All of us want our sensitive information to be hidden from people and for that we perform different kinds of things like hide those files or lock them using different softwares. But even though we do that, those files attractive people to itself as an object of security. Today I'm going to give you a slight introduction to what is called as Steganography. Its a practice of hiding an informational file within another file like you might have seen in movies an image has a secret message encoded in it. You can read more about Steganography fromWikipedia. In this tutorial I'm going to use a tool called steghide, which is a simple to use Steganography tool and I'm running it on myArch Linux. What I'm going to do is simply encode an image with a text file which contains some kind of information which I don't want other people to see. And at the end I'll show you how to decode that information back. So lets get started: Requirements: 1. steghide 2. a text file 3. an image file After you have installed steghide, fire up the terminal and typesteghide
It will give you list of options that are available. Now say I have a file with the name of myblogpassword.txt which contains the login password of my blog and I want to encode that file into an Image file with the name of arch.jpg so that I can hide my sensitive information from the preying eyes of my friends. In order to do that I'll type the following command in my terminal: steghide embed -ef myblogpassword.txt -cf arch.jpg
heresteghideis the name of the program embed flag is used to specify to steghide that we want to embed one file into another file -efoption is used to specify to steghide the name (and location, in case if its in some other directory) of the file that we want to embed inside of the another file, in our case its myblogpassword.txt -cfoption is used to specify the name (and location, in case if its in some other directory) of the file in which we want to embed our file, in our case its an image file named arch.jpg After typing the above command and hitting enter it will prompt for a password. We can specify a password here in order to password protect our file so that when anyone tries to extract our embedded file, they'll have to supply a password in order to extract it. If you don't want to password protect it you can just simply hit enter. Now myblogpassword.txt file is embedded inside of the image file arch.jpg. You'll see no changes in the image file except for its size. Now we can delete the plain password text file myblogpassword.txt. In order to extract the embedded file from the cover file, I'll type following command in the terminal: steghide extract -sf arch.jpg -xf myblogpass.txt
heresteghide is again name of the program extract flag specifies that we want to extract an embedded file from a stego file -sfoption specifies the name of the stego file or in other words the file in which we embedded another file, in our case here its the arch.jpg file -xfoption specifies the name of the file to which we want to write our embedded file, here it is myblogpass.txt (remember you must specify the name of file with its location if its somewhere else than the current directory) After typing the above command and hitting enter, it will prompt for a password. Supply the password if any or otherwise just simply hit enter. It will extract the embedded file to the file named myblogpass.txt. Voila! you got your file back but yes the image file still contains the embedded file. That's it, very easy isn't it? It was a pretty basic introduction you can look for other things like encrypting the file to be embedded before you embed it into another file and so on... enjoy :)
This morning I've found an scaring surprise on my Firefox Quantum. Casually it was connected to a proxy when an unexpected connection came up, the browser was connecting to an unknown remote site via HTTP and downloading a ZIP that contains an ELF shared library, without any type of signature on it.
This means two things
1) the owner of that site might spread malware infecting many many people. 2) the ISP also might do that.
Ubuntu Version:
Firefox Quantum version:
The URL: hxxp://ciscobinary.openh264.org/openh264-linux64-0410d336bb748149a4f560eb6108090f078254b1.zip
The zip contains these two files: 3f201a8984d6d765bc81966842294611 libgmpopenh264.so 44aef3cd6b755fa5f6968725b67fd3b8 gmpopenh264.info
The info file: Name: gmpopenh264 Description: GMP Plugin for OpenH264. Version: 1.6.0 APIs: encode-video[h264], decode-video[h264]
So there is a remote codec loading system that is unsigned and unencrypted, I think is good to be aware of it.
In this case the shared library is a video decoder, but it would be a vector to distribute malware o spyware massively, or an attack vector for a MITM attacker.
What is BurpSuite? Burp Suite is a Java based Web Penetration Testing framework. It has become an industry standard suite of tools used by information security professionals. Burp Suite helps you identify vulnerabilities and verify attack vectors that are affecting web applications. Because of its popularity and breadth as well as depth of features, we have created this useful page as a collection of Burp Suite knowledge and information.
