Bluescan - A Powerful Bluetooth Scanner For Scanning BR/LE Devices, LMP, SDP, GATT And Vulnerabilities!

Bluescan is a open source project by Sourcell Xu from DBAPP Security HatLab. Anyone may redistribute copies of bluescan to anyone under the terms stated in the GPL-3.0 license.

This document is also available in Chinese. See README-Chinese.md

Aren't the previous Bluetooth scanning tools scattered and in disrepair? So we have this powerful Bluetooth scanner based on modern Python 3 ---- bluescan.
When hacking new Bluetooth targets, the scanner can help us to collect intelligence, such as:

• BR devices
• LE devices
• LMP features
• GATT services
• SDP services
• Vulnerabilities (demo)

Requirements
This tool is based on BlueZ, the official Linux Bluetooth stack. The following packages need to be installed:

sudo apt install libglib2.0-dev libbluetooth-dev

When you play this tool in a Linux virtual machine, making a USB Bluetooth adapter exclusive to it is recommended, like the Ostran Bluetooth USB Adapter OST-105 CSR 8150 v4.0 for 99 RMB. Of course, the best one to use is the little bit expensive Parani UD100-G03, 560 RMB. And if you want to try the vulnerability scanning, see README.md of ojasookert/CVE-2017-0785.

Install
The lastest bluescan will be uploaded to PyPI, so the following command can install bluescan:

sudo pip3 install bluescan

Usage

$ bluescan -h  bluescan v0.2.1    A powerful Bluetooth scanner.    Author: Sourcell Xu from DBAPP Security HatLab.    License: GPL-3.0    Usage:      bluescan (-h | --help)      bluescan (-v | --version)      bluescan [-i <hcix>] -m br [--inquiry-len=<n>]      bluescan [-i <hcix>] -m lmp BD_ADDR      bluescan [-i <hcix>] -m sdp BD_ADDR      bluescan [-i <hcix>] -m le [--timeout=<sec>] [--le-scan-type=<type>] [--sort=<key>]      bluescan [-i <hcix>] -m gatt [--include-descriptor] --addr-type=<type> BD_ADDR      bluescan [-i <hcix>] -m vuln --addr-type=br BD_ADDR    Arguments:      BD_ADDR    Target Bluetooth device address    Options:      -h, --help                  Display this help.      -v, --version               Show the version.      -i <hcix>                   HCI device for scan. [default: hci0]      -m <mode>                   Scan mode, support BR, LE, LMP, SDP, GATT and vuln.      --inquiry-len=<n>           Inquiry_Length parameter of HCI_Inquiry command. [default: 8]      --timeout=<sec>             Duration of LE scan. [default: 10]      --le-scan-type=<type>       Active or passive scan for LE scan. [default: active]      --sort=<key>                Sort the discovered devices by key, only support RSSI now. [default: rssi]      --include-descriptor        Fetch descriptor information.      --addr-type=<type>          Public, random or BR.  

Scan BR devices -m br
Classic Bluetooth devices may use three technologies: BR (Basic Rate), EDR (Enhanced Data Rate), and AMP (Alternate MAC/PHY). Since they all belong to the Basic Rate system, so when scanning these devices we call them BR device scanning:

As shown above, through BR device scanning, we can get the address, page scan repetition mode, class of device, clock offset, RSSI, and the extended inquiry response (Name, TX power, and so on) of the surrounding classic Bluetooth devices.

Scan LE devices -m le
Bluetooth technology, in addition to the Basic Rate system, is Low Energy (LE) system. When scanning Bluetooth low energy devices, it is called LE device scanning:

As shown above, through LE device scanning, we can get the address, address type, connection status, RSSI, and GAP data of the surrounding LE devices.

Scan SDP services
Classic Bluetooth devices tell the outside world about their open services through SDP. After SDP scanning, we can get service records of the specified classic Bluetooth device:

You can try to connect to these services for further hacking.

