and as such, we use layer 2 addresses, MAC addresses, to communicate with the devices.
If we want to go about brute-forcing Bluetooth devices, there is one last tool that we are going to take a look at. This is a program called RedFang, which was developed as a proof of concept to identify nondiscoverable Bluetooth devices. Just because an inquiry scan doesn’t return much of anything doesn’t mean that there aren’t Bluetooth devices around. RedFang helps us to identify all of those devices. Once we’ve identified them, we may be able to use them down the road a little. Using RedFang, we can let it scan all possible addresses or we can specify a range. In Example 7-17, we’ve selected a range of addresses to look for devices in.
Example 7-17. Brute-force Bluetooth scanning with RedFang
root@savagewood:/# fang -r 007500000000-0075ffffffff -s
redfang - the bluetooth hunter ver 2.5
(c)2003 @stake Inc
author: Ollie Whitehouse
enhanced: threads by Simon Halsall
enhanced: device info discovery by Stephen Kapp
Scanning 4294967296 address(es)
Address range 00:75:00:00:00:00 -> 00:75:ff:ff:ff:ff
Performing Bluetooth Discovery...
Even just scanning the range 00:75:00:00:00:00 through 00:75:ff:ff:ff:ff, a range selected entirely at random, gives us 4,294,967,296 addresses to scan. I’ll save you from counting the positions. That’s more than 4 billion potential devices. And we’re just scanning a small slice of the possible number of devices. Scanning the entire range would mean looking through 281,474,976,710,656 device addresses.
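To put those numbers in perspective, the following added example (not code from the book or from RedFang) parses a range in the form passed to fang -r, counts the addresses it covers, and estimates how long a full sweep would take. The per-address probe time and thread count are assumed values chosen for illustration, not measured RedFang figures.

```python
import string

# Assumed values for illustration only; not measured RedFang behaviour.
SECS_PER_PROBE = 3.0   # assumed time spent waiting on one address
THREADS = 4            # assumed number of parallel probes
FULL_SPACE = "000000000000-ffffffffffff"  # every 48-bit device address


def parse_range(spec):
    """Parse 'START-END' as given to fang -r: 12 hex digits on each side."""
    start_s, sep, end_s = spec.strip().partition("-")
    for part in (start_s, end_s):
        if not sep or len(part) != 12 or any(c not in string.hexdigits for c in part):
            raise ValueError(f"bad range {spec!r}: need 12 hex digits, '-', 12 hex digits")
    start, end = int(start_s, 16), int(end_s, 16)
    if start > end:
        raise ValueError("range start is above range end")
    return start, end


def fmt_addr(addr):
    """Render a 48-bit address in the colon notation RedFang prints."""
    raw = f"{addr:012x}"
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def address_count(start, end):
    """Number of addresses in the inclusive range."""
    return end - start + 1


def sweep_seconds(count, secs_per_probe, threads):
    """Wall-clock estimate for probing every address once."""
    return count * secs_per_probe / threads


def human(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.0f} seconds"


if __name__ == "__main__":
    for label, spec in (("Example 7-17", "007500000000-0075ffffffff"), ("entire space", FULL_SPACE)):
        start, end = parse_range(spec)
        n = address_count(start, end)
        est = human(sweep_seconds(n, SECS_PER_PROBE, THREADS))
        print(f"{label}: {fmt_addr(start)} -> {fmt_addr(end)}  {n:,} addresses  ~{est}")
```

Under these assumptions even the range from Example 7-17 takes on the order of a century to sweep, so an exhaustive scan is only practical over a much narrower range.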