Metadata-Version: 2.1
Name: bluescan
Version: 0.0.9
Summary: A powerful Bluetooth scanner for scanning BR/LE devices, LMP, SDP, GATT and vulnerabilities!
Home-page: https://github.com/fO-000/bluescan
Author: fO_000
Author-email: fO_000@protonmail.com
License: BSD
Description: # bluescan
        
        A powerful Bluetooth scanner that supports scanning:
        
        * BR devices
        * LE devices
        * LMP
        * GATT
        * SDP
        * Vulnerabilities (demo)
        
        ## Requirements
        
        ```sh
        sudo apt install libglib2.0-dev libbluetooth-dev
        
        # This tool is based on BlueZ, the official Linux Bluetooth stack.
        # If you want to try the vulnerabilities scanning, see requirements in
        # README.md of https://github.com/ojasookert/CVE-2017-0785
        ```
        
        The Bluetooth adapters using following chips are recommended:
        
        * Broadcom
        * CSR
        
        ## Install
        
        ```sh
        sudo pip3 install bluescan
        ```
        
        ## Usage
        
        ```txt
        $ bluescan -h
        
        Usage:
            bluescan (-h | --help)
            bluescan (-v | --version)
            bluescan [-i <hcix>] -m br [--inquiry-len=<n>]
            bluescan [-i <hcix>] -m lmp BD_ADDR
            bluescan [-i <hcix>] -m sdp BD_ADDR
            bluescan [-i <hcix>] -m le [--timeout=<sec>] [--le-scan-type=<type>] [--sort=<key>]
            bluescan [-i <hcix>] -m gatt [--include-descriptor] --addr-type=<type> BD_ADDR
            bluescan [-i <hcix>] -m vuln --addr-type=br BD_ADDR
        
        Arguments:
            BD_ADDR    Target Bluetooth device address
        
        Options:
            -h, --help                  Display this help
            -v, --version               Show the version
            -i <hcix>                   HCI device for scan [default: hci0]
            -m <mode>                   Scan mode, support BR, LE, LMP, SDP, GATT and vuln
            --inquiry-len=<n>           Inquiry_Length parameter of HCI_Inquiry command [default: 8]
            --timeout=<sec>             Duration of LE scan [default: 10]
            --le-scan-type=<type>       Active or passive scan for LE scan [default: active]
            --sort=<key>                Sort the discovered devices by key, only support RSSI now [default: rssi]
            --include-descriptor        Fetch descriptor information
            --addr-type=<type>          Public, random or BR
        ```
        
        ## Example
        
        * Scan BR device
        
          ```txt
          $ sudo bluescan -m br
          [INFO] BR scanning on hci0 with timeout 10.24 sec
          
          addr: ??:??:??:??:??:??
          name: HUAWEI P30 Pro
          class: 0x5A020C
              Service Class: 0b1011010000
                  Telephony (Cordless telephony, Modem, Headset service, ...)
                  Object Transfer (v-Inbox, v-Folder, ...)
                  Capturing (Scanner, Microphone, ...)
                  Networking (LAN, Ad hoc, ...)
              Major Device Class: 0b10, Phone
          rssi: -52
          ```
        
        * Scan LMP
        
          ```txt
          $ sudo bluescan -m lmp ??:??:??:??:??:??
          Version
              Version:
                  Bluetooth Core Specification 5.0 (LMP)
                  Bluetooth Core Specification 5.0 (LL)
              Manufacturer name: 271
              Subversion: 4887
          
          LMP features
              3 slot packets: True
              5 slot packets: True
              Encryption: True
              Slot offset: True
              Timing accuracy: True
              Role switch: True
              Hold mode: False
              Sniff mode: True
        
          Extended LMP features
          Page 0
              ... ...
          Page 1
              ... ...
          Page 2
              ... ...
          ```
        
        * Scan LE device
        
          ```txt
          $ sudo bluescan -m le
          [Warnning] Before doing active scan, make sure you spoof your BD_ADDR.
          LE active scanning on hci0...timeout 10 sec
        
          BD_ADDR:     4c:34:78:26:ad:71
          Addr type:   random
          Connectable: True
          RSSI:        -94 dB
          General Access Profile:
                  Flags (0x01): 06
                  Manufacturer (0xFF): 4c0010054b1c3debf9
        
          BD_ADDR:     28:11:a5:41:28:27
          Addr type:   public
          Connectable: True
          RSSI:        -91 dB
          General Access Profile:
                  Flags (0x01): 19
                  Complete 16b Services (0x03): 0000febe-0000-1000-8000-00805f9b34fb,0000fe26-0000-1000-8000-00805f9b34fb
                  Manufacturer (0xFF): 010951100d8851abf2f196f2
                  Tx Power (0x0A): f6
        
          ... ...
          ```
        
        * Scan (Discover) SDP
        
          ```txt
          $ sudo bluescan -m sdp ??:??:??:??:??:??
          Service Record
          0x0000: ServiceRecordHandle (uint32)
              0x0001000a
          0x0001: ServiceClassIDList (sequence)
              uuid: 0x112f (Phonebook Access – PSE)
          0x0004: ProtocolDescriptorList (sequence)
              uuid: 0x0100 (L2CAP)
              uuid: 0x0003 (RFCOMM)
                  channel: 0x13
              uuid: 0x0008 (OBEX)
          0x0005: BrowseGroupList (sequence)
              uuid: 0x1002 (PublicBrowseRoot)
          0x0009: BluetoothProfileDescriptorList (sequence)
              uuid: 0x1130 (Phonebook Access)
                  <uint16 value="0x0101" />
          0x0100: unknown
              <text value="OBEX Phonebook Access Server " />
          0x0314: unknown
              <uint8 value="0x01" />
          
          ... ...
          ```
        
        * Scan (Discover) GATT
        
          ```txt
          $ sudo bluescan -m gatt --addr-type=random ??:??:??:??:??:??
          Number of services: 5
        
        
          Service declaration (3 characteristics)
              Handle: "attr handle" by using gatttool -b <BD_ADDR> --primary
              Type: (May be primary service 00002800-0000-1000-8000-00805f9b34fb)
              Value (Service UUID): 00001800-0000-1000-8000-00805f9b34fb (Generic Access)
              Permission: Read Only, No Authentication, No Authorization
        
              Characteristic declaration (0 descriptors)
                  Handle: 0x0002
                  Type: 00002803-0000-1000-8000-00805f9b34fb
                  Value:
                      Characteristic properties: READ WRITE  
                      Characteristic value handle: 0x0003
                      Characteristic UUID:  00002a00-0000-1000-8000-00805f9b34fb (Device Name)
                  Permission: Read Only, No Authentication, No Authorization
              Characteristic value declaration
                  Handle: 0x0003
                  Type: 00002a00-0000-1000-8000-00805f9b34fb
                  Value: b'???????'
                  Permission: Higher layer profile or implementation specific
          ... ...
          ```
        
        * Vulnerability (demo)
        
          ```txt
          $ sudo bluescan -m vuln --addr-type=br ??:??:??:??:??:??
          ... ...
          CVE-2017-0785
          ```
        
Platform: UNKNOWN
Description-Content-Type: text/markdown
