
Sniffing on Bluetooth devices with Kali Linux «Zero Byte :: WonderHowTo



Although many people use Bluetooth every day, most don't know how it works or whether it can be hacked. Bluetooth hacking gives you a clear insight into the world of the target. Almost every device has Bluetooth capabilities, and users store lots of personal information on their phones and tablets. Hack the Bluetooth connection and you may be able to access all of this data.

Although Bluetooth uses the same 2.4 GHz band as Wi-Fi, its properties differ because the protocols are not the same. Bluetooth's security is stronger in some respects, so the popular Wi-Fi hacking tools don't work against it.

For one thing, the frequency changes constantly. When two devices communicate over Bluetooth, both follow a hopping algorithm that shifts the channel many times per second. That means we cannot simply sit and listen on one frequency, because the conversation bounces all over the band, and an attacker can hardly follow it.

Another difference is that Bluetooth does not negotiate a key every time, as a Wi-Fi network does. Instead, Bluetooth negotiates a key once when the devices first pair, stores that secret key, and refers back to it every time it sees the same device. That means you cannot simply sit there and sniff the key: you would have to be present the first time the two devices communicate. Otherwise you get nothing useful, and you cannot get into the conversation the way you can with Wi-Fi.

However, we can still track nearby Bluetooth devices, read information from them, and even write certain information to them. So it is worth investigating whether we can take control of a device, identify a vulnerability in it, or later match it against a vulnerability that becomes known.

What You Need for Bluetooth Reconnaissance

To start Bluetooth reconnaissance, you need a fully updated installation of Kali Linux, because we will use its built-in Bluetooth tools. To keep things as simple as possible, we do not install anything extra and work only with the Bluetooth tools Kali Linux already ships.

The built-in tools we will cover below are hciconfig, hcitool, sdptool, l2ping, and btscanner. Most of them are part of BlueZ, the standard Bluetooth protocol stack in almost every Linux distribution, including Kali. (We will also use some tools made specifically for Bluetooth reconnaissance that Kali includes.)

Of course, we have to be within range of the Bluetooth devices we want to look at. With a good Bluetooth adapter, you should be able to reach devices in a cafe, a classroom, an office, and maybe even a neighboring house.

Step 1: Enable Your Bluetooth Adapter with hciconfig

If you are familiar with ifconfig for Wi-Fi cards and adapters, there is a similar tool for Bluetooth devices. It's called hciconfig.

  ~ # hciconfig

hci0:   Type: Primary  Bus: USB
        BD Address: ██:██:██:██:██:██  ACL MTU: 1022:8  SCO MTU: 183:5
        DOWN
        RX bytes:574 acl:0 sco:0 events:30 errors:0
        TX bytes:368 acl:0 sco:0 commands:30 errors:0

In my example we see one Bluetooth interface, hci0. This is the interface we will use for everything that follows. You can see that its current status is DOWN, which means no action is possible yet. So we first need to bring the interface up before we can work with Bluetooth.

If we had a Wi-Fi interface that was plugged in but not yet active, we would type ifconfig, the name of the interface, and then up. Since hciconfig works much like ifconfig, we can use many of the same commands, which are listed on its man page.

  ~ # man hciconfig

HCICONFIG(1)              Linux System Administration              HCICONFIG(1)

NAME
       hciconfig - configure Bluetooth devices

SYNOPSIS
       hciconfig -h
       hciconfig [-a]
       hciconfig [-a] hciX [command [command parameters]]

DESCRIPTION
       hciconfig is used to configure Bluetooth devices. hciX is the name of a
       Bluetooth device installed in the system. If hciX is not given,
       hciconfig prints the name and basic information about all the Bluetooth
       devices installed in the system. If hciX is given but no command is
       given, then hciconfig prints basic information on device hciX only.
       Basic information is interface type, BD address, ACL MTU, SCO MTU,
       flags (up, init, running, raw, page scan enabled, inquiry scan enabled,
       inquiry, authentication enabled, encryption enabled).

OPTIONS
       -h, --help
              Gives a list of possible commands.

       -a, --all
              Other than the basic info, print features, packet type, link
              policy, link mode, name, class, version.

COMMANDS
       up     Open and initialize HCI device.
       down   Close HCI device.
       reset  Reset HCI device.
       rstat  Reset statistic counters.
       auth   Enable authentication (sets device to security mode 3).
       noauth Disable authentication.
       encrypt
              Enable encryption (sets device to security mode 3).
       noencrypt
              Disable encryption.
       secmgr Enable security manager (current kernel support is limited).
       nosecmgr
              Disable security manager.
       piscan Enable page and inquiry scan.
       noscan Disable page and inquiry scan.
       iscan  Enable inquiry scan, disable page scan.
       pscan  Enable page scan, disable inquiry scan.
       ptype [type]
              With no type, displays the current packet types. Otherwise, all the packet types specified by type are set. type is a comma-separated list of packet types, where the possible packet types are DM1, DM3, DM5, DH1, DH3, DH5, HV1, HV2, HV3.
       name [name]
              With no name, prints local name. Otherwise, sets local name to name.
       class [class]
              With no class, prints class of device. Otherwise, sets class of device to class. class is a 24-bit hex number describing the class of device, as specified in section 1.2 of the Bluetooth Assigned Numbers document.
       voice [voice]
              With no voice, prints voice setting. Otherwise, sets voice setting to voice. voice is a 16-bit hex number describing the voice setting.
       iac [iac]
              With no iac, prints the current IAC setting. Otherwise, sets the IAC to iac.
       inqtpl [level]
              With no level, prints out the current inquiry transmit power level. Otherwise, sets inquiry transmit power level to level.
       inqmode [mode]
              With no mode, prints out the current inquiry mode. Otherwise, sets inquiry mode to mode.
       inqdata [data]
              With no data, prints out the current inquiry data. Otherwise, sets inquiry data to data.
       inqtype [type]
              With no type, prints out the current inquiry scan type. Otherwise, sets inquiry scan type to type.
       inqparms [win:int]
              With no win:int, prints inquiry scan window and interval. Otherwise, sets inquiry scan window to win slots and inquiry scan interval to int slots.
       pageparms [win:int]
              With no win:int, prints page scan window and interval. Otherwise, sets page scan window to win slots and page scan interval to int slots.
       pageto [to]
              With no to, prints page timeout. Otherwise, sets page timeout to to slots.
       afhmode [mode]
              With no mode, prints out the current AFH mode. Otherwise, sets AFH mode to mode.
       sspmode [mode]
              With no mode, prints out the current Simple Pairing mode. Otherwise, sets Simple Pairing mode to mode.
       aclmtu mtu:pkt
              Sets ACL MTU to mtu bytes and ACL buffer size to pkt packets.
       scomtu mtu:pkt
              Sets SCO MTU to mtu bytes and SCO buffer size to pkt packets.
       delkey <bdaddr>
              Deletes the stored link key for bdaddr from the device.
       oobdata
              Get local OOB data (invalidates previously read data).
       commands
              Display supported commands.
       features
              Display device features.
       version
              Display version information.
       revision
              Display revision information.
       lm [mode]
              With no mode, prints link mode. MASTER or SLAVE mean, respectively, to ask to become master or to remain slave when a connection request comes in. The additional keyword ACCEPT means that baseband connections will be accepted even if there are no listening AF_BLUETOOTH sockets. mode is NONE or a comma-separated list of keywords, where possible keywords are MASTER and ACCEPT. NONE sets link policy to the default behaviour of remaining slave and not accepting baseband connections when there are no listening AF_BLUETOOTH sockets. If MASTER is present, the device will ask to become master if a connection request comes in. If ACCEPT is present, the device will accept baseband connections even when there are no listening AF_BLUETOOTH sockets.

AUTHORS
       Written by Maxim Krasnyansky and Marcel Holtmann

       man page by Fabrizio Gennari

BlueZ                         November 11, 2002                     HCICONFIG(1)

 Manual page hciconfig(1) line 147/169 (END) (press h for help or q to quit)

We can see from the man page that this tool is used to configure Bluetooth devices, so if you have an external Bluetooth adapter plugged in, you can also use it to view the connected devices and configure them accordingly.

Now that we know a little more about hciconfig, press Q to leave the man page. Next we need to bring the Bluetooth device we found up. Simply type hciconfig, then the name of the device, then up.

  ~ # hciconfig hci0 up 

To check whether it worked, run the hciconfig command again:

  ~ # hciconfig

hci0:   Type: Primary  Bus: USB
        BD Address: ██:██:██:██:██:██  ACL MTU: 1022:8  SCO MTU: 183:5
        UP RUNNING
        RX bytes:1148 acl:0 sco:0 events:60 errors:0
        TX bytes:736 acl:0 sco:0 commands:60 errors:0

Step 2: Search for Bluetooth devices with hcitool

Now use hcitool to search for Bluetooth devices that are sending discovery beacons (that is, devices in discoverable mode). Let's take a look at the man page first:

  ~ # man hcitool

HCITOOL(1)                Linux System Administration                HCITOOL(1)

NAME
       hcitool - configure Bluetooth connections

SYNOPSIS
       hcitool [-h]
       hcitool [-i <hciX>] [command [command parameters]]

DESCRIPTION
       hcitool is used to configure Bluetooth connections and send some
       special command to Bluetooth devices. If no command is given, or if the
       option -h is used, hcitool prints some usage information and exits.

OPTIONS
       -h     Gives a list of possible commands

       -i <hciX>
              The command is applied to device hciX, which must be the name of
              an installed Bluetooth device. If not specified, the command will
              be sent to the first available Bluetooth device.

COMMANDS
       dev    Display local devices
       inq    Inquire remote devices. For each discovered device, Bluetooth device address, clock offset and class are printed.
       scan   Inquire remote devices. For each discovered device, device name is printed.
       name <bdaddr>
              Print device name of remote device with Bluetooth address bdaddr.
       info <bdaddr>
              Print device name, version and supported features of remote device with Bluetooth address bdaddr.
       spinq  Start periodic inquiry process. No inquiry results are printed.
       epinq  Exit periodic inquiry process.
       cmd <ogf> <ocf> [parameters]
              Submit an arbitrary HCI command to local device. ogf, ocf and parameters are hexadecimal bytes.
       con    Display active baseband connections
       cc [--role=m|s] [--pkt-type=<ptype>] <bdaddr>
              Create baseband connection to remote device with Bluetooth address bdaddr. Option --pkt-type specifies a list of allowed packet types. <ptype> is a comma-separated list of packet types, where the possible packet types are DM1, DM3, DM5, DH1, DH3, DH5, HV1, HV2, HV3. Default is to allow all packet types. Option --role can have value m (do not allow role switch, stay master) or s (allow role switch, become slave if the peer asks to become master). Default is m.
       dc <bdaddr> [reason]
              Delete baseband connection from remote device with Bluetooth address bdaddr. The reason can be one of the Bluetooth HCI error codes. Default is 19 for user ended connections. The value must be given in decimal.
       sr <bdaddr> <role>
              Switch role for the baseband connection from the remote device to master or slave.
       cpt <bdaddr> <packet types>
              Change packet types for baseband connection to device with Bluetooth address bdaddr. packet types is a comma-separated list of packet types, where the possible packet types are DM1, DM3, DM5, DH1, DH3, DH5, HV1, HV2, HV3.
       rssi <bdaddr>
              Display received signal strength information for the connection to the device with Bluetooth address bdaddr.
       lq <bdaddr>
              Display link quality for the connection to the device with Bluetooth address bdaddr.
       tpl <bdaddr> [type]
              Display transmit power level for the connection to the device with Bluetooth address bdaddr. The type can be 0 for the current transmit power level (which is default) or 1 for the maximum transmit power level.
       afh <bdaddr>
              Display AFH channel map for the connection to the device with Bluetooth address bdaddr.
       lp <bdaddr> [value]
              With no value, displays link policy settings for the connection to the device with Bluetooth address bdaddr. If value is given, sets the link policy settings for that connection to value. Possible values are RSWITCH, HOLD, SNIFF and PARK.
       lst <bdaddr> [value]
              With no value, displays link supervision timeout for the connection to the device with Bluetooth address bdaddr. If value is given, sets the link supervision timeout for that connection to value slots, or to infinite if value is 0.
       auth <bdaddr>
              Request authentication for the device with Bluetooth address bdaddr.
       enc <bdaddr> [encrypt enable]
              Enable or disable the encryption for the device with Bluetooth address bdaddr.
       key <bdaddr>
              Change the connection link key for the device with Bluetooth address bdaddr.
       clkoff <bdaddr>
              Read clock offset for the device with Bluetooth address bdaddr.
       clock [bdaddr] [which clock]
              Read clock for the device with Bluetooth address bdaddr. The clock can be 0 for the local clock or 1 for the piconet clock (which is default).
       lescan [--privacy] [--passive] [--whitelist] [--discovery=g|l] [--duplicates]
              Start LE scan
       leinfo [--static] [--random] <bdaddr>
              Get LE remote information
       lewladd [--random] <bdaddr>
              Add device to LE White List
       lewlrm <bdaddr>
              Remove device from LE White List
       lewlsz Read size of LE White List
       lewlclr
              Clear LE White List
       lerladd [--local irk] [--peer irk] [--random] <bdaddr>
              Add device to LE Resolving List
       lerlrm <bdaddr>
              Remove device from LE Resolving List
       lerlclr
              Clear LE Resolving List
       lerlsz Read size of LE Resolving List
       lerlon Enable LE Address Resolution
       lerloff
              Disable LE Address Resolution
       lecc [--static] [--random] <bdaddr> | [--whitelist]
              Start LE connection
       ledc <handle> [reason]
              Disconnect from LE connection
       lecup <handle> <min> <max> <latency> <timeout>
              LE Connection Update

AUTHORS
       Written by Maxim Krasnyansky and Marcel Holtmann

       man page by Fabrizio Gennari

BlueZ                            Nov 12 2002                         HCITOOL(1)

 Manual page hcitool(1) line 154/176 (END) (press h for help or q to quit)

hcitool is used to configure connections and to perform various tasks such as scanning, inquiring, and retrieving names. It is very useful for getting familiar with a device, but some of its commands require a MAC address.

Let's look at some of these commands. First we do a scan. It uses the Bluetooth interface to search for nearby discoverable devices and displays their MAC addresses, so that we can run further scans, inquiries, or name lookups against them.

  ~ # hcitool scan

Scanning ...
        00:1D:A5:00:09:1D       OBDII

Above we see an OBD2 connector plugged into a vehicle, which is pretty interesting. With its MAC address we can now run the commands that require one. Let's try to look up the device's name:

  ~ # hcitool name 00:1D:A5:00:09:1D

OBDII

This gives us the name of the device, which we already knew from the first scan. If we hadn't known it, this is how we would learn it. To get more information, use the inq command:

  ~ # hcitool inq 00:1D:A5:00:09:1D

Inquiring ...
        00:1D:A5:00:09:1D       clock offset: 0x21c0    class: 0x5a020c

Note that the clock offset and the device class are also displayed. The class indicates what type of Bluetooth device it is; you can look up the code on the Bluetooth SIG site, or, as we'll see later, let a tool decode it for us.
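Decoding the class yourself is straightforward once you know the bit layout, and it is useful when you are keeping an inventory of the devices in your own environment rather than relying on a tool's lookup. The following is an added example, not code from the article or from BlueZ: it decodes a Class of Device value according to the bit layout published in the Bluetooth Assigned Numbers and parses `hcitool inq` result lines. The sample output is constructed to match the line shown above; the class tables are the standard ones for the major classes, the minor classes of the Computer and Phone majors, and the service flags.

```python
"""Decode the Class of Device (CoD) value that `hcitool inq` prints, e.g.
"class: 0x5a020c", into a major class, minor class and service flags.

Bit layout from the Bluetooth Assigned Numbers (Baseband section):
  bits 0-1   format type (only format 0 is defined)
  bits 2-7   minor device class (its meaning depends on the major class)
  bits 8-12  major device class
  bits 13-23 major service class flags, one bit each
"""
import re
from dataclasses import dataclass, field

MAJOR_CLASSES = {
    0: "Miscellaneous", 1: "Computer", 2: "Phone", 3: "LAN/Network Access Point",
    4: "Audio/Video", 5: "Peripheral", 6: "Imaging", 7: "Wearable",
    8: "Toy", 9: "Health", 31: "Uncategorized",
}

# Minor classes for the two major classes most often seen in a scan.
MINOR_CLASSES = {
    1: {0: "Uncategorized", 1: "Desktop workstation", 2: "Server", 3: "Laptop",
        4: "Handheld PC/PDA", 5: "Palm-size PC/PDA", 6: "Wearable computer", 7: "Tablet"},
    2: {0: "Uncategorized", 1: "Cellular", 2: "Cordless", 3: "Smartphone",
        4: "Wired modem or voice gateway", 5: "Common ISDN access"},
}

# Service class flags keyed by their bit position in the CoD (bits 14 and 15 are reserved).
SERVICE_BITS = {
    13: "Limited Discoverable Mode", 16: "Positioning", 17: "Networking",
    18: "Rendering", 19: "Capturing", 20: "Object Transfer", 21: "Audio",
    22: "Telephony", 23: "Information",
}


@dataclass
class DeviceClass:
    raw: int
    major: str
    minor: str
    services: list = field(default_factory=list)


def decode_cod(cod):
    """cod is an int or a hex string such as '0x5a020c'."""
    value = int(cod, 16) if isinstance(cod, str) else int(cod)
    if value & 0x3:
        raise ValueError("unsupported CoD format type %d" % (value & 0x3))
    major_num = (value >> 8) & 0x1F
    minor_num = (value >> 2) & 0x3F
    major = MAJOR_CLASSES.get(major_num, "Reserved (%d)" % major_num)
    minor = MINOR_CLASSES.get(major_num, {}).get(minor_num, "minor 0x%02x" % minor_num)
    services = [name for bit, name in SERVICE_BITS.items() if value & (1 << bit)]
    return DeviceClass(value, major, minor, services)


# One `hcitool inq` result line: bdaddr, clock offset, class.
INQ_LINE = re.compile(
    r"^\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+clock offset:\s*(0x[0-9A-Fa-f]+)"
    r"\s+class:\s*(0x[0-9A-Fa-f]+)"
)


def parse_inq_output(text):
    """Turn `hcitool inq` output into a list of (bdaddr, clock_offset, DeviceClass).
    Lines that are not results (such as the 'Inquiring ...' header) are skipped."""
    results = []
    for line in text.splitlines():
        m = INQ_LINE.match(line)
        if m:
            results.append((m.group(1), int(m.group(2), 16), decode_cod(m.group(3))))
    return results


# Constructed sample, modelled on the inquiry result shown in the article.
SAMPLE_INQ = """Inquiring ...
\t00:1D:A5:00:09:1D\tclock offset: 0x21c0\tclass: 0x5a020c
"""

if __name__ == "__main__":
    for bdaddr, offset, dc in parse_inq_output(SAMPLE_INQ):
        print("%s  %s / %s  services: %s"
              % (bdaddr, dc.major, dc.minor, ", ".join(dc.services) or "none"))
```

For the class value shown above, 0x5a020c, the decoder reports major class Phone, minor class Smartphone, with the Networking, Capturing, Object Transfer and Telephony service bits set. The name a device advertises and the class it reports are independent fields, so an inventory should record both rather than trusting either one alone.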

Step 3: Search for services with sdptool

To find out more about the services a device offers, you can use sdptool. It tells us which functions and properties are available on the device, and perhaps whether we can make use of them. We need the MAC address again, but first let's read the man page:

  ~ # man sdptool

sdptool(1)                  General Commands Manual                  sdptool(1)

NAME
       sdptool - control and interrogate SDP servers

SYNOPSIS
       sdptool [options] {command} [command parameters ...]

DESCRIPTION
       sdptool provides the interface for performing SDP queries on Bluetooth
       devices, and administering a local SDP database.

COMMANDS
       The following commands are available. In all cases bdaddr specifies
       the device to search or browse. If local is used for bdaddr, then the
       local SDP database is searched.

       Services are identified and manipulated with a 4-byte record_handle
       (NOT the service name). To find a service's record_handle, look for
       the "Service RecHandle" line in the search or browse results

       search [--bdaddr bdaddr] [--tree] [--raw] [--xml] service_name
              Search for services. Known service names are DID, SP, DUN, LAN, FAX, OPUSH, FTP, HS, HF, HFAG, SAP, NAP, GN, PANU, HCRP, HID, CIP, A2SRC, A2SNK, AVRCT, AVRTG, UDIUE, UDITE and SYNCML.
       browse [--tree] [--raw] [--xml] [bdaddr]
              Browse all available services on the device specified by a Bluetooth address as a parameter.
       records [--tree] [--raw] [--xml] bdaddr
              Retrieve all possible service records.
       add [ --handle=N --channel=N ]
              Add a service to the local SDP database. You can specify a handle for this record using the --handle option. You can specify a channel to add the service on using the --channel option. NOTE: The local adapter configuration will not be updated, and this command should be used only for SDP testing.
       del record_handle
              Remove a service from the local SDP database. NOTE: The local adapter configuration will not be updated, and this command should be used only for SDP testing.
       get [--tree] [--raw] [--xml] [--bdaddr bdaddr] record_handle
              Retrieve a service from the local SDP database.
       setattr record_handle attrib_id attrib_value
              Set or add an attribute to an SDP record.
       setseq record_handle attrib_id attrib_values
              Set or add an attribute sequence to an SDP record.

OPTIONS
       --help Displays help on using sdptool.

EXAMPLES
       sdptool browse 00:80:98:24:15:6D
       sdptool browse local
       sdptool add DUN
       sdptool del 0x10000

BUGS
       Documentation needs improving.

AUTHOR
       Maxim Krasnyansky. Man page written by Edd Dumbill.

                                                                     sdptool(1)

 Manual page sdptool(1) line 60/82 (END) (press h for help or q to quit)

This lets us control and query SDP (Service Discovery Protocol) servers, so we can ask Bluetooth devices what services they offer, find out exactly how those services are exposed, and get an idea of what we could probably do with them.

Exit the man page and type sdptool browse followed by the MAC address we recorded:

  ~ # sdptool browse 00:1D:A5:00:09:1D

Browsing 00:1D:A5:00:09:1D ...
Service Name: SPP
Service RecHandle: 0x10001
Service Class ID List:
  "Serial Port" (0x1101)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1

Here we see a bit more about how the device communicates and which protocols it uses. Perhaps we can even find out whether the device has a security vulnerability, whether we can talk to it directly, or whether MAC address randomization or something similar is in use.
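Reading this output by eye works for one device, but if you are auditing your own fleet you want it as data, so that a later browse can be compared against an earlier one and any newly exposed service stands out. The following is an added example, not code from the article or from BlueZ: it parses the plain-text `sdptool browse` output into one record per service and summarizes which services listen on which RFCOMM channel. The sample input is constructed: the SPP record is the one shown above, and the second record is a made-up OBEX Object Push record of the kind a phone would advertise.

```python
"""Parse `sdptool browse <bdaddr>` output into structured service records.

Records in the output are separated by blank lines. Each one carries a
service name, a record handle, a "Service Class ID List" of quoted names
with UUIDs, and a "Protocol Descriptor List" that may include an RFCOMM
"Channel:" or an L2CAP "PSM:" line.
"""
import re

# Constructed sample: the article's SPP record plus a made-up OBEX record.
SAMPLE_BROWSE = """Browsing 00:1D:A5:00:09:1D ...
Service Name: SPP
Service RecHandle: 0x10001
Service Class ID List:
  "Serial Port" (0x1101)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1

Service Name: OBEX Object Push
Service RecHandle: 0x10002
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 12
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0100
"""

QUOTED = re.compile(r'"([^"]*)"\s*\((0x[0-9A-Fa-f]+)\)')   # "Name" (0xUUID)
KEYVAL = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")          # Key: value


def parse_browse(text):
    """Return a list of dicts, one per service record, in output order."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if not any(l.strip().startswith("Service RecHandle:") for l in lines):
            continue  # header text without a record
        rec = {"name": None, "handle": None, "classes": [], "protocols": [],
               "channel": None, "psm": None}
        section = None
        for line in lines:
            q = QUOTED.search(line)
            m = KEYVAL.match(line)
            if q:
                entry = (q.group(1), int(q.group(2), 16))
                if section == "class":
                    rec["classes"].append(entry)
                elif section == "proto":
                    rec["protocols"].append(entry)
            elif m:
                key, val = m.group(1).strip(), m.group(2).strip()
                if key == "Service Name":
                    rec["name"] = val
                elif key == "Service RecHandle":
                    rec["handle"] = int(val, 16)
                elif key == "Service Class ID List":
                    section = "class"
                elif key == "Protocol Descriptor List":
                    section = "proto"
                elif key.endswith("List"):
                    section = "other"
                elif key == "Channel" and section == "proto":
                    rec["channel"] = int(val)
                elif key == "PSM" and section == "proto":
                    rec["psm"] = int(val, 0)
        records.append(rec)
    return records


def rfcomm_services(records):
    """Map each RFCOMM channel to the service name that listens on it: the
    view a device owner wants when checking what a device exposes."""
    return {r["channel"]: r["name"] for r in records if r["channel"] is not None}


if __name__ == "__main__":
    recs = parse_browse(SAMPLE_BROWSE)
    for r in recs:
        print("0x%05x %-18s classes=%s channel=%s"
              % (r["handle"], r["name"], [c[0] for c in r["classes"]], r["channel"]))
    print(rfcomm_services(recs))
```

Saving the parsed records from each audit and diffing them is a simple way to notice when a device starts advertising a service it did not before, for instance after a firmware update.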

Step 4: Check Whether Devices Are Reachable with l2ping

Now that we have the MAC addresses of the nearby devices, we can ping them, whether or not they are in discoverable mode, to determine whether they are reachable. In my case it's just one device.

  ~ # l2ping 00:1D:A5:00:09:1D

Ping: 00:1D:A5:00:09:1D from ██:██:██:██:██:██ (data size 44) ...
44 bytes from 00:1D:A5:00:09:1D id 0 time 37.57ms
44 bytes from 00:1D:A5:00:09:1D id 1 time 27.23ms
44 bytes from 00:1D:A5:00:09:1D id 2 time 27.59ms
44 bytes from 00:1D:A5:00:09:1D id 3 time 27.31ms
44 bytes from 00:1D:A5:00:09:1D id 4 time 40.99ms
44 bytes from 00:1D:A5:00:09:1D id 5 time 48.77ms
44 bytes from 00:1D:A5:00:09:1D id 6 time 59.93ms
44 bytes from 00:1D:A5:00:09:1D id 7 time 48.84ms
44 bytes from 00:1D:A5:00:09:1D id 8 time 67.59ms

Step 5: Search for Bluetooth devices with btscanner

Now it is time to move on to the last tool we will cover. This one has a full user interface you can use to discover Bluetooth devices. It's called btscanner, and to start it we just type btscanner:

  ~ # btscanner

Opening the OUI database
Reading the OUI database

The interface will look familiar to anyone who has used Kismet: a command-line program with a GUI feel. It is really useful because by typing i we can start an inquiry scan and find nearby Bluetooth devices, which we could then connect to, send a command to, or similar.

We found a device, and it's the same Bluetooth device we found before. I'm sure we'll find some other devices as well once they come into range. Now we can press Enter to learn more about this device.

Here we can see the device's name, when it was first seen, the OUI owner (that is, the manufacturer, which is interesting), and then some more information about the various features it advertises.

To return to the main window, press Q. If other devices are discovered or come into range, we can find them here and learn more about them: what they communicate with, what else they are capable of, and much more.

If you don't have Bluetooth on your computer, you can always plug in a Bluetooth adapter, but you may want to check that it is compatible before proceeding and troubleshoot any problems. I'm not sure that every Bluetooth adapter is compatible with every Linux program.

Above you can see that we have found a second device.

We can see that this is a smartphone, a Samsung device, and that it offers many more functions and capabilities than our first device. We are now able to find different devices, start learning about them, perhaps see the software running on them and the services they advertise, and judge whether each is a good target or not. All of this was done with a stock version of Kali Linux, and we didn't have to install anything. If you're new to Kali Linux, this is a great way to use some of its built-in tools to reach out and touch the Bluetooth devices around you, and to learn what each of these versatile and powerful tools can do.

What We Have Learned So Far

Today we looked at Bluetooth reconnaissance, and there are some more advanced things we can do with this information. Many Bluetooth devices don't bother to randomize their MAC address, which means it always stays the same. That can be used to track a person from place to place.

Take Tile Bluetooth trackers, for example: a lost item can be located by anyone running the app. That means the person carrying one is traceable, and there is no way to turn it off. If you want to prevent this type of tracking, you need to disable Bluetooth on devices such as cell phones. For devices where it is always on, such as a Tile tracker, there is really no option other than leaving it at home.
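Whether a device of yours is trackable in this way is something you can measure rather than guess: scan twice an hour or more apart and see which addresses are still the same. The following is an added example, not code from the article or from BlueZ, written from the device owner's side. For Bluetooth LE, a random address announces its own sub-type in the top two bits of its first byte (Core Specification Vol 6, Part B, Section 1.3.2): 11 is static random, 01 is a resolvable private address, which a device supporting privacy rotates periodically, and 00 is non-resolvable private. Public addresses, including the fixed address of a classic BR/EDR device like the OBDII dongle above, never change. The address type ("public" or "random") is assumed to come from the scanner, since the HCI advertising report carries it even though `hcitool lescan` does not print it; the scan log is constructed.

```python
"""Find which Bluetooth addresses stayed constant across repeated scans.

A device that keeps the same address for hours can be followed from place
to place; one that rotates a resolvable private address cannot be tied to
its earlier sightings without its identity resolving key.
"""
from collections import defaultdict


def random_address_subtype(addr):
    """Sub-type of an LE *random* address from the top two bits of its first
    byte. Only meaningful when the scanner reported the address type as
    random; a public address carries no such marker."""
    top_bits = int(addr.split(":")[0], 16) >> 6
    return {0b11: "static", 0b01: "resolvable private",
            0b00: "non-resolvable private"}.get(top_bits, "reserved")


def trackable_addresses(observations, min_span_s=3600):
    """observations: dicts with keys t (seconds), addr, type ('public' or
    'random') and name. Returns {addr: reason} for every address still in
    use at least min_span_s after it was first seen. A resolvable private
    address that survives that long is one the device is not rotating."""
    span = defaultdict(lambda: {"first": None, "last": None, "type": None})
    for ob in observations:
        entry = span[ob["addr"]]
        entry["first"] = ob["t"] if entry["first"] is None else min(entry["first"], ob["t"])
        entry["last"] = ob["t"] if entry["last"] is None else max(entry["last"], ob["t"])
        entry["type"] = ob["type"]
    result = {}
    for addr, entry in span.items():
        seconds = entry["last"] - entry["first"]
        if seconds < min_span_s:
            continue
        if entry["type"] == "public":
            result[addr] = "public address, never changes"
        else:
            result[addr] = "%s random address unchanged for %d s" % (
                random_address_subtype(addr), seconds)
    return result


# Constructed scan log: the article's OBDII dongle (public address), a phone
# that rotates its resolvable private address between the two scans, and a
# fitness tracker using a static random address.
SAMPLE_SCANS = [
    {"t": 0,    "addr": "00:1D:A5:00:09:1D", "type": "public", "name": "OBDII"},
    {"t": 0,    "addr": "4A:11:22:33:44:55", "type": "random", "name": "(unknown)"},
    {"t": 0,    "addr": "C0:AA:BB:CC:DD:EE", "type": "random", "name": "Tracker"},
    {"t": 7200, "addr": "00:1D:A5:00:09:1D", "type": "public", "name": "OBDII"},
    {"t": 7200, "addr": "5B:66:77:88:99:AA", "type": "random", "name": "(unknown)"},
    {"t": 7200, "addr": "C0:AA:BB:CC:DD:EE", "type": "random", "name": "Tracker"},
]

if __name__ == "__main__":
    for addr, reason in trackable_addresses(SAMPLE_SCANS).items():
        print("%s  trackable: %s" % (addr, reason))
```

On the constructed log, the dongle and the tracker are reported as trackable and the phone is not, because its two sightings use different resolvable private addresses and therefore cannot be linked from the air. Run against real scans of your own devices, the same check tells you which of them you would need to switch off, or leave at home, to avoid being followed.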

