Sounds good to me. Right now I'm awaiting management's decision on what route we're going to take. If we go the USRP route, I'd be happy to work with you on something.
Thanks,
James

On Fri, Sep 24, 2010 at 1:37 PM, Matt Neely <[email protected]> wrote:
> I'm starting to play with the USRP more and hope to publish some
> penetration testing specific tutorials. So feel free to drop me a line
> if you want to work together on documenting the process for sniffing
> Bluetooth with a USRP1.
>
> Cheers,
> Matt
>
> James Philput wrote:
> > Thanks Matt! Your information will help me a lot. I may try the USRP
> > route since I don't think my company will shell out the cash for the
> > commercial sniffer.
> >
> > Regards,
> > James
> >
> > On Wed, Sep 22, 2010 at 3:43 PM, Matt Neely <[email protected]> wrote:
> > > James,
> > >
> > > Sniffing Bluetooth is a lot harder than sniffing 802.11. This is
> > > because of the frequency hopping Bluetooth uses and the lack of a
> > > monitor or promiscuous mode in consumer Bluetooth hardware. To
> > > capture traffic I'm aware of a couple of options.
> > >
> > > 1) Purchase a commercial Bluetooth sniffer
> > > (http://www.fte.com/products/fts4bt.aspx). Cost around 10K.
> > > 2) Flash a commercial firmware onto a consumer dongle. This would be
> > > illegal so I'll leave this for you to research on your own.
> > > 3) Use a USRP1 or USRP2 to capture the traffic. The USRP1 doesn't
> > > have the bandwidth to capture the entire Bluetooth spectrum but
> > > there are some tricks you can do to make it sort of work. The USRP2
> > > has more bandwidth so can capture the entire Bluetooth spectrum
> > > with fewer units. Here's a presentation on the topic:
> > > http://www.ossmann.com/shmoo-09/ossmann-spill-shmoo-2009.pdf
> > >
> > > Even if you can't capture the traffic you can still do some
> > > analysis on how secure the transmissions are. The main area I would
> > > look at is how the device is handling encryption. If Bluetooth's
> > > native encryption is enabled three variables are used to set up the
> > > encryption key. The encryption key is formed by combining the
> > > DBAddr (MAC Address) of the two devices, the PIN and a random
> > > number exchanged by the devices. The DBAddr and random number are
> > > both exchanged in the clear. So the security of the encryption key
> > > ultimately lies in the PIN. So figure out how the PIN is set and
> > > synced between devices. Some devices do a very poor job at
> > > selecting secure PIN codes. For example all wireless headsets I've
> > > ever seen use the PIN 0000, 1234 or 1111. So although the
> > > encryption key can be up to 128 bits the key space is really 3
> > > which is pretty damn easy to bruteforce. So to determine an
> > > encryption key all an attacker needs to do is capture the initial
> > > part of the handshake and bruteforce the PIN code. I'm pretty sure
> > > public tools exist to perform this attack.
> > >
> > > Also ask the vendor if they use any transport layer encryption or
> > > security outside of what Bluetooth offers.
> > >
> > > Here are a series of blog posts I've found useful when attacking
> > > Bluetooth: http://www.evilgenius.de/category/bluetooth/.
> > >
> > > Here's a site on penetration testing Bluetooth that's a little out
> > > of date but still might be helpful to you:
> > > http://bluetooth-pentest.narod.ru/.
> > >
> > > Cheers,
> > > Matt
> > >
> > > James Philput wrote:
> > > > Hello All,
> > > > I've recently been asked to look into what a couple of supposedly
> > > > secure devices are transmitting via bluetooth. I've done a fair
> > > > amount of work with 802.11 traffic capture and analysis, but very
> > > > little with bluetooth. If any of you could give me some guidance
> > > > on what hardware and software works best for bluetooth traffic
> > > > capture and analysis I would appreciate it. For the time being my
> > > > company is primarily interested in what can be gotten from passive
> > > > captures, but they may give me a couple of spare devices to attack
> > > > in the future. Thanks for the help!
> > > >
> > > > Regards,
> > > > James
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
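Matt's point that the link key is only as strong as the PIN, because the two addresses and the random number cross the air in the clear, as an added example (not code from this thread or from any Bluetooth stack). The derivation and challenge/response below are toy HMAC stand-ins for the real pairing functions, every address, nonce and PIN is constructed, and the check is written as a vendor-assessment self-test of a device's PIN policy.

```python
import hashlib
import hmac
import math

# Toy stand-in for the legacy pairing key derivation (an assumption, NOT the
# real Bluetooth E22/E21/E1 functions). It only models the property in the
# thread: a 128-bit key mixing two public BD_ADDRs, a public nonce and the PIN.
def derive_link_key(bd_addr_a, bd_addr_b, rand, pin):
    public_part = bd_addr_a.encode() + bd_addr_b.encode() + rand
    return hmac.new(pin.encode(), public_part, hashlib.sha256).digest()[:16]

def auth_response(link_key, challenge):
    """Toy challenge/response that crosses the air in the clear (assumption)."""
    return hmac.new(link_key, challenge, hashlib.sha256).digest()[:8]

def effective_key_bits(candidate_pins):
    """Entropy the 128-bit key really has: every other input is public, so it
    is log2 of the number of PINs the device's policy lets it choose from."""
    return math.log2(len(candidate_pins))

def pin_policy_exposes_key(bd_a, bd_b, rand, challenge, response, candidate_pins):
    """Assessment check: using only what a passive observer sees (addresses,
    nonce, challenge, response), does any PIN the policy permits reproduce the
    observed response? Returns that PIN, or None if the policy holds up."""
    for pin in candidate_pins:
        key = derive_link_key(bd_a, bd_b, rand, pin)
        if hmac.compare_digest(auth_response(key, challenge), response):
            return pin
    return None

# Constructed sample handshake between a phone and a headset (not real data).
PHONE, HEADSET = "00:11:22:33:44:55", "AA:BB:CC:DD:EE:FF"
RAND = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
CHALLENGE = bytes.fromhex("deadbeefcafef00d")
HEADSET_PINS = ["0000", "1234", "1111"]          # the three PINs named in the thread
ALL_4_DIGIT_PINS = [f"{n:04d}" for n in range(10_000)]

def demo(actual_pin):
    """Pair with `actual_pin`, then test the observed handshake against both policies."""
    key = derive_link_key(PHONE, HEADSET, RAND, actual_pin)
    resp = auth_response(key, CHALLENGE)
    check = lambda pins: pin_policy_exposes_key(PHONE, HEADSET, RAND, CHALLENGE, resp, pins)
    return {"headset_policy_bits": effective_key_bits(HEADSET_PINS),   # ~1.58 bits
            "four_digit_bits": effective_key_bits(ALL_4_DIGIT_PINS),   # ~13.3 bits
            "found_with_headset_list": check(HEADSET_PINS),
            "found_with_all_4_digit": check(ALL_4_DIGIT_PINS)}

if __name__ == "__main__":
    print(demo("1234"))   # found by the 3-entry list
    print(demo("8371"))   # survives the 3-entry list, not the 10^4 one
```

Swap in the candidate list a vendor's documented PIN policy actually allows to see how many bits of the nominal 128 survive.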
