Bluetooth Pentesting guide 101



Just interesting in daily life that we cant see properly called signals that we can't see with our own eyes

but devices can do there many wireless communication are there like

Wireless Communication protocols in IoT:

  1.  wifi (wireless fidelity)
  2.  bluetooth 
  3.  zigbee
  4.  zwave 
  5.  LoRA
  6.  GSM
But let's get into the topic Mostly relevant 

Vulnerabilities in Bluetooth:

  1.  Authentication and authorization issues
  2.  MiTM
  3.  DoS
  4.  MAC Spoofing
  5.  PIN Cracking
  6.  Brute force

In android Bluetooth mostly we will get this type vulnerability:

  1.  RCE        Remote code Execution
  2.  EoP        Elevation of Privilege
  3.  ID         Information Disclosure
  4.  DoS        Denial of Service
  5.  PAIR       Pairing without Auth

In major level: 

  1.  Hardware
  2.  Memory Leakage 
  3.  

 Well same procedure what we scan the surrounding devices and start attacks from the write-ups available in google

Let’s see little difference right now we need to know how Bluetooth works

Lets start with Required installation tools: 

A written bash script for the BLE Pentesting tools to install in a Ubuntu or debian OS 
just download from here

wget https://raw.githubusercontent.com/IoTSecurity101/BLE-UAE/master/ble_uae.sh

And give the permission to run chmod +x ble_uae.sh



#./ble_uae.sh


Will install requirement tools with dependencies as well.All good with tools what i need to do just need to understand what to do before we need to start hacking , fuzzing and MiTM on BLE devices

ESP32 - Espressif Device
Smartband bought from flipkart - 359 /- Rupees - or we can buy from the banggood or any other online sellers

ESP32      Smartband

Bluetooth Pentest Guide:

---------------------------------


1. Flashing the codes to ESP32
2. Understanding BLE with Mobile App Configuration
3. Recon Techniques 
4. Finding the Vulnerabilities 
5. Python & easy bash scripts 
6. Cheatsheet

General Cheat Sheet



dmesg | egrep -i 'blue|firm'

Hcitool tool:

hciconfig - sudo apt-get install bluez


For Non LE Devices:

hcitool scan - to scan the basic bluetooth devices
hcitool info <baddr> - 


For LE Devices :

hcitool lescan - for scanning the LE devices 
hcitool leinfo <baddr> - for getting the info of the LE Devices

Install bleak 

sudo pip3 install bleak
sudo pip install service_identity

Usage : sudo bleak-lescan

SDPTOOL :

sudo sdptool browse --tree --raw <baddr> : Browse all available services on the device specified by a Bluetooth address as a parameter




Comments

Post a Comment

Popular posts from this blog

VR Model P1 - 360 degree camera

Image
This article is one of my very old assessment for fun i did (and it is done 2017) got it by recovering hard disk and assigned CVE ID - (CVE-2020-23512) . Here my target to  test 360 degree camera which trending in the IP camera world recently, what we going test model P1 VR camera. What is VR camera..? In photography, an omnidirectional camera (from "Omni", meaning all) is a camera with a 360-degree field of view in the horizontal plane, or with a visual field that covers (approximately) the entire sphere. Omnidirectional cameras are important in areas where large visual field coverage is needed, such as in panoramic photography and robotics. VR CAM P1 Proxy Eye Fisheye Camera IP 3D Vr 360 Degree Panoramic 960P Wi-Fi CCTV Camera With Sd Memory Card Slot Multi Viewing Mode Features of this VR CAMERA:    Brand VR CAM Model P1 Product Dimension 15 x 15 x 5 cm Resolution 960p Android/iOS Devices Additional Featur
Read more

Buspirate v3.6 firmware upgrade from USB

Image
Buspirate:  The Bus Pirate v3.6a, created by Ian Lesnet, is a troubleshooting tool that communicates between a PC and any embedded device over 1-wire, 2-wire, 3-wire, UART, I2C, SPI, and HD44780 LCD protocols - all at voltages from 0-5.5VDC. This product eliminates a ton of early prototyping effort when working with new or unknown chips. Upgrading Firmware: buspirate will not come with new firmware so it has to be change by us. buspirate v4 : Supports firmware version 7  buspirate v3.x:  Supports firmware version 6&7 (note : firmware version 7 may hurt the device hardware not fully tested from my side doit in your won risk) Requirements: Buspirate firmware and loader : https://github.com/DangerousPrototypes/Bus_Pirate/tree/master/BPv3-bootloader ICSP pins. in these pins there are two of them which is  PGD and PGC   helps us to load the firmware into it . T he PGC and PGD pins with a jumper cable. When you are in the bootloader, the MODE LED of the Bus Pirate will stay on connect th
Read more

Dumping the Firmware from the device Using buspirate - SPI

Image
One of the best way to get the firmware from the hardware While doing penetration testing there are scenarios in which we need to dump the firmware from the devices.This method is typically used when there are no firmware’s available from vendor site. Today we are going to show you how to dump the firmware from an Wireless router Binatone DT 850W Software and hardware Requirements: Buspirate Ubuntu 16.04 or any other Linux machine Flashrom tool SOIC cable pin 8 Buspirate connectors               This is a Wireless router from Binatone DT 850W which will be used as an example for dumping the firmware. Let’s us Analyze the Inside Device.You can see IC chips like  EEPROM, UART  pins and Ralink  CPU  and also some Other   IC  chips Let us focus mainly on the  EEPROM chip (winbond W25Q16). What is EEPROM : EEPROM (also written E2PROM and pronounced “e-e-prom”, “double-e-prom” or “e-squared-prom”) stands for electrically erasable program
Read more