
RFCOMM Channel Scanner

Each service can be listed via SDP, but advertising a service there is not an actual requirement. That is where the RFCOMM channel scanner comes in: it tries to connect to all 30 RFCOMM channels (1 to 30) of the target address to see what is actually listening.
We can think of an RFCOMM scan as the Bluetooth equivalent of a TCP port scan.
It makes a full connection to each channel, with no packet tricks. If it reaches a channel that requires authorization, the owner of the scanned device is asked to authorize the connection, and for an encrypted link layer even to enter a PIN. If the owner declines, the socket connection is closed. That user interaction takes time.
Time we can use to determine whether the channel is really closed or merely filtered.

##Implementation details:
The idea is to call alarm() right before connect(). If connect() has not returned when timeout seconds have elapsed, the kernel delivers SIGALRM, which runs our handler sig_alrm_handler(), previously registered with signal(SIGALRM, sig_alrm_handler). sig_alrm_handler() just sets the global variable got_timeout to True. The scan evaluation checks this flag and interprets it as the channel being filtered. The pending alarm should be cancelled with alarm(0) as soon as connect() returns, so a late SIGALRM cannot fire during the next probe.
We will use the following libraries to write the RFCOMM scanner:
##Required libraries
##Required variables
##register the signal handler that will handle the SIGALRM signal
##check whether the proper arguments were passed to this script; if not, print the usage and exit
##create a socket for each of the 30 channels one by one; if no protocol parameter is passed, the Bluetooth socket constructor uses RFCOMM as the default (proto=RFCOMM in PyBluez; L2CAP is the other option, but it is not needed here). Then try to connect through the socket created above for each channel in turn using the connect() method: it expects a tuple of the Bluetooth destination address and the channel number, and it raises an exception if the connection attempt was not successful.
##print the result for each channel based on the outcome of the connect() request
- if no exception was thrown and channel_status is 1, the channel is open.
- if got_timeout is True, which is set by the signal handler as described above in the implementation details, the channel is considered filtered.
- if channel_status is 0, the channel is closed.
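The whole procedure above, written out as a complete scanner. This is an added example, not the script from the RCOMM_SCANNER repository: it assumes PyBluez (import bluetooth, BluetoothSocket(RFCOMM).connect((addr, channel))) for the real connection, and the probe logic takes a pluggable connect function so the open/closed/filtered evaluation can be exercised offline with the constructed fake_connect stand-in. One deliberate difference from the text: the SIGALRM handler sets got_timeout and also raises, because a handler that only returns depends on connect() failing with EINTR (PyBluez's C-level connect does that, but Python's own socket calls are retried after a signal per PEP 475).

```python
"""RFCOMM channel scanner (added example, not the page's original script)."""
import signal
import sys
import time
from typing import Callable, Dict

RFCOMM_CHANNELS = range(1, 31)   # RFCOMM channel numbers run from 1 to 30
DEFAULT_TIMEOUT = 5              # seconds before a pending connect counts as filtered

got_timeout = False              # set by the SIGALRM handler, read by the evaluation


class ScanTimeout(Exception):
    """Raised from the SIGALRM handler to abandon a blocking connect()."""


def sig_alrm_handler(signum, frame):
    global got_timeout
    got_timeout = True
    raise ScanTimeout()          # guarantees the blocking call is interrupted


def bluez_connect(addr: str, channel: int) -> None:
    """Real connector: full RFCOMM connection via PyBluez (assumed installed)."""
    import bluetooth  # imported lazily so the module loads without an adapter
    sock = bluetooth.BluetoothSocket(bluetooth.RFCOMM)  # RFCOMM is also the default
    try:
        sock.connect((addr, channel))   # expects a (bdaddr, channel) tuple
    finally:
        sock.close()


def fake_connect(open_channels, slow_channels) -> Callable[[str, int], None]:
    """Constructed stand-in for bluez_connect so the evaluation can run offline:
    slow channels block (like a device waiting for its owner to authorize),
    open channels accept, everything else is refused."""
    def connect(addr: str, channel: int) -> None:
        if channel in slow_channels:
            time.sleep(10)              # the SIGALRM handler aborts this sleep
        if channel in open_channels:
            return
        raise OSError(111, "Connection refused")
    return connect


def probe_channel(addr: str, channel: int,
                  connect: Callable[[str, int], None] = bluez_connect,
                  timeout: int = DEFAULT_TIMEOUT) -> str:
    """Return 'open', 'closed' or 'filtered' for one RFCOMM channel."""
    global got_timeout
    got_timeout = False
    signal.signal(signal.SIGALRM, sig_alrm_handler)
    signal.alarm(timeout)            # arm the timer before the blocking connect
    try:
        connect(addr, channel)
        channel_status = 1           # connect returned: a listener accepted us
    except ScanTimeout:
        channel_status = 0           # alarm fired while connect was pending
    except Exception:                # BluetoothError / OSError: refused, EINTR, ...
        channel_status = 0
    finally:
        signal.alarm(0)              # disarm so a late SIGALRM cannot hit later code
    if channel_status == 1:
        return "open"
    if got_timeout:                  # no answer before the deadline: prompt or filtering
        return "filtered"
    return "closed"


def scan(addr: str, connect: Callable[[str, int], None] = bluez_connect,
         timeout: int = DEFAULT_TIMEOUT) -> Dict[int, str]:
    """Probe all 30 channels in turn and map channel number -> status."""
    return {ch: probe_channel(addr, ch, connect, timeout) for ch in RFCOMM_CHANNELS}


def main(argv) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} <bdaddr>   e.g. {argv[0]} 00:11:22:33:44:55")
        return 2
    for ch, status in scan(argv[1]).items():
        print(f"channel {ch:2d}: {status}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 scanner.py 00:11:22:33:44:55` against a real device (the address is a placeholder). Because every probe is a full connection attempt, a channel that prompts the device owner will show up as filtered only after the full timeout, so the total scan time is bounded by 30 times the timeout; a dropped alarm(0) after a successful connect would let a stray SIGALRM abort an unrelated later probe, which is why the timer is cleared in the finally block.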

You can find the whole script in this repository : RCOMM_SCANNER

Check out some more hacking scripts

1. Sign & Verify message
2. SandBox Detection
3. TCP Proxy

1. Bluetooth discovery
2. Bluetooth SDP browsing
3. Bluetooth OBEX
4. Bluetooth RFCOMM channel scanner
5. Blue Bug Exploit
6. Blue Snarf Exploit
7. Bluetooth spoofing
8. Bluetooth sniffing

1. Stealing saved wifi password from windows
2. Sniffing packets
3. Email Credential sniffers
4. Screenshot with Python
5. Backdoor with Python

1. Hacking commands with Kali Linux
2. Reverse shell in python
3. Keylogger

1. Command and Control Trojan

1. Dictionary Attack

1. Man in Browser Attack