crackle Introduction

crackle exploits a flaw in the BLE pairing process that allows an attacker to guess or very quickly brute-force the TK (Temporary Key). With the TK and other data collected from the pairing process, the STK (Short Term Key) and later the LTK (Long Term Key) can be recovered.

With the STK and LTK, all communications between the master and the slave can be decrypted.
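To show why a captured legacy pairing is decryptable once the TK is known, here is an added Go example (not part of crackle or this page) that implements the STK generation function s1 from the Bluetooth Core Spec (Vol 3, Part H, 2.2.4). The TK only ever holds a 6-digit passkey (0 for Just Works), and Srand/Mrand are sent in cleartext, so the STK depends on nothing a passive capture lacks; all sample values below are constructed.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// tkFromPasskey builds the 128-bit TK used by LE legacy pairing: the
// 6-digit passkey (0 for Just Works) sits in the least-significant octets
// and every other octet is zero, so only 1,000,000 TK values are possible.
// Values are MSB-first, as written in the Core Spec.
func tkFromPasskey(passkey uint32) [16]byte {
	var tk [16]byte
	binary.BigEndian.PutUint32(tk[12:], passkey)
	return tk
}

// s1 is the STK generation function of the Core Spec (Vol 3, Part H, 2.2.4):
// r' = r1[63:0] || r2[63:0] and s1(k, r1, r2) = AES-128-ECB(k, r').
func s1(k, r1, r2 [16]byte) [16]byte {
	var rPrime, out [16]byte
	copy(rPrime[:8], r1[8:]) // least-significant 8 octets of r1 come first
	copy(rPrime[8:], r2[8:]) // followed by the least-significant 8 octets of r2
	block, err := aes.NewCipher(k[:])
	if err != nil {
		panic(err) // cannot happen: the key is exactly 16 bytes
	}
	block.Encrypt(out[:], rPrime[:])
	return out
}

// deriveSTK returns STK = s1(TK, Srand, Mrand) as hex, MSB first (the same
// format crackle expects for -l). Srand and Mrand travel in cleartext
// Pairing Random PDUs, so with Just Works (TK = 0) the STK is fully
// determined by data already present in a passive capture.
func deriveSTK(passkey uint32, srand, mrand [16]byte) string {
	stk := s1(tkFromPasskey(passkey), srand, mrand)
	return hex.EncodeToString(stk[:])
}

func main() {
	// Constructed sample randoms (all zero), not from a real capture.
	var srand, mrand [16]byte
	fmt.Println("Just Works STK:     ", deriveSTK(0, srand, mrand))
	fmt.Println("Passkey 123456 STK: ", deriveSTK(123456, srand, mrand))
}
```

The defensive takeaway is that only LE Secure Connections (ECDH-based pairing) removes this dependence on a tiny TK space; legacy pairing with Just Works offers no protection against a passive capture.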

Source: https://github.com/mikeryan/crackle
crackle Homepage
crackle Source Code Repository

Tools included in the crackle package

crackle - Crack and decrypt BLE encryption
:~# crackle
Usage: crackle -i <input.pcap> [-o <output.pcap>] [-l <ltk>]
Cracks Bluetooth Low Energy encryption (AKA Bluetooth Smart)

Major modes:  Crack TK // Decrypt with LTK

Crack TK:

    Input PCAP file must contain a complete pairing conversation. If any
    packet is missing, cracking will not proceed. The PCAP file will be
    decrypted if -o <output.pcap> is specified. If LTK exchange is in
    the PCAP file, the LTK will be dumped to stdout.

Decrypt with LTK:

    Input PCAP file must contain at least LL_ENC_REQ and LL_ENC_RSP
    (which contain the SKD and IV). The PCAP file will be decrypted if
    the LTK is correct.

    LTK format: string of hex bytes, no separator, most-significant
    octet to least-significant octet.

    Example: -l 81b06facd90fe7a6e9bbd9cee59736a7

Optional arguments:
    -v   Be verbose
    -t   Run tests against crypto engine

Written by Mike Ryan <>
See web site for more info:
    http://lacklustre.net/projects/crackle/

crackle Usage Example

Read the input file (-i ltk_exchange.pcap) and write the decrypted output to disk (-o ltk-decrypted.pcap):

:~# crackle -i ltk_exchange.pcap -o ltk-decrypted.pcap

!!!
TK found: 000000
ding ding ding, using a TK of 0! Just Cracks(tm)
!!!

Warning: packet is too short to be encrypted (1), skipping
LTK found: 7f62c053f104a5bbe68b1d896a2ed49c
Done, processed 712 total packets, decrypted 3