Monday, 6 September 2010

Bluetooth mayhem

So this is going to be a post which will probably be either updated when possible or deleted
depending on the progress I am able to make with bluetooth ;)

After getting interested in bluetooth again, I came to the conclusion that I really can't get much done at all..
Considering the amount of cash I have spent in the past on wireless adapters to test, getting a pre-paid mobile and a couple of bluetooth dongles and headsets to go crazy on didn't really seem like a bad idea.

So this will be a post containing some information on the bluetooth side of things that that I have been able to get through, which as it stands right now is horrifically little :|

The bluetooth tools included on BackTrack4 are all somewhat dated and their functionality with BackTrack4 not well documented, though bluetooth still forms a part of many wireless security courses, so I have a feeling it is simply a lack of documentation.

The phone I am using to test on is a Nokia 2720 with bluetooth visibility set to permanently visible (except with the tests of tbsearch & fang)
I have a couple of usb dongles, 2x Class 2 and 1x Class 1.


First to ensure that the bluetooth devices are up and running ;

hciconfig hci0 up  <-- in my case an internal bluetooth device
hciconfig hci1 up  <-- in my case an external USB dongle

Getting more info on the bluetooth interface ;
hciconfig hci0 -a

There are numerous methods to scan for devices ;

hcitool is the most straightforward, comparable with using the iwlist scan option when checking for wireless.
hcitool dev
hcitool -i hci0 scan
hcitool -i hci0 inq

Alternatively you can use one of the many monitoring tools included in BT4 such as ;
BlueScan, Btscanner, ghettotooth, tbear 

BlueScan will show bdaddr of the device found along with name, manufacturer, active services and active channels along with time of discovery.
However have not figured out how to specify which interface to use; BlueScan always seems to want to use bdaddr of hci0.
After stopping the scan with Ctrl +C you are given 3 options;
1. Print to screen
2. Export results to log
3. Quit

cd /pentest/bluetooth/bluescan/

Btscanner uses all available bluetooth interfaces for scanning.
It opens an GUI and works similar to the oldschool Kismet, listing found bluetooth devices with the possibility to show further information on the devices when selected.
i          <-- starts an inquiry scan
Enter   <-- gives further info on the device selected
a         <-- aborts the scan
Q        <-- Quits the program
Results for the devices found are logged automatically with a directory created per bdaddr found.
For scanning for devices,  I would say that so far as I have seen, this tool is the one to use.
I have come to the conclusion that I am not fond of the way btscanner ; 
> Does not enable the choosing of individual interface adapters. 
> Logs all the information in separate folders, it makes sense in view of the information included, but it makes it harder to quickly view a list of bdaddr's, Names, Class etc.once programme quits.


Further info after selecting the found device;
(q to return to main menu)

ghettotooth simply lists the bdaddr's and names of the devices found.
A log is made each time ghettotooth is started.

cd /pentest/bluetooth/ghettotooth/
perl -h
perl hci0

A straightforward bluetooth device locator with options to log the results.
Whichever interface is entered to use, the screen shows hci0 as being in use after a few seconds
which is a bit confusing.
Well after having played a bit more with them, I have decided that I like tbear the best for quick scans. 
The reason is that you can choose which interface adapter to use (even though it doesnt correctly mention that on screen) and it is easy to view a quick list of what was found from the logs after quitting the programme. Plus it looks pretty ;)

cd /pentest/bluetooth/tbear/
./tbear -h

./tbear -i hci0 -l log

From what I have read, Tbear did originally come with a load of other tools (, but in BT4 there are just two other tools with tbear;
tanya & tbsearch

tanya is a DoS tool for bluetooth, however haven't yet played enough with it to get it to work.
I would love to think that the author had a wife / GF called Tanya whose constant rattling reminded him of a DoS..

tbsearch is a tool to search for hidden bluetooth devices by checking bluetooth addresses and able to use multiple threads (multiple bluetooth interfaces)
So for instance if you know a device should be in the area and you have the bdaddr or a possible range you can search for it and tbsearch will find it, even if it is in hidden mode, and continue searching for others.
Its not a fast process however..
cd /pentest/bluetooth/tbear/
./tbsearch -b 6C:9B:02:FF:97:2F hci0
(bluetooth on mobile set to 'hidden')

This process can be sped up a bit using multiple dongles, below I have a total of 4 devices checking it all out with a starting point 7 digits before the bdaddr, but as you can see it came back with a false positive..
(30 instead of 2f)
This happened more or less consistently when using multiple interfaces, checking for individual bdaddr's seems to work better when using a single interface with tbsearch.

./tbsearch -b 6C:9B:02:FF:97:29 hci0 hci1 hci2 hci3

fang checks for 'hidden' bluetooth devices by scanning a range of bluetooth addresses similar to the above tbsearch but somewhat more refined and expanded.
fang appears to work better than tbsearch in detecting hidden devices using multuiple interfaces.

cd /pentest/bluetooth/redfang/
./fang -h

The below example is only testing the last 2 digits of the bdaddr of my test phone (set to hidden) using 4 bluetooth interfaces as above with tbsearch.
./fang -r 6C9B02FF9700-6C9B02FF973F -n 4

 A word of warning, bluetooth and WiFi both use part of the 2.4 GHz band .. carrying out this attack with this many dongles basically caused my wireless network to suffer considerably..

This is the easy stuff, now there is a whole lot more to get my head around, but hopefully the motivation will continue to flow as I have to say, for the moment bluetooth feels a bit like ;

Some reference material ;

more to be added..please leave a comment if you have a link to helpful info.


  1. Dude, that's cool, glad you back after months :).

  2. Nice tut! Thanks theNURSE

  3. Hey, This is nice, the only problem is I cannot get my bluetooth to connect to any devices. I am trying to use command line without the GUI or applet. Can you offer any help? I got bluez installed.



  4. Hey Nico,

    Thanks for your comment, connections have been my biggest headache as well and to be honest the reason why I more or less gave up on it.

    Check out the followup post I did ;
    for the progress that I was able to make.
    Very limited I regret to say.

    For connections you will have to look into the rfcomm commands.

    Let me know what progress you are able to make !

  5. Have you used bluesniff? I am attempting to use it for a project and can't get it to work.

  6. No, never used it, its not included with backtrack is it ?

    Just try one of the others as above (or what I wrote; bluejay) to get your bluetooth wardriving kicks..

  7. Hi, Thank you for this tutorial, very nice.
    What Bluetooth USB do you recommend?

  8. Hey there :) Glad you liked the post,
    thanks for your interest !

    To be honest, all the bluetooth USB dongles I have
    tried worked fine for scanning as in the above post.

    Check out this post to see what I was using ;

    Laters - TAPE

  9. Thank you, perfect manual, everything is very easy to understand and use!

  10. Thanks, glad you enjoyed the post :)


Google Analytics Alternative