___ _ _ ___ _ _ ____ | _ \ | | |_ _| \ | | _ \ | | | | | | || || \| | | | | | |_| | |_| || || |\ | |_| | |____/ \___/|___|_| \_|____/
Core Function: BlueZ is the official Linux Bluetooth protocol stack, providing the daemons, libraries, and command-line utilities required to manage and interact with Bluetooth devices.
Primary Use-Cases:
Device Discovery & Enumeration: Identifying active Bluetooth Classic and Low Energy (LE) devices within proximity.
Service Discovery: Enumerating the services and profiles offered by a target device to identify potential attack surfaces.
Traffic Interception & Analysis: Capturing and analyzing Bluetooth traffic to understand communication protocols and find vulnerabilities.
Device Spoofing & Impersonation: Simulating legitimate devices to test the security of pairing and authentication mechanisms.
Protocol Fuzzing: Sending malformed data to various Bluetooth layers (L2CAP, RFCOMM) to uncover denial-of-service or remote code execution vulnerabilities.
Penetration Testing Phase:
Reconnaissance: Discovering and identifying Bluetooth-enabled targets.
Scanning & Enumeration: Mapping the services and characteristics of identified devices.
Gaining Access/Exploitation: Attacking weak pairing mechanisms or vulnerable services.
Maintaining Access/Sniffing: Monitoring traffic post-compromise.
Brief History: BlueZ originated as a project by Qualcomm in 2001 and quickly became the de facto Bluetooth stack for the Linux kernel. It is an open-source project that has continuously evolved to support new Bluetooth specifications, including Bluetooth Low Energy (BLE) and, more recently, Bluetooth Mesh networking. Its comprehensive toolset has made it an indispensable component for developers and cybersecurity professionals working with Bluetooth on Linux.
Before conducting any operations, an ethical hacker must ensure their toolkit is properly installed and functional. This section covers the foundational steps for getting BlueZ ready for an engagement.
Command:
Bash
dpkg -s bluez
Command Breakdown:
dpkg: The Debian package manager command.
-s bluez: Queries the status of the package named bluez.
Ethical Context & Use-Case: This is a preliminary check to confirm that the core BlueZ package is installed on your system. Before starting a penetration test, verifying that all necessary tools are present prevents delays and ensures a smooth workflow. This command provides version information and confirms the installation status.
--> Expected Output:
Package: bluez Status: install ok installed Priority: optional Section: admin Installed-Size: 4811 Maintainer: Debian Bluetooth Maintainers <pkg-bluetooth-maintainers@lists.alioth.debian.org> Architecture: amd64 Version: 5.82-1 Depends: libc6 (>= 2.34), libdbus-1-3 (>= 1.9.14), libglib2.0-0 (>= 2.31.8), libreadline8 (>= 6.0), libudev1 (>= 183) Recommends: bluetooth Description: Bluetooth tools and daemons BlueZ is the official Linux Bluetooth protocol stack. Homepage: http://www.bluez.org
Command:
Bash
sudo apt update && sudo apt install bluez
Command Breakdown:
sudo: Executes the command with superuser (root) privileges.
apt update: Refreshes the local package index.
&&: A shell operator that runs the second command only if the first one succeeds.
apt install bluez: Installs the bluez package.
Ethical Context & Use-Case: If the verification step shows that BlueZ is not installed, this command is used to install it. It's crucial to have the latest version to ensure support for modern Bluetooth standards and to have the most up-to-date security patches for the tools themselves. This command must be run on a system you own and control for security research.
--> Expected Output:
Hit:1 http://kali.download/kali kali-rolling InRelease Reading package lists... Done Building dependency tree... Done Reading state information... Done ... Reading package lists... Done Building dependency tree... Done Reading state information... Done bluez is already the newest version (5.82-1). 0 upgraded, 0 newly installed, 0 to remove and 130 not upgraded.
bluetoothctl Help MenuCommand:
Bash
bluetoothctl --help
Command Breakdown:
bluetoothctl: The primary interactive command-line tool for managing Bluetooth devices.
--help: A standard flag to display the tool's available options and a summary of its usage.
Ethical Context & Use-Case: Viewing the help menu is a fundamental step in understanding a tool's capabilities. For a penetration tester, it provides a quick reference for syntax, available commands, and options, which is essential for planning an assessment strategy. It confirms the tool is installed and executable.
--> Expected Output:
Usage: bluetoothctl [OPTION?] Help Options: -h, --help Display help -v, --version Display version -t, --timeout Timeout in seconds for non-interactive mode -m, --monitor Enable monitor output -e, --endpoints Register Media endpoints -a, --agent Register agent handler: <capability>
This section forms the core of our BlueZ exploration, detailing the individual tools and their commands. Each operation is broken down for clarity, emphasizing its role in a structured, ethical security assessment.
hciconfig: Local Adapter Management (Legacy)hciconfig is used to configure local Bluetooth HCI (Host Controller Interface) devices. While largely superseded by btmgmt and bluetoothctl, it remains a quick and useful tool for basic adapter setup and verification.
Command:
Bash
hciconfig
Command Breakdown:
hciconfig: When run without arguments, it displays information about all available local Bluetooth adapters.
Ethical Context & Use-Case: This is the first step in any Bluetooth assessment. An ethical hacker must identify the wireless interface (hci0, hci1, etc.) they will be using for the engagement. This command verifies that the hardware is recognized by the system and shows its current status and BD_ADDR (Bluetooth Device Address).
--> Expected Output:
hci0: Type: Primary Bus: USB BD Address: 00:1A:7D:DA:71:13 ACL MTU: 310:10 SCO MTU: 64:8 UP RUNNING PSCAN ISCAN RX bytes:1456 acl:0 sco:0 events:88 errors:0 TX bytes:3964 acl:0 sco:0 commands:88 errors:0
Command:
Bash
sudo hciconfig hci0 up
Command Breakdown:
sudo: Required as changing device state requires root privileges.
hciconfig: The configuration utility.
hci0: The target interface to modify.
up: The command to enable and initialize the interface.
Ethical Context & Use-Case: If an adapter is administratively down, it cannot transmit or receive. This command activates the specified interface, making it ready for scanning and other operations. This is a prerequisite for any active reconnaissance.
--> Expected Output: (No output is printed on success, but hciconfig can be run again to verify the UP flag is present).
Command:
Bash
sudo hciconfig hci0 down
Command Breakdown:
sudo: Required for device state modification.
hciconfig: The configuration utility.
hci0: The target interface.
down: The command to close the interface.
Ethical Context & Use-Case: Disabling the Bluetooth adapter is crucial for maintaining operational security (OPSEC). When not actively in use during a penetration test, the adapter should be disabled to prevent the testing machine itself from being discovered or fingerprinted by other devices.
--> Expected Output: (No output is printed on success, but hciconfig can be run again to verify the UP flag is no longer present).
Command:
Bash
sudo hciconfig hci0 piscan
Command Breakdown:
sudo: Privileges needed to change scan modes.
hciconfig: The configuration utility.
hci0: The target interface.
piscan: A command that enables both page scan (making the device connectable) and inquiry scan (making the device discoverable).
Ethical Context & Use-Case: In some scenarios, a penetration tester may need their device to be discoverable. For example, when testing how a target device behaves when it discovers a new Bluetooth device, or for certain man-in-the-middle (MITM) scenarios. This command makes the testing machine visible to other devices searching for Bluetooth connections.
--> Expected Output: (No output on success. The PSCAN and ISCAN flags will appear in the hciconfig status).
Command:
Bash
sudo hciconfig hci0 name 'TestDevice-AP'
Command Breakdown:
sudo: Required privileges.
hciconfig: The configuration utility.
hci0: The target interface.
name 'TestDevice-AP': The command to set the user-friendly name of the adapter.
Ethical Context & Use-Case: This is useful for social engineering or baiting scenarios in a physical penetration test. By setting a plausible name like "Conference Room Projector" or "Free_Public_WiFi," you can entice users of the target device to connect to your machine, allowing you to test the pairing process or capture handshake data.
--> Expected Output: (No output on success. The new name can be verified by running hciconfig -a).
Command:
Bash
sudo hciconfig hci0 class 0x5a020c
Command Breakdown:
sudo: Required privileges.
hciconfig: The configuration utility.
hci0: The target interface.
class 0x5a020c: Sets the Class of Device (CoD). This specific value (0x5a020c) represents a Smartphone.
Ethical Context & Use-Case: Spoofing the Class of Device can make your testing machine appear as a more legitimate or trusted device type to a target. For instance, a target system might be configured to auto-accept connections from headsets or smartphones. By matching your device class, you can test if these rules can be bypassed.
--> Expected Output: (No output on success. Can be verified with hciconfig -a).
hcitool: Device Discovery and Interaction (Legacy)hcitool is used for sending special commands to HCI-compliant devices. Its primary functions in a security context are scanning for remote devices and querying basic information.
Command:
Bash
hcitool scan
Command Breakdown:
hcitool: The HCI command utility.
scan: The command to perform an inquiry scan for discoverable classic Bluetooth devices.
Ethical Context & Use-Case: This is the most fundamental active reconnaissance technique. The command actively probes for nearby Bluetooth devices that are in a discoverable mode. The results provide the MAC address (BD_ADDR) and user-friendly name of each device found, which are critical pieces of information for the next stages of enumeration.
--> Expected Output:
Scanning ... B8:27:EB:4D:5A:6B raspberrypi 04:52:C7:1A:2B:3C Logitech MX Master 3 A1:B2:C3:D4:E5:F6 JBL Charge 4
Command:
Bash
hcitool name B8:27:EB:4D:5A:6B
Command Breakdown:
hcitool: The HCI command utility.
name: The command to request the user-friendly name from a device.
B8:27:EB:4D:5A:6B: The BD_ADDR of the target device.
Ethical Context & Use-Case: After discovering a device's address via a scan, this command can be used to query its name. This is useful if the initial scan failed to retrieve the name or if you are targeting a specific device whose address you already know from a previous reconnaissance phase.
--> Expected Output:
raspberrypi
Command:
Bash
sudo hcitool lescan
Command Breakdown:
sudo: Required as LE scanning often requires higher privileges.
hcitool: The HCI command utility.
lescan: The command to scan for Bluetooth Low Energy devices that are advertising.
