
Post-Exploitation (7)

Auto-generated from modules/post/.
Load any module with use post/<name>.

Authorization required

Use only against equipment you own or have explicit written authorization to test. The authors disclaim liability for misuse.


Module index

| Module | Severity | CVE | Description |
|---|---|---|---|
| post/apple_link_key_extract | 🟠 HIGH | - | Extract paired BT link key from Apple Magic Keyboard via L2CAP HID, USB contr… |
| post/ble_gatt_exfil | 🟠 HIGH | - | Read all GATT characteristics from a BLE device and exfiltrate data |
| post/ble_notify_intercept | 🟠 HIGH | - | Subscribe to all BLE notify/indicate characteristics and capture live data st… |
| post/bt_impersonation | 🔴 CRITICAL | - | Impersonate a paired Bluetooth device using stolen link key |
| post/bt_session_hijack | 🔴 CRITICAL | - | Inject stolen link key, evict the legitimate peer, and hijack the RFCOMM session |
| post/gatt_cache_poison | 🟠 HIGH | - | Manipulate persistent GATT service cache on a bonded peer to redirect reads/w… |
| post/link_key_dump | 🟠 HIGH | - | Extract stored Bluetooth link keys from /var/lib/bluetooth/ |

Modules

post/apple_link_key_extract

Apple Magic Keyboard Link Key Extraction

Extract paired BT link key from Apple Magic Keyboard via L2CAP HID, USB control transfers, or USB donor-spoof against a Mac

Severity: 🟠 HIGH · Protocol: CLASSIC

| Option | Required | Default | Description |
|---|---|---|---|
| mode | ✓ | usb | Mode: bluetooth, usb, usb_donor |
| keyboard_addr | | | Magic Keyboard BD_ADDR (bluetooth mode) |
| target_keyboard_addr | | | Target keyboard BD_ADDR to spoof on donor (usb_donor mode) |
| target_serial | | | 17-char keyboard serial to spoof (usb_donor mode) |
| output_file | | | Save extracted credentials to JSON |

References:

- https://github.com/marcnewlin/hi_my_name_is_keyboard


post/ble_gatt_exfil

BLE GATT Data Exfiltration

Read all GATT characteristics from a BLE device and exfiltrate data

Severity: 🟠 HIGH · Protocol: BLE

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BLE device MAC / UUID address |
| output_file | | | JSON output file path (empty = auto-generated) |
| timeout | | 15 | Connection timeout in seconds |
| read_timeout | | 3 | Per-characteristic read timeout in seconds |
| sensitive_only | | false | Only dump known-sensitive UUIDs (true/false) |

References:

- https://www.bluetooth.com/specifications/specs/gatt-specification-supplement/


post/ble_notify_intercept

BLE Notification/Indication Interceptor

Subscribe to all BLE notify/indicate characteristics and capture live data streams

Severity: 🟠 HIGH · Protocol: BLE

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BLE device MAC / UUID address |
| duration | | 60 | Capture duration in seconds (0 = until Ctrl+C) |
| output_file | | | JSONL output file (empty = auto-generated) |
| timeout | | 15 | Connection timeout in seconds |
| verbose | | true | Print every notification (true/false) |

References:

- https://www.bluetooth.com/specifications/specs/gatt-specification-supplement/
- https://www.usenix.org/conference/usenixsecurity19/presentation/ryan


post/bt_impersonation

BT Impersonation

Impersonate a paired Bluetooth device using stolen link key

Severity: 🔴 CRITICAL · Protocol: CLASSIC

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target device MAC to connect to |
| impersonate | ✓ | | MAC of the device to impersonate (must be paired with target) |
| link_key | ✓ | | Stolen link key (hex string, 32 chars) |
| interface | | hci0 | HCI interface to use |
| key_type | | 4 | Link key type (0=combination, 3=unauthenticated, 4=authenticated, 5=changed) |
| service | | sdp | Service to connect after impersonation: rfcomm, l2cap, sdp, none |
| rfcomm_channel | | 1 | RFCOMM channel for rfcomm service mode |
| restore | | true | Restore original adapter MAC after attack (true/false) |

References:

- https://francozappa.github.io/about-bias/
- https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/bias-vulnerability/


post/bt_session_hijack

Classic BT RFCOMM Session Hijack

Inject stolen link key, evict the legitimate peer, and hijack the RFCOMM session

Severity: 🔴 CRITICAL · Protocol: CLASSIC

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR to hijack session from (XX:XX:XX:XX:XX:XX) |
| impersonate | ✓ | | BD_ADDR of the legitimate peer to impersonate |
| link_key | ✓ | | Stolen link key (32 hex chars, no spaces) |
| channel | | 1 | RFCOMM DLCI channel to connect on (1-30) |
| adapter | | hci0 | Local HCI adapter |
| spoof_addr | | true | Spoof local BD_ADDR to match impersonate (true/false) |
| evict_delay_ms | | 500 | Wait after evicting legitimate peer (ms) |
| timeout | | 10 | RFCOMM connection timeout in seconds |
| bt_dir | | /var/lib/bluetooth | BlueZ storage directory |

References:

- https://francozappa.github.io/about-bias/
- https://www.usenix.org/conference/usenixsecurity22/presentation/becker


post/gatt_cache_poison

GATT Service Cache Poisoning

Manipulate persistent GATT service cache on a bonded peer to redirect reads/writes to attacker-controlled handles

Severity: 🟠 HIGH · Protocol: BLE

| Option | Required | Default | Description |
|---|---|---|---|
| mode | ✓ | dump | Mode: dump, inject, serve, service_changed |
| peer | ✓ | | Bonded peer BD_ADDR whose cache to poison |
| adapter | | hci0 | Local HCI adapter |
| target_uuid | | | Characteristic UUID to remap (inject mode) |
| new_handle | | | New handle to point UUID to (hex, e.g. 0x002A) |
| output_file | | | Output dump file (dump mode) |
| backup | | true | Backup original cache before modification (true/false) |
| bt_dir | | /var/lib/bluetooth | BlueZ storage directory |

References:

- https://www.bluetooth.com/specifications/specs/gatt-specification-supplement/
- https://github.com/bluez/bluez/blob/master/doc/gatt-api.txt
- https://www.usenix.org/conference/usenixsecurity21/presentation/wu-jianliang


post/link_key_dump

Link Key Dump

Extract stored Bluetooth link keys from /var/lib/bluetooth/

Severity: 🟠 HIGH · Protocol: DUAL

| Option | Required | Default | Description |
|---|---|---|---|
| adapter | | | Specific adapter MAC to dump (empty = all adapters) |
| target | | | Specific paired device MAC to dump (empty = all) |
| output_file | | | Save extracted keys to file |
| show_ltk | | true | Also extract BLE Long Term Keys (true/false) |
| bt_dir | | /var/lib/bluetooth | Bluetooth storage directory (default: /var/lib/bluetooth) |

References:

- https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/doc/settings-storage.txt
- https://blog.quarkslab.com/bluetooth-security.html