Bluetooth Pentesting guide

It’s fascinating how, in our daily lives, we are surrounded by signals we can’t perceive with our own eyes, yet devices use them to communicate over various wireless protocols. Some of the key wireless communication protocols used in IoT include:

Wireless Protocols

  • Wi-Fi (Wireless Fidelity)
  • Bluetooth
  • Zigbee
  • Z-Wave
  • LoRa (Long Range)
  • GSM (Global System for Mobile Communications)

Now, let’s delve deeper into the topic, focusing primarily on the vulnerabilities found in Bluetooth:

Vulnerabilities in Bluetooth

  • Authentication Flaws
  • MiTM (Man-in-the-Middle Attacks)
  • DoS (Denial of Service)
  • MAC Spoofing
  • PIN Cracking
  • Brute Force Attacks

In Android Bluetooth, we often encounter specific vulnerabilities such as:

  • RCE (Remote Code Execution)
  • EoP (Elevation of Privilege)
  • ID (Information Disclosure)
  • DoS (Denial of Service)
  • PAIR (Pairing without Authentication)
  • BlueBorne Vulnerability

At a more significant level, these vulnerabilities can extend to:

  • Hardware Exploits
  • Memory Leakage

Understanding Bluetooth Operation

The general approach is to scan for nearby devices and then attempt the attacks described in various online resources and write-ups. Let’s explore the specifics of how Bluetooth works, starting with the required tools.

Installation of Tools

To set up BLE pentesting tools on Ubuntu or Debian, download the following bash script:

wget https://raw.githubusercontent.com/IoTSecurity101/BLE-UAE/master/ble_uae.sh

Grant execution permissions to the script:

chmod +x ble_uae.sh

Execute the script to install the necessary tools and their dependencies:

./ble_uae.sh

With these tools installed, you’re prepared to explore BLE hacking, fuzzing, and MiTM attacks.

Bluetooth Pentesting Setup

For a Bluetooth penetration test, you will need:

  • ESP32 (Espressif Device)
  • A Smartband (e.g., from Flipkart for around ₹359)

Steps:

  1. Flashing Codes to ESP32
  2. Configuring BLE with a Mobile App
  3. Reconnaissance Techniques
  4. Identifying Vulnerabilities
  5. Using Python and Simple Bash Scripts
  6. Cheat Sheet for Commands

General Cheat Sheet

dmesg Command for Bluetooth & Firmware:

dmesg | grep -Ei 'blue|firm'   # egrep is obsolescent; grep -E is the portable form

hcitool Commands:

To install hcitool:

sudo apt-get install bluez

For Non-LE Devices:

hcitool scan          # Scan basic Bluetooth devices
hcitool info <baddr>  # Get information about a Bluetooth device

For LE Devices:

hcitool lescan          # Scan LE (Low Energy) devices
hcitool leinfo <baddr>  # Get information on LE devices

Installing Bleak Library:

sudo pip3 install bleak
sudo pip3 install service_identity

Usage:

sudo bleak-lescan
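What a scanner such as bleak-lescan or hcitool lescan shows you (name, service UUIDs, manufacturer data) is decoded from the advertising payload each device broadcasts. The following is an added example, not part of the original guide or of bleak: it decodes a raw BLE advertising payload into its length-type-value AD structures, rejecting malformed lengths instead of reading past the buffer, and runs offline on a constructed sample for a hypothetical smartband (the company ID 0xFFFF is reserved for testing; the AD type values are from the Bluetooth assigned numbers).

```python
import struct

# AD types from the Bluetooth assigned numbers (subset)
AD_FLAGS, AD_UUID16_INCOMPLETE, AD_UUID16_COMPLETE = 0x01, 0x02, 0x03
AD_NAME_SHORT, AD_NAME_COMPLETE, AD_MANUFACTURER = 0x08, 0x09, 0xFF
FLAG_BITS = {0x01: "LE Limited Discoverable", 0x02: "LE General Discoverable",
             0x04: "BR/EDR Not Supported", 0x08: "Simultaneous LE+BR/EDR (Controller)",
             0x10: "Simultaneous LE+BR/EDR (Host)"}

def split_ad_structures(payload: bytes):
    """Yield (ad_type, data) per length-type-value structure; a zero length means padding."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break  # early termination: the remaining bytes are padding
        if i + 1 + length > len(payload):  # malformed: would read past the end
            raise ValueError(f"AD structure at offset {i} overruns the payload")
        yield payload[i + 1], payload[i + 2:i + 1 + length]
        i += 1 + length

def is_well_formed(payload: bytes) -> bool:
    """True if every AD structure fits inside the payload."""
    try:
        list(split_ad_structures(payload))
        return True
    except ValueError:
        return False

def decode_advertisement(payload: bytes) -> dict:
    """Turn a raw advertising payload into a dict a recon script can inspect."""
    out = {"flags": [], "uuid16": [], "name": None, "manufacturer": None}
    for ad_type, data in split_ad_structures(payload):
        if ad_type == AD_FLAGS and data:
            out["flags"] = [name for bit, name in FLAG_BITS.items() if data[0] & bit]
        elif ad_type in (AD_UUID16_INCOMPLETE, AD_UUID16_COMPLETE):  # UUIDs are little-endian on air
            out["uuid16"] += [f"0x{u:04X}" for (u,) in struct.iter_unpack("<H", data)]
        elif ad_type in (AD_NAME_SHORT, AD_NAME_COMPLETE):
            out["name"] = data.decode("utf-8", errors="replace")
        elif ad_type == AD_MANUFACTURER and len(data) >= 2:  # first two bytes: company ID
            out["manufacturer"] = (f"0x{struct.unpack('<H', data[:2])[0]:04X}", data[2:].hex())
    return out

# Constructed sample: a hypothetical smartband advertising the Battery Service (0x180F)
SAMPLE_ADV = bytes.fromhex(
    "020106"                              # Flags: General Discoverable, BR/EDR not supported
    "03030F18"                            # Complete list of 16-bit UUIDs: 0x180F
    "0A09" + "SmartBand".encode().hex()   # Complete local name (9 bytes)
    + "05FFFFFF0102"                      # Manufacturer data, company 0xFFFF (reserved for testing)
)
```

Feed it the raw advertising bytes captured by your scanner to see exactly which fields a device leaks before any connection is made.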

sdptool Command:

sudo sdptool browse --tree --raw <baddr>

This command browses all available services on the specified device using its Bluetooth address.

© 2024 Mr-IoT