plug in a Bluetooth adapter, but you may want to check that it's compatible before going to the trouble. I'm not sure whether every Bluetooth adapter works with every Linux program.

Above you can see that we have found a second device, so let's continue and click on it.

We can see that this is a smartphone, a Samsung device, and it has many more options and things we could do with it than our first device. We can already reach several different devices. We can start getting to know them, maybe the software that runs behind them, and certainly the services they advertise, to understand whether they present a good attack surface.

All of the above was done with a fully updated version of Kali Linux, and we didn't have to install anything. So when you're starting out with Kali Linux, this is a great way to use some of the built-in tools to connect with the Bluetooth devices around you and learn what each of these versatile and powerful tools is capable of.

What We've Learned So Far

Today we explored Bluetooth reconnaissance, and there are some more advanced things we can do with this information. Many Bluetooth devices don't bother randomizing their MAC address, which means it will always be the same. That can be used to track a person from place to place.

Take Tile Bluetooth trackers, for example, which let you find a lost item through anyone who runs the app. That means a person carrying one is traceable, and there's no way to disable it. If you want to opt out of this kind of tracking, you must turn off Bluetooth on devices such as a mobile phone. But for devices that naturally have it on all the time, such as a Tile tracker, there's really no option other than leaving it at home.

Don't miss it: How to target Bluetooth devices with Bettercap

Cover image via Shutterstock (1, 2)
