Time
9 minutes
Difficulty
Intermediate

Video Transcription

00:05
Hello, everyone, welcome back to breaking stuff with Joe I, as always in North eponymous host Joe Perry. And today we're going to be having a first in the breaking stuff with Joe Siri's. Because this is gonna be the first time that we talked about a wireless exploitation tool, the specific tool that issue crackle,
00:23
a Bluetooth exploitation and cracking tool that is absolutely, phenomenally powerful
00:29
and provides the ability to gain access to otherwise private Bluetooth channels. It's a very simple tool, very, very straightforward, a single line command,
00:37
but it's one of the more powerful and versatile tools we're gonna talk about in the series.
00:42
Since we're discussing Bluetooth hacking and we're discussing the concept of breaking into Bluetooth connections, we're gonna spend a little bit of time talking about just how vulnerable and dangerous Bluetooth really can be, because it is a terrifying technology of your work in security. Bluetooth is a nightmare. It provides such a massive attack service.
01:00
It's a very poorly understood standard by a lot of people who implemented,
01:04
and it just it potentially introduces a shopping number vulnerabilities into a system.
01:10
So, of course, this video is gonna be mainly focused on pen testers, particularly pen testers. We're looking for that initial access to a given target and are trying to think outside the box a little bit along the way. So the course of this video, we're gonna see how we run. Crackle. We're gonna discuss how we construct the necessary p cat file,
01:26
how you can crack a temporary key and extract long term and short term keys with that temporary key.
01:30
And of course, as part of that process, we're gonna understand every step along the way about why Bluetooth is dangerous. So stay tuned. It's gonna take us about 10 minutes, and you're going to get to understand how you could use crackle every day to break stuff.
01:49
So here we are, as always, in our trusty Callie V. M. And before we actually jump into this tool and show how it works because it's a pretty simple tool. The youth I do want to take a second. And as I alluded to in the intro, gonna talk about why Bluetooth is such a frustrating
02:04
tool or technology for security professionals, and it comes down pretty simply to the fact that Bluetooth was not designed with security in mind. Generally speaking, when people are using Bluetooth devices, they're doing them very close. You know, a near field kind of communication. Att. The distance of kind of an NFC, you know, just a couple of feet from your phone, your Bluetooth headset
02:23
or your phone, your car
02:25
or your TV to your audio bar, whatever you might be using. But Bluetooth is designed for these very sort of intimate uses, and because of that, it's not a particularly secure tool. It's not a particularly secure technology. The issue there comes into the fact that even though it's being used for the short range communications,
02:44
Bluetooth can travel further than you would anticipate.
02:46
And often when people are trying to, you know, break in, they'll do a break. You know your Bluetooth security or get access to your tools.
02:53
What they'll do is something called war driving, where they'll actually go in a car, driving around the neighborhood with a Bluetooth sniffer, basically just looking to see if they can find any errant connections or any communication happening that they could get access to.
03:07
And, you know, we tend to think of tools and technologies like Bluetooth. Is this sort of one toe, one just direct connection.
03:14
But that's just not fundamentally how radiation works, which is what this really is, is just radio energy. And so, because of that, Bluetooth is sending all of this data just out in, however, you know, whatever the strength of that signal might be, anyone in that area can get access to that communication. And if they're capable of decrypting it with a tool like, for example, crackle,
03:34
they're going to be capable of actually breaking and taking control of your systems. And so you know, I mentioned earlier all the different uses of Bluetooth and one of the dangers. There is the idea
03:44
that Bluetooth is going to be connecting to
03:46
you know it's gonna come from your phone or from your headphones or from your sound bar or whatever, but it's connecting back to your phone or your car or your computer. You know these tools that you use for very important tasks that you might have great security on them normally.
04:00
But this Bluetooth provides a huge attack vector that a lot of people don't secure properly or don't even consider needing to be secured. No, Bluetooth has definitely made great strides in the last several years of increasing security. But it's still a huge attack factor for security, personal for security professionals
04:18
and shall we say, less
04:20
civic minded people. So that's why that's my little mini random Bluetooth and why I absolutely hate it on a personal level, even though I will admit that I do still use it on some of my my own tool, my own stuff at home.
04:32
But it is definitely a security risk and one that you should be conscious off. And to illustrate that we're gonna talk here very, very briefly about the tool crackle. And as I mentioned in the intro, Crackle is just a Bluetooth hacking tool you can use to retrieve a temporary key. And from that potentially rich retrieve the long term keys for a Bluetooth connection and completely decrypt it.
