Many different tools to access Bluetooth devices can be found on the internet and p2pnetworks.. Affix currently supports the following Bluetooth Profiles: • General Access Profile • Serv
Trang 1BLUETOOTH TOOLS
Sil Janssens
Sil.Janssens@vub.ac.be April 18, 2005
Trang 2Many different tools to access Bluetooth devices can be found on the internet and p2pnetworks This document gives a very short overview of the different tools related toBluetooth security
18/05/2005 Sil Janssens small error corrected
14/05/2005 Sil Janssens adding new tools dicovered
08/05/2005 Sil Janssens adding new tools dicovered
05/05/2005 Sil Janssens adding new tools dicovered
07/12/2004 Sil Janssens corrections after remarks of Dave Singelee26/11/2004 Sil Janssens additions and corrections
24/11/2004 Sil Janssens additions
22/11/2004 Sil Janssens First Draft
Table 1: Version History
Trang 31.1 Purpose and scope 6
1.2 References 6
2 Bluetooth Tools 7 2.1 Affix Bluetooth Stack 7
2.1.1 Manufacturer 7
2.1.2 Link - Source 7
2.1.3 Description 7
2.1.4 Screenshots / Logo 8
2.2 Blooover 8
2.2.1 Manufacturer 8
2.2.2 Link - Source 8
2.2.3 Description 8
2.2.4 Screenshots / Logo 9
2.3 BlueAlert 9
2.3.1 Manufacturer 9
2.3.2 Link - Source 9
2.3.3 Description 9
2.4 BlueBug 9
2.4.1 Manufacturer 9
2.4.2 Link - Source 9
2.4.3 Description 9
2.4.4 Screenshots / Logo 10
2.5 BlueFish 10
2.5.1 Manufacturer 10
2.5.2 Link - Source 10
2.5.3 Description 10
2.5.4 Screenshots / Logo 11
2.6 BluePrinting 11
2.6.1 Manufacturer 11
2.6.2 Link - Source 11
Trang 42.7.4 Screenshots / Logo 12
2.8 BlueSnarfer 12
2.8.1 Manufacturer 12
2.8.2 Link - Source 13
2.8.3 Description 13
2.9 BlueSniff 13
2.9.1 Manufacturer 13
2.9.2 Link - Source 13
2.9.3 Description 13
2.9.4 Screenshots / Logo 13
2.10 BlueSniper 14
2.10.1 Manufacturer 14
2.10.2 Link - Source 14
2.10.3 Description 14
2.10.4 Screenshots / Logo 14
2.11 BlueSpam 14
2.11.1 Manufacturer 14
2.11.2 Link - Source 15
2.11.3 Description 15
2.11.4 Screenshots / Logo 15
2.12 Bluetooth Location Tracker Project 15
2.12.1 Manufacturer 15
2.12.2 Link - Source 15
2.12.3 Description 15
2.12.4 Screenshots / Logo 15
2.13 Bluetooth Phone Book Dumper 16
2.13.1 Manufacturer 16
2.13.2 Link - Source 16
2.13.3 Description 16
2.14 BlueZ Bluetooth Stack 16
2.14.1 Manufacturer 16
2.14.2 Link - Source 16
2.14.3 Description 16
2.14.4 Screenshots / Logo 17
2.15 Braces 17
2.15.1 Manufacturer 17
2.15.2 Link - Source 17
2.15.3 Description 17
2.15.4 Screenshots / Logo 18
2.16 bt audit 18
2.16.1 Manufacturer 18
2.16.2 Link - Source 18
2.16.3 Description 18
2.17 BTBrowser - JABWT Browser 18
2.17.1 Manufacturer 18
2.17.2 Link - Source 18
2.17.3 Description 19
2.17.4 Screenshots / Logo 19
2.18 btChat 20
2.18.1 Manufacturer 20
Trang 52.18.2 Link - Source 20
2.18.3 Description 20
2.18.4 Screenshots / Logo 20
2.19 BTFS Bluetooth FileSystemMapping 20
2.19.1 Manufacturer 20
2.19.2 Link - Source 20
2.19.3 Description 20
2.20 BthDisc 21
2.20.1 Manufacturer 21
2.20.2 Link - Source 21
2.20.3 Description 21
2.21 btScanner 21
2.21.1 Manufacturer 21
2.21.2 Link - Source 21
2.21.3 Description 21
2.21.4 Screenshots / Logo 21
2.22 btXML 22
2.22.1 Manufacturer 22
2.22.2 Link - Source 22
2.22.3 Description 22
2.22.4 Screenshots / Logo 22
2.23 Fine Tooth Comb 22
2.23.1 Manufacturer 22
2.23.2 Link - Source 22
2.23.3 Description 22
2.23.4 Screenshots / Logo 23
2.24 FreeJack 23
2.24.1 Manufacturer 23
2.24.2 Link - Source 23
2.24.3 Description 23
2.24.4 Screenshots / Logo 23
2.25 Gnome Bluetooth Subsystem 23
2.25.1 Manufacturer 23
2.25.2 Link - Source 23
2.25.3 Description 23
2.25.4 Screenshots / Logo 24
2.26 Greenplaque 24
2.26.1 Manufacturer 24
2.26.2 Link - Source 24
2.26.3 Description 24
2.26.4 Screenshots / Logo 25
2.27 HCIDump 25
2.27.1 Manufacturer 25
2.27.2 Link - Source 25
Trang 62.29 OpenOBEX 26
2.29.1 Manufacturer 26
2.29.2 Link - Source 26
2.29.3 Description 27