Ethical Context & Use-Case: Modern IoT devices, wearables, and sensors predominantly use BLE. This command is essential for discovering these types of devices. It listens for advertisement packets, providing the MAC address and, often, the device name and some advertising data, which is the first step in assessing BLE security.
--> Expected Output:
LE Scan ... F8:B7:A6:C5:D4:E3 (unknown) F8:B7:A6:C5:D4:E3 Tile E1:D2:C3:B4:A5:F6 (unknown) C1:C2:C3:C4:C5:C6 Mi Smart Band 4
Command:
Bash
sudo hcitool leinfo F8:B7:A6:C5:D4:E3
Command Breakdown:
sudo: Privileges required.
hcitool: The HCI command utility.
leinfo: Command to request LE connection parameters from a remote device.
F8:B7:A6:C5:D4:E3: The MAC address of the target LE device.
Ethical Context & Use-Case: After discovering a BLE device, this command attempts to create a temporary connection to query its connection parameters. This can provide insight into how the device manages connections and can sometimes be used to fingerprint the device's firmware or stack based on the values returned. This is a form of active enumeration.
--> Expected Output:
Requesting information ... Handle: 64 LMP Version: 4.2 (0x8) LMP Subversion: 0x2209 Manufacturer: Cambridge Silicon Radio (10) Features: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
l2ping: Layer 2 Connectivity Testl2ping sends an L2CAP (Logical Link Control and Adaptation Protocol) echo request to a remote device, similar to how ICMP ping works over IP networks.
Command:
Bash
sudo l2ping B8:27:EB:4D:5A:6B
Command Breakdown:
sudo: Often required to access raw sockets.
l2ping: The L2CAP ping utility.
B8:27:EB:4D:5A:6B: The BD_ADDR of the target device.
Ethical Context & Use-Case: This is a quick and effective way to check for the presence and responsiveness of a Bluetooth device at Layer 2, even if it's not in a discoverable mode (provided you already know its address). It confirms the device is powered on, within range, and its Bluetooth stack is active. A successful ping is a strong indicator that the target is "live."
--> Expected Output:
Ping: B8:27:EB:4D:5A:6B from 00:1A:7D:DA:71:13 (data size 44) ... 44 bytes from B8:27:EB:4D:5A:6B id 0 time 25.48ms 44 bytes from B8:27:EB:4D:5A:6B id 1 time 31.12ms 44 bytes from B8:27:EB:4D:5A:6B id 2 time 28.75ms 3 sent, 3 received, 0% loss
Command:
Bash
sudo l2ping -f B8:27:EB:4D:5A:6B
Command Breakdown:
sudo: Required privileges.
l2ping: The L2CAP ping utility.
-f: The "flood" flag, which sends echo requests as fast as possible.
B8:27:EB:4D:5A:6B: The target's BD_ADDR.
Ethical Context & Use-Case: This command can be used to perform a basic denial-of-service (DoS) stress test against a device's Bluetooth stack. Within an authorized test, observing how a device handles a high volume of L2CAP requests can reveal vulnerabilities. Some poorly implemented stacks may crash, reboot, or become unresponsive, indicating a lack of proper resource handling.
--> Expected Output:
Ping: B8:27:EB:4D:5A:6B from 00:1A:7D:DA:71:13 (data size 44) ... .................................................. --- B8:27:EB:4D:5A:6B l2ping statistics --- 50 sent, 50 received, 0% loss rtt min/avg/max = 21.32/29.88/45.10 ms
sdptool: Service Discovery Protocol Enumerationsdptool is used to perform SDP queries on a remote Bluetooth device to discover the services it offers, along with their attributes. This is a critical enumeration tool.
Command:
Bash
sdptool browse B8:27:EB:4D:5A:6B
Command Breakdown:
sdptool: The Service Discovery Protocol utility.
browse: The command to retrieve all available service records.
B8:27:EB:4D:5A:6B: The target's BD_ADDR.
Ethical Context & Use-Case: This is the equivalent of port scanning in traditional network pentesting. The output reveals every registered service (e.g., Headset, Hands-Free, File Transfer, Serial Port), which directly maps to the device's attack surface. Identifying an insecure or legacy service (like an unauthenticated Serial Port Profile) can provide a direct avenue for exploitation.
--> Expected Output:
Browsing B8:27:EB:4D:5A:6B ...
Service Name: Headset Gateway
Service RecHandle: 0x10000
Service Class ID List:
"Headset Audio Gateway" (0x1112)
"Generic Audio" (0x1203)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 1
Service Name: AV Remote Control Target
Service RecHandle: 0x10001
Service Class ID List:
"AV Remote Target" (0x110c)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 23
"AVCTP" (0x0017)
uint16: 0x103
... (and so on for all services)
Command:
Bash
sdptool search --bdaddr B8:27:EB:4D:5A:6B SP
Command Breakdown:
sdptool: The SDP utility.
search: Command to search for a specific service type.
--bdaddr B8:27:EB:4D:5A:6B: Specifies the target address.
SP: The short name for the Serial Port Profile, a common target for security assessments.
Ethical Context & Use-Case: Instead of browsing all services, this allows a tester to quickly check for the existence of a specific high-value service. The Serial Port Profile (SPP) is often used for legacy data communication and can sometimes be left unsecured, providing a virtual serial connection to the device's internals if a connection can be established.
--> Expected Output:
Searching for SP on B8:27:EB:4D:5A:6B ...
Service Name: Serial Port
Service RecHandle: 0x10002
Service Class ID List:
"Serial Port" (0x1101)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 2
bluetoothctl: The Modern Interactive Control Toolbluetoothctl is the current standard for managing Bluetooth in Linux. It provides an interactive shell for pairing, connecting, and managing devices, supporting both Classic and LE standards.
Command:
Bash
bluetoothctl
Command Breakdown:
bluetoothctl: Executes the control tool, entering its interactive prompt.
Ethical Context & Use-Case: The interactive mode is the primary way to use bluetoothctl. It provides a powerful environment for managing the entire lifecycle of a Bluetooth interaction, from scanning to connecting and pairing. For a penetration tester, this is the command center for modern Bluetooth assessments.
--> Expected Output:
Agent registered [bluetooth]#
Command (inside bluetoothctl):
list
Command Breakdown:
list: A bluetoothctl command to display available local adapters (controllers).
Ethical Context & Use-Case: Similar to hciconfig, this confirms the presence of your testing hardware within the modern BlueZ framework. It shows the controller's MAC address and its alias.
--> Expected Output:
[bluetooth]# list Controller 00:1A:7D:DA:71:13 BlueZ-Test [default]
Command (inside bluetoothctl):
power on
Command Breakdown:
power on: A bluetoothctl command to enable the default controller.
Ethical Context & Use-Case: This is the bluetoothctl equivalent of hciconfig hciX up. It's a required step to ensure the adapter is powered and ready to perform any scanning or connection operations.
--> Expected Output:
[bluetooth]# power on Changing power on succeeded [CHG] Controller 00:1A:7D:DA:71:13 Powered: yes
Command (inside bluetoothctl):
scan on
Command Breakdown:
scan on: A bluetoothctl command that starts a continuous scan for both Bluetooth Classic and LE devices.
Ethical Context & Use-Case: This is one of the most powerful reconnaissance commands in the BlueZ suite. It provides a real-time stream of discovered devices, including their address, name, and often class or service data. A tester would run this in a target environment to build a comprehensive list of all nearby Bluetooth assets.
--> Expected Output:
[bluetooth]# scan on Discovery started [CHG] Controller 00:1A:7D:DA:71:13 Discovering: yes [NEW] Device B8:27:EB:4D:5A:6B raspberrypi [NEW] Device A1:B2:C3:D4:E5:F6 JBL Charge 4 [NEW] Device F8:B7:A6:C5:D4:E3 Tile [CHG] Device A1:B2:C3:D4:E5:F6 RSSI: -45 [CHG] Device B8:27:EB:4D:5A:6B RSSI: -62
Command (inside bluetoothctl):
scan off
Command Breakdown:
scan off: Stops the discovery process.
Ethical Context & Use-Case: Once a sufficient list of targets has been gathered, the scan should be turned off. Continuous scanning drains the battery and creates unnecessary wireless noise. Stopping the scan allows the tester to move on to the next phase: enumerating specific devices from the discovered list.
--> Expected Output:
[bluetooth]# scan off Discovery stopped [CHG] Controller 00:1A:7D:DA:71:13 Discovering: no
Command (inside bluetoothctl):
devices
Command Breakdown:
devices: Displays a list of devices that have been seen during the discovery session.
Ethical Context & Use-Case: After running a scan, this command provides a clean list of the targets that were found. This is the primary list of potential targets that the ethical hacker will work from for the rest of the assessment.
--> Expected Output:
[bluetooth]# devices Device B8:27:EB:4D:5A:6B raspberrypi Device A1:B2:C3:D4:E5:F6 JBL Charge 4 Device F8:B7:A6:C5:D4:E3 Tile
Command (inside bluetoothctl):
info B8:27:EB:4D:5A:6B
Command Breakdown:
info: A bluetoothctl command to show detailed information about a specific device.
B8:27:EB:4D:5A:6B: The address of the target device.
Ethical Context & Use-Case: This is a key enumeration step. The info command provides a wealth of data, including the device name, alias, class, icon, paired status, trusted status, and a list of UUIDs for the services it advertises. Analyzing these UUIDs is crucial for understanding the device's functionality and potential weaknesses.
--> Expected Output:
[bluetooth]# info B8:27:EB:4D:5A:6B Device B8:27:EB:4D:5A:6B (public) Name: raspberrypi Alias: raspberrypi Class: 0x00480204 Icon: computer Paired: no Trusted: no Blocked: no Connected: no LegacyPairing: no UUID: Audio Sink (0000110b-0000-1000-8000-00805f9b34fb) UUID: A/V Remote Control Target (0000110c-0000-1000-8000-00805f9b34fb) UUID: PnP Information (00001200-0000-1000-8000-00805f9b34fb)
Command (inside bluetoothctl):
pair B8:27:EB:4D:5A:6B
Command Breakdown:
pair: A bluetoothctl command to initiate the pairing process.
B8:27:EB:4D:5A:6B: The address of the target device.
