‹ 首页

offensive-bluetooth-classic

@snailsploit · 收录于 1 周前 · 上游提交 2 个月前

Bluetooth Classic (BR/EDR) attack methodology — device discovery, service enumeration via SDP, LMP/L2CAP layer attacks, legacy PIN cracking (BlueBorne / KNOB), Bluetooth file-transfer abuse (BlueSnarfing legacy), unauthenticated profile abuse (HSP, HFP, OPP), and modern relevance against older industrial / automotive / accessory targets. Use when in-scope devices use Bluetooth Classic (Bluetooth ≤ 4.0 BR/EDR) — common in legacy car kits, industrial sensors, older medical devices, and audio accessories.

适合你,如果需要对老旧蓝牙设备进行安全评估

/ 下载安装
offensive-bluetooth-classic.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add snailsploit/claude-red/offensive-bluetooth-classic
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- snailsploit/claude-red/offensive-bluetooth-classic
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify snailsploit/claude-red/offensive-bluetooth-classic
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
2669GitHub stars
~1.1K上下文体积 · 单文件
镜像托管

怎么用

商店整理自技能原文 · 版本 aeb41ec · 表述以原文为准
它做什么

装上后,Claude 会指导你使用蓝牙经典(BR/EDR)攻击方法,包括设备发现、服务枚举、LMP/L2CAP 层攻击、旧式 PIN 破解(BlueBorne/KNOB)、蓝牙文件传输滥用(BlueSnarfing)以及未认证配置文件滥用(HSP、HFP、OPP)。

什么时候触发

当目标设备使用蓝牙经典(蓝牙 ≤ 4.0 BR/EDR)时触发,常见于旧款车载套件、工业传感器、医疗设备和音频配件。

装好后可以这样说
技能原文 SKILL.md作者撰写 · MIT · aeb41ec

Bluetooth Classic (BR/EDR) Attacks

Older than BLE, less commonly attacked today, but still present in cars, industrial sensors, audio gear, and legacy enterprise hardware. Many of the well-known historic attacks (BlueSnarf, BlueBug) are mitigated; KNOB and the BlueBorne family remain relevant against unpatched devices.

Quick Workflow
  1. Discover devices with hcitool / bluetoothctl / redfang
  2. Enumerate exposed services via SDP
  3. Test each service profile for unauth access
  4. Check pairing crypto (KNOB applicability)
  5. Proximity-physical attacks for legacy / unpatched

Discovery
# Modern adapter (built-in or USB Bluetooth 4.0+)
sudo hciconfig hci0 up
sudo hcitool inq                       # inquiry
sudo hcitool scan --length=12          # 12-second scan

# bluetoothctl interactive
bluetoothctl
> scan on
> devices

# Discoverable-mode-only devices appear; non-discoverable need address brute
sudo redfang -r 00:00:00:00:00:00-FF:FF:FF:FF:FF:FF
# (very slow — ~7 hours per OUI prefix)
Service Discovery (SDP)
# List all services on a device
sdptool browse AA:BB:CC:DD:EE:FF
sdptool records AA:BB:CC:DD:EE:FF

Common profiles and their attack relevance:

| Profile | UUID | Attack | |---|---|---| | OBEX Object Push (OPP) | 0x1105 | BlueSnarf/BlueBug on legacy phones (mostly extinct) | | OBEX File Transfer (FTP) | 0x1106 | Browse / write filesystem on legacy devices | | Headset (HSP/HFP) | 0x1108 / 0x111E | Eavesdrop active call audio | | Serial Port Profile (SPP) | 0x1101 | Industrial/IoT debug ports — often unauthenticated | | HID | 0x1124 | Keyboard/mouse impersonation | | Audio Sink/Source (A2DP) | 0x110B / 0x110A | Audio injection/eavesdrop |

SPP Abuse

The Serial Port Profile (SPP) tunnels arbitrary data over Bluetooth as a virtual COM port. Industrial / IoT devices use it for debug or telemetry, often without authentication.

# Connect to SPP service, channel typically 1
sudo rfcomm bind /dev/rfcomm0 AA:BB:CC:DD:EE:FF 1
sudo screen /dev/rfcomm0 9600
# Then interact with the device's CLI / debug menu
KNOB (CVE-2019-9506)

Forces Bluetooth pairing to negotiate a 1-byte encryption key — making the link key trivially brute-forceable.

# Test with internalblue (requires Broadcom firmware patch)
git clone https://github.com/seemoo-lab/internalblue
internalblue
> log keys
# Patch firmware to allow 1-byte key; pair with target; observe weak key

Patched in firmware on most modern devices. Still works against:

  • Older Broadcom-based devices (pre-2019 BCM chipsets)
  • Embedded automotive Bluetooth stacks
  • Cheap consumer audio gear
BlueBorne (CVE-2017-1000251 et al.)

A family of buffer overflows / info leaks in major Bluetooth stacks (Linux BlueZ, Android, Windows, iOS). Mostly patched 2017–2018, but unpatched embedded Linux devices are common.

# Armis blueborne-scanner — checks for patch-level
git clone https://github.com/ArmisSecurity/blueborne
python blueborne_scanner.py AA:BB:CC:DD:EE:FF
HID Spoofing (PoC)

If pairing succeeds via Just Works or weak PIN, you can register as a HID device — keystroke injection on an unattended Bluetooth-paired host.

# bdaddr + HID example — register custom HID on rfcomm
hcitool dev
hciconfig hci0 class 0x000540   # HID device class
sdptool add HID
# Use a HID descriptor crafted as keyboard, send keystrokes
Audio Eavesdropping

If a target has Bluetooth headset paired and active, and you can re-pair (PIN brute or KNOB):

  • HSP/HFP profiles let you become the peer and receive audio
  • Some firmware allows simultaneous peer connections — eavesdrop without disrupting
Engagement Cheatsheet
# 1. Discover
sudo hcitool inq

# 2. Enumerate services per device
sdptool browse <MAC>

# 3. SPP (industrial/IoT) — connect and explore
sudo rfcomm bind /dev/rfcomm0 <MAC> 1
sudo screen /dev/rfcomm0 9600

# 4. Patch-level scan
python blueborne_scanner.py <MAC>

# 5. KNOB testing (with adapter that supports internalblue)
internalblue → log keys → re-pair target

# 6. Document profiles, auth state, exposed commands per device
Detection
  • No native Bluetooth Classic IDS in most environments
  • Active inquiry visible to nearby Bluetooth-aware monitoring (rare)
  • Re-pairing prompts on target devices may surface to users
Reporting
  • Identify chipset + firmware version per device (often visible in service records)
  • Map CVE applicability (BlueBorne, KNOB, BlueFrag, et al.)
  • Document specific profile abuses (SPP exposed without auth, HID spoofing successful, etc.)

Key References
  • internalblue: github.com/seemoo-lab/internalblue
  • KNOB attack: knobattack.com
  • BlueBorne: armis.com/blueborne
  • Bluetooth Core Spec — Volume 2 (BR/EDR Controller)
  • Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md
按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。