How to use BlueChomp to find undiscoverable bluetooth devices

Intro
Many people think that putting your bluetooth device in undiscoverable mode makes it so that noone can see your device. While this is true for the conventional user, it is not accurate! Bluetooth devices can still be found by knowing or guessing the BDADDR which is the bluetooth equivelant of a MAC Address.

The good news is that guessing a BDADDR is very hard and even when using a program it takes ALOT of time to check all the possible addresses. There are however a couple of tools out there that make it possible. This tutorial is how about one of those tools called BlueChomp by Bluesheep Security.

BlueChomp is an alternative to the program RedFang. BlueChomp can look for devices with all possible addresses, within a specified range, or even from a file that hold a list of BD Addresses. you can always download the latest version of BlueChomp from
http://public.bluesheepsecurity.com/bluechomp-latest.tar

you can also get some files that hold lists of BD Addresses to load into the program. You can get these at the bottom of this page if you wish or from the Bluesheep Security website.

Now lets dive into the use of the program

NOTE: This program is made for a linux machine

After you have downloaded the program all we have to do is extract it

put it into the folder you want it to be in and issue this command

sudo tar -xvf bluechomp-latest.tar

Now we get a folder called "bluechomp" let go into that folder

cd bluechomp

I suggest reading the README file for information on its use but we will be covering it here also

to run the program issue this command in your shell, we will talk about options in a moment, but this shows basic use

sudo ./bluechomp

This command checks all possible BD Addresses it returns the BDADDR of any device that can be found. This includes devices in discoverable mode and also devices that are not in discoverable mode!!! This type of scan however takes a VERY VERY long time there are alot of possibilities to run thru, on top of that the device we are searching for can take a while to respond so if we dont want to miss a device that is actually there we have to allow enough time for it to respond. If we dont wait long enough then we dont know if the device is not present or if it just hasn't responded yet.

Ok but what if you do not want to sit there and wait for the program to scan all those addresses?
Well lets take a look at some options this program has that allow us to cut the time down that it takes to scan for devices.

-d 

this option lets us use more than one dongle we can use it like in this example below

sudo ./bluechomp -d 4

This tells it to use 4 devices to search, they have to be the first 4 dongles plugged in if you have more attached. This functionality helps a little bit but will be updated in the future to improve performance.

-s AND -e

these options allow us to specify a range of addresses to search for.
-s allows us to give a starting address. Alone it will run from the specified address to the address FF:FF:FF:FF:FF:FF.
-e allows us to specify an ending address. We can use it alone or coupled with the -s option. Alone it will run from the
address 00:00:00:00:00:00 to the specified address.
-s -e Using both options together allows us to scan from the address specified after -s until we reach the address specified after -e.
This allows us to specify a range to scan within.

Here is an example of its usage

sudo ./bluechomp -s 00:00:00:00:00:06 -e 00:00:00:01:FF

Again we can use only one of these option or we can use them together like I have shown above.

-i

Another way to specify the BDADDR list to scan for is a file. Unlike the other options a file allows us to specify only specific BD Addresses, therefor we dont have to scan a range of addresses we can check many addresses that are not consecutive. This can be used when we already know the BDADDR(s) that we are looking for. With this option we can also target specific devices, perhaps we are targeting a specific device that we know is vunerable to a certain attack. The file needs to contain one BDADDR on each line. The files can be downloaded from the website, made by yourself, or generated from found devices using the -f option Here is its usage

sudo ./bluechomp -i input.txt

This suggests that the file is in the same directory as bluechomp if the file is located somewhere else you can use a full path to the location such as /root/home/file.txt

-f

Ok Now as mentioned we can dump the addresses we find to a file and we can even load them later on if we want with the -i option.
To do this we use the -f option. When we use this option we dont see any output to the screen, when the program is done scanning then we see the shells prompt. Here I show an example that saves all the found devices into a file called output.txt

sudo ./bluechomp -f output.txt

-l 1

The LOOP option is best used when you are loading from a file using the -i option, however it can always be used with any type of scan. it simply keeps searching from begining to end then it goes back to the begining and starts scanning again. When you use this option the program will never stop looping you must hit CTRL+C to exit the program. you must type the number 1 after it like in the below example, this will turn it on

sudo ./bluechomp -l 1 

This option will loop thru all the possibilities which will take forever, but if you combine it with the -i option or specify a range with the -s and -e options then the -l option becomes more useful. Note that if you are logging to a file with the -f option and a device is discovered then loops and is discovered again it will put a second entry into the log, future versions should fix this issue

I hope you have enjoyed this tutorial any questions can be asked here or use the contact form over at the Bluesheep Security website
http://www.bluesheepsecurity.com