Category: Hacking

Spoof BTADDR

Wrote a quick & dirty Python wrapper for the bluez-utils bccmd command to set the btaddr of a Bluetooth HCI device. The native bccmd syntax is awkward, so I found it handy to have a script which accepts a normally formatted btaddr as an argument, does some error checking and prints status information.

Usage:

```text
root@linux:~/devel/tech/bluetooth/# ./setbtaddr hci0 01:0E:07:75:B7:12
Exec './bccmd  -d hci0 psset -r bdaddr 0x75 0x00 0x12 0xB7 0x07 0x00 0x0E 0x01'
hci0:   Type: USB
        BD Address: 01:0E:07:75:B7:12 ACL MTU: 192:8 SCO MTU: 64:8
        UP RUNNING
        RX bytes:86 acl:0 sco:0 events:9 errors:0
        TX bytes:33 acl:0 sco:0 commands:9 errors:0
```

[download](http://optixx.org/download/setbtaddr)
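As an added example (not the setbtaddr script linked above), this is the address conversion such a wrapper has to do. The byte layout is taken from the bccmd line in the usage output: for 01:0E:07:75:B7:12 bccmd gets 0x75 0x00 0x12 0xB7 0x07 0x00 0x0E 0x01, which I read as four little-endian 16-bit words holding the LAP high byte, the LAP low word, the UAP and the NAP. The decoder is the inverse, so a raw byte list can be checked against the address it is supposed to encode; `build_psset_argv` only assembles the argv list and does not run anything.

```python
import re

# Byte layout of bccmd's raw "bdaddr" PS key, as used by the command line
# shown in the usage output above: for NAP:UAP:LAP = 01:0E:07:75:B7:12 it
# expects 0x75 0x00 0x12 0xB7 0x07 0x00 0x0E 0x01, i.e. four little-endian
# 16-bit words holding LAP high byte, LAP low 16 bits, UAP and NAP
# (assumption: derived from that one example, not from CSR documentation).
BTADDR_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def is_valid_btaddr(addr: str) -> bool:
    """True for the usual colon-separated XX:XX:XX:XX:XX:XX form."""
    return BTADDR_RE.match(addr) is not None


def btaddr_to_bccmd(addr: str) -> list[str]:
    """Convert a colon-separated address into bccmd's eight raw byte arguments."""
    if not is_valid_btaddr(addr):
        raise ValueError(f"not a Bluetooth address: {addr!r}")
    nap_hi, nap_lo, uap, lap_hi, lap_mid, lap_lo = bytes.fromhex(addr.replace(":", ""))
    raw = (lap_hi, 0x00, lap_lo, lap_mid, uap, 0x00, nap_lo, nap_hi)
    return [f"0x{b:02X}" for b in raw]


def bccmd_to_btaddr(words: list[str]) -> str:
    """Inverse of btaddr_to_bccmd: turn the eight raw byte values back into an address."""
    if len(words) != 8:
        raise ValueError("expected exactly 8 byte values")
    raw = [int(w, 16) for w in words]  # accepts "0x75" as well as "75"
    if any(not 0 <= b <= 0xFF for b in raw):
        raise ValueError("byte values must be in 0x00..0xFF")
    lap_hi, pad0, lap_lo, lap_mid, uap, pad1, nap_lo, nap_hi = raw
    if pad0 or pad1:
        raise ValueError("padding bytes of the LAP-high and UAP words must be zero")
    return ":".join(f"{b:02X}" for b in (nap_hi, nap_lo, uap, lap_hi, lap_mid, lap_lo))


def build_psset_argv(hci: str, addr: str) -> list[str]:
    """Assemble the argv list the wrapper would hand to bccmd (nothing is executed here)."""
    return ["bccmd", "-d", hci, "psset", "-r", "bdaddr", *btaddr_to_bccmd(addr)]


if __name__ == "__main__":
    argv = build_psset_argv("hci0", "01:0E:07:75:B7:12")
    print(" ".join(argv))
    # round trip: decoding the raw bytes must give the original address back
    print(bccmd_to_btaddr(argv[6:]))
```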

H00lyshit – DIY Bluetooth Sniffer

Since the [23c3](http://events.ccc.de/congress/2006/Home) every interested researcher has known that it is easy to compromise Bluetooth sessions using the BTCrack tool. Thierry Zoller showed how it is possible to [retrieve](http://secdev.zoller.lu/research/bluetoothcracker.htm) link keys; the only problem was getting hold of a Bluetooth sniffer device to capture the raw Bluetooth packets. Such devices are not available at consumer prices. But somehow Max Moser found a [way](http://www.remote-exploit.org/research/busting_bluetooth_myth.pdf) to transform a vanilla USB BT dongle into a Bluetooth sniffer device. Don’t believe the hype… now Bluetooth security is dead.

Mini Howto:

```sh
# Backup old firmware
dfutool -d hci0 archive backup.dfu
# Backup config
bccmd -d hci0 pslist -s 0x000F >> backup_cfg
# Check Vendor ID (has to be 0x0a12)
bccmd -d hci0 psget -s 0x000f 0x02be
# Write new Product ID
bccmd -d hci0 psset -s 0x0002 0x02bf 0x0002
```

Undelete with Sleuthkit

Wrote a little Bash script using [Sleuthkit](http://www.sleuthkit.org/) tools to recover a deleted file from a partition. Tested the script with ext2 and fat32 filesystems.

Setup a test image:

```sh
dd if=/dev/zero of=image bs=1k count=8192
mkfs.ext2 image
mount -o loop image /mnt/image
cp something /mnt/image
rm /mnt/image/something
sync
umount /mnt/image
```

Now you can start the script to search for a token of the deleted file:

```sh
./find.sh image "Test"
```

The code for find.sh:

```sh
#!/bin/sh
# find.sh: locate a deleted file in a filesystem image by searching the
# unallocated space for a text token, using Sleuthkit 2.x tools.
# (Sleuthkit 3.x and later renamed dls, dcat and dcalc to blkls, blkcat
# and blkcalc; the arguments are the same.)

IMAGE=$1
TOKEN=$2
BSIZE=1024            # block size of the image (mkfs.ext2 default for the test image above)
TYPE="linux-ext2"     # filesystem type for the -f option, e.g. "fat" for fat32
TMP="dls_$(date +%Y%m%d_%H%M%S)"

if [ $# -ne 2 ]
then
    echo "Usage: $0 image token"
    exit 1
fi

if [ ! -f "$IMAGE" ]
then
    echo "Cannot find $IMAGE"
    exit 1
fi

if [ -z "$TOKEN" ]
then
    echo "Please give search token"
    exit 1
fi

echo "--------------------------"
echo "Found deleted"
# list deleted entries (-d), recursively (-r)
fls -f "$TYPE" -rd "$IMAGE"
# dump all unallocated blocks into one file
dls -f "$TYPE" "$IMAGE" > "$TMP"
# list printable strings with their decimal byte offset (-t d) in that dump
strings -t d "$TMP" > "$TMP.str"
echo "--------------------------"
grep -i "$TOKEN" "$TMP.str"
echo "--------------------------"
printf "Select Offset: "
read n
# take the hit whose offset column is exactly the selected offset
ADDR=$(grep -i "$TOKEN" "$TMP.str" | sed 's/^[ \t]*//' | grep "^$n " | head -n 1 | cut -d " " -f1)
if [ -z "$ADDR" ]
then
    echo "Nothing found for '$TOKEN' at offset '$n'"
    exit 1
fi
echo "Found $ADDR"
# byte offset in the dls dump -> unit (block) number within the dls dump
OFFSET=$((ADDR / BSIZE))
echo "Using Offset $OFFSET"
# map the dls unit number back to the block address in the original image
BLOCK=$(dcalc -f "$TYPE" -u "$OFFSET" "$IMAGE")
echo "Using Block $BLOCK"
echo "----------------------------"
dcat -f "$TYPE" "$IMAGE" "$BLOCK"
echo
echo "----------------------------"
# find the (deleted) inode that still points at this block
INODE=$(ifind -f "$TYPE" -d "$BLOCK" "$IMAGE")
echo "Found Inode $INODE"
istat -f "$TYPE" "$IMAGE" "$INODE"
# the last line of istat output lists the data blocks of the inode
BLOCKS=$(istat -f "$TYPE" "$IMAGE" "$INODE" | tail -n 1)
echo "---------------------------"
echo "Found Blocks $BLOCKS"
echo "---------------------------"
# dump every data block of the inode in order to reassemble the file
(for BLOCK in $BLOCKS
do
    dcat -f "$TYPE" "$IMAGE" "$BLOCK"
done) | tee "$TMP.found"
echo "---------------------------"
echo "Saved to $TMP.found"
echo "---------------------------"
rm -f "$TMP" "$TMP.str"
```