Bluetooth Pentesting guide

Bluetooth Pentesting guide


It’s interesting how in our daily lives, there are signals that we can’t perceive with our own eyes, but devices are capable of various wireless communications. Some of the wireless communication protocols in IoT include:

Wireless Protocols

  • WiFi (Wireless Fidelity)
  • Bluetooth
  • Zigbee
  • Z-Wave
  • LoRA
  • GSM

Now, let’s delve into the topic, focusing primarily on vulnerabilities in Bluetooth:

Vulnerabilites in Bluetooth

  • Authentication
  • MiTM (Man-in-the-Middle attacks)
  • DoS (Denial of Service)
  • MAC Spoofing
  • PIN Cracking
  • Brute force

In Android Bluetooth, we often encounter vulnerabilities such as:

  • RCE (Remote Code Execution)
  • EoP (Elevation of Privilege)
  • ID (Information Disclosure)
  • DoS (Denial of Service)
  • PAIR (Pairing without Authentication)
  • Bluetborne

At a more significant level, vulnerabilities can extend to:

  • Hardware
  • Memory Leakage

The procedure remains the same; we scan the surrounding devices and initiate attacks using information available in various write-ups on Google.

Now, let’s explore the nuances of how Bluetooth works.

Starting with the required installation tools:

A bash script for BLE Pentesting tools is available for installation on Ubuntu or Debian OS. Simply download it from here:


Give the script permission to run:

bash Copy code chmod +x Execute the script:

bash Copy code ./ This will install the necessary tools with their dependencies. Once equipped with the tools, the next step is to understand the process before delving into hacking, fuzzing, and MiTM attacks on BLE devices.

For the Bluetooth Pentest, you’ll need:

ESP32 (Espressif Device) Smartband purchased from Flipkart (₹359) or other online sellers. ESP32 Smartband

Bluetooth Pentest Guide:

Flashing the codes to ESP32 Understanding BLE with Mobile App Configuration Recon Techniques Finding Vulnerabilities Python & easy bash scripts Cheatsheet General Cheat Sheet:

bash Copy code dmesg | egrep -i ‘blue|firm’ Hcitool tool:

bash Copy code hciconfig - sudo apt-get install bluez For Non-LE Devices:

bash Copy code hcitool scan - to scan basic Bluetooth devices hcitool info -

For LE Devices:

hcitool lescan - for scanning LE devices
hcitool leinfo <baddr> - for getting info on LE Devices

Install bleak::

sudo pip3 install bleak
sudo pip install service_identity


sudo bleak-lescan


sudo sdptool browse --tree --raw <baddr> - 

Browse all available services on the device specified by a Bluetooth address as a parameter

© 2024 Mr-IoT