Ethical Context & Use-Case: Testing the pairing mechanism is a core part of a Bluetooth security assessment. This command attempts to bond with the target device. The ethical hacker will observe the authentication method required (e.g., Just Works, Passkey Entry, PIN code) and assess its strength. Weaknesses like using a fixed or easily guessable PIN can be identified during this phase.
--> Expected Output:
[bluetooth]# pair B8:27:EB:4D:5A:6B Attempting to pair with B8:27:EB:4D:5A:6B [CHG] Device B8:27:EB:4D:5A:6B Connected: yes Request confirmation [agent] Confirm passkey 123456 (yes/no): yes [CHG] Device B8:27:EB:4D:5A:6B Paired: yes Pairing successful [CHG] Device B8:27:EB:4D:5A:6B Connected: no
Command (inside bluetoothctl):
connect B8:27:EB:4D:5A:6B
Command Breakdown:
connect: A bluetoothctl command to establish a connection.
B8:27:EB:4D:5A:6B: The address of the target device.
Ethical Context & Use-Case: After successfully pairing (or if the device allows unauthenticated connections), this command establishes a link. Once connected, a tester can interact with the device's services, such as attempting a file transfer via OBEX or communicating over a Serial Port Profile, to test for further vulnerabilities.
--> Expected Output:
[bluetooth]# connect B8:27:EB:4D:5A:6B Attempting to connect to B8:27:EB:4D:5A:6B Connection successful [raspberrypi]#
(Note: The prompt may change to the device name upon connection).
Command (inside bluetoothctl):
disconnect B8:27:EB:4D:5A:6B
Command Breakdown:
disconnect: The command to terminate an active connection.
B8:27:EB:4D:5A:6B: The address of the connected device.
Ethical Context & Use-Case: Properly terminating connections is good practice during an assessment. It returns the device to its idle state and allows the tester to move on to other targets or phases of the test cleanly.
--> Expected Output:
[raspberrypi]# disconnect B8:27:EB:4D:5A:6B Attempting to disconnect from B8:27:EB:4D:5A:6B Successful disconnected [CHG] Device B8:27:EB:4D:5A:6B Connected: no [bluetooth]#
Command (inside bluetoothctl):
remove B8:27:EB:4D:5A:6B
Command Breakdown:
remove: Deletes the bonding information for a device.
B8:27:EB:4D:5A:6B: The address of the device to remove.
Ethical Context & Use-Case: As part of the cleanup phase of a penetration test, the tester should remove any pairings made with target devices from their testing machine. This prevents the testing machine's address from being permanently stored on the target device and returns the system to its original state.
--> Expected Output:
[bluetooth]# remove B8:27:EB:4D:5A:6B [DEL] Device B8:27:EB:4D:5A:6B raspberrypi Device has been removed
btmon: Real-time Bluetooth Monitorbtmon is a powerful utility for capturing and displaying HCI commands, events, and data in a human-readable format in real time.
Command:
Bash
sudo btmon
Command Breakdown:
sudo: Required to access the HCI monitoring interface.
btmon: The Bluetooth monitor utility.
Ethical Context & Use-Case: This is the equivalent of running Wireshark or tcpdump for Bluetooth. btmon allows an ethical hacker to observe the raw communication between the local adapter and remote devices. This is invaluable for debugging interactions, analyzing pairing procedures, viewing advertisement packets in detail, and identifying non-standard or vulnerable communication patterns.
--> Expected Output:
Bluetooth monitor ver 5.82
= Note: Linux kernel interface is experimental for this tool.
= HCI Command: LE Set Scan Parameters (0x08|0x000b) plen 7 [hci0] 2025-08-17 18:30:01.234567
Type: Active (0x01)
Interval: 11.250 msec (0x0012)
Window: 11.250 msec (0x0012)
Own address type: Public (0x00)
Filter policy: Accept all (0x00)
> HCI Event: Command Complete (0x0e) plen 4 [hci0] 2025-08-17 18:30:01.235678
LE Set Scan Parameters (0x08|0x000b) ncmd 1
Status: Success (0x00)
@ MGMT Event: Device Found (0x0012) plen 39 {0x0001} [hci0] 2025-08-17 18:30:02.345678
LE Address: F8:B7:A6:C5:D4:E3 (random)
RSSI: -55 dBm (0xc9)
Flags: 0x00000006
LE General Discoverable Mode
BR/EDR Not Supported
AD Data (12 bytes)
Flags (0x01)
LE General Discoverable Mode
BR/EDR Not Supported
Company: Tile, Inc. (799)
Data: 0102030405
Combining BlueZ tools with standard Linux utilities unlocks more efficient and powerful testing capabilities. This section demonstrates how to chain commands to automate reconnaissance and analysis.
Command:
Bash
hcitool scan | grep ":" | awk '{print $1}' | xargs -n1 sudo l2ping -c 1
Command Breakdown:
hcitool scan: Performs a scan for discoverable Classic Bluetooth devices.
|: The pipe operator, which sends the output of the first command to the input of the second.
grep ":": Filters the output, keeping only lines that contain a colon, effectively selecting lines with MAC addresses.
awk '{print $1}': Processes the filtered lines and prints only the first column (the BD_ADDR).
xargs -n1 sudo l2ping -c 1: Takes each BD_ADDR from the previous command's output and executes sudo l2ping -c 1 on it, sending a single ping to each discovered device.
Ethical Context & Use-Case: This one-liner automates a common workflow: discover and verify. It performs a broad scan and then immediately confirms layer 2 connectivity for every device found. This is highly efficient for initial reconnaissance in an environment with multiple potential targets, quickly building a list of live, responsive devices.
--> Expected Output:
Scanning ... B8:27:EB:4D:5A:6B raspberrypi A1:B2:C3:D4:E5:F6 JBL Charge 4 Ping: B8:27:EB:4D:5A:6B from 00:1A:7D:DA:71:13 (data size 44) ... 44 bytes from B8:27:EB:4D:5A:6B id 0 time 28.15ms 1 sent, 1 received, 0% loss Ping: A1:B2:C3:D4:E5:F6 from 00:1A:7D:DA:71:13 (data size 44) ... 44 bytes from A1:B2:C3:D4:E5:F6 id 0 time 41.33ms 1 sent, 1 received, 0% loss
Command:
Bash
hcitool scan | grep ":" | awk '{print $1}' | while read addr; do echo "--- Scanning $addr ---"; sdptool browse $addr; done
Command Breakdown:
hcitool scan | grep ":" | awk '{print $1}': Same as before, this extracts the BD_ADDR of each discovered device.
| while read addr; do ... ; done: This pipes the list of addresses into a while loop. For each address (addr), it executes the commands between do and done.
echo "--- Scanning $addr ---": Prints a header to easily identify which device the subsequent output belongs to.
sdptool browse $addr: Runs a full service discovery scan on the current address.
Ethical Context & Use-Case: This powerful chain automates the full enumeration process. It discovers all nearby devices and immediately performs a deep dive into the services offered by each one. An ethical hacker can run this command, walk away, and come back to a complete report of all Bluetooth services running on all discoverable devices in the area, significantly speeding up the attack surface mapping phase.
--> Expected Output:
Scanning ... B8:27:EB:4D:5A:6B raspberrypi A1:B2:C3:D4:E5:F6 JBL Charge 4 --- Scanning B8:27:EB:4D:5A:6B --- Browsing B8:27:EB:4D:5A:6B ... Service Name: Headset Gateway Service RecHandle: 0x10000 Service Class ID List: "Headset Audio Gateway" (0x1112) ... (full sdptool output for the first device) --- Scanning A1:B2:C3:D4:E5:F6 --- Browsing A1:B2:C3:D4:E5:F6 ... Service Name: Audio Sink Service RecHandle: 0x10001 Service Class ID List: "Audio Sink" (0x110b) ... (full sdptool output for the second device)
Command:
Bash
bluetoothctl --monitor | grep "NEW" | while read -r line; do echo "$(date): $line"; done >> bluetooth_discoveries.log
Command Breakdown:
bluetoothctl --monitor: Runs bluetoothctl in a non-interactive mode where it just prints status changes to standard output.
grep "NEW": Filters the real-time output from bluetoothctl to only show lines indicating a new device has been discovered.
while read -r line; do ... ; done: Reads each "NEW" device line.
echo "$(date): $line": Prepends the current date and time to the discovery line.
>> bluetooth_discoveries.log: Appends this timestamped line to a log file.
Ethical Context & Use-Case: This sets up a persistent monitoring station. During a physical engagement, an ethical hacker can leave this command running on a concealed device (like a Raspberry Pi) to passively log every Bluetooth device that enters the area over a period of time. The resulting log file provides valuable intelligence, such as identifying when specific individuals (and their devices) enter or leave the premises.
--> Expected Output: (No output to the terminal, as it is redirected to the log file. The contents of bluetooth_discoveries.log would look like this):
Sun Aug 17 18:40:15 PKT 2025: [NEW] Device B8:27:EB:4D:5A:6B raspberrypi Sun Aug 17 18:41:02 PKT 2025: [NEW] Device F8:B7:A6:C5:D4:E3 Tile Sun Aug 17 18:41:05 PKT 2025: [NEW] Device 04:52:C7:1A:2B:3C Logitech MX Master 3
Leveraging AI and data analysis can transform raw tool output into actionable intelligence. This section explores how to process BlueZ data programmatically for deeper insights.
bluetoothctl Scan Output to Profile Device ManufacturersCommand (Python Script):
Python
# save this as analyze_scan.py
import pandas as pd
import sys
import re
# A simple regex to capture device info from bluetoothctl scan output
# Assumes input is piped from `bluetoothctl scan on` and cleaned
# e.g., `bluetoothctl scan on | grep "Device " > scan_output.txt`
DEVICE_REGEX = re.compile(r"Device (([0-9A-F]{2}:){5}[0-9A-F]{2}) (.+)")
def analyze_oui(mac_address):
"""
Analyzes the OUI (first 3 octets) of a MAC address to guess the manufacturer.
This is a simplified example; a real implementation would use a proper OUI database.