In its simplest form, Burp Suite can be classified as an Interception Proxy. While browsing their target application, a penetration tester can configure their internet browser to route traffic through the Burp Suite proxy server. Burp Suite then acts as a (sort of) Man In The Middle by capturing and analyzing each request to and from the target web application so that they can be analyzed.
Everyone has their favorite security tools, but when it comes to mobile and web applications I've always found myself looking BurpSuite . It always seems to have everything I need and for folks just getting started with web application testing it can be a challenge putting all of the pieces together. I'm just going to go through the installation to paint a good picture of how to get it up quickly.
BurpSuite is freely available with everything you need to get started and when you're ready to cut the leash, the professional version has some handy tools that can make the whole process a little bit easier. I'll also go through how to install FoxyProxy which makes it much easier to change your proxy setup, but we'll get into that a little later.
Requirements and assumptions:
Mozilla Firefox 3.1 or Later Knowledge of Firefox Add-ons and installation The Java Runtime Environment installed
Download BurpSuite from http://portswigger.net/burp/download.htmland make a note of where you save it.
on for Firefox from https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
If this is your first time running the JAR file, it may take a minute or two to load, so be patient and wait.
Video for setup and installation.
You need to install compatible version of java , So that you can run BurpSuite.
Algo que sabes, algo que tienes y algo que eres. Estas son las tres categorías de las que se sirven los sistemas para autenticar a un usuario, es decir, el proceso por el cual la identidad que está queriendo acceder puede responder a la pregunta de quién. Gran parte de los servicios de Internet, en sus inicios, solicitaban únicamente en el registro la necesidad de tener asociado un correo electrónico para cambiar la contraseña.
Figura 1: Cómo te pueden hackear cuentas de Whatsapp usando el buzón de voz
Para un atacante que quisiera conseguir el acceso a un servicio de una persona, primero debía conocer cuál era el correo electrónico de su objetivo, y luego centrarse en conseguir acceso al e-mail, robando la contraseña con un ataque de Spear Phishing, consiguiendo un token OAuth que permitiera leer todos los mensajes como se explica en Sappo, o aprovechándose de que la cuenta de e-mail de recuperación de contraseña sea olvidada y caduque. Pero el primer paso, siempre es el mismo. Conocer la dirección de e-mail que utiliza un objetivo para identificarse en los servicios de Internet cuando en inicio era solo para recibir mensajes.
El correo electrónico como elemento esencial para la autenticación
En muchas ocasiones, haciendo una simple búsqueda en Google usando técnicas de Hacking con Buscadores podríamos dar con el correo electrónico de una persona. Sin embargo, podría ser que esa persona no hubiera publicado nunca, por lo que podemos recurrir a las siguientes técnicas:
En cambio, en Outlook, si el correo existe directamente te solicita la contraseña. O, por ejemplo, en 2017, mi compañero Félix Brezo y yo identificamos las cuentas de Twitter de todos los Presidentes de Gobierno y vimos que al menos el 85% de ellos exponía un indicio de la cuenta utilizada en esta red social o que un 30% utilizaron una cuenta de Gmail para su registro.
- Combinaciones de nombre de usuario y servicio de correo: cuando nos encontramos en una situación en la que desconocemos cuál es la cuenta utilizada, en OSRFramework disponemos de una herramienta que se llama mailfy que, pasándoles como parámetro de entrada un nombre de usuario o una dirección de e-mail, te valida si hay una cuenta registrada en servicios como Facebook, Gmail y otros.
Esta es una herramienta que utilizamos mucho en nuestros ejemplos de búsqueda de información de fuentes OSINT para el mundo de la ciberinvestigación.
Una vez que hemos conseguido saber la dirección de correo electrónico, al final, todo concluye en poder recuperar el acceso perdido. Un sistema ampliamente aceptado por la mayoría de los servicios como método de recuperación de cuentas cuando te has olvidado de la contraseña, pero que a más de una "celebritry" le ha traído algún que otro disgusto.
