# Pentesting BLE - Bluetooth Low Energy {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** šŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** šŸ¦ [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %} ## Introduction Available since the Bluetooth 4.0 specification, BLE uses only 40 channels, covering the range of 2400 to 2483.5 MHz. In contrast, traditional Bluetooth uses 79 channels in that same range. BLE devices communicate is by sending **advertising packets** (**beacons**), these packets broadcast the BLE deviceā€™s existence to other nearby devices. These beacons sometimes **send data**, too. The listening device, also called a central device, can respond to an advertising packet with a **SCAN request** sent specifically to the advertising device. The **response** to that scan uses the same structure as the **advertising** packet with additional information that couldnā€™t fit on the initial advertising request, such as the full device name. ![](<../../.gitbook/assets/image (152).png>) The preamble byte synchronizes the frequency, whereas the four-byte access address is a **connection identifier**, which is used in scenarios where multiple devices are trying to establish connections on the same channels. Next, the Protocol Data Unit (**PDU**) contains the **advertising data**. There are several types of PDU; the most commonly used are ADV\_NONCONN\_IND and ADV\_IND. Devices use the **ADV\_NONCONN\_IND** PDU type if they **donā€™t accept connections**, transmitting data only in the advertising packet. Devices use **ADV\_IND** if they **allow connections** and **stop sending advertising** packets once a **connection** has been **established**. ### GATT The **Generic Attribute Profile** (GATT) defines how the **device should format and transfer data**. When youā€™re analyzing a BLE deviceā€™s attack surface, youā€™ll often concentrate your attention on the GATT (or GATTs), because itā€™s how **device functionality gets triggered** and how data gets stored, grouped, and modified. The GATT lists a deviceā€™s characteristics, descriptors, and services in a table as either 16- or 32-bits values. A **characteristic** is a **data** value **sent** between the central device and peripheral. These characteristics can have **descriptors** that **provide additional information about them**. **Characteristics** are often **grouped** in **services** if theyā€™re related to performing a particular action. ## Enumeration ```bash hciconfig #Check config, check if UP or DOWN # If DOWN try: sudo modprobe -c bluetooth sudo hciconfig hci0 down && sudo hciconfig hci0 up # Spoof MAC spooftooph -i hci0 -a 11:22:33:44:55:66 ``` ### GATTool **GATTool** allows to **establish** a **connection** with another device, listing that deviceā€™s **characteristics**, and reading and writing its attributes.\ GATTTool can launch an interactive shell with the `-I` option: ```bash gatttool -i hci0 -I [ ][LE]> connect 24:62:AB:B1:A8:3E Attempting to connect to A4:CF:12:6C:B3:76 Connection successful [A4:CF:12:6C:B3:76][LE]> characteristics handle: 0x0002, char properties: 0x20, char value handle: 0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb handle: 0x0015, char properties: 0x02, char value handle: 0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb [...] # Write data gatttool -i -b --char-write-req -n gatttool -b a4:cf:12:6c:b3:76 --char-write-req -a 0x002e -n $(echo -n "04dc54d9053b4307680a"|xxd -ps) # Read data gatttool -i -b --char-read -a 0x16 # Read connecting with an authenticated encrypted connection gatttool --sec-level=high -b a4:cf:12:6c:b3:76 --char-read -a 0x002c ``` ### Bettercap ```bash # Start listening for beacons sudo bettercap --eval "ble.recon on" # Wait some time >> ble.show # Show discovered devices >> ble.enum # This will show the service, characteristics and properties supported # Write data in a characteristic >> ble.write >> ble.write ff06 68656c6c6f # Write "hello" in ff06 ``` {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** šŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** šŸ¦ [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}