Hello, everybody. Can you hear me fine? Cool. So my name is Ryan Holeman. Today I'm going to be talking to you about a project I've been working on for a while. The aim of the project was to bring the data that we obtained through passive Bluetooth monitoring. Oh, sorry. Is that better? Okay. So the aim of the project was to bring the data that we obtained from passive Bluetooth monitoring into a Python medium. A little bit about myself before I get started. I live in Austin, Texas. I work for an amazing company called Ziften Technologies, where I am their lead server developer. I have a master's degree in computer science. Most of my thesis work revolved around C++ template metaprogramming. This is a longer speech than I had at Black Hat, so you guys are going to get longer demos and more content. So, pretty awesome.

So here's what we're going to go over today. I cherry-picked three Bluetooth essentials that I think anyone doing passive Bluetooth monitoring should understand. I'm going to go over some fundamental projects which created the foundation for my work. And then finally what I did, why I did it, why I thought it was needed and what it provides. And then I'm going to go on to some demos. The demos are pretty thorough. They're in an IPython notebook format. It's really nice for creating documentation and live demos. All this content is on your conference DVDs, so if you want to check it out later, go for it. The source code currently doesn't have a home online, so you guys have the only copy of it right now until I check it in somewhere. And let's get going.

Okay. So the first thing to understand about Bluetooth is it's built upon this frequency hopping protocol. What this means is a communication between two devices is going to take place over 79 different channels, and these devices will hop through these channels at about 1600 times per second.
And the hardware that we have in order to monitor this Bluetooth in the air can really only listen to one channel or a small subset of channels at a time right now. So the data that we obtain is going to be very sparse. What this means is we're not really going to have a whole conversation, but the data, we can still do a lot with it, right? It's not completely useless. And that's what we get.

Okay. So here I have an illustration of a simplified Bluetooth stack. There's three things I want you to take away from this slide. Anytime I say BTBB, that's Bluetooth baseband. The second thing is, Bluetooth baseband is the lowest level on the Bluetooth stack, and this is what we listen to when we actually passively monitor Bluetooth. And the Bluetooth baseband layer cannot be directly accessed with our everyday commodity Bluetooth devices and operating system software, so we need specialized hardware in order to access this layer.

Okay. And now on to the Bluetooth address space. This is the last thing that I kind of cherry-picked out that I think you guys should understand about Bluetooth. Some of the more important information we actually gain from this data when we're doing passive Bluetooth monitoring is actual Bluetooth addresses, because the Bluetooth protocol tends to hide them. So if you're familiar with a typical networking protocol, a Bluetooth address is laid out pretty much like a MAC address, right? Where our upper half is vendor specific and our lower half is device specific. Now as far as relating them, that's about as far as it goes, because where Bluetooth starts to differ is we don't actually need this whole entire address in order to make a Bluetooth connection, right? On the illustration, the section labeled the NAP can be filled in with whatever we want, as long as the UAP and the LAP are correct, and we can actually make Bluetooth connections.
So the other thing that we tend to do with Bluetooth addresses is we split them up into these three subsections, right? The NAP, the UAP and the LAP. The NAP is the non-significant address part, right? Because we don't need it. And luckily we don't need this, because it's actually the hardest part to obtain when we're passively monitoring Bluetooth. The UAP can be derived from packets that we obtain during passive Bluetooth monitoring if the packet actually has a payload or data associated to it, right? We obtain this by checking its HEC, and basically we're able to obtain this sometimes. So we won't always have a UAP, but we can get it sometimes. The LAP is basically given to us in Bluetooth baseband traffic, and we can pretty much always guarantee it's going to be there. And that's the Bluetooth address space in a nutshell.

Okay, so for my project, I chose to use the Ubertooth. I chose it because it's small and it's cheap. If you're unfamiliar with the Ubertooth, it's a project created by Michael Ossmann, and it's basically a USB dongle capable of sending and receiving data on the same layer as Bluetooth baseband. Some other things about the project: new this month, Dominic Spill took over as the lead programmer, so there's been a lot of code movement and I expect to see a lot of new features and functionality coming out of it pretty soon. So that's pretty exciting. And most importantly for my project, the Ubertooth software provides a Kismet plugin, and basically the Kismet plugin can output this Bluetooth baseband data into PCAP files. This is kind of core to my libraries, because I use these PCAP files in order to input the data into my libraries.

So, really short, libbtbb: also created by Dominic Spill and Michael Ossmann. It's basically a core library for Ubertooth and gr-bluetooth. I mentioned it here because it provides a Wireshark plugin, and this is closely related to what I did with my medium in my libraries.
And luckily, I had this, because it made my work a lot easier, right? Michael Ossmann did all the hard work of building this Wireshark plugin, and then I could check my work against his, and it made my stuff go a lot quicker. If you're unfamiliar with libbtbb, it basically provides the data structures and methods for deriving information from Bluetooth baseband data.

So Scapy is the medium that I chose in Python in order to incorporate my data into Python, right? And Scapy is pretty much your go-to framework in Python if you want to deal with raw network traffic. It's a framework slash library which provides methods for sending, receiving, accessing and manipulating network traffic, and it supports a lot of different layers, right? Bluetooth baseband not being one of them. So that's kind of where I came in.

So when I first started out, you know, I had one goal and one goal only, and that was to somehow get all this Bluetooth baseband traffic into Python in its entirety, right? I figured once I could do that, I could rip through this stuff and throw it into my data crunching libraries and throw it into big data storage warehouses and, you know, just have fun with it, right? I don't need to sit there and hammer out C code or C++ code to do stuff that's rapid development, right? Python is better for rapid development. So I did this by creating the Bluetooth baseband layer in Scapy, and when I first started out, I would just take the PCAP files created from Kismet and load them into my Scapy module. This was really great for postmortem work, right? But the problem here was I couldn't find live data. I couldn't see packets streaming down my screen as they came in over the air, right? So I had two options here. My first option, which I started to do, was to build a direct interface into the Ubertooth so I could stream this data directly to Scapy. I actually chose not to do this. I quit that. I'm working on it again.
But for this initial release, I stopped that, because I thought, well, people using stuff like a USRP, and they're able to write these PCAP files, they're not going to be able to use my libraries directly because I'm only going to have an Ubertooth layer. So what I did instead is I built a streaming layer for PCAP files in Scapy, and what this does is it's kind of similar to tail -f in Linux, right? Where you're just kind of looking at the file as it's being written and you can safely review this. So I created a layer where I'm actually able to read from the PCAP file safely as Kismet's writing to it, so we can use it as kind of a data pipe in between applications.

So now that I have my data flowing into Scapy the way that I wanted it, and I could get everything I wanted, there was a lot of stuff that I would do over and over that I really wanted to just build a lot of helper methods in my library for. So the first thing I did: a lot of times when we're going through this data we want to see all the unique Bluetooth addresses we saw within a data set, right? So I have helper methods in there that will give me a unique list of all Bluetooth addresses found within the traffic I'm viewing. Same thing for data types too, right? If I have a PCAP capture, it's really useful for me to know, give me a count of all, you know, POLL traffic or ID traffic, DV traffic, DH traffic that I actually saw within this, so I can actually get an idea for some review. Okay, this capture had a lot of voice traffic, this capture had a lot of data traffic, things like this. It just makes it easy for me to actually see what's in these PCAP files really quickly. Some other things that I did: looking at MAC addresses all day, I don't know how many you guys can actually remember off the top of your head. So I would try to build these methods that would give me like a human readable format for these things.
So obviously if I had a vendor and a UAP I could then look them up via manufacturer files and get the manufacturer name for me. So as I'm streaming this data I can see, okay, this is an Apple device. I can see, okay, this is a, you know, XYZ device. Now we're not always going to have a NAP, so when we only have a UAP I can do a NAP reduction on this stuff, right? So a typical vendor list has about 20,000 vendors in it. If I have a UAP I can do a NAP reduction and get, you know, 30 to 60 vendors and their associated NAPs. So if I see the vendor that I'm actually looking at in this list, then I can associate its NAP along with it.

Also, I'm really into docstrings, so if you guys look through any of my libraries there's extensive docstrings for all of my methods and functions, along with descriptions of their outputs and arguments. I'm also very PEP 8, so if you guys look at my stuff it's pretty readable. And along with all this stuff too, as I was learning all of this I wrote a lot of extensive documentation for all the related projects, right? So if you're new to loading firmware on your Ubertooth to get the latest, greatest code and functionality, you know, the first time you do this it's not so straightforward. So I have a lot of documentation on my website on how to actually do this type of stuff for, you know, the Ubertooth project and a couple other things. And I should be updating my documentation soon, hopefully after the whole conference settles down and I can relax a little bit.

So on to the demo. Anyone in the audience use IPython notebook? Cool, alright. It's my new favorite Python tool. Basically it's a great way to create documentation when you're actually doing this stuff and to allow people to run your code interactively. But here we go. Basically I'm going to go through a lot of, you know, like a Scapy tutorial, but using these PCAP files for Bluetooth baseband traffic, and show off some of my libraries.
So the first thing I'm going to do is from scapy.all import *. This is not very PEP 8 to me, but for demo's sake it makes my namespace a little bit less. So BTBB is the library, the Bluetooth baseband library that I created for Scapy. Basically when you want to install it you can just put it in your Python path, or if you really wanted to you can throw it in your Scapy layers folder. I'm going to create a reader interface to a sample PCAP file, and I'm going to read one packet from it and save it as a variable pkt. Now Scapy provides methods for viewing this data in a nice format. So let's look at the first packet, although I can tell you it's not going to look very interesting. So my layer is based on top, like the bottom layer of my Scapy module is based upon the Ethernet layer, since they're a one-to-one match. So when we see ID traffic it's just going to look like an Ethernet packet. Wireshark also does this with their plugin, but let's look for something a little more interesting. So I'm going to iterate through these packets one by one until we find something with actual data, and here we have something. We can see here that, you know, the Ethernet layer is the base layer for this stuff. Then we start to have the Bluetooth baseband layer, each level of the Bluetooth baseband layer, and a lot of this was modeled off of how it was laid out in Wireshark. Scapy also provides summary data for us too, if we just wanted to see this packet in a short view. And this is really nice for just generically iterating through this stuff, so you don't have a whole bunch of stuff on your screen. So we can build just simple loops in order to go through, let's say, find me the first packet that actually has Bluetooth baseband payload in it, right? I'll iterate through and print out a short summary of every packet before that until we find one with actual payload. Okay. So next we can actually, these are just kind of like built-in Scapy things.
If you're unfamiliar with Scapy, this is probably informative; otherwise it's probably kind of boring. We can take the rest of our packets from our PCAP list and load them all into a Python list. We can view it, see that there's, you know, 440 other packets in here. We can treat it a lot like a Python list, where we can do list slicing on it. Now we can take this list and, so this is really helpful to have Scapy with this traffic, because I can actually take that data that I just loaded into a list now and say I knew Joe Schmoe had, you know, MAC address or Bluetooth address X, Y, Z. I could filter out all of his data and write that to a PCAP file. So now I have these really nicely formatted PCAP files. So I can say, okay, this is all of Joe Schmoe's traffic, and I'll save it for later analysis. So here's just an example of me writing out all this data to a PCAP file. I'm doing a bash ls on it through IPython in order to show you that it's written there. I can then open it back up and look at 5 packets from it and close all my files.

Okay, so I mentioned that I created this streamer object in Scapy in order to be able to access these PCAP files as Kismet's writing them. So here's an example of this. These first four lines of gibberish here are my hybrid of bash in Python. Don't ever use anything like this. This was actually just one line less than doing it the pure pythonic way. Basically all I'm doing here is looking in my Kismet logs and grabbing the latest one. So let's assume for demo's sake, I'm not going to do a live Kismet capture, but let's just assume it's being written to right now. I'm going to grab my latest log, and here's the file here. I'm going to create a streamer object on top of that, and now I can stream through this, right? And my streamer object, my streamer iterator, I can tell it a lot of different things.
I can say stop when you get to the end, and basically remember where you are, so the next time you access your stream you can start where you left off. If I tell it not to stop, it'll basically sit there and wait until a new packet comes in, and we can kind of see this stuff go through. And that's more for an interactive mode in Scapy, where you'd actually have to Ctrl-C in order to get out of it. But here's just an example of it. And then we can close my streamer object. Oh, actually let's go back, sorry. It wasn't very informative. So let's go ahead and open my streamer object and look at this stuff, and show you that the next time that I go to access this stuff there's been no new data written to this file, so I'm basically going to start off with nothing, right? So this is really useful for, and I'm just streaming through in order to see all this data in real time.

Okay, so this is just kind of some setup stuff. I use Wireshark manufacturer files when I actually do my vendor lookup and NAP lookup on a lot of my data. I don't have my Wireshark manufacturer file in a default location, so I actually have to specify it here. I'm going to open up another PCAP file, and we're just going to view the first couple packets within this PCAP file, and we're going to look for the first one that has some actual data associated with it, right? We have a UAP for this. And so what I'm going to do here is I'm going to show you these helper methods built in here. Here's an example of the get vendor one, right? So let's assume we did know the NAP, and I plugged in the associated upper NAP to this address we saw here, right? This wasn't in the data, but let's pretend like we knew it. I can now see, okay, the vendor is this, right? But if we did not have that, I can take this packet here, which was packet number six, and actually plug it into my get vendors function, and I'll get back a variable, possible vendors, right? And we can see that there were 60 possible vendors for that.
I can then look through all the vendors that it was associated with. And for me this was very easy, because I knew that I was looking for an Apple device, right? So now I have here my NAP associated with that address and my actual device name.

Grabbing all distinct Bluetooth addresses out of a packet capture. This proves very useful when you're actually plugging into other applications you might create, or other tools, right? I can take this list and send it to, you know, a scanner utility that I have, or I can send this list to a connection utility. I can do a lot of things with this, and basically this kind of builds the core for a lot of my tools that I just kind of create around my library. I actually don't have a Bluetooth library installed on my OS X operating system right here, so this part is not going to work, but this was me showing you that you can take this list and throw all these addresses through a Bluetooth scanner. This works in Linux. I actually have never really been able to find a really good Python Bluetooth module, so if anyone knows of any, let me know.

Let's go to another demo. So this is kind of the fun stuff. I do a lot of data analysis in my day-to-day work, so I took a lot of this data that I'm grabbing from these PCAP files, and I can do a lot of really cool stuff with it, right? So anyone here familiar with pandas? Python pandas? Alright, he's the Python guru over there. Python pandas is basically like a data crunching library in Python. It's really awesome. You can do these in-memory, like, database tables, and you can do a lot of group-by operations and matplotlib graphs and stuff like that off all your data. So here I'm going to open up another simple PCAP file, and I'm going to read it in with my streamer. I'm going to instantiate a whole list of packets rather than iterating through, which would be better for memory, but I'm not going to get into that right now.
So basically here, this gibberish is me going through my list of packets that I put in a PCAP file list, and I'm just going to grab out some interesting information from within each packet, right? I'm going to grab, if it had a UAP and LAP, what packet type it was, is it going to be the master, was there a payload associated, and the time that I actually saw it from the PCAP metadata. And so when I do this, I never cleared all of my stuff, but either way I already had the output recalculated on these, I guess. So here I'm just going to show you the head of my data set that I just created above, right, and basically this is just the first five rows of my table that I created in memory. This is a pandas table, so basically I can go through my data set, find the min and max date, I can see that this packet capture was only about five minutes long, and then I can just rip out some awesome graphs on all this stuff by doing a lot of group-by functions, right? I can say, okay, show me all of my data for all my clients, like all the LAPs I actually saw, right, and then, you know, I get this really cool graph here. With four more lines of Python I can say, okay, well, just show me all data that wasn't, you know, blank, right? Let's get rid of all of our ID traffic, and I can show this stuff. I can do type breakdowns by packet types for all this stuff with a couple more lines. I mean, this is just all Python pandas. It's really cool for this. With two lines of code you can just rip through this data and do some really cool stuff with it. Here I'm just showing, you know, per LAP, here are the packet types we saw for each one. And I'm actually running out of time, so I'm going to kind of sum this up. I can also do a lot of really cool time series stuff on this, so I can see, if I'm running this packet capture overnight, I can, you know, see at midnight I saw this big spike of traffic or whatever. We can break this out a lot of different ways: per client or per LAP time series, cumulative sums of all the
data they sent, you know, subgraphs of different types of data they sent, stuff like this. So it's really cool stuff. If you like Python pandas, you can just kind of go through these tutorials and learn a lot from them. All right, back to the slides.

Okay, so what is the relevance of all of this? Obviously I created a way to do postmortem and real-time data analysis on these Bluetooth baseband PCAP files in Python. I did it in a way where we're providing cross compatibility across different devices, which is really nice just for, you know, people using other tools out there like the USRP. And a lot of these libraries can just be really easily incorporated into other tools you have: auditing tools, pentesting tools. There's a lot of cool stuff you can do with this. I just, I play with this stuff all the time while I'm drinking coffee in the morning, and I can rip out a new scanner and try some new techniques, and it's pretty easy stuff, and in Python you only need a couple lines of code.

So stuff I'm working on right now: I'm working on some Python libraries to directly interface with a lot of the Ubertooth functionality that you get out of their C libraries. Just recently, I think it was like this week, Dominic Spill made the main Ubertooth library a shared library, which is really nice for me, so now I can just kind of plug into that instead of me creating it in a Python setup.py file. I still want to build a direct stream into the Ubertooth, now that I actually have a way for you people with the USRP to use it. Now I just kind of want to not run Kismet in the background. I mean, no offense to Kismet, I just, you know, resource consumption and stuff like that. I would just rather directly stream this stuff straight into Python.
Bluetooth low energy layer: I never created that layer, although it would be fairly simple for me to do now that I know my way around all this stuff. And we have no way of actually sending these packets out if I were to create them in Scapy right now, but it would be really nice for me to just make sure it was all sane if we are building packets in Scapy, for in the future, when we actually have a way of sending these out, we have a medium for actually creating a lot of these packets.

And here's some references. All my slides and content are on the conference DVDs, but if you want to get into this stuff or learn it, or if there's something I talked about that you weren't familiar with, I have links to all this stuff here, and you can find a lot of my tutorials and demo code online at hackgnar.com. I actually don't have the code from this conference up there yet, but later this week I'll put it up there. Contact me at my email address, don't be scared, I'm pretty nice, and follow me on Twitter, hackgnar. I'll try to do any updates for the project there. So thank you.
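The NAP/UAP/LAP split and the "NAP reduction" vendor lookup described in the talk, written out as an added example (this is not the speaker's BTBB library; the manuf excerpt and the capture address are constructed for this example, and the Wireshark manuf format is assumed to be tab-separated OUI, short name, long name):

```python
"""Bluetooth address helpers modelled on the talk's NAP/UAP/LAP split and
its "NAP reduction" vendor lookup. Added example, not the speaker's library."""
import re
from collections import namedtuple

# A BD_ADDR is 48 bits: NAP = upper 16, UAP = next 8, LAP = lower 24.
# Passive baseband capture nearly always yields the LAP, sometimes the UAP
# (from the HEC on packets that carry a payload) and almost never the NAP.
BDAddr = namedtuple("BDAddr", "nap uap lap")

_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")


def parse_bdaddr(text):
    """Split 'NN:NN:UU:LL:LL:LL' into (nap, uap, lap), all upper-case hex."""
    if not _ADDR_RE.match(text):
        raise ValueError("bad Bluetooth address: %r" % text)
    octets = text.upper().split(":")
    return BDAddr(":".join(octets[:2]), octets[2], ":".join(octets[3:]))


def parse_manuf(text):
    """Parse Wireshark manuf-style lines 'OUI<TAB>short<TAB>long' into
    {oui: long_name}. Comment lines (#) and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        table[fields[0].upper()] = fields[-1]
    return table


def get_vendor(addr, manuf):
    """Full lookup: needs NAP and UAP, i.e. the whole OUI (top three octets).
    Returns None when the OUI is not in the table."""
    bd = parse_bdaddr(addr)
    return manuf.get(bd.nap + ":" + bd.uap)


def get_vendors(uap, manuf):
    """NAP reduction: with only the UAP known, keep every OUI whose third
    octet equals it. Returns a sorted list of (nap, vendor) candidates, the
    list an analyst then narrows by knowing which device was in the room."""
    uap = uap.upper()
    hits = [(oui[:5], vendor) for oui, vendor in manuf.items() if oui[6:8] == uap]
    return sorted(hits)


# Constructed manuf excerpt for this example; not a real vendor list.
SAMPLE_MANUF = """\
# constructed excerpt, not real OUI assignments
00:11:93\tVendorA\tVendor A Corp.
00:1E:93\tVendorB\tVendor B Ltd.
00:25:93\tVendorA\tVendor A Corp.
00:50:F2\tVendorC\tVendor C Inc.
C4:2C:03\tVendorD\tVendor D GmbH
"""


def demo():
    """Constructed capture address: first with the NAP known, then reduced."""
    manuf = parse_manuf(SAMPLE_MANUF)
    bd = parse_bdaddr("00:25:93:4A:5B:6C")
    full = get_vendor("00:25:93:4A:5B:6C", manuf)   # NAP known: one vendor
    candidates = get_vendors(bd.uap, manuf)        # NAP unknown: short list
    return bd, full, candidates


if __name__ == "__main__":
    print(demo())
```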