Penetration Testing mailing list archives
Re: Bluetooth testing...
From: Joshua Wright <jwright () hasborg com>
Date: Thu, 07 Aug 2008 16:37:53 -0400
Serg B wrote:
| Thanks for all replies so far, just a quick update with more detail...
| I am planning to be using a Linux based laptop with a USB bluetooth
| dongle...
|
| Not sure if the equipment is right or not, so any feedback on that
| front is also appreciated.

The tools mentioned by various posters such as BlueMaho and BlueDiving are all useful, though some functionality may not work as expected. Best to become comfortable with the code and what is being called (often external executables) and use those tools directly instead.

From a hardware perspective, I have had a lot of luck with the Zoom Bluetooth USB dongle on Linux (http://tinyurl.com/5pn485). It is easy to modify to accept an external 2.4 GHz antenna, is a class 1 transmitter (e.g. 100 mW), supports Bluetooth 2.0 extensions (including RSSI reporting introduced in Bluetooth 1.2) and works well on Linux and Windows systems. Instructions on modifying this dongle to work with an external antenna are available from Gary Coleman (aka KF): http://www.digitalmunition.com/zoom-mod/ in 4 succinct steps.

If you are hardcore about Bluetooth testing, you'll want to identify devices in non-discoverable mode too. The talk about using RedFang or other brute-force mechanisms to do this is BS; you need to use a software-defined radio such as the USRP and GNURadio with Dominic Spill's gr-bluetooth code:

http://www.cs.ucl.ac.uk/staff/a.bittau/gr-bluetooth.tar.gz
http://www.usenix.org/event/woot07/tech/full_papers/spill/spill.pdf

This will run you ~$1000/USD with a USRP Software Defined Radio (www.ettus.com) and the USRP Flex2400 2.4 GHz receiver. Alternatively, you can snag a Cognio Spectrum Expert card that will give you the same information (~$3000/USD) and it runs on Windows. For either solution, you will get the last 3 bytes of the BD_ADDR of a Bluetooth device actively transmitting, regardless of whether it is discoverable or not.

With the last 3 bytes of the BD_ADDR, you can brute-force the first three bytes of BD_ADDR (representing the OUI) using the list of common Bluetooth OUIs from the BNAP, BNAP project: http://802.15ninja.net/bnapbnap/

I modified btscanner to search through the list of common OUIs given the last three bytes of BD_ADDR, available here:

http://www.willhackforsushi.com/code/btscanner-2.1-lapsearch.tgz
http://www.willhackforsushi.com/Home/Entries/2007/10/8_Headset_Attack_Demo_At_SANS_NS2007_Las_Vegas.html

Make sure you do a "./configure ; make ; make install" to get the files in the right places. Press "l" to enter the LAP and start searching (faster if you have multiple dongles connected; I usually use 4 at the same time). If you run into a problem, please drop me a note.

The bottom line is that Bluetooth analysis is still a big mystery to lots of end-users and pen-testers, and I personally feel that it doesn't get the attention it deserves. We spend a bunch of time going over exploiting Bluetooth in my SANS Wireless Penetration Testing course (http://www.sans.org/training/description.php?mid=3) on day 5, specifically on how to apply Bluetooth security testing in a pen-test engagement. Students also get the Zoom USB dongle as part of the class (along with an AirPcap TX and drivers for Linux and Windows, and the BU-353 USB GPS).

One last parting note; don't overlook the basic stuff in a pen-test engagement. I have been successful in getting lots of critical data from Bluetooth phones using nothing more devious than the Nokia PC Suite software on many occasions.

-Josh