Bluetooth Hacking: The Most Vulnerable Data Transmission Protocol! (Part 2)

As in all the , whether computer-based or military operations, reconnaissance is critical and an integral part of attacks. Your chances of success are greatly reduced in many cases when you don't know what's important for your goal.

In all cases, the success increases considerably the more know about your target. So, in this article, I will show you several ways to redefine a potential target.

bt beacon

 

Using Bluez for Bluetooth Discovery

BlueZ is the default Bluetooth protocol on almost every Linux release, including Debian-based Kali Linux. BlueZ was also the default Bluetooth protocol on both Mac OS X and Android until recently.

The Bluetooth protocol has many built-in tools that we can use for review, and since they are in almost every Linux distribution, they can be used by all of us. (We will also use some specialized tools to review Bluetooth in Kali).

 

Step 1: Enable Bluetooth on Kali

Let's start by firing up Kali and opening a command prompt. I hope it goes without saying that you need a Linux-compatible Bluetooth adapter to proceed from here.

Step 2: Use Hciconfig to enable the Bluetooth adapter

The first step is to check if our Bluetooth adapter is recognized and activated. We can check this with a built-in BlueZ tool called hciconfig:

kali > hciconfig

1

As you can see in this screenshot, we have a Bluetooth adapter that has a MAC address of 10:AE:60:58:F1:37. The Bluetooth stack has named it “hci0”. Now, let's make sure it's enabled and ready to use:

kali > hciconfig hci0 up

2
Once we've confirmed it, hci0 is ready to use!

Step 3: Scan for Bluetooth devices with Hcitool

BlueZ also has some great command line (cli) tools for scanning Bluetooth devices. These are in hcitool. Let's first use the scanning part of this tool to search for Bluetooth devices that are sending their location beacons (in always-on mode).

kali > hcitool scan

3

In the screenshot above, you can see that two devices were found, ANDROID BT and SCH-I535. Now, let's try the inquiry (inq) command in hcitool to gather more information about these two devices:

kali > hcitool inq

4

Note that it also displays the clock offset and class. The class indicates what type of Bluetooth device it is, and we can look up the code by going to the Service webpage on the Bluetooth SIG website to see what kind of device it is, or as we'll see later, some tools will do this for us.

Hcitool is a powerful command line interface that can do many things. In the screenshot below, you can see some of the commands it can execute.

Many of the Bluetooth hacking tools that we will use in our future articles simply use these commands in a script. You can easily create your own tool using these commands in your own script.

5

Step 4: Scan for services with Sdptool

Service Discovery Protocol (SDP) is a Bluetooth protocol for searching for all services. BlueZ has a tool called sdptool that is able to check on a device all the services it has. We can use it by typing the following command:

6

Here we can see that this tool has detected all the information about the services that this device can use.

Step 5: Determine if Bluetooth devices are reachable with L2ping

Now that we have the MAC addresses of all nearby devices, we can ping them, whether they are in discovery mode or not, to see if they are reachable.

7

This indicates that the device with MAC address 76:6F:46:65:72:67 is in range and reachable.

Step 6: Scan for Bluetooth devices with BTScanner

For those of you who are more comfortable with a GUI-based tool, the Kali distribution has the BTScanner program. Just type:

kali > btscanner

When you type BTScanner, it opens a rudimentary GUI interface with commands at the bottom. To do a scan, just type the letter “i” on your keyboard. In this case, BTScanner found the two I found with hcitool, plus one more, MINIJAMBOX.

8

To gather more information about the device, simply place your cursor over the device and press Enter on your keyboard. It will then display all the information it has gathered about the device, similar to sdptool.

9

This is the information about the SCH-I535 device. Notice about a third of the screen down, in the category, it identifies it as “Phone/Smartphone” by its category number, 0x5a020c.

Step 7: Bluetooth Sniffing with BlueMaho

We still have a tool in Kali that we can use for Bluetooth scanning, called BlueMaho, a built-in Bluetooth scanning/hacking tool. Here we will just use it for scanning. You can start the BlueMaho GUI by typing:

kali > bluemaho.py

It opens a GUI like the one below. Here, I clicked on “get SDP info” and hit the play button on the left. BlueMaho starts scanning for discoverable devices and like the rest of the tools, it finds two Bluetooth devices.

10

In the bottom window, BlueMaho displays more information from the scanned devices. I copied this information and placed it in a text file to make it easier for you to read:

11

Note that it displays the first device name “MINIJAMBOX” and then describes the device type as “Audio/Video, Profile .” The second device is identified as “SCH-I535” and showed us that the device type is “Phone, Smartphone”.

Somewhere here we have reached the end of the second part of our series of guides “Bluetooth Hacking: The Most Vulnerable Data Transmission Protocol!”. Stay tuned as the next part is coming which will be even more interesting.

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.
hacking, bluetooth, Bluetooth Hacking

Written by Anastasis Vasileiadis

Translations are like women. When they are beautiful they are not faithful and when they are faithful they are not beautiful.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).