(PEN)Testing CAN network with help of CANToolz (Yet Another CAN Hacking Tool). 23/03/2016, DCG #7812. From Berlin with Love. Alexey Sintsov, @asintsov

Upload: alexey-sintsov

Post on 18-Jan-2017


Page 1: Testing CAN network with help of CANToolz

(PEN)Testing CAN network with help of CANToolz

(Yet Another CAN Hacking Tool)

23/03/2016, DCG #7812

From Berlin with Love. Alexey Sintsov, @asintsov

Page 2

Defcon Russia (DCG #7812) 2

CAN bus, daddy. Daddy, CAN bus

https://en.wikipedia.org/wiki/CAN_bus

Diagram: CAN bus with a 120 Ohm termination resistor at each end.

Page 3

Diagram: CAN network with a CAN gateway/switch*

* Different topology possible

Page 4

CAN utilities…

• http://illmatics.com/content.zip - utilities by @0xcharlie and @nudehaberdasher
  - A lot of cases and examples, very good and helpful
• https://github.com/ericevenchick/CANard - abstract CAN lib
  - Abstract CAN lib, useful for creating your own CAN tools (hardware independent)
• https://github.com/zombieCraig/UDSim - and not only .. other tools by Craig Smith
  - Fuzzing, reversing, etc.
• Moarrrr: http://opengarages.org/index.php/Tools

But why do I need "Yet Another CAN Hacking Tool"?

There are a lot of tools and console scripts for different tasks… but I want to have one interface. What if I want to use a "combo" of those tools/tricks/tests (with minimum code-writing)? What if I want to do a MITM? Not only for "hacking", but as a testing framework (maybe useful for OEMs/vendors, e.g. as a validation scanner). Something module/scenario based, so I can share readable test cases/scenarios with others.

I need something like BurpSuite/Metasploit for CAN network/ECU analysis: different modules and one interface. I want to easily extend it with modules, run the same modules in different "combos", etc. So I made this tool for myself first… but if it can be useful for others, why not; finally we can help each other through contribution.

Page 5

CANToolz (concept)

Diagram: CANToolz framework (MITM example): CANToolz Module 1, Module 2 and Module 3 connected by PIPE 1 and PIPE 2.

You can configure modules in any order to create your own "test scenario". Hardware "independent" scenarios (you just need an IO module for your hardware). Easy to share, easy to use (for me at least: one standard interface, console, WEB API).

https://github.com/eik00d/CANToolz

Supported:
• ISO-TP
• UDS

Page 6

CANToolz (concept)

Diagram: CANToolz framework (MITM example): CANToolz Module 1, Module 2 and Module 3 connected by PIPE 1 and PIPE 2.

Each module has an IN and an OUT and can handle a CAN frame. These modules can be connected via any number of PIPES and perform different actions at any stage/step of the scenario. This gives flexibility and power ;)

https://github.com/eik00d/CANToolz

Page 7

CANToolz (hardware independent*)

https://github.com/eik00d/CANToolz

USBtin - http://www.fischl.de/usbtin/

Fast CAN to USB device, support extended format

CANBusTriple - https://www.canb.us/

Arduino based CAN to USB device. Supports up to 3 CAN buses!

These devices are currently supported by the framework, but the list will be extended in the future, and anyone can add support for any other hardware module! The other (logical) modules are independent from the hardware!

Page 8

Photo: CANBusTriple device with 120 ohm termination.

Page 9

Photo: USBtin device with 120 Ohm termination.

Page 10

CANToolz (Arch)

Diagram: CANToolz framework (MITM example), hw_USBtin on one side and hw_CANBusTriple on the other, connected by PIPE 1 and PIPE 2. The main loop runs the steps in order:
Step 1: hw_USBtin read
Step 2: hw_CANBusTriple read
Step 3: mod_firewall (block CAN frames A,B,C)
Step 4: mod_firewall (block CAN frames X,Y,Z)
Step 5: hw_CANBusTriple write
Step 6: hw_USBtin write

• You can use the same module on any step - shared memory, same state

Page 11

Config file example:

    # Load modules
    load_modules = {
        'hw_USBtin'      : {'port':'auto', 'debug':1, 'speed':500},
        'hw_CANBusTriple': {'port':'auto', 'debug':1, 'speed':500},
        'mod_firewall'   : {},
    }

    # Scenario with steps
    actions = [
        {'hw_USBtin'      : {'pipe': 1, 'action': 'read'}},
        {'hw_CANBusTriple': {'pipe': 2, 'action': 'read'}},
        {'mod_firewall'   : {'pipe': 1, 'black_list': [1337, 31337]}},
        {'mod_firewall'   : {'pipe': 2, 'black_list': [0x1122, 0x2211]}},
        {'hw_CANBusTriple': {'pipe': 1, 'action': 'write'}},
        {'hw_USBtin'      : {'pipe': 2, 'action': 'write'}}
    ]

Page 12

CANToolz (Arch)

Diagram: CANToolz framework (MITM example), hw_USBtin on one side and a second instance, hw_USBtin~2, on the other, connected by PIPE 1 and PIPE 2. The main loop runs the steps in order:
Step 1: hw_USBtin read
Step 2: hw_USBtin~2 read
Step 3: mod_firewall (block CAN frames A,B,C)
Step 4: mod_firewall (block CAN frames X,Y,Z)
Step 5: hw_USBtin~2 write
Step 6: hw_USBtin write

• You can use a module as different instances - memory and state are not shared

Page 13

Config file example:

    # Load modules
    load_modules = {
        'hw_USBtin'   : {'port':'auto', 'debug':1, 'speed':500},
        'hw_USBtin~2' : {'port':'auto', 'debug':1, 'speed':500, 'bus':62},
        'mod_firewall': {},
    }

    # Scenario with steps
    actions = [
        {'hw_USBtin'   : {'pipe': 1, 'action': 'read'}},
        {'hw_USBtin~2' : {'pipe': 2, 'action': 'read'}},
        {'mod_firewall': {'pipe': 1, 'black_list': [1337, 31337]}},
        {'mod_firewall': {'pipe': 2, 'black_list': [0x1122, 0x2211]}},
        {'hw_USBtin~2' : {'pipe': 1, 'action': 'write'}},
        {'hw_USBtin'   : {'pipe': 2, 'action': 'write'}}
    ]

Page 14

CANToolz (Arch)

Diagram: CANToolz framework (MITM example) with a single hw_CANBUSTriple module and PIPE 1. The main loop runs the steps in order:
Step 1: hw_CANBUSTriple read
Step 2: mod_firewall (block CAN frames A,B,C,X,Y,Z)
Step 3: hw_CANBUSTriple write

• The CANBusTriple device supports up to 3 buses!

Page 15

Config file example:

    # Load modules
    load_modules = {
        'hw_CANBUSTriple': {'bus_1': 1, 'bus_2': 2},  # Init parameters
        'mod_firewall'   : {},
    }

    # Scenario with steps
    actions = [
        {'hw_CANBUSTriple': {'pipe': 1, 'action': 'read'}},
        {'mod_firewall'   : {'pipe': 1, 'black_list': [1337, 31337, 0x1122, 0x2211]}},
        {'hw_CANBUSTriple': {'pipe': 1, 'action': 'write'}}
    ]

Page 16

Example 1: MITM/Firewall

Which CAN frames are responsible for an action? Unlock doors…

Diagrams: two alternative ways of inserting the MITM device into the CAN bus (mind the CAN bus termination: 120 Ohm!).

Page 17

Example 1: MITM/Firewall

    # Load modules
    load_modules = {
        'mod_firewall': {},
        'mod_stat'    : {},
        'hw_USBtin'   : {'port':'auto', 'debug':1, 'speed':500},
        'hw_USBtin~2' : {'port':'auto', 'debug':1, 'speed':500, 'bus':62}
    }

    # Scenario
    actions = [
        {'hw_USBtin'   : {'action':'read'}},
        {'mod_firewall': {'white_list':[1337]}},
        {'hw_USBtin~2' : {'action':'read', 'pipe':2}},
        {'mod_stat'    : {'pipe': 1}},
        {'mod_stat'    : {'pipe': 2}},
        {'hw_USBtin'   : {'action':'write', 'pipe':2}},
        {'hw_USBtin~2' : {'action':'write'}}
    ]

Page 18

Example 1: MITM/Firewall

Page 19

Example 1: MITM/Firewall

black_body [[0,0x11,0x22,0x33]]

Page 20

Example 2: CAN Gateway scan

• Which frames will be blocked?
• Which frames can be passed?

Page 21

Example 2: CAN Gateway scan

    # Load needed modules
    load_modules = {
        # IO hardware module connected to first BUS (IVI)
        'hw_USBtin'   : {'port':'auto', 'debug':1, 'speed':500},
        # IO hardware module (connected to OBD2)
        'hw_USBtin~2' : {'port':'auto', 'debug':1, 'speed':500, 'bus': 62},
        'gen_ping'    : {},   # Generator/Ping
        'mod_firewall': {},   # We need firewall to block all other packets
        'mod_stat'    : {}    # Mod stat to see results
    }

    actions = [
        {'hw_USBtin'  : {'action': 'read', 'pipe': 1}},   # Read to PIPE 1 from IVI
        {'hw_USBtin~2': {'action': 'read', 'pipe': 2}},   # Read to PIPE 2 from OBD2 port
        # Block all other CAN frames, but let frames with
        # data "\x01\x02\x03\x04\x05\x06\x07\x08" pass
        {'mod_firewall': {'white_body': [[1,2,3,4,5,6,7,8]], 'pipe': 1}},
        {'mod_firewall': {'white_body': [[1,2,3,4,5,6,7,8]], 'pipe': 2}},
        {'mod_stat': {'pipe': 1}},
        {'mod_stat': {'pipe': 2}},   # read from both pipes after filtration
        # Generate CAN frames to PIPE 3
        {'gen_ping': {'range': [1,2000], 'mode': 'CAN', 'body': '0102030405060708', 'pipe': 3}},
        # Write generated packets to both buses
        {'hw_USBtin'  : {'pipe': 3, 'action': 'write'}},
        {'hw_USBtin~2': {'pipe': 3, 'action': 'write'}}
    ]

Page 22

Example 2: CAN Gateway scan

Page 23

Example 2: CAN Gateway scan

The generated packets will be sent to both buses; then, if some of them pass the CAN gateway….

Page 24

Example 2: CAN Gateway scan

The generated packets will be sent to both buses; then, if some of them pass the CAN gateway, we will receive them on the other HW interface (mod_firewall blocks all other messages except the generated ones).

Page 25

Example 2: CAN Gateway scan

Here we can see 2 frames that pass from the first bus to the second and 1 frame that can pass from the second bus to the first. (So now we have tested the filtration based on frame ID.)

Page 26

Example 3: Replay…

How to find which frames are responsible for an action:
1. Collect traffic
2. Replay half
3. Another half
4. … (bin search)

Diagram: the door control unit on the bus ("Your commercial could be here!").

Page 27

Example 3: Replay…

    load_modules = {
        'hw_USBtin' : {'port':'auto', 'debug':1, 'speed':500},  # IO hardware module
        'gen_replay': {'debug': 1},   # Module for sniff and replay
        'mod_stat'  : {}              # Stats
    }

    # Now let's describe the logic of this test
    actions = [
        {'hw_USBtin' : {'action': 'read', 'pipe': 1}},   # Read to PIPE 1
        # We will sniff first from PIPE 1, then replay to PIPE 2
        {'gen_replay': {'pipe': 1}},
        {'hw_USBtin' : {'action': 'write', 'pipe': 2}}   # Write generated packets (pings)
    ]

Page 28

Example 3: Replay…

Enable sniff mode

Page 29

Example 3: Replay…

Unlock the door now, then disable sniff mode and lock the door again…

Page 30

Example 3: Replay…

Page 31

Example 3: Replay…

Switch gen_replay to PIPE 2 (now we want to write the sniffed frames back to the bus).

Page 32

Example 3: Replay…

Replay the first half of the frames and see if the doors get unlocked… If not, replay the other half, and continue the same way (binary search).

Page 33

Example 3: Replay…

Page 34

Example 3: Replay…

Then you can save the found frames to a file for future work.
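The bisection from steps 1-4, as an added example (constructed for this page, not gen_replay's own code): the capture is halved until a single frame triggers the simulated door, and the case where the trigger is a two-frame sequence straddling the split is handled by stopping instead of narrowing further. The frame IDs, the capture and the oracle functions are constructed assumptions.

```python
def find_responsible_frames(frames, action_observed):
    """Binary search over a captured frame list for the part that triggers the
    observed action. action_observed(subset) replays that subset on the bus and
    returns True if the action (e.g. door unlock) happened. Assumed trigger: one
    frame, or a contiguous group of frames, as in the page's door example."""
    # Step 1: the whole capture must reproduce the action, else nothing to search.
    if not action_observed(frames):
        return []
    lo, hi = 0, len(frames)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if action_observed(frames[lo:mid]):      # Step 2: replay the first half
            hi = mid
        elif action_observed(frames[mid:hi]):    # Step 3: otherwise the other half
            lo = mid
        else:
            # Neither half alone works: the trigger straddles the split (a multi-
            # frame sequence), so stop narrowing and report the current range.
            break
    return frames[lo:hi]

def door_unlock_demo():
    """Constructed capture: 40 frames of background traffic with one (hypothetical)
    door-control frame at index 27; the simulated door unlocks on ID 0x1A0, byte0 == 2."""
    capture = [(0x100 + i % 5, [i & 0xFF, 0, 0, 0, 0, 0, 0, 0]) for i in range(40)]
    capture[27] = (0x1A0, [0x02, 0, 0, 0, 0, 0, 0, 0])
    def simulated_door(subset):
        return any(fid == 0x1A0 and data[0] == 0x02 for fid, data in subset)
    return find_responsible_frames(capture, simulated_door)

def two_frame_sequence_demo():
    """Edge case: the action needs two frames (index 10 then 30); halves never hold
    both, so the search stops at the first split and returns the whole capture."""
    capture = [(0x100, [i, 0, 0, 0, 0, 0, 0, 0]) for i in range(40)]
    capture[10], capture[30] = (0x1A0, [0x0A] + [0] * 7), (0x1A0, [0x0B] + [0] * 7)
    def needs_both(subset):
        seen = [data[0] for fid, data in subset if fid == 0x1A0]
        return 0x0A in seen and 0x0B in seen
    return len(find_responsible_frames(capture, needs_both))
```

In a real run each oracle call is one gen_replay of the subset on PIPE 2 followed by a look at the door, so the number of replays is about log2 of the capture size.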

Page 35

UDS (ISO 14229-1)

Most critical result - ECU firmware update

How an attacker can get "unauthorized access":
• Session HIJACKING
• Auth. brute force
• Known seeds/keys
• Weak algorithms
• RE firmware
• Debug ports (direct memory access)
• TESTER RE

Page 36

GTA ISO 14229-1

Page 37

Example 4: UDS traffic "detection" (if you have TESTER or ISOTP traffic)

Page 38

Example 4: UDS traffic "detection" (if you have TESTER or ISOTP traffic)

Page 39

Example 4.5: UDS "Scan/Ping"

    {'gen_ping': {
        'pipe': 2,
        'range': [1790, 1794],
        'services': [
            {'service': 0x01, 'sub': 0x0d},
            {'service': 0x09, 'sub': 0x02},
            {'service': 0x2F, 'sub': 0x03, 'data': [7,3,0,0]}],
        'mode': 'UDS'}}

Then listen for the "reply" with mod_stat and do an analysis of the overall traffic.
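As an added example (not gen_ping's or mod_stat's own implementation), how a spec like the one above expands into ISO-TP single-frame UDS requests, and how the replies seen in mod_stat can be classified per responding ID. Function names are assumptions, and multi-frame ISO-TP responses are only flagged, not reassembled.

```python
# OBD-II modes 0x01-0x0A and UDS services 0x10-0x3E are requests; a positive
# response echoes the SID + 0x40; a negative response is 0x7F, SID, NRC.
NEGATIVE_RESPONSE = 0x7F

def uds_single_frame(service, sub=None, data=()):
    """Encode a request as an ISO-TP single frame: byte 0 = 0x0N (N = payload length),
    then SID, optional sub-function, data, and zero padding up to 8 bytes."""
    payload = [service] + ([sub] if sub is not None else []) + list(data)
    if len(payload) > 7:
        raise ValueError("a single frame carries at most 7 payload bytes")
    return [len(payload)] + payload + [0] * (7 - len(payload))

def gen_ping_uds(id_range, services):
    """Expand a gen_ping-style spec ('range' and 'services' as on this slide) into
    (arbitration_id, data) request frames, one per ID per service."""
    lo, hi = id_range
    return [(fid, uds_single_frame(s['service'], s.get('sub'), s.get('data', ())))
            for fid in range(lo, hi + 1) for s in services]

def parse_uds_reply(data):
    """Classify one 8-byte CAN payload. Returns (kind, sid, detail): kind is
    'positive' (detail = response bytes), 'negative' (detail = NRC), 'request',
    or 'not-single-frame' for first/consecutive/flow-control frames."""
    length = data[0] & 0x0F
    if data[0] >> 4 != 0 or not 1 <= length <= 7:
        return ('not-single-frame', None, None)
    body = list(data[1:1 + length])
    if body[0] == NEGATIVE_RESPONSE and length >= 3:
        return ('negative', body[1], body[2])
    if 0x41 <= body[0] <= 0x7E:
        return ('positive', body[0] - 0x40, body[1:])
    if 0x01 <= body[0] <= 0x3E:
        return ('request', body[0], body[1:])
    return ('unknown', body[0], body[1:])

def scan_summary(replies):
    """Group reply kinds by responding CAN ID, the view a tester wants from mod_stat:
    which IDs answered at all, and whether they answered positively."""
    summary = {}
    for fid, data in replies:
        summary.setdefault(fid, []).append(parse_uds_reply(data)[0])
    return summary
```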

Page 40

Example 5: Fuzzer (discovery, UDS, etc)

    # Load modules
    load_modules = {
        'gen_fuzz' : {},
        'hw_USBtin': {'port':'auto', 'debug':1, 'speed':500},
        'mod_stat' : {}
    }

    # Scenario
    actions = [
        # Fuzz frames with ID: 222 and 555-999. Fuzz only first byte (index 0)
        {'gen_fuzz' : {'index': [0], 'id': [222, [555, 999]], 'data': [0,0,0,0,0,0,0,0], 'delay': 0}},
        # Write generated packets
        {'hw_USBtin': {'action': 'write'}},
        # Read response
        {'hw_USBtin': {'action': 'read', 'pipe': 2}},
        {'mod_stat' : {'pipe': 2}}
    ]

Run the fuzzer and see the results:
• Brightness level of something has changed
• Blinking of something
• Got a new ID in response

Page 41

Contribution needed!!
• More tests and checks (new modules)
• New hardware support (new modules)
• New test cases and scenarios (new configs)
  - sploits, scans, validation tests
  - more people have access to more hardware (cars)
• Bug fixing
• Python3 support (currently old Python only)
  - btw, Python3 supports SocketCAN
• Refactoring

Page 42

Structure

CANToolz modules, each handling a single CANFrame in the PIPEs. The main "business logic" elements are here.

Main structures for working with CAN, ISO-TP, UDS… and the main CANToolz engine with the PIPES logic…

Examples of scenarios, describing how to connect CANToolz modules.

Page 43

Init parameters and commands

    def do_init(self, params):
        if 'save_to' in params:
            …
        self._cmdList['p'] = ["Print count of loaded packets", 0, "", self.cnt_print]
        self._cmdList['r'] = ["Replay range from loaded, from number X to number Y",
                              1, " <X>-<Y> ", self.replay_mode]

• do_init: this method is called when the module is loaded into the project
• _cmdList: list of commands that can be triggered at any time
• 0 / 1: number of parameters of the command
• "" / " <X>-<Y> ": the command's parameters format (just help)
• self.cnt_print / self.replay_mode: the actual method that is called by triggering the command

Page 44

Pre/post actions

    def do_start(self, params):
        self._i = 0
        self.do_something1(self.something)

    def do_stop(self, params):
        self._i = 0
        self.do_something2(self.something)

These methods are called just before the main loop starts, and when it is stopped.

Page 45

Main action (CAN frame handling)

    # handle message in the pipe
    def do_effect(self, can_msg, args):
        if can_msg.CANData:
            if 'black_list' in args and can_msg.CANFrame.frame_id in args.get('black_list', []):
                can_msg.CANData = False
        return can_msg

• do_effect: the main method; can_msg is the message IN, and the returned can_msg is the message OUT
• args: arguments for the current step
• CANData: flag, whether the message contains a CAN frame
• CANFrame: the CAN frame itself
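As an added example (constructed for this page, not CANToolz's own engine code), a minimal model of the PIPE loop that this do_effect contract plugs into: it runs an actions list of the same shape as the page-11 config, with a firewall implementing the black_list rule above plus the white_list and white_body rules used in Examples 1 and 2, over simulated IO modules. CANFrame, CANMsg, hw_sim and run_scenario are assumed names, and the bus traffic is constructed.

```python
from collections import namedtuple
# Constructed stand-in for CANToolz's CANMessage: arbitration ID plus data bytes.
CANFrame = namedtuple('CANFrame', 'frame_id frame_data')

class CANMsg:  # message travelling through a PIPE; CANData flags whether a frame is present
    def __init__(self, frame=None):
        self.CANFrame, self.CANData = frame, frame is not None

class mod_firewall:
    """Same do_effect contract as the slide: clear CANData for frames the rules reject."""
    def do_effect(self, can_msg, args):
        if can_msg.CANData:
            fid, body = can_msg.CANFrame.frame_id, list(can_msg.CANFrame.frame_data)
            if fid in args.get('black_list', []):
                can_msg.CANData = False
            if 'white_list' in args and fid not in args['white_list']:
                can_msg.CANData = False
            if 'white_body' in args and body not in args['white_body']:
                can_msg.CANData = False
        return can_msg

class hw_sim:
    """Simulated IO module: 'read' moves one frame from its bus into the PIPE, 'write' sends out."""
    def __init__(self, rx=()):
        self.rx, self.tx = list(rx), []
    def do_effect(self, can_msg, args):
        if args.get('action') == 'read' and self.rx:
            return CANMsg(self.rx.pop(0))
        if args.get('action') == 'write' and can_msg.CANData:
            self.tx.append(can_msg.CANFrame)
        return can_msg

def run_scenario(modules, actions, loops):
    """One main-loop iteration runs every step in order; each PIPE holds one message."""
    for _ in range(loops):
        pipes = {}
        for step in actions:
            (name, args), = step.items()
            pipe = args.get('pipe', 1)
            pipes[pipe] = modules[name].do_effect(pipes.get(pipe, CANMsg()), args)
    return modules

def mitm_firewall_demo():  # page-11 scenario over constructed traffic on buses A and B
    bus_a = hw_sim([CANFrame(1337, [0] * 8), CANFrame(0x123, [0] * 8)])
    bus_b = hw_sim([CANFrame(0x1122, [0] * 8), CANFrame(0x200, [0] * 8)])
    actions = [
        {'hw_A': {'pipe': 1, 'action': 'read'}},
        {'hw_B': {'pipe': 2, 'action': 'read'}},
        {'mod_firewall': {'pipe': 1, 'black_list': [1337, 31337]}},
        {'mod_firewall': {'pipe': 2, 'black_list': [0x1122, 0x2211]}},
        {'hw_B': {'pipe': 1, 'action': 'write'}},
        {'hw_A': {'pipe': 2, 'action': 'write'}},
    ]
    run_scenario({'hw_A': bus_a, 'hw_B': bus_b, 'mod_firewall': mod_firewall()}, actions, loops=2)
    return [f.frame_id for f in bus_b.tx], [f.frame_id for f in bus_a.tx]  # IDs forwarded per bus
```

The black-listed IDs 1337 and 0x1122 never reach the opposite bus, while 0x123 and 0x200 are forwarded, which is the filtering the page-10 diagram describes.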

Page 46

Example of module

Let's say that in Example 5 (fuzzing) we have found the frames (ID and data format) that are responsible for the dashboard panel brightness level and status. Let's create a simple module to control it via CANToolz.

ID   DATA
111  01fa000000000000 - Brightness level, from 0-255 (second byte)
111  0201000000000000 - Idle mode (second byte, 00 – idle mode)

Page 47

Example of module (code)

    from libs.module import *
    from libs.can import *
    import copy

    class mod_panel_control(CANModule):
        name = "Panel control module"
        help = """
        This module changes dashboard panel things.
        Init parameters: None
        Module parameters:
            'pipe' - integer, 1 or 2 - from which pipe to print, default 1
        """

        def do_init(self, params):
            self._active = True
            self._cmdList['1'] = ["Idle mode on", 0, "", self.turn_off]
            self._cmdList['0'] = ["Idle mode off", 0, "", self.turn_on]
            self._cmdList['b'] = ["Change brightness level (0 - 255)", 1, "<level>", self.change_level]
            self._frame = None

Page 48

Example of module (code)

        # Effect (could be fuzz operation, sniff, filter or whatever)
        def do_effect(self, can_msg, args):
            if self._frame:
                can_msg.CANFrame = copy.deepcopy(self._frame)
                can_msg.CANData = True
                self._frame = None
            return can_msg

        def turn_off(self):
            self._frame = CANMessage(111, 8, [2,0,0,0,0,0,0,0], False, CANMessage.DataFrame)

        def turn_on(self):
            self._frame = CANMessage(111, 8, [2,1,0,0,0,0,0,0], False, CANMessage.DataFrame)

        def change_level(self, level):
            b_level = int(level)
            if 0 <= b_level < 256:   # level 0 is valid too (the range is 0 - 255)
                self._frame = CANMessage(111, 8, [1,b_level,0,0,0,0,0,0], False, CANMessage.DataFrame)

Page 49

Example of module (cfg)

    # Load modules
    load_modules = {
        'mod_panel_control': {},
        'hw_USBtin': {'port':'auto', 'debug':1, 'speed':500},
    }

    # Scenario
    actions = [
        # Generate panel control frames on command (see the module's _cmdList)
        {'mod_panel_control': {}},
        # Write generated packets
        {'hw_USBtin': {'action': 'write'}}
    ]

Page 50

Example of module (control)

Page 51

Thx for contribution and help!

Sergey Kononenko @kononencheg

Boris Ryutin @dukebarman

Also to @isox_xx and all JBFC

Contributors are WELCOME!