Bluetooth hacking with Redfang

Searching for hidden Bluetooth devices with a tool called Redfang.
This little tool will find hidden Bluetooth devices, but it takes a lot of time because it scans through every address in the given range.
For example, the range 00803789EE76-00803789EEff (138 address(es)) takes about 50 minutes to scan.
You can download Redfang here: redfang.2.5.tar.gz

In this post I will search for this device:

  • 0001e364dd9b Siemens Gigaset SL2 Professional

Which should be really easy to find because I know its address.

So I use the command fang and give it the range 0001e364dd9a to 0001e364dd9d (I know that it’s just four addresses):

[Image: Redfang]

and it found my GigaSet phone called ScriptKiddie =)

When I turn on Bluetooth on my Nokia Communicator E90, the results are a little different:

Found: PIN1234 [00:1a:89:xx:xx:xx]
Getting Device Information.. Connected.
LMP Version: 2.0 (0x3) LMP Subversion: 0x6cc
Manufacturer: Cambridge Silicon Radio (10)
Features: 0xbf 0xee 0x0f 0x46

    <3-slot packets> <5-slot packets> <encryption> <slot offset>
    <timing accuracy> <role switch> <sniff mode> <RSSI>
    <channel quality> <SCO link> <HV3 packets> <u-law log>
    <A-law log> <CVSD> <paging scheme> <power control>
    <transparent SCO> <EDR ACL 2 Mbps> <EDR ACL 3 Mbps>
    <inquiry with RSSI> <AFH cap. slave> <AFH class. slave>
    <3-slot EDR ACL> <5-slot EDR ACL> <AFH cap. master>
    <AFH class. master>

If you just want to find, for example, Nokia phones and you have too much time, you can scan through everything under 00-02-EE, which will take a lot of time but…
You can find the whole list of manufacturers and MAC addresses here: https://standards.ieee.org/products-services/regauth/index.html.
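
To put "a lot of time" into numbers, here is an added example (not part of the original post and not Redfang code) that extrapolates from the measurement above of 138 addresses in about 50 minutes. The function names, and the assumption that scan time grows linearly with the number of addresses and shrinks linearly with the number of adapters, belong to this example only.

```python
import re

# Rate taken from the post: 138 addresses took about 50 minutes.
SECONDS_PER_ADDRESS = 50 * 60 / 138


def _hex_to_int(text, digits):
    """Validate a fixed-width hex string and return it as an integer."""
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % digits, text):
        raise ValueError(f"expected {digits} hex digits, got {text!r}")
    return int(text, 16)


def range_size(spec):
    """Count addresses in an inclusive 'START-END' range of 12-hex-digit addresses."""
    start_txt, sep, end_txt = spec.strip().partition("-")
    if not sep:
        raise ValueError("range must look like START-END")
    start, end = _hex_to_int(start_txt, 12), _hex_to_int(end_txt, 12)
    if end < start:
        raise ValueError("end of range is below start")
    return end - start + 1


def oui_size(prefix):
    """Addresses under one 24-bit vendor prefix such as '00-02-EE'."""
    _hex_to_int(re.sub(r"[:\-]", "", prefix), 6)  # validation only
    return 1 << 24  # the remaining 24 bits are device-specific


def estimate_seconds(count, adapters=1):
    """Assumption: linear scaling with address count and adapter count."""
    return count * SECONDS_PER_ADDRESS / adapters


def human(seconds):
    """Render a duration in the largest unit that applies."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for label, n in (("post's sample range", range_size("00803789EE76-00803789EEff")),
                     ("four-address range", range_size("0001e364dd9a-0001e364dd9d")),
                     ("whole 00-02-EE prefix", oui_size("00-02-EE"))):
        print(f"{label}: {n} addresses, about {human(estimate_seconds(n))}")
```

At that rate a single vendor prefix works out to more than eleven years with one adapter, which is why a non-discoverable device is slow, though not impossible, to locate this way.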

3 comments to Bluetooth hacking with Redfang

  • tgcakuct

    It’s difficult to obtain knowledgeable folks on this topic, but you sound like you know what you’re talking about! Thanks

  • mike

    138 address takes 50 mins…

    My question then is what real-world uses would this tool have? Even if I target a phone of a specific vendor, that doesn’t look all too promising in finding a valid MAC address in any decent amount of time…
