BLUETOOTH TOOLS Sil Janssens [email protected] January 9, 2005


Abstract

Many different tools to access Bluetooth devices can be found on the internet and p2p networks. This document gives a very short overview of the different tools related to Bluetooth security.

Date        Author        Comment
08/05/2005  Sil Janssens  adding new tools discovered
05/05/2005  Sil Janssens  adding new tools discovered
07/12/2004  Sil Janssens  corrections after remarks of Dave Singelee
26/11/2004  Sil Janssens  additions and corrections
24/11/2004  Sil Janssens  additions
22/11/2004  Sil Janssens  First Draft

Table 1: Version History

Contents

1 Introduction
  1.1 Purpose and scope
  1.2 References

2 Bluetooth Tools
  2.1 Affix Bluetooth Stack
    2.1.1 Manufacturer
    2.1.2 Link - Source
    2.1.3 Description
    2.1.4 Screenshots / Logo
  2.2 Blooover
    2.2.1 Manufacturer
    2.2.2 Link - Source
    2.2.3 Description
    2.2.4 Screenshots / Logo
  2.3 BlueAlert
    2.3.1 Manufacturer
    2.3.2 Link - Source
    2.3.3 Description
  2.4 BlueBug
    2.4.1 Manufacturer
    2.4.2 Link - Source
    2.4.3 Description
    2.4.4 Screenshots / Logo
  2.5 BlueFish
    2.5.1 Manufacturer
    2.5.2 Link - Source
    2.5.3 Description
    2.5.4 Screenshots / Logo
  2.6 BluePrinting
    2.6.1 Manufacturer
    2.6.2 Link - Source
    2.6.3 Description
    2.6.4 Screenshots / Logo
  2.7 BlueSmack
    2.7.1 Manufacturer
    2.7.2 Link - Source
    2.7.3 Description
    2.7.4 Screenshots / Logo
  2.8 BlueSniff
    2.8.1 Manufacturer
    2.8.2 Link - Source
    2.8.3 Description
    2.8.4 Screenshots / Logo
  2.9 BlueSniper
    2.9.1 Manufacturer
    2.9.2 Link - Source
    2.9.3 Description
    2.9.4 Screenshots / Logo
  2.10 BlueSpam
    2.10.1 Manufacturer
    2.10.2 Link - Source
    2.10.3 Description
    2.10.4 Screenshots / Logo
  2.11 Bluetooth Phone Book Dumper
    2.11.1 Manufacturer
    2.11.2 Link - Source
    2.11.3 Description
  2.12 BlueZ Bluetooth Stack
    2.12.1 Manufacturer
    2.12.2 Link - Source
    2.12.3 Description
    2.12.4 Screenshots / Logo
  2.13 Braces
    2.13.1 Manufacturer
    2.13.2 Link - Source
    2.13.3 Description
    2.13.4 Screenshots / Logo
  2.14 bt_audit
    2.14.1 Manufacturer
    2.14.2 Link - Source
    2.14.3 Description
  2.15 BTBrowser - JABWT Browser
    2.15.1 Manufacturer
    2.15.2 Link - Source
    2.15.3 Description
    2.15.4 Screenshots / Logo
  2.16 btChat
    2.16.1 Manufacturer
    2.16.2 Link - Source
    2.16.3 Description
    2.16.4 Screenshots / Logo
  2.17 BTFS Bluetooth FileSystemMapping
    2.17.1 Manufacturer
    2.17.2 Link - Source
    2.17.3 Description
  2.18 btScanner
    2.18.1 Manufacturer
    2.18.2 Link - Source
    2.18.3 Description
    2.18.4 Screenshots / Logo
  2.19 btXML
    2.19.1 Manufacturer
    2.19.2 Link - Source
    2.19.3 Description
    2.19.4 Screenshots / Logo
  2.20 Fine Tooth Comb
    2.20.1 Manufacturer
    2.20.2 Link - Source
    2.20.3 Description
    2.20.4 Screenshots / Logo
  2.21 FreeJack
    2.21.1 Manufacturer
    2.21.2 Link - Source
    2.21.3 Description
    2.21.4 Screenshots / Logo
  2.22 Gnome Bluetooth Subsystem
    2.22.1 Manufacturer
    2.22.2 Link - Source
    2.22.3 Description
    2.22.4 Screenshots / Logo
  2.23 HCIDump
    2.23.1 Manufacturer
    2.23.2 Link - Source
    2.23.3 Description
  2.24 Impronto
    2.24.1 Manufacturer
    2.24.2 Link - Source
    2.24.3 Description
    2.24.4 Screenshots / Logo
  2.25 OpenOBEX
    2.25.1 Manufacturer
    2.25.2 Link - Source
    2.25.3 Description
  2.26 ObexFTP
    2.26.1 Manufacturer
    2.26.2 Link - Source
    2.26.3 Description
  2.27 PsmScan
    2.27.1 Manufacturer
    2.27.2 Link - Source
    2.27.3 Description
  2.28 RedFang
    2.28.1 Manufacturer
    2.28.2 Link - Source
    2.28.3 Description
    2.28.4 Screenshots / Logo
  2.29 RedSnarf
    2.29.1 Manufacturer
    2.29.2 Link - Source
    2.29.3 Description
    2.29.4 Screenshots / Logo
  2.30 The Bluetooth Location Tracker Project
    2.30.1 Manufacturer
    2.30.2 Link - Source
    2.30.3 Description

Chapter 1

Introduction

1.1 Purpose and scope

The purpose of this document is to provide a brief overview of the existing Bluetooth security tools.

1.2 References

• Sil Janssens, Preliminary study, VUB, 2004, http://student.vub.ac.be/~sijansse/2elic/BT/Voorstudie/PreliminaryStudy.pdf

• Sil Janssens, Software Requirement Specifications, VUB, 2004, http://student.vub.ac.be/~sijansse/2elic/BT/SRS/SRS.pdf

• other references are included for each tool in the document


Chapter 2

Bluetooth Tools

2.1 Affix Bluetooth Stack

2.1.1 Manufacturer

Affix: Nokia Research Center at Mobile Networks Lab and released under GPL.

2.1.2 Link - Source

• http://affix.sourceforge.net

2.1.3 Description

Affix is a Bluetooth protocol stack for Linux. Affix supports core Bluetooth protocols like HCI, L2CAP, RFCOMM, SDP and various Bluetooth profiles (see below).

Affix features:

• Modular implementation.

• Socket interface to HCI, L2CAP and RFCOMM protocols.

• Bluetooth module interface independence.

• SMP safe.

• Multiple Bluetooth devices support.

Affix currently supports the following Bluetooth Profiles:

• General Access Profile

• Service Discovery Profile

• Serial Port Profile

• DialUp Networking Profile

• LAN Access Profile


• OBEX Object Push Profile

• OBEX File Transfer Profile

• PAN Profile

affix-kernel provides kernel modules implementing core protocols and Bluetooth device drivers. Kernel modules can be used separately from the kernel or can be linked statically into the kernel.

affix provides control tools, libraries, and server daemons.

2.1.4 Screenshots / Logo

2.2 Blooover

2.2.1 Manufacturer

Trifinite

2.2.2 Link - Source

• http://trifinite.org/trifinite_stuff_blooover.html

2.2.3 Description

Blooover is a proof-of-concept tool (similar to BlueSnarf) that is intended to run on J2ME-enabled cell phones. Blooover is an audit tool that people can use to check whether their phones and phones of friends and employees are vulnerable.


2.2.4 Screenshots / Logo

2.3 BlueAlert

2.3.1 Manufacturer

TDK

2.3.2 Link - Source

• http://www.tdksystems.com/software/apps/content.asp?id=4

• http://www.tdksystems.com/

2.3.3 Description

TDK Systems’ BlueAlert Windows tool creates a ’pop-up’ icon from the system tray, notifying you in advance:

• When a Bluetooth device is active, or in range of your PC

• If a particular device goes out of range and a connection is lost

It only supports TDK Bluetooth devices.

2.4 BlueBug

2.4.1 Manufacturer

Trifinite

2.4.2 Link - Source

• http://trifinite.org/trifinite_stuff_bluebug.html

2.4.3 Description

BlueBug is the name of a Bluetooth security loophole on some Bluetooth-enabled cell phones. Exploiting this loophole allows the unauthorized downloading of phone books and call lists, the sending and reading of SMS messages from the attacked phone and many more things.

The tool and source code is NOT available!


2.4.4 Screenshots / Logo

2.5 BlueFish

2.5.1 Manufacturer

nobodaddy

2.5.2 Link - Source

• http://www.nobodaddy.org/portfolio/bluefish.htm

2.5.3 Description

Bluefish is a surveillance system which tracks the presence of Bluetooth devices, and their users.

Bluefish constantly scans for Bluetooth-enabled devices, such as phones, PDAs, and wireless peripherals. When a new device is found, Bluefish takes a picture of the area in which the device is discovered and catalogues all retrievable information about the device. If the device is ever discovered again, the user will be sent the last image captured of them via Bluetooth. All images are tagged with the device’s name and the time it was last observed.

Over time, a profile is built for each discovered device, making it possible to track individual users who frequent the scanning area.


2.5.4 Screenshots / Logo

2.6 BluePrinting

2.6.1 Manufacturer

Collin Mulliner and Martin Herfurt, Trifinite

2.6.2 Link - Source

• http://trifinite.org/trifinite_stuff_blueprinting.html

• http://trifinite.org/Downloads/Blueprinting.pdf

• http://trifinite.org/Downloads/bp_v100.zip

2.6.3 Description

Blueprinting is a method to remotely find out details about Bluetooth-enabled devices. Blueprinting can be used for generating statistics about manufacturers and models and to find out whether there are devices in range that have issues with Bluetooth security.

Every Bluetooth-enabled device has some characteristics that are either unique (Bluetooth device address), manufacturer-specific (the first part of the Bluetooth device address) or model-specific (service description records). Blueprinting combines the different information that Bluetooth-enabled devices reveal in order to determine the manufacturer as well as the model of the device. Based on different characteristics it is also possible to tell the respective firmware version that runs on certain devices.

Every Bluetooth-enabled device that offers services to other Bluetooth-enabled devices announces these services via the service discovery protocol (SDP). So, remote devices can query devices about the offered capabilities.


2.6.4 Screenshots / Logo

2.7 BlueSmack

2.7.1 Manufacturer

Trifinite

2.7.2 Link - Source

• http://trifinite.org/trifinite_stuff_bluesmack.html

• http://www.insecure.org/sploits/ping-o-death.html

2.7.3 Description

BlueSmack is a Bluetooth attack that knocks out some Bluetooth-enabled devices immediately. This Denial of Service attack can be conducted using standard tools that ship with the official Linux BlueZ utils package.

2.7.4 Screenshots / Logo

2.8 BlueSniff

2.8.1 Manufacturer

The Shmoo Group, Bruce Potter - Brian Caswell


2.8.2 Link - Source

• http://bluesniff.shmoo.com/

• http://www.shmoo.com/~gdead/dc-11-brucepotter.ppt

• http://bluesniff.shmoo.com/bluesniff-0.1.tar.gz

2.8.3 Description

Bluesniff is proof-of-concept code for a Bluetooth wardriving utility. It provides a GUI for finding discoverable and hidden Bluetooth devices. It is focused on providing a UI front-end for Redfang.

2.8.4 Screenshots / Logo

2.9 BlueSniper

2.9.1 Manufacturer

Flexilis

2.9.2 Link - Source

• http://www.flexilis.com

• http://www.blueserker.com/html/modules.php?op=modload&name=News&file=index&catid=&topic=14

2.9.3 Description

The BlueSniper is a rifle stock with a scope and yagi antenna attached. A cable attaches the antenna to the Bluetooth card, which can be in a PDA or laptop computer. The laptop can be carried in a backpack with the cables connecting into the backpack, giving it the Ghostbusters look.


The Flexilis team demonstrated the gun with some home-brewed Bluetooth scanning software. They pointed the gun down the hallways and out windows. Almost instantly, vulnerable phones with their unique Bluetooth device numbers appeared on the laptop screen. The device is powerful enough to detect devices through building walls.

2.9.4 Screenshots / Logo

2.10 BlueSpam

2.10.1 Manufacturer

Collin R. Mulliner

2.10.2 Link - Source

• http://www.mulliner.org/palm/bluespam.php

2.10.3 Description

BlueSpam is a Palm OS application that searches for all discoverable Bluetooth devices and sends an arbitrary file to them if they support OBEX.

2.10.4 Screenshots / Logo


2.11 Bluetooth Phone Book Dumper

2.11.1 Manufacturer

Collin R. Mulliner

2.11.2 Link - Source

• http://www.saftware.de/bluetooth/btxml.c

2.11.3 Description

Bluetooth phone book dumper creates a backup of the Nokia 6310i via Bluetooth. It also works on some Ericsson mobile phones.

The data is written to stdout in a standard XML format. There is no need to enter any data on the host or phone side and no pairing is needed; it simply uses GSM AT commands over an RFCOMM connection.

The software uses the Linux BlueZ Bluetooth stack.

2.12 BlueZ Bluetooth Stack

2.12.1 Manufacturer

BlueZ Project

2.12.2 Link - Source

• http://www.bluez.org

2.12.3 Description

BlueZ is an implementation of the Bluetooth wireless standards specifications for Linux. The code is licensed under the GNU General Public License (GPL) and is now included in the Linux 2.4 and Linux 2.6 kernel series.

BlueZ provides support for the core Bluetooth layers and protocols. It is flexible, efficient and uses a modular implementation. It has many interesting features:

• Complete modular implementation

• Symmetric multi processing safe

• Multithreaded data processing

• Support for multiple Bluetooth devices

• Real hardware abstraction

• Standard socket interface to all layers

• Device and service level security support


Currently BlueZ consists of many separate modules:

• Bluetooth kernel subsystem core

• L2CAP and SCO audio kernel layers

• RFCOMM, BNEP, CMTP and HIDP kernel implementations

• HCI UART, USB, PCMCIA and virtual device drivers

• General Bluetooth and SDP libraries and daemons

• Configuration and testing utilities

• Protocol decoding and analysis tools

The BlueZ kernel modules, libraries and utilities are known to work perfectly on many architectures supported by Linux.

2.12.4 Screenshots / Logo

2.13 Braces

2.13.1 Manufacturer

The Shmoo Group, Bruce Potter, Brian

2.13.2 Link - Source

• http://braces.shmoo.com/

2.13.3 Description

Bluetooth tracking application used at a demonstration at the BlackHat conference USA 2004.


2.13.4 Screenshots / Logo

2.14 bt_audit

2.14.1 Manufacturer

Collin R. Mulliner

2.14.2 Link - Source

• http://www.betaversion.net/btdsd/

2.14.3 Description

bt_audit is a suite of programs and scripts to do Bluetooth device auditing. The suite currently consists of two port scanners, psm_scan for the L2CAP layer and rfcomm_scan for the RFCOMM layer.

2.15 BTBrowser - JABWT Browser

2.15.1 Manufacturer

Klings.org BenHui.net

2.15.2 Link - Source

• http://www.benhui.net/bluetooth/btbrowser.html

• http://www.benhui.net/bluetooth/btbrowser.jar

• http://www.benhui.net/bluetooth/btbrowser.jad

• http://wireless.klings.org/main.php/BTBrowser/

• http://wireless.klings.org/source/btbrowser_src.zip


2.15.3 Description

Bluetooth (JABWT) Browser is a J2ME MIDP MIDlet that can browse and explore the technical specification of surrounding Bluetooth devices.

BTBrowser will discover nearby devices (if they are discoverable). You can browse device Bluetooth information and all supported profiles and service records of each device. This is a great utility tool to sniff Bluetooth information.

This MIDP2.0/CLDC1.0 MIDlet works on phones that support the JSR-82 (a.k.a. JABWT or Java Bluetooth) specification. Examples are the Nokia 6600 and Sony Ericsson P900.

The following attributes will be shown if they are set in the Bluetooth service record:

• 0x0100, ServiceName

• 0x0101, ServiceDescription

• 0x0102, ProviderName

• 0x0000, ServiceRecordHandle

• 0x0003, ServiceID

• 0x0001, ServiceClassIDList

• 0x0004, ProtocolDescriptorList

• 0x0009, BluetoothProfileDescriptorList

• 0x0007, ServiceInfoTimeToLive

• 0x0008, ServiceAvailability

• 0x000A, DocumentationURL

• 0x000B, ClientExecutableURL

• 0x000C, IconURL

2.15.4 Screenshots / Logo


2.16 btChat

2.16.1 Manufacturer

Collin R. Mulliner

2.16.2 Link - Source

• http://www.mulliner.org/bluetooth/btchat/

2.16.3 Description

btChat is a Bluetooth-based chatting/IM (instant messaging) system.

2.16.4 Screenshots / Logo

2.17 BTFS Bluetooth FileSystemMapping

2.17.1 Manufacturer

Collin R. Mulliner

2.17.2 Link - Source

• www.mulliner.org/bluetooth/btfs.php

2.17.3 Description

BTFS brings basic Bluetooth support to the filesystem by mapping functions like inquiry (search for Bluetooth devices) and file transfer (via OBEX) to normal file operations.

BTFS is a FUSE (Filesystem in USErspace) application.

With btfs a simple ls DEVICES shows you all Bluetooth devices within range and cp somefile OPUSH/devicename sends the given file to the device (via OBEX).


2.18 btScanner

2.18.1 Manufacturer

Pentest

2.18.2 Link - Source

• http://www.pentest.co.uk/cgi-bin/viewcat.cgi?cat=downloads&section=01_bluetooth

2.18.3 Description

btscanner is a tool designed specifically to extract as much information as possible from a Bluetooth device without the requirement to pair. A detailed information screen extracts HCI and SDP information, and maintains an open connection to monitor the RSSI and link quality. btscanner is based on the BlueZ Bluetooth stack, which is included with recent Linux kernels, and the BlueZ toolset. btscanner also contains a complete listing of the IEEE OUI numbers and class lookup tables. Using the information gathered from these sources it is possible to make educated guesses as to the host device type.

2.18.4 Screenshots / Logo

2.19 btXML

2.19.1 Manufacturer

Saftware, Andreas Oberritter, GNU General Public License

2.19.2 Link - Source

• www.saftware.de/bluetooth/btxml.c

2.19.3 Description

Creates a backup of the Nokia 6310i (and for Ericsson T610 and T68i) via Bluetooth.

2.19.4 Screenshots / Logo


2.20 Fine Tooth Comb

2.20.1 Manufacturer

The Shmoo Group

2.20.2 Link - Source

• http://bluetooth.shmoo.com

• http://www.oook.cz/bsd/bluetooth.html

2.20.3 Description

A Bluetooth scanner for FreeBSD.

This tool tries to find other Bluetooth devices in three different ways:

• A periodic inquiry scan
  About every minute (it varies) discoverable devices are listed. These show up as: ++>IR>MAC ADDRESS

• Report devices that try to connect to the scanning host
  If somebody tries to check what services you are offering, it makes note of what address tried to connect. (It rejects them.) You must have inquiry and page scanning turned on for this to be of use. These show up as: ++>CR>MAC ADDRESS>A for ACL, S for SCO>Device Class

• Brute force
  It steps through each of the manufacturers listed in ftc_manuf.h and tries all possible device IDs. This is very slow! Devices that are found show up as: ++>BF>MAC ADDRESS. If the attempt times out, it will show: -->BF>MAC ADDRESS

2.20.4 Screenshots / Logo

2.21 FreeJack

2.21.1 Manufacturer

Software13


2.21.2 Link - Source

• http://www.software13.co.uk/freejack/

2.21.3 Description

FreeJack is a Java-based BlueJacking application for mobile devices. The aim of this software is to allow the anonymous sending of messages to Bluetooth-enabled devices within range.

2.21.4 Screenshots / Logo

2.22 Gnome Bluetooth Subsystem

2.22.1 Manufacturer

Useful Information Company, GPL

2.22.2 Link - Source

• http://usefulinc.com/software/gnome-bluetooth/

2.22.3 Description

Current features include:

• Controller object to manage the discovery of nearby Bluetooth devices

• Controller will create serial (RFCOMM) connections for clients to devices

• libbtcl, a GObject wrapper for Bluetooth functionality

• An OBEX server, so you can "beam" files such as pictures, addresses or contacts from other Bluetooth devices to your computer

• An OBEX push send tool, so you can beam files from your computer to remote devices.

• Nautilus menu integration


2.22.4 Screenshots / Logo

2.23 HCIDump

2.23.1 Manufacturer

Maxim Krasnyansky

2.23.2 Link - Source

• http://linuxcommand.org/man_pages/hcidump8.html

2.23.3 Description

HCIDump is an HCI packet analyzer. It reads raw HCI data coming from and going to a Bluetooth device and prints to screen commands, events and data in a human-readable form.

2.24 Impronto

2.24.1 Manufacturer

Rococo Software

2.24.2 Link - Source

• http://rococosoft.com

• http://www.rococosoft.com/blue_university.html

• http://www.rococosoft.com/blue_dk.html

2.24.3 Description

Impronto Developer Kit is a standards-based Java tool designed to make building Bluetooth applications easy. Impronto’s framework hides complex Bluetooth protocols behind standard Java APIs (JSR82), letting developers focus on writing wireless applications rather than on low-level Bluetooth networking issues. The result is faster, easier construction of Bluetooth applications.


