Bluescan – A powerful Bluetooth scanner for scanning BR/LE devices, LMP, SDP, GATT and vulnerabilities!

Bluescan is an open source project by Sourcell Xu from DBAPP Security HatLab. Anyone may redistribute copies of bluescan to anyone under the terms stated in the GPL-3.0 license.

Aren't the previous Bluetooth scanning tools scattered and in disrepair? So we have this powerful Bluetooth scanner based on modern Python 3: bluescan.

When hacking new Bluetooth targets, the scanner can help us collect intelligence, such as:

  • BR devices
  • LE devices
  • LMP features
  • GATT services
  • SDP services
  • Vulnerabilities (demo)

Requirements

This tool is based on BlueZ, the official Linux Bluetooth stack. The following packages need to be installed:

sudo apt install libglib2.0-dev libbluetooth-dev

When you run this tool in a Linux virtual machine, making a USB Bluetooth adapter exclusive to it is recommended, like the Ostran Bluetooth USB Adapter OST-105 CSR 8150 v4.0 for 99 RMB. Of course, the best one to use is the slightly more expensive Parani UD100-G03, 560 RMB. And if you want to try the vulnerability scanning, see the README.md of ojasookert/CVE-2017-0785.

Install

The latest bluescan is uploaded to PyPI, so the following command installs bluescan:

sudo pip3 install bluescan

Usage

$ bluescan -h
bluescan v0.2.1

A powerful Bluetooth scanner.

Author: Sourcell Xu from DBAPP Security HatLab.

License: GPL-3.0

Usage:
    bluescan (-h | --help)
    bluescan (-v | --version)
    bluescan [-i <hcix>] -m br [--inquiry-len=<n>]
    bluescan [-i <hcix>] -m lmp BD_ADDR
    bluescan [-i <hcix>] -m sdp BD_ADDR
    bluescan [-i <hcix>] -m le [--timeout=<sec>] [--le-scan-type=<type>] [--sort=<key>]
    bluescan [-i <hcix>] -m gatt [--include-descriptor] --addr-type=<type> BD_ADDR
    bluescan [-i <hcix>] -m vuln --addr-type=br BD_ADDR

Arguments:
    BD_ADDR    Target Bluetooth device address

Options:
    -h, --help                  Display this help.
    -v, --version               Show the version.
    -i <hcix>                   HCI device for scan. [default: hci0]
    -m <mode>                   Scan mode, support BR, LE, LMP, SDP, GATT and vuln.
    --inquiry-len=<n>           Inquiry_Length parameter of HCI_Inquiry command. [default: 8]
    --timeout=<sec>             Duration of LE scan. [default: 10]
    --le-scan-type=<type>       Active or passive scan for LE scan. [default: active]
    --sort=<key>                Sort the discovered devices by key, only support RSSI now. [default: rssi]
    --include-descriptor        Fetch descriptor information.
    --addr-type=<type>          Public, random or BR.

Scan BR devices -m br

Classic Bluetooth devices may use three technologies: BR (Basic Rate), EDR (Enhanced Data Rate), and AMP (Alternate MAC/PHY). Since they all belong to the Basic Rate system, when scanning these devices we call it BR device scanning:

As shown above, by BR device scanning we can get the address, page scan repetition mode, class of device, clock offset, RSSI, and the extended inquiry response (name, TX power, etc.) of the surrounding classic Bluetooth devices.

Scan LE devices -m le

Bluetooth technology, in addition to the Basic Rate system, has the Low Energy (LE) system. Scanning Bluetooth Low Energy devices is called LE device scanning:

As shown above, through LE device scanning we can get the address, address type, connection status, RSSI, and GAP data of the surrounding LE devices.
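The extended inquiry response from a BR scan and the GAP advertising data from an LE scan share one wire format: a sequence of AD structures, each a length byte, an AD type byte and the data. The parser below is an added example (not bluescan's own code) that decodes a constructed advertisement into the name, TX power, flags and service UUIDs the scan output lists; the sample bytes and helper names are assumptions made here.

```python
import struct

# AD/EIR type codes from the Bluetooth Assigned Numbers (subset).
AD_TYPE_NAMES = {0x01: "Flags", 0x02: "Incomplete 16-bit UUIDs",
                 0x03: "Complete 16-bit UUIDs", 0x08: "Shortened Local Name",
                 0x09: "Complete Local Name", 0x0A: "TX Power Level",
                 0xFF: "Manufacturer Specific Data"}
FLAG_BITS = {0: "LE Limited Discoverable", 1: "LE General Discoverable",
             2: "BR/EDR Not Supported",
             3: "Simultaneous LE and BR/EDR (Controller)",
             4: "Simultaneous LE and BR/EDR (Host)"}

def decode_ad(ad_type: int, data: bytes):
    """Decode one AD structure's data field according to its type."""
    if ad_type == 0x01:
        flags = data[0] if data else 0
        return [d for bit, d in FLAG_BITS.items() if flags & (1 << bit)]
    if ad_type in (0x02, 0x03):  # 16-bit UUIDs are little-endian
        return [f"0x{u:04X}" for (u,) in struct.iter_unpack("<H", data)]
    if ad_type in (0x08, 0x09):
        return data.decode("utf-8", errors="replace")
    if ad_type == 0x0A:  # signed dBm
        return struct.unpack("<b", data[:1])[0]
    return data.hex()

def parse_ad_structures(payload: bytes) -> dict:
    """Walk <length><type><data> structures; a zero length ends EIR padding."""
    result, i = {}, 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        if i + 1 + length > len(payload):
            raise ValueError(f"truncated AD structure at offset {i}")
        ad_type = payload[i + 1]
        name = AD_TYPE_NAMES.get(ad_type, f"Unknown (0x{ad_type:02X})")
        result[name] = decode_ad(ad_type, payload[i + 2:i + 1 + length])
        i += 1 + length
    return result

# Constructed sample (not a real capture): flags, name "BLUE", TX power -12 dBm,
# Battery (0x180F) and Device Information (0x180A) UUIDs, zero padded like EIR.
SAMPLE_ADV = bytes([0x02, 0x01, 0x06,
                    0x05, 0x09, 0x42, 0x4C, 0x55, 0x45,
                    0x02, 0x0A, 0xF4,
                    0x05, 0x03, 0x0F, 0x18, 0x0A, 0x18]) + b"\x00" * 8
if __name__ == "__main__":
    for key, value in parse_ad_structures(SAMPLE_ADV).items():
        print(f"{key}: {value}")
```

The truncation check matters on real scans: a malformed length byte must not read past the buffer.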

Scan SDP services

Classic Bluetooth devices tell the outside world about their open services through SDP. After SDP scanning, we can get the service records of the specified classic Bluetooth device:

You can try to connect to these services for further hacking.

Scan LMP features

Detecting the LMP features of classic Bluetooth devices allows us to determine the basic security features of the classic Bluetooth device:

Scan GATT services

LE devices tell the outside world about their open services through GATT. After GATT scanning, we can get the GATT services of the specified LE device. You can try to read and write these GATT data for further hacking:

Vulnerability scanning (demo)

Vulnerability scanning is still in the demo stage, and currently only supports CVE-2017-0785:

$ sudo bluescan -m vuln --addr-type=br ??:??:??:??:??:??
... ...
CVE-2017-0785 

More at: https://github.com/fO-000/bluescan

The post Bluescan – A powerful Bluetooth scanner for scanning BR/LE devices, LMP, SDP, GATT and vulnerabilities! appeared first on Hakin9 – IT Security Magazine.