2.30 ObexFTP 27
2.30.1 Manufacturer 27
2.30.2 Link - Source 27
2.30.3 Description 27
2.31 PsmScan 27
2.31.1 Manufacturer 27
2.31.2 Link - Source 27
2.31.3 Description 28
2.32 RedFang 28
2.32.1 Manufacturer 28
2.32.2 Link - Source 28
2.32.3 Description 28
2.32.4 Screenshots / Logo 28
2.33 RedSnarf 28
2.33.1 Manufacturer 28
2.33.2 Link - Source 28
2.33.3 Description 29
2.33.4 Screenshots / Logo 29
Trang 7Chapter 1
Introduction
The purpose of this document is to provide a brief overview of the existent Bluetoothsecurity tools
Trang 8• Modular implementation.
• Socket interface to HCI, L2CAP and RFCOMM protocols
• Bluetooth module interface independence
• SMP safe
• Multiple Bluetooth devices support
Affix currently supports the following Bluetooth Profiles:
• General Access Profile
• Service Discovery Profile
• Serial Port Profile
• DialUp Networking Profile
• LAN Access Profile
Trang 9• OBEX Object Push Profile
• OBEX File Transfer Profile
• PAN Profile
affix-kernel provides kernel modules implementing core protocols and Bluetooth
de-vice drivers Kernel modules can be used separately from the kernel or can be linkedstatically into the kernel
affix provides control tools, libraries, and server daemons.
Trang 10• When a Bluetooth device is active, or in range of your PC
• If a particular device goes out of range and a connection is lost
I only supports TKS Bluetooth devices
The tool and source code is NOT available!
Trang 11Over time, a profile is built for each discovered device, making it possible to trackindividual users who frequent the scanning area.
Trang 13im-2.7.4 Screenshots / Logo
Trang 142.9.4 Screenshots / Logo
Trang 15The BlueSniper is a rifle stock with a scope and yagi antenna attached A cable
at-taches the antenna to the Bluetooth card, which can be in a PDA or laptop computer
The laptop can be carried in a backpack with the cables connecting into the backpack,
giving it the Ghostbusters look
The Flexilis teams demonstrated the gun with some home-brewed Bluetooth scanning
software They pointed the gun down the hallways and out windows Almost instantly,
vulnerable phones with their unique Bluetooth device numbers appeared on the laptop
screen The device is powerful enough to detect devices through building walls
2.10.4 Screenshots / Logo
Trang 172.13 Bluetooth Phone Book Dumper
The data is written to stdout in a standard xml format There is no need to enter any data
on the host or phone side and no pairing is needed, it simply uses GSM AT commandsover a RFCOMM connection
The software uses the Linux BlueZ Bluetooth stack
2.14 BlueZ Bluetooth Stack
in the Linux 2.4 and Linux 2.6 kernel series
BlueZ provides support for the core Bluetooth layers and protocols It is flexible,efficient and uses a modular implementation It has many interesting features:
• Complete modular implementation
• Symmetric multi processing safe
• Multithreaded data processing
• Support for multiple Bluetooth devices
Trang 18Currently BlueZ consists of many separate modules:
• Bluetooth kernel subsystem core
• L2CAP and SCO audio kernel layers
• RFCOMM, BNEP, CMTP and HIDP kernel implementations
• HCI UART, USB, PCMCIA and virtual device drivers
• General Bluetooth and SDP libraries and daemons
• Configuration and testing utilities
• Protocol decoding and analysis tools
The BlueZ kernel modules, libraries and utilities are known to be working prefectly onmany architectures supported by Linux
Trang 20This MIDlet MIDP2.0/CLDC1.0 works on phones that support JSR-82 (a.k.a JABWT
or Java Bluetooth) specification Examples are Nokia 6600 and Sony Ericsson P900.The following attributes will be shown if they are set in the Bluetooth service record:
Trang 22Simple command line utility to list discoverable bluetooth devices Example of win32
bluetooth device/service discovery API
Requires Microsoft Bluetooth Stack (hotfix for XP SP1, included w/ XP SP2)
