Hacking Bluetooth devices is secondary in the overall scheme of wireless devices so I’m not going to spend too long talking about it; however I will introduce you to a couple of tools and attacks that, if nothing else, will give you some fun.
See Chapter 8 for some discussion of Bluetooth kit. Attacks against Bluetooth devices (predominantly mobile phones) fall into three categories:
• BlueJacking – This means using a phone to send anonymous messages to people using the Bluetooth protocol. This can be very entertaining and has its uses in a social engineering context.
• BlueSnarfing – This means taking details from mobile phones without the permission of the owner. This can include calendar entries, address book entries, and short message service (SMS) messages. In general, only older phones are vulnerable to BlueSnarfing.
• Eavesdropping Attacks – A lot of people use Bluetooth headsets. It is sometimes possible to capture and record this voice traffic. Occasionally, it is possible to inject voice into the stream. A tool released a few years ago allowed you to do exactly this to car radios. (This tool is called Car Whisperer and is on the BackTrack CD-ROM.)
MOUNTING A BLUETOOTH ATTACK 151
BlueJacking
A few years ago at the Infosec conference in London, a friend of mine, furious at his recent redundancy, decided to get even with the company in question, which had exhibitors in attendance. (We’ll call it Company X for the purposes of this discussion.) He wrote a small program that tracked Bluetooth phones that came into range of his laptop and sent them a message via the vCard business card protocol. It read something like this:
Hi!!!!1 Welcom to infosec!!!! Why not stop by our stand and talk secu-rity? We at no. 212 – Company X
There was a catch though: The message wasn’t just sent once, it was sent as many times per second as the target phone could handle. This was intentional (as was the poor spelling and grammar). The upshot was that a number of people did turn up at the Company X stand, but only to complain that they were being bombarded with advertisements. The poor sales representatives didn’t have a clue what was going on. Because you can make a message appear to be from anyone, BlueJacking can be useful to a creative social engineer. There are a few ways to carry out this form of attack. These are the easiest:
• Using Phone-specific Features – Create a contact in your address book. For the name, input the message you wish to send. To send the message, switch Bluetooth on, search for target devices and select ‘Send Business Card’ (in some models, ‘Send Contact’). Select the entry you just created from the address book and you’re done.
• Using an Automated Tool – The most popular tools are the Java applications FreeJack and EasyJack. Both work fine and a quick Google search will get you both of them.
BlueSnarfing
From the perspective of a physical penetration tester, being able to steal the phone book from any phone around you is obviously very useful.
In the real world, however, most phones are now patched against this attack, although you may get lucky. First, you need to locate all Bluetooth devices in the area. I show you how to do this using a tool called BlueScanner from Aruba Networks. There are plenty of tools that run under Linux (and come with BackTrack), but I particularly like this tool’s interface and presentation of information, even though it runs under Windows (see Figure 7.5).
152 HACKING WIRELESS EQUIPMENT
Figure 7.5 Aruba’s BlueScanner can find Bluetooth devices within range.
As you can see, the software divides the devices up nicely so you can see exactly what you’re dealing with. In this example, we target the Nokia 6300. Note its address of 00:24:04:15:AA:08. To extract this device’s address book, you run the following command in BackTrack:
bluesnarfer -r 1-100 -b 00:24:04:15:AA:08
The attack is successful and you now have the target’s address book:
device name: Nokia 6300
custom phonebook selected
+ 1 – bob : 0416783452
+ 4 – john : 0794487651
+ 7 – dave : 0792938450
+ 10 – test2 : 0794009812
+ 13 – house : 0793545345
+ 16 – test3 : 0794073352
+ 19 – btsucks : 0796009272
Eavesdropping
The Car Whisperer tool is used to eavesdrop on wireless voice communications that take place over the Bluetooth protocol. First of all you have to configure your Bluetooth device to think it’s a mobile phone:
hciconfig hci0 class 0x50204
SUMMARY 153
This assumes your Bluetooth device is called hci0, which it most likely is. If it’s not, run hciconfig with no arguments to list all HCI interfaces.
You need to guess the pairing pin (usually 0000 or 1234) in order to eavesdrop on the stream. You can find out by trial and error. So:
echo 0000 > /etc/bluetooth/pin
Open the file /etc/bluetooth/serial.server and change the value of Autostart to true. Then execute:
/etc/init.d/bluetooth restart
You need to use a tool such as BlueScanner to find the MAC address of the target. Assuming that 00:12:34:56:78:90 is the target Bluetooth headset (and that the PIN is correct), run the following command to dump the audio stream to input.raw:
carwhisperer 0 /dev/null input.raw 00:12:34:56:78:90 1
Here we use /dev/null, but you could also specify an audio file on your system, which would be sent to the target’s headset. To listen to the audio you have captured, use the following command:
sox -t raw -r 8000 -c 1 -s -w input.raw -t ossdsp /dev/dsp
Have a lot of fun with this. If now you’re thinking ‘Hmmm. I’d like to write a script to automate the detection and recording of Bluetooth headsets’ then I like your style, but it has already been done. Check out BlueDiving at http://sourceforge.net/projects/bluediving (which automates quite a bit, actually).
Summary
This chapter has been a departure from the rest of this book as it has been purely technical. While I’ve attempted to create a cookbook approach (in which you just follow the instructions) to defeating wireless security, you may only grasp the contents once you’ve actually sat down and attempted one or more of the attacks. You should do this with your own equipment and be comfortable with the results before even thinking about carrying out a wireless attack on a client site. In this chapter, we’ve looked at:
• Wireless Hacking Equipment – These are my personal preferences and we add to them in Chapter 8. You’ve been introduced to BackTrack which is an excellent environment for learning about defeating wireless security and it does a lot of other things besides.
• Wireless Security Standards and Protocols – It makes sense to have a good practical knowledge of the basics of wireless networking before embarking on wireless hacking.
• Wireless Encryption – Encryption and authentication in wireless access points are often the same thing. The two most common shared key systems are WEP and WPA, both of which can be broken. Other systems exist which require a different approach.
• Wireless Network Attacks – This topic covered both discovering wireless access points and defeating common security measures such as encryption and MAC filtering.
• Wireless Client Attacks – This is a relatively new breed of attack that, when correctly deployed, can be used to great effect against even the most secure wireless environments.
• Bluetooth – No chapter on wireless security would be complete without a discussion on Bluetooth. These attacks can be very useful in a physical penetration test and are often overlooked.
Wireless hacking and physical penetration testing – whilst utilizing very different skill sets – go hand in hand. Practice and master the techniques outlined in this chapter even if, initially, they seem foreign to you.