Metadata-Version: 2.1
Name: bluescan
Version: 0.0.7
Summary: A powerful Bluetooth scanner for scanning BR/LE devices, GATT, SDP and vulnerabilities!
Home-page: https://github.com/fO-000/bluescan
Author: fO_000
Author-email: fO_000@protonmail.com
License: UNKNOWN
Platform: UNKNOWN
Description-Content-Type: text/markdown
Requires-Dist: bluepy (>=1.3.0)
Requires-Dist: docopt (>=0.6.2)
Requires-Dist: pybluez (>=0.22)
Requires-Dist: termcolor (>=1.1.0)

# bluescan

A powerful Bluetooth scanner that supports scanning:

* BR devices
* LE devices
* GATT
* SDP
* Vulnerabilities (demo)

## Requirements

```sh
sudo apt install libglib2.0-dev libbluetooth-dev

# This tool is based on BlueZ, the official Linux Bluetooth stack.
# If you want to try vulnerability scanning, see the requirements in the
# README.md of https://github.com/ojasookert/CVE-2017-0785
```

Bluetooth adapters using the following chips are recommended:

* Broadcom
* CSR

## Install

```sh
sudo pip3 install bluescan
```

## Usage

```txt
$ bluescan -h
Usage:
    bluescan (-h | --help)
    bluescan (-v | --version)
    bluescan [-i <hcix>] -m br [--inquiry-len=<n>] [--async]
    bluescan [-i <hcix>] -m le [--timeout=<sec>] [--le-scan-type=<type>] [--sort=<key>]
    bluescan [-i <hcix>] -m sdp BD_ADDR
    bluescan [-i <hcix>] -m gatt [--include-descriptor] --addr-type=<type> BD_ADDR
    bluescan [-i <hcix>] -m vuln --addr-type=br BD_ADDR

Arguments:
    BD_ADDR    Target Bluetooth device address

Options:
    -h, --help                  Display this help
    -v, --version               Show the version
    -i <hcix>                   HCI device for scan [default: hci0]
    -m <mode>                   Scan mode, support BR, LE, SDP, GATT and vuln
    --inquiry-len=<n>           Inquiry_Length parameter of HCI_Inquiry command [default: 8]
    --timeout=<sec>             Duration of LE scan [default: 10]
    --le-scan-type=<type>       Active or passive scan for LE scan [default: active]
    --sort=<key>                Sort the discovered devices by key, only support RSSI now [default: rssi]
    --async                     Asynchronous scan for BR scan
    --include-descriptor        Fetch descriptor information
    --addr-type=<type>          Public, random or BR
```

## Example

* Scan LE device

  ```txt
  $ sudo bluescan -m le
  [Warnning] Before doing active scan, make sure you spoof your BD_ADDR.
  LE active scanning on hci0...timeout 10 sec

  BD_ADDR:     4c:34:78:26:ad:71
  Addr type:   random
  Connectable: True
  RSSI:        -94 dB
  General Access Profile:
          Flags (0x01): 06
          Manufacturer (0xFF): 4c0010054b1c3debf9

  BD_ADDR:     28:11:a5:41:28:27
  Addr type:   public
  Connectable: True
  RSSI:        -91 dB
  General Access Profile:
          Flags (0x01): 19
          Complete 16b Services (0x03): 0000febe-0000-1000-8000-00805f9b34fb,0000fe26-0000-1000-8000-00805f9b34fb
          Manufacturer (0xFF): 010951100d8851abf2f196f2
          Tx Power (0x0A): f6

  ... ...
  ```
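  The `General Access Profile` lines above are the AD structures carried in the advertising PDU, each encoded as `Length | Type | Data`. The following is an added example (not bluescan's own code) that parses such a payload the way a scanner must: it splits the structures, rejects a length that overruns the buffer, expands 16-bit service UUIDs onto the Bluetooth Base UUID, decodes the Flags bits, reads Tx Power as a signed dBm value and splits manufacturer data into its little-endian Company ID and body. The sample bytes are constructed from the values printed above, not captured frames, and the company-name table is a small assumed subset. Note also why the tool warns about spoofing your address: a passive scan only listens for advertisements, whereas an active scan sends SCAN_REQ PDUs that carry the scanner's own BD_ADDR to every advertiser.

```python
import struct
from typing import Dict, List, Tuple

# Suffix of the Bluetooth Base UUID; a 16-bit UUID 0xXXXX expands to 0000XXXX-<suffix>
BT_BASE_UUID_SUFFIX = "-0000-1000-8000-00805f9b34fb"

# Assigned AD types handled here (Core Specification Supplement, Generic Access Profile)
AD_TYPE_NAMES = {
    0x01: "Flags",
    0x02: "Incomplete 16b Services",
    0x03: "Complete 16b Services",
    0x08: "Shortened Local Name",
    0x09: "Complete Local Name",
    0x0A: "Tx Power",
    0xFF: "Manufacturer",
}

# Bit meanings of the Flags AD type
FLAG_BITS = {
    0: "LE Limited Discoverable",
    1: "LE General Discoverable",
    2: "BR/EDR Not Supported",
    3: "Simultaneous LE and BR/EDR (Controller)",
    4: "Simultaneous LE and BR/EDR (Host)",
}

# Assumed subset of Company Identifiers; anything else is reported numerically
COMPANY_IDS = {0x004C: "Apple, Inc.", 0x0006: "Microsoft", 0x00E0: "Google"}


def split_ad_structures(adv: bytes) -> List[Tuple[int, bytes]]:
    """Split raw advertising data into (ad_type, payload) pairs.

    Each AD structure is Length(1) | Type(1) | Data(Length-1). A Length of 0
    marks padding and ends parsing; a Length that runs past the end of the
    buffer is malformed and is rejected rather than silently truncated.
    """
    structures = []
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0:
            break
        if i + 1 + length > len(adv):
            raise ValueError(f"AD structure at offset {i} overruns the buffer")
        ad_type = adv[i + 1]
        structures.append((ad_type, bytes(adv[i + 2 : i + 1 + length])))
        i += 1 + length
    return structures


def decode_ad(adv: bytes) -> Dict[str, object]:
    """Decode the AD structures a scanner would print for one advertiser."""
    decoded: Dict[str, object] = {}
    for ad_type, data in split_ad_structures(adv):
        name = AD_TYPE_NAMES.get(ad_type, f"Unknown (0x{ad_type:02X})")
        if ad_type == 0x01 and data:
            flags = data[0]
            decoded[name] = [desc for bit, desc in FLAG_BITS.items() if flags & (1 << bit)]
        elif ad_type in (0x02, 0x03):
            # 16-bit UUIDs are little-endian; a trailing odd byte is ignored
            even = data[: len(data) // 2 * 2]
            decoded[name] = [f"{u16:08x}{BT_BASE_UUID_SUFFIX}"
                             for (u16,) in struct.iter_unpack("<H", even)]
        elif ad_type in (0x08, 0x09):
            decoded[name] = data.decode("utf-8", errors="replace")
        elif ad_type == 0x0A and data:
            decoded[name] = struct.unpack("<b", data[:1])[0]  # signed dBm
        elif ad_type == 0xFF and len(data) >= 2:
            company = struct.unpack("<H", data[:2])[0]  # little-endian Company ID
            decoded[name] = {
                "company_id": company,
                "company": COMPANY_IDS.get(company, "unknown"),
                "data": data[2:].hex(),
            }
        else:
            decoded[name] = data.hex()
    return decoded


# Constructed sample payloads assembled from the AD values shown in the scan
# output above (not captured frames).
SAMPLE_ADV_PUBLIC = bytes.fromhex(
    "020119"                        # Flags = 0x19
    "0503befe26fe"                  # Complete 16b Services: 0xFEBE, 0xFE26
    "0dff010951100d8851abf2f196f2"  # Manufacturer data
    "020af6"                        # Tx Power = 0xF6 (-10 dBm)
)
SAMPLE_ADV_RANDOM = bytes.fromhex("020106" "0aff4c0010054b1c3debf9")

if __name__ == "__main__":
    for label, adv in (("public", SAMPLE_ADV_PUBLIC), ("random", SAMPLE_ADV_RANDOM)):
        print(f"--- {label} ---")
        for key, value in decode_ad(adv).items():
            print(f"  {key}: {value}")
```

  Everything in the advertisement is self-asserted by the peer: flags, service UUIDs and manufacturer data can all be forged, so treat them as fingerprinting hints, not identity.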

* Scan BR device

  ```txt
  $ sudo bluescan -m br
  BR scanning on hci0...timeout 10.24 sec

  [BR scan] discovered new device
  addr: EC:51:BC:ED:6E:DC
  name: OPPO R11
  class: 0x5A020C


  [BR scan] discovered new device
  addr: 9C:2E:A1:43:EB:5F
  name: 360syh
  class: 0x5A020C

  ... ...
  ```
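  The `class` field in the BR output is the 24-bit Class of Device (CoD) returned in the inquiry response. Bits 0-1 are the format type (only 0 is defined), bits 2-7 the minor device class, bits 8-12 the major device class and bits 13-23 the major service class flags. As an added example, not part of bluescan, the decoder below splits a CoD into those fields and includes the minor-class tables for the Computer and Phone majors; other majors fall back to the raw minor value. Like the advertising data, the CoD is chosen by the remote device and is not authenticated, so a peer can present itself as a "Smartphone" regardless of what it really is.

```python
from typing import Dict

# Major Service Class bits (bits 13-23 of the 24-bit CoD)
MAJOR_SERVICE_CLASSES = {
    13: "Limited Discoverable Mode",
    16: "Positioning",
    17: "Networking",
    18: "Rendering",
    19: "Capturing",
    20: "Object Transfer",
    21: "Audio",
    22: "Telephony",
    23: "Information",
}

# Major Device Class (bits 8-12)
MAJOR_DEVICE_CLASSES = {
    0x00: "Miscellaneous",
    0x01: "Computer",
    0x02: "Phone",
    0x03: "LAN/Network Access Point",
    0x04: "Audio/Video",
    0x05: "Peripheral",
    0x06: "Imaging",
    0x07: "Wearable",
    0x08: "Toy",
    0x09: "Health",
    0x1F: "Uncategorized",
}

# Minor Device Class (bits 2-7) for the majors decoded here
MINOR_DEVICE_CLASSES = {
    0x01: {0: "Uncategorized", 1: "Desktop workstation", 2: "Server-class computer",
           3: "Laptop", 4: "Handheld PC/PDA", 5: "Palm-size PC/PDA",
           6: "Wearable computer", 7: "Tablet"},
    0x02: {0: "Uncategorized", 1: "Cellular", 2: "Cordless", 3: "Smartphone",
           4: "Wired modem or voice gateway", 5: "Common ISDN access"},
}


def decode_cod(cod: int) -> Dict[str, object]:
    """Split a Class of Device value into its service, major and minor fields."""
    if not 0 <= cod <= 0xFFFFFF:
        raise ValueError("Class of Device is a 24-bit value")
    if cod & 0x3 != 0:
        raise ValueError("only CoD format type 0 is defined")
    major = (cod >> 8) & 0x1F
    minor = (cod >> 2) & 0x3F
    services = [name for bit, name in MAJOR_SERVICE_CLASSES.items() if cod & (1 << bit)]
    return {
        "major_device": MAJOR_DEVICE_CLASSES.get(major, f"Reserved (0x{major:02X})"),
        "minor_device": MINOR_DEVICE_CLASSES.get(major, {}).get(minor, f"0x{minor:02X}"),
        "services": services,
    }


def describe_cod(cod: int) -> str:
    """One-line summary in the spirit of a scanner's output."""
    d = decode_cod(cod)
    services = ", ".join(d["services"]) or "none"
    return f"{d['major_device']} / {d['minor_device']}; services: {services}"


if __name__ == "__main__":
    # 0x5A020C is the class reported for both devices in the scan above
    print(describe_cod(0x5A020C))
```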

* Scan (Discover) GATT

  ```txt
  $ sudo bluescan -m gatt --addr-type=random ??:??:??:??:??:??
  Number of services: 5


  Service declaration (3 characteristics)
      Handle: "attr handle" by using gatttool -b <BD_ADDR> --primary
      Type: (May be primary service 00002800-0000-1000-8000-00805f9b34fb)
      Value (Service UUID): 00001800-0000-1000-8000-00805f9b34fb (Generic Access)
      Permission: Read Only, No Authentication, No Authorization

      Characteristic declaration (0 descriptors)
          Handle: 0x0002
          Type: 00002803-0000-1000-8000-00805f9b34fb
          Value:
              Characteristic properties: READ WRITE  
              Characteristic value handle: 0x0003
              Characteristic UUID:  00002a00-0000-1000-8000-00805f9b34fb (Device Name)
          Permission: Read Only, No Authentication, No Authorization
      Characteristic value declaration
          Handle: 0x0003
          Type: 00002a00-0000-1000-8000-00805f9b34fb
          Value: b'???????'
          Permission: Higher layer profile or implementation specific

  ... ...
  ```

* Scan (Discover) SDP

  ```txt
  $ sudo bluescan -m sdp ??:??:??:??:??:??
  Service Record
  0x0000: ServiceRecordHandle (uint32)
      0x0001000a
  0x0001: ServiceClassIDList (sequence)
      uuid: 0x112f (Phonebook Access – PSE)
  0x0004: ProtocolDescriptorList (sequence)
      uuid: 0x0100 (L2CAP)
      uuid: 0x0003 (RFCOMM)
          channel: 0x13
      uuid: 0x0008 (OBEX)
  0x0005: BrowseGroupList (sequence)
      uuid: 0x1002 (PublicBrowseRoot)
  0x0009: BluetoothProfileDescriptorList (sequence)
      uuid: 0x1130 (Phonebook Access)
          <uint16 value="0x0101" />
  0x0100: unknown
      <text value="OBEX Phonebook Access Server " />
  0x0314: unknown
      <uint8 value="0x01" />

  ... ...
  ```

* Vulnerability (demo)

  ```txt
  $ sudo bluescan -m vuln --addr-type=br ??:??:??:??:??:??
  ... ...
  CVE-2017-0785
  ```


