A powerful Bluetooth scanner for scanning BR/LE devices, GATT, SDP and vulnerabilities!
Project description
bluescan
A powerful Bluetooth scanner that supports scanning:
- BR devices
- LE devices
- GATT
- SDP
- Vulnerabilities (demo)
Requirements
sudo apt install libglib2.0-dev libbluetooth-dev
# This tool is based on BlueZ, the official Linux Bluetooth stack.
# If you want to try the vulnerabilities scanning, see requirements in
# README.md of https://github.com/ojasookert/CVE-2017-0785
The Bluetooth adapters using following chips are recommended:
- Broadcom
- CSR
Install
sudo pip3 install bluescan
Usage
$ bluescan -h
Usage:
bluescan (-h | --help)
bluescan (-v | --version)
bluescan [-i <hcix>] -m br [--inquiry-len=<n>] [--async]
bluescan [-i <hcix>] -m le [--timeout=<sec>] [--le-scan-type=<type>] [--sort=<key>]
bluescan [-i <hcix>] -m sdp BD_ADDR
bluescan [-i <hcix>] -m gatt [--include-descriptor] --addr-type=<type> BD_ADDR
bluescan [-i <hcix>] -m vuln --addr-type=br BD_ADDR
Arguments:
BD_ADDR Target Bluetooth device address
Options:
-h, --help Display this help
-v, --version Show the version
-i <hcix> HCI device for scan [default: hci0]
-m <mode> Scan mode, support BR, LE, SDP, GATT and vuln
--inquiry-len=<n> Inquiry_Length parameter of HCI_Inquiry command [default: 8]
--timeout=<sec> Duration of LE scan [default: 10]
--le-scan-type=<type> Active or passive scan for LE scan [default: active]
--sort=<key> Sort the discovered devices by key, only support RSSI now [default: rssi]
--async Asynchronous scan for BR scan
--include-descriptor Fetch descriptor information
--addr-type=<type> Public, random or BR
Example
-
Scan LE device
$ sudo bluescan -m le [Warnning] Before doing active scan, make sure you spoof your BD_ADDR. LE active scanning on hci0...timeout 10 sec BD_ADDR: 4c:34:78:26:ad:71 Addr type: random Connectable: True RSSI: -94 dB General Access Profile: Flags (0x01): 06 Manufacturer (0xFF): 4c0010054b1c3debf9 BD_ADDR: 28:11:a5:41:28:27 Addr type: public Connectable: True RSSI: -91 dB General Access Profile: Flags (0x01): 19 Complete 16b Services (0x03): 0000febe-0000-1000-8000-00805f9b34fb,0000fe26-0000-1000-8000-00805f9b34fb Manufacturer (0xFF): 010951100d8851abf2f196f2 Tx Power (0x0A): f6 ... ...
-
Scan BR device
$ sudo bluescan -m br BR scanning on hci0...timeout 10.24 sec [BR scan] discovered new device addr: EC:51:BC:ED:6E:DC name: OPPO R11 class: 0x5A020C [BR scan] discovered new device addr: 9C:2E:A1:43:EB:5F name: 360syh class: 0x5A020C ... ...
-
Scan (Discover) GATT
$ sudo bluescan -m gatt --addr-type=random ??:??:??:??:??:?? Number of services: 5 Service declaration (3 characteristics) Handle: "attr handle" by using gatttool -b <BD_ADDR> --primary Type: (May be primary service 00002800-0000-1000-8000-00805f9b34fb) Value (Service UUID): 00001800-0000-1000-8000-00805f9b34fb (Generic Access) Permission: Read Only, No Authentication, No Authorization Characteristic declaration (0 descriptors) Handle: 0x0002 Type: 00002803-0000-1000-8000-00805f9b34fb Value: Characteristic properties: READ WRITE Characteristic value handle: 0x0003 Characteristic UUID: 00002a00-0000-1000-8000-00805f9b34fb (Device Name) Permission: Read Only, No Authentication, No Authorization Characteristic value declaration Handle: 0x0003 Type: 00002a00-0000-1000-8000-00805f9b34fb Value: b'???????' Permission: Higher layer profile or implementation specific ... ...
-
Scan (Discover) SDP
$ sudo bluescan -m sdp ??:??:??:??:??:?? Service Record 0x0000: ServiceRecordHandle (uint32) 0x0001000a 0x0001: ServiceClassIDList (sequence) uuid: 0x112f (Phonebook Access – PSE) 0x0004: ProtocolDescriptorList (sequence) uuid: 0x0100 (L2CAP) uuid: 0x0003 (RFCOMM) channel: 0x13 uuid: 0x0008 (OBEX) 0x0005: BrowseGroupList (sequence) uuid: 0x1002 (PublicBrowseRoot) 0x0009: BluetoothProfileDescriptorList (sequence) uuid: 0x1130 (Phonebook Access) <uint16 value="0x0101" /> 0x0100: unknown <text value="OBEX Phonebook Access Server " /> 0x0314: unknown <uint8 value="0x01" /> ... ...
-
Vulnerability (demo)
$ sudo bluescan -m vuln --addr-type=br ??:??:??:??:??:?? ... ... CVE-2017-0785
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
bluescan-0.0.6.tar.gz
(24.5 kB
view hashes)
Built Distribution
bluescan-0.0.6-py3-none-any.whl
(39.7 kB
view hashes)