BrotherOfJhonny/bleak
GitHub: BrotherOfJhonny/bleak
BLEAK is a web-based Bluetooth penetration testing platform that integrates exploits and hardware support, streamlining security assessments of BLE and Classic Bluetooth.
Stars: 0 | Forks: 0
# BLEAK — Bluetooth Link Exploitation & Attack Knowledgebase

A web-based Bluetooth Low Energy / Classic Bluetooth penetration testing platform that integrates exploits for active CVEs and ESP32 hardware.
## Features

| Area | Modules |
|------|---------|
| **Reconnaissance** | BLE/BT device discovery, sniffer, GATT enumeration, interactive explorer |
| **Analysis** | Vulnerability scanner (15+ checks), Fast Pair detector, MAC address rotation |
| **Audio / Exploits** | WhisperPair (CVE-2025-36911), BlueSpy (BSAM-PA-05), RACE/Airoha (CVE-2025-20700) |
| **HID / Broadcast** | BlueDucky (CVE-2023-45866), BLE Spam Apple/Android/Samsung/Windows |
| **Devices** | Smartwatches (Mi Band, Garmin, Galaxy Watch), smartphone BLE |
| **Reports** | Technical HTML + JSON + CSV, executive report |
## Quick install

```
git clone https://github.com/seu-usuario/BLEAK.git && cd BLEAK
sudo ./install.sh
sudo ./run_web_lan.sh   # then open http://<IP>:8080 (the LAN address of this host)
```
### Requirements

- Kali Linux 2024+ (recommended) or Debian/Ubuntu with BlueZ
- Python 3.12+
- Bluetooth USB adapter
- ESP32-C3 or S3 (optional — for the BLE Spam Android/Samsung features)
### Hardware compatibility

BLEAK detects adapters and capabilities at runtime. It does not depend on a single fixed setup, but each module needs different resources.

**Basic profile:**

- Kali/Debian/Ubuntu with BlueZ running
- Python 3.12+
- A Bluetooth adapter exposed as `hci0`, `hci1`, etc.
- Base tools: `bluetoothctl`, `hciconfig`, `btmgmt`

With this profile the following normally work: BLE/Classic device discovery, the GATT browser, the basic vulnerability scan, BLE PoCs, Fast Pair scanning through BlueZ, and report generation.

**Recommended full profile:**

- A reliable HCI USB adapter for BlueZ
- ESP32-C3 or ESP32-S3 flashed with the BLEAK firmware
- PipeWire or PulseAudio working in the graphical user session
- Audio tools: `wpctl`, `pactl`, `pw-record`, `parecord`
- Optional tools: `bettercap`, `sdptool`, `hcitool`, `bluez-tools`

With this profile the following also become available: stronger Fast Pair scanning through the ESP32, BLE Spam, Karma, Beacon, MAC cloning, hardware-based HID injection, BlueSpy, WhisperPair with A2DP/HFP recording, RACE/Airoha, and the sniffer.
| Module | HCI/BlueZ | ESP32 | PipeWire/PulseAudio | Notes |
|---|---:|---:|---:|---|
| BLE/Classic device discovery | Yes | No | No | A single HCI dongle is enough. |
| GATT browser / vuln scan | Yes | No | No | Requires the target device to be connectable. |
| Fast Pair scanner | Yes | Optional | No | The ESP32 helps see advertisements that BlueZ may filter out. |
| WhisperPair verification | Yes | Optional | No | Verification can work without audio. |
| WhisperPair recording | Yes | No | Yes | Needs a Classic/A2DP or HFP endpoint visible in BlueZ. |
| BlueSpy | Yes | No | Yes | Uses `btmgmt`, `bluetoothctl`, `pactl`/`parecord`. |
| BLE Spam / Karma / Beacon | Partial | Yes | No | Part of the operation depends on the ESP32 firmware. |
| HID injection | Partial | ESP32-S3 | No | Needs compatible hardware/firmware. |
| Sniffer | Partial | Optional | No | Varies with the adapter and the backend used. |
| Reports | No | No | No | Includes archived evidence, audio included. |
**Expected limitations on other machines:**

- The ESP32 port may vary (`/dev/ttyUSB0`, `/dev/ttyACM0`, etc.).
- Dongles differ widely in their BLE, Classic and A2DP support.
- Under PipeWire/PulseAudio, verification may work while recording fails if the `bluez_card.*` or `wpctl` node is not created.
- Headsets with MAC rotation may appear under several addresses; confirmed audio evidence is archived for the report.
- ESP32 modules may not respond if the board is not running the expected BLEAK firmware.
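The compatibility table above is essentially a requirements matrix that BLEAK evaluates at runtime. As an added example (not BLEAK's own code), the script below transcribes that matrix into data and runs read-only probes against the local host, so a tester can see before starting which modules will work and which resource is missing. The capability names (`hci`, `esp32`, `audio`, `bettercap`) and the probes used (PATH lookup with `shutil.which`, `/sys/class/bluetooth/hci*`, `/dev/ttyUSB*` and `/dev/ttyACM*`) are this example's assumptions; the tool lists and module names come from the README.

```python
"""Pre-flight check: which BLEAK modules this host can run.

Added example for this README, not code from the BLEAK project. The
module-to-resource mapping is transcribed from the compatibility table above;
the probes (PATH lookup, /sys/class/bluetooth, /dev/ttyUSB* and /dev/ttyACM*)
and the capability names are this example's own assumptions.
"""
from __future__ import annotations

import glob
import os
import shutil

BASE_TOOLS = ("bluetoothctl", "hciconfig", "btmgmt")        # basic profile
AUDIO_TOOLS = ("wpctl", "pactl", "pw-record", "parecord")    # PipeWire/PulseAudio
SNIFFER_TOOL = "bettercap"                                   # sniffer backend named in the README

# Hard requirements per module; the "Optional" and "Partial" cells of the table
# are deliberately not treated as requirements.
MODULE_REQUIREMENTS: dict[str, set[str]] = {
    "discovery": {"hci"},
    "gatt_browser_vuln_scan": {"hci"},
    "fast_pair_scanner": {"hci"},                 # ESP32 optional
    "whisperpair_verification": {"hci"},          # ESP32 optional, audio not needed
    "whisperpair_recording": {"hci", "audio"},
    "bluespy": {"hci", "audio"},
    "ble_spam_karma_beacon": {"esp32"},           # HCI covers it only partially
    "hid_injection": {"esp32"},                   # ESP32-S3 with BLEAK firmware
    "sniffer": {"hci", "bettercap"},
    "reports": set(),
}


def probe_host() -> dict:
    """Collect what is present on this machine (read-only checks only)."""
    adapters = sorted(os.path.basename(p) for p in glob.glob("/sys/class/bluetooth/hci*"))
    serial_ports = sorted(glob.glob("/dev/ttyUSB*") + glob.glob("/dev/ttyACM*"))
    tools = {t: shutil.which(t) is not None
             for t in BASE_TOOLS + AUDIO_TOOLS + (SNIFFER_TOOL,)}
    return {"adapters": adapters, "serial_ports": serial_ports, "tools": tools}


def capabilities(host: dict) -> set[str]:
    """Map a probe result onto the capability columns of the table."""
    caps: set[str] = set()
    tools = host["tools"]
    if host["adapters"] and all(tools.get(t, False) for t in BASE_TOOLS):
        caps.add("hci")
    if host["serial_ports"]:
        caps.add("esp32")   # a port is present; the firmware identity is not verified here
    if any(tools.get(t, False) for t in AUDIO_TOOLS):
        caps.add("audio")
    if tools.get(SNIFFER_TOOL, False):
        caps.add("bettercap")
    return caps


def available_modules(host: dict) -> dict[str, bool]:
    """True for every module whose hard requirements the host satisfies."""
    caps = capabilities(host)
    return {module: req <= caps for module, req in MODULE_REQUIREMENTS.items()}


def missing_for(host: dict, module: str) -> set[str]:
    """Which capabilities the host still lacks for a given module."""
    return MODULE_REQUIREMENTS[module] - capabilities(host)


if __name__ == "__main__":
    host = probe_host()
    print("adapters:", host["adapters"] or "none")
    print("serial ports:", host["serial_ports"] or "none")
    for module, ok in available_modules(host).items():
        status = "ok" if ok else f"missing {sorted(missing_for(host, module))}"
        print(f"  {module:26s} {status}")
```

Because the probe result is a plain dict, the mapping can be exercised against constructed host descriptions without any hardware, which is how the checks in the test below are written.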
### Manual install

```
python3 -m venv .venv && source .venv/bin/activate
pip install -r requirements.txt
sudo systemctl start bluetooth
cp .env.example .env   # set the optional variables
sudo ./run_web_lan.sh
```
## Usage flow (UX)

The tabs follow the logical pentest sequence from left to right:

```
📡 Discovery → 🦈 Sniffer → 🔌 Enum → 🔬 Explorer → 🛡 Vuln & PoC → 🎧 Áudio → 📋 Relatórios
```

1. **Discovery** — BLE/BT scan; devices appear and are fingerprinted automatically
2. **Sniffer** — passive BLE traffic capture via bettercap
3. **Enum** — GATT deep dive: services, characteristics, values
4. **Explorer** — interactive read/write of GATT characteristics
5. **Vuln & PoC** — run the automated checks and generate PoC scripts
6. **Audio** — WhisperPair, BlueSpy, RACE, A2DP capture
7. **Reports** — generate the technical or the executive report
## Implemented exploits

### WhisperPair (CVE-2025-36911)

Unauthenticated pairing with headsets via Fast Pair → A2DP audio capture.

```
Device: Redmi Buds, Edifier BLE, others with Fast Pair (UUID 0xFE2C)
Method: KBP write to characteristic 0xFE2C1236 (no authentication)
Result: captures the audio playing on the victim's headphones
```

### BlueDucky (CVE-2023-45866)

Bluetooth keyboard injection without pairing on Android/Linux.

```
Requires: ESP32-S3 or BlueDucky installed in tools/
Payload: DuckyScript-style (STRING, ENTER, GUI r, DELAY ms)
```

### BLE Spam

```
Apple: Continuity (AirPods, HomePod popups) — via hci0
Android: Fast Pair Service Data UUID 0xFE2C + random model ID — ESP32
Samsung: Galaxy Buds/Watch Fast Pair — ESP32
Windows: Swift Pair manufacturer data 0x0006 — ESP32
```
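The frame shapes listed above are also what a defender looks for when triaging a flood of pairing pop-ups. As an added example (not code from the BLEAK project), the parser below splits a raw BLE advertising payload into its AD structures and reports whether a frame looks like Fast Pair (service data with UUID 0xFE2C followed by the 3-byte model ID), Swift Pair (manufacturer data with company ID 0x0006) or Apple Continuity (manufacturer data with company ID 0x004C, which is Apple's Bluetooth SIG assigned number and is not stated on the page). Since the Android spam variant above emits a random model ID per frame, the example also scores a capture window: many distinct Fast Pair model IDs from rotating addresses is the spam pattern, while a real headset advertises a single model ID. All frames and addresses in the block are constructed samples.

```python
"""Detect Fast Pair / Swift Pair / Apple Continuity shaped BLE advertisements.

Added example for this README, not code from the BLEAK project. AD structure
framing (length, type, data) follows the Bluetooth Core Specification; the
company identifiers 0x0006 (Microsoft) and 0x004C (Apple) are Bluetooth SIG
assigned numbers. All frames and addresses below are constructed samples.
"""
from __future__ import annotations

import struct

AD_SERVICE_DATA_16BIT = 0x16     # "Service Data - 16-bit UUID"
AD_MANUFACTURER_SPECIFIC = 0xFF  # "Manufacturer Specific Data"
FAST_PAIR_UUID = 0xFE2C          # Google Fast Pair service UUID (from the README)
COMPANY_MICROSOFT = 0x0006       # Swift Pair manufacturer data (from the README)
COMPANY_APPLE = 0x004C           # Apple Continuity frames (SIG assigned number, not on the page)


def parse_ad_structures(payload: bytes) -> list[tuple[int, bytes]]:
    """Split an advertising payload into (ad_type, data) pairs.

    A zero length byte ends the payload (padding); a structure whose length
    runs past the end of the buffer is dropped rather than partially parsed.
    """
    structures: list[tuple[int, bytes]] = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        if i + 1 + length > len(payload):
            break  # truncated structure: stop, do not guess
        ad_type = payload[i + 1]
        data = payload[i + 2 : i + 1 + length]
        structures.append((ad_type, data))
        i += 1 + length
    return structures


def classify(payload: bytes) -> dict:
    """Describe which pairing-prompt beacon a frame resembles.

    Returns {"fast_pair": <model id hex or None>, "swift_pair": bool,
             "apple_continuity": bool}.
    """
    result = {"fast_pair": None, "swift_pair": False, "apple_continuity": False}
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_SERVICE_DATA_16BIT and len(data) >= 2:
            (uuid,) = struct.unpack_from("<H", data)   # UUID is little-endian on air
            if uuid == FAST_PAIR_UUID and len(data) >= 5:
                result["fast_pair"] = data[2:5].hex()   # 3-byte Fast Pair model ID
        elif ad_type == AD_MANUFACTURER_SPECIFIC and len(data) >= 2:
            (company,) = struct.unpack_from("<H", data)
            if company == COMPANY_MICROSOFT:
                result["swift_pair"] = True
            elif company == COMPANY_APPLE:
                result["apple_continuity"] = True
    return result


def fast_pair_spam_indicator(frames: list[tuple[str, bytes]], max_models: int = 3) -> dict:
    """Score a capture window of (source address, payload) pairs.

    A real headset advertises one model ID from one (or a few rotating)
    addresses. Many distinct model IDs in one short window is the signature of
    a spam module emitting a random model ID per frame.
    """
    models: set[str] = set()
    addresses: set[str] = set()
    for address, payload in frames:
        model = classify(payload)["fast_pair"]
        if model is not None:
            models.add(model)
            addresses.add(address.upper())
    return {
        "distinct_models": len(models),
        "distinct_addresses": len(addresses),
        "suspicious": len(models) > max_models,
    }


# Constructed sample frames (not captured traffic).
FLAGS = bytes.fromhex("020106")                              # AD type 0x01 Flags
FAST_PAIR_FRAME = FLAGS + bytes.fromhex("06162cfe010203")    # service data, UUID FE2C, model 010203
SWIFT_PAIR_FRAME = FLAGS + bytes.fromhex("05ff06000300")     # manufacturer data, company 0x0006
APPLE_FRAME = FLAGS + bytes.fromhex("07ff4c000719aabb")      # manufacturer data, company 0x004C
TRUNCATED_FRAME = bytes.fromhex("0616")                      # length says 6, nothing follows

SPAM_BURST = [  # five frames, five different model IDs, rotating source addresses
    (f"de:ad:be:ef:00:{n:02x}", FLAGS + bytes.fromhex("06162cfe") + bytes([n, n, n]))
    for n in range(5)
]
REAL_HEADSET = [("aa:bb:cc:dd:ee:ff", FAST_PAIR_FRAME)] * 5


if __name__ == "__main__":
    for name, frame in [("fast pair", FAST_PAIR_FRAME), ("swift pair", SWIFT_PAIR_FRAME),
                        ("apple", APPLE_FRAME), ("truncated", TRUNCATED_FRAME)]:
        print(f"{name:10s} {classify(frame)}")
    print("spam burst  ", fast_pair_spam_indicator(SPAM_BURST))
    print("real headset", fast_pair_spam_indicator(REAL_HEADSET))
```

The parser is deliberately strict about truncated structures: a malformed tail is dropped instead of being read past the buffer, which matters when the same code is fed frames from an adapter or sniffer that delivers partial payloads.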
## ESP32 hardware

| Chip | Port | Firmware | Features |
|------|-------|----------|-------------|
| ESP32-C3 | /dev/ttyACM1 | bleak_esp32_c3_v5.ino | BLE Spam, Karma, scan, Beacon, MAC cloning |
| ESP32-S3 | /dev/ttyUSB1 | bleak_esp32_s3_v5.ino | Everything the C3 does + USB HID injection |

```
# identify the board and its serial port
lsusb
# make the serial ports writable for the web app; world read/write on the device
# nodes is the quick route, adding the user to the dialout group is the stricter one
sudo chmod 666 /dev/ttyUSB1 /dev/ttyACM1
```

Flash via the Arduino IDE — see `esp32_firmware/README.md`.
## API

```
curl http://localhost:8080/api/status
curl -X POST http://localhost:8080/api/discovery/start -d '{"timeout":30}' -H "Content-Type: application/json"
curl http://localhost:8080/api/discovery/results
curl -X POST http://localhost:8080/api/audio/whisperpair-flow \
  -d '{"mac":"AA:BB:CC:DD:EE:FF"}' -H "Content-Type: application/json"
curl http://localhost:8080/api/audio/whisperpair-status/
```

Full documentation: `docs/API.md`
## Security notes

- **No real keys/tokens** are included in the code
- The Mi Band auth key = the default factory key (public) — override it in `.env`
- `.env` is in `.gitignore` — never commit credentials
- The server binds to `0.0.0.0` — run it on an isolated network or behind a firewall
- A mandatory legal disclaimer is shown on first launch
## Legal notice

This tool is intended **exclusively** for:

- Security professionals performing penetration tests within an authorized scope
- Researchers in controlled lab environments
- Students working on their own devices or with authorization

**Unauthorized use is a crime** (Brazilian Law 12.737/2012 · US Computer Fraud and Abuse Act · UK Computer Misuse Act).

The authors accept no liability for misuse.
## References

- [Google Fast Pair specification](https://developers.google.com/nearby/fast-pair/specifications)
- [CVE-2025-36911](https://nvd.nist.gov/vuln/detail/CVE-2025-36911) · [CVE-2023-45866](https://nvd.nist.gov/vuln/detail/CVE-2023-45866)
- [ESP32Marauder](https://github.com/justcallmekoko/ESP32Marauder) · [AppleJuice](https://github.com/ECTO-1A/AppleJuice) · [BlueDucky](https://github.com/pentestfunctions/BlueDucky)
Tags: BLE spam attacks, BLE attacks, BlueZ tools, CVE vulnerabilities, DNS enumeration, ESP32 hardware, Go tools, HID attacks, Python programming language, web application UI, encryption, security knowledge base, report generation tools, attack platform, smart device security, vulnerability scanner, hardware security, Classic Bluetooth attacks, cybersecurity tools, Bluetooth protocol analysis, Bluetooth security, Bluetooth fingerprinting, reverse engineering tools