Wednesday, June 11, 2008

Tutorial: Using frontline comprobe to crack a link key exchange

you will need the following...

one or two bluetooth enabled devices
frontline comprobe
A regular bluetooth device (for getting macs)
a copy of frontline.c
openciphers btpincrack

First thing is to setup your lab. Lets get the bluetooth hardware and services started.

Code:
hciconfig hci0 up
hciconfig hci1 up
bash /etc/rc.d/rc.bluetooth startYou an check everything is running correctly by issuing the hciconfig command.

Code:
hciconfigOk now we are ready to setup frontline.c.

Now I have had some trouble with the frontline source code and my frontline comprobe. I am using the airsniffer47-bc04 and it seems the packet shift is double than set in frontline.c ???

I'm keen to find out whats going on and have asked the powers that be to look into this and they have asked me to try a couple of things. One suggestion is to change FP_TYPE_SHIFT to 2 but it still has the same results. For now you will have to check it out for yourself, but if possible please could somebody try frontline.c with a dlink dbt120 without my mod and post the log ?

OK open frontline.c in your fav editor and find the following ...

Code:
#define TYPE_DV 8

#define LMP_IN_RAND 8
#define LMP_COMB_KEY 9
#define LMP_AU_RAND 11
#define LMP_SRES 12Now change to the following values ...

Code:
#define TYPE_DV 16

#define LMP_IN_RAND 16
#define LMP_COMB_KEY 18
#define LMP_AU_RAND 22
#define LMP_SRES 24Save and exit, then compile with the following command..

Code:
gcc -lbluetooth frontline.c -o frontlineThats frontline.c patched, now we can start the sniffer

ok if you run frontline with the -h tag you will see what options you have to play with. As explained in the video to start the sniffing process you will need the master's and slave's macs first. At the moment there is no way of telling who is the master or slave a piconet, obviously you would know this info because this is your equipment we are using right ??? ! lol But in a real situation it would just be trial and error and maybe a bit of a educated guess.

Ok lets scan for devices, if you already know the macs skip this step

Code:
hcitool inqGood practice to always issue a stop to your sniffer before starting just in case.

Code:
frontline -d hci1 -sNext we tell the comprobe to filter all frames.

Code:
frontline -d hci1 -f 7Next we add our MAC's

Code:
frontline -d hci1 -S MA:ST:ER:MA:C1@SL:AV:EM:AC:01Now lets start the sniffing process. -p tell's frontline to look for a key exchange and -z tell frontline to ignore zero length packets or in my language crap

Code:
frontline -d hci1 -p -z -eNow pair the two devices and you should see some data. Once the pairing process is complete, stop frontline and check back for the pairing process as seen in the video.

Next compile btpincrack I cant remember if you need to do anything to install onto bt3 so if you get errors post em and i'l fix em for you lol

And run frontlines output through btpincrack as seen in the video. A 6 digit pin should take around 7 seconds .

DONE

(c)Dr_GrEeN

No comments: