Lately, unusual remote access techniques have become more commonly discussed. Most are payloads that beacon over some protocol, using space within it that can be re-used for nefarious purposes (think HTTP). Others use more obscure protocols that may not rely on TCP/IP at all. These have the added advantage of being able to communicate more quickly than some of the low-and-slow beaconing payloads while still being difficult to detect.
This post will outline a simple technique that can be used to maintain a shell with a full PTY on a compromised Linux host with Bluetooth. A simple pseudo-serial connection can be created with Bluetooth using the common RFCOMM protocol. The Linux Bluetooth stack Bluez supports this, and it can be used for binding shells similar to common netcat listeners. At the end of this post is the code to a Proof-of-Concept script in Python which makes use of the PyBluez package. The script need only be executed on a system after an attacker has paired their Bluetooth device, and it will spawn an RFCOMM socket listener.
The applicable Bluetooth service must be running, and the script must be executed as root in order to listen on an RFCOMM socket for connections. The script, by default, listens on Channel 1 for a connection and forks a process that spawns a shell with a PTY. The PTY support allows terminal emulation, unlike scripts that merely enter a read-execute loop, which causes issues with commands expecting to read from STDIN (such as sudo). The Android BlueTerm application is compatible with this technique. It is important to note, however, that some third-party keyboards seem to cause issues. While within range, the attacker can open the BlueTerm application and connect to the target system where the aforementioned script is running. After the terminal client has disconnected from the session, the script will wait for a new connection, allowing the attacker to exit and return as desired.
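A defender-side counterpart to the procedure above, written as an added example for this article (it is not the Proof-of-Concept script the post describes): it parses the output of `bluetoothctl paired-devices` and `sdptool browse local` to flag the two preconditions the technique relies on, a paired device that is not on an allowlist and an RFCOMM service channel registered on the local adapter. The allowlist, the expected-channel set and all sample command output are constructed; a listener that never registers an SDP record will not appear in `sdptool browse local`, so the pairing check is the more dependable of the two.

```python
import re
import shutil
import subprocess

# Constructed allowlist of paired devices; populate from the asset inventory.
KNOWN_DEVICES = {"AA:BB:CC:DD:EE:01"}
# RFCOMM channels this host legitimately registers (constructed: none expected).
EXPECTED_CHANNELS = set()
DEVICE_RE = re.compile(r"^Device ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}) (.*)$")

def unknown_paired_devices(paired_output, known=KNOWN_DEVICES):
    """Parse `bluetoothctl paired-devices` ('Device <addr> <name>' per line);
    pairing is a prerequisite of the technique, so flag any address not allowlisted."""
    unknown = []
    for line in paired_output.splitlines():
        m = DEVICE_RE.match(line.strip())
        if m and m.group(1).upper() not in known:
            unknown.append((m.group(1).upper(), m.group(2)))
    return unknown

def rfcomm_channels(sdp_output):
    """Parse `sdptool browse local` into {channel: service name} for every
    record whose protocol descriptor list contains RFCOMM."""
    records, pending, name, in_rfcomm = {}, None, None, False
    for line in sdp_output.splitlines():
        s = line.strip()
        if s.startswith("Service Name:"):
            pending = s.split(":", 1)[1].strip()
        elif s.startswith("Service RecHandle:"):  # present in every record
            name, pending, in_rfcomm = pending or "<unnamed>", None, False
        elif s.startswith('"RFCOMM"'):
            in_rfcomm = True
        elif s.startswith("Channel:") and in_rfcomm:
            records[int(s.split(":", 1)[1])] = name or "<unnamed>"
    return records

def unexpected_channels(records, expected=EXPECTED_CHANNELS):
    """Keep only RFCOMM channels that are not on the expected list."""
    return {ch: n for ch, n in records.items() if ch not in expected}

def run_audit():
    """Run both checks on the live host; tools that are not installed yield empty output."""
    def out(cmd):
        return subprocess.run(cmd, capture_output=True, text=True).stdout if shutil.which(cmd[0]) else ""
    return {
        "bluetooth_service": out(["systemctl", "is-active", "bluetooth"]).strip(),
        "unknown_paired": unknown_paired_devices(out(["bluetoothctl", "paired-devices"])),
        "unexpected_rfcomm": unexpected_channels(rfcomm_channels(out(["sdptool", "browse", "local"]))),
    }

if __name__ == "__main__":
    print(run_audit())
```

Any non-empty `unknown_paired` or `unexpected_rfcomm` entry on a host that should not be pairing with anything is worth investigating, as is a `bluetooth_service` of `active` on servers with no Bluetooth use case.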
Next time on Shells with Spencer we’ll outline opening a meterpreter session over a Bluetooth RFCOMM socket.