hak5
/
signalowl-payloads
mirror of https://github.com/hak5/signalowl-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2 from b1fair/master 

A basic bluetooth scanner payload
pull/3/head
Timothy Mossey 2019-08-13 16:14:52 -04:00 committed by GitHub
parent 1e5bafda4d 158f3f550c
commit 91ecfdb838
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 205 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

106
payloads/library/bluetooth/Bluetooth-Scanner/README.md Normal file
View File

@ -0,0 +1,106 @@
# A basic bluetooth scanner
Scans for bluetooth devices, and optionally interrogates them (using hcitool info).
## 1. Hardware
Tested with Hak5's "Mini USB Bluetooth Adapter" (Uses the Qualcomm CSR8510 chipset).
## 2. Configuration Variables
Where to write our output (loot):
```
LOOT_DIR=/root/loot/bluetooth_scan
```
Where scan results should go (using unix timestamp for uniqueness):
```
BT_OUTFILE=`date +%s`.bt.list
```
Where interrogation results should go (using unix timestamp for uniqueness):
```
BT_INFOFILE=`date +%s`.bt.info
```
Your bluetooth device, probably hci0:
```
BTDEV=hci0
```
Setting DEBUG to 1 will result in a lot more output to console and to /tmp/payload.log (does not survive reboot)
```
DEBUG=0
```
Setting INTERROGATE to 1 enables running hcitool info on all discovered devices, and logging to BT_INFOFILE, on by default.
```
INTERROGATE=1
```
## 3. Sample output
### a. The loot directory
...should look like this:
```
root@Owl:~/loot/bluetooth_scan# ls -al
drwxr-xr-x 2 root root 0 Aug 7 10:21 .
drwxr-xr-x 3 root root 0 Aug 7 08:48 ..
-rw-r--r-- 1 root root 0 Aug 7 10:21 1565173272.bt.info
-rw-r--r-- 1 root root 153 Aug 7 10:24 1565173272.bt.list
```
### b. Basic scan details
Bluetooth MACs are logged when first seen, with a timestamp. I'm not sure if the clock is ever right, but the 'startup' time gives a frame of reference.
```
root@Owl:~/loot/bluetooth_scan# cat 1565172658.bt.list
Wed Aug 7 10:10:59 UTC 2019 Startup
Wed Aug 7 10:18:25 UTC 2019 F8:38:80:B0:AA:AA iPhone
Wed Aug 7 10:19:10 UTC 2019 30:21:19:C5:AA:BB SCR1986BT-AS
```
### c. Interrogation results
If INTERROGATE=1, you'll get the results of hcitool info here.
```
root@Owl:~/loot/bluetooth_scan# cat 1565172658.bt.info
Begin F8:38:80:B0:AA:AA ----------------------
Requesting information ...
BD Address: F8:38:80:B0:AA:AA
Device Name: iPhone
LMP Version: 5.0 (0x9) LMP Subversion: 0x4307
Manufacturer: Broadcom Corporation (15)
Features page 0: 0xbf 0xfe 0xcf 0xfe 0xdb 0xff 0x7b 0x87
<3-slot packets> <5-slot packets> <encryption> <slot offset>
<timing accuracy> <role switch> <sniff mode> <RSSI>
<channel quality> <SCO link> <HV2 packets> <HV3 packets>
<u-law log> <A-law log> <CVSD> <paging scheme> <power control>
<transparent SCO> <broadcast encrypt> <EDR ACL 2 Mbps>
<EDR ACL 3 Mbps> <enhanced iscan> <interlaced iscan>
<interlaced pscan> <inquiry with RSSI> <extended SCO>
<EV4 packets> <EV5 packets> <AFH cap. slave>
<AFH class. slave> <LE support> <3-slot EDR ACL>
<5-slot EDR ACL> <sniff subrating> <pause encryption>
<AFH cap. master> <AFH class. master> <EDR eSCO 2 Mbps>
<EDR eSCO 3 Mbps> <3-slot EDR eSCO> <extended inquiry>
<LE and BR/EDR> <simple pairing> <encapsulated PDU>
<err. data report> <non-flush flag> <LSTO> <inquiry TX power>
<EPC> <extended features>
Features page 1: 0x0f 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Features page 2: 0x7f 0x0f 0x00 0x00 0x00 0x00 0x00 0x00
Begin 30:21:19:C5:BB:BB ----------------------
Requesting information ...
BD Address: 30:21:19:C5:BB:BB
Device Name: SCR1986BT-AS
LMP Version: 3.0 (0x5) LMP Subversion: 0x1f4
Manufacturer: CONWISE Technology Corporation Ltd (66)
Features page 0: 0xbf 0x3a 0x85 0xfa 0x98 0x1d 0x59 0x87
<3-slot packets> <5-slot packets> <encryption> <slot offset>
<timing accuracy> <role switch> <sniff mode> <RSSI> <SCO link>
<HV2 packets> <HV3 packets> <CVSD> <power control>
<broadcast encrypt> <EDR ACL 2 Mbps> <enhanced iscan>
<interlaced iscan> <interlaced pscan> <inquiry with RSSI>
<extended SCO> <AFH cap. slave> <AFH class. slave>
<3-slot EDR ACL> <5-slot EDR ACL> <pause encryption>
<AFH cap. master> <AFH class. master> <extended inquiry>
<simple pairing> <encapsulated PDU> <non-flush flag> <LSTO>
<inquiry TX power> <EPC> <extended features>
Features page 1: 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00
```

