hope this helps, it's of a web site by pauldotcom.com
Scanning for bluetooth and total pwnage with Bluesnarfer
first off, you are going to want to install the bluez libraries, and bluez utilities for your Linux distro of choice. Or use Backtrack...
Most installations will automatically start up the bluetooth adaptor as the hci0 interface. We can verify this with one of the bluez tools hciconfig. hciconfig without any other command line options will show us info on all of our bluetooth adaptors. If hci0 isn't up, we can set it up, with hciconfig hci0 up.
Verify bluetoothe devices exist in your environment with hcitool, another bluez utility. Use hcitool scan, and it will return all of the available BT devices with the btaddr (Mac address). Success? Sweet.
Btscanner can be used to scan as well, and obtain info in a format that is a little easier to use. You'll need to download and compile btscanner - we found that with the Linksys USBT100 btscanner works best when started with the --no-reset option. This will prevent btscanner from resetting hte device before starting. btscanner will scan for discoverable devices once started with the i comand - b will perform a bruteforce scan, scanning for all possible BT btaddrs!
Bluescanner for win32! Won't work with the default widcomm drivers though.
hcitool can also be used to obatin much of the same info as btscanner :-)
Got a vulnerable phone? Btscanner will compare the btaddr to a database, and list the attacks possible - mostly snarf attacks. The database is limited, so test what you discover in your environment.
record the btaddr of the device vulnerable to the snarf attack so we can use it with bluesnarfer. One problem with the default install of bluesnarfer is that bluesnarfer.h expects the bluetooth device to be connected to /dev/bluetooth/rfcomm/<device ID> (likely 0). I've tried modifying the source to point to the default install without much success and chasing my tail. Modding the source also isn't possible on Backtrack, where bluesnarfer doesn't work either! Yes, I tried 2.0.
The solution with the default sourcecode is real easy, this works for Backtack too. The problem is that the device nodes are missing for bluesnarfer to function, so let' create them. As root, do:
mkdir -p /dev/bluetooth/rfcomm then mknod -m 666 /dev/bluetooth/rfcomm/0 c 216 0
These will not survive a reboot, so you may want to add them to startup, or create a script :-)
Once the nodes have been created, bluesnarfer will be happy. Let's use it.
In order to grab phonebook entries, we'll give bluesnarfer the -r switch folloewd by the phone book entries we want and the -b switch with the :
bluesnarfer -r 1-100 -b <btaddr>
Delete the phonebook? Sure!:
bluesnarfer -w 1-100 -b <btaddr>
Now the fun part. Custom AT commands. How about making the phone dial a number of our choice? We can issue AT commands to the vulnerable phones with the -c switch:
bluesnarfer -c 'ATDT5551212;' -b <baddr>
Note that we have to properly quote the AT command (with single quotes), and include a semicolon as the trailing command character.