SbleedyGonzales is a command-line tool designed to run various exploits against Bluetooth devices. With its fast execution and easy-to-use interface, Sbleedy Gonzales allows security researchers and developers to identify known vulnerabilities in BLE and BR/EDR devices in an automated manner, without requiring prior knowledge of the individual vulnerabilities.
- Multiple Exploit Support: Run several BLE + BR/EDR vulnerability exploits at once.
- Custom Exploit Execution: Easily add new exploits and customize attack parameters.
- Detailed Reports: Generates JSON-based reports for each exploit executed against a target device.
- Cross-Platform: Compatible with Linux-based platforms with Bluetooth support.
- Hardware Support: Easy option to flash the hardware with the necessary firmware.
Sbleedy Gonzales includes various BLE-related exploits, such as:
- Sweyntooth: A suite of exploits targeting BLE vulnerabilities such as L2CAP length overflow and truncated L2CAP, leading to crashes, deadlocks and security bypasses.
- KNOB BLE: A vulnerability that lets an attacker interfere with the pairing process by reducing the entropy of the encryption key, making brute-force attacks easier and potentially allowing unauthorized access.
- BleedingTooth: A set of zero-click vulnerabilities in the Linux Bluetooth subsystem that can allow an unauthenticated remote attacker within short range to execute arbitrary code with kernel privileges on vulnerable devices.
- And many more...
Read the SbleedyGonzales Wiki page for more information about all included exploits.
- Bluetooth Adapter: A compatible Bluetooth adapter that supports BLE (verify by running hciconfig)
The framework requires Python 2.7 and Python 3.10. A shell script is provided to install these versions and all required dependencies in virtual environments. A Dockerfile is also available for running SbleedyGonzales in a container with tools like Podman or Docker. Please refer to the Installation Wiki page for further instructions.
usage: sbleedy [-h] [-l] [-chw] [-fhw HARDWARE] [-i EXPLOITS] [-t TARGET] [-ct] [-ex EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...]] [-in EXPLOITS [EXPLOITS ...]] [-wi] [-r] [-re] [-rej] [-hw HARDWARE [HARDWARE ...]] [-v] ...
options:
-h, --help show this help message and exit
-t TARGET, --target TARGET
target MAC address
-l, --listexploits List exploits or not
-i, --info EXPLOITS Prints information about the given exploit-indexes, e.g. --info 12-15,20
-ct, --checktarget Check connectivity and availability of the target
-ch, --checkpoint Start from a checkpoint (if one exists for the given target)
-ex EXPLOITS [EXPLOITS ...], --exclude EXPLOITS [EXPLOITS ...]
Exclude exploits (e.g. --exclude exploit1, exploit2 OR --exclude 1,5)
-in EXPLOITS [EXPLOITS ...], --include EXPLOITS [EXPLOITS ...]
Scan only for provided (e.g. --include exploit1, exploit2 OR --include 1-4), --exclude is not taken into account
-wi, --withinput Also run non-automated scripts (those that require user input or interaction, e.g. to establish a connection); by default (without this flag) only automated scripts (automated = true) are executed
-r, --recon Run a recon script. Saved in results/{target mac}/recon/
-re, --report Create a report for a target device
-rej, --reportjson Create a JSON report for a target device
-hw HARDWARE, --hardware HARDWARE
Scan only for provided exploits based on hardware, e.g. --hardware nRF52840; --exclude and --exploit are not taken into account
-chw, --checkhardware Check for connected hardware
-fhw, --flashhardware HARDWARE
Flash firmware onto connected hardware (e.g. -fhw nRF52840), get hardware names with -chw
-v, --verbose Verbosity on/off (additional output during exploit execution in the terminal); regardless of this flag the output is always saved in results/{target}/exploit_output.log
EXAMPLES:
Run sbleedy recon:
$ sudo sbleedy -t AA:BB:CC:DD:EE:FF -r
Run sbleedy connectivity check:
$ sudo sbleedy -t AA:BB:CC:DD:EE:FF -ct
Run sbleedy with specific exploits:
$ sudo sbleedy -t AA:BB:CC:DD:EE:FF -in 1-3,5
Run sbleedy and list all available exploits:
$ sudo sbleedy -l
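The selection rules stated in the help text above (--include overrides --exclude, --hardware ignores both, and only automated scripts run unless -wi is given) are easy to get wrong in a wrapper script. The following is an added example, not SbleedyGonzales' own code; it resolves sbleedy-style selectors such as `1-3,5` or `exploit1, exploit2` against a constructed sample catalog (names, indices and hardware tags are placeholders) and rejects selectors that reference nothing:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Exploit:
    index: int
    name: str
    hardware: str
    automated: bool  # help text: only "automated = true" scripts run without -wi

# Constructed sample catalog; indices, names and hardware tags are placeholders.
CATALOG = [
    Exploit(1, "l2cap_length_overflow", "nRF52840", True),
    Exploit(2, "truncated_l2cap", "nRF52840", True),
    Exploit(3, "knob_ble", "nRF52840", False),
    Exploit(4, "badkarma", "hci", True),
    Exploit(5, "keystroke_injection", "crazyradio", False),
]

def parse_selection(spec, catalog):
    """Turn '1-3,5' or 'exploit1, exploit2' into a set of exploit indices.
    Rejects unknown names, reversed ranges and indices missing from the catalog."""
    by_name = {e.name: e.index for e in catalog}
    valid = {e.index for e in catalog}
    chosen = set()
    for token in (t.strip() for t in spec.split(",") if t.strip()):
        if token in by_name:
            chosen.add(by_name[token])
            continue
        lo, _, hi = token.partition("-")
        if not lo.isdigit() or (hi and not hi.isdigit()):
            raise ValueError(f"unknown exploit selector: {token!r}")
        lo_i, hi_i = int(lo), int(hi) if hi else int(lo)
        rng = set(range(lo_i, hi_i + 1))          # empty when lo > hi
        if not rng or not rng <= valid:
            raise ValueError(f"index range out of bounds: {token!r}")
        chosen |= rng
    return chosen

def select_exploits(catalog, include=None, exclude=None, hardware=None, with_input=False):
    """Apply the precedence from the help text: --hardware ignores --include and
    --exclude, --include ignores --exclude, and without -wi only automated scripts stay."""
    picked = list(catalog)
    if hardware:
        picked = [e for e in picked if e.hardware == hardware]
    elif include or exclude:
        idx = parse_selection(include or exclude, catalog)
        picked = [e for e in picked if (e.index in idx) == bool(include)]  # include keeps, exclude drops
    if not with_input:
        picked = [e for e in picked if e.automated]
    return [e.index for e in picked]
```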
Documentation is available at the [SbleedyGonzales Wiki](https://github.com/b0rdst31n/SbleedyGonzales/wiki).
To get the MAC address of your target device, there is a helper script available for BLE devices (see Wiki - Helper Scripts), or just use the standard Linux commands such as 'sudo hcitool scan' (BR/EDR) or 'sudo hcitool lescan' (LE).
This project builds upon the foundational work provided by BlueToolkit. While adapting some elements from BlueToolkit's structure and code, I have tailored and expanded upon these components to fit the specific requirements of my framework for automated BLE exploit execution. Special thanks to the contributors of BlueToolkit for providing a solid foundation and valuable resources for Bluetooth exploration. This framework includes the following PoC implementations for BLE vulnerabilities:
- Sweyntooth Bluetooth Low Energy Attacks by Matheus Garbelini
- Bleedingtooth BadKarma, BadVibes and BadChoice by Google Security Research
- KNOB BLE Attack by Matheus Garbelini
- BlueBorne CVE-2017-0785 and CVE-2017-0781 by ojasookert and CVE-2017-1000251 by marcinguy
- Keystroke Injection by Marc Newlin
- Custom BlueToolkit Exploits by sgxgsx
- Btlejacking by virtualabs
- Crackle by mikeryan