Bluetooth Sniffer


23 replies to this topic

#1 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 05 August 2008 - 11:20 PM

Busting Bluetooth Myth

After reading this article, I thought I might try to get a USB dongle that has the BlueCore-4 Ext chip in it, so that I may try to modify the dongle just like this security researcher did.

However, it is kind of hard to find what chip is in each USB dongle that comes with various hardware. I thought I might get one cheap with a laptop mouse or a wireless keyboard. Has anybody ever made a bluetooth sniffer? Has anybody played with this? Is this the only way to make a cheap bluetooth sniffer, let alone make a bluetooth sniffer?

I have a wireless RocketFish keyboard that uses bluetooth, but unfortunately the USB dongle that comes with it has a Broadcom chip in it. Broadcom does not really give you access to the same stuff as the one who does the BlueCore4 chip. The BlueCore4 chip has an SDK and a lot of documentation that comes with it, so that's why it is easier to modify a dongle that has one.

Thanks for your help. I have also found that there is documentation for a reference USB dongle that uses the BlueCore4 chip, they call it NanoSira.

#2 Corleone

Corleone

    elite

  • Members
  • 111 posts
  • Location:Belgium

Posted 06 August 2008 - 03:34 PM

Also check out these tools for bluetooth hacking: Bluetooth Penetration Testing Framework
Interesting article.

c

Edited by Corleone, 07 August 2008 - 04:59 PM.


#3 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 09 August 2008 - 05:56 PM

The NanoSira bluetooth dongle can be bought from digikey for $100... which is expensive. The author of the article said he used a $30 bluetooth dongle.

After further googling, I found this thread which gives a list of bluetooth dongles that have the BlueCore4-Ext chip:

Acer Bluetooth Stick - BC2-EXT
Linksys USBBT100 Rev 1
D-Link DBT-120 Rev C1
DELOCK 61478
A7 eb502-HCI
Fujitsu Siemens BLUETOOTH V2.0 - BC4-EXT - there is no known revision for this dongle
Toshiba PA3455U-1BTM
Aircable Host XR
Cellink BTA-6030 Bluetooth Adapter

I then searched for where to buy some of them, and the cheapest seems to be the D-Link DBT-120 Rev C1. I don't know if the one on newegg.com is the Rev C1, but it is 25$ with a 10$ mail-in rebate (15$ in the end). Offer available until the 31st of this month. Get it here, I think I'll order one right away.

Edit: Damn, newegg.com does not seem to ship to Canada. I found it on tigerdirect.ca for $42 :(

Has anybody found a place to buy the Fujitsu Siemens Bluetooth 2.0? I can only find places in Europe.

Edit 2:

Both the USBBT100 and the DBT-120 are Bluetooth 1.1 devices, I cannot find one that I could buy in Canada that supports 2.0. I guess if I buy a bluetooth 1.1 dongle I won't be able to get it to work with all devices, supposing that some of them might be using bluetooth 2.0.

#4 mungewell

mungewell

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 376 posts
  • Location:Planet Earth

Posted 12 August 2008 - 06:52 PM

What's written in the article makes perfect sense, he has replaced the firmware of the bluetooth dongle and changed the MAC address to match the appropriate block so that the paid-for sniffing application accepts it.

He doesn't say which application he used, but my money is on:
http://www.fte.com/p...s/FTS4BT-06.asp

Not cheap, around the $10K mark for each license/dongle. If you have managed to find a source of 'ripped off' firmware, then you might be able to get something going. They did have a demo for download around Oct 2006...
Cheers,
Mungewell.

#5 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 12 August 2008 - 07:08 PM

> What's written in the article makes perfect sense, he has replaced the firmware of the bluetooth dongle and changed the MAC address to match the appropriate block so that the paid-for sniffing application accepts it.
>
> He doesn't say which application he used, but my money is on:
> http://www.fte.com/p...s/FTS4BT-06.asp
>
> Not cheap, around the $10K mark for each license/dongle. If you have managed to find a source of 'ripped off' firmware, then you might be able to get something going. They did have a demo for download around Oct 2006...
> Cheers,
> Mungewell.


I think you are right on it. Quite funny you can get the same thing for just 30$ when it is sold at the $10K mark.

Also, I'm having problems getting a bluetooth dongle in Canada. The best would be a Fujitsu Siemens Bluetooth 2.0 (Europe only) or a D-Link DBT-120 (US + Europe). Do you live in a place where it is easier to buy one? Damn, all the American online sellers charge between 30 to 50$ of SHIPPING alone to send to Canada... It is so frustrating, I don't know what justifies such prices for a small bluetooth dongle.

#6 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 13 August 2008 - 06:43 PM

FINALLY!!! I just bought mine, a DLINK DBT-120 for about 40$ CAN. They are listed on ebay for $18.60 US, here. Very cheap price, get them before they are gone! There are still 11 left at the time of this post. It was very hard to find a good deal that could ship to Canada. As some people said on IRC, Canada is the e-third world...

:D

#7 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 27 August 2008 - 04:34 PM

I have just received my DBT-120 USB Bluetooth adapter Rev C1, bought from ebay (link in my previous post). I am currently on Backtrack3 following instructions very carefully on how to install the special firmware on it. So far so good, I've verified that it had the good chipset:

bt ~ # hciconfig hci0 revision
hci0:   Type: USB
		BD Address: 00:17:9A:2A:FF:58 ACL MTU: 384:8 SCO MTU: 64:8
		HCI 19.2
		Chip version: BlueCore4-External
		Max key size: 56 bit
		SCO mapping:  HCI

I'm following DrGreen's guide here.

I will post more info when I get it working :)

#8 Havoc

Havoc

    "I Hack, therefore, I am"

  • Agents of the Revolution
  • 923 posts
  • Country:
  • Gender:Male
  • Location:Poland

Posted 30 August 2008 - 07:31 AM

Does it mean you can sniff the passphrase and access, for instance, a mobile phone without pairing and browse the content?

#9 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 30 August 2008 - 02:35 PM

> Does it mean you can sniff the passphrase and access, for instance, a mobile phone without pairing and browse the content?


Hum... that's not the same thing, I think it is called bluesnarfing. However, if you can sniff the pairing process with this bluetooth sniffer, you can use btcrack to crack the PIN. You could then use the PIN to do some bluesnarfing.

#10 Havoc

Havoc

    "I Hack, therefore, I am"

  • Agents of the Revolution
  • 923 posts
  • Country:
  • Gender:Male
  • Location:Poland

Posted 30 August 2008 - 02:45 PM

So what can you do with all those sniffed packets?

Is it possible to recreate a voice conversation?

#11 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 31 August 2008 - 10:04 AM

> So what can you do with all those sniffed packets?
>
> Is it possible to recreate a voice conversation?


The videos I've seen that did that used the PIN to pair with the device, and then got the audio, and even injected audio with the carwhisperer tool. Most of the time the PIN is just 0000 so you do not even need to crack it. The sniffer would be useful for cracking the PIN if it is something hard to guess. If you want to intercept the communication without pairing with the device, then I guess you could reconstruct it with the packets, but I'm not sure if there are tools to do it. It would make a nice programming project.

#12 Corleone

Corleone

    elite

  • Members
  • 111 posts
  • Location:Belgium

Posted 31 August 2008 - 11:25 AM

I also got my DBT-120 USB Bluetooth adapter Rev C1 and I am following DrGreen's guide on the backtrack forums.
Thanks for the link Aghaster.

c

#13 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 31 August 2008 - 11:32 AM

> I also got my DBT-120 USB Bluetooth adapter Rev C1 and I am following DrGreen's guide on the backtrack forums.
> Thanks for the link Aghaster.
>
> c


Great :) I have flashed my DBT-120 with the firmware, but it looks like I need a second dongle to scan for other devices (the sniffer cannot do it, it is set to receive all RAW packets). I have a Rocketfish bluetooth dongle that came with my bluetooth keyboard, but even if the keyboard works out of the box, the dongle itself has problems being recognized as a bluetooth adapter. This is a problem as I need it to be recognized as a bluetooth adapter in order to use the scanning tools to let my sniffer find the devices to sniff. I will buy one of those very cheap bluetooth adapters (Broadcom, it does not matter I think for the adapter I use for scanning) from a cheap electronics store.

#14 PurpleJesus

PurpleJesus

    Dangerous free thinker

  • Members
  • 1,578 posts
  • Gender:Male
  • Location:800

Posted 31 August 2008 - 02:37 PM

> inject audio with the carwhisperer tool

As if those folks didn't look schizophrenic enough, does this mean I could use that to be the voice of God?

#15 Havoc

Havoc

    "I Hack, therefore, I am"

  • Agents of the Revolution
  • 923 posts
  • Country:
  • Gender:Male
  • Location:Poland

Posted 31 August 2008 - 02:41 PM

> The sniffer would be useful for cracking the PIN if it is something hard to guess.

And you bought that dongle only for this purpose?

#16 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 01 September 2008 - 09:58 PM

> The sniffer would be useful for cracking the PIN if it is something hard to guess.
>
> And you bought that dongle only for this purpose?

No, you want to do this. I'm not interested in intercepting voice conversations from bluetooth headsets or pulling information out of phones. I want to intercept the communication between my bluetooth keyboard and my computer and try to crack it. And that requires a bluetooth sniffer.

#17 mungewell

mungewell

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 376 posts
  • Location:Planet Earth

Posted 02 September 2008 - 11:21 AM

> The sniffer would be useful for cracking the PIN if it is something hard to guess.
>
> And you bought that dongle only for this purpose?
>
> No, you want to do this. I'm not interested in intercepting voice conversations from bluetooth headsets or pulling information out of phones. I want to intercept the communication between my bluetooth keyboard and my computer and try to crack it. And that requires a bluetooth sniffer.

The FTE/FTS software can be installed in Demo/Viewer only mode without a key. The default install contains some sample captures which show how powerful the sniffing is, if your sniffer is active from before any connection is made between the two target devices then EVERYTHING is decodable.....

Attached file: sniffer_screenshot.PNG (60.09 KB)

Cheers,
Mungewell.

#18 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 02 September 2008 - 11:18 PM

I bought a second dongle today but I still cannot find any device with it. I don't know what is going wrong.

jacob:/home/aghaster# hciconfig hci1
hci1:	Type: USB
	BD Address: 11:11:11:11:11:11 ACL MTU: 672:3 SCO MTU: 48:1
	UP RUNNING PSCAN ISCAN 
	RX bytes:937 acl:0 sco:0 events:22 errors:0
	TX bytes:338 acl:0 sco:0 commands:27 errors:0

(I did hciconfig hci1 up before that)

and then if I try scanning for devices:

jacob:/home/aghaster# hcitool -i hci1 scan
Scanning ...
Inquiry failed: Connection timed out

I don't know what is wrong, I have my bluetooth headset nearby and my bluetooth keyboard, it should be able to find it.

I'm getting a bit lost... maybe I should try to use the Windows tools but I wanted to do it on Linux with the open source tools, to avoid relying on the demo software.

Edit: I was able to find one device, which was my phone when I set it in discoverable mode...
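An added check, not code from this thread or from DrGreen's guide: a small Python parser for the `hciconfig` listings quoted in posts #7 and #18, confirming that the sniffer dongle reports the BlueCore4-External chip and that the second adapter meant for scanning is actually UP and RUNNING. The sample output below is constructed from those two listings; the function names are my own.

```python
import re

# Constructed sample output, modelled on the hciconfig listings quoted in
# posts #7 and #18 above (same BD addresses and values as on the page).
SNIFFER_REVISION = """\
hci0:   Type: USB
        BD Address: 00:17:9A:2A:FF:58 ACL MTU: 384:8 SCO MTU: 64:8
        HCI 19.2
        Chip version: BlueCore4-External
        Max key size: 56 bit
        SCO mapping:  HCI
"""
SCAN_ADAPTER_STATUS = """\
hci1:   Type: USB
        BD Address: 11:11:11:11:11:11 ACL MTU: 672:3 SCO MTU: 48:1
        UP RUNNING PSCAN ISCAN
        RX bytes:937 acl:0 sco:0 events:22 errors:0
        TX bytes:338 acl:0 sco:0 commands:27 errors:0
"""

def parse_hciconfig(text):
    """Reduce one adapter's hciconfig listing to a dict of the fields we care about."""
    info = {"dev": None, "type": None, "bdaddr": None, "chip": None,
            "max_key_bits": None, "flags": set()}
    for raw in text.splitlines():
        m = re.match(r"^(hci\d+):\s+Type:\s*(\S+)", raw)
        if m:
            info["dev"], info["type"] = m.group(1), m.group(2)
            continue
        line = raw.strip()
        m = re.match(r"BD Address:\s*([0-9A-Fa-f:]{17})", line)
        if m:
            info["bdaddr"] = m.group(1).upper()
        elif line.startswith("Chip version:"):
            info["chip"] = line.split(":", 1)[1].strip()
        elif line.startswith("Max key size:"):
            info["max_key_bits"] = int(line.split(":", 1)[1].split()[0])
        elif line.startswith(("UP", "DOWN")):   # status line, e.g. "UP RUNNING PSCAN ISCAN"
            info["flags"] = set(line.split())
    return info

def is_bluecore4_ext(text):
    """True when the dongle reports the BlueCore4-External chip the thread is after."""
    return parse_hciconfig(text)["chip"] == "BlueCore4-External"

def can_scan(text):
    """The second adapter used for inquiry must be UP and RUNNING. PSCAN/ISCAN only
    make the local adapter findable; a remote device still has to be discoverable
    to show up in a scan, which is what post #18's edit ran into."""
    return {"UP", "RUNNING"} <= parse_hciconfig(text)["flags"]
```

Feed it the real output of `hciconfig hci0 revision` and `hciconfig hci1` to check a dongle before flashing or scanning.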

#19 mungewell

mungewell

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 376 posts
  • Location:Planet Earth

Posted 03 September 2008 - 10:06 AM

> I'm getting a bit lost... maybe I should try to use the Windows tools but I wanted to do it on Linux with the open source tools, to avoid relying on the demo software.

I think that you are setting yourself quite a hurdle by attempting not to use the FTS software. Unlike 802.11, Bluetooth is actually pretty secure by design. Once the communication is established, the frequency changes in time slices and these changes can be pseudo random. There are 79 channels, each 1 MHz wide, starting at 2.402GHz and finishing at 2.480GHz.

In order to snoop you will have to control your 'sniffer dongle' to some degree in order to make it follow the jumps of the monitored pair. You will also have to grab/work out what the encryption key is, which is negotiated when a channel is brought up between peers.

If you really want to read up on Bluetooth, it looks like the core specification documents are available here:
http://www.bluetooth...Specifications/

If you want to ask specific questions, PM me and I'll try to help.
Cheers,
Mungewell.

#20 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 03 September 2008 - 03:59 PM

> I'm getting a bit lost... maybe I should try to use the Windows tools but I wanted to do it on Linux with the open source tools, to avoid relying on the demo software.
>
> I think that you are setting yourself quite a hurdle by attempting not to use the FTS software. Unlike 802.11, Bluetooth is actually pretty secure by design. Once the communication is established, the frequency changes in time slices and these changes can be pseudo random. There are 79 channels, each 1 MHz wide, starting at 2.402GHz and finishing at 2.480GHz.
>
> In order to snoop you will have to control your 'sniffer dongle' to some degree in order to make it follow the jumps of the monitored pair. You will also have to grab/work out what the encryption key is, which is negotiated when a channel is brought up between peers.
>
> If you really want to read up on Bluetooth, it looks like the core specification documents are available here:
> http://www.bluetooth...Specifications/
>
> If you want to ask specific questions, PM me and I'll try to help.
> Cheers,
> Mungewell.

Hum yeah but the guides I've seen on the internet use the Linux tools :/
