bluescan v0.5 releases: A powerful Bluetooth scanner
bluescan —- A powerful Bluetooth scanner
bluescan is a open source project by Sourcell Xu from DBAPP Security HatLab. Anyone may redistribute copies of bluescan to anyone under the terms stated in the GPL-3.0 license.
Aren’t the previous Bluetooth scanning tools scattered and in disrepair? So we have this powerful Bluetooth scanner based on modern Python 3 —- bluescan.
When hacking new Bluetooth targets, the scanner can help us to collect intelligence, such as:
- BR devices
- LE devices
- LMP features
- GATT services
- SDP services
- Vulnerabilities (demo)
This tool is based on BlueZ, the official Linux Bluetooth stack. The following packages need to be installed:
sudo apt install libglib2.0-dev libbluetooth-dev
When you play this tool in a Linux virtual machine, connecting a USB Bluetooth adapter using a Broadcom or CSR chip is recommended, like the Ostran Bluetooth USB Adapter OST-105 CSR 8150 v4.0. And if you want to try the vulnerability scanning, see README.md of ojasookert/CVE-2017-0785.
- Added SMP Pairing features scanning.
- Fixed “struct error” when parsing HCI_Inquiry_Result event. (issue #9 by @project-jj)
- Improved LE device scanning.
The lastest bluescan will be uploaded to PyPI, so the following command can install bluescan:
sudo pip3 install bluescan
Scan BR devices
Classic Bluetooth devices may use three technologies: BR (Basic Rate), EDR (Enhanced Data Rate), and AMP (Alternate MAC/PHY). Since they all belong to the Basic Rate system, so when scanning these devices we call them BR device scanning:
As shown above, through BR device scanning, we can get the address, name, device type, and RSSI of the surrounding classic Bluetooth devices.
Scan LE devices
Bluetooth technology, in addition to the Basic Rate system, is Low Energy (LE) system. When scanning Bluetooth low energy devices, it is called LE device scanning:
As shown above, through LE device scanning, we can get the address, address type, connection status, RSSI, and GAP data of the surrounding LE devices.
Scan SDP services
Classic Bluetooth devices tell the outside world about their open services through SDP. After SDP scanning, we can get service records of the specified classic Bluetooth device:
You can try to connect to these services for further hacking.
Scan LMP features
Detecting the LMP features of classic Bluetooth devices allows us to judge the underlying security features of the classic Bluetooth device:
Scan GATT services
LE devices tell the outside world about their open services through GATT. After GATT scanning, we can get the GATT service of the specified LE device. You can try to read and write these GATT data for further hacking:
Vulnerabilities scanning (demo)
Vulnerability scanning is still in the demo stage, and currently only supports CVE-2017-0785:
Copyright (C) 2020 fO-000