
PentestingScenarios

Lucas Fernandez edited this page Nov 11, 2019 · 3 revisions

In this section we will see a few examples to cover the basic usage of the tool in pentesting related scenarios.

1. 'BLE' devices attack

In our first attack, we will target BLE devices. As in any other attack, we will first explore the scenario in order to set a target. We will load the module discovery/ble with root permissions and check its options.

03-01

By default we have a timeout option of 5 seconds and an optional rssi attribute, used to filter by the proximity of the device. If we execute the module with run, we will see the devices around us ordered by RSSI.

This list has all the information required to see the GATT (services and characteristics) of each Bluetooth device. To do so, we will target a device with the green check mark in the Connectable column. In the list above we will select AMIYJ_2484, a Tile-knockoff Bluetooth tracker.

We will load the module ble/read-characteristics, set mac to the address listed above and set the type option to public in order to match the selected device.

03-02 03-03

The next step is to run the module and read the characteristics, which will indicate whether they can be modified.

03-04

In the image above we can see the first two characteristics, but there are plenty more, and we are searching for the ones that could be modified (those with the write property).

03-05

In our victim, we have found that the fff2 characteristic is the one that emits the tracking sound. If we sniff the traffic, we can see the type of information that is sent, so we can replicate it from HomePwn. To do so, we load the ble/write-characteristic module, setting the mac and the uuid of the characteristic, and then the data and the encode type, as seen in the following picture.

03-06

Once we have reviewed the data (otherwise the connection will fail) we will run the module, making the tile beep. This works because 0xAA03 is the instruction, 04 is the number of beeps and FFFF is the intensity of the sound (in this case the loudest).

2. Phishing Bluetooth devices

HomePwn has a feature to create fake Bluetooth profiles, either by dumping the values of an existing device or by writing the characteristics manually. This allows us to spoof a connection with the victim, forcing the connection to our PC.

To start using this feature, we must load the module bluetooth/mac_spoof. With this module we can monitor the status of our attack. This module was developed thanks to spooftooph.

In our example, we will 'clone' a device, which is why we first load the discovery module to scan our environment.

03-07

We will use the device named "PowerLocus"; this address belongs to some Bluetooth headphones. Then we load the module bluetooth/mac-spoof, set some properties, like the bmac address of our targeted device and the interface used to spoof, and start the execution.

03-08

To check whether the spoof was successful, we can take a look at the Bluetooth interface by running the hciconfig command and confirm that the hci1 interface has changed.

03-09

Once this is confirmed we can move on to the next scenario.

3. Device Discovery

HomePwn has several modules to discover devices, as we have seen in the Bluetooth section. In this chapter we will use SSDP and mDNS to poke around in our scenario. There is even a module specific to Xiaomi devices.

3.1 Device Discovery by SSDP

First we will use the ssdp module in a straightforward way, just loading the module and then running it, although we could tweak parameters like the service we are searching for (by default ssdp:all) and the timeout used in the search. In the following image we can see an example of the module in action.

03-10

This list could potentially grow a lot, depending on the connected devices and the type of service configured.
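To show what the ssdp module is doing under the hood, here is an added example (not HomePwn code) that builds the M-SEARCH request with the same default target, parses the unicast replies and collapses them into an asset inventory keyed by USN; the sample replies are constructed, and the 5-second timeout in discover is an assumed value, not the module's.

```python
import socket
SSDP_GROUP = ("239.255.255.250", 1900)  # standard SSDP multicast group and port

def build_msearch(service="ssdp:all", mx=2):
    """Build an SSDP M-SEARCH request; ssdp:all is the module's default search target."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {service}\r\n\r\n").encode("ascii")

def parse_ssdp_reply(raw):
    """Parse one unicast reply into a dict of upper-cased headers; None if it is not an HTTP 200."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return headers

def inventory(replies):
    """Collapse raw replies into one entry per USN with the fields an asset inventory needs."""
    seen = {}
    for raw in replies:
        if (h := parse_ssdp_reply(raw)) and "USN" in h and h["USN"] not in seen:
            seen[h["USN"]] = {k: h.get(k, "") for k in ("USN", "ST", "LOCATION", "SERVER")}
    return list(seen.values())

def discover(service="ssdp:all", timeout=5.0):
    """Send the request and gather raw replies until the timeout (an assumed default) expires."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(service), SSDP_GROUP)
        replies = []
        try:
            while True:
                replies.append(sock.recvfrom(65507)[0])
        except socket.timeout:
            return replies

SAMPLE_REPLIES = [  # constructed replies, not captured from a real network; the second duplicates the first
    b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\nUSN: uuid:0000-aaaa::upnp:rootdevice\r\n"
    b"LOCATION: http://192.0.2.10:49152/description.xml\r\nSERVER: Linux/3.x UPnP/1.0 Example/1\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\nUSN: uuid:0000-aaaa::upnp:rootdevice\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nST: urn:dial-multiscreen-org:service:dial:1\r\nUSN: uuid:0000-bbbb::urn:dial-multiscreen-org:service:dial:1\r\nLOCATION: http://192.0.2.20:8008/ssdp/device-desc.xml\r\n\r\n",
]
```

Running inventory(discover()) on a real network returns the same kind of list the module prints; on a busy LAN the DIAL entries are the ones that Chromecast-style devices answer with.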

3.2 Device Discovery by MDNS

We will try to discover more devices with the MDNS protocol.

03-11

We first load the module and then execute it. As mentioned before, this module runs in the background until we stop the search by pressing the q key. We can run another search with a second mdns module that uses the avahi tool.

4. Bluetooth sniffing and pcap Reading

This tool can sniff Bluetooth packets in two different ways: with tcpdump and with scapy, the one we will see in this section.

To do so, we will load the capture/bluetooth-scapy module and, as we see in the show options command, we can change the path of the file or the interface before we run the module in the background.

03-12

Once we are finished, we just need to see the list of tasks with the command tasks list and use the task kill ID command to 'kill' our process, which displays a farewell message with the number of packets captured and the path of the file.

03-13

If we want to read the pcap file, we can load the module capture/read-pcap. Setting the parameter file to the actual path of our file and the number of packets we want to display, we will see the list of packets in our file.

03-14

As you can imagine, this .pcap file can also be read in other tools such as Wireshark.
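As an added example (not HomePwn's read-pcap module, which uses scapy), the following pure-Python reader walks a classic pcap file and pulls out the ATT writes seen in section 1, so a capture like the one above can be checked for the exact value sent to the tracker; it assumes the capture uses link type 187 (HCI H4), the sample capture is constructed, and the attribute handle 0x002b in it is a made-up placeholder.

```python
import struct

LINKTYPE_BLUETOOTH_HCI_H4 = 187  # pcap link type: HCI packets prefixed with the H4 type byte
ATT_CID = 0x0004                  # fixed L2CAP channel that carries ATT
ATT_WRITES = {0x12: "Write Request", 0x52: "Write Command"}

def parse_pcap(data):
    """Walk a classic little-endian pcap; return (linktype, [(timestamp, frame_bytes), ...])."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only classic little-endian microsecond pcap is handled here")
    off, records = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        records.append((ts_sec + ts_usec / 1e6, data[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return linktype, records

def decode_att_write(frame):
    """If an H4 frame is ACL data carrying an ATT write, return (kind, handle, value_hex)."""
    if len(frame) < 12 or frame[0] != 0x02:  # 0x02 = HCI ACL data packet indicator
        return None
    _conn_handle, acl_len = struct.unpack_from("<HH", frame, 1)
    l2cap = frame[5:5 + acl_len]
    l2_len, cid = struct.unpack_from("<HH", l2cap, 0)
    att = l2cap[4:4 + l2_len]
    if cid != ATT_CID or len(att) < 3 or att[0] not in ATT_WRITES:
        return None
    return ATT_WRITES[att[0]], struct.unpack_from("<H", att, 1)[0], att[3:].hex()

def split_beep_payload(value_hex):
    """Split the tracker's fff2 value into the fields described above: instruction, beeps, intensity."""
    raw = bytes.fromhex(value_hex)
    return {"instruction": raw[:2].hex(), "beeps": raw[2], "intensity": raw[3:5].hex()}

def build_sample_pcap():
    """Constructed capture, not a real trace: one Write Request of AA03 04 FFFF to made-up handle 0x002b."""
    att = struct.pack("<BH", 0x12, 0x002B) + bytes.fromhex("AA0304FFFF")
    l2cap = struct.pack("<HH", len(att), ATT_CID) + att
    frame = b"\x02" + struct.pack("<HH", 0x0040, len(l2cap)) + l2cap
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_BLUETOOTH_HCI_H4)
    return header + struct.pack("<IIII", 1573430400, 0, len(frame), len(frame)) + frame

def writes_in_pcap(data):
    """List every ATT write in the capture as (timestamp, kind, handle, value_hex)."""
    linktype, records = parse_pcap(data)
    if linktype != LINKTYPE_BLUETOOTH_HCI_H4:
        raise ValueError(f"unexpected link type {linktype}")
    return [(ts,) + hit for ts, frame in records if (hit := decode_att_write(frame))]
```

For a real file, writes_in_pcap(open(path, "rb").read()) gives the same list; a capture with another link type (for example one with a pseudo-header in front of each packet) needs the frame offset adjusted first.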

5. Working with NFC

Another remarkable feature of the tool is the ability to work with RFID and NFC devices. HomePwn can read any NFC tag compatible with NDEF (NFC Data Exchange Format).

As we have mentioned before, if you have an NFC reader connected to the tool and enabled (you can set up this device with the module nfc/setup) you can get all the relevant information about a tag, like the type, identifier, NDEF capabilities...

03-15

This module has a property to enable a verbose mode which displays the memory allocation of the tag, allowing us to detect all the records written, even the ones that could have been deleted but still persist in the PROM memory.

In addition to displaying the information of the tag, we can read and write our own records if the device allows the operations. To do so we can load the module nfc/write, set the ndef_type record that we want, select whether we want to append to or rewrite the tag and then execute the module.

03-16

And not only can we write our own tags, we can also dump and load the data, allowing us to clone our tags onto other devices. With nfc/dump we can create the .ndef file with the configuration and we can load it onto another device with the nfc/load module.
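Here is an added example (not HomePwn's nfc modules) of what the tool's NDEF handling and verbose mode are doing: a parser for the NDEF record format, a scan that keeps reading past the live message to surface stale records that were overwritten but never erased, and a small encoder used only to build the constructed tag memory; it works on the raw NDEF message bytes, not on the tag-type-specific TLV container around them.

```python
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.", 0x03: "http://", 0x04: "https://"}

def decode_well_known(tnf, rtype, payload):
    """Decode the well-known record types a reader meets most often: URI ("U") and Text ("T")."""
    if tnf != 1 or not payload:
        return None
    if rtype == b"U":
        return URI_PREFIXES.get(payload[0], "") + payload[1:].decode("utf-8", "replace")
    if rtype == b"T":  # status byte: bit 7 = UTF-16, low 6 bits = language code length
        lang_len, enc = payload[0] & 0x3F, "utf-16" if payload[0] & 0x80 else "utf-8"
        return payload[1 + lang_len:].decode(enc, "replace")

def parse_ndef(data, off=0):
    """Parse one NDEF message starting at off; return (records, offset just past the ME record)."""
    records = []
    while off < len(data):
        flags, type_len = data[off], data[off + 1]
        tnf, short, has_id = flags & 0x07, flags & 0x10, flags & 0x08
        payload_len, off = (data[off + 2], off + 3) if short else (int.from_bytes(data[off + 2:off + 6], "big"), off + 6)
        id_len, off = (data[off], off + 1) if has_id else (0, off)
        rtype, off = data[off:off + type_len], off + type_len
        rid, off = data[off:off + id_len], off + id_len
        payload, off = data[off:off + payload_len], off + payload_len
        if len(payload) != payload_len:
            raise ValueError("truncated record ending at offset %d" % off)
        records.append({"tnf": tnf, "type": rtype.decode("ascii", "replace"), "id": rid,
                        "payload": payload, "decoded": decode_well_known(tnf, rtype, payload)})
        if flags & 0x40:  # ME flag: this was the last record of the message
            return records, off
    raise ValueError("message has no ME record")

def scan_memory(mem):
    """Parse past the live message to surface stale records that were overwritten but never erased."""
    live, off = parse_ndef(mem)
    stale = []
    while off < len(mem) and mem[off] != 0x00:  # 0x00 bytes are treated as erased/padding
        try:
            found, off = parse_ndef(mem, off)
        except (ValueError, IndexError):
            break
        stale += found
    return live, stale

def build_record(tnf, rtype, payload, first=False, last=False):
    """Encode a short record (SR=1, no ID field); MB/ME flags mark the message start and end."""
    flags = tnf | 0x10 | (0x80 if first else 0) | (0x40 if last else 0)
    return bytes([flags, len(rtype), len(payload)]) + rtype + payload

SAMPLE_MEMORY = (build_record(1, b"U", b"\x04example.com/pair", first=True, last=True)  # constructed, not a real dump
                 + build_record(1, b"T", b"\x02enold note", first=True, last=True) + b"\x00" * 4)
```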

6. Chromecast Hijacking

HomePwn can search for clients connected to a specific network and perform a deauth attack. To accomplish this attack, a network interface with promiscuous mode is needed.

The first step in the tool is to load the module wifi/stations-sniffing and set the values of the interface and channel.

03-17

The image has been altered in order to hide the addresses of the devices and access points. Once the network is targeted, we only need the BSSID to perform the attack, but how do we get the MAC of the Chromecast? The way to go here is to check the manufacturer, in this scenario Google, and perform the attack. In case there are multiple devices with Google as the manufacturer we will need to test them all until we find our victim.

Now, with all the information gathered, we only need to load the module wifi/deauth to deauth the device. We set the properties of the module, like the bssid and the number of packets to send (-1 for an infinite loop), and hit run to send the task to execute in the background.

03-18

If we manage to remove the Chromecast from the network, the device will bring up an access point to start pairing mode, so we will be able to hijack it and send content or change the name of the device with the help of several HomePwn modules related to Chromecast.
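From the defender's side, the sustained deauth traffic this scenario relies on (the -1 infinite loop above) is easy to spot in a monitor-mode capture. The following added example (not HomePwn code) parses 802.11 deauthentication frames and alerts once per BSSID when more than a threshold of them arrive inside a sliding window; the frames and MAC addresses are constructed, and it assumes the capture has no radiotap header in front of each frame.

```python
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(raw):
    return ":".join("%02x" % b for b in raw)

def parse_deauth(frame):
    """Return (bssid, src, dst, reason) for an 802.11 deauthentication frame, else None."""
    # Frame Control byte 0: subtype in the high nibble, type in bits 2-3; 0xC0 = mgmt/deauth.
    if len(frame) < 26 or (frame[0] & 0xFC) != 0xC0:
        return None
    dst, src, bssid = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
    return bssid, src, dst, struct.unpack_from("<H", frame, 24)[0]  # reason code follows the 24-byte header

def detect_deauth_flood(frames, threshold=10, window=5.0):
    """Alert once per BSSID when more than `threshold` deauths for it arrive within `window` seconds."""
    recent, alerts = defaultdict(deque), []
    for ts, frame in frames:
        hit = parse_deauth(frame)
        if hit is None:
            continue
        bssid, src, dst, reason = hit
        times = recent[bssid]
        times.append(ts)
        while times and ts - times[0] > window:  # slide the window forward
            times.popleft()
        if len(times) == threshold + 1:  # fire exactly once as the threshold is crossed
            alerts.append({"bssid": bssid, "src": src, "broadcast": dst == BROADCAST,
                           "reason": reason, "count": len(times), "at": ts})
    return alerts

# Constructed frames (not from a real capture), laid out as in an 802.11 monitor-mode capture
# without a radiotap header: FC c0 00, duration, addr1 (dst), addr2 (src), addr3 (BSSID),
# sequence control, then the 2-byte reason code (7 = class 3 frame from non-associated STA).
FLOOD_FRAME = bytes.fromhex("c000 0000 ffffffffffff 021122334455 021122334455 0000 0700")
SINGLE_FRAME = bytes.fromhex("c000 0000 02aabbccddee 02aabbcc0001 02aabbcc0001 1000 0300")
BEACON_FRAME = bytes.fromhex("8000 0000 ffffffffffff 021122334455 021122334455 2000") + b"\x00" * 12
SAMPLE_FRAMES = ([(100.0 + i * 0.05, FLOOD_FRAME) for i in range(40)]  # 40 deauths in 2 seconds
                 + [(102.0, BEACON_FRAME), (130.0, SINGLE_FRAME)])    # noise and one lone deauth
```

A single broadcast deauth for a BSSID is normal network housekeeping; dozens per second, all from the BSSID's own address, is the signature this scenario leaves behind.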