"""
oui_map = {
"B8:27:EB": "Raspberry Pi Foundation",
"04:52:C7": "Logitech",
"A1:B2:C3": "Unknown Vendor (Example)",
"F8:B7:A6": "Tile, Inc.",
"00:1A:7D": "Motorola" # Example for our own adapter
}
oui = mac_address[:8].upper()
return oui_map.get(oui, "Unknown Vendor")
def main(filename):
"""
Reads a file of bluetoothctl scan output, parses it, and prints an analysis.
"""
devices = []
with open(filename, 'r') as f:
for line in f:
match = DEVICE_REGEX.search(line)
if match:
mac = match.group(1)
name = match.group(3)
vendor = analyze_oui(mac)
devices.append({"MAC_Address": mac, "Name": name, "Vendor": vendor})
if not devices:
print("No devices found in the input file.")
return
df = pd.DataFrame(devices)
# Remove duplicates based on MAC address
df.drop_duplicates(subset="MAC_Address", keep="first", inplace=True)
print("--- Discovered Device Profile ---")
print(df.to_string(index=False))
print("\n--- Vendor Distribution ---")
print(df['Vendor'].value_counts().to_string())
if __name__ == "__main__":
if len(sys.argv) != 2:
print(f"Usage: python3 {sys.argv[0]} <scan_output_file>")
sys.exit(1)
main(sys.argv[1])
Command Breakdown:
First, capture scan data: bluetoothctl scan on > /tmp/scan.txt (Run this for a minute, then press Ctrl+C).
Then, process with the script: python3 analyze_scan.py /tmp/scan.txt.
The Python script uses the pandas library for data manipulation.
It reads the log file, uses regular expressions to parse MAC addresses and names.
The analyze_oui function cross-references the first three bytes of the MAC address (the Organizationally Unique Identifier) with a dictionary to identify the device manufacturer.
Finally, it prints a clean table of unique devices and a summary of manufacturers found.
Ethical Context & Use-Case: During a large-scale assessment (e.g., in a corporate office), you might discover hundreds of devices. Manually sifting through this data is inefficient. This AI-augmented approach automates the analysis, providing immediate intelligence. Identifying the vendor can help a penetration tester prioritize targets; for example, they might focus on devices from a vendor known for poor security practices or search for public exploits related to specific manufacturers.
--> Expected Output:
--- Discovered Device Profile ---
MAC_Address Name Vendor
B8:27:EB:4D:5A:6B raspberrypi Raspberry Pi Foundation
04:52:C7:1A:2B:3C Logitech MX Master 3 Logitech
F8:B7:A6:C5:D4:E3 Tile Tile, Inc.
--- Vendor Distribution ---
Raspberry Pi Foundation 1
Logitech 1
Tile, Inc. 1
Command (Conceptual Python Script):
Python
# save this as suggest_vulns.py
import sys
import json
# A mock vulnerability database
VULN_DB = {
"Serial Port": [
"Unauthenticated access (CVE-2019-XXXX)",
"Potential for buffer overflows via RFCOMM",
"Default PIN (e.g., 0000 or 1234)"
],
"Headset": [
"Can be targeted by BlueBorne-like attacks",
"Firmware update mechanism may be insecure"
],
"OBEX Object Push": [
"Arbitrary file push vulnerability if not configured correctly",
"Directory traversal weaknesses (CVE-2020-YYYY)"
]
}
def generate_report(sdp_output_file):
"""
Parses sdptool output and suggests potential vulnerabilities.
This is a conceptual demonstration.
"""
# In a real scenario, this would involve complex parsing of sdptool output.
# For this example, we'll assume a simplified, pre-parsed JSON input.
with open(sdp_output_file, 'r') as f:
services = json.load(f)
print(f"--- Vulnerability Assessment Report for {services['device']} ---")
for service in services["services_found"]:
if service in VULN_DB:
print(f"\n[+] Service Found: {service}")
print(" Potential Vulnerabilities / Attack Vectors:")
for vuln in VULN_DB[service]:
print(f" - {vuln}")
print("\n--- End of Report ---")
if __name__ == "__main__":
if len(sys.argv) != 2:
print(f"Usage: python3 {sys.argv[0]} <parsed_sdp_json_file>")
sys.exit(1)
generate_report(sys.argv[1])
Command Breakdown:
First, capture and manually parse service data into a JSON file named target.json:
JSON
{
"device": "B8:27:EB:4D:5A:6B",
"services_found": [
"Serial Port",
"Headset"
]
}
Then, run the script: python3 suggest_vulns.py target.json
The script loads a predefined "vulnerability database" (a Python dictionary).
It reads the simplified JSON input representing the services found on a target.
It cross-references the found services with its database and prints a list of potential, relevant vulnerabilities for the ethical hacker to investigate further.
Ethical Context & Use-Case: This demonstrates how a simple expert system or AI model could be used to augment a penetration tester's knowledge. After enumerating services with sdptool, this script acts as an intelligent assistant, immediately suggesting what to test next based on the discovered attack surface. This helps standardize the testing process, ensures common vulnerabilities are not missed, and can significantly speed up the exploitation phase of an assessment.
--> Expected Output:
--- Vulnerability Assessment Report for B8:27:EB:4D:5A:6B ---
[+] Service Found: Serial Port
Potential Vulnerabilities / Attack Vectors:
- Unauthenticated access (CVE-2019-XXXX)
- Potential for buffer overflows via RFCOMM
- Default PIN (e.g., 0000 or 1234)
[+] Service Found: Headset
Potential Vulnerabilities / Attack Vectors:
- Can be targeted by BlueBorne-like attacks
- Firmware update mechanism may be insecure
--- End of Report ---
Command:
Bash
sudo hciconfig hci0 rstat
Command Breakdown:
sudo: Required to execute commands that modify the state or counters of a network device.
hciconfig: The HCI device configuration utility.
hci0: The identifier for the local Bluetooth adapter.
rstat: The command to reset the statistics counters (RX/TX bytes, errors, etc.) for the specified adapter.
Ethical Context & Use-Case: During a penetration test, especially one involving traffic generation or denial-of-service testing, resetting the adapter's statistics is crucial for establishing a clean baseline. This allows the tester to accurately measure the amount of traffic sent or received during a specific test phase, helping to quantify the impact of their actions without noise from previous operations.
--> Expected Output: (No output is printed on success. Running hciconfig again will show the counters reset to zero.)
hci0: Type: Primary Bus: USB BD Address: 00:1A:7D:DA:71:13 ACL MTU: 310:10 SCO MTU: 64:8 UP RUNNING PSCAN ISCAN RX bytes:0 acl:0 sco:0 events:0 errors:0 TX bytes:0 acl:0 sco:0 commands:0 errors:0
Command:
Bash
hciconfig hci0 lm
Command Breakdown:
hciconfig: The HCI device configuration utility.
hci0: The target local adapter.
lm: The command to get the default link mode.
Ethical Context & Use-Case: Understanding the link mode provides insight into the connection policies of the adapter. An ethical hacker would check this to see if the adapter is configured to accept central or peripheral roles, which is important when planning man-in-the-middle or device impersonation attacks. The mode is a bitmask representing roles like LM_ACCEPT, LM_CENTRAL, LM_PERIPHERAL.
--> Expected Output:
hci0: Type: Primary Bus: USB BD Address: 00:1A:7D:DA:71:13 ACL MTU: 310:10 SCO MTU: 64:8 Link mode: PERIPHERAL ACCEPT
Command:
Bash
hciconfig hci0 lp
Command Breakdown:
hciconfig: The HCI device configuration utility.
hci0: The target local adapter.
lp: The command to get the default link policy settings.
Ethical Context & Use-Case: The link policy determines how the adapter handles connections, including roles for switching, holding, and sniffing (RSWITCH, HOLD, SNIFF, PARK). A penetration tester would examine these policies to understand if the adapter is configured to allow low-power modes or role switching, which could be relevant when testing for vulnerabilities related to state changes in a Bluetooth connection.
--> Expected Output:
hci0: Type: Primary Bus: USB BD Address: 00:1A:7D:DA:71:13 ACL MTU: 310:10 SCO MTU: 64:8 Link policy: RSWITCH HOLD SNIFF PARK
Command:
Bash
sudo hciconfig hci0 inqparms 1024:512
Command Breakdown:
sudo: Privileges are needed to change adapter parameters.
hciconfig: The HCI device configuration utility.
hci0: The target local adapter.
inqparms 1024:512: Sets the inquiry scan window and interval. The values are in slots (0.625 ms each). Here, the window is 1024 slots and the interval is 512 slots.
Ethical Context & Use-Case: Altering the inquiry scan parameters allows a tester to fine-tune their discovery process. A larger window can increase the chances of discovering devices in a noisy RF environment, while a shorter interval makes the scan more aggressive. This can be used to test a target device's ability to handle frequent inquiry requests or to optimize discovery speed during a limited-time physical engagement.
--> Expected Output: (No output on success. The change is applied to the adapter.)
Command:
Bash
hciconfig hci0 commands
Command Breakdown:
hciconfig: The HCI device configuration utility.
hci0: The target local adapter.
commands: This command queries the adapter and displays a list of all HCI commands its firmware supports.
Ethical Context & Use-Case: This is a crucial fingerprinting technique. The list of supported HCI commands can reveal the adapter's chipset, manufacturer, and firmware version. An ethical hacker can use this information to search for known vulnerabilities or chipset-specific exploits that might apply to their own testing hardware or, in rare cases, a physically accessible target's adapter.
--> Expected Output:
hci0: Type: Primary Bus: USB BD Address: 00:1A:7D:DA:71:13 ACL MTU: 310:10 SCO MTU: 64:8 Commands: Inquiry, Inquiry Cancel, Periodic Inquiry Mode, Exit Periodic Inquiry ... (long list of supported commands) Read Local Version Information, Read Local Supported Features, Read Buffer Size, Read BD_ADDR, Read Link Policy Settings, Write Link Policy Settings, Set Event Mask, Reset, Read Transmit Power, ...
Command:
Bash
sudo hciconfig hci0 delkey B8:27:EB:4D:5A:6B
Command Breakdown:
sudo: Required to modify the security database of the adapter.
hciconfig: The HCI device configuration utility.
hci0: The target local adapter.
delkey B8:27:EB:4D:5A:6B: The command to delete the stored link key for the specified device address.
