# Pentesting BLE - Bluetooth Low Energy

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF**, check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

## Introduction

Since the Bluetooth 4.0 specification, BLE uses only 40 channels, covering the range 2400 to 2483.5 MHz. By contrast, classic Bluetooth uses 79 channels in the same range.

BLE devices communicate by sending **advertising packets** (**beacons**), which announce the BLE device's presence to other nearby devices. These beacons sometimes also **send data**.

The listening device, also called the central device, can respond to an advertising packet with a **SCAN request** sent specifically to the advertising device. The **response** to that scan uses the same structure as the **advertising** packet and carries additional information that could not fit into the initial advertising packet, such as the full device name.

![](/files/UdxQ88xGFGn4c6WtItj0)

The preamble byte synchronizes the frequency, while the four-byte access address is a **connection identifier**, used in scenarios where multiple devices try to establish connections on the same channels. Next, the Protocol Data Unit (**PDU**) contains the **advertising data**. There are several types of PDU; the most commonly used are ADV\_NONCONN\_IND and ADV\_IND. A device uses the **ADV\_NONCONN\_IND** PDU type if it **does not accept connections**, transmitting data only in the advertising packet. A device uses **ADV\_IND** if it **allows connections**; it **stops sending advertising** packets once a **connection** has been **established**.
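As an added example (not code from the original page), here is a Python decoder for the advertising PDU just described: it reads the two-byte header, classifies the PDU type and the TxAdd bit, reverses the little-endian AdvA, and walks the AD structures in the advertising data, refusing a PDU whose length fields overrun the buffer. The two sample packets are constructed inline; the name "DemoSensor", the random address and the manufacturer payload are made-up values.

```python
# Link-layer PDU types (low nibble of header byte 0) and the AD types decoded below.
PDU_TYPES = {0x0: "ADV_IND", 0x1: "ADV_DIRECT_IND", 0x2: "ADV_NONCONN_IND",
             0x3: "SCAN_REQ", 0x4: "SCAN_RSP", 0x5: "CONNECT_IND", 0x6: "ADV_SCAN_IND"}
AD_TYPES = {0x01: "Flags", 0x03: "Complete 16-bit UUIDs", 0x08: "Shortened Name",
            0x09: "Complete Name", 0x0A: "TX Power", 0xFF: "Manufacturer Data"}

def decode_ad(ad_type: int, data: bytes):
    """Decode the AD types the page discusses; anything else is returned as hex."""
    if ad_type in (0x08, 0x09):
        return data.decode("utf-8", errors="replace")
    if ad_type == 0x03:   # 16-bit UUIDs are little-endian on the air
        return [f"{int.from_bytes(data[i:i + 2], 'little'):04X}" for i in range(0, len(data) - 1, 2)]
    if ad_type == 0x01:
        return {"le_general_discoverable": bool(data[0] & 0x02),
                "br_edr_not_supported": bool(data[0] & 0x04)}
    if ad_type == 0x0A:   # signed dBm
        return int.from_bytes(data[:1], "little", signed=True)
    return data.hex()

def parse_adv_pdu(pdu: bytes) -> dict:
    """Decode header, AdvA and AD structures; reject PDUs whose lengths do not add up."""
    if len(pdu) < 8:
        raise ValueError("PDU too short for 2-byte header + 6-byte AdvA")
    ptype = pdu[0] & 0x0F
    if pdu[1] != len(pdu) - 2:                 # header Length must cover AdvA + AdvData
        raise ValueError(f"header length {pdu[1]} != payload {len(pdu) - 2}")
    ad, pos = [], 8
    while pos < len(pdu):
        ad_len = pdu[pos]
        if ad_len == 0:                        # zero-length structure = padding, stop
            break
        if pos + 1 + ad_len > len(pdu):        # truncated structure: never read past the buffer
            raise ValueError(f"AD length {ad_len} at offset {pos} overruns the PDU")
        ad_type = pdu[pos + 1]
        ad.append((AD_TYPES.get(ad_type, f"0x{ad_type:02X}"),
                   decode_ad(ad_type, pdu[pos + 2:pos + 1 + ad_len])))
        pos += 1 + ad_len
    return {"pdu_type": PDU_TYPES.get(ptype, f"0x{ptype:X}"),
            "connectable": ptype in (0x0, 0x1),          # only these accept CONNECT_IND
            "addr": ":".join(f"{b:02X}" for b in reversed(pdu[2:8])),   # AdvA is LSB first
            "addr_type": "random" if pdu[0] & 0x40 else "public",       # TxAdd bit
            "ad": ad}

# Constructed samples (not real captures): a connectable ADV_IND and a non-connectable beacon.
NAME = b"DemoSensor"
SAMPLE_ADV_IND = (bytes([0x00, 6 + 3 + 4 + 2 + len(NAME)]) + bytes.fromhex("76b36c12cfa4")
                  + bytes([0x02, 0x01, 0x06]) + bytes([0x03, 0x03, 0x0A, 0x18])
                  + bytes([len(NAME) + 1, 0x09]) + NAME)
SAMPLE_BEACON = bytes.fromhex("420f" "5544332211c0" "05ff34120102" "020af4")
```

Feeding a PDU with a mismatched header length or an AD structure longer than the remaining bytes raises `ValueError`, which is the check a sniffer or firmware parser must make before trusting the advertised data.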

### GATT

The **Generic Attribute Profile** (GATT) defines how the **device should format and transfer data**. When you analyze a BLE device's attack surface, you will often concentrate on GATT (or GATTs), because it is how **device functionality gets triggered** and how data gets stored, grouped, and modified. GATT lists a device's characteristics, descriptors, and services in a table as either 16- or 32-bit values. A **characteristic** is a **data** value **sent** between the central device and the peripheral. These characteristics can have **descriptors** that **provide additional information about them**. **Characteristics** are often **grouped** in **services** if they are related to performing a particular action.

## Enumeration

```bash
hciconfig # Check config, check if the interface is UP or DOWN
# If DOWN try:
sudo modprobe bluetooth   # load the kernel module (modprobe -c only prints the config)
sudo hciconfig hci0 down && sudo hciconfig hci0 up

# Spoof MAC
spooftooph -i hci0 -a 11:22:33:44:55:66
```

### GATTool

**GATTool** allows you to establish a connection with another device, list that device's characteristics, and read and write its attributes.\
GATTool can start an interactive shell with the `-I` option:

```bash
gatttool -i hci0 -I
[ ][LE]> connect A4:CF:12:6C:B3:76
Attempting to connect to A4:CF:12:6C:B3:76
Connection successful
[A4:CF:12:6C:B3:76][LE]> characteristics
handle: 0x0002, char properties: 0x20, char value handle: 0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
handle: 0x0015, char properties: 0x02, char value handle: 0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
[...]

# Write data (-n takes the value as a hex string)
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-write-req -a <characteristic handle> -n <value>
# xxd -ps hex-encodes the ASCII string; pass the bytes directly to -n if the value is already hex
gatttool -b a4:cf:12:6c:b3:76 --char-write-req -a 0x002e -n $(echo -n "04dc54d9053b4307680a"|xxd -ps)

# Read data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-read -a 0x16

# Read connecting with an authenticated encrypted connection
gatttool --sec-level=high -b a4:cf:12:6c:b3:76 --char-read -a 0x002c
```
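The `char properties` field in the output above is a bitmask that gatttool does not decode. As an added example (not part of the page's own tooling), this Python snippet parses gatttool's `characteristics` lines, expands those bits into names and resolves SIG-assigned 16-bit UUIDs, so a reviewer can see at a glance which characteristics are writable. The third input line and the small `KNOWN_16` table are constructed for the example.

```python
import re

# GATT Characteristic Properties bits (Core spec, GATT Characteristic declaration).
PROPS = {0x01: "broadcast", 0x02: "read", 0x04: "write-without-response", 0x08: "write",
         0x10: "notify", 0x20: "indicate", 0x40: "signed-write", 0x80: "extended-props"}
BT_BASE = "-0000-1000-8000-00805f9b34fb"    # suffix of the Bluetooth SIG base UUID
KNOWN_16 = {0x2A00: "Device Name", 0x2A05: "Service Changed"}   # tiny subset for the example

LINE = re.compile(r"handle:\s*(0x[0-9a-f]+),\s*char properties:\s*(0x[0-9a-f]+),\s*"
                  r"char value handle:\s*(0x[0-9a-f]+),\s*uuid:\s*([0-9a-f-]+)", re.I)

def parse_characteristics(text: str) -> list:
    """Turn gatttool 'characteristics' output into dicts with decoded property flags."""
    out = []
    for m in LINE.finditer(text):
        props = int(m.group(2), 16)
        uuid = m.group(4).lower()
        # 0000XXXX-<base> is a SIG-assigned 16-bit UUID; anything else is vendor-specific
        short = int(uuid[4:8], 16) if uuid.startswith("0000") and uuid.endswith(BT_BASE) else None
        out.append({"handle": int(m.group(1), 16), "value_handle": int(m.group(3), 16),
                    "uuid": uuid, "name": KNOWN_16.get(short, "vendor/unknown"),
                    "props": [n for bit, n in PROPS.items() if props & bit],
                    "writable": bool(props & (0x04 | 0x08))})   # worth flagging in a review
    return out

# Constructed input: the two lines from the gatttool session above plus one made-up
# vendor characteristic (read + write) to show a writable one being flagged.
SAMPLE = """\
handle: 0x0002, char properties: 0x20, char value handle: 0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
handle: 0x0015, char properties: 0x02, char value handle: 0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
handle: 0x002d, char properties: 0x0a, char value handle: 0x002e, uuid: 0000ff06-0000-1000-8000-00805f9b34fb
"""
```

The regex tolerates the line wrapping gatttool sometimes produces after `char value handle:`, so the raw terminal paste can be fed in as-is.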

### Bettercap

#### BLE Sniffing

**Passive Sniffing**

Passive sniffing is the process of monitoring BLE traffic without actively participating in the communication. Bettercap can be used to passively sniff BLE traffic by setting up a BLE proxy and forwarding all traffic through it.

To start passive sniffing with Bettercap, use the following command:

```bash
ble.recon on
```

This command will enable BLE reconnaissance mode in Bettercap, allowing you to passively sniff BLE traffic in the vicinity.

**Active Sniffing**

Active sniffing involves actively participating in the BLE communication by sending specific packets to devices and capturing their responses. Bettercap supports active sniffing by allowing you to send custom BLE packets and analyze the responses.

To start active sniffing with Bettercap, use the following command:

```bash
ble.recon on
ble.enum <MAC ADDR>   # ble.enum needs the address of a device found by ble.recon
```

The `ble.enum` command will send enumeration packets to nearby devices and display their responses, allowing you to gather information about the devices in the vicinity.

```bash
# Start listening for beacons
sudo bettercap --eval "ble.recon on"
# Wait some time
>> ble.show # Show discovered devices
>> ble.enum <mac addr> # This will show the service, characteristics and properties supported

# Write data in a characteristic
>> ble.write <MAC ADDR> <UUID> <HEX DATA>
>> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06
```

