Saturday, October 13, 2018

DERBYCON VIII: Bluetooth DeMystifier

How to make a wearable Raspberry Pi...


LostRabbitLabs created five (5) 'Bluetooth DeMystifiers' and brought them to DerbyCon to share. This page will serve as the howto and manual for those who have the badge and those who would like to build one. All parts needed to build one, along with instructions on how to use it, are listed below. If you would like a copy of the original SDCard image (RaspberryPI Wireless Zero) let me know and I will provide the link. Code will be posted to our Github soon.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What is a Bluetooth DeMystifier?
Using a Raspberry PI Zero Wireless tucked in a bag (making it a 'Hacky Sack' - thank you pancho for the great name)...it is a bluetooth enumerator, logger, identifier, sniffer, collector & plotter with ssh & web interfaces for admin access. With the DeMystifier you can...identify bluetooth/BLE devices around you, plot their signals over time to provide real-time proximity data, and collect stats on the Top Mac Addresses and Vendors observed. This can assist with locating lost devices, detecting if you are being followed, and give some insight into the Bluetooth Darknet that exists all around us.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What you will need:
1. Raspberry PI Wireless Zero
2. Adafruit PiTFT 2.2" HAT Mini Kit - 320x240 2.2"
3. GPIO headers (for connecting PI to PiTFT)
4. Adafruit PowerBoost 1000C & one (1) on/off switch
5. 3.7v 2000mAh Lithium Ion Battery
6. One small leathery bag & Paracord



Back and front view of DeMystifier before it goes in the bag! Notice the four (4) buttons on the front below the screen!

Putting things together is pretty easy. Solder headers onto the Raspberry Pi. Solder the PiTFT to the headers (leaving room for access to the microUSB ports on the PI). Connect power wires from the Powerboost to the Raspberry PI and attach the battery. Slide it in the bag and loop paracord through the bag ties. Leather-punky...and done!



How to use:
1. Charge battery (or use microUSB power while charging)
2. Turn on/off switch to ON position (located on back of badge)
3. Device boots up! You should see output and boot-up images (shown below) on the screen followed by the DerbyCon VIII splash screen (pictured above). Be patient, as the badge may take 1-2 minutes to boot up completely.


4. Using the four (4) buttons on the front of the badge, you can access different bluetooth data being collected/observed.

BUTTON 1:
Displays a graph of the Top 10 most observed Bluetooth Mac Addresses over time. This shows patterns in observed bluetooth traffic, devices and the people/objects who control them. Use for Red-Teaming, Blue-Teaming, Purple-Teaming, Asset management, and curiosity!





BUTTON 2:
Pressing this button will show statistics around total Mac Addresses, vendors and connections observed along with a listing of all devices observed in the last 60 seconds.



The Bluetooth DeMystifier uses the open source software package 'Bluetoothctl' to provide some of the data seen in this view.






BUTTON 3:
This shows a real-time, enriched view (in the CSV format) of bluetooth/BLE signals observed complete with timestamp, vendor OUI lookup, and leaked strings.



BUTTON 4:
The Bluetooth DeMystifier uses the open source software package 'hcitool' to provide some of the data seen in this view. It provides real-time BLE sniffing. Occasionally the command 'hcitool lescan' displays an I/O error message. Just press the button again...and wish for the best!





How to access the SSH and WEB interfaces:
In order to access the SSH and Web interfaces you will need to modify the existing 'wpa_supplicant.conf' file to use your own wireless network. This can be achieved by mounting the sdcard and modifying the "/etc/wpa_supplicant/wpa_supplicant.conf" file.

wpa_supplicant.conf:
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
 ssid="YOUR_WIFI_SSID"
 psk="YOUR_WPA_KEY"
}

------------------------------------------------
Once your Bluetooth DeMystifier is online...you can log in to SSH using the steps below.

SSH LOGIN:


1. Log in to Raspberry PI using the user 'pi2' and the password 'derbycon'
2. Gain root privileges using the command 'su -' and then using 'derbycon' as the password.
3. All data and important files are in '/home/pi/installs'.
4. Factory reset the DeMystifier (clearing out all bluetooth stats and starting over) by running '/home/pi/installs/clean.sh' and rebooting.

------------------------------------------------

WEB ACCESS:
The web interface for 'Bluetooth DeMystifier' provides additional graphs, logs, and ability to plot any Mac Address you request. Available data includes...

  • Bluetooth Stats - Macs, Vendors, Strings
  • All Discovered Devices (Name/Mac)
  • Discovered Devices Last 5 Minutes (Name/Mac)
  • CSV Version of Log Data
  • Top 10 MACADDRS - Last 10 Minutes
  • Top 10 MACADDRS - All-Time
Sample CSV output data shown below...
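As an added example (not the badge's own code, which has not been posted yet) of the enrichment behind the BUTTON 3 CSV view and the Top 10 MACADDRS stats on the web interface: it parses 'hcitool lescan' output lines, adds a timestamp, a vendor OUI lookup and any advertised name (one kind of leaked string), renders CSV, and counts the most-seen MACs over the last 10 minutes or all-time. The OUI table, the scan lines and the NOW timestamp are constructed placeholders.

```python
import csv, io, re
from collections import Counter
from datetime import datetime, timedelta

# Constructed OUI table (first three octets -> vendor). A real build would load
# the IEEE OUI registry; these prefixes and vendor names are placeholders.
OUI_TABLE = {"AA:BB:CC": "ExampleVendorA", "11:22:33": "ExampleVendorB"}

# 'hcitool lescan' prints one line per advertisement: "<MAC> <name or (unknown)>"
LESCAN_RE = re.compile(r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(.*)$")

def enrich(line, when):
    """One lescan line -> dict with timestamp, vendor lookup and the advertised
    name (the 'leaked string'); None if the line is not a scan result."""
    m = LESCAN_RE.match(line.strip())
    if not m:
        return None
    mac, name = m.group(1).upper(), m.group(2).strip()
    return {"timestamp": when.isoformat(timespec="seconds"), "mac": mac,
            "vendor": OUI_TABLE.get(mac[:8], "unknown"),
            "string": "" if name == "(unknown)" else name}

def to_csv(rows):
    """Render enriched rows as CSV text (the BUTTON 3 / web CSV log view)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["timestamp", "mac", "vendor", "string"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def top_macs(rows, now, window=timedelta(minutes=10), n=10):
    """Most-seen MACs within `window` before `now`; window=None means all-time."""
    counts = Counter()
    for row in rows:
        age = now - datetime.fromisoformat(row["timestamp"])
        if window is None or timedelta(0) <= age <= window:
            counts[row["mac"]] += 1
    return counts.most_common(n)

# Constructed sample scan: (seconds before NOW, raw lescan line)
NOW = datetime(2018, 10, 6, 12, 0, 0)
SAMPLE = [(900, "AA:BB:CC:00:00:01 (unknown)"),
          (300, "AA:BB:CC:00:00:01 (unknown)"),
          (120, "11:22:33:44:55:66 Fitness Tracker"),
          (60, "AA:BB:CC:00:00:01 (unknown)"),
          (30, "11:22:33:44:55:66 Fitness Tracker"),
          (5, "LE Scan ...")]  # hcitool's banner line, not a device
ROWS = [r for r in (enrich(l, NOW - timedelta(seconds=s)) for s, l in SAMPLE) if r]
```

The 15-minute-old sighting drops out of the 10-minute window but still counts all-time, which is the difference between the two Top 10 views on the web interface.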

Use the '/home/pi/installs/tags.txt' file to create MAC-to-TAG translations as well as plot any Mac Address using the request URL below:

http://YOUR_IP_ADDRESS:1337/?macaddr=01:02:03:04:05:06


Thank you DerbyCon!
It was a great DerbyCon and I can't wait to go back next year. Great staff, family and local hospitality (not to mention the great food and drink). To many more!