The Bluetooth Service Discovery Protocol (SDP) is used to publish and enumerate the services of a Bluetooth device. Through SDP, your mobile phone knows that your Mac accepts file transfers or can extend your wired network over Bluetooth, for example.

We can enumerate the SDP information for a given device with the Linux command “sdptool”:

$ sdptool records 00:1D:25:EC:47:86

Service Name: FTP
Service RecHandle: 0x10002
Service Class ID List:
  "OBEX File Transfer" (0x1106)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 2
  "OBEX" (0x0008)
Language Base Attr List:
  code_ISO639: 0x656e
  encoding:    0x6a
  base_offset: 0x100
Profile Descriptor List:
  "OBEX File Transfer" (0x1106)
    Version: 0x0100

This output shows us that the target is publishing the OBEX File Transfer service (the target is a Windows Mobile phone). The developer who implemented this profile gave it the service name “FTP”, which is what you would see in a typical GUI interface to identify this service.

Notice the data following the Language Base Attribute List, “code_ISO639”. This field is referring to ISO specification 639:1988 (E/F), used to denote a 2-letter code for the language used to denote human-readable fields associated with this service. This language code will often correspond to the language pack on the host operating system. In this example, the value 0x656e corresponds corresponds to the hexadecimal equivalent of the ASCII letters “en”, denoting the English language used on this system.

I find this information very useful since it helps me in selecting the right exploit for the target, using my two favorite penetration testing tools, the Metasploit Framework and Core IMPACT.

I’ve modified the ISO specification to also include the hexadecimal values for the language code, making it easy to interpret the output from sdptool, available Projects section.

If anyone finds the language code 0x656f, please drop me a note.

-Josh