Bluescan - A Powerful Bluetooth Scanner For Scanning BR/LE Devices, LMP, SDP, GATT And Vulnerabilities!

Bluescan is a open source project by Sourcell Xu from DBAPP Security HatLab. Anyone may redistribute copies of bluescan to anyone under the terms stated in the GPL-3.0 license.

This document is also available in Chinese. See README-Chinese.md

Aren't the previous Bluetooth scanning tools scattered and in disrepair? So we have this powerful Bluetooth scanner based on modern Python 3 ---- bluescan.
When hacking new Bluetooth targets, the scanner can help us to collect intelligence, such as:

• BR devices
• LE devices
• LMP features
• GATT services
• SDP services
• Vulnerabilities (demo)

Requirements
This tool is based on BlueZ, the official Linux Bluetooth stack. The following packages need to be installed:

sudo apt install libglib2.0-dev libbluetooth-dev

When you play this tool in a Linux virtual machine, making a USB Bluetooth adapter exclusive to it is recommended, like the Ostran Bluetooth USB Adapter OST-105 CSR 8150 v4.0 for 99 RMB. Of course, the best one to use is the little bit expensive Parani UD100-G03, 560 RMB. And if you want to try the vulnerability scanning, see README.md of ojasookert/CVE-2017-0785.

Install
The lastest bluescan will be uploaded to PyPI, so the following command can install bluescan:

sudo pip3 install bluescan

Usage

$ bluescan -h  bluescan v0.2.1    A powerful Bluetooth scanner.    Author: Sourcell Xu from DBAPP Security HatLab.    License: GPL-3.0    Usage:      bluescan (-h | --help)      bluescan (-v | --version)      bluescan [-i <hcix>] -m br [--inquiry-len=<n>]      bluescan [-i <hcix>] -m lmp BD_ADDR      bluescan [-i <hcix>] -m sdp BD_ADDR      bluescan [-i <hcix>] -m le [--timeout=<sec>] [--le-scan-type=<type>] [--sort=<key>]      bluescan [-i <hcix>] -m gatt [--include-descriptor] --addr-type=<type> BD_ADDR      bluescan [-i <hcix>] -m vuln --addr-type=br BD_ADDR    Arguments:      BD_ADDR    Target Bluetooth device address    Options:      -h, --help                  Display this help.      -v, --version               Show the version.      -i <hcix>                   HCI device for scan. [default: hci0]      -m <mode>                   Scan mode, support BR, LE, LMP, SDP, GATT and vuln.      --inquiry-len=<n>           Inquiry_Length parameter of HCI_Inquiry command. [default: 8]      --timeout=<sec>             Duration of LE scan. [default: 10]      --le-scan-type=<type>       Active or passive scan for LE scan. [default: active]      --sort=<key>                Sort the discovered devices by key, only support RSSI now. [default: rssi]      --include-descriptor        Fetch descriptor information.      --addr-type=<type>          Public, random or BR.  

Scan BR devices -m br
Classic Bluetooth devices may use three technologies: BR (Basic Rate), EDR (Enhanced Data Rate), and AMP (Alternate MAC/PHY). Since they all belong to the Basic Rate system, so when scanning these devices we call them BR device scanning:

As shown above, through BR device scanning, we can get the address, page scan repetition mode, class of device, clock offset, RSSI, and the extended inquiry response (Name, TX power, and so on) of the surrounding classic Bluetooth devices.

Scan LE devices -m le
Bluetooth technology, in addition to the Basic Rate system, is Low Energy (LE) system. When scanning Bluetooth low energy devices, it is called LE device scanning:

As shown above, through LE device scanning, we can get the address, address type, connection status, RSSI, and GAP data of the surrounding LE devices.

Scan SDP services
Classic Bluetooth devices tell the outside world about their open services through SDP. After SDP scanning, we can get service records of the specified classic Bluetooth device:

You can try to connect to these services for further hacking.

