How to use Bluetooth on VirtualBox for Linux hacking
First you have to activate your USB device in VirtualBox, in my case on DELL laptops: activate the internal Intel chipset Bluetooth device in VirtualBox:
Now, after a first check of the device, install the Bluetooth firmware and drivers on your Linux:
# check for devices:
lsusb | grep -i bluetooth; echo; dmesg | grep -iE 'bluetooth|hci'
# Install bluez, fw files and helpful tools:
apt install bluetooth bluez bluez-tools bluez-firmware rfkill   # rfcomm is shipped inside the bluez package
# Start services:
systemctl start bluetooth.service
systemctl enable bluetooth.service
# Check for device block:
rfkill --output-all
rfkill unblock bluetooth
# Startup device
hciconfig hci0 up
hciconfig --all
# Start first scanning:
hcitool scan
Important info for bluez 5.x installations (check with dpkg -l | grep bluez): hcitool -i hci0 lescan etc. isn't supported here, please use bluetoothctl scan le instead!
Get some info about the first devices and the profiles in use:
# HCITOOL (more info: hcitool -h)
hcitool -i hci0 info <MAC>
# HCITOOL -> Connecting:
hcitool cc <MAC> && hcitool auth <MAC>
# SDPTOOL
sdptool browse <MAC> | grep 'Service Name'
Using bluetoothctl
# Command line for low energy scan:
bluetoothctl scan le
# Change your BT controller name instantly ;)
bluetoothctl system-alias ilak00
# -----------------------------------------------
#
# bluetoothctl
# ...
[bluetooth]# help
Menu main:
Available commands:
-------------------
advertise Advertise Options Submenu
monitor Advertisement Monitor Options Submenu
scan Scan Options Submenu
gatt Generic Attribute Submenu
admin Admin Policy Submenu
player Media Player Submenu
endpoint Media Endpoint Submenu
transport Media Transport Submenu
mgmt Management Submenu
monitor Advertisement Monitor Submenu
list List available controllers
show [ctrl] Controller information
select <ctrl> Select default controller
devices [Paired/Bonded/Trusted/Connected] List available devices, with an optional property as the filter
system-alias <name> Set controller alias
reset-alias Reset controller alias
power <on/off> Set controller power
pairable <on/off> Set controller pairable mode
discoverable <on/off> Set controller discoverable mode
discoverable-timeout [value] Set discoverable timeout
agent <on/off/auto/capability> Enable/disable agent with given capability
default-agent Set agent as the default one
advertise <on/off/type> Enable/disable advertising with given type
set-alias <alias> Set device alias
scan <on/off/bredr/le> Scan for devices
info [dev/set] Device/Set information
pair [dev] Pair with device
cancel-pairing [dev] Cancel pairing with device
trust [dev] Trust device
untrust [dev] Untrust device
block [dev] Block device
unblock [dev] Unblock device
remove <dev> Remove device
connect <dev> Connect device
disconnect [dev] Disconnect device
menu <name> Select submenu
version Display version
quit Quit program
exit Quit program
help Display help about this program
export Print environment variables
[bluetooth]# menu admin
Menu admin:
Available commands:
-------------------
allow [clear/uuid1 uuid2 ...] Allow service UUIDs and block rest of them
back Return to main menu
version Display version
quit Quit program
exit Quit program
help Display help about this program
export Print environment variables
[bluetooth]# back
[bluetooth]# scan on
hci0 type 7 discovering on
Discovery started
[CHG] Controller 44:A...1:33 Discovering: yes
[NEW] Device 49:B3:BC:3...6-EF-DE-5C-43
[NEW] Device 57:9F:F6:....9B-5E-A8
[bluetooth]# info 44:C6...:0A
Device 44:C...:0A (public)
Alias: 44-C...A
Paired: no
Bonded: no
Trusted: no
Blocked: no
Connected: no
LegacyPairing: no
ManufacturerData Key: 0x004c (76)
ManufacturerData Value:
0f 08 ...0c 10 02 01 00 ....J.xcx...
RSSI: 0xff..1 (-63)
TxPower: 0x000c (12)
hci0 type 7 discovering off
...xffffffa0 (-96)
[bluetooth]#
[bluetooth]# exit
# Commands: overwrite and info
scan on
connect <MAC>
info <MAC>
# GATT / Change values
menu gatt
list-attributes <MAC>
attribute-info <MAC>
#
# Check with l2ping for MAC address:
l2ping <MAC>
Using bettercap
After install, simply start bettercap, disable network monitoring with net.recon off and activate BLE scanning with ble.recon on.
Now show the discovered devices with ble.show and enumerate one with ble.enum <MAC>.
Theory of hacking devices by overwriting characteristic values:
By enumerating the MAC you will find some values which can be altered via the GATT protocol:
Important here are the SIG specifications for characteristics and services for BLE devices.
You will see the 16-bit Generic Access service (0x1800) and some vendor-specific 128-bit UUIDs, which you have to fuzz, or look up on Google (dorks) or with Android apps (nRF Connect).
In the Properties column, there are:
READ: read only
WRITE: can be changed (in some vendor 128-bit values)
NOTIFY: the device pushes value changes to the client without acknowledgement
INDICATE: like NOTIFY, but the client must acknowledge every update
To overwrite data values use: ble.write <MAC> <UUID> <HEX_DATA>
For example: ble.write CC:DF:12:BB:AA:26 a0f0ff2350aabbbcccaa012a776s 1000001111
Examples for this are coming soon, when I get some easy BT devices for this.
# SHEET
hciconfig # Check config, check if UP or DOWN
# If DOWN try:
sudo modprobe bluetooth   # -c would only print the modprobe config, not load the module
sudo hciconfig hci0 down && sudo hciconfig hci0 up
# Spoof MAC
spooftooph -i hci0 -a 11:22:33:44:55:66
gatttool -i hci0 -I
[ ][LE]> connect 24:62:AB:B1:A8:3E
Attempting to connect to A4:CF:12:6C:B3:76
Connection successful
[A4:CF:12:6C:B3:76][LE]> characteristics
handle: 0x0002, char properties: 0x20, char value handle:
0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
handle: 0x0015, char properties: 0x02, char value handle:
0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
[...]
# Write data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-write-req <characteristic handle> -n <value>
gatttool -b a4:cf:12:6c:b3:76 --char-write-req -a 0x002e -n $(echo -n "04dc54d9053b4307680a"|xxd -ps)
# Read data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-read -a 0x16
# Read connecting with an authenticated encrypted connection
gatttool --sec-level=high -b a4:cf:12:6c:b3:76 --char-read -a 0x002c
# Start listening for beacons
sudo bettercap --eval "ble.recon on"
# Wait some time
>> ble.show # Show discovered devices
>> ble.enum <mac addr> # This will show the service, characteristics and properties supported
# Write data in a characteristic
>> ble.write <MAC ADDR> <UUID> <HEX DATA>
>> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06
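The Properties column and the gatttool characteristics listing in the sheet can be decoded mechanically before any write is attempted. This is an added example, not from the original notes: it parses a gatttool listing (SAMPLE is constructed from the sheet, the last UUID is made up), decodes the char properties bitmask into READ/WRITE/NOTIFY/INDICATE, tells SIG 16-bit UUIDs from vendor 128-bit ones, and hex-encodes a payload the way gatttool -n and ble.write expect.

```python
# Added example (not from the original notes): decode a gatttool 'characteristics'
# listing like the one in the sheet above. Property bits follow the Bluetooth Core
# spec (Vol 3, Part G, 3.3.1.1); SAMPLE is constructed, the last UUID is made up.
import re

PROPERTY_BITS = {  # bit -> name, in spec order
    0x01: "BROADCAST", 0x02: "READ", 0x04: "WRITE_NO_RESPONSE", 0x08: "WRITE",
    0x10: "NOTIFY", 0x20: "INDICATE", 0x40: "AUTH_SIGNED_WRITE", 0x80: "EXTENDED_PROPS",
}
# SIG-assigned 16-bit numbers are embedded as 0000xxxx in this base UUID.
SIG_BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"
SIG_NAMES = {0x1800: "Generic Access", 0x2a00: "Device Name", 0x2a05: "Service Changed"}

LINE_RE = re.compile(
    r"handle:\s*(0x[0-9a-f]+),\s*char properties:\s*(0x[0-9a-f]+),"
    r"\s*char value handle:\s*(0x[0-9a-f]+),\s*uuid:\s*([0-9a-f-]{36})", re.I)

SAMPLE = """handle: 0x0002, char properties: 0x20, char value handle:
0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
handle: 0x0015, char properties: 0x02, char value handle:
0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
handle: 0x002d, char properties: 0x0a, char value handle:
0x002e, uuid: 12345678-1234-5678-1234-56789abcdef0
"""

def decode_properties(mask: int) -> list:
    """0x20 -> ['INDICATE'], 0x0a -> ['READ', 'WRITE']."""
    return [name for bit, name in PROPERTY_BITS.items() if mask & bit]

def classify_uuid(uuid: str) -> str:
    """'sig:<name or 0xNNNN>' for SIG 16-bit UUIDs, 'vendor' for 128-bit custom ones."""
    uuid = uuid.lower()
    if uuid.startswith("0000") and uuid.endswith(SIG_BASE_SUFFIX):
        short = int(uuid[4:8], 16)
        return "sig:" + SIG_NAMES.get(short, f"0x{short:04x}")
    return "vendor"

def parse_characteristics(text: str) -> list:
    """The whitespace class in LINE_RE also swallows the wrap after 'char value handle:'."""
    return [{"handle": int(h, 16), "value_handle": int(vh, 16),
             "properties": decode_properties(int(p, 16)),
             "uuid": u.lower(), "kind": classify_uuid(u)}
            for h, p, vh, u in LINE_RE.findall(text)]

def to_hex_payload(text: str) -> str:
    """ASCII -> hex for gatttool -n / ble.write: 'hello' -> '68656c6c6f'."""
    return text.encode("ascii").hex()
```

Run `parse_characteristics(SAMPLE)` to get one dict per characteristic; the `kind` and `properties` fields tell you which handles are SIG-defined and which are writable vendor values before you touch anything.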