Ethical Context & Use-Case: This command forces the adapter to "forget" a previous pairing. In a testing scenario, this is used to re-test the entire pairing and bonding process from scratch with a target device. It ensures that no cached keys are used, allowing the tester to observe the initial key exchange and authentication procedure multiple times to check for inconsistencies or weaknesses.
--> Expected Output: (No output on success.)
Command:
Bash
sudo hciconfig hci0 leadv 3
Command Breakdown:
sudo: Required for changing advertising state.
hciconfig: The HCI device configuration utility.
hci0: The target local adapter.
leadv 3: Enables LE advertising. The type 3 specifies "Non connectable undirected advertising," meaning the device broadcasts data but will not accept connections.
Ethical Context & Use-Case: This is used to emulate a simple BLE beacon (like an iBeacon or Eddystone). An ethical hacker can use this to test how a target application or device reacts to receiving specific advertisement data without the possibility of a connection. It's a way to inject data into the target's environment to test parsing vulnerabilities or trigger specific behaviors in location-aware applications.
--> Expected Output: (No output on success. The adapter starts advertising.)
Command:
Bash
sudo hciconfig hci0 noleadv
Command Breakdown:
sudo: Required for changing advertising state.
hciconfig: The HCI device configuration utility.
hci0: The target local adapter.
noleadv: Disables any active LE advertising.
Ethical Context & Use-Case: This is the corresponding "stop" command for the previous example. After performing a test that involves advertising, it's critical to stop the broadcast. This concludes the test, reduces battery consumption, and removes the testing device's presence from the airwaves to maintain operational security.
--> Expected Output: (No output on success.)
Command:
Bash
hcitool spinq
Command Breakdown:
hcitool: The HCI command utility.
spinq: Command to Start Periodic Inquiry. The adapter will automatically perform an inquiry at regular intervals without further user interaction.
Ethical Context & Use-Case: This is useful for long-term monitoring of a physical area. Instead of repeatedly running hcitool scan, a tester can initiate a periodic inquiry to passively discover new devices that enter the area over time. This is more efficient and provides a continuous discovery mechanism during a physical engagement.
--> Expected Output: (No output on success, but the adapter begins its periodic scan.)
Command:
Bash
hcitool rssi B8:27:EB:4D:5A:6B
Command Breakdown:
hcitool: The HCI command utility.
rssi: Command to get the Received Signal Strength Indication for an active connection.
B8:27:EB:4D:5A:6B: The BD_ADDR of the connected device.
Ethical Context & Use-Case: RSSI can be used for proximity estimation. An ethical hacker can use this command on a connected device to gauge its physical distance. By monitoring changes in the RSSI value, one could infer if the target device (and its user) is moving closer or further away, which can be valuable intelligence during a physical penetration test.
--> Expected Output: (Requires an active connection to the device)
RSSI return value: -48
Command:
Bash
hcitool lq B8:27:EB:4D:5A:6B
Command Breakdown:
hcitool: The HCI command utility.
lq: Command to get the Link Quality for an active connection.
B8:27:EB:4D:5A:6B: The BD_ADDR of the connected device.
Ethical Context & Use-Case: Link quality (a value from 0-255) is a measure of the health of the connection. A penetration tester can use this to assess the RF environment. A consistently low link quality might indicate distance, interference, or jamming, which could be part of the test scenario itself (e.g., testing how a device behaves under poor network conditions).
--> Expected Output: (Requires an active connection to the device)
Link quality: 255
Command:
Bash
hcitool tpl B8:27:EB:4D:5A:6B
Command Breakdown:
hcitool: The HCI command utility.
tpl: Command to get the Transmit Power Level for an active connection.
B8:27:EB:4D:5A:6B: The BD_ADDR of the connected device.
Ethical Context & Use-Case: This command reveals how much power the remote device is using to transmit. While less common, this data could be used for fingerprinting. Devices might use characteristic power levels, and observing these levels could help an attacker identify the device model or even its current state (e.g., some devices might increase power when streaming audio).
--> Expected Output: (Requires an active connection to the device)
Current transmit power level: 0
Command:
Bash
hcitool clkoff B8:27:EB:4D:5A:6B
Command Breakdown:
hcitool: The HCI command utility.
clkoff: Command to read the clock offset between the local and remote device's Bluetooth clock.
B8:27:EB:4D:5A:6B: The BD_ADDR of the connected device.
Ethical Context & Use-Case: The clock offset is fundamental to how Bluetooth's frequency hopping works. While advanced, this information can be used in sophisticated attacks like traffic prediction or injection. An ethical hacker might gather this information to assess the feasibility of such advanced attacks against a high-value target.
--> Expected Output: (Requires an active connection to the device)
Clock offset: 0x12a3
Command:
Bash
hcitool sr B8:27:EB:4D:5A:6B c
Command Breakdown:
hcitool: The HCI command utility.
sr: Command to perform a role switch on an active connection.
B8:27:EB:4D:5A:6B: The BD_ADDR of the connected device.
c: The target role to switch to (in this case, c for central).
Ethical Context & Use-Case: In a Bluetooth piconet, there is one central and multiple peripherals. Some vulnerabilities may only be triggered when a device is in a specific role. This command allows a tester to attempt to force a role switch, changing the dynamics of the connection and potentially exposing different code paths and attack surfaces on the target device.
--> Expected Output: (No output on success, but the role is changed for the active connection.)
Command:
Bash
sudo hcitool cmd 0x03 0x0003
Command Breakdown:
sudo: Required to send raw commands to the controller.
hcitool: The HCI command utility.
cmd: Subcommand to send a raw HCI command.
0x03: The OpCode Group Field (OGF) for "Controller Baseband Commands".
0x0003: The OpCode Command Field (OCF) for "Reset".
Ethical Context & Use-Case: Sending raw HCI commands is an advanced technique for interacting directly with the Bluetooth controller's firmware. This specific command issues a full reset to the local hci0 adapter. A tester would use this to ensure the adapter is in a completely clean, known-good state before beginning a sensitive test, clearing any unusual configurations or lingering state information.
--> Expected Output:
< HCI Command: ogf 0x03, ocf 0x0003, plen 0 > HCI Event: 0x0e plen 4 01 03 0C 00
(The event response 01 03 0C 00 indicates Command Complete for OGF 0x03, OCF 0x0003 with status 00/Success.)
Command:
Bash
sudo hcitool cmd 0x04 0x0005
Command Breakdown:
sudo: Required for raw command access.
hcitool: The HCI command utility.
cmd: Subcommand to send a raw HCI command.
0x04: The OGF for "Informational Parameters".
0x0005: The OCF for "Read Buffer Size".
Ethical Context & Use-Case: This command queries the controller to determine the exact size of its data buffers for ACL (asynchronous) and SCO (synchronous) data. This information is critical when planning buffer overflow attacks. An ethical hacker needs to know the precise buffer sizes to craft a payload that can potentially overwrite adjacent memory regions on the Bluetooth chip itself.
--> Expected Output:
< HCI Command: ogf 0x04, ocf 0x0005, plen 0 > HCI Event: 0x0e plen 11 01 05 10 00 F8 02 FF 08 08 00 00
(The event response contains the status and the buffer size parameters.)
Command:
Bash
sudo hcitool lerladd r F8:B7:A6:C5:D4:E3
Command Breakdown:
sudo: Required to modify the controller's resolving list.
hcitool: The HCI command utility.
lerladd: Subcommand to Add a device to the LE Resolving List.
r: Specifies the peer address type is "random".
F8:B7:A6:C5:D4:E3: The address of the peer device to add.
Ethical Context & Use-Case: The resolving list is used by the controller to resolve Resolvable Private Addresses (RPAs) back to a known Identity Address, using a shared key (IRK). By adding a device to this list, a tester can configure their adapter to specifically track a target device that uses address randomization for privacy, making it possible to identify the device even as its public address changes.
--> Expected Output: (No output on success.)
Command:
Bash
sudo hcitool lealclr
Command Breakdown:
sudo: Required to modify controller lists.
hcitool: The HCI command utility.
lealclr: Subcommand to Clear the LE Accept List. The Accept List is a feature that allows a controller to only listen for advertisements from a specific list of devices.
Ethical Context & Use-Case: Before starting a broad reconnaissance scan, a penetration tester should clear the LE Accept List. If a previous user or process configured the list, the adapter might be ignoring advertisements from potential targets. This command ensures the adapter is in a default state where it will receive packets from all nearby advertising devices.
--> Expected Output: (No output on success.)
Command:
Bash
sudo hcitool lecc --scan-interval 100 --scan-window 50 --conn-interval-min 30 --conn-interval-max 50 --conn-latency 0 --supervision-timeout 500 F8:B7:A6:C5:D4:E3
Command Breakdown:
sudo: Required to create LE connections.
hcitool lecc: Command to create an LE connection.
--scan-interval 100: Sets the interval for scanning for the target (in 0.625 ms units).
--scan-window 50: Sets the duration of the scan (in 0.625 ms units).
--conn-interval-min 30: Minimum desired connection interval.
--conn-interval-max 50: Maximum desired connection interval.
--conn-latency 0: Slave latency.
--supervision-timeout 500: Link supervision timeout.
F8:B7:A6:C5:D4:E3: The address of the target device.
Ethical Context & Use-Case: This command allows for fine-grained control over the LE connection process. A tester can use this to probe a target's connection handling. By providing unusual or out-of-spec parameters, it may be possible to trigger error conditions, crashes, or unexpected behavior in the target's Bluetooth stack, revealing potential denial-of-service vulnerabilities.
--> Expected Output:
Connection handle 64
Command:
Bash
sudo l2ping -r B8:27:EB:4D:5A:6B
Command Breakdown:
sudo: Often needed for raw socket access.
l2ping: The L2CAP ping utility.
-r: The "reverse ping" flag. This sends a command to the remote device, requesting that it ping the local device back.
B8:27:EB:4D:5A:6B: The target's BD_ADDR.
Ethical Context & Use-Case: A reverse ping tests the communication path in the opposite direction. This is useful for testing firewall rules or connection policies on the target device. If a standard l2ping works but a reverse ping (l2ping -r) fails, it could indicate that the target device is configured to initiate outgoing connections but block incoming L2CAP echo requests, providing a valuable piece of information about its security posture.
