  1. Valid points on the nature of the scan, it is not a passive activity. BlueZ is the Linux Bluetooth protocol stack. I didn’t realize dongles shared the same MAC by default. That’s interesting. I will look at adding some code to the payload to change these if desired.
  2. Boot into arming mode with your bluetooth dongle attached, then enable it with:
       hciconfig hci0 up
     Make sure there is another active bluetooth device around, then run:
       hcitool scan
     Does this produce output? This is the first thing that the bluetooth scan payload does. Also, try running the payload manually in arming mode. Make sure it's executable, then run it:
       chmod +x /root/payload/payload.txt
       /root/payload/payload.txt
     While it's running, check /tmp/payload.log to see if there is any output. Let me know how it goes.
  3. @Orca hci devices are kind of like network interfaces, you have to “up” them. Run “hciconfig” with no arguments; if you have any BT devices supported by the hci tool stack, it will show up there, as say, hci0. You can then run “hciconfig hci0 up” to bring it up. After this, hcitool will see it and you can use it there. My payload will “up” whatever device is defined in the config variable in the script, during the “runonce” function. Knowing the small amount I do about the ubertooth, I’m guessing it has more interesting things you can do with it than the basic “what’s out there” scan I’m doing here. If I had one I’d be learning about it and writing a payload for it!
  4. I don’t have one, but if it shows up as a regular Bluetooth device that hcitool can manage, then yes it should. If not, this payload would fail.
  5. I purchased the Owl @ DEFCON this year, and they offered it with or without the USB dongles -- this is what I got (also a separate wifi one). If you search for CSR8510 Bluetooth USB you can probably find tons of these, if you can't get it from Hak5 direct.
  6. I thought we should have a payload that uses bluetooth, since I got the mini bluetooth dongle with my Owl... posting as my pull request was just accepted: https://github.com/hak5/owl-payloads/tree/master/payloads/library/bluetooth/Bluetooth-Scanner
     Scans for bluetooth devices, and optionally interrogates them (using hcitool info). Full README in the git repo. Results look like:
       root@Owl:~/loot/bluetooth_scan# cat 1565172658.bt.list
       Wed Aug 7 10:10:59 UTC 2019 Startup
       Wed Aug 7 10:18:25 UTC 2019 F8:38:80:B0:AA:AA iPhone
       Wed Aug 7 10:19:10 UTC 2019 30:21:19:C5:AA:BB SCR1986BT-AS
     With interrogate mode you get more detail as well:
       root@Owl:~/loot/bluetooth_scan# cat 1565172658.bt.info
       Begin F8:38:80:B0:AA:AA
       ----------------------
       Requesting information ...
           BD Address:  F8:38:80:B0:AA:AA
           Device Name: iPhone
           LMP Version: 5.0 (0x9) LMP Subversion: 0x4307
           Manufacturer: Broadcom Corporation (15)
           Features page 0: 0xbf 0xfe 0xcf 0xfe 0xdb 0xff 0x7b 0x87
               <3-slot packets> <5-slot packets> <encryption> <slot offset> <timing accuracy> <role switch> <sniff mode> <RSSI> <channel quality> <SCO link> <HV2 packets> <HV3 packets> <u-law log> <A-law log> <CVSD> <paging scheme> <power control> <transparent SCO> <broadcast encrypt> <EDR ACL 2 Mbps> <EDR ACL 3 Mbps> <enhanced iscan> <interlaced iscan> <interlaced pscan> <inquiry with RSSI> <extended SCO> <EV4 packets> <EV5 packets> <AFH cap. slave> <AFH class. slave> <LE support> <3-slot EDR ACL> <5-slot EDR ACL> <sniff subrating> <pause encryption> <AFH cap. master> <AFH class. master> <EDR eSCO 2 Mbps> <EDR eSCO 3 Mbps> <3-slot EDR eSCO> <extended inquiry> <LE and BR/EDR> <simple pairing> <encapsulated PDU> <err. data report> <non-flush flag> <LSTO> <inquiry TX power> <EPC> <extended features>
           Features page 1: 0x0f 0x00 0x00 0x00 0x00 0x00 0x00 0x00
           Features page 2: 0x7f 0x0f 0x00 0x00 0x00 0x00 0x00 0x00
       Begin 30:21:19:C5:BB:BB
       ----------------------
       Requesting information ...
           BD Address:  30:21:19:C5:BB:BB
           Device Name: SCR1986BT-AS
           LMP Version: 3.0 (0x5) LMP Subversion: 0x1f4
           Manufacturer: CONWISE Technology Corporation Ltd (66)
           Features page 0: 0xbf 0x3a 0x85 0xfa 0x98 0x1d 0x59 0x87
               <3-slot packets> <5-slot packets> <encryption> <slot offset> <timing accuracy> <role switch> <sniff mode> <RSSI> <SCO link> <HV2 packets> <HV3 packets> <CVSD> <power control> <broadcast encrypt> <EDR ACL 2 Mbps> <enhanced iscan> <interlaced iscan> <interlaced pscan> <inquiry with RSSI> <extended SCO> <AFH cap. slave> <AFH class. slave> <3-slot EDR ACL> <5-slot EDR ACL> <pause encryption> <AFH cap. master> <AFH class. master> <extended inquiry> <simple pairing> <encapsulated PDU> <non-flush flag> <LSTO> <inquiry TX power> <EPC> <extended features>
           Features page 1: 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00
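The .bt.list loot shown in the post above is easy to post-process. The following is an added example, not code from the Bluetooth-Scanner payload: it turns raw `hcitool scan` output into the "<date> <MAC> <name>" loot lines and summarises a loot file per device (sightings, first and last seen), skipping the "Startup" marker rows. All inputs are constructed, and the exact shape of `hcitool scan` output (a "Scanning ..." header followed by "MAC<TAB>name" rows) is an assumption.

```shell
#!/bin/sh
# Added example, not the Bluetooth-Scanner payload's own code. Formats
# `hcitool scan` output as .bt.list loot lines and summarises a loot file.
# Sample data below is constructed; the `hcitool scan` line shape is assumed.

# Constructed stand-in for what `hcitool scan` prints on stdout.
SAMPLE_SCAN='Scanning ...
	F8:38:80:B0:AA:AA	iPhone
	30:21:19:C5:AA:BB	SCR1986BT-AS'

# Constructed .bt.list content: a Startup marker plus one repeat sighting.
SAMPLE_LOOT='Wed Aug 7 10:10:59 UTC 2019 Startup
Wed Aug 7 10:18:25 UTC 2019 F8:38:80:B0:AA:AA iPhone
Wed Aug 7 10:19:10 UTC 2019 30:21:19:C5:AA:BB SCR1986BT-AS
Wed Aug 7 10:25:40 UTC 2019 F8:38:80:B0:AA:AA iPhone'

# to_loot_lines TIMESTAMP: read scan output on stdin; keep only rows whose
# first field is a 17-character colon-separated address (drops the header).
to_loot_lines() {
    awk -v ts="$1" '
        length($1) == 17 && $1 ~ /^[0-9A-Fa-f:]+$/ {
            mac = $1; $1 = ""; sub(/^[ \t]+/, "")   # $0 is now just the name
            print ts " " mac " " $0
        }'
}

# summarize_loot: read .bt.list rows on stdin. The date is fields 1-6, the
# address field 7, the name the rest; "Startup" rows have no address in
# field 7 and are skipped. Output: MAC, name, count, first seen, last seen.
summarize_loot() {
    awk '
        NF >= 7 && length($7) == 17 && $7 ~ /^[0-9A-Fa-f:]+$/ {
            mac = $7
            ts = $1 " " $2 " " $3 " " $4 " " $5 " " $6
            if (!(mac in first)) { first[mac] = ts; order[++n] = mac }
            last[mac] = ts; seen[mac]++
            name = $8; for (i = 9; i <= NF; i++) name = name " " $i
            names[mac] = name
        }
        END {
            for (i = 1; i <= n; i++) {
                m = order[i]
                printf "%s\t%s\t%d\t%s\t%s\n", m, names[m], seen[m], first[m], last[m]
            }
        }'
}

# Stand-alone demo: format a fresh scan, then summarise the stored loot.
printf '%s\n' "$SAMPLE_SCAN" | to_loot_lines "Wed Aug 7 10:30:00 UTC 2019"
printf '%s\n' "$SAMPLE_LOOT" | summarize_loot
```

On the Owl itself you would pipe the real `hcitool scan` into to_loot_lines with `date` as the timestamp, and run summarize_loot over the loot file after the fact.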
  7. Do you have a WiFi dongle installed in the USB port opposite the pigtail? I’m thinking this won’t work while you’re also logged in via SSH over the built in WiFi adapter.
  8. You can't run the payload directly if it uses extensions. The Owl will source the extensions first and then execute the payload. What you're seeing is because the WIFI_CONNECT function from the extensions directory isn't present, because it hasn't been sourced. If you want to run it manually you could try running "source" on the extensions, then executing the payload (not sure any of this will actually work interactively since I assume you're using the same wifi).
  9. vepr -- Try booting to arming mode, ssh in, and chmod +x /root/payload/payload.txt. I read through the doc again and noticed it says they source extensions, and execute the payload. I made my payload executable and it worked. Seems obvious in retrospect, but the ".txt" extension had my brain thinking it did something other than directly run it.
  10. I haven't tried this payload, but my home-grown payload has the same problem -- never runs (none of my output gets written), and the LED just goes blank. I tried putting it straight into /root/payload/payload.txt, and I also tried deleting it from there and letting the owl copy it from an ext4 USB (it did). No difference. Works fine when run from arming mode with "source payload.txt". I'd like to know if there are any debug logs we can enable to show what's happening/not happening in attack mode, so I can attempt to troubleshoot it.
  11. The thing that confused me is trying to read the directions for the Owl thinking that all the LED states applied to the firmware upgrade. I don't think they really do. The device as delivered comes with a special loader. You need to understand how it works, then you can start paying attention to the normal doc. Above, I think Dr@tg0N documented the loader's behavior well. When you plug the device in to power, you'll get:
        1. One solid blink
        2. LED off
        3. Rapid blinking
        4. Slightly less rapid blinking: entering SELECT mode for firmware update - THIS IS WHEN YOU PRESS THE BUTTON TO START THE UPGRADE.
      I formatted a drive FAT32, placed the bin on its root, put that USB drive into the USB port on the Owl furthest from the pigtail (remember, closer to the pigtail just passes through to the host) and plugged the Owl in. After the blinks transition from rapid blinking (#3) to slightly less rapid blinking (#4), I pressed the button. The light eventually went solid, which means the upgrade was happening. Eventually it switched to slow steady on/off blinking. I unplugged the device and removed the USB storage.
      On the next bootup, if you do nothing, it will eventually go into slow blinking, which means there is no payload. In this state you'll see no wifi network. To do that, you'll need to go into arming mode; here's how I reliably have done that: nothing attached, plug Owl in to power on. LED behavior:
        1. One solid blink
        2. Medium flash (booting; for maybe 10-15 seconds)
        3. Solid for a few seconds
        4. Very fast flashing - THIS IS WHEN YOU PRESS THE BUTTON TO ENTER ARMING MODE.
        5. Double flashing begins; this means you're in arming mode. (Double flashing to my eye looks like the LED is solid on, but going off twice in a row at an interval.)
      Now that you're in arming mode, you'll have an open Wifi network called Owl_XXXX where XXXX is the last 4 of your device's MAC. You can connect to that SSID and SSH to root@, password hak5owl.
      If anyone would like to see a video of how to get into arming mode I can probably oblige. Too late for me to demonstrate the upgrade.