blf Posted August 13, 2019

I thought we should have a payload that uses bluetooth, since I got the mini bluetooth dongle with my Owl... posting as my pull request was just accepted:

https://github.com/hak5/owl-payloads/tree/master/payloads/library/bluetooth/Bluetooth-Scanner

Scans for bluetooth devices, and optionally interrogates them (using hcitool info). Full README in the git repo.

Results look like:

root@Owl:~/loot/bluetooth_scan# cat 1565172658.bt.list
Wed Aug 7 10:10:59 UTC 2019 Startup
Wed Aug 7 10:18:25 UTC 2019 F8:38:80:B0:AA:AA iPhone
Wed Aug 7 10:19:10 UTC 2019 30:21:19:C5:AA:BB SCR1986BT-AS

With interrogate mode you get more detail as well:

root@Owl:~/loot/bluetooth_scan# cat 1565172658.bt.info
Begin F8:38:80:B0:AA:AA
----------------------
Requesting information ...
        BD Address:  F8:38:80:B0:AA:AA
        Device Name: iPhone
        LMP Version: 5.0 (0x9) LMP Subversion: 0x4307
        Manufacturer: Broadcom Corporation (15)
        Features page 0: 0xbf 0xfe 0xcf 0xfe 0xdb 0xff 0x7b 0x87
                <3-slot packets> <5-slot packets> <encryption> <slot offset>
                <timing accuracy> <role switch> <sniff mode> <RSSI>
                <channel quality> <SCO link> <HV2 packets> <HV3 packets>
                <u-law log> <A-law log> <CVSD> <paging scheme> <power control>
                <transparent SCO> <broadcast encrypt> <EDR ACL 2 Mbps>
                <EDR ACL 3 Mbps> <enhanced iscan> <interlaced iscan>
                <interlaced pscan> <inquiry with RSSI> <extended SCO>
                <EV4 packets> <EV5 packets> <AFH cap. slave> <AFH class. slave>
                <LE support> <3-slot EDR ACL> <5-slot EDR ACL> <sniff subrating>
                <pause encryption> <AFH cap. master> <AFH class. master>
                <EDR eSCO 2 Mbps> <EDR eSCO 3 Mbps> <3-slot EDR eSCO>
                <extended inquiry> <LE and BR/EDR> <simple pairing>
                <encapsulated PDU> <err. data report> <non-flush flag> <LSTO>
                <inquiry TX power> <EPC> <extended features>
        Features page 1: 0x0f 0x00 0x00 0x00 0x00 0x00 0x00 0x00
        Features page 2: 0x7f 0x0f 0x00 0x00 0x00 0x00 0x00 0x00

Begin 30:21:19:C5:BB:BB
----------------------
Requesting information ...
        BD Address:  30:21:19:C5:BB:BB
        Device Name: SCR1986BT-AS
        LMP Version: 3.0 (0x5) LMP Subversion: 0x1f4
        Manufacturer: CONWISE Technology Corporation Ltd (66)
        Features page 0: 0xbf 0x3a 0x85 0xfa 0x98 0x1d 0x59 0x87
                <3-slot packets> <5-slot packets> <encryption> <slot offset>
                <timing accuracy> <role switch> <sniff mode> <RSSI> <SCO link>
                <HV2 packets> <HV3 packets> <CVSD> <power control>
                <broadcast encrypt> <EDR ACL 2 Mbps> <enhanced iscan>
                <interlaced iscan> <interlaced pscan> <inquiry with RSSI>
                <extended SCO> <AFH cap. slave> <AFH class. slave>
                <3-slot EDR ACL> <5-slot EDR ACL> <pause encryption>
                <AFH cap. master> <AFH class. master> <extended inquiry>
                <simple pairing> <encapsulated PDU> <non-flush flag> <LSTO>
                <inquiry TX power> <EPC> <extended features>
        Features page 1: 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00
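The .bt.list loot shown above is one line per sighting, so a device that is seen on several scan passes appears several times. The shell script below is an added example, not code from the Bluetooth-Scanner payload or from blf; it collapses a loot file into one line per MAC with first seen, last seen and a sighting count, which is the view you want when reviewing what an Owl actually recorded. The sample loot is constructed in the layout the post shows (the repeated iPhone sighting is invented for the demo), and the helper names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the Bluetooth-Scanner payload: summarise an Owl
# .bt.list loot file into one line per device (MAC|name|first seen|last seen|count).
# Loot line layout, as shown in the post:
#   <weekday> <month> <day> <HH:MM:SS> <TZ> <year> <MAC or "Startup"> [device name...]

# Constructed sample loot in that layout (the repeat sighting is invented for the demo).
SAMPLE_BT_LIST='Wed Aug 7 10:10:59 UTC 2019 Startup
Wed Aug 7 10:18:25 UTC 2019 F8:38:80:B0:AA:AA iPhone
Wed Aug 7 10:19:10 UTC 2019 30:21:19:C5:AA:BB SCR1986BT-AS
Wed Aug 7 10:25:40 UTC 2019 F8:38:80:B0:AA:AA iPhone'

# summarise_bt_list: loot on stdin -> one "MAC|name|first|last|count" line per MAC,
# in order of first appearance. "Startup" markers (scanner restarts) are skipped.
summarise_bt_list() {
    awk '
        NF < 7 || $7 == "Startup" { next }
        # a 17-character field of hex digits and colons is a BD address
        $7 ~ /^[0-9A-Fa-f:]+$/ && length($7) == 17 {
            mac = $7
            ts = $1 " " $2 " " $3 " " $4 " " $5 " " $6
            name = ""
            for (i = 8; i <= NF; i++) name = name (i > 8 ? " " : "") $i
            if (!(mac in first)) { first[mac] = ts; order[++n] = mac }
            last[mac] = ts
            count[mac]++
            if (name != "") names[mac] = name   # device name is optional in the loot
        }
        END {
            for (i = 1; i <= n; i++) {
                m = order[i]
                printf "%s|%s|%s|%s|%d\n", m, names[m], first[m], last[m], count[m]
            }
        }
    '
}

# count_unique_devices: loot on stdin -> number of distinct MACs
count_unique_devices() {
    summarise_bt_list | wc -l | tr -d ' '
}

# device_sightings MAC: loot on stdin -> how many times MAC was logged (empty if never)
device_sightings() {
    summarise_bt_list | awk -F'|' -v m="$1" '$1 == m { print $5 }'
}

# Stand-alone run over the constructed sample
printf '%s\n' "$SAMPLE_BT_LIST" | summarise_bt_list
```

Run it against a real file with `summarise_bt_list < /root/loot/bluetooth_scan/1565172658.bt.list`; the pipe-separated output is easy to sort or diff between scan sessions.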
Orca Posted August 14, 2019

Just a quick question, not so much about the payload though... How did you get the Bluetooth dongle with your Owl? I purchased the kit and it came with the WiFi dongle but not a Bluetooth dongle, and I don't remember seeing it as a product sold through Hak5's pages... I'll look again but if I can't find it what do you recommend and if possible a link to point me to it? Thanks
blf (Author) Posted August 14, 2019

10 minutes ago, Orca said:
Just a quick question, not so much about the payload though... How did you get the Bluetooth dongle with your Owl? I purchased the kit and it came with the WiFi dongle but not a Bluetooth dongle, and I don't remember seeing it as a product sold through Hak5's pages... I'll look again but if I can't find it what do you recommend and if possible a link to point me to it? Thanks

I purchased the Owl @ DEFCON this year, and they offered it with or without the USB dongles -- this is what I got (also a separate wifi one). If you search for CSR8510 Bluetooth USB you can probably find tons of these, if you can't get it from Hak5 direct.
Orca Posted August 14, 2019

I can't seem to find that particular product in their offerings but I forgot I have an Ubertooth One that should do the same thing (I hope), it's just a little bigger.

P.S. Looks like a nice and interesting payload, can't wait to get it loaded and running, once I find a capable dongle... Thanks
whizdumb Posted August 15, 2019

On 8/14/2019 at 12:40 AM, Orca said:
Ubertooth One

Speaking of the Ubertooth... Do the Owl and this payload support them?
blf (Author) Posted August 16, 2019

38 minutes ago, whizdumb said:
Speaking of the Ubertooth... Do the Owl and this payload support them?

I don't have one, but if it shows up as a regular Bluetooth device that hcitool can manage, then yes it should. If not, this payload would fail.
Orca Posted August 16, 2019

2 hours ago, whizdumb said:
Speaking of the Ubertooth... Do the Owl and this payload support them?

The Owl will see the Ubertooth when you do a 'lsusb'. It doesn't list any local devices in the Owl when you do a 'hcitool dev'. This is what I get when I connect my Ubertooth:

BusyBox v1.30.1 () built-in shell (ash)

 .___.
 {o,o}
 /)__)  Hak5 Signal Owl
  " "   Version 1.0.0
=======================================
 Built on OpenWRT 19.07
=======================================
root@Owl:~# hcitool dev
Devices:
root@Owl:~# lsusb
Bus 001 Device 002: ID 1d50:6002 OpenMoko, Inc. Ubertooth One
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
root@Owl:~#
blf (Author) Posted August 16, 2019

@Orca hci devices are kind of like network interfaces, you have to "up" them. Run "hciconfig" with no arguments; if you have any BT devices supported by the hci tool stack, it will show up there, as say, hci0. You can then run "hciconfig hci0 up" to bring it up. After this, hcitool will see it and you can use it there.

My payload will "up" whatever device is defined in the config variable in the script, during the "runonce" function.

Knowing the small amount I do about the ubertooth, I'm guessing it has more interesting things you can do with it than the basic "what's out there" scan I'm doing here. If I had one I'd be learning about it and writing a payload for it!
Orca Posted August 16, 2019 (edited)

20 hours ago, blf said:
@Orca hci devices are kind of like network interfaces, you have to "up" them. Run "hciconfig" with no arguments; if you have any BT devices supported by the hci tool stack, it will show up there, as say, hci0.

I'll continue this here but I think it might be better in the main Owl forum since this may no longer be a Payload problem or issue.

@blf Thanks!!! Learning everyday and loving it... so I started looking into hcitool and hciconfig on the surface and I don't think the Ubertooth is currently supported. When I do a lsusb I get:

root@Owl:~# lsusb
Bus 001 Device 002: ID 1d50:6002 OpenMoko, Inc. Ubertooth One

so the Owl sees the Ubertooth plugged in. But when I do a hciconfig I get: nothing.

I picked up a couple of CSR 4.0 Bluetooth dongles and I did the same things. When I do a lsusb I get:

root@Owl:~# lsusb
Bus 001 Device 002: ID 0a12:0001 Cambridge Silicon Radio, Ltd Bluetooth Dongle (HCI mode)

When I do a hciconfig I get:

root@Owl:~# hciconfig
hci0:   Type: Primary  Bus: USB
        BD Address: 00:1A:7D:DA:71:11  ACL MTU: 679:9  SCO MTU: 48:16
        DOWN
        RX bytes:574 acl:0 sco:0 events:30 errors:0
        TX bytes:368 acl:0 sco:0 commands:30 errors:0

So it does show with this new dongle... BUT... When I do a hcitool hci0 up I get:

root@Owl:~# hciconfig hci0 up
Can't init device hci0: Not supported (122)
root@Owl:~#

I took a look at the hciconfig -h and tried to do a reset and still got a return that it wasn't supported...

Now one thing to note on my end and I'm not sure what's going on if this is me or if there is a real problem. For me to do the text captures from the terminal and make sure I was making notes of everything I was doing I came across a problem where when I booted and SSH into the Owl I did the hciconfig and hcitool commands and nothing happened. Just nothing but a command prompt.

I could have sworn I had the Bluetooth dongle attached, but I'm assuming that if there is not an hci capable device on the Owl the Owl will not load the tools. Is that correct?

This is the dongle I just picked up. Is this a problem? Multiform Bluetooth Wireless Adapter

P.S. Thanks for the info/help I really really appreciate it.. and I'm willing to keep experimenting to keep learning...

Edited August 16, 2019 by Orca
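blf's explanation (hci devices behave like network interfaces and have to be brought "up" in the payload's runonce step) and Orca's three observed states (no hci device at all with the Ubertooth, a DOWN hci0 with the CSR dongle, and "Can't init device hci0" on bring-up) map onto a small decision routine. The script below is an added example, not the payload's own runonce code and not something blf or Orca posted: it parses `hciconfig` output to classify a named adapter as UP, DOWN or MISSING, reports the adapter's BD address, and only attempts `hciconfig <dev> up` when the adapter exists and is down, returning a distinct exit code for each failure so the payload's LED or log can tell them apart. The sample `hciconfig` output is constructed in the layout Orca posted (the second adapter and its UP state are invented for the demo); `hci_state`, `hci_bdaddr`, `hci_action` and `runonce` are this example's own names.

```sh
#!/bin/sh
# Added example, not from the Bluetooth-Scanner payload: classify an hci adapter
# from `hciconfig` output and bring it up only when that is actually needed.

# Constructed hciconfig output in the layout shown in the thread.
# hci0 mirrors Orca's DOWN dongle; hci1 (UP) is invented for the demo.
SAMPLE_HCICONFIG='hci0:   Type: Primary  Bus: USB
        BD Address: 00:1A:7D:DA:71:11  ACL MTU: 679:9  SCO MTU: 48:16
        DOWN
        RX bytes:574 acl:0 sco:0 events:30 errors:0
        TX bytes:368 acl:0 sco:0 commands:30 errors:0

hci1:   Type: Primary  Bus: USB
        BD Address: 00:1A:7D:DA:71:13  ACL MTU: 679:9  SCO MTU: 48:16
        UP RUNNING PSCAN
        RX bytes:1024 acl:0 sco:0 events:50 errors:0
        TX bytes:512 acl:0 sco:0 commands:50 errors:0'

# hci_state DEV: hciconfig output on stdin -> UP, DOWN or MISSING for DEV.
# A block starts at a line whose first field is "hciN:" and ends at the next one.
hci_state() {
    awk -v dev="$1:" '
        $1 == dev { in_dev = 1; next }
        $1 ~ /^hci[0-9]+:$/ { in_dev = 0 }
        in_dev && ($1 == "UP" || $1 == "DOWN") { print $1; found = 1; exit }
        END { if (!found) print "MISSING" }
    '
}

# hci_bdaddr DEV: hciconfig output on stdin -> the adapter BD address (empty if absent).
# This is the address a scanned host will see and may record, so log it with the scan.
hci_bdaddr() {
    awk -v dev="$1:" '
        $1 == dev { in_dev = 1; next }
        $1 ~ /^hci[0-9]+:$/ { in_dev = 0 }
        in_dev && $1 == "BD" && $2 == "Address:" { print $3; exit }
    '
}

# hci_action DEV: hciconfig output on stdin -> what a runonce step should do.
hci_action() {
    case $(hci_state "$1") in
        UP)   echo already-up ;;
        DOWN) echo bring-up ;;
        *)    echo no-device ;;   # seen by lsusb but not by the hci stack, like the Ubertooth
    esac
}

# runonce [DEV]: payload-style bring-up step. Exit 0 = usable, 1 = no adapter,
# 2 = adapter present but `hciconfig DEV up` failed (e.g. "Not supported (122)").
runonce() {
    dev=${1:-hci0}
    case $(hciconfig 2>/dev/null | hci_action "$dev") in
        already-up) echo "$dev already up, bdaddr $(hciconfig | hci_bdaddr "$dev")" ;;
        bring-up)   hciconfig "$dev" up || { echo "cannot bring up $dev" >&2; return 2; } ;;
        no-device)  echo "no hci adapter named $dev (compare lsusb with hciconfig)" >&2; return 1 ;;
    esac
}

# Stand-alone demonstration against the constructed output (no real adapter needed)
for d in hci0 hci1 hci2; do
    printf '%s -> %s (bdaddr: %s)\n' "$d" \
        "$(printf '%s\n' "$SAMPLE_HCICONFIG" | hci_action "$d")" \
        "$(printf '%s\n' "$SAMPLE_HCICONFIG" | hci_bdaddr "$d")"
done
```

On an Owl you would call `runonce hci0` (or whatever the payload's config variable names) and branch on its exit status; the parsing functions are kept separate from the function that runs `hciconfig up` so the classification can be tested without an adapter.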
bleedjack Posted August 30, 2019

*******Signal Owl bluetooth scan x MacOS bluetooth bug*******

Before running bluetooth scans or interrogation be aware of your bluetooth MAC address and name on your Signal Owl. Certain OS such as macOS are vulnerable to an advanced form of the Bluejacking attack which can be demonstrated when macOS logs the Signal Owl bluetooth scanner running hcitool interrogation. With the Signal Owl, running hcitool info <MAC address> results in macOS logging forensic evidence of the scan on the macOS in the bluetooth property list located in /YourStartupDrive/Library/Preferences/com.apple.Bluetooth.plist. Also, a smart target running macOS can catch on and know that someone is running bluetooth scans in the area because the bluetooth adapter's MAC address is 00:1A:7D:DA:71:13 and the name string is "BlueZ 5.50" which will show up in the target's property list.

A remedy to this problem for Signal Owl users would be to change the bluetooth MAC address and at the very least change the name string from "BlueZ 5.50" to a "NEW_NAME" to make the scan stealthy.

hciconfig hci0 name NEW_NAME

I usually use bdaddr to change the bluetooth MAC address.

++++++MacOS bluetooth bug++++++

Users of macOS should be aware that an attacker can alter data through bluetooth so they should monitor the bluetooth property list file if they use bluetooth or erase the file periodically. This is a major issue for international travelers and others that use bluetooth. A possible attack scenario would be an attacker, such as an enemy nation, puts illegal data on the traveler's MacBook Pro wirelessly through bluetooth, then arrests the traveler and seizes the MacBook Pro just to get to other sensitive data.

*******Protect Your Scans & MacOS Bluetooth*******
blf (Author) Posted August 30, 2019

Valid points on the nature of the scan, it is not a passive activity. BlueZ is the Linux Bluetooth protocol stack. I didn't realize dongles shared the same MAC by default. That's interesting. I will look at adding some code to the payload to change these if desired.