blucat
Joseph Paul Cohen
Security BSides Boston 2013
http://blucat.sf.net
Transcript of the slides at blucat.sourceforge.net/blucat/wp-content/uploads/2013/10/blucat-bsi…
SOCKETS!
Interposition?
Primary Objective of the Internet
Streams are awesome!
Locally we can just stream files to applications
On the internet this gets a bit of abstraction with sockets
Now we can think about Bluetooth this way too
Use case
cat foo.mpg | [Internet]  | vlc -
cat foo.mpg | [Bluetooth] | vlc -
with netcat
cat foo.mpg | nc machine1 123   ==[Internet]==>   nc -l 123 | vlc -
$ ./blucat
blucat - by Joseph Paul Cohen 2012 - josephpcohen.com
-_-_-_-_-_-_-_,------,
_-_-_-_-_-_-_-|   /\_/\
-_-_-_-_-_-_-~|__( ^ .^)
_-_-_-_-_-_-_-  ""  ""
Usage:
blucat devices : Lists devices
blucat services : Lists all RFCOMM services
blucat services <device> : List RFCOMM services for one device
blucat scan <device> : Scan all RFCOMM channels
blucat -l : Listen for RFCOMM connection
blucat -l <port> : Listen for RFCOMM connection on port
blucat -uuid <uuid> : Listen for UUID and attempt RFCOMM
blucat -l <port> -e <command>: Listen for RFCOMM connection, execute <command> when connection
blucat <server args> -k : Keep the connection alive
blucat -url <url> : Connect to RFCOMM URL
blucat doctor : Run this if it's not working
with blucat
cat foo.mpg | blucat -url btspp://0002723E6A6A:4   ==[Bluetooth]==>   blucat -l 4 | vlc -
with nmap
Starting Nmap 5.21 ( http://nmap.org )
Nmap scan report
Not shown: 846 closed ports, 152 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Discovery
Scanning
Bluetooth URI Moniker:
btspp - Bluetooth serial port profile (RFCOMM)
btl2cap - Logical link control and adaptation protocol
btgoep - OBEX Generic Object Exchange profile (GOEP)
btspp://10643FC98386:17
Bluetooth URI Moniker
Instead of IPs we have MAC addresses
Can be looked up here:
http://standards.ieee.org/develop/regauth/oui/public.html
btspp://10643FC98386:17
Bluetooth URI Moniker
There are 30 channels to choose from
Bluetooth channel width is 1 MHz
btspp://10643FC98386:17
Searching for services on 30F306AAAAAA, "Officejet 6300 series", Trusted:false, ...
"Officejet 6300 series", "OBEX Object Push", "", btgoep://30F306598203:2
"Officejet 6300 series", "Serial Port", "", btspp://30F306598203:1
"Officejet 6300 series", "Basic Printing", "", btgoep://30F306598203:4
"Officejet 6300 series", "Basic Imaging", "", btgoep://30F306598203:3
"Serial Port", "", btspp://30F306598203:1
$./blucat -url btspp://30F306598203:1
$ ./blucat -v -url btspp://30F306598203:1
# Connected
Dear Sir,
Your serial port is showing.
Alcatel one touch 665A
Searching for services on 9471ACAAAAAA, "Alcatel one touch 665A", ...
"AUDIO Gateway", "", btspp://9471ACDBACAD:1
"OBEX Object Push", "", btgoep://9471ACDBACAD:4
"Serial Port0", "", btspp://9471ACDBACAD:11
"Dial-up Networking", "", btspp://9471ACDBACAD:9
"Voice gateway", "", btspp://9471ACDBACAD:2
"Serial Port0", "", btspp://9471ACDBACAD:11
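The moniker grammar and the two `services` listings above, pulled together in an added Python example (my code, not part of blucat): it parses service-discovery lines into records, validates each btspp/btl2cap/btgoep moniker (rejecting RFCOMM channels outside 1..30), and reports which devices advertise a plain serial port, which is the inventory a defender wants before someone else types at it. The sample listing is constructed from the slides; the device-name field is optional because the phone's lines lack it.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample modelled on the `blucat services` listings in the slides,
# one record per line; the phone's records carry no leading device-name field.
SAMPLE_OUTPUT = """\
Searching for services on 30F306AAAAAA, "Officejet 6300 series", Trusted:false, ...
"Officejet 6300 series", "OBEX Object Push", "", btgoep://30F306598203:2
"Officejet 6300 series", "Serial Port", "", btspp://30F306598203:1
"Officejet 6300 series", "Basic Printing", "", btgoep://30F306598203:4
Searching for services on 9471ACAAAAAA, "Alcatel one touch 665A", ...
"Serial Port0", "", btspp://9471ACDBACAD:11
"Dial-up Networking", "", btspp://9471ACDBACAD:9
"Bogus", "", btspp://9471ACDBACAD:99
"""
# Moniker grammar used by blucat: scheme://<12 hex-digit MAC>:<channel>
URI_RE = re.compile(r"^(btspp|btl2cap|btgoep)://([0-9A-Fa-f]{12}):(\d+)$")
# Optional leading device name, then service name, an empty field, the moniker.
SERVICE_RE = re.compile(r'^(?:"([^"]*)",\s*)?"([^"]*)",\s*"([^"]*)",\s*(\S+)$')

# A parsed service record: (device, service name, scheme, MAC, channel)
Service = Tuple[str, str, str, str, int]

def parse_uri(uri: str) -> Optional[Tuple[str, str, int]]:
    """(scheme, MAC, channel) or None; RFCOMM (btspp) channels must be 1..30."""
    m = URI_RE.match(uri)
    if not m:
        return None
    scheme, mac, channel = m.group(1), m.group(2).upper(), int(m.group(3))
    if scheme == "btspp" and not 1 <= channel <= 30:
        return None
    return scheme, mac, channel

def parse_services(text: str) -> List[Service]:
    """Records from blucat output; 'Searching for ...' headers and bad lines are skipped."""
    out: List[Service] = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        parsed = parse_uri(m.group(4)) if m else None
        if parsed is None:
            continue
        scheme, mac, channel = parsed
        out.append((m.group(1) or "", m.group(2), scheme, mac, channel))
    return out

def exposed_serial_ports(services: List[Service]) -> List[str]:
    """Monikers of RFCOMM services advertised as plain serial ports, i.e. the ones
    that accept whatever is typed at them (the AT commands shown in the deck)."""
    return [f"{scheme}://{mac}:{ch}" for _, name, scheme, mac, ch in services
            if scheme == "btspp" and "serial port" in name.lower()]
```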
$ ./blucat -url btspp://9471ACAAAAAA:11
AT+CGMI                                   (typed)
+CGMI: Alcatel
OK
AT+CGMM                                   (typed)
+CGMM: one touch 665A
OK
AT+CGMR                                   (typed)
+CGMR: Alcatel 010 04, 2012/03/05 14:56
OK
More AT Commands?
https://github.com/boos/bluesnarfer/blob/master/src/bluesnarfer.c
http://www.forensicswiki.org/wiki/AT_Commands
http://www.anotherurl.com/library/at_test.htm
http://gatling.ikk.sztaki.hu/~kissg/gsm/at+c.html
On connect execution!
$ ./blucat -v -l -e /bin/bash
# Listening at btspp://002608D6A03A:4
$ ./blucat services
"BlueCatPipe","",btspp://002608D6F03F:4
$ ./blucat -url btspp://002608D6F03F:4 -v
# Connected
Hi
/bin/bash: line 1: Hi: command not found
Details
Java based
Uses BlueCove Java Libraries
Only works with RFCOMM so far
Tested on Mac, Ubuntu with BlueZ
svn co http://svn.code.sf.net/p/blucat/code/trunk/blucat/
x86, x64, ARM
blucat and blucat.arm
$ ./blucat
$ ./blucat.arm
# Launcher script: pick the BlueCove native library for the host, then run Main
if [[ $OSTYPE == *darwin* ]]; then
    LIBS=build/blucat.jar:lib/bluecove-2.1.1-SNAPSHOT.jar...
elif [[ $OSTYPE == *linux* ]]; then
    LIBS=build/blucat.jar:lib/bluecove-2.1.1-SNAPSHOT.jar:lib.arm/bluecove-gpl-2.1.1-SNAPSHOT.jar
fi
# "$@" (quoted) passes arguments through unchanged; BlueCove's own chatter is filtered out
java -cp "$LIBS" Main "$@" 2>&1 | grep -v -E '(Pool|BlueCove)'
(lib or lib.arm)
Java Native Interface
== Somewhere in the program:
System.loadLibrary("bluecove");  // searched for as libbluecove.so in LD_LIBRARY_PATH
== BluetoothStackBlueZ.java:
private native int rfServerGetChannelIDImpl(long handle) throws IOException;
== Some C file (return type jint to match the Java int declaration):
JNIEXPORT jint JNICALL Java_bluecove_rfServerGetChannelIDImpl(JNIEnv *env, jobject obj, jlong handle) { ... }
Bluetooth Backdoor?
POC Android Bluetooth backdoor demo (no code released)
$ pm list packages -f
$ am start 'http://josephpcohen.com'
More: http://www.anddev.org/using_the_am-tool_start_activities-intens_from_a_shell-t368.html
End