Scan LMP features
Detecting the LMP features of classic Bluetooth devices allows us to judge the underlying security features of the classic Bluetooth device:

Scan GATT services
LE devices tell the outside world about their open services through GATT. After GATT scanning, we can get the GATT service of the specified LE device. You can try to read and write these GATT data for further hacking:

Vulnerabilities scanning (demo)
Vulnerability scanning is still in the demo stage, and currently only supports CVE-2017-0785:

$ sudo bluescan -m vuln --addr-type=br ??:??:??:??:??:??  ... ...  CVE-2017-0785  

Download Bluescan

via KitPloit

This article is the property of Tenochtitlan Offensive Security. Verlo Completo --> https://tenochtitlan-sec.blogspot.com

Continue reading

• Hacking Tools 2020
• Hacker
• Hack Tools For Ubuntu
• Hacking Tools
• Hacking Tools For Games
• Hak5 Tools
• Tools Used For Hacking
• Hacker Tools For Pc
• Underground Hacker Sites
• Pentest Tools For Windows
• Hacking Tools For Mac
• Install Pentest Tools Ubuntu
• Hacker Tools Mac
• Hacking Tools Free Download
• Pentest Tools Linux
• Hack Apps
• Pentest Tools Free
• Hacker Tools For Mac
• Pentest Tools Windows
• Hacks And Tools
• Hacking Tools Mac
• Hacker Tools For Ios
• Pentest Tools Download
• Ethical Hacker Tools
• Beginner Hacker Tools
• Pentest Recon Tools
• Hacker Tools
• Hacker Tools Free
• Hack Website Online Tool
• Game Hacking
• Hack Tools Pc
• Pentest Tools Free
• Hack Tools For Windows
• Hacker Tools 2020
• Hacker Search Tools
• Hacker Tools For Pc
• Kik Hack Tools
• Best Hacking Tools 2020
• Easy Hack Tools
• Hack Website Online Tool
• Pentest Tools Review
• Pentest Tools Linux
• Ethical Hacker Tools
• Hack Rom Tools
• Hack Rom Tools
• How To Install Pentest Tools In Ubuntu
• Hack Tools Mac
• Hackers Toolbox
• Hacker Tools
• How To Make Hacking Tools
• Hacking Tools 2019
• Pentest Tools For Windows
• Hacker Tools List
• Hacking Tools 2020
• Pentest Tools For Android
• Hacker Hardware Tools
• Pentest Tools Review
• Hacking Tools
• Pentest Tools Website Vulnerability
• Pentest Tools Subdomain
• Top Pentest Tools
• Hack Website Online Tool
• Hacking Tools Hardware
• Pentest Tools Kali Linux
• Hacker Tools For Mac
• Hacking Tools For Windows Free Download
• Hacking App
• Hacking Tools For Games
• Pentest Tools Subdomain
• Nsa Hacker Tools
• Hack Tools
• Nsa Hacker Tools
• Beginner Hacker Tools
• Hacker Tools List
• Pentest Tools Website Vulnerability
• Hacking Apps
• Pentest Tools List
• Hacker Tools For Mac
• Hacking Tools Online
• Hacking Tools For Windows 7
• Hack Tool Apk No Root
• Growth Hacker Tools
• Ethical Hacker Tools
• Pentest Tools Open Source
• What Are Hacking Tools
• Ethical Hacker Tools
• Hack App
• Underground Hacker Sites
• Hacking App
• Hack Tools Download
• What Is Hacking Tools
• Ethical Hacker Tools
• Hacker Tools Linux
• Pentest Tools Windows
• Pentest Tools Windows
• New Hack Tools
• Pentest Tools Subdomain
• Hacking Tools For Windows Free Download
• Hackrf Tools
• Hacker Hardware Tools
• Hackers Toolbox
• Hacker Hardware Tools
• Hacking Tools Windows 10
• New Hack Tools
• Growth Hacker Tools
• Easy Hack Tools
• Hacking Tools For Windows Free Download
• Pentest Tools Online
• Pentest Tools For Android
• Hacker
• Hacker Tools Github
• Hack Tools
• Hacker Tools Free
• Pentest Tools Find Subdomains
• Hacker
• Pentest Tools Port Scanner
• Pentest Tools Online
• Hack And Tools
• Hack Tool Apk
• Nsa Hack Tools
• Hack Tools For Ubuntu
• Pentest Tools Bluekeep
• Pentest Tools For Mac
• Hacker Security Tools
• Kik Hack Tools
• Pentest Tools Download
• Pentest Tools Nmap
• Hack Tool Apk
• Pentest Tools For Windows
• Top Pentest Tools
• Hack And Tools
• Hacking Tools Name
• Hacker Tools Linux
• Pentest Tools Download