How to Hack Bluetooth, Part 3: Reconnaissance


Welcome back, my newbie hackers!

The beauty of Bluetooth hacking is that it gives you a clear window into the world of the target. Nearly every device has Bluetooth capabilities now, and people store a great deal of personal information on their phones and tablets. If we can hack their Bluetooth connection, we can access all of that great information stored on their device!

Of course, it goes without saying that we have to be in fairly close proximity to hack Bluetooth. As I mentioned in my guide on terms, technologies, and security, the Bluetooth protocol has a minimum range of 10 m (32 ft) and can actually extend as far as 100 m (320 ft) with some adapters. That should be enough to reach everyone in a coffee shop, your school classroom, your office, and maybe even into your neighbor's house.

The Importance of Reconnaissance

Like all attacks, whether computer-based or military field operations, reconnaissance is critical. Without good recon, your chances of success are severely diminished, or in some cases, nil. In all cases, success increases exponentially the more you know about your target. So in this tutorial, I will show you several ways to do recon on a potential target.

Before continuing on below, I strongly suggest you familiarize yourself with the Bluetooth terms, technologies, and security, as well as the MultiBlue Dongle, a specialized tool for hacking Bluetooth. Although you need physical access to the target device with MultiBlue, it clearly demonstrates what can be done when you have enough information and tools. Furthermore, you might find this article interesting, which shows how Elliot hacked a prison to release prisoners in the hit show Mr. Robot.

Using BlueZ for Bluetooth Reconnaissance

BlueZ is the default Bluetooth protocol stack in nearly every version of Linux, including our Kali Linux that is built on Debian. BlueZ was also the default Bluetooth stack on both Mac OS X and Android until recently.

This implementation of the Bluetooth protocol has numerous tools built in that we can use for recon, and since they are in nearly every distribution and flavor of Linux, they can be used by pretty much all of you. (We will also use some specialized tools for Bluetooth recon in Kali.)

Step 1: Fire Up Kali

Let's start by firing up Kali and opening a command prompt. I hope it goes without saying that you need a Linux-compatible Bluetooth adapter to continue from here.

Step 2: Use Hciconfig to Enable Your Bluetooth Adapter

The first step is to check whether our Bluetooth adapter is recognized and enabled. We can do this with a built-in BlueZ tool called hciconfig:

kali > hciconfig

As you can see in this screenshot, we do have a Bluetooth adapter that has a MAC address of 10:AE:60:58:F1:37. The Bluetooth stack has named it "hci0." Now, let's make certain it is up and enabled:

kali > hciconfig hci0 up

Good, hci0 is up and ready to work!

Step 3: Scan for Bluetooth Devices with Hcitool

The BlueZ stack also has some excellent command-line (CLI) tools for scanning for Bluetooth devices. These are located in hcitool. Let's first use the scanning portion of this tool to look for Bluetooth devices that are sending out their discovery beacons (that is, devices in discovery mode). Type:

kali > hcitool scan

In the screenshot above, you can see it found two devices, ANDROID BT and SCH-I535. Now, let's try the inquiry (inq) command in hcitool to garner more information about these devices:

kali > hcitool inq

Note that it also displays clock offset and the class. The class indicates what type of Bluetooth device it is, and we can look up the code by going to the Service Discovery webpage on the Bluetooth SIG site to see what type of device it is. Or, as we will see later, some tools will do this for us.

Hcitool is a powerful command line interface to the Bluetooth stack that can do many, many things. In the screenshot below, you can see some of the commands that it can execute. Many of the Bluetooth-hacking tools that we will be using in future tutorials simply use these commands in a script. You can easily create your own tool by using these commands in your own script.

Step 4: Scan for Services with Sdptool

Service discovery protocol (SDP) is a Bluetooth protocol for searching for services. BlueZ has a tool called sdptool that is capable of browsing a device for the services it provides. We can use it by typing:

kali > sdptool browse <MAC Address>

Here we can see that this tool was able to pull information on all the services this device is capable of using.

Step 5: See if They Are Reachable with L2ping

Now that we have the MAC addresses of all the nearby devices, we can ping them, whether they are in discover mode or not, to see whether they are in reach.

kali > l2ping <MAC address>

This indicates that the device with the MAC address 76:6F:46:65:72:67 is within range and reachable.

Step 6: Scan for Bluetooth Devices with BTScanner

For those of you who are more comfortable with a GUI-based tool, Kali has BTScanner. Simply type:

kali > btscanner

When you type in BTScanner, it opens a rudimentary GUI interface with commands along the bottom. To do an inquiry scan, simply type the letter "i" on your keyboard. In this case, BTScanner found the two that I found with hcitool, as well as an additional one, MINIJAMBOX.

To gather more information about the device, simply place the cursor over the device and hit Enter on your keyboard. It will then display all of the information it has gathered about the device, similar to sdptool.

In this case, this is the information about the SCH-I535 device. Notice about a third of the way down the screen, under class, it identifies it as a "Phone/Smart phone" from its class number, 0x5a020c.
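
As an added example (not part of the original tutorial or of BlueZ), here is a small Python decoder for the 24-bit class value that hcitool inq prints in Step 3 and that BTScanner translates above, useful when inventorying what your own discoverable devices advertise. The sample inquiry lines and addresses are constructed, and the lookup tables cover only a subset of the Bluetooth assigned numbers.

```python
import re

# Bit layout of the 24-bit Class of Device (CoD) value, per Bluetooth assigned numbers:
#   bits 13-23 major service classes, bits 8-12 major device class, bits 2-7 minor class
SERVICES = {13: "Limited Discoverable", 16: "Positioning", 17: "Networking",
            18: "Rendering", 19: "Capturing", 20: "Object Transfer",
            21: "Audio", 22: "Telephony", 23: "Information"}
MAJOR = {0: "Miscellaneous", 1: "Computer", 2: "Phone", 3: "LAN/Network Access Point",
         4: "Audio/Video", 5: "Peripheral", 6: "Imaging", 7: "Wearable",
         8: "Toy", 9: "Health", 31: "Uncategorized"}
# Minor classes depend on the major class; only a subset is tabulated here.
MINOR = {1: {1: "Desktop", 2: "Server", 3: "Laptop", 4: "Handheld PC/PDA"},
         2: {1: "Cellular", 2: "Cordless", 3: "Smartphone"},
         4: {1: "Wearable Headset", 2: "Hands-free", 5: "Loudspeaker", 6: "Headphones"}}

def decode_cod(cod):
    """Split a CoD integer into (major, minor, [service names])."""
    if not 0 <= cod <= 0xFFFFFF:
        raise ValueError("class of device is a 24-bit value")
    major_n = (cod >> 8) & 0x1F
    minor_n = (cod >> 2) & 0x3F
    major = MAJOR.get(major_n, f"Reserved ({major_n})")
    minor = MINOR.get(major_n, {}).get(minor_n, f"Unlisted ({minor_n})")
    services = [name for bit, name in sorted(SERVICES.items()) if cod & (1 << bit)]
    return major, minor, services

INQ_LINE = re.compile(r"^\s*((?:[0-9A-F]{2}:){5}[0-9A-F]{2})\s+clock offset:\s*"
                      r"0x[0-9a-f]+\s+class:\s*0x([0-9a-f]{6})\s*$", re.I)

def parse_inquiry(text):
    """Return {address: decoded class} for each device line of `hcitool inq` output."""
    devices = {}
    for line in text.splitlines():
        m = INQ_LINE.match(line)
        if m:  # skips the "Inquiring ..." banner and any malformed line
            devices[m.group(1).upper()] = decode_cod(int(m.group(2), 16))
    return devices

# Constructed sample in the shape hcitool inq prints; addresses are made up.
# 0x5a020c is the class value quoted in this tutorial; 0x240404 is constructed.
SAMPLE = """Inquiring ...
\t00:11:22:33:44:55\tclock offset: 0x1a2b\tclass: 0x5a020c
\tAA:BB:CC:DD:EE:FF\tclock offset: 0x0f3c\tclass: 0x240404
"""

if __name__ == "__main__":
    for addr, (major, minor, services) in parse_inquiry(SAMPLE).items():
        print(f"{addr}  {major} / {minor}  services: {', '.join(services)}")
```

The service bits are the part the GUI tools tend to summarize away: for 0x5a020c they show the phone advertising Networking, Capturing, Object Transfer and Telephony.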

Step 7: Bluetooth Sniffing with BlueMaho

We have still another tool in Kali we can use for Bluetooth scanning, called BlueMaho, an integrated Bluetooth scanning/hacking tool. Here we will simply use it for scanning. You can start BlueMaho's elegant GUI by typing:

kali >

When you do, it opens a GUI like the one below. Here, I have clicked on "get SDP info" and hit the play button to the left. BlueMaho begins scanning for discoverable devices, and like the other tools, it finds two Bluetooth devices.

In the bottom window, BlueMaho displays more info from the scanned devices. I have copied that info and placed it into a text file to make it easier for you to read:

Note that it displays the name of the first device "MINIJAMBOX" and then describes the device type as "Audio/Video, Headset profile." The second device is identified as "SCH-I535," and we are told its device type is "Phone, Smart phone."

Now that we know how to gather information on the Bluetooth devices in our range, we will begin hacking those devices with that info in future tutorials, so keep coming back, my newbie hackers!


I went through this tutorial, I am very excited for this series and even bought the bluetooth dongle you showed earlier. I couldn't find it tonight so I tried my built in bluetooth adapter and it didn't find anything. When I do hciconfig it shows it up and running.

Like ping, Bluetooth has l2ping, very interesting.

Yes, where TCP ping hits the IP address (level 3), Bluetooth has level 2 ping, which hits the level 2 address (MAC address).

As always great stuff OTW, I really like the way this series is moving away from the traditional port scanning and exploiting.


Really nice tutorial please do another one soon

Why is the bluemaho command not found?

it should be I've edited the article to reflect that.

Also, I cannot open bluemaho. What is the problem?

Did you type

Yes, I did type it, and I also can't open it.

Bluemaho is not included in Kali Linux 2.0. You will have to download and install it.

I am wondering: if my Bluetooth card gets all the information in this tutorial, should I buy a Bluetooth adapter, and if I do, which one would you recommend? The Bluetooth dongle from Mr. Robot (the one you show) is not available anywhere near me, so my question is: is it worth trying to find it, or is there a similar adapter I could use?

Almost all the basic stuff you want to do is compatible with any Bluetooth adapter, from $5 up. Newer devices have longer range and more speed, but really, if you are just starting, anything goes.

Until now it's just covered the basics, but I think following guides will explain how to use rfcomm, issue AT modem commands to control a phone, send sms, call, get / push files from phone etc.

Bluetooth hacking is long dead, but sometimes the dead come back to bite again.

I'm already sniffing my own Bluetooth as an experiment. Anybody got an idea how to access the phone?

Accessing the phone via Bluetooth is coming so keep checking back here.

Just found this site and I think it's great :) I wish I had read through all the posts before starting, because now I'm stuck, haha. I see it's been some time since this series of posts, and I was wondering if you were going to continue? Thanks :)

There is more coming soon. Maybe as early as next week.

Hello there OTW, this is a nice series, just wondering when you'll provide more.

Just saw this... the bump function on this board is not as efficient as others; it's easy to miss a post on such an old topic.

Anyway, Android has a bad (or good, depending on point of view) implementation of bluetooth. Unless you install further packages that allow more bluetooth control, there is little you can do with a stock rom, or even a Cyanogen (compared to an OS like old Symbian, for example, that just worked out of the box), and even there, most old attacks won't work.

What other 'arbitrary btmsg' were you trying to send ?

Very interesting. Can't wait to learn how to hack devices through bluetooth. Hope to see it soon...

Please post your next article on how to hack Bluetooth devices.
I'm so excited.
Please reply to me.

This is a really interesting series, I'm really enjoying it. Can't wait for the next part!

I already tried working with hcitool a while ago but I'm running into some issues. Somehow when I try to l2ping with my Kali Nethunter, I'm only getting timeouts. When I l2ping from my local Kali pc, l2ping works without problems.

Someone got the same phenomenon and knows what causes the problem?

Any update on a part 4? ...had some annoying 15 year olds drinking beer and blasting music on the beach and would've loved to screw with them.

Any perceivable updates to this?
A way to disconnect devices others are using would be useful.

Is there any way to get a phone's or device's IMEI number with Bluetooth, but without Bluetooth pairing?

Can anyone help me with installing on Kali Linux?