--> Expected Output:
Reverse ping from B8:27:EB:4D:5A:6B to 00:1A:7D:DA:71:13 ... 44 bytes from B8:27:EB:4D:5A:6B id 0 time 35.19ms 44 bytes from B8:27:EB:4D:5A:6B id 1 time 33.81ms 2 sent, 2 received, 0% loss
Command:
Bash
sudo sdptool add SP
Command Breakdown:
sudo: Required to modify the local SDP daemon's records.
sdptool: The Service Discovery Protocol utility.
add: The command to add a new service record to the local server.
SP: The short name for the "Serial Port" profile. This will add a generic Serial Port service record.
Ethical Context & Use-Case: This is a powerful technique for device impersonation and baiting. An ethical hacker can add a service record (like a Serial Port or a File Transfer service) to their own machine. This makes their machine appear to offer that service to any scanning devices. This can be used to entice a target device to connect, allowing the tester to capture the connection attempt and analyze the protocol it uses to interact with the emulated service.
--> Expected Output:
Serial Port service registered
Command:
Bash
sudo sdptool del 0x10002
Command Breakdown:
sudo: Required to modify local SDP records.
sdptool: The SDP utility.
del: The command to delete a service record.
0x10002: The record handle of the service to delete. This handle would be obtained from running sdptool browse localhost.
Ethical Context & Use-Case: This is the cleanup operation for the previous example. After a test involving service emulation is complete, the tester must remove the fake service record. This returns their testing machine to a default state and ensures it is no longer advertising a potentially confusing or misleading service.
--> Expected Output: (No output on success.)
Command:
Bash
sdptool search --bdaddr B8:27:EB:4D:5A:6B HID
Command Breakdown:
sdptool: The SDP utility.
search: The command to search for a specific service.
--bdaddr B8:27:EB:4D:5A:6B: The address of the remote device.
HID: The short name for the Human Interface Device profile.
Ethical Context & Use-Case: Discovering a HID service is a high-value finding for a penetration tester. This indicates the target is a keyboard, mouse, gamepad, or has similar input capabilities. A vulnerable HID device could be a target for keystroke injection attacks (e.g., MouseJack or KeyJack), allowing an attacker to remotely type commands or control the cursor on the host machine the HID device is connected to.
--> Expected Output:
Searching for HID on B8:27:EB:4D:5A:6B ...
Service Name: Wireless Keyboard
Service RecHandle: 0x10005
Service Class ID List:
"Human Interface Device" (0x1124)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 17
"HIDP" (0x0011)
...
bluetoothctlCommand (inside bluetoothctl):
discoverable-timeout 180
Command Breakdown:
discoverable-timeout: The bluetoothctl command to set the duration for which the adapter remains discoverable.
180: The timeout value in seconds.
Ethical Context & Use-Case: When making the testing machine discoverable for a specific scenario, it's poor practice to leave it discoverable indefinitely. Setting a timeout ensures that the device automatically becomes hidden after a set period. This enhances the operational security of the penetration tester by minimizing the window in which their machine is visible on the airwaves.
--> Expected Output:
[bluetooth]# discoverable-timeout 180 Changing discoverable-timeout succeeded
DisplayYesNoCommand (inside bluetoothctl):
agent DisplayYesNo
Command Breakdown:
agent: The bluetoothctl command for managing the authentication agent.
DisplayYesNo: Sets the I/O capability of the agent. This tells the connecting device that the local machine has a display and can accept a "yes" or "no" input, which is used for numeric comparison pairing.
Ethical Context & Use-Case: To properly test different pairing mechanisms, the tester must be able to emulate various device types. Setting the agent to DisplayYesNo allows the testing machine to participate in secure numeric comparison pairing. The tester can then verify if the target device correctly displays the 6-digit passkey and waits for confirmation, or if it has a vulnerability that allows this step to be bypassed.
--> Expected Output:
[bluetooth]# agent DisplayYesNo Agent is already registered
Command (inside bluetoothctl):
trust B8:27:EB:4D:5A:6B
Command Breakdown:
trust: The bluetoothctl command to mark a device as trusted.
B8:27:EB:4D:5A:6B: The address of the device to trust.
Ethical Context & Use-Case: Marking a device as "trusted" configures the system to allow it to reconnect in the future without requiring re-authentication. A penetration tester would do this to test post-pairing security. For example, does the trusted device gain automatic access to sensitive services upon reconnection? Can a trusted relationship be exploited if the device's link key is compromised?
--> Expected Output:
[bluetooth]# trust B8:27:EB:4D:5A:6B [CHG] Device B8:27:EB:4D:5A:6B Trusted: yes Changing B8:27:EB:4D:5A:6B trust succeeded
Command (inside bluetoothctl):
block B8:27:EB:4D:5A:6B
Command Breakdown:
block: The bluetoothctl command to add a device to the block list.
B8:27:EB:4D:5A:6B: The address of the device to block.
Ethical Context & Use-Case: Blocking a device prevents it from establishing any connection. This can be used to test how a target system or application behaves when a required peripheral (like a headset or sensor) is suddenly and permanently unavailable. Does the application handle the error gracefully, or does it crash or enter an insecure state? It can also be a simple denial-of-service test.
--> Expected Output:
[bluetooth]# block B8:27:EB:4D:5A:6B [CHG] Device B8:27:EB:4D:5A:6B Blocked: yes Changing B8:27:EB:4D:5A:6B block succeeded
Command (inside bluetoothctl):
bearer B8:27:EB:4D:5A:6B le
Command Breakdown:
bearer: The bluetoothctl command to get or set the preferred transport bearer.
B8:27:EB:4D:5A:6B: The address of the dual-mode device.
le: Sets the preferred bearer to Bluetooth Low Energy.
Ethical Context & Use-Case: Some devices support both Classic (BR/EDR) and LE Bluetooth. This command allows a tester to explicitly tell the stack to prefer connecting over LE. This is useful for forcing the device to use the LE communication stack, allowing the tester to focus their efforts on analyzing the GATT services and BLE-specific security features of the target.
--> Expected Output:
[bluetooth]# bearer B8:27:EB:4D:5A:6B le [CHG] Device B8:27:EB:4D:5A:6B PreferredBearer: le Changing le succeeded
Command (inside bluetoothctl):
menu gatt list-attributes F8:B7:A6:C5:D4:E3
Command Breakdown:
menu gatt: Enters the GATT (Generic Attribute Profile) submenu in bluetoothctl.
list-attributes: Lists all discovered services, characteristics, and descriptors for a connected device.
F8:B7:A6:C5:D4:E3: The address of the connected LE device.
Ethical Context & Use-Case: This is the primary enumeration step for a BLE device after connection. It provides a complete map of the device's GATT server. The ethical hacker will analyze this list to understand the device's capabilities (e.g., battery service, heart rate service, a proprietary control service) and identify characteristics that can be read from or written to, forming the basis of the attack surface analysis.
--> Expected Output: (Requires an active LE connection)
[F8:B7:A6:C5:D4:E3]# menu gatt [F8:B7:A6:C5:D4:E3:/service000c/char000d]# list-attributes F8:B7:A6:C5:D4:E3 Primary Service /org/bluez/hci0/dev_F8_B7_A6_C5_D4_E3/service0009 0000180f-0000-1000-8000-00805f9b34fb Battery Service Characteristic /org/bluez/hci0/dev_F8_B7_A6_C5_D4_E3/service0009/char000a 00002a19-0000-1000-8000-00805f9b34fb Battery Level Descriptor /org/bluez/hci0/dev_F8_B7_A6_C5_D4_E3/service0009/char000a/desc000b 00002902-0000-1000-8000-00805f9b34fb Client Characteristic Configuration ... (and so on)
Command (inside bluetoothctl GATT menu):
select-attribute /org/bluez/hci0/dev_F8_B7_A6_C5_D4_E3/service0009/char000a read
Command Breakdown:
select-attribute ...: Selects the "Battery Level" characteristic identified in the previous step.
read: Reads the current value of the selected characteristic.
Ethical Context & Use-Case: Reading characteristic values is how a client retrieves data from a BLE server. A penetration tester will attempt to read all readable characteristics to gather information about the device's state. This could reveal sensitive information, configuration settings, or operational data that could be useful for further attacks.
--> Expected Output:
[F8:B7:A6:C5:D4:E3:/service0009/char000a]# read Attempting to read /org/bluez/hci0/dev_F8_B7_A6_C5_D4_E3/service0009/char000a [CHG] Attribute /org/bluez/hci0/dev_F8_B7_A6_C5_D4_E3/service0009/char000a Value: 5e . Value: 0x5e (94)
Command (inside bluetoothctl GATT menu):
# Assuming there is a writable characteristic, e.g., for controlling a light select-attribute /org/bluez/hci0/dev_XX_XX_XX_XX_XX/service0010/char0011 write "0x01 0xff 0x00"
Command Breakdown:
select-attribute ...: Selects a writable characteristic (e.g., a control point).
write "0x01 0xff 0x00": Writes a sequence of bytes to the characteristic. The format is a string of space-separated hexadecimal values.
Ethical Context & Use-Case: Writing to characteristics is the primary method for controlling a BLE device. An ethical hacker will identify all writable characteristics and attempt to send both valid and malformed data to them. This is done to test access controls (can a value be written without authentication?), probe for functionality (what does writing this value do?), and test for input validation vulnerabilities (can writing a very long string cause a crash?).
--> Expected Output:
[XX:XX:XX:XX:XX:/service0010/char0011]# write "0x01 0xff 0x00" Attempting to write /org/bluez/hci0/dev_XX_XX_XX_XX_XX/service0010/char0011 Write successful Value: 01 ff 00 ...
Command (inside bluetoothctl GATT menu):
select-attribute /org/bluez/hci0/dev_F8_B7_A6_C5_D4_E3/service0009/char000a notify on
Command Breakdown:
select-attribute ...: Selects a characteristic that supports notifications.
notify on: Enables notifications for the selected characteristic. This writes to the characteristic's Client Characteristic Configuration Descriptor (CCCD) to start the notifications.
Ethical Context & Use-Case: Notifications are a way for a BLE device to push data to a client asynchronously. By enabling notifications on a characteristic (like a heart rate sensor), a tester can passively receive a stream of data from the device. This is a powerful way to monitor the device's state in real-time and capture data that may not be available via a simple read operation.
