samedi 29 août 2020

Bluescan - A Powerful Bluetooth Scanner For Scanning BR/LE Devices, LMP, SDP, GATT And Vulnerabilities!


Bluescan is a open source project by Sourcell Xu from DBAPP Security HatLab. Anyone may redistribute copies of bluescan to anyone under the terms stated in the GPL-3.0 license.

This document is also available in Chinese. See README-Chinese.md

Aren't the previous Bluetooth scanning tools scattered and in disrepair? So we have this powerful Bluetooth scanner based on modern Python 3 ---- bluescan.
When hacking new Bluetooth targets, the scanner can help us to collect intelligence, such as:
  • BR devices
  • LE devices
  • LMP features
  • GATT services
  • SDP services
  • Vulnerabilities (demo)

Requirements
This tool is based on BlueZ, the official Linux Bluetooth stack. The following packages need to be installed:
sudo apt install libglib2.0-dev libbluetooth-dev
When you play this tool in a Linux virtual machine, making a USB Bluetooth adapter exclusive to it is recommended, like the Ostran Bluetooth USB Adapter OST-105 CSR 8150 v4.0 for 99 RMB. Of course, the best one to use is the little bit expensive Parani UD100-G03, 560 RMB. And if you want to try the vulnerability scanning, see README.md of ojasookert/CVE-2017-0785.

Install
The lastest bluescan will be uploaded to PyPI, so the following command can install bluescan:
sudo pip3 install bluescan

Usage
$ bluescan -h  bluescan v0.2.1    A powerful Bluetooth scanner.    Author: Sourcell Xu from DBAPP Security HatLab.    License: GPL-3.0    Usage:      bluescan (-h | --help)      bluescan (-v | --version)      bluescan [-i <hcix>] -m br [--inquiry-len=<n>]      bluescan [-i <hcix>] -m lmp BD_ADDR      bluescan [-i <hcix>] -m sdp BD_ADDR      bluescan [-i <hcix>] -m le [--timeout=<sec>] [--le-scan-type=<type>] [--sort=<key>]      bluescan [-i <hcix>] -m gatt [--include-descriptor] --addr-type=<type> BD_ADDR      bluescan [-i <hcix>] -m vuln --addr-type=br BD_ADDR    Arguments:      BD_ADDR    Target Bluetooth device address    Options:      -h, --help                  Display this help.      -v, --version               Show the version.      -i <hcix>                   HCI device for scan. [default: hci0]      -m <mode>                   Scan mode, support BR, LE, LMP, SDP, GATT and vuln.      --inquiry-len=<n>           Inquiry_Length parameter of HCI_Inquiry command. [default: 8]      --timeout=<sec>             Duration of LE scan. [default: 10]      --le-scan-type=<type>       Active or passive scan for LE scan. [default: active]      --sort=<key>                Sort the discovered devices by key, only support RSSI now. [default: rssi]      --include-descriptor        Fetch descriptor information.      --addr-type=<type>          Public, random or BR.

Scan BR devices -m br
Classic Bluetooth devices may use three technologies: BR (Basic Rate), EDR (Enhanced Data Rate), and AMP (Alternate MAC/PHY). Since they all belong to the Basic Rate system, so when scanning these devices we call them BR device scanning:


As shown above, through BR device scanning, we can get the address, page scan repetition mode, class of device, clock offset, RSSI, and the extended inquiry response (Name, TX power, and so on) of the surrounding classic Bluetooth devices.

Scan LE devices -m le
Bluetooth technology, in addition to the Basic Rate system, is Low Energy (LE) system. When scanning Bluetooth low energy devices, it is called LE device scanning:


As shown above, through LE device scanning, we can get the address, address type, connection status, RSSI, and GAP data of the surrounding LE devices.

Scan SDP services
Classic Bluetooth devices tell the outside world about their open services through SDP. After SDP scanning, we can get service records of the specified classic Bluetooth device:


You can try to connect to these services for further hacking.

Scan LMP features
Detecting the LMP features of classic Bluetooth devices allows us to judge the underlying security features of the classic Bluetooth device:


Scan GATT services
LE devices tell the outside world about their open services through GATT. After GATT scanning, we can get the GATT service of the specified LE device. You can try to read and write these GATT data for further hacking:


Vulnerabilities scanning (demo)
Vulnerability scanning is still in the demo stage, and currently only supports CVE-2017-0785:
$ sudo bluescan -m vuln --addr-type=br ??:??:??:??:??:??  ... ...  CVE-2017-0785




via KitPloit
This article is the property of Tenochtitlan Offensive Security. Verlo Completo --> https://tenochtitlan-sec.blogspot.com

More articles


  1. Hacking Tools Github
  2. Pentest Tools Download
  3. Pentest Tools Android
  4. Hackrf Tools
  5. Hacking Tools Github
  6. Pentest Tools Kali Linux
  7. Hacker Techniques Tools And Incident Handling
  8. Kik Hack Tools
  9. Pentest Tools Review
  10. Hacking Tools Windows
  11. Computer Hacker
  12. Hack Website Online Tool
  13. Hack Tools For Games
  14. Pentest Tools Url Fuzzer
  15. Pentest Reporting Tools
  16. Hacker Tools Free Download
  17. Pentest Tools For Windows
  18. Pentest Tools Website Vulnerability
  19. Hacker Tools Free Download
  20. Hacking Tools 2020
  21. Pentest Tools Windows
  22. What Are Hacking Tools
  23. Hacking Tools For Games
  24. Hacking App
  25. Best Pentesting Tools 2018
  26. Hack Tools For Mac
  27. Blackhat Hacker Tools
  28. Hacker Tools For Mac
  29. Pentest Tools Review
  30. Pentest Tools List
  31. Hacking Tools Online
  32. Hacking Tools 2020
  33. Hacker Tools 2019
  34. Hacker Tools Software
  35. World No 1 Hacker Software
  36. Hacking Tools Download
  37. Hack And Tools
  38. Hacker Tools Windows
  39. Hacker Tools For Windows
  40. New Hack Tools
  41. Pentest Tools Tcp Port Scanner
  42. Hacker Tools List
  43. Hacking Tools And Software
  44. Hacking Tools For Windows 7
  45. Pentest Tools Open Source
  46. Hack Apps
  47. Tools Used For Hacking
  48. Nsa Hack Tools Download
  49. Pentest Tools Kali Linux
  50. Hacker Tools For Pc
  51. Hack And Tools
  52. Pentest Tools Website Vulnerability
  53. Hack Tools
  54. Kik Hack Tools
  55. Hacker Tools 2020
  56. Physical Pentest Tools
  57. Free Pentest Tools For Windows
  58. Hacker Tools For Windows
  59. Hacking Tools For Beginners
  60. Ethical Hacker Tools
  61. Pentest Tools Website Vulnerability
  62. Pentest Tools Find Subdomains
  63. Hackrf Tools
  64. Hack Tools
  65. Hacking Tools Download
  66. Github Hacking Tools
  67. Hacker Tools Apk Download
  68. Tools For Hacker
  69. Hacking Tools For Windows 7
  70. Best Pentesting Tools 2018
  71. Pentest Tools For Windows
Publié par à

Aucun commentaire:

Publier un commentaire

S'abonner à : Publier des commentaires (Atom)