click click

Sunday, May 16, 2010

Bluesnarfer & Bluebugger Guide With Backtrack

Hey Guys

Just thought I'd post a little on Bluetooth Hacking because I can see thereis a lot of questions and not alot of answers So here's how I hacked my samsung d600.

First I poped to my local supermarket and picked myself up a bluetooth dongle for 6.99!!!! Because my shitieToshiba Satellite P100 doesn't have bluetooth

Ok first lets configure BT.................

Type :

bt ~ # mkdir -p /dev/bluetooth/rfcomm
mknod -m 666 /dev/bluetooth/rfcomm/0 c 216 0

Thats Bluesnarfer done, now for bluebugger.............

Type:

bt ~ # mknod --mode=666 /dev/rfcomm0 c 216 0

Ok now we can fire up are Bluetooth adaptor, so type:

bt ~ # hciconfig hci0 up

Now are bluetooth adaptor should be ready, check by typing :

bt ~ # hciconfig hci0

and you should see somthing like this:

hci0: Type: USB
BD Address: 00:11:22:33:44:55 ACL MTU: 678:8 SCO MTU: 48:10
UP RUNNING
RX bytes:85 acl:0 sco:0 events:9 errors:0
TX bytes:33 acl:0 sco:0 commands:9 errors:0

Ok now we are ready to scan so type:

bt ~ # hcitool scan hci0

And you should see all the devices in the area. You can also use btscanner and btscanner has a bruteforce scanner for discovering hidden devices.

Now note the name and MAC of the target and let's move on.

First thing lets try to ping are target. Type:

l2ping

If you dont get a ping GOOD LUCK

Next we need to find out a little about the device we want to hack so lets fire up blueprint.

And type:

sdptools browse --tree --l2cap

And you should get somthing like this:


Code:
Browsing 00:16:DB:A1:B6:B9 ...
Attribute Identifier : 0x0 - ServiceRecordHandle
 Integer : 0x10000
Attribute Identifier : 0x1 - ServiceClassIDList
 Data Sequence
   UUID128 : 0xdb1d8f12-95f3-402c-9b97-bc504c9a-55c4
Attribute Identifier : 0x4 - ProtocolDescriptorList
 Data Sequence
   Data Sequence
     UUID16 : 0x0100 - L2CAP
   Data Sequence
     UUID16 : 0x0003 - RFCOMM
     Channel/Port (Integer) : 0x1
Attribute Identifier : 0x5 - BrowseGroupList
 Data Sequence
   UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x6 - LanguageBaseAttributeIDList
 Data Sequence
   Code ISO639 (Integer) : 0x656e
   Encoding (Integer) : 0x6a
   Base Offset (Integer) : 0x100
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
 Data Sequence
   Data Sequence
     UUID128 : 0x1cdb1d8f-1295-f340-2c9b-97bc504c-9a55
     Version (Integer) : 0x100
Attribute Identifier : 0x100
 Data : 57 42 54 45 58 54 00 00
Attribute Identifier : 0x8003
 Integer : 0x1

Attribute Identifier : 0x0 - ServiceRecordHandle
 Integer : 0x10001
Attribute Identifier : 0x1 - ServiceClassIDList
 Data Sequence
   UUID16 : 0x1101 - SerialPort
Attribute Identifier : 0x4 - ProtocolDescriptorList
 Data Sequence
   Data Sequence
     UUID16 : 0x0100 - L2CAP
   Data Sequence
     UUID16 : 0x0003 - RFCOMM
     Channel/Port (Integer) : 0x2
Attribute Identifier : 0x5 - BrowseGroupList
 Data Sequence
   UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
 Data Sequence
   Data Sequence
     UUID16 : 0x1101 - SerialPort
     Version (Integer) : 0x100
Attribute Identifier : 0x100
 Data : 53 65 72 69 61 6c 20 50 6f 72 74 00 00

Attribute Identifier : 0x0 - ServiceRecordHandle
 Integer : 0x10002
Attribute Identifier : 0x1 - ServiceClassIDList
 Data Sequence
   UUID16 : 0x1103 - DialupNetworking (DUN)
Attribute Identifier : 0x4 - ProtocolDescriptorList
 Data Sequence
   Data Sequence
     UUID16 : 0x0100 - L2CAP
   Data Sequence
     UUID16 : 0x0003 - RFCOMM
     Channel/Port (Integer) : 0x3
Attribute Identifier : 0x5 - BrowseGroupList
 Data Sequence
   UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
 Data Sequence
   Data Sequence
     UUID16 : 0x1103 - DialupNetworking (DUN)
     Version (Integer) : 0x100
Attribute Identifier : 0x100
 Data : 44 69 61 6c 2d 75 70 20 4e 65 74 77 6f 72 6b 69 6e 67 00 00
Attribute Identifier : 0x305
 Integer : 0x0

Attribute Identifier : 0x0 - ServiceRecordHandle
 Integer : 0x10003
Attribute Identifier : 0x1 - ServiceClassIDList
 Data Sequence
   UUID16 : 0x1112 - HeadsetAudioGateway
   UUID16 : 0x1203 - GenericAudio
Attribute Identifier : 0x4 - ProtocolDescriptorList
 Data Sequence
   Data Sequence
     UUID16 : 0x0100 - L2CAP
   Data Sequence
     UUID16 : 0x0003 - RFCOMM
     Channel/Port (Integer) : 0x4
Attribute Identifier : 0x5 - BrowseGroupList
 Data Sequence
   UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
 Data Sequence
   Data Sequence
     UUID16 : 0x1108 - Headset
     Version (Integer) : 0x100
Attribute Identifier : 0x100
 Data : 56 6f 69 63 65 20 47 57 00 00