--> Expected Output:
[F8:B7:A6:C5:D4:E3:/service0009/char000a]# notify on Attempting to enable notifications for /org/bluez/hci0/dev_F8_B7_A6_C5_D4_E3/service0009/char000a [CHG] Attribute /org/bluez/hci0/dev_F8_B7_A6_C5_D4_E3/service0009/char000a Notifying: yes Notify successful
(After this, the console will print any value changes pushed by the device.)
Command (inside bluetoothctl):
menu advertise service 0x180D 0x1234 manufacturer 0xffff 0x11 0x22 0x33 discoverable on back advertise on
Command Breakdown:
menu advertise: Enters the advertising manager menu.
service 0x180D 0x1234: Adds a service UUID (0x180D for Heart Rate) and associated service data (0x1234) to the advertisement packet.
manufacturer 0xffff 0x11 0x22 0x33: Adds manufacturer-specific data. 0xffff is a placeholder for "not a registered company ID".
discoverable on: Sets the discoverable flag in the advertisement.
back: Returns to the main menu.
advertise on: Starts broadcasting the custom advertisement packet.
Ethical Context & Use-Case: This allows a penetration tester to craft a custom BLE advertisement packet. This can be used to impersonate a specific type of device (e.g., a heart rate monitor) to test how a central device (like a fitness app) reacts. It can also be used to send malicious or unexpected data in the advertisement packet itself to test for parsing vulnerabilities on scanning devices.
--> Expected Output:
[bluetooth]# advertise on Advertising started [CHG] Controller 00:1A:7D:DA:71:13 Advertising: yes
Command:
Bash
sudo rfcomm listen /dev/rfcomm0 10
Command Breakdown:
sudo: Required to create device nodes and listen on RFCOMM channels.
rfcomm: The RFCOMM configuration utility.
listen: The command to wait for an incoming connection.
/dev/rfcomm0: The local virtual serial device to create upon connection.
10: The RFCOMM channel to listen on.
Ethical Context & Use-Case: This sets up the testing machine as a server waiting for a connection on a specific RFCOMM channel. This is used to test client devices. For example, if you are testing a barcode scanner that sends data over Bluetooth serial, you can use this command to accept its connection. Once connected, you can use a terminal program like minicom on /dev/rfcomm0 to see the data it sends, testing for unencrypted sensitive data or injection vulnerabilities.
--> Expected Output:
Waiting for connection on channel 10
(The command will block until a connection is made or it is cancelled.)
Command:
Bash
sudo rfcomm watch /dev/rfcomm0 10 /bin/echo "Client connected"
Command Breakdown:
sudo: Required privileges.
rfcomm watch: Similar to listen, but it re-listens after a client disconnects and can execute a command.
/dev/rfcomm0: The device to create.
10: The RFCOMM channel to watch.
/bin/echo "Client connected": The command to execute when a client connects. The standard I/O of this command will be redirected to the RFCOMM device.
Ethical Context & Use-Case: This is a more advanced version of the listening server. It can be used to create a simple "honeypot" service. For example, a tester could have it run a script that presents a fake login prompt (/bin/cat /etc/fake_login_prompt) to any device that connects. This allows the tester to capture credentials or commands that the client device automatically sends upon connection.
--> Expected Output:
Waiting for connection on channel 10 Connection from B8:27:EB:4D:5A:6B to /dev/rfcomm0 Client connected ... Disconnected
Command:
Bash
sudo rfcomm connect /dev/rfcomm0 B8:27:EB:4D:5A:6B 2 -E
Command Breakdown:
sudo: Required to create the /dev/rfcomm device node.
rfcomm connect: The command to initiate an RFCOMM connection.
/dev/rfcomm0: The local device to bind the connection to.
B8:27:EB:4D:5A:6B: The target device address.
2: The target RFCOMM channel number.
-E: A flag to enable encryption for the connection.
Ethical Context & Use-Case: When testing a service that supposedly supports secure communication, this command allows the ethical hacker to explicitly request encryption. The success or failure of this command helps to verify the security configuration of the remote service. If the connection succeeds, traffic sent over /dev/rfcomm0 will be encrypted at the baseband layer.
--> Expected Output:
Connected /dev/rfcomm0 to B8:27:EB:4D:5A:6B on channel 2 Press CTRL-C for hangup
btmgmt to Find a Service by UUIDCommand:
Bash
sudo btmgmt find-service 0x1101
Command Breakdown:
sudo: Required for management commands.
btmgmt: The Bluetooth management tool.
find-service: The command to discover nearby devices that offer a specific service.
0x1101: The UUID for the Serial Port Profile (SPP).
Ethical Context & Use-Case: This is a more targeted discovery method than a general scan. Instead of finding all devices, this command specifically finds devices that are advertising a particular service of interest. This is highly efficient for a penetration tester who is looking for a specific attack surface (like SPP) and wants to quickly identify all potential targets in the vicinity that have it.
--> Expected Output:
Discovery started hci0: find_service result dev B8:27:EB:4D:5A:6B rssi -55
btmgmt to Set IO CapabilityCommand:
Bash
sudo btmgmt io-cap 3
Command Breakdown:
sudo: Required.
btmgmt: The Bluetooth management tool.
io-cap: The command to set the Input/Output capabilities of the local adapter.
3: Represents "NoInputNoOutput", which is used for "Just Works" pairing.
Ethical Context & Use-Case: This is a crucial command for testing pairing security. By setting the local I/O capability to NoInputNoOutput, the tester's machine tells remote devices that it has no way to display a passkey or accept one. This forces the use of the least secure "Just Works" pairing method. The tester can then determine if a target device will insecurely pair using this method, even if the target itself has a screen and keyboard.
--> Expected Output:
hci0: IOCap set to 0x03
btmgmt to Toggle Secure Connections (SC) SupportCommand:
Bash
sudo btmgmt sc off
Command Breakdown:
sudo: Required.
btmgmt: The Bluetooth management tool.
sc off: The command to disable support for Secure Connections (SC), an enhanced security feature that uses ECDH key exchange.
Ethical Context & Use-Case: To test for downgrade attacks, a penetration tester can disable support for modern security features like SC on their own device. They can then attempt to pair with a target that supports SC. If the target device agrees to pair using an older, less secure legacy pairing method, it indicates a vulnerability where an attacker can force the use of weaker cryptography.
--> Expected Output:
hci0: SC support disabled
btmgmt to Add a Device ManuallyCommand:
Bash
sudo btmgmt add-device B8:27:EB:4D:5A:6B -a 0 -l 1 -k 123...abc
Command Breakdown:
sudo: Required.
btmgmt add-device: Command to add a device and its security keys to the kernel.
B8:27:EB:4D:5A:6B: The device address.
-a 0: Address type (0 for public).
-l 1: Link key type (1 for combination key).
-k 123...abc: The 16-byte link key in hexadecimal.
Ethical Context & Use-Case: If a penetration tester manages to obtain a device's link key through some other means (e.g., a vulnerability in the key storage mechanism), this command can be used to manually add the device and its key to the tester's machine. This allows them to connect to the target, impersonating a previously paired device, without going through the pairing process at all.
--> Expected Output:
hci0: device B8:27:EB:4D:5A:6B added
btmgmt to Add an Advertising InstanceCommand:
Bash
sudo btmgmt add-adv -d 010203 -s 040506 -u 180d -i 200 1
Command Breakdown:
sudo: Required.
btmgmt add-adv: Adds a new LE advertising instance.
-d 010203: Sets the advertising data payload.
-s 040506: Sets the scan response data payload.
-u 180d: Advertises the Heart Rate service UUID.
-i 200: Sets the advertising interval to 200 slots.
1: The instance ID for this advertisement.
Ethical Context & Use-Case: btmgmt provides more granular control over advertising than bluetoothctl. A tester can create multiple, distinct advertising instances simultaneously. This could be used to emulate several different BLE devices at once from a single adapter, creating a complex and confusing environment to test the robustness and logic of a central scanning device.
--> Expected Output:
hci0: advertising instance 1 added
hcidump to Save a Capture to a FileCommand:
Bash
sudo hcidump -w capture.dump
Command Breakdown:
sudo: Required to access the HCI interface.
hcidump: The HCI data parsing utility.
-w capture.dump: The -w flag writes the raw captured traffic to the specified file in btsnoop format.
Ethical Context & Use-Case: Real-time analysis with btmon is useful, but for deep, methodical analysis, saving a capture is essential. An ethical hacker will capture all traffic during an important interaction (like a pairing sequence). Later, they can load this capture.dump file into Wireshark or other analysis tools to inspect every packet in detail, searching for anomalies or vulnerabilities.
--> Expected Output: (No output to the terminal, but the file capture.dump is created and traffic is saved to it. Press Ctrl+C to stop.)
hcidump to Read and Analyze a Capture FileCommand:
Bash
hcidump -r capture.dump -x
Command Breakdown:
hcidump: The HCI data parsing utility.
-r capture.dump: The -r flag reads and parses a capture file instead of listening on a live interface.
-x: Dumps the packet data in hexadecimal format.
Ethical Context & Use-Case: This command is for offline analysis of a previously saved capture. It allows the tester to review the captured traffic without needing to be physically present at the test site. The -x flag is particularly useful for looking at the raw byte values of payloads, which is necessary when reverse engineering a proprietary protocol or verifying a handcrafted packet.
--> Expected Output: (A formatted dump of all packets from the capture.dump file will be printed to the console.)
> HCI Event: Connect Request (0x04) plen 10 B8 27 EB 4D 5A 6B 00 1F 80 01 ... < HCI Command: Accept Connection Request (0x01|0x0009) plen 7 B8 27 EB 4D 5A 6B 01 ...
hcidump to Dump Data in ASCIICommand:
Bash
hcidump -r capture.dump -a
Command Breakdown:
hcidump: The HCI utility.
-r capture.dump: Reads from the specified capture file.
-a: Dumps the packet data in ASCII format alongside the hex dump.
Ethical Context & Use-Case: When analyzing protocols that transmit human-readable strings (like device names, service names, or some characteristic values), the -a flag is incredibly helpful. It automatically translates the hex data to ASCII, which can instantly reveal interesting information like hardcoded passwords, device identifiers, or command strings without requiring manual conversion.