El número de teléfono como elemento esencial para la autenticación
Viendo que las direcciones de correo electrónico y el uso de las contraseñas no era lo más recomendable, nació la autenticación basada en el número de teléfono. Con este objetivo, se han creado, entre otros, servicios como el de Mobile Connect, en donde se eliminan por completo las contraseñas. El usuario final introduce su número de teléfono y la operadora automáticamente te envía un desafío de cara a comprobar la posesión del número de teléfono y así finalizar la autenticación. Sin embargo, existen otros servicios de internet como WhatsApp y Telegram que basan la creación de sus cuentas en el número de teléfono.
Empecemos por Whatsapp
Imaginemos la situación en la que un atacante quiere hacerse con una cuenta de un usuario de Whatsapp. Después de instalar la app, tendrá que indicar cuál es el número de teléfono de la cuenta que quiere recuperar en ese terminal y, posteriormente, seleccionar uno de los dos métodos de los que dispone la plataforma para hacer llegar al usuario el código de verificación.
Vamos a plantear tres escenarios que pueden darse. En el Escenario 1, nos encontramos en la situación en la que usuario legítimo dispone de su móvil y recibe un SMS debido a que el atacante ha solicitado el código para verificar el número.
Figura 4: Verificación de registro de WhatsApp por SMS
A pesar de que este escenario es menos probable de que pueda tener éxito, en el pasado, se ha dado la situación en la que a la víctima se le solicitaba el código de verificación en nombre de Whatsapp. Mira que en el mensaje del SMS lo pone bien claro: "¡No compartas este código con nadie!" Pero hay más métodos.
1.- Ingeniería social: Como hemos dicho, preguntándole a la víctima por medio de un e-mail, otro SMS, una cuenta maliciosa de WhatsApp o llamándole por teléfono directamente. Cuando se trata de engañar a un usuario, cualquier camino es válido.
2.- App maliciosa o vulnerable con permiso para acceder a los SMS: Si el atacante tiene controlada una app maliciosa con permisos para leer los SMS en el terminal podría recuperarlo siempre. Por ello, hay que tener mucho cuidado qué apps nos instalamos - no tengamos un troyano o una Gremlin App - y tener el sistema operativo y las apps actualizadas. Si tu terminal no soporta las últimas versiones del sistema operativo de Android, deberías pensar en cambiarlo.
3,. SIM Duplicada: Si alguien te puede duplicar tus documentos de identidad, con una fotocopia, o consigue convencer a un empleado en una tienda de tu operadora para conseguir un duplicado de tu SIM, podría recibir los SMS al mismo tiempo, por eso hay que tener mucho cuidado con tu información personal y documentos de identidad.
4.- SIM Swapping: En algunos países, los ataques se hacen abusando de las políticas de portabilidad de números, por lo que es importante conocer cómo de protegido está tu número frente a un intento de portabilidad.
5.- Ataques RTL: Se trata de abusar de la seguridad del canal SMS. Para ello, si el atacante está cerca y conoce bien las herramientas y ataques del Hacking de Comunicaciones Móviles, podría capturar el SMS cuando la antena más cercana los reenvíe hacia tu terminal.
6.- Previsualización de SMS: Si tienes la previsualización de mensajes SMS en la pantalla bloqueada de tu terminal, alguien podría acceder a ellos en un descuido. Sería un ataque local, pero igualmente peligroso. Igual que el truco con Siri para robar cuentas de e-mail.
Como veis, la verificación de dueño de WhatsApp por SMS tiene sus "corner cases" y hay que tener ciertas medidas de precaución, para evitar que uno de estos casos nos afecte. Aún así, quedan dos posibilidades más que pueden ser fácilmente aprovechables por un atacante cercano o remoto.
Escenario 2: Llamada de teléfono
En el Escenario 2, se envía el código de verificación por SMS y, si al cabo de un minuto, no se ha introducido, la víctima podría recibir una llamada a su número de teléfono donde se le indica cuál es su código de verificación.
