Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Testing CAN network with help of CANToolz

5,097 views

Published on

BlackBox testing CAN/ECU, fuzzing, MitM, reverse engineering and etc.

Published in: Automotive
  • Hey guys! Who wants to chat with me? More photos with me here 👉 http://www.bit.ly/katekoxx
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Testing CAN network with help of CANToolz

  1. 1. (PEN)Testing CAN network with help of CANToolz (Yet Another CAN Hacking Tool) 23/03/2016 DCG #7812 From Berlin with Love Alexey Sintsov @asintsov
  2. 2. CAN bus, батяня. Батяня, CAN bus Defcon Russia (DCG #7812) 2 https://en.wikipedia.org/wiki/CAN_bus 120 Ohm 120 Ohm
  3. 3. CAN network Defcon Russia (DCG #7812) 3 CAN gateway/switch* * Different topology possible
  4. 4. CAN utilities… Defcon Russia (DCG #7812) 4 • http://illmatics.com/content.zip - utilites by @0xcharlie and @nudehaberdasher - A lot of cases and examples, very good and helpful • https://github.com/ericevenchick/CANard - abstract CAN lib - Abstract CAN lib, useful for creating own CAN tools (hardware independent) • https://github.com/zombieCraig/UDSim - and not only .. other tools by Craig Smith - Fuzzing, reversing and etc • Moarrrr: http://opengarages.org/index.php/Tools But why I need “Yet Another CAN Hacking Tool”?  A lot of tools and console scripts, for different tasks…, but I want to have one interface  If I want to use “combo” of those tools/tricks/tests (with minimum code-writing)?  If I want to do a MITM?  Not only for “hacking”, but testing framework (maybe useful for OEM/Vendors like validation scanner and etc)  Something module/scenario based – if I want to share readable test cases/scenarios with others I need something like BurpSuite/Metasploit for CAN Network/ECU analyses. With different modules and one interface. I want easily extend it with modules, run same modules in different “combos” and etc. So this tool I did for myself first… but if it can be useful for others – why not, finally we can help each other with contribution
  5. 5. CANToolz (concept) Defcon Russia (DCG #7812) 5 CANToolz Module 1 CANToolz Module 2 CANToolz Module 3 CANToolz framework (MITM example) You can configure modules in any order to create own “test scenario”. Hardware “independent” scenarios (just need to have IO module for your hardware) Easy to share, easy to use (for me at least, one standard interface – console, WEB API) https://github.com/eik00d/CANToolz PIPE 1 PIPE 2 Supported: • ISO-TP • UDS
  6. 6. CANToolz (concept) Defcon Russia (DCG #7812) 6 CANToolz Module 1 CANToolz Module 2 CANToolz Module 3 CANToolz framework (MITM example) Each module have IN and OUT and can handle CAN frame. These modules can be connected via any number of PIPES and perform different actions on any stage/step in the scenario. This gives flexibility and power ;) https://github.com/eik00d/CANToolz PIPE 1 PIPE 2
  7. 7. CANToolz (hardware independent*) Defcon Russia (DCG #7812) 7 https://github.com/eik00d/CANToolz USBtin - http://www.fischl.de/usbtin/ Fast CAN to USB device, support extended format CANBusTriple - https://www.canb.us/ Arduino based CAN to USB device. Support up to 3 CAN buses! These devices currently supported by the framework, but list will be extended in the future and anyone can add support for any other hardware module! Other (logical) modules are independent from hardware!
  8. 8. CANBusTriple 120 ohm Defcon Russia (DCG #7812) 8
  9. 9. USBtin 120 Ohm Defcon Russia (DCG #7812) 9
  10. 10. CANToolz (Arch) Defcon Russia (DCG #7812) 10 hw_USBtin CANToolz framework (MITM example) PIPE 1 PIPE 2 hw_CANBusTriple Step 1 mod_firewall Loop hw_USBtin read hw_USBtin write hw_CANBusTriple read hw_CANBusTriple write Step 2 Step 3 Step 4 Step 5 Step 6 mod_firewall Block CAN frames A,B,C mod_firewall Block CAN frames X,Y,Z • You can use same module on any step - shared memory, same sate
