with range, we use hcitool to scan. You can see an example of running this scan in Example 7-16.
Example 7-16. Using hcitool to identify Bluetooth devices
root@savagewood:/# hcitool scan
Scanning ...
00:9E:C8:93:48:C9 MIBOX3
In spite of the many Bluetooth devices in my house and the reasonably close proximity of neighbors, all that was found was a single device. This is because all the other devices are previously paired or not in pairing mode to be discovered. We can use hcitool to query Bluetooth devices, and we'll use it for that later. As we are still scanning for Bluetooth devices, we're going to move on to another program: btscanner. This has an ncurses-based interface, which is a very rudimentary GUI. It provides the program more than a line-by-line interface. You can see an example of using it in Figure 7-11.
Figure 7-11. btscanner showing Bluetooth devices
You'll note that we get the same results from btscanner as we did from using hcitool, which you'd expect since they are both using the same Bluetooth device and sending out the standard Bluetooth protocol commands. We get two ways of performing the scan using btscanner. The first is the inquiry scanner, which sends out probes looking for devices. The second is a brute-force scan, which sends out specific requests to addresses. In other words, you provide a range of addresses for btscanner to probe. It will then send out requests to those addresses, which are MAC addresses, so they should look familiar. Communicating with a Bluetooth device is done over layer 2, and as such, we use layer 2 addresses, MAC addresses, to communicate with the devices.
234 | Chapter 7: Wireless Security Testing
If we want to go about brute-forcing Bluetooth devices, there is one last tool that we are going to take a look at. This is a program called RedFang, which was developed as a proof of concept to identify nondiscoverable Bluetooth devices. Just because an inquiry scan doesn't return much of anything doesn't mean that there aren't Bluetooth devices around. RedFang helps us to identify all of those devices. Once we've identified them, we may be able to use them down the road a little. Using RedFang, we can let it scan all possible addresses or we can specify a range. In Example 7-17, we've selected a range of addresses to look for devices in.
Example 7-17. Brute-force Bluetooth scanning with RedFang
root@savagewood:/# fang -r 007500000000-0075ffffffff -s
redfang - the bluetooth hunter ver 2.5
(c) 2003 @stake Inc
author: Ollie Whitehouse
enhanced: threads by Simon Halsall
enhanced: device info discovery by Stephen Kapp
Scanning 4294967296 address(es)
Address range 00:75:00:00:00:00 -> 00:75:ff:ff:ff:ff
Performing Bluetooth Discovery...
Even just scanning the range 00:75:00:00:00:00 through 00:75:ff:ff:ff:ff, selecting a range entirely at random, gives us 4,294,967,296 addresses to scan. I'll save you from counting the positions. That's more than 4 billion potential devices. And we're just scanning a small slice of the possible number of devices. Scanning the entire range would be looking through 281,474,976,710,656 device addresses.
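To make the address arithmetic above concrete, here is an added Python example (not code from the book or from RedFang) that parses a RedFang-style range such as the one in Example 7-17, renders the endpoints as colon-separated Bluetooth addresses, counts the addresses in the range and the full 48-bit space, and estimates how long a brute-force pass would take at an assumed probe rate. The probe rate of 1,000 addresses per second is a constructed figure used only to illustrate the scale.

```python
import re

BT_ADDR_BITS = 48                  # Bluetooth device addresses are 48 bits, like Ethernet MACs
BT_ADDR_SPACE = 1 << BT_ADDR_BITS  # 281,474,976,710,656 possible addresses

# RedFang's -r takes two 12-hex-digit addresses (no colons) joined by a dash.
_RANGE_RE = re.compile(r"^([0-9a-fA-F]{12})-([0-9a-fA-F]{12})$")


def format_bd_addr(value):
    """Render a 48-bit integer as a colon-separated address, e.g. 00:75:00:00:00:00."""
    if not 0 <= value < BT_ADDR_SPACE:
        raise ValueError("address out of 48-bit range")
    raw = f"{value:012x}"
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def parse_fang_range(spec):
    """Parse a RedFang-style 'START-END' range.

    Returns (start, end, count) as integers; count is the number of addresses
    the range covers, which is what RedFang reports as 'Scanning N address(es)'.
    """
    m = _RANGE_RE.match(spec.strip())
    if not m:
        raise ValueError(f"bad range spec: {spec!r}")
    start, end = int(m.group(1), 16), int(m.group(2), 16)
    if end < start:
        raise ValueError("range end precedes range start")
    return start, end, end - start + 1


def estimate_scan_seconds(count, probes_per_second):
    """Wall-clock estimate for probing `count` addresses at an assumed probe rate."""
    if probes_per_second <= 0:
        raise ValueError("probe rate must be positive")
    return count / probes_per_second


if __name__ == "__main__":
    start, end, count = parse_fang_range("007500000000-0075ffffffff")  # range from Example 7-17
    print(f"Address range {format_bd_addr(start)} -> {format_bd_addr(end)}")
    print(f"Scanning {count:,} address(es)")        # 4,294,967,296
    print(f"Full 48-bit space: {BT_ADDR_SPACE:,}")  # 281,474,976,710,656
    # Constructed rate: even at 1,000 probes per second the example range takes about 50 days,
    # and the full address space about 8,900 years, which is why a random range is hopeless.
    days = estimate_scan_seconds(count, 1000) / 86400
    print(f"At 1000 probes/s the example range takes about {days:.0f} days")
```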