Wireless Security
Re: Bluetooth testing... Aug 07 2008 08:37PM
Joshua Wright (jwright hasborg com)

Serg B wrote:
| Thanks for all replies so far, just a quick update with more detail...
| I am planning to be using a Linux based laptop with a USB bluetooth
| dongle...
| Not sure if the equipment is right or not, so any feedback on that
| front is also appreciated.

The tools mentioned by various posters such as BlueMaho and BlueDiving
are all useful, though some functionality may not work as expected.
Best to become comfortable with the code and what is being called (often
external executables) and use those tools directly instead.

From a hardware perspective, I have had a lot of luck with the Zoom
Bluetooth USB dongle on Linux (http://tinyurl.com/5pn485). It is easy
to modify to accept an external 2.4 GHz antenna, is a class 1
transmitter (e.g. 100 mW), supports Bluetooth 2.0 extensions (including
RSSI reporting introduced in Bluetooth 1.2) and works well on Linux and
Windows systems.

Instructions on modifying this dongle to work with an external antenna
are available from Gary Coleman (aka KF):
http://www.digitalmunition.com/zoom-mod/ in 4 succinct steps.

If you are hardcore about Bluetooth testing, you'll want to identify
devices in non-discoverable mode too. The talk about using RedFang or
other brute-force mechanisms to do this is BS; you need to use a
software-defined radio such as the USRP and GNURadio with Dominic
Spill's gr-bluetooth code:


This will run you ~$1000/USD with a USRP Software Defined Radio
(www.ettus.com) and the USRP Flex2400 2.4 GHz receiver. Alternatively,
you can snag a Cognio Spectrum Expert card that will give you the same
information (~$3000/USD) and it runs on Windows.

For either solution, you will get the last 3 bytes of the BD_ADDR of a
Bluetooth device actively transmitting, regardless of whether it is
discoverable or not. With the last 3 bytes of the BD_ADDR, you can
brute-force the first three bytes of BD_ADDR (representing the OUI)
using the list of common Bluetooth OUIs from the BNAP, BNAP project:


I modified btscanner to search through the list of common OUIs given
the last three bytes of BD_ADDR, available here:


Make sure you do a "./configure ; make ; make install" to get the files
in the right places. Press "l" to enter the LAP and start searching
(faster if you have multiple dongles connected; I usually use 4 at the
same time). If you run into a problem, please drop me a note.

The bottom line is that Bluetooth analysis is still a big mystery to
lots of end-users and pen-testers, and I personally feel that it doesn't
get the attention it deserves. We spend a bunch of time going over
exploiting Bluetooth in my SANS Wireless Penetration Testing course
(http://www.sans.org/training/description.php?mid=3) on day 5,
specifically on how to apply Bluetooth security testing in a pen-test
engagement. Students also get the Zoom USB dongle as part of the class
(along with an AirPcap TX and drivers for Linux and Windows, and the
BU-353 USB GPS).

One last parting note; don't overlook the basic stuff in a pen-test
engagement. I have been successful in getting lots of critical data
from Bluetooth phones using nothing more devious than the Nokia PC Suite
software on many occasions.

-Josh
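The BD_ADDR recombination described in the post (a LAP recovered over the air plus a list of likely vendor OUIs), as an added Python example that is not code from the post or from btscanner. The OUI values below are constructed placeholders standing in for the BNAP, BNAP list, and the code only builds the candidate address list; it does not talk to any radio.

```python
# Added example, not part of the original post or of btscanner.
# A 48-bit Bluetooth address AA:BB:CC:DD:EE:FF splits into the upper three
# bytes (NAP + UAP, i.e. the vendor OUI) and the lower three bytes (the LAP,
# which is what a passive sniffer such as gr-bluetooth can recover).
from typing import Iterable, List, Tuple

_HEX = set("0123456789ABCDEF")


def _octets(value: str, count: int, what: str) -> List[str]:
    """Validate a colon-separated hex string with exactly `count` octets."""
    parts = value.upper().split(":")
    ok = len(parts) == count and all(len(p) == 2 and set(p) <= _HEX for p in parts)
    if not ok:
        raise ValueError(f"malformed {what}: {value!r}")
    return parts


def parse_bd_addr(addr: str) -> Tuple[str, str]:
    """Split a full BD_ADDR into (OUI, LAP), both as "XX:XX:XX" strings."""
    parts = _octets(addr, 6, "BD_ADDR")
    return ":".join(parts[:3]), ":".join(parts[3:])


def candidate_addresses(lap: str, ouis: Iterable[str]) -> List[str]:
    """Expand one recovered LAP against an OUI list into full BD_ADDRs.

    Order is preserved so that a list sorted by vendor frequency is walked
    most-likely-first; duplicate OUIs are skipped so the scan does not
    repeat work."""
    lap_str = ":".join(_octets(lap, 3, "LAP"))
    seen, out = set(), []
    for oui in ouis:
        oui_str = ":".join(_octets(oui, 3, "OUI"))
        if oui_str in seen:
            continue
        seen.add(oui_str)
        out.append(f"{oui_str}:{lap_str}")
    return out


# Constructed placeholder OUIs (not real vendor assignments).
SAMPLE_OUIS = ["00:11:22", "00:aa:bb", "00:11:22", "02:03:04"]

if __name__ == "__main__":
    oui, lap = parse_bd_addr("00:11:22:33:44:55")
    print(f"OUI={oui} LAP={lap}")
    for cand in candidate_addresses(lap, SAMPLE_OUIS):
        print(cand)
```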