From cybersec-toolkit
Guides Bluetooth Classic (BR/EDR) attack methodology — device discovery, SDP enumeration, LMP/L2CAP attacks, PIN cracking (BlueBorne/KNOB), and profile abuse. Use for authorized security testing of legacy Bluetooth devices.
Slash command: `/cybersec-toolkit:offensive-bluetooth-classic`
Older than BLE, less commonly attacked today, but still present in cars, industrial sensors, audio gear, and legacy enterprise hardware. Many of the well-known historic attacks (BlueSnarf, BlueBug) are mitigated; KNOB and the BlueBorne family remain relevant against unpatched devices.
hcitool / bluetoothctl / redfang

```bash
# Modern adapter (built-in or USB Bluetooth 4.0+)
sudo hciconfig hci0 up
sudo hcitool inq                 # inquiry
sudo hcitool scan --length=12    # 12-second scan

# bluetoothctl interactive
bluetoothctl
> scan on
> devices

# Only devices in discoverable mode appear; non-discoverable ones need their address brute-forced
sudo redfang -r 00:00:00:00:00:00-FF:FF:FF:FF:FF:FF
# (very slow — ~7 hours per OUI prefix)
```

```bash
# List all services on a device
sdptool browse AA:BB:CC:DD:EE:FF
sdptool records AA:BB:CC:DD:EE:FF
```
Common profiles and their attack relevance:
| Profile | UUID | Attack |
|---|---|---|
| OBEX Object Push (OPP) | 0x1105 | BlueSnarf/BlueBug on legacy phones (mostly extinct) |
| OBEX File Transfer (FTP) | 0x1106 | Browse / write filesystem on legacy devices |
| Headset (HSP/HFP) | 0x1108 / 0x111E | Eavesdrop active call audio |
| Serial Port Profile (SPP) | 0x1101 | Industrial/IoT debug ports — often unauthenticated |
| HID | 0x1124 | Keyboard/mouse impersonation |
| Audio Sink/Source (A2DP) | 0x110B / 0x110A | Audio injection/eavesdrop |
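The SDP enumeration step produces a text dump, and step 6 of the checklist asks for a per-device record of exposed profiles. The script below is an added example, not code from the cybersec-toolkit skill or its author: it parses the text `sdptool browse <MAC>` prints (the embedded sample is constructed, modelled on BlueZ's sdptool output layout), pulls each service record's class UUIDs, profile-descriptor UUIDs and RFCOMM channel, and maps them onto the profile table above. It goes slightly beyond the table in one respect: it also reads the Profile Descriptor List, because a headset audio gateway advertises class UUID 0x1112 and only names HSP (0x1108) in its profile descriptor. The severity tiers, the sample records and the device address are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Profile table from this page, keyed by 16-bit UUID -> (profile, severity, why it matters). Severity is an
# assumption made for triage ordering: command channels and input control rank above audio profiles.
PROFILE_TABLE = {
    0x1101: ("Serial Port Profile (SPP)", "high", "debug/telemetry CLI over a virtual COM port, often unauthenticated"),
    0x1124: ("HID", "high", "keyboard/mouse input accepted from this device class"),
    0x1106: ("OBEX File Transfer (FTP)", "high", "filesystem browse/write on legacy devices"),
    0x1105: ("OBEX Object Push (OPP)", "medium", "historic BlueSnarf/BlueBug surface, mostly extinct"),
    0x1108: ("Headset (HSP)", "medium", "active call audio exposure"),
    0x111E: ("Hands-Free (HFP)", "medium", "active call audio exposure"),
    0x110B: ("Audio Sink (A2DP)", "low", "audio injection/eavesdrop"),
    0x110A: ("Audio Source (A2DP)", "low", "audio injection/eavesdrop"),
}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}
UUID_RE = re.compile(r'"[^"]*"\s+\(0x([0-9A-Fa-f]{4})\)')  # matches e.g.  "Serial Port" (0x1101)
CHANNEL_RE = re.compile(r"Channel:\s*(\d+)")               # RFCOMM channel under the protocol list


@dataclass
class SdpRecord:
    name: str = ""
    handle: str = ""
    class_uuids: List[int] = field(default_factory=list)    # from "Service Class ID List"
    profile_uuids: List[int] = field(default_factory=list)  # from "Profile Descriptor List"
    rfcomm_channel: Optional[int] = None                    # None for L2CAP-only services


def parse_sdp_browse(text: str) -> List[SdpRecord]:
    """Split `sdptool browse` text into records; each opens with Service Name (or RecHandle if unnamed)."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("Browsing"):
            current = None                      # a blank line (or the banner) ends the current record
            continue
        if line.startswith("Service Name:") or current is None:
            current, section = SdpRecord(), None
            records.append(current)
        if line.startswith("Service Name:"):
            current.name = line.split(":", 1)[1].strip()
        elif line.startswith("Service RecHandle:"):
            current.handle = line.split(":", 1)[1].strip()
        elif not line[0].isspace() and line.endswith(":"):
            section = line[:-1]                 # unindented "...:" lines name the attribute list
        elif section in ("Service Class ID List", "Profile Descriptor List"):
            m = UUID_RE.search(line)
            if m:
                target = current.class_uuids if section == "Service Class ID List" else current.profile_uuids
                target.append(int(m.group(1), 16))
        elif section == "Protocol Descriptor List":
            m = CHANNEL_RE.search(line)
            if m:
                current.rfcomm_channel = int(m.group(1))
    return records


def assess(address: str, records: List[SdpRecord]) -> List[dict]:
    """Map each record's class and profile UUIDs onto the table; UUIDs outside the table are ignored."""
    findings = []
    for rec in records:
        for uuid in dict.fromkeys(rec.class_uuids + rec.profile_uuids):   # de-duplicate, keep order
            if uuid in PROFILE_TABLE:
                profile, severity, why = PROFILE_TABLE[uuid]
                findings.append({"device": address, "service": rec.name or rec.handle,
                                 "uuid": f"0x{uuid:04X}", "profile": profile, "severity": severity,
                                 "rfcomm_channel": rec.rfcomm_channel, "why": why})
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])   # stable sort keeps SDP order within a tier
    return findings


# Constructed sample shaped like real sdptool output; not captured from any device.
SAMPLE_SDP_OUTPUT = """\
Service Name: Serial Port
Service RecHandle: 0x10001
Service Class ID List:
  "Serial Port" (0x1101)
Protocol Descriptor List:
  "RFCOMM" (0x0003)
    Channel: 1

Service Name: Audio Sink
Service Class ID List:
  "Audio Sink" (0x110b)
Protocol Descriptor List:
  "L2CAP" (0x0100)
    PSM: 25

Service Name: Headset Audio Gateway
Service Class ID List:
  "Headset Audio Gateway" (0x1112)
Protocol Descriptor List:
  "RFCOMM" (0x0003)
    Channel: 2
Profile Descriptor List:
  "Headset" (0x1108)
"""

if __name__ == "__main__":
    for f in assess("AA:BB:CC:DD:EE:FF", parse_sdp_browse(SAMPLE_SDP_OUTPUT)):
        print(f"[{f['severity'].upper():<6}] {f['uuid']} {f['profile']} ({f['service']}, RFCOMM ch {f['rfcomm_channel']}): {f['why']}")
```

Run it on a saved dump with `parse_sdp_browse(open("device.sdp").read())`; the findings list is what goes into the per-device write-up, with the "high" tier (SPP, HID, FTP) being the records whose authentication state needs to be confirmed first.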
The Serial Port Profile (SPP) tunnels arbitrary data over Bluetooth as a virtual COM port. Industrial / IoT devices use it for debug or telemetry, often without authentication.
```bash
# Connect to the SPP service, typically on RFCOMM channel 1
sudo rfcomm bind /dev/rfcomm0 AA:BB:CC:DD:EE:FF 1
sudo screen /dev/rfcomm0 9600
# Then interact with the device's CLI / debug menu
```
Forces the Bluetooth Classic link to negotiate a 1-byte encryption key, which makes that key trivially brute-forceable.
```bash
# Test with internalblue (requires Broadcom firmware patch)
git clone https://github.com/seemoo-lab/internalblue
internalblue
> log keys
# Patch firmware to allow a 1-byte key; pair with the target; observe the weak key
```
Patched in firmware on most modern devices. Still works against:
A family of buffer overflows / info leaks in major Bluetooth stacks (Linux BlueZ, Android, Windows, iOS). Mostly patched 2017–2018, but unpatched embedded Linux devices are common.
```bash
# Armis blueborne-scanner — checks patch level
git clone https://github.com/ArmisSecurity/blueborne
python blueborne_scanner.py AA:BB:CC:DD:EE:FF
```
If pairing succeeds via Just Works or weak PIN, you can register as a HID device — keystroke injection on an unattended Bluetooth-paired host.
```bash
# bdaddr + HID example — register a custom HID service over rfcomm
hcitool dev
hciconfig hci0 class 0x000540   # HID device class
sdptool add HID
# Use a HID descriptor crafted as a keyboard, send keystrokes
```
If a target has a Bluetooth headset paired and active, and you can re-pair (PIN brute-force or KNOB):
```bash
# 1. Discover
sudo hcitool inq
# 2. Enumerate services per device
sdptool browse <MAC>
# 3. SPP (industrial/IoT) — connect and explore
sudo rfcomm bind /dev/rfcomm0 <MAC> 1
sudo screen /dev/rfcomm0 9600
# 4. Patch-level scan
python blueborne_scanner.py <MAC>
# 5. KNOB testing (with an adapter that supports internalblue)
#    internalblue → log keys → re-pair target
# 6. Document profiles, auth state, exposed commands per device
```
Install the plugin:

```bash
npx claudepluginhub 26zl/cybersec-toolkit --plugin cybersec-toolkit
```