Support for IrDA - ircomm and irdaobex - which allows access to infrared wireless technologies through standardised specifications (Linux Developer Kit only)

Provides abstractions of Bluetooth wireless communication using the Java 2 Platform, Micro Edition (J2ME) Generic Connection Framework

Based on J2ME Connected Limited Device Configuration (CLDC)

Addresses primary Bluetooth profiles:

• Generic Access Profile

• Service Discovery Profile

• Serial Port Profile

• Generic Object Exchange Profile

2.24.4 Screenshots / Logo

2.25 OpenOBEX

2.25.1 Manufacturer

OpenOBEX Sourceforge, LGPL GPL

2.25.2 Link - Source

• http://openobex.sourceforge.net/

• http://prdownloads.sourceforge.net/openobex/openobex-1.0.1.tar.gz


• http://prdownloads.sourceforge.net/openobex/openobex-apps-1.0.0.tar.gz

2.25.3 Description

Free open source implementation of the Object Exchange (OBEX) protocol. OBEX is a session protocol and can best be described as a binary HTTP protocol. OBEX is optimized for ad-hoc wireless links and can be used to exchange all kinds of objects like files, pictures, calendar entries (vCal) and business cards (vCard).

The OpenOBEX Project has a sample IrCp (infrared copy) application and an associated ObexFTP application.

2.26 ObexFTP

2.26.1 Manufacturer

OpenOBEX Sourceforge, LGPL GPL

2.26.2 Link - Source

• http://triq.net/obex/

• http://openobex.sourceforge.net/

• http://prdownloads.sourceforge.net/openobex/obexftp-0.10.3.tar.gz

• http://triq.net/obex/examples.html

2.26.3 Description

Free open source implementation of the Object Exchange (OBEX) protocol. OBEX is a session protocol and can best be described as a binary HTTP protocol. OBEX is optimized for ad-hoc wireless links and can be used to exchange all kinds of objects like files, pictures, calendar entries (vCal) and business cards (vCard).

The common usage for ObexFTP is to access your mobile phone’s memory to store and retrieve e.g. your phonebook, logos, ringtones, music, pictures and the like.

2.27 PsmScan

2.27.1 Manufacturer

Collin R. Mulliner

2.27.2 Link - Source

• http://www.betaversion.net/btdsd/


2.27.3 Description

This tool was written as part of the "Bluetooth device security database" project. Some hardware manufacturers could hide "special" functions on PSMs (Protocol/Service Multiplexer) without listing them in the SDP database; this tool should find them. It scans a range of L2CAP PSMs to check if they are open (accept connections).

2.28 RedFang

2.28.1 Manufacturer

Ollie Whitehouse, @stake

2.28.2 Link - Source

• http://www.atstake.com

• http://www.securiteam.com/tools/5JP0I1FAAE.html

• http://cansecwest.com/csw04/csw04-Whitehouse.pdf

2.28.3 Description

RedFang is an application that finds non-discoverable Bluetooth devices by brute-forcing the last six bytes of the device’s Bluetooth address and doing a read_remote_name().

2.28.4 Screenshots / Logo

2.29 RedSnarf

2.29.1 Manufacturer

Ollie Whitehouse, @stake

2.29.2 Link - Source

• http://www.atstake.com

• http://cansecwest.com/csw04/csw04-Whitehouse.pdf

• http://www.thebunker.net/security/bluetooth.htm


2.29.3 Description

RedSnarf is the @stake implementation of the BlueStumbler/BlueSnarf application: OBEX PULL’ing / Snarf’ing.

On some makes of devices, it is possible to connect to the device, without alerting the owner of the target device of the request, and gain access to restricted portions of the stored data, including the phonebook, calendar, realtime clock, business card, properties, IMEI.

The tool and source code is NOT available!

2.29.4 Screenshots / Logo

2.30 The Bluetooth Location Tracker Project

2.30.1 Manufacturer

Collin R. Mulliner, GPL

2.30.2 Link - Source

• http://www.betaversion.net/blt/

• http://www.betaversion.net/blt/blt.pdf

2.30.3 Description

Linux software to track Bluetooth devices in combination with a GPS device.
