While modern Wi-Fi-routers are able to filter unwanted packets, most Bluetooth adapters, to put it mildly, are dumb. They by and large do not care what package and how many of these packets you will send. Therefore it is absolutely no problem for us to increase the information volume of the ping package in Linux to a huge value and then send these packages to the Bluetooth device with, say 1000 pieces.
There is an order of magnitude. First we need to find the right devices within range. To do this, we use the command.
$ hcitool scan
As a result of this simple manipulation, you will get a list of available Bluetooth devices from their MAC address. If your system cannot see the Bluetooth adapter then I recommend to install one of the Bluetooth managers for Linux. At Kali I personally found gnome-bluetooth which you can install with the following command:
$ apt-get install gnome-bluetooth
You can also use the blueman utility:
$ apt-get install blueman
Having received the list of potential victims, you can deal with their blue-toothed devices in several ways. Let’s consider each of them separately.
Let’s use this command:
$ l2ping -i hci0 -s <packet value> -f <MAC_address>
It will generate the packets you specified in the
<packet value> volume and send those packets to the MAC address written as the
<MAC_address> parameter. Eventually, you will see the following picture: the response time will gradually increase in the terminal, and the device under attack will likely simply turn off Bluetooth.
After a while, it will still turn on, but the music will stop, and some satisfaction will be received..
This scheme works very well when the attacked device (for example, a phone) is connected to a headset or speaker via Bluetooth. After the attack, these two devices will not be able to connect to each other.
Way Two: Websploit
There is a more elegant and comfortable way to muffle the speaker from which the cheerful sounds of rap are heard. Launch the Websploit utility:
Receive a team in the console
$ show modules
It will show us all the modules that work with this utility. There are many components that work with Wi-Fi, but we are specifically interested in the Bluetooth/bluetooth_pod module:
$ use bluetooth/bluetooth_pod
Now you need to configure all settings and specify information about the attacked device:
$ show options $ set bdaddr <MAC_address>
To accurately and surely kill Bluetooth, we will change the size of the packet being sent:
$ set size 999
All preparatory actions are completed, we can launch our “killing machine”:
We will see a very similar picture in the output: the pings get longer and the music stops. Beauty!
These two methods will work with virtually any Bluetooth speaker, headset or other similar device. Simply because the manufacturers do not produce new firmware for them that can filter incoming packets. So, if you have a laptop with “Linux” on board, you can definitely call yourself a storm of portable speakers.
If the column copes with the attack, you can try to send the packets to the phone it is connected to. Personally, I tested this method on a fairly powerful portable speaker (JBL Xtreme) and it more or less coped with the load. But cheap Chinese handicrafts such an attack cuts down once.
Curious products are sold on the Internet, among which you can find and jammers. They cost usually decent money and provide different opportunities. Some can drop almost all the signals of the mobile network, Wi-Fi and Bluetooth at once, and others will not cope with H+.
If you think that you really need such a product, I strongly recommend that you read the applicable law before purchasing it. In Russia it is not forbidden to buy and sell silencers, but if you decide to use it, you need to register the device with the State Committee for Emergency Situations. If you are caught using an unregistered device, you will most likely be fined under Article 13.4 of the Administrative Code of the Russian Federation. Today, the fine for individuals is 500 rubles, for legal entities – up to 10 thousand.
Whoever stopped it once, all the same, we have lived, live and will live by this principle! So if you caught fire with the idea to make your own portable jammer – let’s go.
For better visibility, I’ve picked out 2 videos for you:
I think this is enough to turn a minimum muffler and throw your buddies, or fans of loud music.
To someone else’s device
As we already know, primitive speakers and headsets almost never filter out the packets we send them. But what happens if you send to such a device not just a packet of data to check the connection (ping), but a packet requesting a connection to the device? And not just one.
Ahhhh, I was also shocked when I saw that even that could be done with Bluetooth devices. It seems to me that hacking, over time, may well get to the real world.
Not all manufacturers of such headsets have taken care of buffer overflow protection. If all packets become queued, what will happen when there is nowhere to store requests? Column will try to execute command and clear buffer in this case.
So we use standard Bluetooth – rfcomm communication protocol. But since the protocol utility itself will not allow us to send a thousand such requests, we will write a small script to Python that automates the process.
#!/usr/bin/env python import subprocess cmd=['rfcomm', 'connect', '<MAC_address>', '1']. for i in range(0, 1001): subprocess.call(cmd) print('Connecting...')
Before running the script, we need to know the MAC address of the device. To do this we use the already familiar command
hcitool scan and insert the resulting address into the script instead of
<MAC_address>. Now we save the script and run it:
$ python <FileName>
Whether the script will work or not depends on the model of the device being attacked, or rather on the buffer filling speed. If the buffer has time to be filled before it is cleaned, the command will be executed, and then we will connect to the column simultaneously with the main user. If the buffer is cleared, it will fail and the script will have to be restarted.