Bluetooth hacking with Redfang

Searching hidden bluetooth devices with software called redfang.
This little tool will find hidden bluetooth devices but it will take a lots of time because it scan through every address from given range.
Example range 00803789EE76-00803789EEff (138 address(es)) take about 50 minutes to scan.
You can download redfang here: redfang.2.5.tar.gz

On this post I will search device:

  • 0001e364dd9b Siemens Gigaset SL2 Professional

Which should be really easy to find because I know it’s address.

So I use command fang and give it range 0001e364dd9a to 0001e364dd9d (I know that it’s just four address):



and it found my GigaSet phone called ScriptKiddie =)

When I turn on bluetooth on my Nokia Communicator E90 results will be little different:
[cc lang=”bash”]
Found: PIN1234 [00:1a:89:xx:xx:xx]
Getting Device Information.. Connected.
LMP Version: 2.0 (0x3) LMP Subversion: 0x6cc
Manufacturer: Cambridge Silicon Radio (10)
Features: 0xbf 0xee 0x0f 0x46

<3-slot packets>
<5-slot packets>

<3-slot EDR ACL> <5-slot EDR ACL>


If you just want to find example Nokia phones and your have too much time you can scan through everything under 00-02-EE which will take a lots of time but…
You can find whole list of manufactures and mac-address here:

3 comments to Bluetooth hacking with Redfang

  • tgcakuct

    It’s difficult to obtain knowledgeable folks on this topic, but you sound like you know what you’re talking about! Thanks

  • mike

    138 address takes 50 mins…

    My question then is what real-world uses would this tool have? Even if I target a phone of a specific vendor, that doesn’t look all too promising in finding a valid MAC address in any decent amount of time…

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>