How to use bluetooth on Virtual Box for Linux hacking

First you have to pass your USB Bluetooth device through to the virtual machine in VirtualBox. In my case (Dell laptop) this is the internal Intel chipset Bluetooth device, enabled via the VirtualBox USB filter:

Now, after first checking that the device is visible in the guest, install the Bluetooth firmware and drivers on your Linux system:

# check for devices:
lsusb | grep -i bluetooth; echo; dmesg | grep -iE 'bluetooth|hci'

# Install BlueZ, firmware files and helpful tools:
apt install bluetooth bluez bluez-tools bluez-firmware rfkill rfcomm

# Start services:
systemctl start bluetooth.service
systemctl enable bluetooth.service

# Check whether the device is soft-blocked and unblock it:
rfkill --output-all
rfkill unblock bluetooth

# Bring the device up and show its configuration:
hciconfig hci0 up
hciconfig --all

# Start first scanning:
hcitool scan

Important info for BlueZ 5.x installations (check with dpkg -l | grep bluez):
hcitool -i hci0 lescan and the other legacy hcitool commands are not supported there; use bluetoothctl scan le instead!

Get some information about the first discovered devices and the profiles they offer:

# HCITOOL (more info with hcitool -h)
hcitool -i hci0 info <MAC>

# HCITOOL -> Connecting:
hcitool cc <MAC> && hcitool auth <MAC>

# SDPTOOL
sdptool browse <MAC> | grep 'Service Name'

Using bluetoothctl
# Command line for a low energy scan:
bluetoothctl scan le

# Change your BT controller name instantly ;)
bluetoothctl system-alias ilak00

# -----------------------------------------------
#
# bluetoothctl
# ...

[bluetooth]# help
Menu main:
Available commands:
-------------------
advertise                                         Advertise Options Submenu
monitor                                           Advertisement Monitor Options Submenu
scan                                              Scan Options Submenu
gatt                                              Generic Attribute Submenu
admin                                             Admin Policy Submenu
player                                            Media Player Submenu
endpoint                                          Media Endpoint Submenu
transport                                         Media Transport Submenu
mgmt                                              Management Submenu
monitor                                           Advertisement Monitor Submenu
list                                              List available controllers
show [ctrl]                                       Controller information
select <ctrl>                                     Select default controller
devices [Paired/Bonded/Trusted/Connected]         List available devices, with an optional property as the filter
system-alias <name>                               Set controller alias
reset-alias                                       Reset controller alias
power <on/off>                                    Set controller power
pairable <on/off>                                 Set controller pairable mode
discoverable <on/off>                             Set controller discoverable mode
discoverable-timeout [value]                      Set discoverable timeout
agent <on/off/auto/capability>                    Enable/disable agent with given capability
default-agent                                     Set agent as the default one
advertise <on/off/type>                           Enable/disable advertising with given type
set-alias <alias>                                 Set device alias
scan <on/off/bredr/le>                            Scan for devices
info [dev/set]                                    Device/Set information
pair [dev]                                        Pair with device
cancel-pairing [dev]                              Cancel pairing with device
trust [dev]                                       Trust device
untrust [dev]                                     Untrust device
block [dev]                                       Block device
unblock [dev]                                     Unblock device
remove <dev>                                      Remove device
connect <dev>                                     Connect device
disconnect [dev]                                  Disconnect device
menu <name>                                       Select submenu
version                                           Display version
quit                                              Quit program
exit                                              Quit program
help                                              Display help about this program
export                                            Print environment variables

[bluetooth]# menu admin 
Menu admin:
Available commands:
-------------------
allow [clear/uuid1 uuid2 ...]                     Allow service UUIDs and block rest of them
back                                              Return to main menu
version                                           Display version
quit                                              Quit program
exit                                              Quit program
help                                              Display help about this program
export                                            Print environment variables

[bluetooth]# back

[bluetooth]# scan on
hci0 type 7 discovering on
Discovery started
[CHG] Controller 44:A...1:33 Discovering: yes
[NEW] Device 49:B3:BC:3...6-EF-DE-5C-43
[NEW] Device 57:9F:F6:....9B-5E-A8

[bluetooth]# info 44:C6...:0A
Device 44:C...:0A (public)
        Alias: 44-C...A
        Paired: no
        Bonded: no
        Trusted: no
        Blocked: no
        Connected: no
        LegacyPairing: no
        ManufacturerData Key: 0x004c (76)
        ManufacturerData Value:
  0f 08 ...0c 10 02 01 00        ....J.xcx...  
        RSSI: 0xff..1 (-63)
        TxPower: 0x000c (12)
hci0 type 7 discovering off
...xffffffa0 (-96)[bluetooth]# 
[bluetooth]# exit


# Commands: scan, connect and get device info
scan on 
connect <MAC>
info <MAC>

# GATT / change values (attribute-info takes an attribute path or UUID, not a MAC)
menu gatt
list-attributes <MAC>
attribute-info <attribute/UUID>


#
# Check reachability of a MAC address with l2ping:
l2ping <MAC>

Using bettercap

After installing bettercap, simply start it, disable network monitoring with net.recon off and enable Bluetooth scanning with ble.recon on.

You will find many Apple devices...

Now list the discovered devices with ble.show and enumerate one with ble.enum <MAC>.

Maybe ... Some interesting stuff here?

Theory of hacking devices by overwriting characteristic values:

By enumerating the MAC you will find some values that can be altered via the GATT protocol.
Important here are the Bluetooth SIG specifications for characteristics and services of BLE devices.

You will see the 16-bit Generic Access service (0x1800) and some vendor-specific 128-bit UUIDs, which you have to fuzz, look up on Google (dorks), or inspect with Android apps such as nRF Connect.

In the Properties column you will see:

READ: read only
WRITE: the value can be changed; typically found on some of the 128-bit vendor characteristics
NOTIFY: the device pushes value updates to you without acknowledgement
INDICATE: the device pushes value updates and expects an acknowledgement

To overwrite data values you have to use ble.write MAC UUID HEX_DATA

For example: ble.write CC:DF:12:BB:AA:26 a0f0ff2350aabbbcccaa012a776s 1000001111

Examples for this are coming soon, once I get some easy BT devices to test with.

# SHEET
hciconfig  # check config: is the interface UP or DOWN?
# If DOWN try loading the module and bouncing the interface
# (modprobe -c would only print the module configuration):
sudo modprobe bluetooth
sudo hciconfig hci0 down && sudo hciconfig hci0 up

# Spoof MAC
spooftooph -i hci0 -a 11:22:33:44:55:66

gatttool -i hci0 -I
[ ][LE]> connect A4:CF:12:6C:B3:76
Attempting to connect to A4:CF:12:6C:B3:76
Connection successful
[A4:CF:12:6C:B3:76][LE]> characteristics
  handle: 0x0002, char properties: 0x20, char value handle:
  0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
  handle: 0x0015, char properties: 0x02, char value handle:
  0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
[...]
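Added example (not code from the original page or from gatttool itself): a small Python helper that parses the gatttool characteristics listing above, decodes the "char properties" byte into the READ/WRITE/NOTIFY/INDICATE flags described earlier (it covers all eight property bits, not only those four), and separates SIG-assigned 16-bit UUIDs from vendor 128-bit ones; the sample reuses the two entries shown above plus one constructed vendor characteristic.

```python
"""Decode gatttool's `characteristics` listing: expand the property bitmask into
READ/WRITE/NOTIFY/INDICATE flags and separate SIG 16-bit UUIDs from vendor UUIDs."""
import re

# Characteristic property bits (Bluetooth Core Spec Vol 3, Part G, 3.3.1.1)
PROPERTY_BITS = [(0x01, "BROADCAST"), (0x02, "READ"), (0x04, "WRITE_NO_RESPONSE"),
                 (0x08, "WRITE"), (0x10, "NOTIFY"), (0x20, "INDICATE"),
                 (0x40, "SIGNED_WRITE"), (0x80, "EXTENDED")]
# 16-bit SIG numbers are carried inside the base UUID 0000xxxx-0000-1000-8000-00805f9b34fb
BASE_UUID_RE = re.compile(r"^0000([0-9a-f]{4})-0000-1000-8000-00805f9b34fb$")
# gatttool wraps each entry over two lines, so match across the line break
CHAR_RE = re.compile(r"handle:\s*(0x[0-9a-f]+),\s*char properties:\s*(0x[0-9a-f]+),\s*"
                     r"char value handle:\s*(0x[0-9a-f]+),\s*uuid:\s*([0-9a-f-]+)", re.I)

def decode_properties(mask):
    """Names of the property bits set in a 'char properties' byte (0x0c -> WRITE_NO_RESPONSE, WRITE)."""
    return [name for bit, name in PROPERTY_BITS if mask & bit]

def classify_uuid(uuid):
    """('sig', 0x2a00) for base-UUID characteristics, ('vendor', None) for custom 128-bit ones."""
    m = BASE_UUID_RE.match(uuid.lower())
    return ("sig", int(m.group(1), 16)) if m else ("vendor", None)

def parse_characteristics(text):
    """Turn gatttool output into dicts with handle, value_handle, properties, uuid, kind, sig_number."""
    chars = []
    for handle, props, value_handle, uuid in CHAR_RE.findall(text):
        kind, number = classify_uuid(uuid)
        chars.append({"handle": int(handle, 16), "value_handle": int(value_handle, 16),
                      "properties": decode_properties(int(props, 16)),
                      "uuid": uuid.lower(), "kind": kind, "sig_number": number})
    return chars

def writable_handles(chars):
    """Value handles that accept writes: review these before any ble.write / --char-write-req."""
    return [c["value_handle"] for c in chars if {"WRITE", "WRITE_NO_RESPONSE"} & set(c["properties"])]

# Constructed sample: the two entries shown above plus one made-up vendor characteristic
SAMPLE = """  handle: 0x0002, char properties: 0x20, char value handle:
  0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
  handle: 0x0015, char properties: 0x02, char value handle:
  0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
  handle: 0x002d, char properties: 0x0c, char value handle:
  0x002e, uuid: a0f0ff23-50aa-4bbb-8ccc-aa012a776e01"""

if __name__ == "__main__":
    parsed = parse_characteristics(SAMPLE)
    for c in parsed:
        print(hex(c["value_handle"]), c["kind"], c["uuid"], c["properties"])
    print("writable:", [hex(h) for h in writable_handles(parsed)])
```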

# Write data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-write-req <characteristic handle> -n <value>
gatttool -b a4:cf:12:6c:b3:76 --char-write-req -a 0x002e -n $(echo -n "04dc54d9053b4307680a"|xxd -p)   # xxd -p: plain hex dump of the string

# Read data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-read -a 0x16

# Read connecting with an authenticated encrypted connection
gatttool --sec-level=high -b a4:cf:12:6c:b3:76 --char-read -a 0x002c


# Start listening for beacons
sudo bettercap --eval "ble.recon on"
# Wait some time
>> ble.show # Show discovered devices
>> ble.enum <mac addr> # This will show the service, characteristics and properties supported

# Write data in a characteristic
>> ble.write <MAC ADDR> <UUID> <HEX DATA>
>> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06
Read on, smart lock hack:
Don’t worry about being locked with Loccess
Loccess smart lock is promoted as being a lock to be used in luggage, bicycles and lockers. Besides opening with a keypad on the bottom of the device, this smart lock is able to be opened with your smart phone using BLE. I was able to get this smart lock
The Practical Guide to Hacking Bluetooth Low Energy
Learn about various BLE vulnerabilities and the tools and techniques employed for performing attacks on Bluetooth Low Energy devices.