So this is going to be a post which will probably be either updated when possible or deleted
depending on the progress I am able to make with bluetooth ;)
After getting interested in bluetooth again, I came to the conclusion that I really can't get much done at all..
Considering the amount of cash I have spent in the past on wireless adapters to test, getting a pre-paid mobile and a couple of bluetooth dongles and headsets to go crazy on didn't really seem like a bad idea.
So this will be a post containing some information on the bluetooth side of things that that I have been able to get through, which as it stands right now is horrifically little :|
The bluetooth tools included on BackTrack4 are all somewhat dated and their functionality with BackTrack4 not well documented, though bluetooth still forms a part of many wireless security courses, so I have a feeling it is simply a lack of documentation.
The phone I am using to test on is a Nokia 2720 with bluetooth visibility set to permanently visible (except with the tests of tbsearch & fang)
I have a couple of usb dongles, 2x Class 2 and 1x Class 1.
SCANNING FOR -AND LOGGING BLUETOOTH DEVICES
=============================================
First to ensure that the bluetooth devices are up and running ;
hciconfig
hciconfig hci0 up <-- in my case an internal bluetooth device
hciconfig hci1 up <-- in my case an external USB dongle
etc.
Getting more info on the bluetooth interface ;
hciconfig hci0 -a
There are numerous methods to scan for devices ;
hcitool
---------
hcitool is the most straightforward, comparable with using the iwlist scan option when checking for wireless.
hcitool dev
hcitool -i hci0 scan
hcitool -i hci0 inq
Alternatively you can use one of the many monitoring tools included in BT4 such as ;
BlueScan, Btscanner, ghettotooth, tbear
BlueScan
------------
BlueScan will show bdaddr of the device found along with name, manufacturer, active services and active channels along with time of discovery.
However have not figured out how to specify which interface to use; BlueScan always seems to want to use bdaddr of hci0.
After stopping the scan with Ctrl +C you are given 3 options;
1. Print to screen
2. Export results to log
3. Quit
cd /pentest/bluetooth/bluescan/
./bluescan
Btscanner
-------------
Btscanner uses all available bluetooth interfaces for scanning.
It opens an GUI and works similar to the oldschool Kismet, listing found bluetooth devices with the possibility to show further information on the devices when selected.
i <-- starts an inquiry scan
Enter <-- gives further info on the device selected
a <-- aborts the scan
Q <-- Quits the program
Results for the devices found are logged automatically with a directory created per bdaddr found.
For scanning for devices, I would say that so far as I have seen, this tool is the one to use.
edit
I have come to the conclusion that I am not fond of the way btscanner ;
> Does not enable the choosing of individual interface adapters.
> Logs all the information in separate folders, it makes sense in view of the information included, but it makes it harder to quickly view a list of bdaddr's, Names, Class etc.once programme quits.
btscanner
Further info after selecting the found device;
(
q to return to main menu)
ghettotooth
---------------
ghettotooth simply lists the bdaddr's and names of the devices found.
A log is made each time ghettotooth is started.
cd /pentest/bluetooth/ghettotooth/
perl ghettotooth.pl -h
perl ghettotooth.pl hci0
ls
T-bear
---------
A straightforward bluetooth device locator with options to log the results.
Whichever interface is entered to use, the screen shows hci0 as being in use after a few seconds
which is a bit confusing.
edit
Well after having played a bit more with them, I have decided that I like tbear the best for quick scans.
The reason is that you can choose which interface adapter to use (even though it doesnt correctly mention that on screen) and it is easy to view a quick list of what was found from the logs after quitting the programme. Plus it looks pretty ;)
cd /pentest/bluetooth/tbear/
./tbear -h
./tbear -i hci0 -l log
From what I have read, Tbear did originally come with a load of other tools (http://www.secguru.com/link/tbear_bluetooth_environment_auditing), but in BT4 there are just two other tools with tbear;
tanya &
tbsearch
tanya is a DoS tool for bluetooth, however haven't yet played enough with it to get it to work.
I would love to think that the author had a wife / GF called Tanya whose constant rattling reminded him of a DoS..
tbsearch is a tool to search for hidden bluetooth devices by checking bluetooth addresses and able to use multiple threads (multiple bluetooth interfaces)
So for instance if you know a device should be in the area and you have the bdaddr or a possible range you can search for it and tbsearch will find it, even if it is in hidden mode, and continue searching for others.
Its not a fast process however..
cd /pentest/bluetooth/tbear/
./tbsearch
./tbsearch -b 6C:9B:02:FF:97:2F hci0
(bluetooth on mobile set to 'hidden')
This process can be sped up a bit using multiple dongles, below I have a total of 4 devices checking it all out with a starting point 7 digits before the bdaddr, but as you can see it came back with a false positive..
(30 instead of 2f)
This happened more or less consistently when using multiple interfaces, checking for individual bdaddr's seems to work better when using a single interface with tbsearch.
./tbsearch -b 6C:9B:02:FF:97:29 hci0 hci1 hci2 hci3
redfang
----------
fang checks for 'hidden' bluetooth devices by scanning a range of bluetooth addresses similar to the above tbsearch but somewhat more refined and expanded.
fang appears to work better than tbsearch in detecting hidden devices using multuiple interfaces.
cd /pentest/bluetooth/redfang/
./fang -h
The below example is only testing the last 2 digits of the bdaddr of my test phone (set to hidden) using 4 bluetooth interfaces as above with tbsearch.
./fang -r 6C9B02FF9700-6C9B02FF973F -n 4
A word of warning, bluetooth and WiFi both use part of the 2.4 GHz band .. carrying out this attack with this many dongles basically caused my wireless network to suffer considerably..
This is the easy stuff, now there is a whole lot more to get my head around, but hopefully the motivation will continue to flow as I have to say, for the moment bluetooth feels a bit like ;
Some reference material ;
http://www.backtrack-linux.org/forums/backtrack-howtos/2583-dr_greens-bluesnarfer-bluebugger-guides-old-fourm.html
http://www.sans.edu/resources/securitylab/bluetooth.php
more to be added..please leave a comment if you have a link to helpful info.