
Workflow

sgxgsx edited this page May 13, 2024 · 1 revision

Because of its modular design the toolkit can be used in several ways, but its main purpose is to test a Bluetooth Classic enabled device for known vulnerabilities. The modular design lets a user test a single vulnerability, all of them at once, or a specific family of vulnerabilities, provided the required hardware is available. Most of the exploits in the arsenal are semi-automated; a few require manual actions from the user, mainly because the Bluetooth actions of the responding device cannot be automated or are too device-specific. Overall the toolkit has the following use cases:

  • Collect reconnaissance information
  • Test a single exploit
  • Test all exploits
  • Test all exploits but exclude some
  • Test only specific exploits
  • Save and restore tests from a checkpoint

Typical workflow

First, it's recommended to collect reconnaissance information from the target device, both to give the toolkit additional data and to run additional analysis. To do so, run the following commands:

  • Put the target device in discoverable mode. Alternatively, you can test what information is collected without any interaction on your part, when the target device is in discoverable mode, and when the testing and target devices are paired.
  • Get the MAC address of the target device. If needed, use the following guide: LINK_TO_FIND_OUT_MAC_ADDRESS
  • For reconnaissance, activate the toolkit's Python virtual environment:
source /usr/share/BlueToolkit/.venv/bin/activate
  • Then run:
sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -r

After that we can test all exploits or only specific ones, but first we need to verify connectivity and check which exploits are available to us.

  • Activate the Python environment:
source /usr/share/BlueToolkit/.venv/bin/activate
  • Check the available exploits:
sudo -E env PATH=$PATH bluekit -l
  • Check connectivity with the target device:
sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -ct
  • If everything is okay, we can start testing all exploits available on our machine:
sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF
  • Some exploits require manual intervention. Respond to the pairing prompts as soon as possible, and always accept the pairing. If after pairing your test device gets into a non-pairing state, re-enable pairing, for example by making it look for a new device to pair with.
  • At the end, all data is copied to ~/toolkit/data/, structured by MAC address and then by exploit. There you can review the PCAP captures, logs and results.

Find out a target MAC address

To get the MAC address of the target device, run the following commands in the bluetoothctl shell:

bluetoothctl
scan on
  • If you can't find the name of the target device and its MAC, enter the following commands in the bluetoothctl shell and try to pair the target device with the test device:
discoverable on
pairable on
  • Then exit the bluetoothctl shell by typing:
exit

List available exploits

To list the available exploits, run the following commands:

source /usr/share/BlueToolkit/.venv/bin/activate
sudo -E env PATH=$PATH bluekit -l

Create a report

To create a report based on the information collected by the toolkit, execute the following commands:

source /usr/share/BlueToolkit/.venv/bin/activate
sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF --report

Running only a specific exploit

It's recommended to collect reconnaissance information before running the exploit.

  • First, find out the MAC address of the target device: LINK_TO_FIND_OUT_MAC_ADDRESS
  • Activate the Python environment if needed:
source /usr/share/BlueToolkit/.venv/bin/activate
  • Check connectivity with the target device if needed:
sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -ct
  • Get the name of the exploit you want to run: LINK_LIST_EXPLOITS
  • Run invalid_max_slot (or any other exploit):
sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -e invalid_max_slot

Running specific exploits

You have to do everything the same as in RUNNING_ONLY_A_SPECIFIC_EXPLOIT, except for the last command.

  • Run the invalid_max_slot, au_rand_flooding and internalblue_knob exploits, or any other exploits you want:
sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -e invalid_max_slot au_rand_flooding internalblue_knob

Running all exploits except some

You have to do everything the same as in RUNNING_ONLY_A_SPECIFIC_EXPLOIT, except for the last command.

  • Run all exploits except invalid_max_slot and au_rand_flooding (or any others you want to exclude):
sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -ex invalid_max_slot au_rand_flooding

Note: the --exclude and --exploit parameters are mutually exclusive; you can't use both in the same command. If both are given, --exploit takes precedence.
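The following helper is an added example and not part of BlueToolkit: it assembles the bluekit command lines shown in these sections and rejects invalid input before anything runs under sudo, checking the target MAC format, restricting exploit names to plain identifiers, and refusing a command that combines --exploit with --exclude. The function names and mode keywords are my own assumptions; the script only prints the command, it never executes it.

```shell
#!/bin/sh
# Hypothetical helper, not part of BlueToolkit: assemble the bluekit command
# lines used on this wiki page and reject invalid input before sudo is
# involved. It only prints the command line; it never executes it.

# A Bluetooth MAC address is six hex octets separated by colons.
is_mac() {
  printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Return non-zero if an argument list combines -e/--exploit with -ex/--exclude,
# which the wiki documents as mutually exclusive (--exploit would win silently).
check_bluekit_args() {
  has_e=0; has_ex=0
  for arg in "$@"; do
    case $arg in
      -e|--exploit) has_e=1 ;;
      -ex|--exclude) has_ex=1 ;;
    esac
  done
  [ "$has_e" -eq 1 ] && [ "$has_ex" -eq 1 ] && return 1
  return 0
}

# build_bluekit_cmd TARGET_MAC MODE [EXPLOIT...]
#   MODE: recon | connectivity | report | all | checkpoint | only | exclude
build_bluekit_cmd() {
  [ $# -ge 2 ] || { echo "usage: build_bluekit_cmd MAC MODE [EXPLOIT...]" >&2; return 1; }
  target=$1; mode=$2; shift 2
  is_mac "$target" || { echo "error: '$target' is not a valid MAC address" >&2; return 1; }
  base="sudo -E env PATH=\$PATH bluekit -t $target"
  case $mode in
    recon)        echo "$base -r" ;;
    connectivity) echo "$base -ct" ;;
    report)       echo "$base --report" ;;
    all)          echo "$base" ;;
    checkpoint)   echo "$base -ch" ;;      # resume from a saved checkpoint
    only|exclude)
      [ $# -gt 0 ] || { echo "error: $mode needs at least one exploit name" >&2; return 1; }
      for name in "$@"; do                  # exploit names are plain identifiers
        case $name in
          *[!A-Za-z0-9_]*) echo "error: bad exploit name '$name'" >&2; return 1 ;;
        esac
      done
      flag=-e; [ "$mode" = exclude ] && flag=-ex
      echo "$base $flag $*" ;;
    *) echo "error: unknown mode '$mode'" >&2; return 1 ;;
  esac
}
```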

Saving a checkpoint

You can save a checkpoint of a running test when the toolkit finds the test device unavailable and prompts you:

  • Enter the following command at the prompt:
backup
  • The toolkit then backs up the already finished exploits, and next time you can resume from the checkpoint.

Restoring tests from a checkpoint

You can restore tests from a checkpoint, if one exists for the target device, by following all the steps in RUNNING_ONLY_A_SPECIFIC_EXPLOIT except for the last command.

  • Then add the following parameter to your desired command:
-ch
  • For example, if you were testing all exploits, your command would look like this:
sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -ch