ဦးဘုန္း (ဓာတု) မႏၱေလး

Bluescan is a open source project by Sourcell Xu from DBAPP Security HatLab. Anyone may redistribute copies of bluescan to anyone under the terms stated in the GPL-3.0 license.

This document is also available in Chinese. See README-Chinese.md

Aren't the previous Bluetooth scanning tools scattered and in disrepair? So we have this powerful Bluetooth scanner based on modern Python 3 ---- bluescan.
When hacking new Bluetooth targets, the scanner can help us to collect intelligence, such as:

BR devices
LE devices
LMP features
GATT services
SDP services
Vulnerabilities (demo)

Requirements
This tool is based on BlueZ, the official Linux Bluetooth stack. The following packages need to be installed:

sudo apt install libglib2.0-dev libbluetooth-dev

When you play this tool in a Linux virtual machine, making a USB Bluetooth adapter exclusive to it is recommended, like the Ostran Bluetooth USB Adapter OST-105 CSR 8150 v4.0 for 99 RMB. Of course, the best one to use is the little bit expensive Parani UD100-G03, 560 RMB. And if you want to try the vulnerability scanning, see README.md of ojasookert/CVE-2017-0785.

Install
The lastest bluescan will be uploaded to PyPI, so the following command can install bluescan:

sudo pip3 install bluescan

Usage

$ bluescan -h  bluescan v0.2.1    A powerful Bluetooth scanner.    Author: Sourcell Xu from DBAPP Security HatLab.    License: GPL-3.0    Usage:      bluescan (-h | --help)      bluescan (-v | --version)      bluescan [-i <hcix>] -m br [--inquiry-len=<n>]      bluescan [-i <hcix>] -m lmp BD_ADDR      bluescan [-i <hcix>] -m sdp BD_ADDR      bluescan [-i <hcix>] -m le [--timeout=<sec>] [--le-scan-type=<type>] [--sort=<key>]      bluescan [-i <hcix>] -m gatt [--include-descriptor] --addr-type=<type> BD_ADDR      bluescan [-i <hcix>] -m vuln --addr-type=br BD_ADDR    Arguments:      BD_ADDR    Target Bluetooth device address    Options:      -h, --help                  Display this help.      -v, --version               Show the version.      -i <hcix>                   HCI device for scan. [default: hci0]      -m <mode>                   Scan mode, support BR, LE, LMP, SDP, GATT and vuln.      --inquiry-len=<n>           Inquiry_Length parameter of HCI_Inquiry command. [default: 8]      --timeout=<sec>             Duration of LE scan. [default: 10]      --le-scan-type=<type>       Active or passive scan for LE scan. [default: active]      --sort=<key>                Sort the discovered devices by key, only support RSSI now. [default: rssi]      --include-descriptor        Fetch descriptor information.      --addr-type=<type>          Public, random or BR.

Scan BR devices -m br
Classic Bluetooth devices may use three technologies: BR (Basic Rate), EDR (Enhanced Data Rate), and AMP (Alternate MAC/PHY). Since they all belong to the Basic Rate system, so when scanning these devices we call them BR device scanning:

As shown above, through BR device scanning, we can get the address, page scan repetition mode, class of device, clock offset, RSSI, and the extended inquiry response (Name, TX power, and so on) of the surrounding classic Bluetooth devices.

Scan LE devices -m le
Bluetooth technology, in addition to the Basic Rate system, is Low Energy (LE) system. When scanning Bluetooth low energy devices, it is called LE device scanning:

As shown above, through LE device scanning, we can get the address, address type, connection status, RSSI, and GAP data of the surrounding LE devices.

Scan SDP services
Classic Bluetooth devices tell the outside world about their open services through SDP. After SDP scanning, we can get service records of the specified classic Bluetooth device:

You can try to connect to these services for further hacking.

Scan LMP features
Detecting the LMP features of classic Bluetooth devices allows us to judge the underlying security features of the classic Bluetooth device:

Scan GATT services
LE devices tell the outside world about their open services through GATT. After GATT scanning, we can get the GATT service of the specified LE device. You can try to read and write these GATT data for further hacking:

Vulnerabilities scanning (demo)
Vulnerability scanning is still in the demo stage, and currently only supports CVE-2017-0785:

$ sudo bluescan -m vuln --addr-type=br ??:??:??:??:??:??  ... ...  CVE-2017-0785

Download Bluescan

via KitPloit

Related word

Welcome back to Linux Command Line Hackery series, I hope you've enjoyed this series so far and would have learned something (at least a bit). Today we're going to get into user management, that is we are going to learn commands that will help us add and remove users and groups. So bring it on...

