1
00:00:06,490 --> 00:00:08,720
- [Narrator] In lesson three, you learned all about

2
00:00:08,720 --> 00:00:11,010
the different antennas and devices

3
00:00:11,010 --> 00:00:14,390
to monitor wireless networks, including Bluetooth.

4
00:00:14,390 --> 00:00:16,030
The antenna that I actually showed you

5
00:00:16,030 --> 00:00:19,260
for Bluetooth was the Ubertooth One.

6
00:00:19,260 --> 00:00:22,150
As I mentioned in lesson three, Bluetooth monitoring

7
00:00:22,150 --> 00:00:26,510
was really expensive before this device was created.

8
00:00:26,510 --> 00:00:29,640
I am including here the creator's GitHub wiki

9
00:00:29,640 --> 00:00:33,140
and also the repository for installation instructions.

10
00:00:33,140 --> 00:00:37,390
So I personally installed the Ubertooth underlying packages

11
00:00:37,390 --> 00:00:41,640
in Kali Linux, but you can even install it in macOS

12
00:00:41,640 --> 00:00:44,460
and any other Linux-based operating systems.

13
00:00:44,460 --> 00:00:49,460
So Red Hat, Ubuntu, Debian, and so on.

14
00:00:49,660 --> 00:00:52,140
Now there are several utilities that can be used

15
00:00:52,140 --> 00:00:53,810
with Ubertooth One.

16
00:00:53,810 --> 00:00:56,350
For example, you can actually launch its

17
00:00:56,350 --> 00:01:00,550
packet capture module and interact with Wireshark

18
00:01:00,550 --> 00:01:04,610
to monitor all Bluetooth transactions near you.

19
00:01:04,610 --> 00:01:06,470
Now keep in mind that Bluetooth is actually

20
00:01:06,470 --> 00:01:10,810
a short-distance technology, so you will have to be in range

21
00:01:10,810 --> 00:01:15,810
of the Bluetooth devices that you want to scan and monitor.

22
00:01:15,880 --> 00:01:17,730
Let's see how this works.

23
00:01:17,730 --> 00:01:22,730
First, I'm going to use the mkfifo, or F-I-F-O, command

24
00:01:22,950 --> 00:01:27,950
or tool to create a named pipe at /tmp/pipe

25
00:01:28,450 --> 00:01:32,260
in my example. Then let's actually launch Wireshark.
26
00:01:32,260 --> 00:01:34,730
I'm going to select a capture interface

27
00:01:34,730 --> 00:01:37,330
and then click on Manage Interfaces.

28
00:01:37,330 --> 00:01:39,210
Now under the Pipes tab,

29
00:01:39,210 --> 00:01:42,610
I will add the named pipe that I actually created earlier

30
00:01:42,610 --> 00:01:45,050
under /tmp/pipe.

31
00:01:45,050 --> 00:01:47,280
So once I do that, I click on OK

32
00:01:47,280 --> 00:01:48,720
and then I click on Start,

33
00:01:48,720 --> 00:01:52,520
and then I start the actual packet capture itself.

34
00:01:52,520 --> 00:01:55,000
So then I'm gonna open a new terminal

35
00:01:55,000 --> 00:01:59,360
and then I will invoke the ubertooth-btle command

36
00:01:59,360 --> 00:02:03,130
with a -f option to follow the connections.

37
00:02:03,130 --> 00:02:06,480
So then I'm gonna specify -c to specify

38
00:02:06,480 --> 00:02:10,520
the capture file, or the named pipe in this case,

39
00:02:10,520 --> 00:02:11,900
that I actually created earlier.

40
00:02:11,900 --> 00:02:15,770
So once I press Enter, you will see the Bluetooth packages,

41
00:02:15,770 --> 00:02:19,681
or packets rather, in the terminal screen

42
00:02:19,681 --> 00:02:22,360
and also in Wireshark.

43
00:02:22,360 --> 00:02:24,370
Now this is a very cool way of actually seeing

44
00:02:24,370 --> 00:02:27,260
all the Bluetooth transactions in detail, just like you

45
00:02:27,260 --> 00:02:29,930
learned how to actually use Wireshark in the past

46
00:02:29,930 --> 00:02:31,710
with other scenarios.

47
00:02:31,710 --> 00:02:35,270
So now let's take a look at a transaction in detail.

48
00:02:35,270 --> 00:02:38,290
So in this case, this is a communication

49
00:02:38,290 --> 00:02:41,500
between my iPhone and my Bluetooth headset.

50
00:02:41,500 --> 00:02:44,970
So there you can see the scan request,

51
00:02:44,970 --> 00:02:48,950
the advertising address, and a lot more information.
52
00:02:48,950 --> 00:02:52,210
Now in the past, in weak Bluetooth implementations,

53
00:02:52,210 --> 00:02:54,810
you could use this information to

54
00:02:54,810 --> 00:02:57,080
spoof paired devices,

55
00:02:57,080 --> 00:03:00,667
and in some cases even get address books and

56
00:03:00,667 --> 00:03:04,860
contact information and other sensitive information.

57
00:03:04,860 --> 00:03:07,383
So of course, in modern implementations,

58
00:03:07,383 --> 00:03:09,630
there are a lot of protections against that,

59
00:03:09,630 --> 00:03:11,717
but you may actually be surprised that you can

60
00:03:11,717 --> 00:03:14,877
spoof some of these transactions with ease.

61
00:03:14,877 --> 00:03:17,387
Now let's take a look at another tool,

62
00:03:17,387 --> 00:03:21,860
in this case the Ubertooth spectrum analyzer.

63
00:03:21,860 --> 00:03:25,340
And basically, a spectrum analyzer is a useful tool

64
00:03:25,340 --> 00:03:29,760
for assessing, or troubleshooting in some cases,

65
00:03:29,760 --> 00:03:34,610
RF interference, because it visualizes RF signals.

66
00:03:34,610 --> 00:03:38,550
So the display of spectrum analyzers,

67
00:03:38,550 --> 00:03:43,220
or any spectrum analyzer rather, shows the amplitude

68
00:03:43,220 --> 00:03:47,140
of all signals over a particular range of frequencies.

69
00:03:47,140 --> 00:03:50,870
And it also represents a combination of signals

70
00:03:50,870 --> 00:03:53,370
coming from data traffic on wireless networks,

71
00:03:53,370 --> 00:03:57,160
and of course, in this case, on Bluetooth devices.

72
00:03:57,160 --> 00:04:01,010
Now the guys behind Kismet also created another

73
00:04:01,010 --> 00:04:05,790
spectrum analyzer that you can use, called Spectools.
74
00:04:05,790 --> 00:04:08,010
Here I'm actually showing an example

75
00:04:08,010 --> 00:04:11,370
of how you can use the Ubertooth One

76
00:04:11,370 --> 00:04:15,140
with this tool. So in this one, you can see

77
00:04:15,140 --> 00:04:17,677
that the tool has three different views:

78
00:04:17,677 --> 00:04:20,965
the spectral view, the topo view to measure

79
00:04:20,965 --> 00:04:24,125
the amplitude of signals in decibels, and also

80
00:04:24,125 --> 00:04:29,016
a planar view that also shows signals in decibels as well.

81
00:04:29,016 --> 00:04:33,550
So these tools can also be used for in-depth troubleshooting,

82
00:04:33,550 --> 00:04:36,420
not only for pen testing but to troubleshoot

83
00:04:36,420 --> 00:04:40,320
any Bluetooth implementation and also do research

84
00:04:40,320 --> 00:04:41,763
in Bluetooth environments.