[PAYLOAD] Basic Bluetooth Scanner


blf

I thought we should have a payload that uses bluetooth, since I got the mini bluetooth dongle with my Owl... posting as my pull request was just accepted:

https://github.com/hak5/owl-payloads/tree/master/payloads/library/bluetooth/Bluetooth-Scanner

Scans for bluetooth devices, and optionally interrogates them (using hcitool info). Full README in the git repo.

Results look like:

root@Owl:~/loot/bluetooth_scan# cat 1565172658.bt.list
Wed Aug  7 10:10:59 UTC 2019    Startup
Wed Aug  7 10:18:25 UTC 2019            F8:38:80:B0:AA:AA       iPhone
Wed Aug  7 10:19:10 UTC 2019            30:21:19:C5:AA:BB       SCR1986BT-AS

With interrogate mode you get more detail as well:

root@Owl:~/loot/bluetooth_scan# cat 1565172658.bt.info
Begin F8:38:80:B0:AA:AA ----------------------
Requesting information ...
        BD Address:  F8:38:80:B0:AA:AA
        Device Name: iPhone
        LMP Version: 5.0 (0x9) LMP Subversion: 0x4307
        Manufacturer: Broadcom Corporation (15)
        Features page 0: 0xbf 0xfe 0xcf 0xfe 0xdb 0xff 0x7b 0x87
                <3-slot packets> <5-slot packets> <encryption> <slot offset>
                <timing accuracy> <role switch> <sniff mode> <RSSI>
                <channel quality> <SCO link> <HV2 packets> <HV3 packets>
                <u-law log> <A-law log> <CVSD> <paging scheme> <power control>
                <transparent SCO> <broadcast encrypt> <EDR ACL 2 Mbps>
                <EDR ACL 3 Mbps> <enhanced iscan> <interlaced iscan>
                <interlaced pscan> <inquiry with RSSI> <extended SCO>
                <EV4 packets> <EV5 packets> <AFH cap. slave>
                <AFH class. slave> <LE support> <3-slot EDR ACL>
                <5-slot EDR ACL> <sniff subrating> <pause encryption>
                <AFH cap. master> <AFH class. master> <EDR eSCO 2 Mbps>
                <EDR eSCO 3 Mbps> <3-slot EDR eSCO> <extended inquiry>
                <LE and BR/EDR> <simple pairing> <encapsulated PDU>
                <err. data report> <non-flush flag> <LSTO> <inquiry TX power>
                <EPC> <extended features>
        Features page 1: 0x0f 0x00 0x00 0x00 0x00 0x00 0x00 0x00
        Features page 2: 0x7f 0x0f 0x00 0x00 0x00 0x00 0x00 0x00
Begin 30:21:19:C5:BB:BB ----------------------
Requesting information ...
        BD Address:  30:21:19:C5:BB:BB
        Device Name: SCR1986BT-AS
        LMP Version: 3.0 (0x5) LMP Subversion: 0x1f4
        Manufacturer: CONWISE Technology Corporation Ltd (66)
        Features page 0: 0xbf 0x3a 0x85 0xfa 0x98 0x1d 0x59 0x87
                <3-slot packets> <5-slot packets> <encryption> <slot offset>
                <timing accuracy> <role switch> <sniff mode> <RSSI> <SCO link>
                <HV2 packets> <HV3 packets> <CVSD> <power control>
                <broadcast encrypt> <EDR ACL 2 Mbps> <enhanced iscan>
                <interlaced iscan> <interlaced pscan> <inquiry with RSSI>
                <extended SCO> <AFH cap. slave> <AFH class. slave>
                <3-slot EDR ACL> <5-slot EDR ACL> <pause encryption>
                <AFH cap. master> <AFH class. master> <extended inquiry>
                <simple pairing> <encapsulated PDU> <non-flush flag> <LSTO>
                <inquiry TX power> <EPC> <extended features>
        Features page 1: 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Link to comment
Share on other sites
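The two loot files above are plain text, so a small parser turns a scan session into a per-device inventory (first/last seen, sighting count, and the hcitool info fields where interrogate mode ran). This is an added example, not part of the payload in the repo; it assumes the .bt.list columns are tab-separated as the sample shows, and the sample loot embedded below is constructed for the demo.

```python
import re
# Constructed sample in the payload's .bt.list layout: timestamp, tab(s), BD address, tab, name.
BT_LIST = """Wed Aug  7 10:10:59 UTC 2019\tStartup
Wed Aug  7 10:18:25 UTC 2019\t\tF8:38:80:B0:AA:AA\tiPhone
Wed Aug  7 10:19:10 UTC 2019\t\t30:21:19:C5:AA:BB\tSCR1986BT-AS
Wed Aug  7 10:25:02 UTC 2019\t\tF8:38:80:B0:AA:AA\tiPhone
"""
# Constructed sample in the .bt.info layout written by hcitool info (feature lines omitted).
BT_INFO = """Begin F8:38:80:B0:AA:AA ----------------------
Requesting information ...
\tBD Address:  F8:38:80:B0:AA:AA
\tDevice Name: iPhone
\tLMP Version: 5.0 (0x9) LMP Subversion: 0x4307
\tManufacturer: Broadcom Corporation (15)
Begin 30:21:19:C5:AA:BB ----------------------
\tBD Address:  30:21:19:C5:AA:BB
\tDevice Name: SCR1986BT-AS
\tManufacturer: CONWISE Technology Corporation Ltd (66)
"""
BDADDR = re.compile(r"^(?:[0-9A-F]{2}:){5}[0-9A-F]{2}$", re.I)

def parse_bt_list(text):
    """Map BD address -> name, first/last timestamp and sighting count from a .bt.list."""
    devices = {}
    for line in text.splitlines():
        fields = [f for f in line.split("\t") if f]   # collapse the doubled tabs
        if len(fields) < 3 or not BDADDR.match(fields[1]):
            continue                                  # "Startup" markers carry no device
        stamp, addr, name = fields[0], fields[1].upper(), fields[2]
        rec = devices.setdefault(addr, {"name": name, "first_seen": stamp, "sightings": 0})
        rec["last_seen"] = stamp
        rec["sightings"] += 1
    return devices

def parse_bt_info(text):
    """Map BD address -> the 'Key: value' fields of its block in a .bt.info file."""
    info, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Begin "):
            current = line.split()[1].upper()
            info[current] = {}
        elif current and ":" in line:                 # feature-flag lines have no colon
            key, _, value = line.partition(":")
            info[current][key.strip().lower().replace(" ", "_")] = value.strip()
    return info

def inventory(bt_list, bt_info):
    # One record per device; info fields are simply absent for devices never interrogated.
    details = parse_bt_info(bt_info)
    return {addr: {**rec, **details.get(addr, {})} for addr, rec in parse_bt_list(bt_list).items()}
```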

Just a quick question, not so much about the payload though...  How did you get the Bluetooth dongle with your Owl?

I purchased the kit and it came with the WiFi dongle but not a Bluetooth dongle, and I don't remember seeing it as a product sold through Hak5's pages...  I'll look again but if I can't find it, what do you recommend, and if possible a link to point me to it?

 

Thanks

Link to comment
Share on other sites

10 minutes ago, Orca said:

Just a quick question, not so much about the payload though...  How did you get the Bluetooth dongle with your Owl?

I purchased the kit and it came with the WiFi dongle but not a Bluetooth dongle, and I don't remember seeing it as a product sold through Hak5's pages...  I'll look again but if I can't find it, what do you recommend, and if possible a link to point me to it?

 

Thanks

I purchased the Owl @ DEFCON this year, and they offered it with or without the USB dongles -- this is what I got (also a separate wifi one). If you search for CSR8510 Bluetooth USB you can probably find tons of these, if you can't get it from Hak5 direct.


Link to comment
Share on other sites

I can't seem to find that particular product in their offerings but I forgot I have an Ubertooth One that should do the same thing (I hope), it's just a little bigger.

P.S., looks like a nice and interesting payload, can't wait to get it loaded and running, once I find a capable dongle...

Thanks

Link to comment
Share on other sites

38 minutes ago, whizdumb said:

Speaking of the Ubertooth... Does the owl and this payload support them?

I don’t have one, but if it shows up as a regular Bluetooth device that hcitool can manage, then yes it should. If not, this payload would fail.

Link to comment
Share on other sites

2 hours ago, whizdumb said:

Speaking of the Ubertooth... Does the owl and this payload support them?

The Owl will see the Ubertooth when you do a 'lsusb'.

It doesn't list any local devices in the Owl when you do a 'hcitool dev'.

This is what I get when I connect my Ubertooth:

BusyBox v1.30.1 () built-in shell (ash)

 .___.
 {o,o}
 /)__)  Hak5 Signal Owl
  "  "  Version 1.0.0
=======================================
 Built on OpenWRT 19.07
=======================================
root@Owl:~# hcitool dev
Devices:
root@Owl:~# lsusb
Bus 001 Device 002: ID 1d50:6002 OpenMoko, Inc. Ubertooth One
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
root@Owl:~# 

Link to comment
Share on other sites

@Orca

hci devices are kind of like network interfaces, you have to “up” them.

Run “hciconfig” with no arguments; if you have any BT devices supported by the hci tool stack, it will show up there, as say, hci0.

You can then run “hciconfig hci0 up” to bring it up.

After this, hcitool will see it and you can use it there. My payload will “up” whatever device is defined in the config variable in the script, during the “runonce” function.

Knowing the small amount I do about the ubertooth, I’m guessing it has more interesting things you can do with it than the basic “what’s out there” scan I’m doing here. If I had one I’d be learning about it and writing a payload for it!

Link to comment
Share on other sites

20 hours ago, blf said:

@Orca

hci devices are kind of like network interfaces, you have to “up” them.

Run “hciconfig” with no arguments; if you have any BT devices supported by the hci tool stack, it will show up there, as say, hci0.

 

I'll continue this here but I think it might be better in the main Owl forum since this may no longer be a Payload problem or issue.

@blf Thanks!!!  Learning every day and loving it...  so I started looking into hcitool and hciconfig on the surface and I don't think the Ubertooth is currently supported.

When I do a lsusb I get:

  root@Owl:~# lsusb
      Bus 001 Device 002: ID 1d50:6002 OpenMoko, Inc. Ubertooth One

so the Owl sees the Ubertooth plugged in.

But when I do a hciconfig I get: nothing.

 

I picked up a couple of CSR 4.0 Bluetooth dongles and I did the same things.

When I do a lsusb I get:

  root@Owl:~# lsusb
      Bus 001 Device 002: ID 0a12:0001 Cambridge Silicon Radio, Ltd Bluetooth Dongle (HCI mode)

When I do a hciconfig I get:

  root@Owl:~# hciconfig
      hci0:    Type: Primary  Bus: USB
          BD Address: 00:1A:7D:DA:71:11  ACL MTU: 679:9  SCO MTU: 48:16
          DOWN 
          RX bytes:574 acl:0 sco:0 events:30 errors:0
          TX bytes:368 acl:0 sco:0 commands:30 errors:0
 

So it does show with this new dongle... BUT...

When I do a hciconfig hci0 up I get:

  root@Owl:~# hciconfig hci0 up
      Can't init device hci0: Not supported (122)
      root@Owl:~# 

I took a look at the hciconfig -h and tried to do a reset and still got a return that it wasn't supported...

Now one thing to note on my end and I'm not sure what's going on if this is me or if there is a real problem.

For me to do the text captures from the terminal and make sure I was making notes of everything I was doing, I came across a problem where when I booted and SSHed into the Owl I did the hciconfig and hcitool commands and nothing happened.  Just nothing but a command prompt.  I could have sworn I had the Bluetooth dongle attached, but I'm assuming that if there is not an hci capable device on the Owl, the Owl will not load the tools.  Is that correct?

This is the dongle I just picked up.  Is this a problem?

Multiform Bluetooth Wireless Adapter

P.S. Thanks for the info/help I really really appreciate it..  and I'm willing to keep experimenting to keep learning...

 

Edited by Orca
Link to comment
Share on other sites


*******Signal Owl bluetooth scan x MacOS bluetooth bug*******

Before running bluetooth scans or interrogation, be aware of your bluetooth MAC address and name on your Signal Owl.  Certain OSes such as macOS are vulnerable to an advanced form of the Bluejacking attack, which can be demonstrated when macOS logs the Signal Owl bluetooth scanner running hcitool interrogation.

With the Signal Owl, running hcitool info <MAC address> results in macOS logging forensic evidence of the scan on the macOS in the bluetooth property list located in /YourStartupDrive/Library/Preferences/com.apple.Bluetooth.plist.

Also, a smart target running macOS can catch on and know that someone is running bluetooth scans in the area, because the bluetooth adapter's MAC address is 00:1A:7D:DA:71:13 and the name string is "BlueZ 5.50", which will show up in the target's property list.

A remedy to this problem for Signal Owl users would be to change the bluetooth MAC address and, at the very least, to change the name string from "BlueZ 5.50" to a "NEW_NAME" to make the scan stealthy.

hciconfig hci0 name NEW_NAME

I usually use bdaddr to change the bluetooth MAC address.

++++++MacOS bluetooth bug++++++

Users of macOS should be aware that an attacker can alter data through bluetooth, so they should monitor the bluetooth property list file if they use bluetooth, or erase the file periodically.

This is a major issue for international travelers and others that use bluetooth.  A possible attack scenario would be an attacker, such as an enemy nation, putting illegal data on the traveler's MacBook Pro wirelessly through bluetooth, then arresting the traveler and seizing the MacBook Pro just to get to other sensitive data.

 

*******Protect Your Scans & MacOS Bluetooth*******

Link to comment
Share on other sites

Valid points on the nature of the scan, it is not a passive activity.

BlueZ is the Linux Bluetooth protocol stack. I didn't realize dongles shared the same MAC by default. That's interesting. I will look at adding some code to the payload to change these if desired.

Link to comment
Share on other sites