Attribute Identifier : 0x0 - ServiceRecordHandle
 Integer : 0x10004
Attribute Identifier : 0x1 - ServiceClassIDList
 Data Sequence
   UUID16 : 0x111f - HandsfreeAudioGateway
   UUID16 : 0x1203 - GenericAudio
Attribute Identifier : 0x4 - ProtocolDescriptorList
 Data Sequence
   Data Sequence
     UUID16 : 0x0100 - L2CAP
   Data Sequence
     UUID16 : 0x0003 - RFCOMM
     Channel/Port (Integer) : 0x5
Attribute Identifier : 0x5 - BrowseGroupList
 Data Sequence
   UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
 Data Sequence
   Data Sequence
     UUID16 : 0x111e - Handsfree
     Version (Integer) : 0x101
Attribute Identifier : 0x100
 Data : 56 6f 69 63 65 20 47 57 00 00
Attribute Identifier : 0x301
 Integer : 0x1
Attribute Identifier : 0x311
 Integer : 0x1

Attribute Identifier : 0x0 - ServiceRecordHandle
 Integer : 0x10005
Attribute Identifier : 0x1 - ServiceClassIDList
 Data Sequence
   UUID16 : 0x110a - AudioSource
Attribute Identifier : 0x4 - ProtocolDescriptorList
 Data Sequence
   Data Sequence
     UUID16 : 0x0100 - L2CAP
     Channel/Port (Integer) : 0x19
   Data Sequence
     UUID16 : 0x0019 - AVDTP
     Channel/Port (Integer) : 0x100
Attribute Identifier : 0x5 - BrowseGroupList
 Data Sequence
   UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
 Data Sequence
   Data Sequence
     UUID16 : 0x110d - AdvancedAudio
     Version (Integer) : 0x100
Attribute Identifier : 0x100
 Data : 41 64 76 61 6e 63 65 64 20 61 75 64 69 6f 20 73 6f 75 72 63 65 00 00
Attribute Identifier : 0x311
 Integer : 0x1

Attribute Identifier : 0x0 - ServiceRecordHandle
 Integer : 0x10006
Attribute Identifier : 0x1 - ServiceClassIDList
 Data Sequence
   UUID16 : 0x110c - RemoteControlTarget
Attribute Identifier : 0x4 - ProtocolDescriptorList
 Data Sequence
   Data Sequence
     UUID16 : 0x0100 - L2CAP
     Channel/Port (Integer) : 0x17
   Data Sequence
     UUID16 : 0x0017 - AVCTP
     Channel/Port (Integer) : 0x100
Attribute Identifier : 0x5 - BrowseGroupList
 Data Sequence
   UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
 Data Sequence
   Data Sequence
     UUID16 : 0x110e - RemoteControl
     Version (Integer) : 0x100
Attribute Identifier : 0x311
 Integer : 0x100

Attribute Identifier : 0x0 - ServiceRecordHandle
 Integer : 0x10007
Attribute Identifier : 0x1 - ServiceClassIDList
 Data Sequence
   UUID16 : 0x1106 - OBEXFileTransfer
Attribute Identifier : 0x4 - ProtocolDescriptorList
 Data Sequence
   Data Sequence
     UUID16 : 0x0100 - L2CAP
   Data Sequence
     UUID16 : 0x0003 - RFCOMM
     Channel/Port (Integer) : 0x6
   Data Sequence
     UUID16 : 0x0008 - OBEX
Attribute Identifier : 0x5 - BrowseGroupList
 Data Sequence
   UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
 Data Sequence
   Data Sequence
     UUID16 : 0x1106 - OBEXFileTransfer
     Version (Integer) : 0x100
Attribute Identifier : 0x100
 Data : 4f 42 45 58 20 46 69 6c 65 20 54 72 61 6e 73 66 65 72 00 00

Attribute Identifier : 0x0 - ServiceRecordHandle
 Integer : 0x10008
Attribute Identifier : 0x1 - ServiceClassIDList
 Data Sequence
   UUID16 : 0x1105 - OBEXObjectPush
Attribute Identifier : 0x4 - ProtocolDescriptorList
 Data Sequence
   Data Sequence
     UUID16 : 0x0100 - L2CAP
   Data Sequence
     UUID16 : 0x0003 - RFCOMM
     Channel/Port (Integer) : 0x7
   Data Sequence
     UUID16 : 0x0008 - OBEX
Attribute Identifier : 0x5 - BrowseGroupList
 Data Sequence
   UUID16 : 0x1002 - PublicBrowseGroup
Attribute Identifier : 0x9 - BluetoothProfileDescriptorList
 Data Sequence
   Data Sequence
     UUID16 : 0x1105 - OBEXObjectPush
     Version (Integer) : 0x100
Attribute Identifier : 0x100
 Data : 4f 62 6a 65 63 74 20 50 75 73 68 00 00
Attribute Identifier : 0x303
 Data Sequence
   Integer : 0x1
   Integer : 0x3
   Integer : 0x5
   Integer : 0xff
Now if you asked me what does this mean I wouldn't know, but I think it tells you abit about the channels and what services are running on what channel.

Anyway after playing abit I found that my D600 uses channel 7 for phonebook lookup etc. I think every make and model is diffrent so you might have to try a few until you get the right one. Like I said im only just getting to grips with linux So if anybodu knows anymore I'd love to read about it.
Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

tiap2 hari click je

Link2Communion.com

ip-address

IP
get yours here

Followers