
War Room

Spawning Shells Over Bluetooth

September 7, 2015 By Spencer

Lately, unique remote access techniques have become more commonly discussed. Most are payloads that beacon over some protocol, using space within it that can be re-used for nefarious purposes (think HTTP). Others use more obscure protocols that may not rely on TCP/IP at all. These have the added advantage of being able to communicate more quickly than the low-and-slow beaconing payloads while still being difficult to detect.

This post will outline a simple technique that can be used to maintain a shell with a full PTY on a compromised Linux host with Bluetooth. A simple pseudo-serial connection can be created over Bluetooth using the common RFCOMM protocol. The Linux Bluetooth stack, BlueZ, supports this, and it can be used for bind shells similar to common netcat listeners. At the end of this post is the code to a Proof-of-Concept script in Python which makes use of the PyBluez package. The script need only be executed on a system after an attacker has paired their Bluetooth device, and it will spawn an RFCOMM socket listener.

[Figure: Bluetooth shell server having received a connection]

[Figure: Bluetooth terminal client running on Android]

The applicable Bluetooth service must be running, and the script must be executed as root in order to listen on an RFCOMM socket for connections. By default the script listens on channel 1 and, on connection, forks a process that spawns a shell with a PTY. The PTY support allows full terminal emulation, unlike scripts that merely enter a read-execute loop, which breaks commands that expect to read from STDIN (such as sudo). The Android BlueTerm application is compatible with this technique, though some third-party keyboards seem to cause issues. While within range, the attacker can open BlueTerm and connect to the target system where the script is running. After the terminal client disconnects, the script waits for a new connection, so the attacker can exit and return as desired.
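For the defender's side of this, here is an added example (not the post's PoC script and not RSM's code) that reads the kernel's RFCOMM socket table from debugfs, /sys/kernel/debug/bluetooth/rfcomm, and flags listening sockets and attached sessions, which is exactly what a bind shell of this kind looks like between and during sessions. It assumes the table's "src dst state channel" line layout and the kernel's BT_* state numbering (BT_LISTEN = 4), both recalled from the kernel source and to be checked against the running kernel; the sample table is constructed.

```python
import os
import re
from collections import namedtuple

# Socket states as numbered in the kernel's include/net/bluetooth/bluetooth.h
# (BT_CONNECTED = 1 ... BT_CLOSED = 9); assumed here, verify against your kernel tree.
BT_CONNECTED, BT_LISTEN = 1, 4
STATE_NAMES = {1: "CONNECTED", 2: "OPEN", 3: "BOUND", 4: "LISTEN", 5: "CONNECT",
               6: "CONNECT2", 7: "CONFIG", 8: "DISCONN", 9: "CLOSED"}

# debugfs table written by the kernel's rfcomm socket code; needs root and a mounted debugfs.
RFCOMM_DEBUGFS = "/sys/kernel/debug/bluetooth/rfcomm"
# Assumed line layout: "<src bdaddr> <dst bdaddr> <state> <channel>"
LINE_RE = re.compile(r"^([0-9a-f:]{17})\s+([0-9a-f:]{17})\s+(\d+)\s+(\d+)$", re.I)
BDADDR_ANY = "00:00:00:00:00:00"
RfcommSocket = namedtuple("RfcommSocket", "src dst state channel")

def parse_rfcomm_table(text):
    """Parse the debugfs table, skipping any line that does not fit the layout."""
    socks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            socks.append(RfcommSocket(m.group(1).lower(), m.group(2).lower(),
                                      int(m.group(3)), int(m.group(4))))
    return socks

def find_listeners(socks):
    """Sockets in BT_LISTEN: where a bind shell waits for the next terminal client."""
    return [s for s in socks if s.state == BT_LISTEN]

def find_sessions(socks):
    """Accepted connections: a remote address in BT_CONNECTED means someone is attached."""
    return [s for s in socks if s.state == BT_CONNECTED and s.dst != BDADDR_ANY]

def report(text):
    """Human-readable lines for listeners first, then attached sessions."""
    socks = parse_rfcomm_table(text)
    return [f"{STATE_NAMES.get(s.state, s.state)} channel {s.channel} {s.src} <- {s.dst}"
            for s in find_listeners(socks) + find_sessions(socks)]

# Constructed sample: a listener on channel 1 and one accepted session from a phone.
SAMPLE = ("00:00:00:00:00:00 00:00:00:00:00:00 4 1\n"
          "11:22:33:44:55:66 aa:bb:cc:dd:ee:ff 1 1\n")

if __name__ == "__main__":  # read the live table when available, else the sample
    text = open(RFCOMM_DEBUGFS).read() if os.path.exists(RFCOMM_DEBUGFS) else SAMPLE
    print("\n".join(report(text)) or "no RFCOMM listeners or sessions")
```

Any listener reported on a host that has no legitimate serial-port service, or a session from an address that was never deliberately paired, is worth investigating; the pairing itself is the precondition the post names, so the paired-device list is the other place to look.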


Next time on Shells with Spencer we’ll outline opening a meterpreter session over a Bluetooth RFCOMM socket.