Before we get into adding new users to our system lets first talk about a command that will be useful if you are a non-root user.

Command: sudo
Syntax: sudo [options] command
Description: sudo allows a permitted user to execute a command as a superuser or another user.

Since the commands to follow need root privileges, if you are not root then don't forget to prefix these commands with sudo command. And yes you'll need to enter the root password in order to execute any command with sudo as root.

Command: useradd
Syntax: useradd [options] username
Description: this command is used for creating new user but is kinda old school.
Lets try to add a new user to our box.
[Note: I'm performing these commands as root user, you'll need root privileges to add a new user to your box. If you aren't root then you can try these commands by prefixing the sudo command at the very beginning of these command like this sudo useradd joe. You'll be prompted for your root password, enter it and you're good to go]

useradd joe

To verify that this command has really added a user to our box we can look at three files that store a users data on a Linux box, which are:

/etc/passwd -> this file stores information about a user separated by colons in this manner, first is login name, then in past there used to be an encrypted password hash at the second place however since the password hashes were moved to shadow file now it has a cross (x) there, then there is user id, after it is the user's group id, following it is a comment field, then the next field contains users home directory, and at last is the login shell of the user.

/etc/group -> this file stores information about groups, that is id of the group and to which group an user belongs.

/etc/shadow -> this file stores the encrypted password of users.

Using our command line techniques we learned so far lets check out these files and verify if our user has been created:

cat /etc/passwd /etc/group /etc/shadow | grep joe

In the above screenshot you can notice an ! in the /etc/shadow, this means the password of this user has not been set yet. That means we have to set the password of user joe manually, lets do just that.

Command: passwd
Syntax: passwd [options] [username]
Description: this command is used to change the password of user accounts.
Note that this command needs root privileges. So if you are not root then prefix this command with sudo.

passwd joe

After typing this command, you'll be prompted password and then for verifying your password. The password won't show up on the terminal.
Now joe's account is up and running with a password.

The useradd command is a old school command, lets create a new user with a different command which is kinda interactive.

Command: adduser
Syntax: adduser [options] user
Description: adduser command adds a user to the system. It is more friendly front-end to the useradd command.

So lets create a new user with adduser.

adduser jane

as seen in the image it prompts for password, full name and many other things and thus is easy to use.

OK now we know how to create a user its time to create a group which is very easy.

Command: addgroup
Syntax: addgroup [options] groupname
Description: This command is used to create a new group or add an existing user to an existing group.

We create a new group like this

addgroup grownups

So now we have a group called grownups, you can verify it by looking at /etc/group file.
Since joe is not a grownup user yet but jane is we'll add jane to grownups group like this:

addgroup jane grownups

Now jane is the member of grownups.

Its time to learn how to remove a user from our system and how to remove a group from the system, lets get straight to that.

Command: deluser
Syntax: deluser [options] username
Description: remove a user from system.

Lets remove joe from our system

deluser joe

Yes its as easy as that. But remember by default deluser will remove the user without removing the home directory or any other files owned by the user. Removing the home directory can be achieved by using the --remove-home option.

deluser jane --remove-home

Also the --remove-all-files option removes all the files from the system owned by the user (better watch-out). And to create a backup of all the files before deleting use the --backup option.

We don't need grownups group so lets remove it.

Command: delgroup
Syntax: delgroup [options] groupname
Description: remove a group from the system.

To remove grownups group just type:

delgroup grownups

That's it for today hope you got something in your head.

More info

ဦးဘုန္း (ဓာတု) မႏၱေလး

Monday, August 31, 2020

Bluescan - A Powerful Bluetooth Scanner For Scanning BR/LE Devices, LMP, SDP, GATT And Vulnerabilities!

Read more

Sunday, August 30, 2020

Aircrack-ng: The Next Generation Of Aircrack

Related word

Linux Command Line Hackery Series - Part 6

DAY:DATE:TIME

Labels

Blog Archive

ဘာသာေရးဆုိင္ရာဆုိဒ္မ်ား

ဘေလာ့မိတ္ေဆြမ်ား

IT ေလ့လာႏိုင္ရန္

ဧည့္သည္ေတာ္ မွတ္တမ္း

Ads 468x60px

Counter

Country