Adafruit Bluefruit LE Sniffer Guide

# Adafruit Bluefruit LE Sniffer Guide This guide shows how to install/setup the Bluefruit LE Sniffer, a 2.4 GHz wireless development platform device, and its plugins. This tutorial will detail on how to sniff Bluetooth Low Energy packets and how to crack the encryption of a BLE connection. Please note that all the information provided is only tested on Ubuntu 20.04 TLS. For other operating systems, you may need to make some changes. Here's a summary of all the parts needed: 1. The actual BLE sniffing hardware. This guide uses the [Adafruit Bluefruit LE Sniffer](https://www.adafruit.com/product/2269) with V2 firmware. 2. The BLE Sniffer uses a Silicon Labs CP2104 to provide USB to serial conversion. In order for this to show up as a COM port, the Silicon Labs [Virtual COM Port driver](https://www.silabs.com/developers/usb-to-uart-bridge-vcp-drivers) is needed. 3. The BLE sniffing plugin uses [Python](https://www.python.org/). 4. To talk to the virtual com port from Python, the [pyserial module](https://pypi.org/project/pyserial/) needs to be installed. 5. [Wireshark](https://www.wireshark.org/) is the main software front end used to facilitate BLE sniffing and decoding. 6. To talk to the BLE sniffer from Wireshark, the Nordic Semiconductor [nRF Sniffer for BLE](https://www.nordicsemi.com/Products/Development-tools/nRF-Sniffer-for-Bluetooth-LE) plugin in is used. ## Step 1: Install Prerequisites & Software - **Prerequisites** There are some prerequisites that need to be installed before using the upcoming tools: ```bash= sudo apt install cmake libusb-1.0-0-dev make gcc g++ libbluetooth-dev wget pkg-config python3-numpy python3-qtpy python3-distutils python3-setuptools python3-pip flex bison git libpcap-dev sudo pip install --upgrade psutil ``` - **Silicon Labs VCP Driver** Installing this driver allows the CP2104 chip on the Adafruit BLE Sniffer to show up as a COM port on your PC. The Linux 3.x.x/4.x.x/5.x.x VCP Driver can be found in the downloads tab [here](https://www.silabs.com/developers/usb-to-uart-bridge-vcp-drivers). To install the driver on Ubuntu, open a command window in the driver's directory and run the following: ```bash= sudo make sudo cp cp210x.ko /lib/modules/<kernel-version>/kernel/drivers/usb/serial sudo insmod /lib/modules/<kernel-version>/kernel/drivers/usb/serial/usbserial.ko sudo insmod cp210x.ko ``` In my case, the `<kernel-version>` was 5.11.0-38-generic. If you are seeing errors when trying to run `sudo make`, it is likely an issue with the Makefile for the VCP Driver. Open the Makefile and change the SRCDIR variable as follows: ![](https://i.imgur.com/KGfA1ei.png) - **Python Serial Support** To provide access to the COM port, install the pyserial package using: ```bash= sudo pip install pyserial ``` If installed correctly, you should be able to import the pyserial package without errors: ``` $ python3 Python 3.8.10 (default, Sep 28 2021, 16:10:42) [GCC 9.3.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import serial >>> ``` - **Wireshark** Wireshark can be installed from the Ubuntu Software Store. ![Wireshark](https://i.imgur.com/6482KDl.png) - **BLE Sniffer Plugin** The nRF Sniffer for Bluetooth LE software is installed as an external capture plugin in Wireshark, and allows us to capture the traffic sniffed using the Adafruit BLE Sniffer. The latest plugin can be found [here](https://www.nordicsemi.com/Products/Development-tools/nRF-Sniffer-for-Bluetooth-LE/Download?lang=en#infotabs). At the time of this guide, the version is 4.0. 1. Install the Python requirements: Open a command window in the /extcap/ folder of the nRF Sniffer plugin directory and type `sudo pip install -r requirements.txt` to ensure you have installed the requirements. 