ble_crack
=========

Presentation
------------

This module can be used to bruteforce a legacy Pairing, according to the provided input parameters. It is used by `ble_mitm`_ and `ble_sniff`_ in order to crack the Temporary Key if a legacy Pairing process happens during the module's execution.

This module tries every possible PIN code: for each candidate it computes the corresponding Confirm value from the Rand value provided. If a computed value matches the provided Confirm value, the PIN code is found and the corresponding Temporary Key is generated. If enough information is provided (e.g. *MASTER_RAND* and *SLAVE_RAND*), it may also generate the associated Short Term Key. Cracking only the Temporary Key, however, needs just one Confirm / Rand pair, not both.

This module is offline, so it doesn't require a specific interface.

Input parameters
----------------

+------------------------+-------------------+-----------------+---------------------------------+
| Name                   | Default value     | Possible values | Description                     |
+========================+===================+=================+=================================+
| MASTER_RAND            |                   |                 | Master's random value           |
+------------------------+-------------------+-----------------+---------------------------------+
| SLAVE_RAND             |                   |                 | Slave's random value            |
+------------------------+-------------------+-----------------+---------------------------------+
| MASTER_CONFIRM         |                   |                 | Master's confirm value          |
+------------------------+-------------------+-----------------+---------------------------------+
| SLAVE_CONFIRM          |                   |                 | Slave's confirm value           |
+------------------------+-------------------+-----------------+---------------------------------+
| PAIRING_REQUEST        |                   |                 | Payload of the pairing request  |
+------------------------+-------------------+-----------------+---------------------------------+
| PAIRING_RESPONSE       |                   |                 | Payload of the pairing response |
+------------------------+-------------------+-----------------+---------------------------------+
| INITIATOR_ADDRESS      | 11:22:33:44:55:66 |                 | Initiator's BD address          |
+------------------------+-------------------+-----------------+---------------------------------+
| INITIATOR_ADDRESS_TYPE | public            | public\|random  | Initiator's BD address type     |
+------------------------+-------------------+-----------------+---------------------------------+
| RESPONDER_ADDRESS      | 11:22:33:44:55:66 |                 | Responder's BD address          |
+------------------------+-------------------+-----------------+---------------------------------+
| RESPONDER_ADDRESS_TYPE | public            | public\|random  | Responder's BD address type     |
+------------------------+-------------------+-----------------+---------------------------------+

Output parameters
-----------------

If no key has been found or if some parameters are missing, no output parameters are generated.

If only the Temporary Key has been found, the following output parameters are generated:

+----------------+-----------------+----------------------+
| Name           | Possible values | Description          |
+================+=================+======================+
| PIN            |                 | PIN code found       |
+----------------+-----------------+----------------------+
| TEMPORARY_KEY  |                 | Temporary Key found  |
+----------------+-----------------+----------------------+

If the associated Short Term Key has been generated, the following output parameters are generated:

+----------------+-----------------+----------------------+
| Name           | Possible values | Description          |
+================+=================+======================+
| PIN            |                 | PIN code found       |
+----------------+-----------------+----------------------+
| TEMPORARY_KEY  |                 | Temporary Key found  |
+----------------+-----------------+----------------------+
| SHORT_TERM_KEY |                 | Short Term Key found |
+----------------+-----------------+----------------------+

Usage
-----

If you want to generate the Temporary Key only, provide the input parameters similarly to the following example (you can replace *MASTER_RAND* and *MASTER_CONFIRM* by *SLAVE_RAND* and *SLAVE_CONFIRM* if needed):

::

    $ sudo mirage ble_crack MASTER_RAND=d320734c11a25d7e10abd74c9e480cff PAIRING_REQUEST=0707100d000401 PAIRING_RESPONSE=07071005000002 INITIATOR_ADDRESS=66:1E:3D:EF:23:C5 INITIATOR_ADDRESS_TYPE=random RESPONDER_ADDRESS=C4:BE:84:39:8E:07 RESPONDER_ADDRESS_TYPE=public MASTER_CONFIRM=23ae7797139d11968c3cdc6a57fc2a30
    [INFO] Module ble_crack loaded !
    [INFO] Cracking TK ...
    [SUCCESS] Pin found : 0
    [SUCCESS] Temporary Key found : 00000000000000000000000000000000
    [INFO] Mirage process terminated !

If you want to generate the corresponding Short Term Key, you need to provide the two Rand values (*MASTER_RAND* and *SLAVE_RAND*):

::

    $ sudo mirage ble_crack MASTER_RAND=d320734c11a25d7e10abd74c9e480cff PAIRING_REQUEST=0707100d000401 PAIRING_RESPONSE=07071005000002 INITIATOR_ADDRESS=66:1E:3D:EF:23:C5 INITIATOR_ADDRESS_TYPE=random RESPONDER_ADDRESS=C4:BE:84:39:8E:07 RESPONDER_ADDRESS_TYPE=public MASTER_CONFIRM=23ae7797139d11968c3cdc6a57fc2a30 SLAVE_RAND=b0340c45c213a6f8e48b4273aefe6368
    [INFO] Module ble_crack loaded !
    [INFO] Cracking TK ...
    [SUCCESS] Pin found : 0
    [SUCCESS] Temporary Key found : 00000000000000000000000000000000
    [SUCCESS] Short Term Key found : 64f4a6094c4ae81868f2902613b2590e
    [INFO] Mirage process terminated !