Figura 5: Verificación por llamada al número de teléfono
En estos entornos, si el atacante dispusiera del teléfono de la víctima, directamente podría coger la llamada, escuchar el código de verificación y hacerse con la cuenta ya que para descolgar una llamada de teléfono no hay que desbloquear el terminal.
El buzón de voz
Pero imaginemos que la víctima no coge la llamada. Entonces se da el Escenario 3. Automáticamente, WhatsApp te deja un mensaje en el buzón de voz. Y entonces te lo pueden robar del buzón de voz. Para acceder al buzón de voz, suelen existir dos maneras:
1.- Desde tu teléfono: Haciendo la llamada desde el número de teléfono para el que vas a acceder al buzón de voz, por lo que no necesitas dar la contraseña.
Figura 6: WhatsApp deja el código de verificación en el buzon
2) Desde otro teléfono: haciendo una llamada a un número de teléfono si la llamada que se está realizando no es desde el número de teléfono del buzón de voz. En esta situación, te solicitará el PIN en donde dispones de tres intentos. Si esos tres intentos son erróneos se cuelga la llamada. En esta situación, el atacante podría recurrir a estadísticas sobre la frecuencia de uso de los número PIN, en donde el 1234 es el más frecuente, seguido del 1111 y del 0000.
Telegram: El SMS, la llamada y el buzón de Voz
La popular competencia de WhatsApp, el popular Telegram dispone de un sistema parecido. Ofrece a los usuarios los mismos dos métodos: envío del código de verificación mediante SMS y, al cabo de dos minutos, llama al número de teléfono cuya cuenta se quiere recuperar para decirle cuál es el código de verificación, con la salvedad de que no deja el código en el buzón de voz. Esto hace que el problema del ataque al buzón de voz de WhatsApp no le afecte.
Figura 7: Telegram también dispone de código y llamada telefónica como métodos de validación.
Si bien es cierto que cualquier servicio en Internet debe crear procesos sencillos de cara a captar más usuarios y entendibles a nivel de seguridad para el usuario, esta última opción que ofrece WhatsApp de dejar el código de verificación en el buzón de voz no es ni sencilla, ya que es probable que nadie conozca cuál es su PIN para acceder al buzón de voz y, ni es segura, ya que un atacante con un poco de maña podría sin tener acceso físico al teléfono acceder a la información antes de que el usuario se dé cuenta.
Recomendaciones de seguridad
Como punto final, os recomiendo el artículo de Cómo espiar WhatsApp que, aunque tiene ya bastante tiempo, muchos de los ataques sigue funcionando de una forma similar. Respecto a tener protegido tu cuenta de WhatsApp, te dejo esta serie de Proteger tu cuenta de WhatsApp a prueba de balas.
Y para el caso concreto del buzón de voz, asegúrate de que nadie remotamente pueda acceder, ya sea porque tienes desactivado el buzón de voz o porque has cambiado el PIN por defecto. Asegúrate de eso. Por otra parte, tal vez WhatsApp deba replantearse dejar el PIN en un buzón de voz, ya que abre un vector de ataque que tal vez el usuario no sea consciente.
In the last article Learning Web Pentesting With DVWA Part 1: Installation, you were given a glimpse of SQL injection when we installed the DVWA app. In this article we will explain what we did at the end of that article and much more.
Lets start by defining what SQL injection is, OWASP defines it as: "A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands."
Which basically means that we can use a simple (vulnerable) input field in our web application to get information from the database of the server which hosts the web application. We can command and control (at certain times) the database of the web application or even the server.
In this article we are going to perform SQL injection attack on DVWA, so let's jump in. On the DVWA welcome page click on SQL Injection navigation link. We are presented with a page with an input field for User ID.
Now lets try to input a value like 1 in the input field. We can see a response from server telling us the firstname and surname of the user associated with User ID 1.
If we try to enter a user id which doesn't exist, we get no data back from the server. To determine whether an input field is vulnerable to SQL injection, we first start by sending a single quote (') as input. Which returns an SQL error.
