Snoop with Kali Linux

10th October 2021, Kathmandu

Bluetooth has become a major component of our lives. Bluetooth contrivances are utilized every day by many individuals around the globe. Most of them, though, have no conception of how it functions and can be perforated. Bluetooth hacking offers assailants a window of opportunity to access confidential information on phones and tablets.

Albeit Bluetooth shares the same frequency of 2.4 GHz as WiFi, the protocol used here is different. You cannot utilize the same resources as WiFi Perforation.

In this article, learn how to identify nearby Bluetooth contrivances, utilize the built-in kali feature, utilize a better cap for locating contrivances, and target the contrivance

Built-In Kali Functions


The first implement is hciconfig same as ifconfig but it is for Bluetooth contrivances.

Hciconfig is the implement used to configure Bluetooth contrivances. Visually perceive affixed Bluetooth contrivances or can integrate the Bluetooth contrivances and configure them accordingly.

When you open hciconfig the state of the contrivance is DOWN. The contrivance should be in the UP and Running state.

Use command hciconfig your-mac-address up. After this command, you can run the hciconfig command again and optically discern that the state has transmuted to UP and Running.

Use hciconfig –help command to get the commands available to utilize. Here I am utilizing few commands as an example. Here I am utilizing -a, p scan, and name command for example purport. You can utilize the man hciconfig command to get more information about hciconfig.


HCITOOL is another built-in implement of Kali Linux for configuring and finding nearby Bluetooth contrivances. This implement sends a special command to Bluetooth contrivances. If no command passed hcitool prints some rudimentary contrivance information and subsists.

You can utilize the man command to find more information on hcitool. Here I am utilizing some commands for example you can explore more by hands-on practice.

The scan command will give you a list of the active contrivances nearby. Here I am utilizing the designation, info, and inquiry commands for illustration purposes.


Sdptool provides an interface for Bluetooth contrivances to perform SDP queries and manage a local SDP database. You can utilize sdptool to get more information on the target contrivance. Utilize man command to get more information about sdptool. Here I am utilizing the browse command for example.

BT Scanner

BT scanner is an implement that is categorically designed to accumulate as much information from a Bluetooth contrivance as possible without the indispensable pairing. A detailed information screen extracts HCI and SDP information and maintains an open link to track the RSSI and connection quality. To get more information utilize the man command.

The following image will show you the default screen of the BT scanner.

By pressing the keys given at the cessation of the page you can run the scans that are available and so sundry other things. Here I am utilizing an inquiry scan for example.

When you’ll press I you’ll get the list of active contrivances nearby. By clicking on them you can get a plethora of information about the contrivance. By amassing as much information as possible it is possible to take an edified conjecture about the contrivance.


Bettercap is the successor to Ettercap and includes attack modules for sundry radio and network technology. We’ll be concentrating on the Bluetooth module today, but Bettercap has a lot more to it than just Bluetooth hacking. Bettercap will withal track down and assail Wi-Fi networks, and when you launch it, by default, it will commence listing contrivances on any network you are on. This adeptness applies well to Bluetooth contrivances being detected and scanned.

The implement comes with a low-energy Bluetooth suite that enables us to do much more than visually examine Bluetooth contrivances nearby. We can probe any contrivance in range for the MAC address and then utilize that MAC address to connect to the contrivance and get data about it. Ultimately, albeit it changes its MAC address, we can inscribe data to the computer to endeavor to exploit it, like a tag to monitor the contrivance over time.

After installing bettercap use –help command to ken the active modules.

Start probing the Bluetooth contrivance with a net. recon on command. The list of active Bluetooth contrivances can be optically discerned.

Start bettercap in sniffing mode utilizing ble. recon on command. The list of contrivances that you have discovered from scanning with the ble. show command.

After getting the scan results you can dig a little deeper into the contrivance. But the paramount thing is to ken the MAC Address of the target. To enumerate details about the contrivance you can utilize ble.enum command.

Inditing on the contrivance

You can optically discern that some of the accommodations have inscribed property enabled on them. You can access the property. Let’s endeavor to indite some data on the contrivance discovered. We can indite the value of “any-value-you-want” to that contrivance by inscribing the command ble.write, TheMacAddress, TheFieldToWriteTo and ValueToWrite. It’s not obligatory that you will be able to indite on the contrivance all the time.

We can utilize Bettercap to commence poking around for ways to further exploit nearby contrivances if we learn a contrivance is running an accommodation with a susceptibility that we can exploit by inscribing to a value. Utilizing MAC address randomization, we can withal utilize these fields to dactylogram contrivances, as the values will uniquely identify a contrivance that alters other properties such as its MAC address to endeavor to eschew correlation.


Bluetooth radio transmissions can be discovered and unmasked to track the people and contrivances behind. We have the major chance of prosperously assailing this contrivance by kenning the type of hardware and the version of the software that we detect.


Please enter your comment!
Please enter your name here