2. Copy the nRF Sniffer capture tool into Wireshark's folder for personal external capture plugins: Open Wireshark as root using `sudo wireshark`. Go to **Help > About Wireshark** and select the **Folders** tab. ![](https://i.imgur.com/GWfJcgR.png) Double-click the location for the **Personal Extcap path** to open this folder. If it does not exist, Wireshark will ask if you want to create it. Copy the contents of the /extcap/ folder into this folder. ![](https://i.imgur.com/5gAoNTL.png) 3. Make sure that the nRF Sniffer files can be run correctly: Open a command window in Wireshark's folder for personal external capture plugins. Run the nRF Sniffer tool to list available interfaces: ```bash= sudo ./nrf_sniffer_ble.sh --extcap-interfaces ``` If the previous step returned an error, verify that Python 3 is accessible and up to date. 4. Enable the nRF Sniffer capture tool in Wireshark: Refresh the interfaces in Wireshark by selecting **Capture > Refresh Interfaces** or pressing **F5**. You should see that nRF Sniffer is displayed as one of the interfaces on the start page. ![](https://i.imgur.com/96c3AaK.png) ## Step 2: Using Wireshark To start sniffing, place the Bluefruit LE Sniffer between the two devices that are communicating and start capturing packets. ![](https://i.imgur.com/Aa00jx6.png) If the nRF Sniffer toolbar is not visible, select **View > Interface Toolbars > nRF Sniffer for Bluetooth LE**. Once the nRF Sniffer is running, it reports advertisements and lists nearby devices in the Device List. The nRF Sniffer has two modes of operation: - Listen on all advertising channels to pick up as many packets as possible from as many devices as possible. This is the default mode. - Follow one particular device and try to catch all packets sent to or from this particular device. This mode catches all: - Advertisements and Scan Responses sent from the device - Scan Requests and Connect Requests sent to the device - Packets in the connection sent between the two devices in the connection The software interface provides commands and options that control the nRF Sniffer operation. Details for the nRF Sniffer operation can be found [here](https://infocenter.nordicsemi.com/index.jsp?topic=%2Fug_sniffer_ble%2FUG%2Fsniffer_ble%2Fintro.html). ![](https://i.imgur.com/jsFIHbD.png) Captures can then be saved as PCAP files using **File > Save As** and selecting the pcap file format. ## Step 3: Using Crackle Crackle is a tool that attempts to decrypt BLE Encryption. Crackle is the right tool if you have captured a connection based on BLE Legacy Pairing. It cannot decrypt Bluetooth transmissions using LE Secure Connections. Crackle must observe the key exchange when it occurs. If two devices have previously paired and are re-establishing encryption, they will reuse a previously exchanged Long Term Key (LTK) to secure that connection and will not perform a key exchange. Crackle cannot be used in this scenario unless the LTK is already known (for example, by having sniffed and cracked the earlier key exchange). - **Install crackle** Run the following commands: ```bash= git clone https://github.com/mikeryan/crackle.git cd crackle make ``` - **Exploit BLE** Using the saved output log file from Wireshark, you can use the latest version of crackle by executing this command: ```bash= ./crackle -i <your_file.pcap> ``` If it did not work, Crackle will give an report which can help determine whether this tool is suitable. Firstly, Crackle can help determine whether or not there are Link Layer encrypted packets in a given PCAP or PcapNG file. If the reported number of encrypted packets is non-zero, then the device is likely using Link Layer encryption. ``` $ ./crackle -i input.pcap ... Analyzing connection n: xx:xx:xx:xx:xx:xx (public) -> yy:yy:yy:yy:yy:yy (public) Found 13 encrypted packets ``` Secondly, Crackle is capable of positively identifying the LE Secure Connections pairing packets. If they are present, Crackle is not suitable for decrypting the communications. ``` $ ./crackle -i input.pcap ... Analyzing connection n: xx:xx:xx:xx:xx:xx (public) -> yy:yy:yy:yy:yy:yy (public) Found 11 encrypted packets Unable to crack due to the following error: LE Secure Connections ```