We saw this in the previous article and we also talked about injection point in it. Before diving deeper into how this vulnerability can be exploited lets try to understand how this error might have occurred. Lets try to build the SQL query that the server might be trying to execute. Say the query looks something like this:
The 1 in this query is the value supplied by the user in the User ID input field. When we input a single quote in the User ID input field, the query looks like this:
The quotes around the input provided in the User ID input field are from the server side application code. The error is due to the extra single quote present in the query. Now if we specify a comment after the single quote like this: '-- - or '# we should get no error. Now our crafted query looks like this:
since everything after the # or -- - are commented out, the query will ignore the extra single quote added by the server side app and whatever comes after it and will not generate any error. However the query returns nothing because we specified nothing ('') as the user_id.
After knowing how things might be working on the server side, we will start to attack the application. First of all we will try to determine the number of columns that the query outputs because if we try a query which will output the number of columns greater or smaller than what the original query outputs then our query is going to get an error. So we will first figure out the exact number of columns that the query outputs and we will do that with the help of order by sql statement like this:
'orderby1-- -
This MySQL server might execute the query as:
SELECTfirst_name,sur_nameFROMusersWHEREuser_id='' order by 1-- -';
you get the idea now. if we don't get any error message, we will increase the number to 2 like this:
'orderby2-- -
still no error message, lets add another:
'orderby3-- -
and there we go we have an error message. Which tells us the number of columns that the server query selects is 2 because it erred out at 3.
Now lets use the union select SQL statement to get information about the database itself.
'unionselectnull,version()-- -
You should first understand what a union select statement does and only then can you understand what we are doing here. You can read about it here. We have used null as one column since we need to match the number of columns from the server query which is two. null will act as a dummy column here which will give no output and the second column which in our case here is the version() command will output the database version. Notice the output from the application, nothing is shown for First name since we specified null for it and the maria db version will be displayed in Surname. Now lets check who the database user is using the user() function of mariadb:
'unionselectnull,user()-- -
After clicking the submit button you should be able to see the user of the database in surname. Now lets get some information about the databases in the database. Lets determine the names of databases from INFORMATION_SCHEMA.SCHEMATA by entering following input in the User ID field:
This lists two databases dvwa and information_schema. information_schema is the built in database. Lets look at the dvwa database. Get table names for dvwa database from INFORMATION_SCHEMA.TABLES
It gives a huge number of tables that are present in dvwa database. But what we are really interested in is the users table as it is most likely to contain user passwords. But first we need to determine columns of that table and we will do that by querying INFORMATION_SCHEMA.COLUMNS like this:
' union select null, COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'users'-- -
We can see the password column in the output now lets get those passwords:
'unionselectuser,passwordfromusers-- -
Of-course those are the hashes and not plain text passwords. You need to crack them. Hope you learned something about SQL injection in this article. See you next time.
A step by step lab based mini course on analyzing your car network
I wanted to learn about hacking cars. As usual I searched around the internet and didn't find any comprehensive resources on how to do this, just bits and pieces of the same info over and over which is frustrating. I am not a car hacking expert, I just like to hack stuff. This mini course will run in a fully simulated lab environment available from open garages, which means in 5 minutes from now you can follow along and hack cars without ever bricking your girlfriends car. Since you obviously wouldn't attack your own Lambo, totally use your girlfriends Prius.
Below are the topics covered in this blogseries so you can decide if you want to read further:
Whats covered in this car hacking mini course:
Setting up Virtual Environments for testing
Sniffing CAN Traffic
Parsing CAN Traffic
Reverse Engineering CAN IDs
Denial of service attacks
Replaying/Injecting Traffic
Coding your own CAN Socket Tools in python
Targeted attacks against your cars components
Transitioning this to attacking a real car with hardware
The first thing we are going to do before we get into any car hacking specifics such as "WTF is CAN?", is get your lab up and running. We are going to run a simple simulated CAN Bus network which controls various features of your simulated car. Its better to learn by doing then sit here and recite a bunch of car network lingo at you and hope you remember it.
I also don't want you to buy a bunch of hardware and jack into your real car right away. Instead there are options that can get you started hacking cars RIGHT NOW by following along with this tutorial. This will also serve to take away the fear of hacking your actual car by understanding what your doing first.
Video Playlist:
Setting up your Lab:
First things first, set yourself up with an Ubuntu VMware install, and load it up. Optionally you could use a Kali Iinux VM, however, that thing drives me nuts with copy paste issues and I think Kayak was giving me install problems. So support is on you if you would like to use Kali. However, I do know Kali will work fine with OpenGarages virtual car.. So feel free to use it for that if you have it handy and want to get started right away.
Install PreReq Libraries:
Once you load this up you are going to want to install CAN utilities and pre-requisite libraries. This is really easy to do with the following Apt-get commands:
Once this is done we can startup the simulator by changing directories to the downloaded repo and running the following 2 commands, which will setup a virtual CAN interface and a simulator GUI Cluster:
Run the setup Script to get the vcan0 interface up:
root@kali:~/ICSim# ./setup_vcan.sh
root@kali:~/ICSim# ./icsim vcan0
On a new terminal tab we will open up our simulators controller with the following command,
root@kali:~/ICSim#./controls vcan0
Note: that the controller must be the in-focus GUI screen to send keyboard commands to the simulator.
How to Use the Simulator:
The simulator has a speedometer with Right and Left turn signals, doors etc. Below are the list of commands to control the simulator when the Control panel is in focus. Give them each a try and note the changes to the simulator.
Up and Down keys control the gauges clusters speedometer
Left and Right keys Control the Blinkers
Right Shift + X, A or B open doors
Left Shift + X, A or be Close doors
Try a few of the above commands for example Right Shift +X and you will see the interface change like so, notice the open door graphic:
Awesome, thanks to OpenGarages you now you have your very own car to hack
Notice in the setup commands above we used a VCan0 interface. Run Ifconfig and you will now see that you indeed have a new network interface that speaks to the CAN network over VCan0.
ficti0n@ubuntu:~/Desktop/ICSim$ ifconfig vcan0
vcan0 Link encap:UNSPECHWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
Car networks run on a variety of protocols most prevalent being CAN. You can think of a CAN Bus like an old school networking hub where everyone can see everyone elses traffic. This is true to some extent although you may not see all of the cars traffic if its not connected to that particular bus your plugged into. You can think of CAN traffic kind of like UDP in that its send and forget, the main difference being parts of the CAN bus network don't actually have addresses and everything runs off arbitration IDs and priorities. Thats enough background to get you doing rather then reading.
With a little knowledge out of the way lets check if we can see our CAN traffic from our virtual car via the CanDump utility, which you installed as part of CanUtils package above. Using the following command on the vcan0 interface our simulator uses you can view a stream of traffic:
ficti0n@ubuntu:~/Desktop/ICSim$ candump vcan0
Above we can see a bunch of CAN frames, and if we perform actions on the vehicle we will see changes to data values in the CanDump output.However this may happen very fast, and we may not be able to see if for example we unlocked our simulators door. This is because things are changing constantly in the cars IDLE state. One single value changing may not stand out enough for us to take notice or may scroll so fast we cant see it.
Capture and Replay CAN Actions:
One option would be to perform an action and replay it, we should see the actions happen again in the replay if the traffic for the action we recorded is on the same bus network our device is plugged into. There are loads of networks within a car and its not guaranteed our network tap for example an OBD2 port plugin is connected to the same network as door we opened.Or the door may not be connected to the network at all depending on your car and its age or how its configured.
Replaying dumps with CanPlayer:
Another useful tool included with CanUtils package is CanPlayer for replaying traffic. If the functionality we are trying to capture is on the same Bus as the adaptor plugged into the car, or in this case our Virtual CAN interface, we can use CanDump to save traffic to a file. We then use CanPlayer to replay the traffic on the network. For example lets run CanDump and open a door and then replay the functionality with CanPlayer.
