Bluetooth Reconnaissance: Watching Over Invisible

October 25, 2012

Remember the Paris Hilton case? All her confidential data was compromised through her mobile phone. Although that was not a Bluetooth attack, your handheld devices can be among the best targets for attacks, and Bluetooth can be a major part of it.

The goal of the discovery process is to identify the presence of Bluetooth devices and to find each device's 48-bit MAC address, which is known as the BD_ADDR.

The challenging part of this step is finding the devices that are in invisible mode along with the visible ones. So let's do it…

First we will look at the basics of Bluetooth and scanning.

The Bluetooth specification defines 79 channels, and devices hop across these channels at a rate of 1600 times per second.

#hciconfig

So here two Bluetooth interfaces are available, hci0 and hci1; hci1 is the long-range external Bluetooth dongle I am using for this demonstration.
Initially these interfaces are in the Down state. Let's bring them UP.

Scenario 1: All devices are in visible mode

Android Setting

Ubuntu Setting

#hcitool scan

The above scan gives the overall picture: six Bluetooth devices are currently available, and it also provides their names and BD_ADDRs.

But it doesn't give any idea of what type of device each one is. For example, Akash could be a mobile, a laptop or anything else.
So let's run the inquiry scan.

#hcitool inq

Devices were discovered with their BD_ADDR, clock information and device class.

In the device class you can see the underlined section of every class, i.e. 00, 02, 01 and 04. These are nothing but the major device class bits, from which we can find the type of device.

See the chart below:

Now if we cross-check, Akash's BD_ADDR is 00:1d:6e:.. and its class is 0x50020c. So, by looking at the chart, we can say for sure that it is a Phone-type device.

The btscanner tool does the same, but it provides the bt_names along with other details.

BlueMaho is a Bluetooth penetration testing tool, but it also has a scanning option that provides very important pieces of information.

I would like to remind you that until now we have been scanning devices that are in visible mode. But what about the devices that are not visible?

Redfang is a tool that can find devices in invisible mode by probing a given address range,
000000000000-ffffffffffff. But scanning every MAC (BD_ADDR) may take years to finish. If the devices are in the vicinity, we can see the manufacturer, find the MAC prefixes used for that device, and give an approximate range to redfang.

Source: http://hwaddress.com/

Here I am giving a very small range, i.e. 0007abffcf85-0007abffcf90, to demonstrate the tool. Once it scans the BD_ADDR that is in invisible mode, it shows all the information about it.

You can clearly see the BD_ADDR along with the bt_name.

But finding the BD_ADDR of devices whose WiFi is also on is a little simpler than scanning thousands of addresses. Here it goes…

FINDING BD_ADDR FROM MAC:

My handy little victim's settings:

WiFi is on and Bluetooth is in invisible mode.

Start sniffing the air by enabling monitor mode on the wireless interface.

So many MACs. The question here is: whose MAC is it? That is, how do we pick out smartphones/smart devices from this bulk of MAC addresses?

So start Wireshark.

#wireshark&

Start capturing on the mon0 interface.

Now observe the packets, especially the source field. You may see names like Samsung or Apple. So here it is…

In the above screenshot you can see the Samsung name and its MAC address. The important thing is that SamsungE_ff:cf:88 is not the Bluetooth/WiFi name; rather, it is the manufacturer name that Wireshark resolves from the address prefix.

Now we can say for sure that 00:07:ab:ff:cf:88 belongs to a Samsung device.

Okay, so we now know that we have one Samsung smartphone/device. The next challenge is finding its Bluetooth address.

We have the MAC 00:07:AB:ff:CF:88. First, try the MAC address plus one.

No output, which means no BT device with that address is currently available. Now try the MAC address minus one.

So here we get the Bluetooth device, along with the name my_android.

So you can observe that the BT address is associated with the MAC address, i.e. the MAC minus or plus one. Once you find the Bluetooth device, a scan can be made to check the services on the device.
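As an added example (not from the original post), the following Python script decodes the major device class from `hcitool inq` output the way the chart above does, and then checks which inquiry results sit at a sniffed WiFi MAC plus or minus one, which is handy when reconciling the radios of one device in an asset inventory. The inquiry lines, clock offsets, class values and the second device are constructed; the 00:07:ab:ff:cf:87/88 pair is the one discussed above.

```python
import re

# Major device class lives in bits 8..12 of the 24-bit Class of Device field
# (Bluetooth Assigned Numbers); minor-class and service bits are ignored here.
MAJOR_DEVICE_CLASSES = {
    0x00: "Miscellaneous", 0x01: "Computer", 0x02: "Phone",
    0x03: "LAN/Network Access Point", 0x04: "Audio/Video", 0x05: "Peripheral",
    0x06: "Imaging", 0x07: "Wearable", 0x08: "Toy", 0x09: "Health",
    0x1F: "Uncategorized",
}
# One `hcitool inq` result line: <BD_ADDR> clock offset: 0x.... class: 0x......
INQ_LINE = re.compile(
    r"^\s*(?P<bdaddr>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"clock offset:\s*0x[0-9A-Fa-f]+\s+class:\s*(?P<cod>0x[0-9A-Fa-f]+)"
)
# Constructed sample output: the Samsung BD_ADDR from the post plus a made-up laptop.
SAMPLE_INQ = """Inquiring ...
\t00:07:AB:FF:CF:87\tclock offset: 0x3e21\tclass: 0x5a020c
\t00:11:22:33:44:55\tclock offset: 0x1b0f\tclass: 0x3e0104
"""
MAC_MASK = (1 << 48) - 1

def major_device_class(cod):
    """Decode the major device class name from a Class of Device value."""
    return MAJOR_DEVICE_CLASSES.get((cod >> 8) & 0x1F, "Reserved")

def parse_inq(output):
    """Parse `hcitool inq` output into dicts: lower-case bdaddr, cod, decoded type."""
    devices = []
    for line in output.splitlines():
        m = INQ_LINE.match(line)
        if not m:
            continue  # header line ("Inquiring ...") or malformed input
        cod = int(m.group("cod"), 16)
        devices.append({"bdaddr": m.group("bdaddr").lower(), "cod": cod,
                        "type": major_device_class(cod)})
    return devices

def adjacent_bdaddrs(wifi_mac):
    """BD_ADDR candidates next to a WiFi MAC (MAC-1, MAC+1), wrapping at the 48-bit edge."""
    base = int(wifi_mac.replace(":", "").replace("-", ""), 16)
    return [":".join(f"{(v >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1))
            for v in ((base - 1) & MAC_MASK, (base + 1) & MAC_MASK)]

def correlate(devices, wifi_mac):
    """Return inquiry results whose BD_ADDR sits at the sniffed WiFi MAC +/- 1."""
    candidates = set(adjacent_bdaddrs(wifi_mac))
    return [d for d in devices if d["bdaddr"] in candidates]
```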

# sdptool browse 00:07:ab:ff:cf:87

One interesting thing is that when you enumerate laptops, you can see information about the operating system and other services.

You can observe the field Service Provider: Microsoft. So this is the basic step, i.e. first find the target before exploiting it.