04:53
And what we're gonna do here is I'm gonna show you just how easy crackle is to use,
04:57
and I'm going to show you. Ah, very quick
05:00
cracking a temporary key and pulling it up. So to get crackle, it doesn't mess. It doesn't come installed by default on all versions of Callie, so to get it. You're just gonna want to run a pseudo
05:10
get
05:16
Sorry I could get installed
05:23
there. You and of course, I already have it. But once it runs, it'll install crackle on your system. You'll be able to use it if you want to play around and kind of learn to use crackle effectively. I highly recommend you go through on Get Husband will include the link below this video There. Some sample files on the crackle. Get for learning Thio
05:42
for learning to use the stool to crack Bluetooth connections
05:45
so Crackle is going to take as its input
05:47
a single peak cap file. And one of the things that I absolutely love about the stool is that it is very, very nearly idiot proof. There are almost no arguments to it. It's very simple. Given the input pea cap. Give it the output pea cap, and if you have a long term key, give it the long term key
06:03
S so you can just I mean, it's almost no really use to it, and almost no real complex used to it. It's just a straightforward Give it your pea cap and it's gonna make it work now for the peacock to be effective. You can see here
06:16
there are some things that you need to do to make sure you're giving it a useful peek out. And to do that, what you're actually looking for is it needs to have a complete parent between two Bluetooth devices. So whenever the headphones or whatever is first connecting to
06:29
the car or the phone or whatever, it's where is acting is the server. In this case, you need to have captured that traffic. And as long as you do that, then Crackle is gonna be able to pull out that temporary key from the blue too.
06:41
Sorry about that. I started disabled slack notifications, but I'm just the worst.
06:46
So here in my crack a folder, you'll see that I have a peek out file. This is one that I pulled off of that get have. It's a very, very simple file that's gonna show us just sort of that the use of crackle and how quickly it can work.
06:58
We're gonna go and we're gonna run, crackle,
07:01
and then we're going to give it attack. Oh, and we'll just say decrypt dot cat
07:10
And there you can go in just a couple of seconds it jumped through. Found the temporary key, which admittedly, in this case is straight zeros, which is a very, very insecure key. Obviously makes it much easier to crack. But it found that key almost immediately. And you can see that it gives you a little bit of information about the fact that the packet that we use is actually very short. It's not properly encrypted.
07:29
So it skipped that first packet, and then it found
07:31
right here the long turkey. So now, with this long term key, you can remember from when we were looking just a second ago.
07:43
You can see here that if you want to run it with the long term key,
07:46
you just type attack l with the key that you were given back, sir,
07:50
Let's run this again real fast and see what we can get.
08:00
Because it was very silly and forgot to copy Paste.
08:03
There we go.
08:05
So we're just gonna copy that? Lt k clear this again,
08:09
and then we will do crackle
08:11
tank. I
08:13
look
08:15
protect. Oh, final
08:16
decrypt
08:18
and then talk l and you just give it
08:22
that key
08:24
and run it
08:24
and you can see that it processed a total of 709 packets, but it didn't actually decrypt any on. The reason for that, actually, is because,
08:33
for whatever reason, most of these packets are too short to be decrypted. Aren't actually the Bluetooth connection. But what's important here is that we were able to very quickly give it the long term key and was able to go through and identify all of the blue to traffic break the original temporary key. And now we're able to break any communication that happens across this Bluetooth.
08:50
Now, the reason why we weren't able to film or information or doom or decrypting.
08:52
It's pretty simple. This was the most basic example file of Pea Cap. I pulled it down just to kind of give us the very quick overview. If you want to play around more like I said, we'll have the link for the get hub underneath this video and you'll be able to pull down all the files that they have their in their tests directory and play with that against crackle. It's a phenomenal tool,
09:13
very useful, and hopefully now you can see just how dangerous Bluetooth is.
09:16
You could see how quickly *** that we cracked that pea cap. And even more than seeing how dangerous Bluetooth is, hopefully you can see how in your own penetration testing work, this particular tool is a very, very quick way to gain entrance to otherwise six year networks. So thank you all for watching. As always, this has been breaking stuff with Joe, and I have been your upon its host, Joe Perry.
09:37
See again,
09:37
Cyberia.

How to Use Crackle (BSWJ)

Crackle is a tool for breaking into ostensibly secure bluetooth communications, allowing the security professional to access the keys used to initiate and manage encryption, thereby rendering the hidden content into plain text. It's an indispensable utility for security professionals attacking a network with bluetooth present.

Instructed By

Instructor Profile Image
Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor