Using HackRF look for spikes in GQRX when the device sends bursts of data. Capture the data at this frequency and process it in GNURadio to obtain meaningful information. You can use hackrf_transfer to replay captured data.

Determine characteristics and services are on the target. Use gattool to write data to the devices characteristics.

Capture the pairing packets and use crackle if traffic is encrypted.

Capture traffic while interacting with the target device using Ubertooth One. This can assist in determining if cleartext traffic is in use or if relay attacks are possible.

Capture comms using zb_dump and analyze using wireshark.

Perform replay attacks using zb_replay

Look for keys in captured comms.

More coming soon.