Scan LMP features
Detecting the LMP features of classic Bluetooth devices allows us to judge the underlying security features of the classic Bluetooth device:

Scan GATT services
LE devices tell the outside world about their open services through GATT. After GATT scanning, we can get the GATT service of the specified LE device. You can try to read and write these GATT data for further hacking:

Vulnerabilities scanning (demo)
Vulnerability scanning is still in the demo stage, and currently only supports CVE-2017-0785:

$ sudo bluescan -m vuln --addr-type=br ??:??:??:??:??:??  ... ...  CVE-2017-0785  

Download Bluescan

via KitPloit

This article is the property of Tenochtitlan Offensive Security. Verlo Completo --> https://tenochtitlan-sec.blogspot.com

Continue reading

1. Pentest Tools Download
2. Pentest Tools Find Subdomains
3. Termux Hacking Tools 2019
4. Hacking Tools Pc
5. Pentest Tools Alternative
6. Hack Rom Tools
7. Game Hacking
8. Hacking Tools
9. Hack Tools For Pc
10. Hacking Tools For Windows Free Download
11. How To Hack
12. Pentest Tools Open Source
13. Pentest Tools Tcp Port Scanner
14. Hacking Tools Download
15. Hacker Tools For Pc
16. Nsa Hacker Tools
17. Pentest Tools Free
18. Hack App
19. Pentest Tools For Android
20. Hack Tools
21. Hacker Security Tools
22. Pentest Tools Subdomain
23. Best Hacking Tools 2020
24. Hacking Tools Usb
25. Hacking Tools For Windows
26. Pentest Tools
27. How To Install Pentest Tools In Ubuntu
28. Bluetooth Hacking Tools Kali
29. Pentest Tools Website Vulnerability
30. Pentest Tools Framework
31. Nsa Hack Tools Download
32. Free Pentest Tools For Windows
33. Hacking Tools For Windows
34. Hacking Tools For Kali Linux
35. Hacker Hardware Tools
36. Hacking Tools For Pc
37. Hackers Toolbox
38. Hacking Tools For Mac
39. Blackhat Hacker Tools
40. Pentest Tools Tcp Port Scanner
41. Black Hat Hacker Tools
42. Pentest Tools Apk
43. Game Hacking
44. Pentest Tools Website
45. Hacker Techniques Tools And Incident Handling
46. Termux Hacking Tools 2019
47. Hacker Tools Online
48. Hak5 Tools
49. Hacker Tools Windows
50. Hack Tools Mac
51. Hacking Tools For Windows Free Download
52. Hacker Tools Linux
53. Hacker Tools For Ios
54. Pentest Tools Website Vulnerability
55. Nsa Hacker Tools
56. Pentest Tools Android
57. Hack Tool Apk
58. Hak5 Tools
59. Hacker Tools Windows
60. Easy Hack Tools
61. World No 1 Hacker Software
62. Pentest Tools Find Subdomains
63. Computer Hacker
64. Pentest Tools Github
65. Hacking Tools Mac
66. Bluetooth Hacking Tools Kali
67. Pentest Tools Alternative
68. Hacking Tools Software
69. Pentest Tools Android
70. Pentest Tools Framework
71. Hacking Tools Pc
72. Hack Tools Github
73. New Hack Tools
74. Hacker Tools Hardware
75. Hack Tools For Games
76. Hack Rom Tools
77. Pentest Tools For Ubuntu
78. Bluetooth Hacking Tools Kali
79. Android Hack Tools Github
80. Hacker Tools 2020
81. What Are Hacking Tools
82. Hack Apps
83. Hacking Tools Windows
84. Hacking Tools Software
85. Hackrf Tools
86. Hacker Tools For Ios
87. Hacking Tools 2020
88. Hacking Tools For Beginners
89. Hackrf Tools
90. Hack Tools Download
91. Hacker Tools Free
92. Pentest Tools Tcp Port Scanner
93. Hack Tool Apk
94. Easy Hack Tools
95. Pentest Tools Subdomain
96. Hacker Tools Free Download
97. Pentest Tools For Ubuntu
98. Pentest Tools Website
99. Hacker Tools Online
100. Nsa Hacker Tools
101. Hacker Search Tools
102. Hacking Tools Free Download
103. Hack Tools For Windows
104. Hacker Tools Github
105. Blackhat Hacker Tools
106. Hacking Tools Name
107. Pentest Tools Open Source
108. Hacking App
109. Pentest Tools Bluekeep
110. Hacking Tools For Mac
111. Pentest Tools For Mac
112. Hack Tools Github
113. Pentest Automation Tools
114. Hacking Tools And Software
115. Hackers Toolbox
116. Hacking Tools Pc
117. Hacking Tools Mac
118. Hack Tool Apk
119. Kik Hack Tools
120. Hack Tools Github
121. Pentest Tools Bluekeep
122. Pentest Tools For Mac
123. Wifi Hacker Tools For Windows
124. Hacker Tools List