
How to Target Bluetooth Devices with Bettercap «Null Byte :: WonderHowTo



A surprising number of devices use Bluetooth or Bluetooth Low Energy (BLE) to communicate. These radios are rarely turned off, and some are deliberately used as trackers for lost items. The Bluetooth specification supports randomized MAC addresses, but many manufacturers do not use them, so a tool like Bettercap can be used to find and track Bluetooth devices.

What Types of Devices Use Bluetooth?

These days you would expect laptops and smartphones to carry Bluetooth radios, but Bluetooth is finding its way into almost everything, from smart trackers for finding lost items to smart police holsters that call home when a gun is drawn, and all of them can be discovered with Bettercap. How useful that discovery is depends largely on the manufacturer, because Bluetooth, when implemented correctly, is a more secure protocol than Wi-Fi. Fortunately for hackers, many manufacturers do not opt into privacy features such as MAC address randomization, so their Bluetooth devices broadcast the same MAC address everywhere they go.

That makes them easy to follow, and it also makes it easy to see what kind of device is behind the radio. Devices that do randomize their MAC address are still visible, but they look like many different devices broadcasting around us at roughly the same signal strength at regular intervals, which is exactly what makes them hard to correlate.

Bettercap for Bluetooth

Bettercap is the successor to Ettercap and offers attack modules for many different wireless and network technologies. Today we are focusing on the Bluetooth module, but Bettercap has far more to offer than Bluetooth hacking: it can also discover and attack Wi-Fi networks, and by default it starts enumerating the devices on the network you are connected to as soon as it launches.

Its Bluetooth Low Energy module does far more than list nearby devices. We can collect the MAC address of every device in range, connect to a chosen address and pull information out of the device, and finally write data to the device, either to try to exploit it or to leave a tag that lets us recognize the device over time even if it changes its MAC address.

What we can learn

Information is the first element of any attack. To get started, we need to learn the manufacturer of the device so that we can look up details such as the default pairing PIN. Once we have identified the particular model behind the Bluetooth radio, we can search for specific information that can be used to hijack the device over Bluetooth.

When we scan a Bluetooth device, we get information we normally would not have access to. We can determine the operating system version running on the target, the device name, the manufacturer, and even details such as the current battery level. Learning that a device runs old software makes it much easier to identify vulnerabilities that can be exploited. The first step is to find the device and scan it to learn more.

What you need

To follow this guide, I recommend starting with a full Kali Linux installation. Bettercap installs easily on several platforms, but the Bluetooth module does not work on macOS.

Step 1: Install Bettercap

If you have a fully updated Kali installation, you can run apt install bettercap to install Bettercap and its dependencies. On another Linux distribution, you can build Bettercap from source by running the following commands in a new terminal window. (This is the GOPATH-style build from the time of writing; with a current Go release and modules enabled, git clone the bettercap repository instead of using go get, then run make build and sudo make install inside the clone.)

  apt install golang
  go get github.com/bettercap/bettercap
  cd $GOPATH/src/github.com/bettercap/bettercap
  make build
  sudo make install

Step 2: Launch Bettercap

To launch Bettercap, simply run sudo bettercap in a terminal window.

  sudo bettercap
  bettercap v2.17 (type 'help' for a list of commands)

  192.168.0.0/24 > 192.168.0.37  » [02:19:21] [endpoint.new] Endpoint 192.168.0.10 detected as 3c:dc:bc:05:77:d4 (Samsung Electronics Co., Ltd).
  192.168.0.0/24 > 192.168.0.37  » [02:19:22] [endpoint.new] Endpoint 192.168.0.3 detected as 50:33:8b:68:2d:73 (Texas Instruments).

As you can see, the network module starts by default and has already begun passively discovering devices on the same network. Pretty cool! To view the current list of devices it has identified, enter net.show and press Enter.

  192.168.0.0/24 > 192.168.0.37  » net.show

  +--------------+-------------------+----------+-------------------------------+--------+-------+----------+
  | IP ▴         | MAC               | Name     | Vendor                        | Sent   | Recvd | Seen     |
  +--------------+-------------------+----------+-------------------------------+--------+-------+----------+
  | 192.168.0.37 | 30:52:cb:6b:76:5f | wlan0    | Liteon Technology Corporation | 0 B    | 0 B   | 02:19:17 |
  | 192.168.0.1  | 40:70:09:7a:64:97 | Driveway | ARRIS Group, Inc.             | 590 B  | 0 B   | 02:19:18 |
  |              |                   |          |                               |        |       |          |
  | 192.168.0.3  | 50:33:8b:68:2d:73 |          | Texas Instruments             | 1.8 kB | 0 B   | 02:20:42 |
  | 192.168.0.10 | 3c:dc:bc:05:77:d4 |          | Samsung Electronics Co., Ltd. | 515 B  | 0 B   | 02:20:41 |
  | 192.168.0.65 | 00:26:bb:1c:a0:87 |          | Apple, Inc.                   | 1.1 kB | 0 B   | 02:20:40 |
  +--------------+-------------------+----------+-------------------------------+--------+-------+----------+

  ↑ 0 B / ↓ 131 kB / 1078 pkts

To stop this module, run net.recon off.

Step 3: Run the Bluetooth Sniffing Module

Let's start Bluetooth discovery. Enter ble.recon on and press Enter.

  192.168.0.0/24 > 192.168.0.37  » ble.recon on
  [02:23:55] [sys.log] [inf] ble.recon initializing device ...
  [02:23:55] [sys.log] [inf] ble.recon state changed to PoweredOn
  192.168.0.0/24 > 192.168.0.37  » [02:23:55] [sys.log] [inf] ble.recon starting discovery ...
  192.168.0.0/24 > 192.168.0.37  » [02:23:55] [ble.device.new] New BLE device detected as 69:B0:77:33:32:B7 (Apple, Inc.) -77 dBm.
  192.168.0.0/24 > 192.168.0.37  » [02:23:55] [ble.device.new] New BLE device detected as 11:8D:A3:DD:6F:23 (Apple, Inc.) -62 dBm.
  192.168.0.0/24 > 192.168.0.37  » [02:23:55] [ble.device.new] New BLE device detected as 00:74:BB:1E:51:22 (Microsoft) -68 dBm.
  192.168.0.0/24 > 192.168.0.37  » [02:23:55] [ble.device.new] New BLE device detected as 35:DE:BF:24:DE:02 (Microsoft) -57 dBm.
  192.168.0.0/24 > 192.168.0.37  » [02:23:55] [ble.device.new] New BLE device detected as 26:22:8E:AC:BC:47 (Microsoft) -89 dBm.
  192.168.0.0/24 > 192.168.0.37  » [02:23:55] [ble.device.new] New BLE device detected as 40:16:3B:ED:EF:21 (Samsung Electronics Co., Ltd) -92 dBm.
  192.168.0.0/24 > 192.168.0.37  » [02:23:55] [ble.device.new] New BLE device detected as 56:73:E6:EA:CE:C5 (Apple, Inc.) -51 dBm.
  192.168.0.0/24 > 192.168.0.37  » [02:23:56] [ble.device.new] New BLE device Tile detected as C9:58:1F:16:7A:43 -79 dBm.
  192.168.0.0/24 > 192.168.0.37  » [02:23:56] [ble.device.new] New BLE device detected as 5B:FA:11:B5:B1:3B (Apple, Inc.) -64 dBm.
  192.168.0.0/24 > 192.168.0.37  » [02:23:56] [ble.device.new] New BLE device detected as 66:8D:90:81:2B:C5 (Apple, Inc.) -83 dBm.
  192.168.0.0/24 > 192.168.0.37  » [02:23:57] [ble.device.new] New BLE device detected as F8:04:2E:B0:57:73 (Samsung Electro-Mechanics (Thailand)) -87 dBm.
  192.168.0.0/24 > 192.168.0.37  » [02:23:59] [ble.device.new] New BLE device detected as 39:71:FA:71:9F:53 (Apple, Inc.) -94 dBm.
  192.168.0.0/24 > 192.168.0.37  » [02:24:01] [ble.device.new] New BLE device detected as 6A:95:78:A8:8D:FC (Microsoft) -94 dBm.
  192.168.0.0/24 > 192.168.0.37  » [02:24:04] [ble.device.new] New BLE device detected as 1A:53:E5:84:E2:10 (Microsoft) -95 dBm.
  192.168.0.0/24 > 192.168.0.37  »

Discovery continues for as long as you let it run. Devices that have not been seen for a few scans are automatically dropped from the list.
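To make the address-randomization point concrete, here is an added Python example (not code from this article or from Bettercap) that parses ble.device.new lines like the ones above and classifies each address by the rule the Bluetooth Core specification defines for random addresses: the two most significant bits of the first octet mark it as static (11), resolvable private (01) or non-resolvable private (00), and only the static kind is worth tracking by MAC alone. The sample lines are constructed from the session above with the prompt shortened. The classification assumes every address is a random one, because the public/random flag (TxAdd) lives in the advertising PDU and bettercap's log line does not print it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One bettercap "ble.device.new" event; re.search ignores the prompt prefix.
# Name and vendor are both optional: the Tile line above carries a name and
# no vendor, the Apple/Microsoft lines a vendor and no name.
EVENT_RE = re.compile(
    r"\[(?P<time>\d\d:\d\d:\d\d)\] \[ble\.device\.new\]\s+New BLE device "
    r"(?:(?P<name>\S+) )?detected as (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<vendor>.+?)\))? (?P<rssi>-?\d+) dBm\."
)


@dataclass
class Sighting:
    time: str
    mac: str
    name: Optional[str]
    vendor: Optional[str]
    rssi: int
    addr_kind: str
    rotates: bool


def random_address_kind(mac: str) -> str:
    """Classify a BLE address by the two most significant bits of its first
    octet, as the Core spec defines for random addresses:
      11 -> static (fixed for the device's lifetime, trackable by MAC)
      01 -> resolvable private (rotates; only a paired peer holding the IRK
            can resolve it)
      00 -> non-resolvable private (rotates)
    Assumption: the address is random. A public address cannot be told apart
    from a random one by its bytes alone; that is signalled by TxAdd in the
    advertising PDU, which the log line does not show."""
    top_bits = int(mac.split(":")[0], 16) >> 6
    return {0b11: "static", 0b01: "resolvable private",
            0b00: "non-resolvable private"}.get(top_bits, "reserved")


def parse_events(lines: List[str]) -> List[Sighting]:
    """Turn ble.device.new lines into records; other events are skipped."""
    sightings = []
    for line in lines:
        m = EVENT_RE.search(line)
        if m is None:
            continue
        kind = random_address_kind(m["mac"])
        sightings.append(Sighting(
            time=m["time"], mac=m["mac"].upper(), name=m["name"],
            vendor=m["vendor"], rssi=int(m["rssi"]), addr_kind=kind,
            rotates=kind.endswith("private"),
        ))
    return sightings


def strongest_first(sightings: List[Sighting]) -> List[Sighting]:
    """Same ordering ble.show uses: strongest signal (closest device) first."""
    return sorted(sightings, key=lambda s: s.rssi, reverse=True)


def trackable_by_mac(sightings: List[Sighting]) -> List[Sighting]:
    """Devices whose address does not rotate: the MAC alone is a tracking key."""
    return [s for s in sightings if not s.rotates]


# Constructed sample, copied from the session above with the prompt shortened.
SAMPLE_LOG = [
    "» [02:23:55] [ble.device.new] New BLE device detected as 69:B0:77:33:32:B7 (Apple, Inc.) -77 dBm.",
    "» [02:23:55] [ble.device.new] New BLE device detected as 35:DE:BF:24:DE:02 (Microsoft) -57 dBm.",
    "» [02:23:55] [ble.device.new] New BLE device detected as 56:73:E6:EA:CE:C5 (Apple, Inc.) -51 dBm.",
    "» [02:23:56] [ble.device.new] New BLE device Tile detected as C9:58:1F:16:7A:43 -79 dBm.",
    "» [02:23:57] [ble.device.new] New BLE device detected as F8:04:2E:B0:57:73 (Samsung Electro-Mechanics (Thailand)) -87 dBm.",
    "» [02:24:55] [ble.device.lost] BLE device 7A:E8:23:E7:B5:59 (Apple, Inc.) lost.",
]

if __name__ == "__main__":
    for s in strongest_first(parse_events(SAMPLE_LOG)):
        print(f"{s.rssi:4d} dBm  {s.mac}  {s.name or s.vendor or '?':<36} {s.addr_kind}")
```

Run it as a script to print the strongest-first list. Applied to the full scan above, the Tile and the F8:04 Samsung address are static, while every Apple and Microsoft address, the Google one and the 40:16 Samsung one fall in the private range and will rotate, which is why the same café shows a fresh set of "Apple" entries after a while even though the phones have not moved.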

Step 4: Identify the Hosts to Test

After a few seconds we have built a fairly long list. In a café, I was able to identify many devices at 2 o'clock in the morning. Enter ble.show and press Enter.

  192.168.0.0/24 > 192.168.0.37  » ble.show

  +---------+-------------------+------+--------------------------------------+--------------------------------------------------------------------+---------+----------+
  | RSSI ▴  | MAC               | Name | Vendor                               | Flags                                                              | Connect | Seen     |
  +---------+-------------------+------+--------------------------------------+--------------------------------------------------------------------+---------+----------+
  | -51 dBm | 56:73:e6:ea:ce:c5 |      | Apple, Inc.                          | LE + BR/EDR (controller), LE + BR/EDR (host)                       | ✔       | 02:24:50 |
  | -59 dBm | 35:de:bf:24:de:02 |      | Microsoft                            |                                                                    | ✖       | 02:24:50 |
  | -64 dBm | 5b:fa:11:b5:b1:3b |      | Apple, Inc.                          | LE + BR/EDR (controller), LE + BR/EDR (host)                       | ✔       | 02:24:49 |
  | -68 dBm | 69:b0:77:33:32:b7 |      | Apple, Inc.                          | LE + BR/EDR (controller), LE + BR/EDR (host)                       | ✔       | 02:24:50 |
  | -71 dBm | 00:74:bb:1e:51:22 |      | Microsoft                            |                                                                    | ✖       | 02:24:50 |
  | -75 dBm | 11:8d:a3:dd:6f:23 |      | Apple, Inc.                          | Limited Discoverable, LE + BR/EDR (controller), LE + BR/EDR (host) | ✖       | 02:24:50 |
  | -77 dBm | c9:58:1f:16:7a:43 | Tile |                                      | BR/EDR Not Supported                                               | ✔       | 02:24:50 |
  | -86 dBm | 4f:??:70:25:35:09 |      | Google                               |                                                                    | ✖       | 02:24:48 |
  | -86 dBm | 66:8d:90:81:2b:c5 |      | Apple, Inc.                          | LE + BR/EDR (controller), LE + BR/EDR (host)                       | ✔       | 02:24:46 |
  | -88 dBm | f8:04:2e:b0:57:73 |      | Samsung Electro-Mechanics (Thailand) |                                                                    | ✖       | 02:24:48 |
  | -90 dBm | 40:16:3b:ed:ef:21 |      | Samsung Electronics Co., Ltd.        |                                                                    | ✖       | 02:24:47 |
  | -91 dBm | 1a:53:e5:84:e2:10 |      | Microsoft                            |                                                                    | ✖       | 02:24:45 |
  | -91 dBm | 26:22:8e:ac:bc:47 |      | Microsoft                            |                                                                    | ✖       | 02:24:49 |
  | -91 dBm | 61:b7:??:e4:84:e7 |      | Apple, Inc.                          | LE + BR/EDR (controller), LE + BR/EDR (host)                       | ✔       | 02:24:36 |
  | -91 dBm | 6a:95:78:a8:8d:fc |      | Microsoft                            |                                                                    | ✖       | 02:24:48 |
  | -91 dBm | 7a:e8:23:e7:b5:59 |      | Apple, Inc.                          | LE + BR/EDR (controller), LE + BR/EDR (host)                       | ✔       | 02:24:23 |
  | -91 dBm | 7d:e3:6c:c7:12:7c |      | Apple, Inc.                          | LE + BR/EDR (controller), LE + BR/EDR (host)                       | ✔       | 02:24:44 |
  | -95 dBm | 39:71:fa:71:9f:53 |      | Apple, Inc.                          | Limited Discoverable, LE + BR/EDR (controller), LE + BR/EDR (host) | ✖       | 02:24:41 |
  +---------+-------------------+------+--------------------------------------+--------------------------------------------------------------------+---------+----------+
  192.168.0.0/24 > 192.168.0.37  » [02:24:55] [ble.device.lost] BLE device 7A:E8:23:E7:B5:59 (Apple, Inc.) lost.
  192.168.0.0/24 > 192.168.0.37  » [02:25

Step 5: Scanning and Interacting with Devices

Once we have identified a device of interest, we can query it with Bettercap. All we need is the target's MAC address.

In the scan above, the device with the strongest signal is an Apple device with the MAC address 56:73:e6:ea:ce:c5. We can enumerate it by entering ble.enum 56:73:e6:ea:ce:c5, which connects to the device and lists its services and characteristics.

  192.168.0.0/24 > 192.168.0.37  » ble.enum 56:73:e6:ea:ce:c5
  [02:27:30] [sys.log] [inf] ble.recon connecting to 56:73:e6:ea:ce:c5 ...
  192.168.0.0/24 > 192.168.0.37  » [02:27:30] [sys.log] [inf] ble.recon connected, enumerating all the things for 56:73:E6:EA:CE:C5!
  192.168.0.0/24 > 192.168.0.37  »
  +--------------+-------------------------------------------------------------+------------------+---------------+
  | Handles      | Service > Characteristics                                   | Properties       | Data          |
  +--------------+-------------------------------------------------------------+------------------+---------------+
  | 0001 -> 0005 | Generic Access (1800)                                       |                  |               |
  | 0002         |   Device Name (2a00)                                        | read             | iPhone        |
  | 0004         |   Appearance (2a01)                                         | read             | Generic Phone |
  | 0006 -> 0009 | Generic Attribute (1801)                                    |                  |               |
  | 0007         |   Service Changed (2a05)                                    | indicate         |               |
  | 000a -> 000e | Apple Continuity Service (d0611e78bbb44591a5f8487910ae4366) |                  |               |
  | 000b         |   8667556c9a374c9184ed54ee27d90049                          | write, notify, x |               |
  | 000f -> 0013 | 9fa480e0496745429390d343dc5d04ae                            |                  |               |
  | 0010         |   af0badb15b9943cd917aa77bc549e3cc                          | write, notify, x |               |
  +--------------+-------------------------------------------------------------+------------------+---------------+
  192.168.0.0/24 > 192.168.0.37  » [02:27:30] [sys.log] [inf] ble.recon disconnecting from 56:73:E6:EA:CE:C5 ...
  192.168.0.0/24 > 192.168.0.37  » [02:27:30] [sys.log] [inf] ble.recon device disconnected, restoring discovery.
  192.168.0.0/24 > 192.168.0.37  » [02:27:30] [ble.device.lost] BLE device 73:13:D4:64:AF:7D (Apple, Inc.) lost.

As you can see, some characteristics allow us to write data!

Let's try writing data to a characteristic. In another scan I found a device with the MAC address 7e:dc:48:7c:77:ea and a writable characteristic named 69d1d8f345e149a898219bbdfdaad9d9. You can write the value ffffffffffffffff (hex) to it with ble.write MAC CHARACTERISTIC HEXDATA, as in the following example.

  192.168.0.0/24 > 192.168.0.37  » ble.write 7e:dc:48:7c:77:ea 69d1d8f345e149a898219bbdfdaad9d9 ffffffffffffffff
  [02:38:22] [sys.log] [inf] ble.recon connecting to 7e:dc:48:7c:77:ea ...
  192.168.0.0/24 > 192.168.0.37  » [02:38:22] [sys.log] [inf] ble.recon connected, enumerating all the things for 7E:DC:48:7C:77:EA!
  192.168.0.0/24 > 192.168.0.37  » [02:38:23] [sys.log] [inf] ble.recon writing 8 bytes to characteristic 69d1d8f345e149a898219bbdfdaad9d9 ...
  192.168.0.0/24 > 192.168.0.37  » [02:38:23] [sys.log] [err] ble.recon error while writing: insufficient authentication
  192.168.0.0/24 > 192.168.0.37  »
  +--------------+----------------------------------------------------------------------+------------------+-----------------------------+
  | Handles      | Service > Characteristics                                            | Properties       | Data                        |
  +--------------+----------------------------------------------------------------------+------------------+-----------------------------+
  | 0001 -> 0005 | Generic Access (1800)                                                |                  |                             |
  | 0002         |   Device Name (2a00)                                                 | read             | iPhone                      |
  | 0004         |   Appearance (2a01)                                                  | read             | Generic Phone               |
  | 0006 -> 0009 | Generic Attribute (1801)                                             |                  |                             |
  | 0007         |   Service Changed (2a05)                                             | indicate         |                             |
  | 000a -> 000e | Apple Continuity Service (d0611e78bbb44591a5f8487910ae4366)          |                  |                             |
  | 000b         |   8667556c9a374c9184ed54ee27d90049                                   | write, notify, x |                             |
  | 000f -> 0013 | 9fa480e0496745429390d343dc5d04ae                                     |                  |                             |
  | 0010         |   af0badb15b9943cd917aa77bc549e3cc                                   | write, notify, x |                             |
  | 0014 -> 0017 | Battery Service (180f)                                               |                  |                             |
  | 0015         |   Battery Level (2a19)                                               | read, notify     | insufficient authentication |
  | 0018 -> 001d | Current Time Service (1805)                                          |                  |                             |
  | 0019         |   Current Time (2a2b)                                                | read, notify     | insufficient authentication |
  | 001c         |   Local Time Information (2a0f)                                      | read             | insufficient authentication |
  | 001e -> 0022 | Device Information (180a)                                            |                  |                             |
  | 001f         |   Manufacturer Name String (2a29)                                    | read             | Apple Inc.                  |
  | 0021         |   Model Number String (2a24)                                         | read             | iPhone9,1                   |
  | 0023 -> 002c | Apple Notification Center Service (7905f431b5ce4e99a40f4b1e122d00d0) |                  |                             |
  | 0024         |   69d1d8f345e149a898219bbdfdaad9d9                                   | write, x         |                             |
  | 0027         |   9fbf120d630142d98c5825e699a21dbd                                   | notify           |                             |
  | 002a         |   22eac6e924d64bb5be44b36ace7c7bfb                                   | notify           |                             |
  | 002d -> 0038 | Apple Media Service (89d3502b0f36433a8ef4c502ad55f8dc)               |                  |                             |
  | 002e         |   9b3c81d857b14a8ab8df0e56f7ca51c2                                   | write, notify, x |                             |
  | 0032         |   2f7cabce808d411f9a0cbb92ba96c102                                   | write, notify, x |                             |
  | 0036         |   c6b2f38c23ab46d8a6aba3a870bbd5d7                                   | read, write, x   | insufficient authentication |
  +--------------+----------------------------------------------------------------------+------------------+-----------------------------+
  192.168.0.0/24 > 192.168.0.37  » [02:38:23] [sys.log] [inf] ble.recon disconnecting from 7E:DC:48:7C:77:EA ...

The write failed: the iPhone answered with "insufficient authentication", which is the ATT error a GATT server returns when an attribute may only be accessed over a link that has been paired (authenticated), so an unpaired connection from Bettercap gets an error instead of access. The battery, time and media fields that show the same message in the Data column are protected the same way; only the device name, appearance, manufacturer and model number are readable by anyone. When we learn that a device runs a service with a vulnerability that can be triggered by writing to a characteristic, Bettercap lets us look for exploitable devices nearby. We can also use these fields to fingerprint devices that randomize their MAC address, because values such as the device name, manufacturer and model number stay the same while the MAC address changes to avoid correlation.
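What "insufficient authentication" means on the wire, as an added Python example (not code from this article or from Bettercap): the request ble.write ends up sending is an ATT Write Request, and the phone answers with an ATT Error Response carrying error code 0x05. The opcodes and error codes below are the ones defined in the Bluetooth Core specification; the toy GATT server, its handle table and its "link authenticated" flag are constructed to mirror the permissions visible in the ble.enum table above and are not Apple's implementation.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Set

# ATT opcodes and error codes (Bluetooth Core spec, Vol 3 Part F).
ATT_ERROR_RSP, ATT_READ_REQ, ATT_READ_RSP = 0x01, 0x0A, 0x0B
ATT_WRITE_REQ, ATT_WRITE_RSP = 0x12, 0x13
ERR_INVALID_HANDLE, ERR_READ_NOT_PERMITTED, ERR_WRITE_NOT_PERMITTED = 0x01, 0x02, 0x03
ERR_INSUFFICIENT_AUTHENTICATION, ERR_REQUEST_NOT_SUPPORTED, ERR_INSUFFICIENT_ENCRYPTION = 0x05, 0x06, 0x0F
ERROR_NAMES = {
    ERR_INVALID_HANDLE: "invalid handle",
    ERR_READ_NOT_PERMITTED: "read not permitted",
    ERR_WRITE_NOT_PERMITTED: "write not permitted",
    ERR_INSUFFICIENT_AUTHENTICATION: "insufficient authentication",
    ERR_REQUEST_NOT_SUPPORTED: "request not supported",
    ERR_INSUFFICIENT_ENCRYPTION: "insufficient encryption",
}


def write_request(handle: int, value: bytes) -> bytes:
    """ATT Write Request: opcode 0x12, 16-bit handle (little endian), value."""
    return struct.pack("<BH", ATT_WRITE_REQ, handle) + value


def read_request(handle: int) -> bytes:
    """ATT Read Request: opcode 0x0A, 16-bit handle (little endian)."""
    return struct.pack("<BH", ATT_READ_REQ, handle)


def error_response(request_opcode: int, handle: int, code: int) -> bytes:
    """ATT Error Response: opcode 0x01, offending request opcode, handle, error code."""
    return struct.pack("<BBHB", ATT_ERROR_RSP, request_opcode, handle, code)


def decode_response(pdu: bytes) -> str:
    """Render a server PDU the way a client log line would."""
    op = pdu[0]
    if op == ATT_WRITE_RSP:
        return "write ok"
    if op == ATT_READ_RSP:
        return "read ok: " + pdu[1:].hex()
    if op == ATT_ERROR_RSP:
        req_op, handle, code = struct.unpack("<BHB", pdu[1:5])
        verb = {ATT_WRITE_REQ: "writing", ATT_READ_REQ: "reading"}.get(req_op, "handling")
        return f"error while {verb} handle {handle:04x}: {ERROR_NAMES.get(code, hex(code))}"
    return f"unexpected opcode {op:#04x}"


@dataclass
class Characteristic:
    props: Set[str]            # subset of {"read", "write", "notify", "indicate"}
    value: bytes = b""
    needs_auth: bool = False   # attribute permission: authenticated (paired) link required


@dataclass
class ToyGattServer:
    """Minimal ATT responder with the permission checks behind the error above.
    Constructed for this example; a real server also enforces per-attribute
    encryption (0x0F) and authorization (0x08) requirements the same way."""
    table: Dict[int, Characteristic]
    link_authenticated: bool = False   # True only after pairing with MITM protection

    def handle(self, pdu: bytes) -> bytes:
        op = pdu[0]
        handle = struct.unpack("<H", pdu[1:3])[0]
        ch = self.table.get(handle)
        if ch is None:
            return error_response(op, handle, ERR_INVALID_HANDLE)
        if op == ATT_WRITE_REQ:
            if "write" not in ch.props:
                return error_response(op, handle, ERR_WRITE_NOT_PERMITTED)
            if ch.needs_auth and not self.link_authenticated:
                return error_response(op, handle, ERR_INSUFFICIENT_AUTHENTICATION)
            ch.value = pdu[3:]
            return bytes([ATT_WRITE_RSP])
        if op == ATT_READ_REQ:
            if "read" not in ch.props:
                return error_response(op, handle, ERR_READ_NOT_PERMITTED)
            if ch.needs_auth and not self.link_authenticated:
                return error_response(op, handle, ERR_INSUFFICIENT_AUTHENTICATION)
            return bytes([ATT_READ_RSP]) + ch.value
        return error_response(op, handle, ERR_REQUEST_NOT_SUPPORTED)


def iphone_like_server() -> ToyGattServer:
    """Handles and permissions modelled on the ble.enum table above (constructed)."""
    return ToyGattServer(table={
        0x0002: Characteristic({"read"}, b"iPhone"),                           # Device Name (2a00)
        0x0015: Characteristic({"read", "notify"}, b"\x5a", needs_auth=True),  # Battery Level (2a19)
        0x0021: Characteristic({"read"}, b"iPhone9,1"),                        # Model Number (2a24)
        0x0024: Characteristic({"write"}, needs_auth=True),                    # ANCS control point
    })


def replay_session():
    """The exchange ble.write ran into above, then the same write after pairing."""
    srv = iphone_like_server()
    results = [
        decode_response(srv.handle(write_request(0x0024, b"\xff" * 8))),  # what the page shows
        decode_response(srv.handle(read_request(0x0002))),
        decode_response(srv.handle(read_request(0x0015))),
        decode_response(srv.handle(write_request(0x0002, b"X"))),
    ]
    srv.link_authenticated = True   # after a successful pairing with MITM protection
    results.append(decode_response(srv.handle(write_request(0x0024, b"\xff" * 8))))
    return results, srv
```

The handles 0x0002, 0x0015, 0x0021 and 0x0024 and their values come from the table above; everything else is assumed. The practical reading of the error is that no payload will get through handle 0x0024 until the link has been paired with MITM protection, so an unpaired client can only enumerate the attributes and read the few that are open to everyone.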

Bluetooth devices are everywhere

In our sample scan we spotted many Bluetooth devices nearby, even late at night in a relatively empty café. One of them was a Tile-branded tracker that never changed its MAC address, but others were smart devices that rotated the MAC address they were broadcasting over time. We can deal with this in Bettercap by reading the values of characteristics such as battery level and comparing them with what we saw earlier to decide whether a Bluetooth device is one we have recently seen.

With the ability to write data, we can even "tag" a device with a value so we can clearly identify it later. Being able to detect and unmask Bluetooth transmissions is useful for tracking devices and the people carrying them, and knowing the hardware type and software version of a discovered device gives you the best chance of successfully attacking it.
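Here is an added Python example (not the article's or Bettercap's code) that turns the two ideas above, fingerprinting by stable GATT values and tagging by a written value, into a matcher. It keys each enumerated device on the stable part of its GATT data (service layout, device name, appearance, manufacturer, model number) and attributes a new MAC to a known identity when the fingerprint matches and the old MAC is not being seen at the same moment; a tag we wrote ourselves, when the write succeeded, overrides everything. The Enumeration records are constructed: the iPhone entries mirror the ble.enum output above, while the "gadget" with a rotating address that accepted our tag is hypothetical, since the write on this page was refused.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# 16-bit SIG characteristic UUIDs as ble.enum prints them.
DEVICE_NAME, APPEARANCE, MANUFACTURER, MODEL_NUMBER = "2a00", "2a01", "2a29", "2a24"
BATTERY_LEVEL, CURRENT_TIME = "2a19", "2a2b"
VOLATILE = {BATTERY_LEVEL, CURRENT_TIME}   # drift between scans: never part of the fingerprint


@dataclass
class Enumeration:
    """What one ble.enum run returned for one MAC (constructed records)."""
    mac: str
    seen_at: int                     # seconds since the start of the session
    services: List[str]              # service UUIDs in handle order
    values: Dict[str, str]           # characteristic UUID -> Data column ("" if auth was required)
    tag: Optional[str] = None        # a value we wrote earlier and could read back, if any


def fingerprint(e: Enumeration) -> Tuple:
    """Stable part of an enumeration: service layout plus every readable,
    non-volatile value. Identical models give identical fingerprints, so this
    separates models reliably and individual units only when few are around."""
    stable = tuple(sorted((u, v) for u, v in e.values.items() if u not in VOLATILE and v))
    return (tuple(e.services), stable)


@dataclass
class Identity:
    ident: int
    fingerprint: Tuple
    macs: List[str] = field(default_factory=list)
    last_seen: int = 0
    tag: Optional[str] = None


class Tracker:
    def __init__(self):
        self.identities: List[Identity] = []

    def observe(self, e: Enumeration) -> Identity:
        fp = fingerprint(e)
        # 1. A tag we wrote ourselves is definitive, whatever the MAC or layout.
        if e.tag:
            for idn in self.identities:
                if idn.tag == e.tag:
                    return self._update(idn, e)
        # 2. A MAC we have already attributed (static addresses end up here).
        for idn in self.identities:
            if e.mac in idn.macs:
                return self._update(idn, e)
        # 3. Same fingerprint under a new MAC: a rotation, but only if that
        #    identity is not being seen under another MAC at this very moment
        #    (a device cannot advertise two addresses at once).
        candidates = [i for i in self.identities
                      if i.fingerprint == fp and i.last_seen < e.seen_at]
        if len(candidates) == 1:
            return self._update(candidates[0], e)
        # None, or several identical models: start a new identity rather than guess.
        idn = Identity(ident=len(self.identities) + 1, fingerprint=fp)
        self.identities.append(idn)
        return self._update(idn, e)

    def _update(self, idn: Identity, e: Enumeration) -> Identity:
        if e.mac not in idn.macs:
            idn.macs.append(e.mac)
        idn.last_seen = e.seen_at
        if e.tag:
            idn.tag = e.tag
        return idn


# Constructed scenario. iPhone data mirrors the ble.enum table above; the
# gadget, its UUID ff00 and the accepted tag are hypothetical.
IPHONE_SERVICES = ["1800", "1801", "180f", "1805", "180a",
                   "7905f431b5ce4e99a40f4b1e122d00d0", "89d3502b0f36433a8ef4c502ad55f8dc"]
IPHONE_VALUES = {DEVICE_NAME: "iPhone", APPEARANCE: "Generic Phone", MANUFACTURER: "Apple Inc.",
                 MODEL_NUMBER: "iPhone9,1", BATTERY_LEVEL: ""}      # "" = insufficient authentication
TILE_SERVICES, TILE_VALUES = ["1800", "1801", "feed"], {DEVICE_NAME: "Tile"}
GADGET_SERVICES, GADGET_VALUES = ["1800", "1801", "ff00"], {DEVICE_NAME: "gadget"}
TAG = "ffffffffffffffff"                                             # the value ble.write tried to store

SCENARIO = [
    Enumeration("7E:DC:48:7C:77:EA", 0, IPHONE_SERVICES, IPHONE_VALUES),
    Enumeration("C9:58:1F:16:7A:43", 100, TILE_SERVICES, TILE_VALUES),                    # static address
    Enumeration("6A:95:78:A8:8D:FC", 900, IPHONE_SERVICES, {**IPHONE_VALUES, BATTERY_LEVEL: "87"}),  # rotated
    Enumeration("5B:FA:11:B5:B1:3B", 900, IPHONE_SERVICES, IPHONE_VALUES),                # second, identical iPhone, same moment
    Enumeration("41:22:33:44:55:66", 1800, GADGET_SERVICES, GADGET_VALUES, tag=TAG),      # gadget we tagged
    Enumeration("42:22:33:44:55:67", 1800, GADGET_SERVICES, GADGET_VALUES),               # identical untagged gadget
    Enumeration("4B:22:33:44:55:68", 2700, GADGET_SERVICES, GADGET_VALUES, tag=TAG),      # tagged one, new MAC
    Enumeration("4C:22:33:44:55:69", 2700, GADGET_SERVICES, GADGET_VALUES),               # the other one, new MAC
    Enumeration("C9:58:1F:16:7A:43", 3000, TILE_SERVICES, TILE_VALUES),
]


def run_scenario():
    """Attribute every record; returns the tracker and the identity id per record."""
    tracker = Tracker()
    return tracker, [tracker.observe(e).ident for e in SCENARIO]
```

Note what the fingerprint can and cannot do: "Apple Inc." plus "iPhone9,1" identifies a model, so the two identical phones seen at the same moment (the third and fourth records) are kept apart only by timing, and they would be confused if one left before the other arrived; the tag is what resolves the otherwise identical gadgets in the last records. Battery level and current time are deliberately left out of the key because they drift between scans; they work as a tie-breaker between candidates, not as an identifier on their own.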

I hope you enjoyed this guide to scanning and tracking Bluetooth devices with Bettercap! If you have questions about this Bluetooth sniffing tutorial or a comment, leave it in the comments section below. You can also follow me on Twitter @KodyKinzie.

Don't Miss: How to Hack Bluetooth Like Mr. Robot

Cover photo and screenshots of Kody / Null Byte



