Bluetooth Pentesting guide
It’s fascinating that our daily lives are full of signals we cannot perceive with our own senses, yet devices use them to communicate over various wireless protocols. Some of the key wireless communication protocols used in IoT include:
Wireless Protocols
- Wi-Fi (Wireless Fidelity)
- Bluetooth
- Zigbee
- Z-Wave
- LoRa (Long Range)
- GSM (Global System for Mobile Communications)
Now, let’s delve deeper into the topic, focusing primarily on the vulnerabilities found in Bluetooth:
Vulnerabilities in Bluetooth
- Authentication Flaws
- MiTM (Man-in-the-Middle Attacks)
- DoS (Denial of Service)
- MAC Spoofing
- PIN Cracking
- Brute Force Attacks
In Android Bluetooth, we often encounter specific vulnerabilities such as:
- RCE (Remote Code Execution)
- EoP (Elevation of Privilege)
- ID (Information Disclosure)
- DoS (Denial of Service)
- PAIR (Pairing without Authentication)
- BlueBorne Vulnerability
At a deeper level, these vulnerabilities can extend to:
- Hardware Exploits
- Memory Leakage
Understanding Bluetooth Operation
The general approach involves scanning nearby devices and initiating attacks using techniques detailed in various online resources and write-ups. Let’s explore the specifics of how Bluetooth works, starting with the required tools.
Installation of Tools
To set up BLE pentesting tools on Ubuntu or Debian OS, use the following bash script:
wget https://raw.githubusercontent.com/IoTSecurity101/BLE-UAE/master/ble_uae.sh
Grant execution permissions to the script:
chmod +x ble_uae.sh
Review the script’s contents before running it, then execute it to install the necessary tools and their dependencies:
./ble_uae.sh
With these tools installed, you’re prepared to explore BLE hacking, fuzzing, and MiTM attacks.
Bluetooth Pentesting Setup
For a Bluetooth penetration test, you will need:
- ESP32 (Espressif Device)
- A Smartband (e.g., from Flipkart for around ₹359)
Steps:
- Flashing Codes to ESP32
- Configuring BLE with a Mobile App
- Reconnaissance Techniques
- Identifying Vulnerabilities
- Using Python and Simple Bash Scripts
- Cheat Sheet for Commands
General Cheat Sheet
dmesg Command for Bluetooth & Firmware:
dmesg | egrep -i 'blue|firm'
Hcitool Commands:
To install hcitool:
sudo apt-get install bluez
For Non-LE Devices:
hcitool scan # Scan basic Bluetooth devices
hcitool info <baddr> # Get information about a Bluetooth device
For LE Devices:
hcitool lescan # Scan LE (Low Energy) devices
hcitool leinfo <baddr> # Get information on LE devices
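hcitool lescan prints only the address and name of each LE device, but the advertisement it receives is a raw sequence of AD structures (length, type, value), and everything in it is broadcast in the clear before any pairing happens. The following Python is added here as an example and is not part of the original guide or of any tool it names: it decodes such a payload so you can audit what a device reveals about itself. The sample payload, the device name and the manufacturer company id 0x1234 are constructed for illustration, not taken from a real capture.

```python
"""Decode the AD structures of a BLE advertising payload.

Each AD structure is `length | type | value`; the type codes used below come
from the Bluetooth Assigned Numbers for the Generic Access Profile.
The sample payload at the bottom is constructed, not a real capture.
"""
import struct

AD_FLAGS = 0x01
AD_INCOMPLETE_16BIT_UUIDS = 0x02
AD_COMPLETE_16BIT_UUIDS = 0x03
AD_SHORT_NAME = 0x08
AD_COMPLETE_NAME = 0x09
AD_TX_POWER = 0x0A
AD_MANUFACTURER = 0xFF

# Bit meanings of the Flags AD value (first byte).
FLAG_BITS = {
    0x01: "LE Limited Discoverable",
    0x02: "LE General Discoverable",
    0x04: "BR/EDR Not Supported",
    0x08: "Simultaneous LE+BR/EDR (Controller)",
    0x10: "Simultaneous LE+BR/EDR (Host)",
}


def split_ad_structures(payload: bytes):
    """Yield (ad_type, value) pairs; a zero length byte marks trailing padding."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        if i + 1 + length > len(payload):
            # A truncated structure: refuse to read past the buffer.
            raise ValueError(f"AD structure at offset {i} runs past end of payload")
        ad_type = payload[i + 1]
        value = payload[i + 2 : i + 1 + length]
        yield ad_type, value
        i += 1 + length


def decode_advertisement(payload: bytes) -> dict:
    """Return the decoded fields of one advertising payload as a dictionary."""
    result = {"service_uuids": []}
    for ad_type, value in split_ad_structures(payload):
        if ad_type == AD_FLAGS and value:
            result["flags"] = [name for bit, name in FLAG_BITS.items() if value[0] & bit]
        elif ad_type in (AD_INCOMPLETE_16BIT_UUIDS, AD_COMPLETE_16BIT_UUIDS):
            # 16-bit service UUIDs are little-endian, two bytes each.
            even = value[: len(value) - len(value) % 2]
            for (uuid,) in struct.iter_unpack("<H", even):
                result["service_uuids"].append(f"0x{uuid:04X}")
        elif ad_type in (AD_SHORT_NAME, AD_COMPLETE_NAME):
            result["name"] = value.decode("utf-8", errors="replace")
        elif ad_type == AD_TX_POWER and value:
            result["tx_power_dbm"] = struct.unpack("<b", value[:1])[0]
        elif ad_type == AD_MANUFACTURER and len(value) >= 2:
            company_id = struct.unpack("<H", value[:2])[0]
            result["manufacturer"] = {"company_id": f"0x{company_id:04X}", "data": value[2:].hex()}
        else:
            result.setdefault("unknown", []).append((ad_type, value.hex()))
    return result


def disclosed_fields(decoded: dict) -> list:
    """List the identifying fields a device broadcasts before any pairing.

    Handy when assessing the information-disclosure surface of a device.
    """
    fields = []
    if "name" in decoded:
        fields.append("local name")
    if decoded["service_uuids"]:
        fields.append("service UUIDs")
    if "manufacturer" in decoded:
        fields.append("manufacturer data")
    return fields


# Constructed sample: Flags (General Discoverable, BR/EDR not supported),
# complete 16-bit UUID list (Heart Rate 0x180D, Battery 0x180F), the made-up
# Complete Local Name "Smartband-01", TX power -4 dBm, and manufacturer data
# with a made-up company id 0x1234 followed by two data bytes.
SAMPLE_ADV = bytes.fromhex(
    "020106"
    "05030D180F18"
    "0D09536D61727462616E642D3031"
    "020AFC"
    "05FF3412BEEF"
)

if __name__ == "__main__":
    decoded = decode_advertisement(SAMPLE_ADV)
    for key, val in decoded.items():
        print(f"{key:14}: {val}")
    print("disclosed in the clear:", ", ".join(disclosed_fields(decoded)))
```

Run it against a payload captured with your own adapter (for example from btmon) by replacing SAMPLE_ADV; the decoder stops at zero padding and raises on a truncated structure rather than reading past the buffer.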
Installing Bleak Library:
sudo pip3 install bleak
sudo pip install service_identity
Usage:
sudo bleak-lescan
SDPTool Command:
sudo sdptool browse --tree --raw <baddr>
This command browses all available services on the specified device using its Bluetooth address.