Ubertooth One Introduction – Setup and Testing

Since I’ve had it for a bit, I figured it was time for an Ubertooth One introduction.

Ubertooth One Introduction

The Ubertooth One is a 2.4GHz development platform intended for Bluetooth experimentation.

I haven’t used it a ton yet, but I wanted to get it set up and at least learn how to scan with it. In the future, I’m hoping to get some scripts working for fox hunting!

Basic Setup

First, I installed the VirtualBox Extension Pack.

Next, I plugged in the Ubertooth and verified that it connected to the VM.

Ubertooth One - Plugged In

Ubertooth One - USB Connected

After that, I installed all the prerequisites that I could get with apt.

apt-get -y install cmake libusb-1.0-0-dev make gcc g++ libbluetooth-dev pkg-config libpcap-dev python-numpy python-pyside python-qt4

Once those were installed, I built libbtbb.

wget https://github.com/greatscottgadgets/libbtbb/archive/2015-10-R1.tar.gz -O libbtbb-2015-10-R1.tar.gz
tar xf libbtbb-2015-10-R1.tar.gz
cd libbtbb-2015-10-R1
mkdir build
cd build
cmake ..
make
make install

Finally, I installed ubertooth tools.

wget https://github.com/greatscottgadgets/ubertooth/releases/download/2015-10-R1/ubertooth-2015-10-R1.tar.xz -O ubertooth-2015-10-R1.tar.xz
tar xf ubertooth-2015-10-R1.tar.xz
cd ubertooth-2015-10-R1/host
mkdir build
cd build
cmake ..
make
sudo make install

Ubertooth One – Initial Traffic

First, I ran a Bluetooth scan from my phone to create some traffic.

While that ran, I ran the Spectrum Analyzer to verify that everything was working.

Ubertooth One - Spectrum Analyzer

Next, I sniffed some traffic using ubertooth-rx.

Ubertooth One - ubertooth-rx

Once I captured and verified the LAP, I tried to get the next byte of the address.

Ubertooth One - LAP

Capturing Traffic in Wireshark

First, I set up a FIFO that I could use as a named pipe.

mkfifo /tmp/pipe

Next, I opened Wireshark and set up a new interface using the pipe (reference).

Ubertooth One - Named pipe interface

Afterwards, I ran the Ubertooth in low energy mode on the named pipe.

ubertooth-btle -f -c /tmp/pipe

Note that I got an error at this point regarding “User encapsulation not handled”.

Ubertooth One - User encapsulation error

Per the documentation, I followed these steps.

  1. Edit -> Preferences
  2. Click Protocols -> DLT_USER
  3. Edit (Encapsulations Table)
  4. Click New
  5. Under DLT, select “User 0 (DLT=147)” (adjust this selection as appropriate if the error message showed a different DLT number than 147)
  6. Under Payload Protocol, enter: btle
  7. Click OK
  8. Click OK

Ubertooth One - DLTs Table

Ubertooth One - New DLT
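The DLT number needed in step 5 can also be read from a saved capture instead of from the error dialog. The following is an added example, not code from the original post or the Ubertooth project: it reads a classic pcap file's link type, follows a PPI wrapper (link type 192) to its inner DLT when one is present, and names the matching row in the DLT_USER table. The function names and sample bytes are constructed for illustration, and it makes no assumption about whether a given Ubertooth capture is PPI-wrapped.

```python
import struct

DLT_PPI = 192                      # Per-Packet Information wrapper link type
DLT_USER0, DLT_USER15 = 147, 162   # range of user-defined link types

def byte_order(magic):
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        return "<"                 # little-endian (usec or nsec timestamps)
    if magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        return ">"                 # big-endian
    raise ValueError("not a classic pcap file")

def effective_dlt(data):
    """Return the DLT Wireshark has to dissect: the file's link type, or the
    inner pph_dlt of the first packet when the file is PPI-wrapped."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    bo = byte_order(data[:4])
    linktype = struct.unpack(bo + "I", data[20:24])[0]
    if linktype != DLT_PPI:
        return linktype
    # 24-byte global header, 16-byte record header, then the PPI header.
    if len(data) < 24 + 16 + 8:
        raise ValueError("PPI capture has no complete first packet")
    _ver, _flags, _hdr_len, inner = struct.unpack("<BBHI", data[40:48])  # PPI is always LE
    return inner

def dlt_user_row(dlt):
    """Name of the entry to select under DLT in the Encapsulations Table."""
    if not DLT_USER0 <= dlt <= DLT_USER15:
        raise ValueError(f"DLT {dlt} is not a user DLT (147-162)")
    return f"User {dlt - DLT_USER0} (DLT={dlt})"

def build_sample(linktype, inner_dlt=None):
    """Constructed sample bytes (not real traffic): header plus one PPI record."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    if inner_dlt is None:
        return hdr
    ppi = struct.pack("<BBHI", 0, 0, 8, inner_dlt)
    return hdr + struct.pack("<IIII", 0, 0, len(ppi), len(ppi)) + ppi

if __name__ == "__main__":
    print(dlt_user_row(effective_dlt(build_sample(DLT_PPI, 147))))
```

Run it against a capture saved to a regular file rather than /tmp/pipe, since reading the FIFO would take bytes away from Wireshark.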

Finally, with the error resolved, I set up a filter to try and view my traffic.

btle.data_header.length > 0 || btle.advertising_header.pdu_type == 0x05

With everything configured, I was able to see the connection between my phone and FitBit!

Ubertooth One - Wireshark Capture

Ubertooth One – Conclusion

While I’m still understanding what I can use it for, this was a pretty easy introduction to the Ubertooth One.

If you have any ideas, suggestions, or tutorials, then please share them with me.

I’m not sure what I’ll use this for next, but hopefully I’ll be ready to hunt some foxes before the next wCTF!

doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for SecureWorks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (OSCE?!) or side project to work on, he enjoys playing video games, traveling, and watching sports.


One Response to Ubertooth One Introduction – Setup and Testing

  1. Josh

    Great post as usual!
