Bluetooth Pentesting Tools (HW/SW)

From Embedded Lab Vienna for IoT & Security
Jump to: navigation, search

Summary

This article describes various tools for bluetooth penetration testing and aims to provide an overview to choose the right tool for a use case.

Requirements

  • Operating system: Kali Linux amd64 2019.2
  • Packages: Individual shown for each tool

In order to use hardware pentesting devices a dedicated installation of kali linux is recommended but it is also possible to use hypervisors which are capable of passing USB devices from the host- to the guestsystem e.g. VMWare Workstation or the free hypervisor VirtualBox.

Information gathering

The offical linux bluetooth protocol stack BlueZ is already installed on kali linux but can be installed on other linux maschines with:

apt install -y bluez bluez-utils
systemctl start bluetooth.service
systemctl status bluetooth.service

Bluetoothservice.PNG

hcitool

To start with penetration testing we need to gather information about our environment, for this purpose scan for available bluetooth devices with the included packages 'hcitool' or 'bluetoothctl'.

First check if your bluetooth device is available:

hciconfig

Hciconfig.PNG

Scan for BR/EDR Bluetooth devices with hcitool:

hcitool scan

Scanbr.PNG

In order to scan for BLE devices use:

hcitool lescan

bluetoothctl

Alternatively you can use bluetoothctl which is also included in the bluez-utils package:

Btctl.PNG

bettercap

This Software is described in the Bettercap Documentation.

bluelog

Another great tool for bluetooth device discovery is 'bluelog'. It is extremly lightweight and can be automated for background usage without user intervention. Bluelog is already preinstalled on kali linux but can be installed with:

apt install -y bluelog

To start scanning for bluetooth devices use:

bluelog -nmtc

(n=log device names;m=log manufacturer;t=log timestamps of discovery;c=log device class)

Bluelog.PNG

Capturing bluetooth traffic

btmon

With the preinstalled package 'btmon' it is possible to capture traffic between the HCI and the controller:

btmon --write ~/Documents/bttraffic.snoop

These files can be viewed and analysed with 'Wireshark' which is also preinstalled on kali linux.

Wireshark

Alternatively you can capture bluetooth traffic directly with Wireshark. Start Wireshark with...

wireshark -w ~/Documents/bttraffic.snoop

...and select your bluetooth interface e.g. bluetooth0 or bluetooth1.

Wiresharkhciscan.PNG

Bluetooth Pentesting Software

In the following chapter we will present some software pentesting tools which are used for ethical bluetooth device hacking.

BlueMaho

BlueMaho is a tool suite for bluetooth device pentesting and provides various exploits. It is written in python and uses wxPython. The feature set includes: scanning, tracking, alerts on new devices or targeted devices, sending files or changing BT values like the BD_ADDR.

Although it is still listed in the kali linux tool list, it has to be manually installed:

apt install autoconf build-essential build-dep git python-wxtools 
git clone https://github.com/zenware/bluemaho
cd bluemaho/config
./build.sh

In order to run the GUI use:

./bluemaho.py

Bluemaho.PNG

GATT Tool

Before you can start using the GATT Tool you need to know the Bluetooth Address of the victim device. For gathering this information you can use the hcitool, which is described above.

The GATT Tool has a powerful interactive mode. During this mode the devices stay connected and you can use more than one handle sequentially.

sudo gatttool -I <Bluetooth interface> -b <BD_ADDR>
connect

To get the name of your Bluetooth interfaces use hciconfig, which is described above.

The Interactive mode also allows to list the characteristics of the connected device and control them.

 characteristics

Depending on the Privileges you can Read, Write characteristics of the device.

 Read:
 char-read-hnd <handle>
   
 Write:
 char-write-req <handle> <write value>
 or
 char-write-cmd <handle> <write value>


The Privileges are described in the following graph

CharacterProperties.png

An example of an guided exploit can be found at the Mipow Playbulb: Bluetooth Connection Sniffing documentation

Bluepot

Bluepot is a Bluetooth Honeypot written in Java, it is designed to accept and store any malware sent to it and interact with common Bluetooth attacks. The system also allows monitoring of attacks via a graphical user interface that provides graphs, lists, a dashboard and further detailed analysis from log files.

In order to install bluepot use following commands:

wget https://github.com/andrewmichaelsmith/bluepot/raw/master/bin/bluepot-0.1.tar.gz
tar xfz bluepot-0.1.tar.gz
java -jar bluepot/BluePot-0.1.jar

Bluepot.PNG

spooftooph

Spooftooph is designed to automate spoofing or cloning Bluetooth device information. The software is able to clone and log bluetooth devices, generate or change new random bluetooth profiles and specify device information for bluetooth interfaces.

E.g.: Spoof your own device address for the interface hci0:

Btspoofbdaddr.PNG

Bluetooth Pentesting Hardware

For hardware pentesting devices like the Ubertooth one please see following documentations:

References