99
payloads/library/bluetooth/Bluetooth-Scanner/payload.txt Normal file
View File

@ -0,0 +1,99 @@
#!/bin/bash
#
# Title: Bluetooth Scanner
# Author: Brian Fair <blfair@gmail.com>, https://github.com/b1fair
# Version: 1.0
#
# Description: Scans for bluetooth devices, optionally interrogates them (hcitool info), tested with Hak5 "Mini USB Bluetooth Adapter (Qualcomm CSR8510 chipset)"
#
# LED SETUP: Scanning
# LED ATTACK: Querying devices
#
LOOT_DIR=/root/loot/bluetooth_scan
BT_OUTFILE=`date +%s`.bt.list # File (in LOOT_DIR) to write list of observed MACs to
BT_INFOFILE=`date +%s`.bt.info # File (in LOOT_DIR) to write results of "hcitool info <MAC>" to (if enabled)
BTDEV=hci0 # Set to the device to use for scanning (probably hci0)
DEBUG=0 # Set to 1 to enable verbose logging.
INTERROGATE=1 # Set to 1 to enable running "hcitool info <MAC>" on observed bluetooth MACs, 0 to disable this.
function scan_bluetooth() {
LED SETUP
[[ $DEBUG == 1 ]] && echo ... Scanning for bluetooth devices... | tee -a /tmp/payload.log
hcitool scan |egrep -v "^Scanning" > /tmp/bluetooth_scan
total_bts=$(cat /tmp/bluetooth_scan | wc -l)
[[ $DEBUG == 1 ]] && echo ... Found "$total_bts" bluetooth devices | tee -a /tmp/payload.log
for check_bt_mac in `cat /tmp/bluetooth_scan |awk '{print $1}'`
do
grep -i -q $check_bt_mac $LOOT_DIR/$BT_OUTFILE
if [ $? == 0 ]
then
[[ $DEBUG == 1 ]] && echo --- "$check_bt_mac": Already seen, not logging. | tee -a /tmp/payload.log
else
[[ $DEBUG == 1 ]] && echo +++ "$check_bt_mac": New MAC, logging... | tee -a /tmp/payload.log
echo -e "`date`\t`grep -i $check_bt_mac /tmp/bluetooth_scan`" >>$LOOT_DIR/$BT_OUTFILE
fi
done
}
function interrogate_bluetooth() {
LED ATTACK
current_bt=$(sed -n "$on"p /tmp/bluetooth_scan | awk '{print $2}')
current_bt_mac=$(sed -n "$on"p /tmp/bluetooth_scan | awk '{print $1}')
if grep -i -q "$current_bt_mac" /tmp/bt_scanned; then
[[ $DEBUG == 1 ]] && echo --- "$current_bt_mac": Already interrogated, skipping. | tee -a /tmp/payload.log
else
bluetooth_info
fi
}
function bluetooth_info() {
[[ $DEBUG == 1 ]] && echo +++ "$current_bt_mac": Not yet scanned, scanning... | tee -a /tmp/payload.log
echo "Begin $current_bt_mac ----------------------" >>$LOOT_DIR/$BT_INFOFILE
hcitool info $current_bt_mac >>$LOOT_DIR/$BT_INFOFILE
echo $current_bt_mac >> /tmp/bt_scanned
}
function run() {
runonce
while true; do
setup
scan_bluetooth
if [ "$INTERROGATE" -eq 1 ]
then
while [ "$on" -le "$total_bts" ]
do
if [ "$on" -ge 1 ]; then interrogate_bluetooth; fi
let on=on+1
done
else
[[ $DEBUG == 1 ]] && echo ... Interrogate mode is not enabled, skipping scans. | tee -a /tmp/payload.log
fi
sleep 5
[[ $DEBUG == 1 ]] && echo ... Completed recon. Restarting... | tee -a /tmp/payload.log
done
}
function runonce() {
hciconfig $BTDEV up
[[ $DEBUG == 1 ]] && echo "-----------------------------------------" | tee -a /tmp/payload.log
[[ $DEBUG == 1 ]] && echo Our local bluetooth device info: | tee -a /tmp/payload.log
[[ $DEBUG == 1 ]] && hciconfig | tee -a /tmp/payload.log
[[ $DEBUG == 1 ]] && echo "-----------------------------------------" | tee -a /tmp/payload.log
> /tmp/bluetooth_scan
> /tmp/bt_scanned
mkdir -p $LOOT_DIR
touch $LOOT_DIR/$BT_OUTFILE
touch $LOOT_DIR/$BT_INFOFILE
echo -e "`date`\tStartup" >>$LOOT_DIR/$BT_OUTFILE
}
function setup() {
on=0
}
# Run payload
run