Credit:
The information has been provided by Ollie Whitehouse of @stake.
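RedFang is a small proof-of-concept application that finds non-discoverable Bluetooth devices. It does this by brute-forcing the last six (6) bytes of the device's Bluetooth address and doing a read_remote_name() on each candidate. (In the listing below, the six brute-forced positions are hexadecimal digits, i.e. the low three bytes of the address, under the fixed prefix 00:80:98.) The point for defenders is that non-discoverable mode only suppresses inquiry responses; a device that is still connectable answers a name request sent directly to its address.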
Tool:
/*
RedFang - The Bluetooth Device Hunter
Copyright (C) 2003 @stake inc
Written 2003 by Ollie Whitehouse <ollie@atstake.com>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 2 as
published by the Free Software Foundation;
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY CLAIM,
OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER
RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
USE OR PERFORMANCE OF THIS SOFTWARE.
ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, COPYRIGHTS,
TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS SOFTWARE IS DISCLAIMED.
*/
/*
* $Id: fang.c,v 1.00 2003/04/20 13:00:00 ollie Exp $
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <fcntl.h>
#include <errno.h>
#include <limits.h>
#include <ctype.h>
#include <termios.h>
#include <fcntl.h>
#include <getopt.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <asm/types.h>
#include <netinet/in.h>
#include <bluetooth/bluetooth.h>
#include <bluetooth/hci.h>
#include <bluetooth/hci_lib.h>
/* getopt(3) state; <getopt.h> declares these as well, the listing repeats them. */
extern char *optarg;
extern int optind, opterr, optopt;

/*
 * Loop header that walks getopt_long() over the argc/argv of the enclosing
 * function. A NULL short-option string is replaced by "+". Nothing in this
 * listing invokes the macro.
 */
#define for_each_opt(opt, long_opts, short_opts) \
    while ((opt = getopt_long(argc, argv, short_opts ? short_opts : "+", long_opts, NULL)) != -1)

/* Defined further down, after the command table it prints. */
static void usage(void);

/* Long options of the "hunt" sub-command; only --help is listed. */
static struct option hunt_options[] = {
    { "help", no_argument, NULL, 'h' },
    { NULL,   0,           NULL, 0   }
};

/* Usage text printed by cmd_hunt() when the timeout argument is missing. */
static char *hunt_help =
    "Usage:\n"
    "\thunt <timeout>\n";
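/*
 * cmd_hunt - "hunt" sub-command: request the name of every address under the
 * fixed 00:80:98 prefix and print the ones that answer.
 *
 * The low six hexadecimal digits (three bytes) of the address are enumerated
 * in ascending order, 16^6 = 16,777,216 candidates. A name request that
 * succeeds shows that the device at that address is reachable by anyone who
 * knows or guesses the address, which is the exposure this proof of concept
 * demonstrates.
 *
 * dev_id  local HCI device selected with -i, or a negative value to let
 *         hci_get_route() pick one for each probe
 * argc    number of entries in argv
 * argv    after the optind adjustment (main() leaves optind at 0) argv[0] is
 *         the command word and argv[1] the timeout handed to
 *         hci_read_remote_name()
 *
 * Prints the usage text and exits with status 1 when the timeout is missing or
 * is not a non-negative decimal integer that fits in an int. Exits with status
 * 1 when no local HCI device can be selected or opened.
 */
static void cmd_hunt(int dev_id, int argc, char **argv)
{
    enum { HUNT_CANDIDATES = 1 << 24 };  /* six hex digits */
    bdaddr_t bdaddr;
    char name[248];
    char addtobrute[18];                 /* "XX:XX:XX:XX:XX:XX" plus NUL */
    char *end;
    long parsed;
    unsigned long candidate;
    int btout, dd, route;
    size_t i;

    printf("redfang - the bluetooth hunter ver 1.00.alpha\n");
    printf("(c)2003 @stake Inc\n");
    printf("author: Ollie Whitehouse (ollie@atstake.com)\n");

    argc -= optind;
    argv += optind;

    if (argc < 2) {
        /* fputs, not printf: the help text must never be used as a format string. */
        fputs(hunt_help, stdout);
        exit(1);
    }

    /*
     * strtol instead of atoi so that a non-numeric argument (for example
     * "--help") is rejected instead of silently becoming a timeout of 0.
     */
    errno = 0;
    parsed = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE ||
        parsed < 0 || parsed > INT_MAX) {
        fputs(hunt_help, stdout);
        exit(1);
    }
    btout = (int)parsed;

    printf("timeout: %d\n", btout);
    printf("starting...\n");

    for (candidate = 0; candidate < (unsigned long)HUNT_CANDIDATES; candidate++) {
        /* Bounded formatting; produces the same uppercase string the digit table built. */
        snprintf(addtobrute, sizeof addtobrute, "00:80:98:%02lX:%02lX:%02lX",
                 (candidate >> 16) & 0xFFUL,
                 (candidate >> 8) & 0xFFUL,
                 candidate & 0xFFUL);

        /* debug purposes */
        printf("%s\n", addtobrute);

        /*
         * str2ba() fills the caller's bdaddr_t directly. The strtoba() call
         * it replaces returned heap memory that was never freed, once per
         * candidate.
         */
        str2ba(addtobrute, &bdaddr);

        /* Honour the device chosen with -i; only route when none was given. */
        route = dev_id;
        if (route < 0)
            route = hci_get_route(&bdaddr);
        if (route < 0) {
            fprintf(stderr, "Device not available\n");
            exit(1);
        }

        dd = hci_open_dev(route);
        if (dd < 0) {
            fprintf(stderr, "HCI device open failed\n");
            exit(1);
        }

        /* try to get name of remote device - btout is the timeout */
        if (hci_read_remote_name(dd, &bdaddr, sizeof(name), name, btout) == 0) {
            /* Do not rely on the library for termination. */
            name[sizeof(name) - 1] = '\0';

            /*
             * The name is chosen by the remote device, so ASCII control bytes
             * (ESC included) are replaced before it reaches the terminal.
             */
            for (i = 0; name[i] != '\0'; i++) {
                if (iscntrl((unsigned char)name[i]))
                    name[i] = '?';
            }

            /*
             * Report the address string that was probed; the batostr() call
             * used here before returned heap memory that was never freed.
             */
            printf("\n.start--->\naddress :- %s\nname :- %s\n<.end-----\n",
                   addtobrute, name);
        }

        close(dd);
    }
}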
/*
 * Sub-command dispatch table, terminated by an entry whose cmd is NULL.
 * main() matches argv[0] against cmd and calls func; usage() prints cmd and doc.
 */
struct {
    char *cmd;                                        /* command word */
    void (*func)(int dev_id, int argc, char **argv);  /* handler for the command */
    char *doc;                                        /* one-line description */
} command[] = {
    { .cmd = "hunt", .func = cmd_hunt, .doc = "Get name from remote device" },
    { .cmd = NULL,   .func = NULL,     .doc = NULL }
};
/*
 * usage - print the banner, the global options and one line per entry of the
 * command table to stdout.
 */
static void usage(void)
{
    int idx = 0;

    fputs("redfang - the bluetooth hunter ver 1.00.alpha\n", stdout);
    fputs("usage:\n"
          "\tfang [options] <command> [command parameters]\n", stdout);
    fputs("options:\n"
          "\t--help\tDisplay help\n"
          "\t-i dev\tHCI device\n", stdout);
    fputs("commands:\n", stdout);

    /* The table ends at the first entry without a command word. */
    while (command[idx].cmd) {
        printf("\t%-4s\t%s\n", command[idx].cmd, command[idx].doc);
        idx++;
    }

    fputs("\n"
          "For more information on the usage of each command use:\n"
          "\tfang <command> --help\n", stdout);
}
/*
 * Long options accepted before the command word:
 * --help takes no argument, --device takes one (same as -i).
 */
static struct option main_options[] = {
    { "help",   no_argument,       NULL, 'h' },
    { "device", required_argument, NULL, 'i' },
    { NULL,     0,                 NULL, 0   }
};
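/*
 * main - parse the global options, then dispatch to the sub-command named by
 * the first remaining argument.
 *
 * -i/--device selects the local HCI device; -h/--help or any unrecognised
 * option prints the usage text and exits with status 0, as does a command
 * line without a command word.
 *
 * Returns 0 after the sub-command handler returns, 1 when the command word
 * matches no table entry.
 */
int main(int argc, char **argv)
{
    int opt, i, dev_id = -1;
    bdaddr_t ba;

    /* The leading '+' stops option parsing at the first non-option argument. */
    while ((opt = getopt_long(argc, argv, "+i:h", main_options, NULL)) != -1) {
        switch (opt) {
        case 'i':
            dev_id = hci_devid(optarg);
            if (dev_id < 0) {
                perror("Invalid device");
                exit(1);
            }
            break;
        case 'h':
        default:
            usage();
            exit(0);
        }
    }

    /* Drop the parsed options so that argv[0] is the command word. */
    argc -= optind;
    argv += optind;
    optind = 0;

    if (argc < 1) {
        usage();
        exit(0);
    }

    /* A device named with -i must have a readable address before it is used. */
    if (dev_id != -1 && hci_devba(dev_id, &ba) < 0) {
        perror("Device is not available");
        exit(1);
    }

    for (i = 0; command[i].cmd; i++) {
        /* Only the first three characters of the command word are compared. */
        if (strncmp(command[i].cmd, argv[0], 3))
            continue;
        command[i].func(dev_id, argc, argv);
        return 0;
    }

    /* An unmatched command word used to fall through silently with status 0. */
    fprintf(stderr, "Unknown command - \"%s\"\n", argv[0]);
    usage();
    return 1;
}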
| Subject:
|
Redfang |
Date: |
26 Mar. 2006 |
| From: |
|
how do i implement this code on a pda.
many thanks |
|
| Subject:
|
Redfang |
Date: |
12 Apr. 2006 |
| From: |
hockeyplayer12345hotmail.com |
| How do u download this on a computer? |
|
| Subject:
|
Redfang |
Date: |
7 May 2006 |
| From: |
illirate |
| if you don't know what the hell is this, If you don't get what language is this, If you don't know what a language is, then don't bother trying to make this work. Making it simple: script-kiddies and lamers don't mess around, don't bother. |
|
| Subject:
|
RedFang |
Date: |
15 May 2006 |
| From: |
dacooldude |
| well this program is written in C++ i think but the point is hjow can one make it run on da comp or mobile to actually hack |
|
| Subject:
|
men and boys.... |
Date: |
25 May 2006 |
| From: |
veccy
"how do you download this".....?
ahahahahahaha.... HAHHAHAHA. don't even try unless you have programming experience. |
|
| Subject:
|
RedFang |
Date: |
30 May 2006 |
| From: |
General Hotentop |
| I agree. This is out of the league of the less-experienced. |
|
| Subject:
|
RedFuck |
Date: |
3 Jun. 2006 |
| From: |
Blah |
| Why dont anyone compile it to sis file for Symbian .? iT C , raight ? |
|
| Subject:
|
RedFang |
Date: |
24 Jun. 2006 |
| From: |
odie |
Does anyone know how long it takes for this to run in the worst case? I mean has anyone figured out the average time per attempt? This would run 16 to the 6th power = 251,658,240 times in the worst case. I just wonder if that would complete in minutes, hours, or days.
I'm not too familiar with bluetooth, but is there a specific reason (aside from arbitrarily cutting down the amount of addresses to brute force) why the MAC address this RedFang uses starts with 00:80:98:? |
|
| Subject:
|
bluetooth |
Date: |
25 Jun. 2006 |
| From: |
paleface |
#include <bluetooth/bluetooth.h>
#include <bluetooth/hci.h>
#include <bluetooth/hci_lib.h>
where can i get these bluetooth libraries? |
|
| Subject:
|
bluetooth libs |
Date: |
30 Jun. 2006 |
| From: |
0x90 |
You'll find them in the BlueZ implementation. In my case, where I use Gentoo, I issue the command:
emerge bluez-utils
This will also automatically install bluez-firmware, bluez-kernel, bluez-libs as the above depends on these.
/0x90 |
|
| Subject:
|
redfang |
Date: |
11 Sep. 2006 |
| From: |
technobaz |
how can you import this code to a cell/mobile phone?
also can you run .tar files on a phone?
thanks. |
|
| Subject:
|
whoever |
Date: |
21 Sep. 2006 |
| From: |
logan |
whoever you guys are that bag out people should go fuck yourselves.... cause you all are the same think your so good an think you know stuff well ya all are phonies...
sorry bout that guys i really hate seeing people bag others that wanna learn....
|
|
| Subject:
|
Hacking by Sony Ericcson K750i |
Date: |
6 Oct. 2006 |
| From: |
wik_crashyahoo.com |
i need tool for hacking by SE k750i.
would u tell me how to do it?
i need the software..
many thanks |
|
| Subject:
|
jumped up wannabees |
Date: |
7 Nov. 2006 |
| From: |
code crackpot |
| listen you illirate stop thinking your something special because you know c++ its only jumped up basic,i was assembling+disassembling machine code when i was 12.so instead of taking the piss help the lad out!!! |
|
| Subject:
|
Help Me |
Date: |
19 Nov. 2006 |
| From: |
Mommas Boy |
| Just Compile it ! |
|
| Subject:
|
Mac OS X |
Date: |
22 Nov. 2006 |
| From: |
8JJD |
Im cant remember for the life of me where to get the bluetooth libraries for mac os x.
I would appreciate it if anybody knows if you could post where they are located.
Thank you in advance. |
|
| Subject:
|
OS X and fools |
Date: |
6 Dec. 2006 |
| From: |
naxxtor |
I'm pretty sure there is a BSD port of bluez, which would be prefereable in this case.
And to the people who can't work out what to do with this, thanks for the laugh! As for implementing it on "a phone", I somewhat doubt that J2ME is going to cope with this - Symbian shouldn't be a problem, though. |
|
| Subject:
|
HI |
Date: |
17 Dec. 2006 |
| From: |
wedgemcwedgegmail.com |
| Hi, sorry again but im new to this whole tech thing and i really want to learn. Could someone please write me and idiot proof guide in order so i can put this redfang app on my sony ericsson w900i? Many thanks |
|
| Subject:
|
Bluehacking |
Date: |
26 Dec. 2006 |
| From: |
RED |
| I want to know how to install this in my K700i and/or Windows xp SP2 |
|
| Subject:
|
Win |
Date: |
29 Dec. 2006 |
| From: |
RED |
Can i use this only in linux?
Can i decompile it in Windows?
|
|
| Subject:
|
all |
Date: |
2 Feb. 2007 |
| From: |
schiki |
- its only for Linux, because of the linux-bluetooth-stack
- you cant get it as *.jar file because it isnt java
- for running this tool you need all bluez-headers -> look at the source
- if you need to search bluetooth-devices via mobile search for BTBrowser.jar
- ...be sure what you are doing ;-) |
|
| Subject:
|
noobs |
Date: |
9 Feb. 2007 |
| From: |
gigabite1123dodgeit.com |
| You Noobs, quit posting how can i hack this or that. And quit posting how do I install this. You fucking script kiddies don't need this kind of stuff. If you don't know how to compile source code.. you shouldn't be asking to hack this or that. 2nd. good for you dude.... glad you can read assembly... no one cares... the only thing it's used for now... is really fast programs... or disassembly. and dude... if you wanna compile it and pass it out.. go for it you uber leet haxor. A legit question.. where to get the libraries... that is initiative. |
|
| Subject:
|
I have to agree |
Date: |
20 Feb. 2007 |
| From: |
ninja9_2001 |
| I have to agree, any one who just wants to use this to fuck around with but doesn't know how to compile it, you may be beyond your league. Even if you do manage to get it compiled you will probably be asking yourself "OK, Now what?" The point is, if you want to learn this awesome sh!t, do like the rest of us did, and start at the beginning. You cant learn to be the best by skipping the basic essentials.....now, how the fcuk do i compile this cr4p? lol jk ;-) |
|
| Subject:
|
Anyone compiled this |
Date: |
1 Mar. 2007 |
| From: |
jtw |
redfang.cpp:106: error: invalid conversion from 'unsigned char*' to 'const char*'
|
|
| Subject:
|
ffs |
Date: |
1 Apr. 2007 |
| From: |
fazed |
ffs if you guys want this program for your mobile phone
just make it in java or symbian c your self..
bluesnarfing tools arn't even that hard to make!!!
if you cant write one or cant even compile this one
you shouldn't even have it.
thanks,
[fazed] |
|
| Subject:
|
Amazing |
Date: |
31 May 2007 |
| From: |
rsaxvc |
beautiful-
open source software available only in source
|
|
| Subject:
|
windows |
Date: |
5 Jun. 2007 |
| From: |
bazhef |
can this be used with windows or is it for linux only?
or can the code be converted to suit windows? |
|
| Subject:
|
Where do we get the headers |
Date: |
7 Jun. 2007 |
| From: |
DVN |
Headers like 'unistd' , 'termios'........ are not in the standard C++ libraries
Where can we find them?
I'll be really thankful if you can tell me where to get those headers |
|
| Subject:
|
Dont just check TDKs |
Date: |
8 Aug. 2007 |
| From: |
Details |
The sample code only looks at the MAC 00:80:98 - a TDK device. I have a list of 10,400 other valid MACs, e.g. 00:19:A1 is an LG phone MAC. I don't know how many more MACs have been created since the list I have was produced.
So to check the entire valid hardware address space, you'd have to go through:
256 ^ 3 = 16777216 devices per MAC
16777216 * 10400 MACs = 174,483,046,400 legal addresses
Or you can go through all 281,474,976,710,656 possible addresses just to be safe
|
|
| Subject:
|
Bluetooth |
Date: |
24 Oct. 2007 |
| From: |
Mdhluli |
| Guys lets face it, this thing alone is useless. Even if i have the last digits of the MAC address, i stil got a trillion guesses to make. Well, this thing is a start but thats just wat it is, a start. |
|
| Subject:
|
RedFANG |
Date: |
24 Oct. 2007 |
| From: |
Mdhluli |
| I got screwed wit this redfang. I was able to open the class archive(with the help of my genius friend) and i tried to complile a symbian signature file using .sisx bluetooth software as a blueprint but my N95 failed 2installed and it froze. When i removed the rebooted the system, important boot files have been deleted any my bluetooth is permanently disabled. I reset all factory settings and formated my MMC and i got a system error msg upon restart. |