bluescan: A powerful Bluetooth scanner

Bluescan is one project open source by SAPcell Xu of the DBAPP Security HatLab team. 

When violating new Bluetooth targets, the scanner can help us gather information, such as:

  • BR devices
  • LE devices
  • LMP features
  • GATT services
  • SDP services
  • Vulnerabilities
Contents hide
Scan devices BR -m br
Scan devices LE -m le
SDP scanning services
LMP scan functions
Scanning GATT services
Vulnerability Scan (Demo)

System requirements

This it is based on BlueZ, the official Linux Bluetooth stack. The following packages must be installed:

sudo apt install libglib2.0-dev libbluetooth-dev

Installation

sudo pip3 install bluescan

Use



Scanning BR devices -m br


Classic Bluetooth devices may use three : BR (Basic Rate), EDR ( Data Rate) and AMP (Alternate MAC / PHY). Since they all belong to the Basic Rate system, we call them BR scanners:




 


As shown above, by scanning BR devices, we can get the address, the , the device type and the RSSI of the surrounding classic Bluetooth devices.


Scanning devices LE -m le


Bluetooth technology, in addition to the Basic Rate system, also has the low power system (LE). Scanning low power Bluetooth devices is called LE device scan:




Όπως φαίνεται παραπάνω, μέσω της σάρωσης συσκευών LE, μπορούμε να λάβουμε τη διεύθυνση, τον τύπο διεύθυνσης, την κατάσταση σύνδεσης, το RSSI και τα  GAP of surrounding LE devices.


SDP scanning services


Classic Bluetooth devices inform the outside world about their open services via SDP. After scanning SDP, we can receive the service data of this classic Bluetooth device:



















You can try to connect to these services for further benefits.


LMP scan functions


Detecting the LMP functions of classic Bluetooth devices allows us to judge the basic security features of the classic Bluetooth device:




 


Scanning GATT services


LE devices inform the outside world about their open services through GATT. After scanning the GATT, we can receive the GATT service of the specified LE device. You can try to keep the GATT data for further breaches:




Vulnerability Scan (Demo)


The vulnerability scan is still in the demonstration phase and currently only supports CVE-2017-0785:


$ sudo bluescan -m vuln --addr-type = br ??: ??: ??: ??: ??: ?? ... ... CVE-2017-0785


 


You can download the program from here.




iGuRu.gr The Best Technology Site in Greecefgns






Subscribe to Blog by Email






Subscribe to this blog and receive notifications of new posts by email.


















































bluescanbluetooth

















Written by Anastasis Vasileiadis






Translations are like women. When they are beautiful they are not faithful and when they are faithful they are not beautiful.




















Leave a reply 
Your email address is not published. Required fields are mentioned with *
 
Your message will not be published if:

1. Contains insulting, defamatory, racist, offensive or inappropriate comments.


2. Causes harm to minors.


3. It interferes with the privacy and individual and social rights of other users.


4. Advertises products or services or websites.


5. Contains personal information (address, phone, etc.).