
CLI Usage

b0rdst31n edited this page Nov 4, 2024 · 7 revisions
usage: sbleedy [-h] [-l] [-chw] [-fhw HARDWARE] [-i EXPLOITS] [-t TARGET] [-ct] [-ex EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...]] [-in EXPLOITS [EXPLOITS ...]] [-wi] [-r] [-re] [-rej] [-hw HARDWARE [HARDWARE ...]] [-v] ...

options:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        target MAC address
  -l, --listexploits    List exploits or not
  -i, --info EXPLOITS   Prints information about the given exploit-indexes, e.g. --info 12-15,20
  -ct, --checktarget    Check connectivity and availability of the target
  -ch, --checkpoint     Start from a checkpoint (if one exists for the given target)
  -ex EXPLOITS [EXPLOITS ...], --exclude EXPLOITS [EXPLOITS ...]
                        Exclude exploits (e.g. --exclude exploit1, exploit2 OR --exclude 1,5)
  -in EXPLOITS [EXPLOITS ...], --include EXPLOITS [EXPLOITS ...]
                        Scan only for provided (e.g. --include exploit1, exploit2 OR --include 1-4), --exclude is not taken into account
  -wi, --withinput      Also run non automated scripts (that require user input or interaction. e.g. to establish a connection), per default (without this flag) only automated scripts (mass_testing = true) are being executed
  -r, --recon           Run a recon script. Saved in results/{target mac}/recon/
  -re, --report         Create a report for a target device
  -rej, --reportjson    Create a machine readable report for a target device
  -hw HARDWARE [HARDWARE ...], --hardware HARDWARE [HARDWARE ...]
                        Run only provided exploits based on hardware --hardware hardware1 hardware2; --exclude and --include are not taken into account
  -chw, --checkhardware Check for connected hardware
  -fhw, --flashhardware HARDWARE
                        Flash firmware onto connected hardware (e.g. -fhw nRF52840), get hardware names with -chw
  -v, --verbose         Verbosity on/off (additional output during exploit execution in terminal), Regardless of this flag the output is always saved in results/{target}/exploit_output.log

Available parameters

Not related to target:

  • -h, --help: show the possible usage options
  • -l, --listexploits: show a list of all exploits with basic information, whether each one is available (depends on the connected hardware) and whether it is automated
  • -i, --info: get more information about specific exploits (by index), such as the source of the PoC code or a description of the vulnerability
  • -chw, --checkhardware: check whether the connected hardware is recognized by the framework
  • -fhw, --flashhardware HW_NAME: flash firmware onto connected hardware, e.g. -fhw nRF52840 (get the available hardware names with -chw). If the hardware is connected, you get a list of available firmware to select from

Related to target:

  • -t, --target: set the Bluetooth MAC address of the target device, e.g. -t AB:CD:EF:GH:IJ:KL
  • -ct, --checktarget: checks whether the given target is reachable by running Bleak (for LE devices) and L2Ping (for BR/EDR devices)
  • -r, --recon: run a recon script on the given target to gather information about the device, such as the Bluetooth manufacturer, the BT version or the features of the device. The results are saved in results/{target}/recon. Because the selection of exploits depends on the information gathered by the recon script, running it once beforehand makes exploit execution faster.
  • -ch, --checkpoint: start from a checkpoint, if one is available. If the user interrupts the execution of exploits with CTRL+C, a checkpoint is created that records the exploits already executed. When the user starts from this checkpoint, execution continues from that point.
  • -in, --include: pass a list of exploits by name (e.g. "-in knob_ble bleedingtooth_badchoice") or by index (e.g. "-in 3-5,8") to run only those exploits
  • -ex, --exclude: pass a list of exploits by name (e.g. "-ex knob_ble bleedingtooth_badchoice") or by index (e.g. "-ex 3-5,8") to exclude those exploits and run all others
  • -wi, --withinput: some of the exploits require user input, e.g. to accept a pairing request on the target device. These exploits are marked as non-automated in the list of exploits. Because the purpose of the framework is to execute a batch of exploits on its own, the non-automated exploits are excluded by default.
  • -v, --verbose: by default all output from the exploits is written only to a log file in results/{target}/exploit_output.log. If you also want the output live in the terminal during execution, pass the -v flag.
  • -re, --report: show the results of the exploit execution in the terminal. The results are displayed as a table with a status for every exploit (not tested, vulnerable, not vulnerable, error during execution) and possibly some data, e.g. where an error occurred or why the target device is marked as vulnerable, as well as the CVE for the vulnerability. No file is generated.
  • -rej, --reportjson: this command writes a report in JSON format to results/{target}/whole_report.json. The report contains the completed exploits with name, code, status (e.g. "Vulnerable"), data and CVE, as well as the skipped exploits that were not tested yet and some basic information about the target device, if available.
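The index and name syntax accepted by --include and --exclude, together with the precedence rules the option list describes (--hardware overrides --include and --exclude, --include overrides --exclude, non-automated exploits are dropped unless --withinput is given), can be modelled in a few lines. The following is an added example written for this page, not sbleedy's own code: the exploit catalogue is constructed sample data, and the hardware and automated values assigned to each entry are assumptions for illustration only.

```python
"""Exploit-selection helper: an added example modelling the selection rules
described on this page. It is not part of sbleedy."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Exploit:
    index: int
    name: str
    hardware: str    # hardware the exploit needs; "none" means no extra hardware
    automated: bool  # the mass_testing flag mentioned in the --withinput help text


# Constructed sample catalogue. Names 1 and 2 are borrowed from the page's
# examples; the hardware/automated values are assumed, not the real ones.
CATALOGUE = [
    Exploit(1, "knob_ble", "nRF52840", True),
    Exploit(2, "bleedingtooth_badchoice", "none", True),
    Exploit(3, "pairing_method_confusion", "nRF52840", False),
    Exploit(4, "sample_exploit_4", "none", True),
    Exploit(5, "sample_exploit_5", "esp32", True),
]

_RANGE = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_index_spec(spec):
    """Expand an index spec such as "3-5,8" into {3, 4, 5, 8}.

    Whitespace is ignored. A reversed range like "5-3" raises instead of
    silently selecting nothing, which would otherwise look like a clean run."""
    out = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        m = _RANGE.match(part)
        if not m:
            raise ValueError(f"bad index spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"reversed range: {part!r}")
        out.update(range(lo, hi + 1))
    return out


def resolve_tokens(tokens, catalogue):
    """Map CLI tokens (exploit names or index specs) to Exploit objects.

    Tokens may carry a trailing comma ("exploit1, exploit2" is split by the
    shell into "exploit1," and "exploit2"). Unknown names or indexes raise."""
    by_index = {e.index: e for e in catalogue}
    by_name = {e.name: e for e in catalogue}
    chosen = set()
    for tok in tokens:
        tok = tok.strip().rstrip(",")
        if not tok:
            continue
        if tok in by_name:
            chosen.add(by_name[tok])
        elif re.fullmatch(r"[\d,\- ]+", tok):
            for i in parse_index_spec(tok):
                if i not in by_index:
                    raise ValueError(f"unknown exploit index {i}")
                chosen.add(by_index[i])
        else:
            raise ValueError(f"unknown exploit {tok!r}")
    return chosen


def select(catalogue, include=None, exclude=None, hardware=None,
           withinput=False, connected=None):
    """Return, in index order, the exploits that would run.

    Precedence follows the option list: --hardware wins over --include and
    --exclude, --include wins over --exclude. Non-automated exploits are kept
    only with --withinput. `connected` (assumed: the set of hardware names
    -chw reports) drops exploits whose hardware is not attached."""
    if hardware:
        pool = [e for e in catalogue if e.hardware in set(hardware)]
    elif include:
        pool = sorted(resolve_tokens(include, catalogue), key=lambda e: e.index)
    else:
        pool = list(catalogue)
        if exclude:
            drop = resolve_tokens(exclude, catalogue)
            pool = [e for e in pool if e not in drop]
    if not withinput:
        pool = [e for e in pool if e.automated]
    if connected is not None:
        pool = [e for e in pool if e.hardware == "none" or e.hardware in connected]
    return pool


if __name__ == "__main__":
    for e in select(CATALOGUE, exclude=["1,5"]):
        print(e.index, e.name)
```

Raising on reversed ranges and unknown names is deliberate: a selection that silently resolves to nothing produces a report in which every exploit reads "not tested", which is easy to misread as a negative result.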

Workflow

A typical workflow would be:

  • Get the MAC address of your target device, e.g. AA:BB:CC:DD:EE:FF
  • Run sbleedy -t AA:BB:CC:DD:EE:FF -ct to check whether the target is reachable
  • Run sbleedy -t AA:BB:CC:DD:EE:FF -r to execute the recon script on the target (to get the Bluetooth version, profile and manufacturer)
  • Run sbleedy -l to show a list of all available exploits
  • Optional: run sbleedy -fhw [hw_name] to flash the hardware with the required firmware
  • Run sbleedy -t AA:BB:CC:DD:EE:FF [-in, -ex, -hw, -wi] to run all or selected exploits on the target (include or exclude specific exploits, run only the exploits that require a specific hardware, or run all exploits; by default only the automated ones run)
  • Run sbleedy -t AA:BB:CC:DD:EE:FF -re to get a report of the executed exploits and their findings
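The machine-readable report from -rej is the artefact most teams will actually consume, for example to triage findings or decide which exploits need a re-run. The following is an added example, not sbleedy's own code: the page only states that the report holds the completed exploits with name, code, status, data and CVE, plus the skipped exploits and basic target information, so the key names and nesting used here (`target`, `done_exploits`, `skipped_exploits`) are an assumption, and the embedded report is constructed sample data with placeholder CVE identifiers.

```python
"""Summarise a whole_report.json produced by sbleedy -rej.

Added example for this page; not part of sbleedy. The report layout below is
an assumption based on the fields the page lists, and the content is
constructed sample data."""
import json
from collections import Counter

# Constructed sample report in the assumed layout. CVE values are placeholders.
SAMPLE_REPORT = json.dumps({
    "target": {"mac": "AA:BB:CC:DD:EE:FF", "manufacturer": "example-vendor"},
    "done_exploits": [
        {"name": "knob_ble", "code": 1, "status": "Vulnerable",
         "data": "constructed finding detail", "cve": "CVE-XXXX-PLACEHOLDER-1"},
        {"name": "bleedingtooth_badchoice", "code": 2, "status": "Not vulnerable",
         "data": "", "cve": "CVE-XXXX-PLACEHOLDER-2"},
        {"name": "sample_exploit_4", "code": 4, "status": "Error during execution",
         "data": "constructed error detail", "cve": ""},
    ],
    "skipped_exploits": [{"name": "pairing_method_confusion", "code": 3}],
})

# The four statuses the -re table uses, in the order a triage summary wants them.
STATUS_ORDER = ("Vulnerable", "Not vulnerable", "Error during execution", "Not tested")


def load_report(text):
    """Parse the JSON and check that each completed entry has the fields the
    summary relies on, so a truncated or hand-edited report fails loudly."""
    report = json.loads(text)
    for entry in report.get("done_exploits", []):
        missing = {"name", "status"} - entry.keys()
        if missing:
            raise ValueError(f"report entry {entry!r} lacks {sorted(missing)}")
    return report


def summarize(report):
    """Return status counts, the vulnerable findings (name, CVE, data) and the
    exploits that still need attention (errors plus skipped entries)."""
    done = report.get("done_exploits", [])
    skipped = report.get("skipped_exploits", [])
    counts = Counter(e["status"] for e in done)
    counts["Not tested"] += len(skipped)  # skipped entries carry no status
    vulnerable = [
        (e["name"], e.get("cve") or "n/a", e.get("data", ""))
        for e in done if e["status"].lower() == "vulnerable"
    ]
    needs_rerun = [e["name"] for e in done if e["status"].lower().startswith("error")]
    needs_rerun += [e["name"] for e in skipped]
    return {
        "target": report.get("target", {}),
        "counts": {s: counts.get(s, 0) for s in STATUS_ORDER},
        "vulnerable": vulnerable,
        "needs_rerun": needs_rerun,
    }


def format_summary(summary):
    """Render the summary as plain text lines suitable for a ticket or log."""
    lines = [f"target: {summary['target'].get('mac', 'unknown')}"]
    lines += [f"  {status}: {n}" for status, n in summary["counts"].items()]
    for name, cve, data in summary["vulnerable"]:
        lines.append(f"VULNERABLE {name} ({cve}): {data}")
    if summary["needs_rerun"]:
        lines.append("re-run: " + ", ".join(summary["needs_rerun"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(summarize(load_report(SAMPLE_REPORT))))
```

Counting skipped exploits under "Not tested" mirrors the -re table; keeping errors and skipped entries in a separate re-run list prevents a run aborted with CTRL+C from being mistaken for a clean pass.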