Lab 1 Steps:
Run CanDump
Right Shift + X to open a door
Cancel CanDump (ctrl+c)
Left Shift + X to close the door
Run can player with the saved dump and it will replay the traffic and open the door
Recording the door opening:(-l for logging)
ficti0n@ubuntu:~/Desktop/ICSim$ candump -l vcan0
Replaying the CanDump file:(use the file your can dump created)
Nice, so if all went well you should see that your door is now open again. If this did not happen when attacking a real car, just try to replay it again. CAN networks are not like TCP/IP, they are more like UDP in that you send out your request and its not expecting a response. So if it gets lost then it gets lost and you have to resend. Perhaps something with higher priority on the network was sending at the time of your replay and your traffic was overshadowed by it.
Interacting with the Can Bus and Reversing Traffic:
So thats cool, but what about actually understanding what is going on with this traffic, CanDump is not very useful for this, is scrolls by to quickly for us to learn much from.Instead we can use CanSniffer with colorized output to show us the bytes within packets that change. Below is an example of CanSniffer Traffic:
You will see 3 fields, Time, IDand Data. Its pretty easy to figure out what these are based on thier name. The most important part for our usage in this blog are the ID and the Data fields.
The ID field is the frame ID which is loosely associated with the device on the network which is effected by the frame being sent. The ID to also determines the priority of the frame on the network.The lower the number of the CAN-ID the higher priority it has on the network and more likely it will be handled first.The data field is the data being sent to change some parameter like unlocking a door or updating output. You will notice that some of the bytes are highlighted RED. The values in red are the values that are changing during the idle state you are currently in.
Determine which ID and Byte controls the throttle:
So with the terminal sniffing window open put the simulator and the controller into the foreground, with the controller being the window you have clicked and selected.Pay attention to the CanSniffer output while hitting the UP ARROW and look for a value that was white but is now Red and increasing in value as the throttle goes up.This might take you a few minutes of paying attention to whats going on to see.
The following 2 pictures show ID 244 in the IDLE state followed by pressing the up button to increase the speed. You will notice a byte has turned red and is increasing in value through a range of HEX values 0-F. It will continue to enumerate through values till it reaches its max speed.
The byte in ID 244 which is changing is the value while the throttle is engaged, so 244 associated in some way with the increasing speed. The throttle speed is a good value to start with as it keeps increasing its value when pressed making it easier to spot while viewing the CanSniffer output.
Singling out Values with Filters:
If you would like to single out the throttle value then click the terminal window and press -000000 followed by the Enter key which will clear out all of the values scrolling. Then press +244 followed by the Enter key which will add back the throttle ID. You can now click the controller again and increase the speed with your Up arrow button without all the noise clouding your view.You will instead as shown below only have ID 244 in your output:
To get back all of the IDs again click the terminal window and input +000000 followed by the Enter key. Now you should see all of the output as before.Essentially 000000 means include everything. But when you put a minus in front of it then it negates everything and clears your terminal window filtering out all values.
Determine Blinker ID:
Now lets figure out another ID for the blinkers. If you hit the left or right arrow with the controls window selected you will notice a whole new ID appears in the list, ID 188 shown in the picture below which is associated with the blinker.
This ID was not listed before as it was not in use within the data output until you pressed the blinker control.Lets single this value out by pressing -000000 followed by +188. Just like in the throttle example your terminal should only show ID 188, initially it will show with 00 byte values.
As you press the left and the right blinker you will see the first Byte change from 00 to 01 or 02. If neither is pressed as in the screenshot above it will be 00. Its kind of hard to have the controller in focus and get a screenshot at the same time but the ID will remain visible as 00 until it times out and disappears from the list when not active. However with it filtered out as above you can get a better view of things and it wont disappear.
Time for YOU to do some Protocol Reversing:
This lab will give you a good idea how to reverse all of the functionality of the car and associate each action with the proper ID and BYTE. This way you can create a map of intended functionality changes you wish to make.Above we have done a few walk throughs with you on how to determine which byte and ID is associated with an action. Now its time to map everything out yourself with all the remaining functionality before moving on to attacking individual components.
