German | English
n.runs AG - Company
 
 
n.runs AG
Services by n.runs
IT INFRASTRUCTURE
IT SECURITY
IT BUSINESS CONSULTING

n.runs AG
Nassauer Straße 60
D-61440 Oberursel
Phone: +49 (0) 6171/699-0
Fax: +49 (0) 6171/699-199
E-mail: contact@nruns.com
Imprint

.Security Tools - BTcrack 1.1

Introduction
BTCrack is the worlds first Bluetooth Pass phrase (PIN) bruteforce tool, BTCrack will bruteforce the Passkey and the Link key from captured Pairing* exchanges.

To capture the pairing data it is necessary to have a Professional Bluetooth Analyzer : FTE (BPA 100, BPA 105, others), Merlin OR to know how to flash a CSR based consumer USB dongle with special firmware.

Example of an aAttack scenario :

  1. Attacker reconstructs BD_ADDR of both Master and Slave through passive (reconstructing through a preamble sniff, even when the device is in hidden mode) or active means (redfang)
  2. Attacker changes his BD_ADDR to the one of the Slave device
  3. Attacker asks to pair with the Master indicating it has no key, the Master will more then often trash the old pairing data and request a new link key from the genuine slave
  4. Attacker now captures the key (pairing) exchange taking place between the two devices as the users try to re-establish a connection
  5. Attacker exports data to CSV format and imports into BTCrack
  6. Attacker can now compromise Master and Slave Bluetooth device through usage of the cracked Linkkey and is able to decrypt the data transmitted between the bluetooth devices


Why the PIN is not so important
An Attacker will focus on recovering the Linkkey and not the PIN, here's why :

  • The Link-key allows remote connections without the victim noticing
  • The Link-key allows and attacker to connect to devices in non-pairing mode and non discoverable mode
  • The Link-key allows decryption of the data

History :

  • Olly Whitehouse - 2003
    Presented theoretic weaknesses in the Implementation of the Pairing exchange
  • Shaked and Wool - 2005
    Present their logic to break pairing exchanges and implement it in Private
  • Thierry Zoller - 2006
    First public release of a complete optimized Implementation of the Shaked and Wool logic. Optimisation done by Erik Sesterhenn.
  • David Hulton / Thierry Zoller - 2007
    Worlds first FPGA based Implementation

Screenshots :

btcrack

Speed Comparison :

P4 2Ghz - Dual Core     200.000 keys/sec
FPGA E12 @ 50Mhz  7.600.000 keys/sec
FPGA E12 @ 75Mhz 10.000.000 keys/sec
FPGA E14 30.000.000 keys/sec

Known issues :
[+] Frontline 6.0 mixes Master & Slave Addresses

Changes :
1.0 First release
1.1 Intermediate Release
    »  E12 + E14 FPGA Support ( http://www.picocomputing.com)
    »  Splash Screen
    »  Process Priority
    »  Speed increase (+15%)

Downloads :

Be alerted to News, Tools and Whitepapers by signing up to the n.runs Newsletter
Penetration Test
 

5. January 2010:
press release
German Consulting Specialist n.runs AG expands their portfolio with an “On Demand” Penetration Testing Platform in cooperation with Indian Supplier iViZ Security

* * *



11. December 2009:
Corporate News
New n.runs Supervisory Board Elected
+++ New Supervisory Board is confirmed at the 2009 Annual Shareholder Meeting
+++ Günther Paul Löw is chosen as the Chairman of the Supervisory Board
+++ Ralph-Peter Quetz is chosen as the Vice Chairman

* * *



4. September 2009:
Corporate News
n.runs publishes 2008 Annual Report
Revenues increase by 22 Percent to EUR 6,70 Million +++ EBIT improves by EUR 0,21 Million to EUR -0,80 Millionen +++ Concentration on profitable Consulting Business

* * *

27 February 2009:
Corporate News
n.runs makes capital increase placement
+++ Subscribed capital increased by 8.7 percent
+++ Funds inflow to be used for reorganization and further growth in consulting
+++ Spin-off of the software solution aps-AV® planned

* * *

17 Dec 2008:
Advisory: Opera HTML parsing flaw lead to remote code execution 
* * *

27 Oct 2008:
Advisory: Eaton MGE OPS Network Shutdown Moduleauthentication bypass and code execution

* * *

21 Oct 2008:
Advisory: Internet Explorer HTML Object Memory Corruption

* * *

30 September 2008:
Corporate News
Figures from the first half of 2008 confirm expansion
+++ Revenues increase by around 30 percent to EUR 3.32m EBITDA improved
+++ by EUR 0.27m to EUR -0.35m Profit impacted by software investments,
+++ consulting profitable Outlook 2008

* * *

17 Sep 2008:
Corporate News
Microsoft selects n.runs as a member of the new program Microsoft Secure Development Lifecycle Pro Network
+++ n.runs AG exclusive member of Microsoft SDL Pro Network
+++ Only member of the MS SDL Pro Network on the European mainland
+++ Medium-term contribution to revenues in excess of 10 percent planned
* * *

10 Sep 2008:
Advisory alert:
Cross-Site Scripting Filter Evasion in various frameworks

* * *

10 Sep 2008:
Advisory alert: 
Horde Framework Cross-Site Scripting in filename MIME attachments

* * *

26 Aug 2008:
Press-release
IT Security for Governments and Military Organizations:
n.runs and Thales Now Co-operating

* * *

25 Aug 2008:
Press-release
Growing threat:
serious attacks on E-Mail-/AV systems constantly increasing n.runs introduces aps-AV – Protective cover for antivirus software