Introduction into Bluetooth and Bluetooth testing__ubertooth


Original https://www.ins1gn1a.com/introduction-into-bluetooth-and-bluetooth-low-energy-testing/

October 2015

Brief

This post is primarily an introduction to Bluetooth and Bluetooth Low Energy testing, along with information on setting up the environment and the tools required.

The references for this post, and the respective links, can be found throughout and in the final section.

Step 1 - Setup

Pre-requisites:

Ubertooth One
USB
Unix-based OS (OS X is compatible)
Software listed below

Software Tools:

Build Guide from Great Scott Gadgets, which also covers the other OS setups: https://github.com/greatscottgadgets/ubertooth/wiki/Build-guide

Install the necessary libraries and tools:

apt-get install cmake libusb-1.0-0-dev make gcc g++ libbluetooth-dev pkg-config libpcap-dev python-numpy python-pyside python-qt4

Next, install the Bluetooth baseband library:

cd /opt && wget https://github.com/greatscottgadgets/libbtbb/archive/2015-09-R2.tar.gz -O libbtbb-2015-09-R2.tar.gz && tar xf libbtbb-2015-09-R2.tar.gz && cd libbtbb-2015-09-R2 && mkdir build && cd build && cmake .. && make && sudo make install

Now the Ubertooth tools can be downloaded and configured:

cd /opt && wget https://github.com/greatscottgadgets/ubertooth/releases/download/2015-09-R2/ubertooth-2015-09-R2.tar.xz -O ubertooth-2015-09-R2.tar.xz && tar xf ubertooth-2015-09-R2.tar.xz && cd ubertooth-2015-09-R2/host && mkdir build && cd build && cmake .. && make && sudo make install && sudo ldconfig

Install the Kismet tools if desired. I have added a one-liner sed command to replace the manual change described in the Build Guide. I have also changed one of the libraries (libncurses-dev) as I kept getting package errors after trying via apt:

cd /opt && sudo apt-get install libpcap0.8-dev libcap-dev pkg-config build-essential libnl-dev libncurses5-dev libpcre3-dev libpcap-dev libcap-dev && wget https://kismetwireless.net/code/kismet-2013-03-R1b.tar.xz && tar xf kismet-2013-03-R1b.tar.xz && cd kismet-2013-03-R1b && ln -s ../ubertooth-2015-09-R2/host/kismet/plugin-ubertooth . && ./configure && make && make plugins && sudo make suidinstall && sudo make plugins-install && sed -i 's/logtypes=pcapdump,gpsxml,netxml,nettxt,alert/logtypes=pcapdump,gpsxml,netxml,nettxt,alert,pcapbtbb/g' /etc/kismet/kismet.conf

You'll likely have Wireshark installed already, so I've omitted the apt install of the base package:

apt-get install wireshark-dev libwireshark-dev && cd /opt/libbtbb-2015-09-R2/wireshark/plugins/btbb && mkdir build && cd build && cmake -DCMAKE_INSTALL_LIBDIR=/usr/lib/x86_64-linux-gnu/wireshark/libwireshark3/plugins .. && make && sudo make install

Lastly, install the btbredr library:

cd /opt/libbtbb-2015-09-R2/wireshark/plugins/btbredr && mkdir build && cd build && cmake -DCMAKE_INSTALL_LIBDIR=/usr/lib/x86_64-linux-gnu/wireshark/libwireshark3/plugins .. && make && sudo make install

To decrypt Bluetooth Low Energy (BTLE) you'll need to use something like crackle to process the pcap file you've output from ubertooth-btle. We'll go into this later, but for now you can just install it with the following one-liner:

cd /opt && git clone https://github.com/mikeryan/crackle.git && cd crackle/ && make && sudo make install

Step 2 - Capturing

Kismet:

Start up Kismet from the command line or the task menu. Once it is running, accept all of the default options (colours, etc.) and start the Kismet server when prompted.

Next you are prompted to add a source interface. Use the following options:

Intf: ubertooth
Name: ubertooth
Opt: [Blank]

Navigate to [Kismet > Plugins > Select Plugin] and enable 'ubertooth_ui.so'. The status will change to 'pending', which is intended.

Logged packets will be stored in the working directory for Kismet, which if you started the application via the command line will be the directory you were in. If this is the case, you can change to that terminal window and see a live output of the Bluetooth packets that were captured, likely displaying the LAP (Lower Address Part).

Upon exiting Kismet the output should be saved to a PCAPBTBB file, which can be imported into Wireshark.

Ubertooth Bluetooth:

Standard Bluetooth is a tough cookie to crack as the protocol is set up to channel hop repeatedly and very, very quickly, hence why the Ubertooth One was created to offload the channel hopping to dedicated hardware. Each hopped packet transmits a LAP, a Lower Address Part, which is one of three address parts used by the protocol. The others are the UAP (Upper Address Part, something we need) and the NAP (Non-significant Address Part), both of which make up the 'company ID' assigned to a network adaptor MAC address.

Lower Address Part - LAP:

The LAP is transmitted with every packet and is easy to demodulate; however, the UAP is the pot of gold at the end of the rainbow. Once we've captured and demodulated at least one Bluetooth packet we then have the LAP. We can do this with the Ubertooth by using the following command without any arguments:

ubertooth-rx

The output will be something vaguely similar to the following, where the LAP is clearly displayed next to the channel (ch).

systime=1444317293 ch=39 lap=28c03f err=2 clk100ns=798510522 clk1=127761 s=-29 n=-62 snr=33

Upper Address Part - UAP:

The UAP is only 8 bits long, and the easiest method to determine its value is a brute-force attack (a maximum of 256 potential values); however, this requires interaction with the target. The NAP is not required as it is ignored in the initial connection process. This is only possible, however, if the target device is in a connectable state.

I won't go into too much detail as the guys over at the Ubertooth project have written a fantastic blog post about their process: http://ubertooth.blogspot.co.uk/2014/06/discovering-bluetooth-uap.html.

As for the commands for determining the UAP, we can run the following:

ubertooth-rx -l 28c03f

This command targets the device with the LAP we identified earlier. The Ubertooth will passively listen and will attempt to identify the hopping pattern of the target device. The method of obtaining the UAP that was created by the Ubertooth team is to reverse the Header Error Check that appears within the header of the packets. An excerpt from the Project Ubertooth blog post relating to this is as follows:

Our technique to compute the UAP is by reversing the Header Error Check (HEC) that appears at the end of the header of every packet that has a header. The HEC is an 8 bit value computed from the master's UAP and the header bytes. The purpose of the HEC is to allow a receiver to verify that a packet header was received correctly, without any unrecovered bit errors. We assume that we received the packet without bit errors (which is true most of the time). After decoding the HEC and the packet bytes it is possible to determine the one missing variable, the UAP. This is particularly easy because Bluetooth's HEC algorithm is reversible; we can run it forward to determine the HEC from the UAP and packet bytes, or we can run it backward to determine the UAP from the HEC and packet bytes.

Every Bluetooth packet is whitened or scrambled by XOR with a pseudo-random bit sequence before transmission. Since the packet header is whitened, we have to unwhiten it before we can reverse the HEC algorithm.

There are 64 possible pseudo-random sequences that can be used to whiten a packet. The particular sequence is selected by the lower six bits of the master's clock (CLK1-6) that is used for other things such as synchronizing the frequency hopping pattern.

When we receive a packet, we try each of the 64 possible CLK1-6 values. For each value, we determine the whitening sequence, unwhiten the packet using that sequence, and reverse the HEC algorithm to determine the UAP. This gives us 64 candidate UAP values, so we've reduced the search space from 8 bits to 6 bits. Because we have a way to compute the UAP for a particular CLK1-6, we take the approach of trying to determine CLK1-6.

There is one easy way to determine the correct CLK1-6. If a packet has a payload that includes a cyclic redundancy check (CRC), then we can use the CRC to verify that we have unwhitened the packet correctly. If one of our possible CLK1-6 values results in a CRC match, then we win.

The main problem with the CRC approach is that it only works on packets that have CRCs. If you look through the Bluetooth Core Specification, you'll find that only certain packet types have payloads with CRCs, and it turns out that these are the minority of Bluetooth packets in the wild. It is very common to capture thousands of packets from a piconet without ever capturing one with a CRC with Ubertooth. Because of this, we needed another way to determine if a CLK1-6 value is correct or incorrect.
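The reversibility the excerpt relies on is worth seeing in code. The block below is an added illustration, not code from this post or from the Ubertooth project: it runs the Core Specification's 8-bit HEC LFSR forwards (UAP plus header bits in, HEC out) and backwards (header bits plus HEC in, UAP out), and includes the consistency check that lets a later packet confirm or contradict a recovered UAP. It assumes a 10-bit header fed LSB first, the UAP loaded with bit j in stage a_j, and the HEC read out the same way; on-air bit ordering and whitening are not modelled.

```python
# Bluetooth BR/EDR Header Error Check (HEC) run forwards and backwards.
# Assumptions, not taken from the post: the 8-bit LFSR g(D) = D^8 + D^7 + D^5
# + D^2 + D + 1 from the Core Specification, loaded with the UAP (UAP bit j in
# stage a_j), fed the 10 header bits LSB first; the HEC is the final state read
# out the same way. On-air bit ordering and whitening are not modelled.

TAPS = (1, 2, 5, 7)   # stages whose input is XORed with the feedback bit

def hec_forward(uap: int, header: int) -> int:
    """HEC the transmitter appends for this UAP and 10-bit header."""
    reg = [(uap >> j) & 1 for j in range(8)]          # reg[j] is stage a_j
    for i in range(10):                                # header bits, LSB first
        f = ((header >> i) & 1) ^ reg[7]               # feedback = data ^ a_7
        reg = [f] + [reg[j - 1] ^ (f if j in TAPS else 0) for j in range(1, 8)]
    return sum(bit << j for j, bit in enumerate(reg))

def uap_from_hec(header: int, hec: int) -> int:
    """Undo each LFSR step from the final state: the initial state is the UAP.
    This is the reversal the Ubertooth technique relies on."""
    reg = [(hec >> j) & 1 for j in range(8)]
    for i in reversed(range(10)):                      # undo the last bit first
        f = reg[0]                                     # stage 0 always holds f
        prev = [reg[j] ^ (f if j in TAPS else 0) for j in range(1, 8)]
        prev.append(f ^ ((header >> i) & 1))           # old a_7 = f ^ data bit
        reg = prev
    return sum(bit << j for j, bit in enumerate(reg))

def consistent(uap: int, header: int, hec: int) -> bool:
    """Check a later (unwhitened) packet against an already-recovered UAP.
    False means the packet conflicts with that UAP: either a bit error slipped
    through, or the UAP was wrong and should be discarded."""
    return hec_forward(uap, header) == hec

if __name__ == "__main__":
    uap, header = 0x47, 0x155                          # constructed sample values
    hec = hec_forward(uap, header)
    print(f"HEC for UAP 0x{uap:02x}: 0x{hec:02x}")
    print(f"UAP recovered from header+HEC: 0x{uap_from_hec(header, hec):02x}")
    # every UAP gives a distinct HEC for a fixed header, so the inverse is unique
    print("distinct HECs over all 256 UAPs:",
          len({hec_forward(u, header) for u in range(256)}))
```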

Unfortunately there is a problem with error checking when trying to obtain the UAP, which means you can obtain the UAP and then actually lose it. This happens when a packet is received that conflicts with the identified UAP, which then renders it void.

Bluetooth Low Energy (BTLE):

Capturing BTLE is fairly straightforward. Initially you'll want to find connections and output the data to a pcap file for later cracking using crackle. Much like the ubertooth-rx tool it's possible to follow connections, sniff promiscuously, and set addresses to follow rather than listening to all connections.

Basic capture to stdout can be performed with the following command:

ubertooth-btle -p

This will enable promiscuous mode and will output data that looks similar to this:

systime=1444318925 freq=2440 addr=43bf3d62 delta_t=0.800 ms
9f 8a 2b
Data / AA 43bf3d62 (valid) /  0 bytes
    Channel Index: 17
    LLID: 1 / LL Data PDU / empty or L2CAP continuation
    NESN: 0  SN: 0  MD: 0

    Data:
    CRC:   9f 8a 2b

Ideally, what we are looking for is to capture connection and pairing requests, along with the necessary responses. Once we've done that we can move on to decryption with crackle.

Crackle:

Using the newly-created pcap file from the ubertooth-btle session earlier we can run crackle, passing the pcap file with the -i (input) argument. For this to actually decrypt the data we need to also specify an output file with -o:

crackle -i btle-capture.pcap -o btle-decrypted.pcap

If we are able to capture the pairing then we can obtain the encryption key (LTK - Long Term Key) that is used to encrypt the data, and since these keys are reused on the paired devices we could continue to decode and decrypt future data if we are in proximity of the devices again.

Crackle can crack the encryption key and will decrypt any data that is sent during the connected session. If the key is specified along with encrypted data in a pcap file then crackle will decrypt the data too:

crackle -i btle-capture.pcap -o btle-decrypted.pcap -l 11223344556677889900aabbccddeeff

This will decrypt the captured data encrypted with the aforementioned LTK (Long Term Key) and output it to the 'btle-decrypted' pcap file.

Other Options

Pentura Labs offer some very good information on other avenues and tools that can be used to decrypt BTLE and Bluetooth. The main article I'm referring to can be found here.

Tools such as hcidump, csrsniff, and the brute-force bt-uap-search.rb file (which I cannot seem to find anywhere else on the internet).

For csrsniff the C code can be found on Google Code, although you'll need to compile it manually:

gcc csrsniff.c -o csrsniff -lbluetooth

Once complete the binary file will be executable. The -h argument provides some information on the tool's functionality.

Step 3 - Analysis

Wireshark:

Open Wireshark and navigate to [File > Open] and select the PCAPBTBB file, which should be imported and readable much like network TCP/IP captures.

References

With Bluetooth Low Energy comes low security
Sniffing Bluetooth Smart and cracking its crypto
Ubertooth project - discovering the UAP
Pentura Labs - Bluetooth sniffing
Why bother?
