Raspberry Pi 3 – Kali Linux – Bluetooth Hacking Journal 2 – Redfang

Copied atshell.c from bluediving folder to bluemaho tools folder.
atshell still won’t run
opened another tool in bluediving to check the readme
The readme is unable to open due to xterm not being found
sudo apt install xterm
I can open the readme and it says to install carwhisperer with make, make install.
I did that in the bluediving/tools/carwhisperer-0.2 folder
I can run carwhisperer with ‘carwhisperer’ command

root@kali:~/bluediving/tools/carwhisperer-0.2# carwhisperer
carwhisperer <hci#> <messagefile> <recordfile> <bdaddr> [channel]
carwhisperer 0 out.raw - 00:11:22:33:44:55 | sox -t raw -r 8000 -c 1 -s -w - -t ossdsp /dev/dsp

Saw a folder for redfang_src in the bluediving/tools folder
sudo apt install redfang
package found, installing
redfang, command not found
Found wiki https://tools.kali.org/wireless-attacks/redfang
the command is ‘fang’ not ‘redfang’
description ‘RedFang is a small proof-of-concept application to find non discoverable Bluetooth devices. This is done by brute forcing the last six (6) bytes of the Bluetooth address of the device and doing a read_remote_name().’
fang -h shows

root@kali:~# fang -h
redfang - the bluetooth hunter ver 2.5
(c)2003 @stake Inc
author: Ollie Whitehouse <ollie@atstake.com>
enhanced: threads by Simon Halsall <s.halsall@eris.qinetiq.com>
enhanced: device info discovery by Stephen Kapp <skapp@atstake.com>
fang [options]

-r range i.e. 00803789EE76-00803789EEff
-o filename Output Scan to Text Logfile
An address can also be manf+nnnnnn, where manf
is listed with the -l option and nnnnnn is the
tail of the address. All addresses must be 12
characters long
-t timeout The connect timeout, this is 10000 by default
Which is quick and yields results, increase for
-n num The number of dongles
-d Show debug information
-s Perform Bluetooth Discovery
-l Show device manufacturer codes

-h Display help

The devices are assumed to be hci0 to hci(n) where (n) is the number
of threads -1, this is currently not configurable but maybe at a
later date.

fang -s scans all possible Bluetooth MAC addresses, one at a time. You can’t open multiple instances of this program to speed it up. It takes about 5 seconds to check each MAC, so it’s not practical to check them all. A MAC address is a 12-digit hexadecimal number. The first six digits of the MAC identify the manufacturer, so it would be faster to narrow the search down that way. For example, an iPhone has certain values for the first 6 hexadecimal digits of its MAC and a Samsung would have a different set.

So now you would be left with 16^6 possible combinations instead of 16^12. The 16 comes from the number of values each of the 12 hexadecimal characters that make up a MAC can take: 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F. However, there are hundreds of millions of iPhones out there, so there would have to be several different manufacturer prefixes as well, because the second half of a MAC only allows for about 16.7 million combinations.

So if we give iPhones 100 possible manufacturer prefixes, there would be (100 potential manufacturer prefixes)(16^6 possible tails) addresses to check. So this program may only be useful if there is a way to run multiple instances at the same time on the same hardware and/or have multiple devices dividing up the work, or if there is a way to find out the Bluetooth MAC of a device beforehand, but that sort of defeats the purpose of this program, except to monitor whether that specific address comes into range while it is set to not be discoverable.

Assuming (100)(16^6) = 1,677,721,600 possible iPhone MACs (I made up 100 different manufacturer prefixes because there are a lot of iPhones in circulation, each with a unique MAC), it would take 100 Raspberry Pi 3s about 23,301 hours (each Raspberry Pi checking 1 MAC every 5 seconds) to check them all. However, the program barely uses any CPU, so there is room for multiple instances to be run by the same CPU if somehow multiple instances of the program could be run at the same time on one Raspberry Pi 3. There is also an option for multiple Bluetooth dongles via the -n flag, but that would require purchasing additional Bluetooth dongles.
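To put numbers on the reasoning above, here is an added calculator (not part of the journal or of RedFang itself) that parses a fang-style `-r start-end` range, counts the addresses it covers, and estimates wall-clock time from the journal's assumptions: fang requires 12 hex characters per address (no colons), it brute-forces the last six hex digits (16^6 tails per manufacturer prefix), and one probe takes about 5 seconds.

```python
# Added example: quantify the RedFang search space and scan time.
# Assumptions (from the journal): ~5 s per address probe, probes run serially
# on one dongle, and fang's "-r" takes 12-hex-character addresses.

TAIL_HEX_DIGITS = 6                  # last 3 bytes of a BD_ADDR, brute-forced by fang
TAIL_SPACE = 16 ** TAIL_HEX_DIGITS   # 16,777,216 tails per manufacturer prefix


def parse_bdaddr(text):
    """Accept 'BC:E6:3F:18:74:35' or 'BCE63F187435' and return it as an int."""
    digits = text.replace(":", "").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError("BD_ADDR must be 12 hex characters: %r" % text)
    return int(digits, 16)


def range_size(fang_range):
    """Number of addresses fang would probe for one '-r start-end' argument."""
    start, end = (parse_bdaddr(part) for part in fang_range.split("-"))
    if end < start:
        raise ValueError("end address precedes start: %s" % fang_range)
    return end - start + 1


def range_is_valid(fang_range):
    """True if the range parses and is ordered; catches typos like a swapped byte."""
    try:
        range_size(fang_range)
        return True
    except ValueError:
        return False


def prefix_space(prefix_count):
    """Addresses needed to cover prefix_count manufacturer prefixes, all tails each."""
    return prefix_count * TAIL_SPACE


def scan_hours(addresses, seconds_per_probe=5.0, probes_in_parallel=1):
    """Wall-clock hours to probe every address, given N independent probers."""
    return addresses * seconds_per_probe / probes_in_parallel / 3600.0


if __name__ == "__main__":
    print("one prefix, one Pi:   %.0f hours" % scan_hours(prefix_space(1)))
    print("100 prefixes, 100 Pis: %.0f hours" % scan_hours(prefix_space(100), 5.0, 100))
    print("journal's typo range valid? %s"
          % range_is_valid("BC:E6:3F:18:74:35-BC:36:3F:18:74:35"))
```

Note that the range typed earlier in this journal with a swapped byte in the end address (`BC:36:...`) is rejected as unordered, while the 12-character form actually run (`BCE63F187435-BCE63F187435`) covers exactly one address.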

My phone is BC:E6:3F:18:74:35 so I could try finding that when my phone is not discoverable.

fang -s -r BCE63F187435-BCE63F187435

finds my phone

root@kali:~# fang -s -r BCE63F187435-BCE63F187435
redfang - the bluetooth hunter ver 2.5
(c)2003 @stake Inc
author: Ollie Whitehouse <ollie@atstake.com>
enhanced: threads by Simon Halsall <s.halsall@eris.qinetiq.com>
enhanced: device info discovery by Stephen Kapp <skapp@atstake.com>
Scanning 1 address(es)
Address range bc:e6:3f:18:74:35 -> bc:e6:3f:18:74:35
Performing Bluetooth Discovery... Completed.
Found: IGNORE ME [bc:e6:3f:18:74:35]
Getting Device Information.. Connected.
LMP Version: 4.2 (0x8) LMP Subversion: 0x240f
Manufacturer: Broadcom Corporation (15)
Features: 0xbf 0xfe 0xcf 0xfe
<3-slot packets>
<5-slot packets>
<slot offset>
<timing accuracy>
<role switch>
<sniff mode>
<channel quality>
<SCO link>
<HV2 packets>
<HV3 packets>
<u-law log>
<A-law log>
<paging scheme>
<power control>
<transparent SCO>
<broadcast encrypt>
<EDR ACL 2 Mbps>
<EDR ACL 3 Mbps>
<enhanced iscan>
<interlaced iscan>
<interlaced pscan>
<inquiry with RSSI>
<extended SCO>
<EV4 packets>
<EV5 packets>
<AFH cap. slave>
<AFH class. slave>
<LE support>
<3-slot EDR ACL>
<5-slot EDR ACL>
<sniff subrating>
<pause encryption>
<AFH cap. master>
<AFH class. master>
<EDR eSCO 2 Mbps>
<EDR eSCO 3 Mbps>
<3-slot EDR eSCO>
<extended inquiry>
<LE and BR/EDR>
<simple pairing>
<encapsulated PDU>
<err. data report>
<non-flush flag>
<inquiry TX power>
<extended features>


However, hcitool scan, cannot find my phone unless I make it discoverable.

root@kali:~# hcitool scan
Scanning ...

fang vs hcitool scan summary

So fang can find my phone, provided Bluetooth is powered on, even if it’s not discoverable. To make my phone discoverable (Android S6) I have to click and hold the Bluetooth button on the screen, and then it will load up a window and say ‘your device (IGNORE ME) is currently visible to nearby devices.’ However, even if that screen is not up, fang can still find my phone where hcitool cannot.

To test that hcitool is working correctly for that experiment, I made my phone discoverable and ‘hcitool scan’ did find it. I did not run ‘hcitool lescan’ (low energy) because my phone is not le.

root@kali:~# hcitool scan
Scanning ...
BC:E6:3F:18:74:35 IGNORE ME

Currently, I’m still trying to identify if fang -s is really a practical tool or if it could be.

Next week: https://github.com/balle/bluediving/tree/master/tools/carwhisperer-0.2 Car Whisperer to inject and record sounds into/from bluetooth headsets and hands-free units.

*an example command to start carwhisperer – carwhisperer 0 message.raw in.raw BC:E6:3F:18:74:35 2.4