Skip to main content

Posts

Showing posts from July, 2022

Bluetooth Sniffing

There is no promisc mode for standard bluetooth firmwares. With tools such as hci dump we can only read our own traffic. "hcidump -X -i hci0" So to implement bluetooth sniffer we will use the bluetooth modules once again Lets start digging into the code to sniff bluetooth packets. ##Required Libraries ##Method 'hci_open_dev(0)' opens a raw socket to the first HCI device. ##In socket object we will set the properity HCI_FILTER to be able to recieve all HCI events and packets type. ##now inside while loop we will read 3 bytes from socket 1. first byte represents the type of HCI packet 2. second is HCI byte 3. length of the packet i.e. packet is dumped bytewise in hexedecimal unless type is a HCI_ACLDATA_PKT and if so we print the whole packet as ASCII string you can find the whole code in the following repository Bluetooth Sniffer Checkout some more hacking scripts SECURING SYSTEM

Bluetooth Spoofing

For two different chipsets Ericsson and CSR codes exist that allows us to set new bluetooth address ,which makes spoofing possible. we can examine chipset of our bluetooth dongle by runnning command 'hcidump -a' Lets start digging into the code ##required libraries ##check if bluetooth adddress is passed as an arguement to this script or not and if not simply print usage and exit ##split the bluetooth address by colon into its bytes ##open the raw socket to the hci device with help of 'hci_open_dev()' method ##this is a cryptical vendor command ,here we are appending the new bluetooth address in the CSR-vendor comamnd ##change the command to hexadecimal else ASCII value of single chars get set ##Now finally we send the command via HCI to the firmware. and once we update the bluetooth address we must reset the chip ,as this can be simply done by unplugging dongle and plugging it again. you can check the whole code in this repository bluetooth spoofin

blue bug exploit

some bluetooth device may contain a hidden channel that is not listed by sdp and to which one connect without any password protection. once connected one can send any AT command and the mobile phone will execute without question. This can be used to completely remote control the device. The possibility of this exploit go from reading the phone book , calender to sending the messages ,making calls etc. Search for nokia AT commands and start executing them while performing this attack. Lets start writing the code ##required libraries ##check if proper arguements are passed to the script or not and if not simply exit ##set the arguement values to the variable ##create a socket object from lightblue library and pass the bluetooth address and the channel id to the connect method of the socket object. and connect to the device. ##once the connection is made start executing the nokia AT commands and once we will exit the loop we will simply close the socket connection You ca

Blue Snarf Exploit

The Blue Snarf exploit connects to an OBEX-Push profile, which is implemented on most devices without any authentication, and tries to retrieve the telephone book as well as the calendar by issuing a OBEX GET. ##Required Libraries ##Check if required arguements are passed to script or not and if not exit ##assign the arguements passed to the variables ##create an object of the obex client and pass the parameters and connect ##open both the 'phonebook.vcf' and 'calender.vcf' files to store the data and use the get() method of lightblue to download the files. get method needs two parameter first is dictionary where key consist of path to the remote file ,and second the parameter is an open writable file handle in which content of file gets written and close the file handle via .close() method ##disconnect the connection made You can check the whole code under this repository blue_snarf_exploit Checkout some more hacking scripts

OBEX (OBject EXchange)

OBEX (OBject Exchange) is a communications protocol that facilitates binary transfers between bluetooth enabled devices. ##Libraries required ##check if the required arguements passed to script or not and if not exit ##assign the values recieved over arguements to the variables ##firstly we will create a new OBEXClient object by calling the "OBEXClient() and pass the Bluetooth address and channel as parameter" Then method connect tries to connect to the specified tupel ,and if the connection is made we use the put() method to send a file The first parameter for the put() method is dictionary ,this just defines the what the name of the file will be on remote device and second parameter is a file handle to a binary opened file.and the connections and socket are closed. You can check the complete code in this repo : OBEX Checkout some more hacking scripts SECURING SYSTEM BLUETOOTH

RCOMM Channel Scanner

Each service can be listed via SDP ,but its not an actual requirement .So thats where the RCOMM comes into the picture ,it will try to access all the 30 channels to see what is running on the target address. We can consider RCOMM scanning as the port scanning for bluetooth . It is making a full connection to each channel, no packet tricks, no nothing. If it reaches a channel that needs further authorization the owner of the scanned device is asked to authorize it and for an encrypted link layer to even enter a password. If the owner chooses to not authorize the connection the socket connection is closed. The user interaction needs time. Time we can use to determine whether the port is really closed or filtered. ##Implementation details: The Idea is to call the function alarm before executing connect. If the connect call doesn’t return before timeout seconds are reached the signal SIGALRM gets triggered, which executes our handler function sig_alrm_handler(), that was previously

SDP(Service Discovery Protocol) - Browser

SDP(Service Discovery Protocol) : A bluetooth device can be queried which services it offers. It returns information about the channel the service is running on ,the used protocol ,the service name and a short description. For this we will use the python module `bluetooth` ,for bluetooth related operations. ##Required libraries ##check if the parameters required to this script are passed or not and if not exit and print usage. ##use find_service() method ,it recieves the target address as parameter and return a list of services. As the list contains the dictionaries which items are the described properties service until list returned is not empty. you can clone the whole code in the following git repo : SDP Browser Checkout some more hacking scripts SECURING SYSTEM BLUETOOTH ATTACKS STEALING AND SNIFFING ATTACKS KALI LINUX HACKING COMMANDS CHEATSHEET

Bluetooth Scanner with python

Bluetooth is a wireless voice and data transmission technology, which can be built into mobile phones, PDAs, USB sticks, keyboards, mices, headsets, printers, telephone facilities in cars, navigation systems, new modern advertisement posters, umbrellas etc. In contrast to infrared, Bluetooth doesn’t rely on direct visual contact to connect to devices. Lets start the scripting the bluetooth scanner in the python we will use existing libraries for this . ##Modules Required - lightblue - bluetooth First of all we need to start our bluetooth device / turn on the bluetooth ##Method finddevices() returns the list of tuples as (hardware address ,device name ,device class) we can set the optional param getnames=False by doing this we can skip the name resolution but it maye take some extra time as bluetooth makes an extra connection just to resolve every name. you can clone the whole script from this repository : bluetooth_scanner Checkout some more hackin