Bluetooth has become a major part of our lives. Bluetooth devices are used every day by many individuals around the globe, yet most of them have no idea how the technology works or how it can be penetrated. Bluetooth hacking offers attackers a window of opportunity to access confidential information on phones and tablets.
Although Bluetooth shares the 2.4 GHz band with Wi-Fi, the protocol is different, so you cannot reuse the tools you would use for Wi-Fi penetration testing.
In this article you will learn how to identify nearby Bluetooth devices with the tools built into Kali, how to use Bettercap to locate devices, and how to target a device.
Built-In Kali Functions
HCICONFIG
The first tool is hciconfig, the Bluetooth counterpart of ifconfig.
hciconfig is used to configure Bluetooth adapters: it lists the attached adapters and lets you bring them up, change their settings, and configure them as needed.
When you first run hciconfig, the adapter's state is DOWN. It needs to be in the UP RUNNING state before you can use it.
Run hciconfig hci0 up (replace hci0 with the adapter name that hciconfig listed). Running hciconfig again shows that the state has changed to UP RUNNING.
Run hciconfig --help to see the commands available. As examples, I use the -a option (show full adapter details) and the pscan and name commands. The man hciconfig command gives more information about each of them.
HCITOOL
hcitool is another built-in Kali Linux tool for configuring Bluetooth connections and finding nearby Bluetooth devices. It sends special commands to Bluetooth devices; if no command is passed, hcitool prints some basic information about the local adapter and exits.
You can use the man command to find more information about hcitool. Here I show a few commands as examples; you can explore the rest through hands-on practice.
The scan command lists the discoverable devices nearby. Here I use the name, info, and inquiry (inq) commands for illustration.
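The scan and inquiry output described above is easy to read by eye but awkward to keep as a record. The following added example (not code from the original post) parses the tab-separated lines that hcitool scan and hcitool inq print into an inventory keyed by address, and decodes each device's Class of Device (CoD) into its major class and service flags from the Bluetooth Assigned Numbers. The two captures embedded in it are constructed to follow that layout; the addresses, names and clock offsets are made up.

```python
"""Turn the text printed by `hcitool scan` and `hcitool inq` into an inventory
of discoverable Classic Bluetooth devices, decoding each device's Class of
Device (CoD) so an auditor can see what kinds of devices are advertising.

Added example, not code from the original post. The two captures below are
constructed to follow the tab-separated layout those commands print; the
addresses and names are made up.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample of `hcitool scan` output (one tab-separated line per device).
SCAN_SAMPLE = """Scanning ...
\tAA:BB:CC:DD:EE:01\tMeeting Room Printer
\tAA:BB:CC:DD:EE:02\tCorp Phone 42
"""

# Constructed sample of `hcitool inq` output; the third device answered the
# inquiry but never returned a name during the scan.
INQ_SAMPLE = """Inquiring ...
\tAA:BB:CC:DD:EE:01\tclock offset: 0x6d2a\tclass: 0x080680
\tAA:BB:CC:DD:EE:02\tclock offset: 0x1b0f\tclass: 0x5a020c
\tAA:BB:CC:DD:EE:03\tclock offset: 0x0001\tclass: 0x000104
"""

# Major device class lives in CoD bits 8-12 (Bluetooth Assigned Numbers).
MAJOR_CLASS = {
    0x00: "Miscellaneous", 0x01: "Computer", 0x02: "Phone",
    0x03: "LAN/Network Access Point", 0x04: "Audio/Video", 0x05: "Peripheral",
    0x06: "Imaging", 0x07: "Wearable", 0x08: "Toy", 0x09: "Health",
    0x1F: "Uncategorized",
}
# Major service classes are single bits in CoD bits 13-23.
SERVICE_BITS = {
    13: "Limited Discoverable Mode", 16: "Positioning", 17: "Networking",
    18: "Rendering", 19: "Capturing", 20: "Object Transfer", 21: "Audio",
    22: "Telephony", 23: "Information",
}

ADDR = r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
SCAN_LINE = re.compile(r"^\s*" + ADDR + r"\t(.*)$")
INQ_LINE = re.compile(r"^\s*" + ADDR +
                      r"\s+clock offset:\s*0x[0-9A-Fa-f]+\s+class:\s*0x([0-9A-Fa-f]+)")


@dataclass
class BtDevice:
    addr: str
    name: str = ""                 # empty if the device never answered a name request
    cod: Optional[int] = None
    major: str = ""
    services: List[str] = field(default_factory=list)


def decode_cod(cod: int) -> Tuple[str, List[str]]:
    """Split a Class of Device value into its major class and service flags."""
    major_code = (cod >> 8) & 0x1F
    major = MAJOR_CLASS.get(major_code, f"Reserved (0x{major_code:02x})")
    services = [label for bit, label in SERVICE_BITS.items() if cod & (1 << bit)]
    return major, services


def parse_hcitool(scan_output: str, inq_output: str = "") -> Dict[str, BtDevice]:
    """Merge `hcitool scan` (names) and `hcitool inq` (class) output, keyed by address."""
    devices: Dict[str, BtDevice] = {}
    for line in scan_output.splitlines():
        m = SCAN_LINE.match(line)
        if m:
            addr = m.group(1).upper()
            devices.setdefault(addr, BtDevice(addr)).name = m.group(2).strip()
    for line in inq_output.splitlines():
        m = INQ_LINE.match(line)
        if m:
            addr = m.group(1).upper()
            dev = devices.setdefault(addr, BtDevice(addr))
            dev.cod = int(m.group(2), 16)
            dev.major, dev.services = decode_cod(dev.cod)
    return devices


def inventory_lines(devices: Dict[str, BtDevice]) -> List[str]:
    """One human-readable line per device, sorted by address."""
    out = []
    for addr in sorted(devices):
        d = devices[addr]
        cod = f"0x{d.cod:06x}" if d.cod is not None else "unknown"
        name = d.name or "<no name>"
        out.append(f"{addr}  {name:<22} cod={cod} {d.major or '?'} [{', '.join(d.services)}]")
    return out


if __name__ == "__main__":
    for line in inventory_lines(parse_hcitool(SCAN_SAMPLE, INQ_SAMPLE)):
        print(line)
```

A device that shows up in inq but not in scan (the third address above) is worth noting on its own: it answered the inquiry but did not return a name, which is exactly the kind of quiet, discoverable device an inventory check is meant to surface.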
SDPTool
sdptool provides an interface for performing SDP (Service Discovery Protocol) queries against Bluetooth devices and for managing the local SDP database. You can use sdptool to learn which services a target device offers. Use the man command to get more information about sdptool. Here I use the browse command as an example.
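The browse command prints one block of attributes per service record, separated by blank lines. The following added example (not code from the original post or from BlueZ) parses that text into structured records and maps each advertised RFCOMM channel to the service behind it, which is how a defender would compare a device's exposed profiles with what it is supposed to offer. The capture embedded in it is constructed to follow sdptool's layout and is not output from a real device.

```python
"""Parse the text printed by `sdptool browse <addr>` into structured SDP
service records, so the profiles and RFCOMM channels a device exposes can be
inventoried and compared against what it is supposed to offer.

Added example, not code from the original post. The capture below is
constructed to follow sdptool's record layout (blank line between records,
one attribute per line); it is not output from a real device.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = """Browsing AA:BB:CC:DD:EE:02 ...
Service Name: OBEX Object Push
Service RecHandle: 0x10005
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 12
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0100

Service Name: Headset Audio Gateway
Service RecHandle: 0x10001
Service Class ID List:
  "Headset Audio Gateway" (0x1112)
  "Generic Audio" (0x1203)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 2
Language Base Attr List:
  code_ISO639: 0x656e
  encoding:    0x6a
  base_offset: 0x100
Profile Descriptor List:
  "Headset" (0x1108)
    Version: 0x0102
"""

# Lists we keep; any other "...:" header (e.g. Language Base Attr List) is skipped.
SECTIONS = {
    "Service Class ID List:": "class_ids",
    "Protocol Descriptor List:": "protocols",
    "Profile Descriptor List:": "profiles",
}
ENTRY = re.compile(r'^\s*"([^"]*)"\s*\((0x[0-9A-Fa-f]+)\)')   # e.g.  "RFCOMM" (0x0003)
DETAIL = re.compile(r'^\s+(Channel|PSM|Version):\s*(\S+)')     # e.g.      Channel: 12


def _num(text: str) -> int:
    return int(text, 16) if text.lower().startswith("0x") else int(text)


@dataclass
class SdpRecord:
    name: str = ""
    handle: str = ""
    class_ids: List[dict] = field(default_factory=list)   # {"name", "uuid"}
    protocols: List[dict] = field(default_factory=list)   # {"name", "uuid", "channel"/"psm"}
    profiles: List[dict] = field(default_factory=list)    # {"name", "uuid", "version"}

    @property
    def rfcomm_channel(self) -> Optional[int]:
        for p in self.protocols:
            if p["uuid"].lower() == "0x0003" and "channel" in p:
                return p["channel"]
        return None


def parse_sdptool_browse(text: str) -> List[SdpRecord]:
    records: List[SdpRecord] = []
    rec: Optional[SdpRecord] = None
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():               # a blank line terminates the current record
            if rec is not None:
                records.append(rec)
            rec, section = None, None
            continue
        if line.startswith("Browsing "):
            continue
        if rec is None:
            rec = SdpRecord()
        if line.startswith("Service Name:"):
            rec.name = line.split(":", 1)[1].strip()
        elif line.startswith("Service RecHandle:"):
            rec.handle = line.split(":", 1)[1].strip()
        elif line in SECTIONS:
            section = SECTIONS[line]
        elif line.endswith(":") and not line[0].isspace():
            section = None                 # header of a list we do not track
        elif section and (m := ENTRY.match(line)):
            getattr(rec, section).append({"name": m.group(1), "uuid": m.group(2)})
        elif section and (m := DETAIL.match(line)):
            items = getattr(rec, section)  # detail lines belong to the previous entry
            if items:
                items[-1][m.group(1).lower()] = _num(m.group(2))
    if rec is not None:
        records.append(rec)
    return records


def exposed_rfcomm_channels(records: List[SdpRecord]) -> Dict[int, str]:
    """Map each advertised RFCOMM channel to the service behind it."""
    return {r.rfcomm_channel: r.name for r in records if r.rfcomm_channel is not None}


if __name__ == "__main__":
    for r in parse_sdptool_browse(SAMPLE):
        profs = ", ".join(f"{p['name']} {p['uuid']}" for p in r.profiles)
        print(f"{r.handle} {r.name!r}: rfcomm={r.rfcomm_channel} profiles=[{profs}]")
```

Detail lines (Channel, PSM, Version) are attached to the entry immediately above them, which mirrors how sdptool indents them; an unexpected profile such as OBEX Object Push on a device that should only be a headset is the kind of finding this inventory is meant to make visible.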
btscanner
btscanner is a tool specifically designed to collect as much information from a Bluetooth device as possible without having to pair with it. A detailed information screen shows the HCI and SDP information and keeps an open link to track the RSSI and connection quality. See the man page for more information.
The following image shows the default btscanner screen.
Using the keys listed at the bottom of the screen you can run the available scans and perform various other actions. Here I use an inquiry scan as an example.
Pressing i gives you the list of active devices nearby. Selecting one shows a lot of information about that device. Gathering as much information as possible lets you make an educated guess about what the device is.
Bettercap
Bettercap is the successor to Ettercap and includes attack modules for various radio and network technologies. We will concentrate on the Bluetooth module here, but Bettercap can do much more than Bluetooth hacking. It also discovers and attacks Wi-Fi networks, and when you launch it, it starts by listing the devices on whatever network you are on. The same approach applies to detecting and scanning Bluetooth devices.
The tool comes with a Bluetooth Low Energy (BLE) suite that lets us do much more than list nearby Bluetooth devices. We can search for any device in range, find its MAC address, and then use that address to connect to the device and retrieve data about it. Finally, we can write data to the device to attempt to exploit it, or use written values as a tag to follow the device over time even if it changes its MAC address.
You can download Bettercap from its project page. After installing Bettercap, run the help command to list the available modules.
Start with the net.recon on command; the list of active devices is displayed.
Start BLE discovery with the ble.recon on command, then list the devices the scan has discovered with the ble.show command.
After getting the scan results you can dig a little deeper into a device; the important thing is to know the target's MAC address. To enumerate the details of a device, use the ble.enum command.
Writing on the device
You can see that some of the services have the write property enabled, so that property can be accessed. Let's try writing some data to the discovered device. We can write a value of our choosing to that device by typing the command ble.write TheMacAddress TheFieldToWriteTo ValueToWrite. Writing will not necessarily succeed every time.
If we learn that a device is running a service with a vulnerability that can be triggered by writing to a value, we can use Bettercap to start looking for ways to exploit nearby devices further. These same fields can also be used to fingerprint devices despite MAC address randomization, because their values uniquely identify a device that changes other properties, such as its MAC address, to avoid correlation.
Conclusion
Bluetooth radio transmissions can be discovered and unmasked to track the people and devices behind them. Knowing the type of hardware and the version of the software on a detected device gives us the best chance of attacking it successfully.
I hope you enjoyed this guide to scanning and targeting Bluetooth devices from Kali Linux and learned something new from it.