One of my favourite TV shows is Person of interest. I was just finishing up my Computer science degree when the show first started airing I was amazed at how the Reese and Finch managed to so easily bluejack unsuspecting “numbers”. In High school I has a range of Bluetooth sniffers installed on my trusty and highly customizable Sony Ericsson. Unfortunately by the time person of interest started airing everyone had either moved to android or the iPhone and Bluetooth sniffing was never the same.
Recently I purchased the Ubertooth One to see how much Bluetooth sniffing has changed since my high school days, this post documents my first attempts at Bluetooth sniffing / cracking with the Ubertooth One.
What you will need
In order to be able to successfully set-up a Bluetooth sniffing system you will need the following:
- An Ubertooth One device.
- An additional Bluetooth dongle or Bluetooth adapter.
- A PC which runs Windows, Mac, OSX or Linux.
- A bootable USB running Kali Linux (this one is optional)
You can perform these activities on just about every major desktop operating system but for this tutorial we focussed on running this with Kali Linux.
The most difficult part of Bluetooth sniffing – installing all of the tools
I caution you – there are a number of resources on the internet dedicated to setting up the Ubertooth One, this post included. After spending a day and a half attempting to get bluetooth sniffing working with absolutely zero background on the subject, my perseverance and can do attitude kicked in and I had the Ubertooth and associated scanning commands working like a charm. In order to save everybody the trouble here are the golden rules of getting the Ubertooth running on your machine:
- Ignore all of the blog posts and websites which tell you how to install / configure the Ubertooth One (most of them are no longer relevant).
- Only follow the installation guide at this location
- Update your Ubertooth firmware asap.
One final tip make sure you have a range of additional Bluetooth tools you can use for Bluetooth debugging / sniffing if you’re having trouble with the install its good to have an arsenal of other tools you can use to verify if the issue you are experiencing is a configuration issue or a hardware issue.
Learning to walk before you can run, viewing the Wi-Fi spectrum with the Ubertooth On
Getting the Ubertooth One setup for Bluetooth sniffing isn’t the easiest activity to get up and running so I recommend before you go into any sniffing you walk through some of the Ubertooth Ones other capabilities i.e. spectrum analysis.
To get started make sure you have installed Kismet and spectools for spectrum analysis. To install kismet and spectools follow the commands below:
root@kali:~# git clone https://www.kismetwireless.net/spectools.git Cloning into 'spectools' root@kali:~# cd spectools root@kali:~/spectools# ./configure root@kali:~/spectools# make root@kali:~/spectools# make install
Now to run Spectools simply type:
Below are some screen caps of some of the Spectrum analysis I performed:
How does one listen in on Bluetooth?
Once your Ubertooth is setup and configured you can run the following commands to analyse Bluetooth traffic.
hcitool is one of the default linux Bluetooth utilities when running it will return the MAC address and name of any Bluetooth devices in range:
root@kali:~# hcitool scan
One of the Ubertooth utilities is ubertooth-scan also allows you to passively monitor Bluetooth traffic – below is the command line usage:
root@kali:~# ubertooth-scan –s
The majority of the scanning work I undertook was with using ubertooth-btle. This allows you to capture Bluetooth traffic between Bluetooth low energy compatible devices this is becoming one of the preferred methods of Bluetooth communication between new devices, next time you’re in a store just look at the Bluetooth devices most of them should say Bluetooth-low energy compatible.
To run ubertooth-btle in promiscuous mode and output the contents int a pcap file simply run the command:
root@kali:~# ubertooth-btle –p –f -c capture.pcap
Below is a sample of what the btle packets look like when your run ubertooth-btle in promiscuous mode:
systime=1441512979 freq=2440 addr=8d651b4d delta_t=3.599 ms 86 9e d1 00 65 92 86 01 5d 3e 0e 5e 65 e0 61 9a 7d f7 04 c8 9f f5 45 00 ce f5 cc c8 8f 67 02 f5 4f a7 f5 Data / AA 8d651b4d (valid) / 30 bytes Channel Index: 17 LLID: 2 / LL Data PDU / L2CAP start NESN: 1 SN: 0 MD: 0 Data: d1 00 65 92 86 01 5d 3e 0e 5e 65 e0 61 9a 7d f7 04 c8 9f f5 45 00 ce f5 cc c8 8f 67 02 f5 CRC: 4f a7 f5 systime=1441512979 freq=2440 addr=72f844df delta_t=146.421 ms 01 00 9b 72 68 Data / AA 72f844df (valid) / 0 bytes Channel Index: 17 LLID: 1 / LL Data PDU / empty or L2CAP continuation NESN: 0 SN: 0 MD: 0 Data: CRC: 9b 72 68
If you want to follow a specific device you can use the command below where “00000000” would be the devices MAC address:
root@kali:~# ubertooth-btle –a 00000000
Using crackle to decrypt Bluetooth packets
Crackle is an easy to use brute force cracking utility. Since most Bluetooth pairing codes which encrypt traffic between two devices are only 4-6 digits long they can be easily decrypted if the pairing between two devices is captured and this also allows you to listen in on future interactions between the two devices as we will show shortly, but fist lets walk through installing crackle which can be done by following the commands below:
root@kali:~# tar xf crackle-0.1.tgz root@kali:~# cd crackle-0.1 root@kali:~/crackle-0.1# ls aes.c aes-enc.c aes_i.h COPYING crackle.h README aes-ccm.c aes.h AUTHORS crackle.c Makefile test.c root@kali:~/crackle-0.1# make cc -Wall -Werror -g -c -o crackle.o crackle.c cc -Wall -Werror -g -c -o aes.o aes.c cc -Wall -Werror -g -c -o aes-ccm.o aes-ccm.c cc -Wall -Werror -g -c -o aes-enc.o aes-enc.c cc -Wall -Werror -g -c -o test.o test.c cc -o crackle crackle.o aes.o aes-ccm.o aes-enc.o test.o -lpcap root@kali:~/crackle-0.1# make install
Once crackle is installed we can begin walking through using crackle to decrypt pcap files with Bluetooth data on them. To do this simply run the following command on your desired pcap file:
root@kali:~/crackle-sample# crackle -i ltk_exchange.pcap -o decrypted.pcap TK found: 000000 ding ding ding, using a TK of 0! Just Cracks(tm) Warning: packet is too short to be encrypted (1), skipping LTK found: 7f62c053f104a5bbe68b1d896a2ed49c Done, processed 712 total packets, decrypted 3
Now to listen in on future communications between the two devices run the following command on a pcap file and supply the LTK value you discovered earlier:
root@kali:~/crackle-sample# crackle -i encrypted_known_ltk.pcap -o decrypted2.pcap -l 7f62c053f104a5bbe68b1d896a2ed49c Warning: packet is too short to be encrypted (1), skipping Warning: packet is too short to be encrypted (2), skipping Warning: could not decrypt packet! Copying as is.. Warning: could not decrypt packet! Copying as is.. Warning: could not decrypt packet! Copying as is.. Warning: invalid packet (length to long), skipping Done, processed 297 total packets, decrypted 7
With some of my own BLE captures there wasn’t enough packet info to run crackle successfully so I ran crackle with some sample files to give an overview of how the tool works.
Here are a few good resources you should check out:
Bluetooth, hopefully this article packages it up into a nice and easy digestible format as the process to get it to this level wasn’t that straight forward or error free.
As always please let me know if found this article useful or if you didn't, Don’t forget to like this post or leave a comment below to let me know another area you would be interested in reading about. Thanks for your continued support! Until next time!.