2.21.3 Description
btscanner is a tool designed specifically to extract as much information as possible
from a Bluetooth device without the requirement to pair A detailed information screen
extracts HCI and SDP information, and maintains an open connection to monitor the
RSSI and link quality btscanner is based on the BlueZ Bluetooth stack, which is
in-cluded with recent Linux kernels, and the BlueZ toolset btscanner also contains a
complete listing of the IEEE OUI numbers and class lookup tables Using the
informa-tion gathered from these sources it is possible to make educated guesses as to the host
device type
2.21.4 Screenshots / Logo
Trang 23A Bluetooth scanner for FreeBSD.
This tool tries to find other Bluetooth devices in three different ways:
• A periodic inquiry scan
About every minute (it varies) discoverable devices are listed These show up as:++¿IR¿MAC ADDRESS
• Report devices that try to connect to the scanning host
If somebody tries to check what services you are offering, it makes note of whataddress tried to connect (It rejects them.) You must have inquiry and pagescanning turned on for this to be of use These show up as: ++¿CR¿MAC AD-DRESS¿A for ACL, S for SCO¿Device Class
Trang 24Current features include:
• Controller object to manage the discovery of nearby Bluetooth devices
• Controller will create serial (RFCOMM) connections for clients to devices
Trang 25• libbtcl, a GObject wrapper for Bluetooth functionality An OBEX server, so you
can ”beam” files such as pictures, addresses or contacts from other Bluetoothdevices to your computer
• An OBEX push send tool, so you can beam files from your computer to remote
Multi-dongle Bluetooth Hunter / Killer
RedFang was a small proof-of-concept application to find non discoveredable bluetoothdevices
Greenplaque on the other hand is an application to find discoverable bluetooth devices.After being found the device will promptly be slayed
Trang 27Blue-Support for IrDA - ircomm and irdaobex - which allows access to infrared wirelesstechnologies through standardised specifications (Linux Developer Kit only)
Provides abstractions of Bluetooth wireless communication using the Java 2 Platform,Micro Edition (J2ME)
Generic Connection Framework
Based on J2ME Connected Limited Device Configuration (CLDC)
Addresses primary Bluetooth profiles:
• Generic Access Profile
• Service Discovery Profile
• Serial Port Profile
• Generic Object Exchange Profile
2.28.4 Screenshots / Logo
2.29.1 Manufacturer
OpenOBEX Sourceforge, LGPL GPL
Trang 28• http://prdownloads.sourceforge.net/openobex/openobex-apps-1.
0.0.tar.gz
2.29.3 Description
Free open source implementation of the Object Exchange (OBEX) protocol OBEX
is a session protocol and can best be described as a binary HTTP protocol OBEX is
optimized for ad-hoc wireless links and can be used to exchange all kind of objects like
files, pictures, calendar entries (vCal) and business cards (vCard)
The OpenOBEX Project has a sample IrCp (infrared copy) application and an
associ-ated ObexFTP application
Free open source implementation of the Object Exchange (OBEX) protocol OBEX
is a session protocol and can best be described as a binary HTTP protocol OBEX is
optimized for ad-hoc wireless links and can be used to exchange all kind of objects like
files, pictures, calendar entries (vCal) and business cards (vCard)
The common usage for ObexFTP is to access your mobile phones memory to store and
retrieve e.g your phonebook, logos, ringtones, music, pictures and alike
Trang 292.31.3 Description
This tool was written as part of the ”Bluetooth device security database” project Somehardware manufacturers could hide ”special” functions on PSMs (Protocol/ServiceMultiplexer) without listing them in the SDP database, this tool should find them Itscans a range of L2CAP PSMs to check if they are open (accept connections)