Penetration Testing mailing list archives

Re: Bluetooth testing...


From: Joshua Wright <jwright () hasborg com>
Date: Thu, 07 Aug 2008 16:37:53 -0400


Serg B wrote:
| Thanks for all replies so far, just a quick update with more detail...
| I am planning to be using a Linux based laptop with a USB bluetooth
| dongle...
|
| Not sure if the equipment is right or not, so any feedback on that
| front is also appreciated.

The tools mentioned by various posters such as BlueMaho and BlueDiving
are all useful, though some functionality may not work as expected.
Best to become comfortable with the code and what is being called (often
external executables) and use those tools directly instead.

From a hardware perspective, I have had a lot of luck with the Zoom
Bluetooth USB dongle on Linux (http://tinyurl.com/5pn485).  It is easy
to modify to accept an external 2.4 GHz antenna, is a class 1
transmitter (e.g. 100 mW), supports Bluetooth 2.0 extensions (including
RSSI reporting introduced in Bluetooth 1.2) and works well on Linux and
Windows systems.

Instructions on modifying this dongle to work with an external antenna
are available from Gary Coleman (aka KF):
http://www.digitalmunition.com/zoom-mod/ in 4 succinct steps.

If you are hardcore about Bluetooth testing, you'll want to identify
devices in non-discoverable mode too.  The talk about using RedFang or
other brute-force mechanisms to do this is BS; you need to use a
software-defined radio such as the USRP and GNURadio with Dominic
Spill's gr-bluetooth code:

http://www.cs.ucl.ac.uk/staff/a.bittau/gr-bluetooth.tar.gz
http://www.usenix.org/event/woot07/tech/full_papers/spill/spill.pdf

This will run you ~$1000/USD with a USRP Software Defined Radio
(www.ettus.com) and the USRP Flex2400 2.4 GHz receiver.  Alternatively,
you can snag a Cognio Spectrum Expert card that will give you the same
information (~$3000/USD) and it runs on Windows.

For either solution, you will get the last 3 bytes of the BD_ADDR of a
Bluetooth device actively transmitting, regardless of whether it is
discoverable or not.  With the last 3 bytes of the BD_ADDR, you can
brute-force the first three bytes of the BD_ADDR (representing the OUI)
using the list of common Bluetooth OUIs from the BNAP, BNAP project:

http://802.15ninja.net/bnapbnap/

I modified btscanner to search through the list of common OUIs given
the last three bytes of the BD_ADDR, available here:

http://www.willhackforsushi.com/code/btscanner-2.1-lapsearch.tgz
http://www.willhackforsushi.com/Home/Entries/2007/10/8_Headset_Attack_Demo_At_SANS_NS2007_Las_Vegas.html

Make sure you do a "./configure ; make ; make install" to get the files
in the right places.  Press "l" to enter the LAP and start searching
(faster if you have multiple dongles connected; I usually use 4 at the
same time).  If you run into a problem, please drop me a note.

The bottom line is that Bluetooth analysis is still a big mystery to
lots of end-users and pen-testers, and I personally feel that it doesn't
get the attention it deserves.  We spend a bunch of time going over
exploiting Bluetooth in my SANS Wireless Penetration Testing course
(http://www.sans.org/training/description.php?mid=3) on day 5,
specifically on how to apply Bluetooth security testing in a pen-test
engagement.  Students also get the Zoom USB dongle as part of the class
(along with an AirPcap TX and drivers for Linux and Windows, and the
BU-353 USB GPS).

One last parting note: don't overlook the basic stuff in a pen-test
engagement.  I have been successful in getting lots of critical data
from Bluetooth phones using nothing more devious than the Nokia PC Suite
software on many occasions.

-Josh
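
The LAP-search step Josh describes (sniffer hands you the low 3 bytes of a BD_ADDR, you try each common OUI in front of them until a paged name request answers) is small enough to show end to end. The script below is an added example written for this archive page; it is not code from the original post and not the btscanner-2.1-lapsearch patch. Assumptions: the BD_ADDR layout NAP(2)|UAP(1)|LAP(3) with NAP+UAP forming the vendor OUI is from the Bluetooth core spec; the probe uses BlueZ's real `hcitool -i hciN name <bdaddr>` command, which returns a remote name only when the address is right; SAMPLE_OUIS is a constructed list for illustration and should be replaced with the BNAP, BNAP list in practice; the adapter names hci0/hci1 are examples.

```python
"""Brute-force the OUI (upper 3 BD_ADDR bytes) given a sniffed LAP.

Added example, not from the original post or btscanner. Probing uses
BlueZ's 'hcitool name'; pass a different probe() to test offline.
"""
import subprocess
import sys
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed for illustration only (assumed, not real vendor data).
# Replace with the common Bluetooth OUI list from the BNAP, BNAP project.
SAMPLE_OUIS = ["00:11:22", "00:AA:BB", "08:00:28", "00:60:57"]


def normalize_lap(lap: str) -> str:
    """Accept '12:34:56', '12-34-56', '123456' or '0x123456'; return 'XX:XX:XX'."""
    digits = lap.strip().lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    digits = digits.replace(":", "").replace("-", "")
    if len(digits) != 6 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"LAP must be 24 bits of hex, got {lap!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 6, 2))


def candidate_bdaddrs(lap: str, ouis: Iterable[str]) -> List[str]:
    """BD_ADDR = NAP(2) | UAP(1) | LAP(3). NAP+UAP is the vendor OUI, so each
    candidate is simply OUI + sniffed LAP. Duplicate OUIs are dropped."""
    lap = normalize_lap(lap)
    seen, out = set(), []
    for oui in ouis:
        addr = f"{oui.strip().upper().replace('-', ':')}:{lap}"
        if addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


def hcitool_name(dev: str, bdaddr: str, timeout: float = 15.0) -> Optional[str]:
    """Probe one candidate with BlueZ. A non-discoverable device ignores
    inquiry but still answers a page to its real BD_ADDR, so a returned
    name means the OUI guess was right."""
    try:
        res = subprocess.run(["hcitool", "-i", dev, "name", bdaddr],
                             capture_output=True, text=True, timeout=timeout)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    name = res.stdout.strip()
    return name or None


def lap_search(lap: str, ouis: Iterable[str],
               probe: Callable[[str, str], Optional[str]] = hcitool_name,
               adapters: Iterable[str] = ("hci0",)) -> Optional[Tuple[str, str]]:
    """Spread candidates round-robin over the adapters (one dongle each pages
    one address at a time, so N dongles give roughly N times the speed) and
    stop every worker as soon as one gets a name back."""
    cands = candidate_bdaddrs(lap, ouis)
    devs = list(adapters)
    found = threading.Event()
    hits: List[Tuple[str, str]] = []

    def worker(dev: str, chunk: List[str]) -> None:
        for addr in chunk:
            if found.is_set():
                return
            name = probe(dev, addr)
            if name:
                hits.append((addr, name))
                found.set()
                return

    chunks = [cands[i::len(devs)] for i in range(len(devs))]
    with ThreadPoolExecutor(max_workers=len(devs)) as pool:
        for dev, chunk in zip(devs, chunks):
            pool.submit(worker, dev, chunk)
    return hits[0] if hits else None


if __name__ == "__main__":
    # usage: lapsearch.py <LAP> [hci0 hci1 ...]
    lap_arg = sys.argv[1]
    devs_arg = sys.argv[2:] or ["hci0"]
    hit = lap_search(lap_arg, SAMPLE_OUIS, adapters=devs_arg)
    print(f"found {hit[0]} ({hit[1]})" if hit else "no candidate answered")
```

The probe is injected so the search logic can be exercised without radios; with real hardware, `python3 lapsearch.py 12:34:56 hci0 hci1 hci2 hci3` mirrors the four-dongle setup mentioned above. Each failed `hcitool name` waits for the page timeout, so the OUI list order matters far more than the thread count.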