--> Expected Output:
> HCI Event: Remote Name Req Complete (0x07) plen 255
status 0x00 bdaddr B8:27:EB:4D:5A:6B name 'raspberrypi'
72 61 73 70 62 65 72 72 79 70 69 raspberrypi
gatttool in Interactive ModeCommand:
Bash
gatttool -b F8:B7:A6:C5:D4:E3 -I
Command Breakdown:
gatttool: The tool for BLE device interaction.
-b F8:B7:A6:C5:D4:E3: Specifies the target device address.
-I or --interactive: Enters the interactive mode.
Ethical Context & Use-Case: While largely superseded by bluetoothctl, gatttool is still present on many systems and its interactive mode provides a straightforward way to explore a BLE device. An ethical hacker would use this mode to manually connect, discover services and characteristics, and perform read/write operations in a step-by-step manner, which can be useful for careful, deliberate probing of a device's GATT interface.
--> Expected Output:
[F8:B7:A6:C5:D4:E3][LE]>
Command (inside gatttool):
connect
Command Breakdown:
connect: The command within gatttool's interactive mode to establish a connection to the device specified with the -b flag.
Ethical Context & Use-Case: This is the first step inside the interactive gatttool shell. It establishes the LE link, which is a prerequisite for any further GATT operations like service discovery or characteristic reading. The success or failure of this command is the first test of the device's availability and willingness to accept connections.
--> Expected Output:
[F8:B7:A6:C5:D4:E3][LE]> connect Attempting to connect to F8:B7:A6:C5:D4:E3 Connection successful [F8:B7:A6:C5:D4:E3][LE]>
Command (inside gatttool):
primary
Command Breakdown:
primary: The command to discover all primary services on the connected device.
Ethical Context & Use-Case: This is the service enumeration command in gatttool. It queries the device and lists the attribute handles and UUIDs for each primary service. This provides the high-level map of the device's functionality, which the tester will use to decide which services to investigate more deeply.
--> Expected Output:
[F8:B7:A6:C5:D4:E3][LE]> primary attr handle: 0x0001, end grp handle: 0x0008 uuid: 00001800-0000-1000-8000-00805f9b34fb attr handle: 0x0009, end grp handle: 0x000c uuid: 0000180f-0000-1000-8000-00805f9b34fb attr handle: 0x000d, end grp handle: 0xffff uuid: 0000180a-0000-1000-8000-00805f9b34fb
Command (inside gatttool):
characteristics 0x0009 0x000c
Command Breakdown:
characteristics: The command to discover characteristics within a specified handle range.
0x0009: The starting handle of the service (obtained from the primary command).
0x000c: The ending handle of the service (obtained from the primary command).
Ethical Context & Use-Case: After discovering services, the next step is to enumerate the characteristics within each one. This command drills down into a specific service (in this case, the one starting at handle 0x0009) and reveals the data points or control points it contains. This is how a tester identifies specific items like "Battery Level" or "Device Name".
--> Expected Output:
[F8:B7:A6:C5:D4:E3][LE]> characteristics 0x0009 0x000c handle: 0x000a, char properties: 0x12, char value handle: 0x000b, uuid: 00002a19-0000-1000-8000-00805f9b34fb
Command (inside gatttool):
char-read-hnd 0x000b
Command Breakdown:
char-read-hnd: The command to read a characteristic's value using its value handle.
0x000b: The value handle of the characteristic to read (obtained from the characteristics command).
Ethical Context & Use-Case: This is the gatttool equivalent of the read command in bluetoothctl. It fetches the current value of a data point on the BLE device. Testers use this to extract information and profile the target, looking for any sensitive or interesting data that is exposed.
--> Expected Output:
[F8:B7:A6:C5:D4:E3][LE]> char-read-hnd 0x000b Characteristic value/descriptor: 5e
Command (inside gatttool):
char-write-req 0x0012 0100
Command Breakdown:
char-write-req: The command to write a value to a characteristic (with response).
0x0012: The value handle of a writable characteristic.
0100: The value to write, as a hexadecimal string.
Ethical Context & Use-Case: This command allows a tester to send data to the target device to change its state or trigger an action. This is the primary method for testing input validation and access control on BLE devices. The tester can try sending valid commands, malformed data, or commands that should require authentication to see how the device responds.
--> Expected Output:
[F8:B7:A6:C5:D4:E3][LE]> char-write-req 0x0012 0100 Characteristic value was written successfully
Command (inside gatttool):
char-write-cmd 0x0012 deadbeef
Command Breakdown:
char-write-cmd: The command to write a value to a characteristic without requesting a response from the server (a "write command").
0x0012: The value handle of a writable characteristic that supports write without response.
deadbeef: The value to write.
Ethical Context & Use-Case: Some characteristics are designed for high-throughput data transfer and use "write without response" to improve speed. This can sometimes be a vector for denial-of-service attacks. A tester can use this command to flood the target with data as fast as possible to see if it can handle the load or if its buffer overflows and it crashes.
--> Expected Output: (No output is printed, as no response is requested.)
Command:
Bash
sudo btvirt -L -l2
Command Breakdown:
sudo: Required to create virtual HCI devices.
btvirt: The Bluetooth emulator tool.
-L: Creates LE-only controllers.
-l2: Specifies the number of local controllers to create (in this case, two).
Ethical Context & Use-Case: btvirt is an incredibly powerful tool for development and testing without needing physical hardware. An ethical hacker can use it to create multiple virtual Bluetooth adapters on a single machine. This allows them to simulate complex scenarios, such as having one virtual adapter act as a malicious central device and another act as a malicious peripheral, to test for man-in-the-middle vulnerabilities between two virtual target devices.
--> Expected Output:
Virtual HCI devices created
(Running hciconfig after this would show hci0 and hci1).
Command:
Bash
sudo btvirt -B
Command Breakdown:
sudo: Required.
btvirt: The Bluetooth emulator.
-B: Creates a BR/EDR (Classic Bluetooth) only controller, with LE support disabled.
Ethical Context & Use-Case: This allows a tester to create a virtual adapter that only supports Classic Bluetooth. This is useful for testing how a dual-mode target device behaves when it can only connect to a Classic-only peer. It helps isolate the Classic stack for testing and ensures that the connection doesn't unexpectedly get established over LE.
--> Expected Output:
Virtual HCI devices created
obexctl to Enter Interactive ModeCommand:
Bash
obexctl
Command Breakdown:
obexctl: The command-line interface for BlueZ's OBEX (Object Exchange) functionality.
Ethical Context & Use-Case: OBEX is a protocol used for file transfers, common in older Bluetooth devices. Entering the obexctl shell is the first step in testing these services. From here, a penetration tester can connect to a device offering an OBEX service (like FTP or OPP) and attempt to push or pull files, testing for vulnerabilities like unauthenticated access or directory traversal.
--> Expected Output:
[obex]#
Command (inside obexctl):
connect B8:27:EB:4D:5A:6B
Command Breakdown:
connect: The command to establish a connection to a remote OBEX server.
B8:27:EB:4D:5A:6B: The address of the target device.
Ethical Context & Use-Case: This command attempts to establish a transport session with the remote device's OBEX service. A successful connection confirms the service is active and available. The tester would then proceed to enumerate the capabilities of the service (e.g., what object types can be exchanged).
--> Expected Output:
[obex]# connect B8:27:EB:4D:5A:6B Attempting to connect to B8:27:EB:4D:5A:6B [CHG] Device B8:27:EB:4D:5A:6B Connected: yes Connection successful [B8:27:EB:4D:5A:6B]#
Command (inside obexctl):
ls
Command Breakdown:
ls: The command to list files and folders in the current remote directory. This is only supported if the remote device offers the OBEX File Transfer Profile (FTP).
Ethical Context & Use-Case: If a target device allows an unauthenticated OBEX FTP connection, this command could be devastatingly effective. It allows the tester to browse the remote device's file system. They would look for sensitive files, configuration files with passwords, or user data that should not be exposed.
--> Expected Output:
[B8:27:EB:4D:5A:6B]# ls [ ] config.txt (file) 256 bytes [ DIR ] images (folder) [ ] firmware.bin (file) 1048576 bytes
Command (inside obexctl):
send /path/to/local/file.txt
Command Breakdown:
send: The command to push a file to the remote device using the OBEX Object Push Profile (OPP).
/path/to/local/file.txt: The path to the file on the local machine that will be sent.
Ethical Context & Use-Case: This is used to test for vulnerabilities related to file acceptance. Can an unauthenticated user push a file to the device? Is there any validation on the file type or size? A tester could attempt to push a large file to cause a denial-of-service, or a file with a malicious name (e.g., ../../etc/passwd) to test for directory traversal vulnerabilities. For safety, the file itself should be benign, like a simple text file.
--> Expected Output:
[B8:27:EB:4D:5A:6B]# send /home/kali/test.txt Transferring /home/kali/test.txt Transfer succeed
ciptool to Search for CAPI DevicesCommand:
Bash
ciptool search
Command Breakdown:
ciptool: The utility for the Common ISDN Access Profile (CIP).
search: The command to search for devices offering the CAPI/CIP service.
Ethical Context & Use-Case: CIP/CAPI is a very old and obscure profile for providing ISDN-like services over Bluetooth. While extremely rare today, finding a device that still supports it would be a significant discovery for a penetration tester. Such legacy profiles often have weaker security and are less tested than modern ones, making them a potentially fruitful, if unlikely, attack vector.
--> Expected Output:
Searching for CAPI/CIP devices ... Device AA:BB:CC:11:22:33 found
The information, tools, and techniques presented in this article are provided for educational and research purposes only. All demonstrations and examples are intended to be performed within a controlled laboratory environment, on networks and devices that you own, or for which you have been granted explicit, written permission to conduct security testing by the legal owner.
The use of these tools against any system without prior authorization is illegal. Unauthorized access to computer systems, interception of data, or disruption of services are criminal offenses in most jurisdictions worldwide. The author, instructor, and hosting platform (Udemy) do not condone any illegal or malicious activity and bear no responsibility or liability for any misuse of the information provided herein. By proceeding with this course material, you acknowledge your responsibility to adhere to all applicable laws and to act in a strictly ethical and professional manner. Cybersecurity is about protection and defense; this knowledge is provided to build a more secure world, not to harm it.