Lab Work Suggestion:
Take out a piece of paper and a pencil
Try unlocking and locking doors and write down the ID which controls this action (remember your filters)
Try unlocking each door and write down the BYTES needed for each door to open
Try locking each doors and what Bytes change and what are their values, write them down
Do the same thing for the blinkers left and right (Might be different then what I did above)
What ID is the speedometer using?What byte changes the speed?
Attacking Functionality Directly:
With all of the functionality mapped out we can now try to target various devices in the network directly without interacting with the controllers GUI. Maybe we broke into the car via cellular OnStar connectionor the center console units BLE connection which was connected to the CAN network in some way. After an exploit we have direct access to the CAN network and we would like to perform actions. Or maybe you have installed a wireless device into an OBD2 port under the dashboard you have remote access to the automobile.
Using the data from the CAN network reversing lab above we can call these actions directly with the proper CAN-ID and Byte.Since we are remote to the target we can't just reach over and grab the steering wheel or hit the throttle we will instead send your CAN frame to make the change.
One way we can do this is via the CanSend utility. Lets take our information from our lab above and make the left turn signal flash with the following ID 188 for the turn signal by changing the first byte to 01 indicating the left signal is pressed. CanSend uses the format ID#Data. You will see this below when sending the turn signal via CanSend.
You should have noticed that the left signal flashed. If not pay more attention and give it another try or make sure you used the correct ID and changed the correct byte.So lets do the same thing with the throttle and try to set the speed to something with ID 244 that we determined was the throttle.
My guess is that nothing happened because its so fast the needle is not going to jump to that value. So instead lets try repeating this over and over again with a bash loop which simply says that while True keep sending the throttle value of 11 which equates to about 30mph:
ficti0n@ubuntu:~/Desktop/ICSim$ while true; do cansend vcan0 244#00000011F6;done
Yes thats much better, you may notice the needle jumping back and forth a bit. The reason the needle is bouncing back and forth is because the normal CAN traffic is sent telling the car its actually set to 00 in between your frames saying its 30mph.But it worked and you have now changed the speed the car sees and you have flashed the blinker without using the cars normal blinker controls. Pretty cool right?
Monitor the CAN Bus and react to it:
Another way to handle this issue is to monitor the CAN network and when it sees an ID sent it will automatically send the corresponding ID with a different value.. Lets give that a try to modify our speed output by monitoring for changes. Below we are simply running CanDump and parsing for ID 244 in the log output which is the throttle value that tells the car the speed. When a device in the car reports ID 244 and its value we will immediately resend our own value saying the speed is 30mph with the value 11.See below command and try this out.
ficti0n@ubuntu:~/Desktop/ICSim$ candump vcan0 | grep " 244 " | while read line; do cansend vcan0 244#00000011F6; done
With this running after a few seconds you will see the speed adjust to around 30MPH once it captures a legitimate CAN-ID 244 from the network traffic and sends its own value right after.
Ok cool, so now while the above command is still running click the controller window and start holding down the Up arrow with the controller in focus.. After a few seconds or so when the speed gets above 30MPH you will see the needle fighting for the real higher value and adjusting back to 30MPH as your command keeps sending its on value as a replacement to the real speed.
So thats one way of monitoring the network and reacting to what you see in a very crude manner.Maybe someone stole your car and you want to monitor for an open door and if they try to open the door it immediately locks them in.
Conclusion and whats next:
I am not an expert car hacker but I hope you enjoyed this. Thats about as far as I want to go into this subject today, in the next blog we will get into how to code python to perform actions on the CAN network to manipulate things in a similar way.With your own code you are not limited to the functionality of the tools you are provided and can do whatever you want. This is much more powerful then just using the CanUtils pre defined tools. Later on I will also get into the hardware side of things if you would like to try this on a real car where things are more complicated and things can go wrong.
Related posts