  11. 11. Config file example: Defcon Russia (DCG #7812) 11 # Load modules load_modules = { 'hw_USBtin' : ‘hw_CANBusTriple' : {'port':'auto', 'debug':1, 'speed':500}, 'mod_firewall' : {}, } # Scenario with steps actions = [ {'hw_USBtin' : {'pipe': 1, 'action': 'read'}}, {'hw_CANBusTriple': {'pipe': 2, 'action': 'read'}}, {'mod_firewall' : {'pipe': 1, 'black_list': [1337, 31337]}}, {'mod_firewall' : {'pipe': 2, 'black_list': [0x1122, 0x2211]}}, {'hw_CANBusTriple': {'pipe': 1, 'action': 'write'}}, {'hw_USBtin' : {'pipe': 2, 'action': ‘write'}} ] {'port':'auto', 'debug':1, 'speed':500},
  12. 12. CANToolz (Arch) Defcon Russia (DCG #7812) 12 hw_USBtin CANToolz framework (MITM example) PIPE 1 PIPE 2 hw_USBtin~2 Step 1 mod_firewall Loop hw_USBtin read hw_USBtin write hw_USBtin~2 hw_USBtin~2 Step 2 Step 3 Step 4 Step 5 Step 6 mod_firewall Block CAN frames A,B,C mod_firewall Block CAN frames X,Y,Z • You can use module as different instances - not shared memory and state
  13. 13. Defcon Russia (DCG #7812) 13 # Load modules load_modules = { 'hw_USBtin' :, ‘hw_USBtin~2' : , 'mod_firewall' : {}, } # Scenario with steps actions = [ {'hw_USBtin' : {'pipe': 1, 'action': 'read'}}, {'hw_USBtin~2': {'pipe': 2, 'action': 'read'}}, {'mod_firewall' : {'pipe': 1, 'black_list': [1337, 31337]}}, {'mod_firewall' : {'pipe': 2, 'black_list': [0x1122, 0x2211]}}, {'hw_USBtin~2': {'pipe': 1, 'action': 'write'}}, {'hw_USBtin' : {'pipe': 2, 'action': ‘write'}} ] Config file example: {'port':'auto', 'debug':1, 'speed':500}, {'port':'auto', 'debug':1, 'speed':500, ‘bus':62},
  14. 14. CANToolz (Arch) Defcon Russia (DCG #7812) 14 hw_CANBUS Triple CANToolz framework (MITM example) PIPE 1 Step 1mod_firewall Loop hw_CANBUSTriple hw_CANBUSTriple Step 2 Step 3 mod_firewall Block CAN frames A,B,C,X,Y,Zl • CANBusTriple device support up to 3 buses!
  15. 15. Defcon Russia (DCG #7812) 15 # Load modules load_modules = { 'hw_CANBUSTriple': {'bus_1': 1, 'bus_2': 2}, # Init parameters 'mod_firewall' : {}, } # Scenario with steps actions = [ {'hw_CANBUSTriple' : {'pipe': 1, 'action': 'read'}}, {'mod_firewall' : {'pipe': 1, 'black_list': [1337, 31337, 0x1122, 0x2211]}}, {'hw_CANBUSTriple' : {'pipe': 1, 'action': ‘write'}} ] Config file example:
  16. 16. Example 1: MITM/Firewall Defcon Russia (DCG #7812) 16 Which CAN frames responsible for action? Unlock doors… CAN bus term. 120 Ohm! or
  17. 17. Example 1: MITM/Firewall Defcon Russia (DCG #7812) 17 # Load modules load_modules = { 'mod_firewall' : {}, 'mod_stat' : {}, 'hw_USBtin' : {'port':'auto', 'debug':1, 'speed':500}, 'hw_USBtin~2' : {'port':'auto', 'debug':1, 'speed':500,'bus':62} } # Scenario actions = [ {'hw_USBtin' : {'action':'read'}}, {'mod_firewall' : {‘white_list':[1337]}}, {'hw_USBtin~2' : {'action':'read', 'pipe':2}}, {'mod_stat': {'pipe': 1}}, {'mod_stat': {'pipe': 2}}, {'hw_USBtin' : {'action':'write','pipe':2}}, {'hw_USBtin~2' : {'action':'write'}} ]
  18. 18. Example 1: MITM/Firewall Defcon Russia (DCG #7812) 18
  19. 19. Example 1: MITM/Firewall Defcon Russia (DCG #7812) 19 black_body [[0,0x11,0x22,0x33]]
  20. 20. Example 2: CAN Gateway scan Defcon Russia (DCG #7812) 20 • Which frames will be blocked • Which frames can be passed?
  21. 21. Example 2: CAN Gateway scan Defcon Russia (DCG #7812) 21 # Load needed modules load_modules = { # IO hardware module connected to first BUS (IVI) 'hw_USBtin': {'port':'auto', 'debug':1, 'speed':500}, # IO hardware module (connected to OBD2) 'hw_USBtin~2': {'port':'auto', 'debug':1, 'speed':500, 'bus': 62 }, 'gen_ping' : {}, # Generator/Ping 'mod_firewall': {}, # We need firewall to block all other packets 'mod_stat': {} # Mod stat to see results } actions = [ {'hw_USBtin': {'action': 'read','pipe': 1}}, # Read to PIPE 1 from IVI {'hw_USBtin~2': {'action': 'read','pipe': 2}}, # Read to PIPE 2 from OBD2 port # Block all other CAN frames, but let frames with # data "x01x02x03x04x05x06x07x08" pass {'mod_firewall': {'white_body':[[1,2,3,4,5,6,7,8]],'pipe': 1}}, {'mod_firewall': {'white_body':[[1,2,3,4,5,6,7,8]], 'pipe': 2}}, {'mod_stat': {'pipe': 1}}, {'mod_stat': {'pipe': 2}}, # read from both pipes after filtration {'gen_ping': {'range': [1,2000],'mode':'CAN','body':'0102030405060708','pipe':3}}, # Generate CAN frames to PIPE 3 {'hw_USBtin': {'pipe': 3, 'action': 'write'}},# Write generated packets to both buses {'hw_USBtin~2': {'pipe': 3, 'action': 'write'}} ]
  22. 22. Example 2: CAN Gateway scan Defcon Russia (DCG #7812) 22
  23. 23. Example 2: CAN Gateway scan Defcon Russia (DCG #7812) 23 Generated packets will be sent to both BUSes, then if some of them pass CAN Gateway….
  24. 24. Example 2: CAN Gateway scan Defcon Russia (DCG #7812) 24 Generated packets will be sent to both BUSes, then if some of them pass CAN Gateway, we will receive it on other HW Interface (mod_firewall will block all other messages except generated) … we will receive passed frames on other HW interface (mod_firewall will block all other messages except generated)
  25. 25. Example 2: CAN Gateway scan Defcon Russia (DCG #7812) 25 Generated packets will be sent to both BUSes, then if some of them pass CAN Gateway, we will receive it on other HW Interface (mod_firewall will block all other messages except generated) There we can see 2 frames passes from First bus to Second and 1 frame that can pass from Second bus to first. (so now we have tested filtration based on frame ID)
  26. 26. Example 3: Replay… Defcon Russia (DCG #7812) 26 1. Collect traffic 2. Replay half 3. Another half 4. … (bin search) How to find which frames and are responsible for action You commercial could be here! Door control
  27. 27. Example 3: Replay… Defcon Russia (DCG #7812) 27 load_modules = { 'hw_USBtin': {'port':'auto', 'debug':1, 'speed':500}, # IO hardware module 'gen_replay': {'debug': 1}, # Module for sniff and replay 'mod_stat': {} # Stats } # Now let's describe the logic of this test actions = [ {'hw_USBtin': {'action': 'read','pipe': 1}}, # Read to PIPE 1 # We will sniff first from PIPE 1, then replay to PIPE 2 {'gen_replay': {'pipe': 1}}, {'hw_USBtin': {'action':'write','pipe': 2}} # Write generated packets (pings) ]
  28. 28. Example 3: Replay… Defcon Russia (DCG #7812) 28 Enable sniff mode
  29. 29. Example 3: Replay… Defcon Russia (DCG #7812) 29 Unlock door now and then disable sniff mode and lock door again…
  30. 30. Example 3: Replay… Defcon Russia (DCG #7812) 30
  31. 31. Example 3: Replay… Defcon Russia (DCG #7812) 31 Switch gen_replay to PIPE 2. (now we want to write sniffed frames back to the BUS)
  32. 32. Example 3: Replay… Defcon Russia (DCG #7812) 32 Replay first half of frames and see if doors will be unlocked… If not, then replay other half and continue same way (binary search)
  33. 33. Example 3: Replay… Defcon Russia (DCG #7812) 33 Replay first half of frames and see if doors will be unlocked… If not, then replay other half and continue same way (binary search)
  34. 34. Example 3: Replay… Defcon Russia (DCG #7812) 34 Than you can save found frames to file for future work
  35. 35. UDS Defcon Russia (DCG #7812) 35 ISO 14229-1 Most critical result - ECU firmware update • Session HIJACKING • Auth. brute force • Known seeds/keys • Weak algorithms How an attacker can get “unauthorized access” • RE firmware • Debug ports (direct memory access) • TESTER RE
  36. 36. GTA Defcon Russia (DCG #7812) 36 ISO 14229-1
  37. 37. Example 4: UDS traffic “detection” Defcon Russia (DCG #7812) 37 (if u have TESTER or ISOTP traffic)
  38. 38. Example 4: UDS traffic “detection” Defcon Russia (DCG #7812) 38 (if u have TESTER or ISOTP traffic)
  39. 39. Example 4.5: UDS “Scan/Ping” Defcon Russia (DCG #7812) 39 {'gen_ping' : { 'pipe':2, 'range': [1790, 1794], 'services':[ {'service':0x01, 'sub':0x0d}, {'service':0x09, 'sub':0x02}, {'service':0x2F, 'sub':0x03, 'data':[7,3,0,0]}], 'mode':'UDS'} Then listen “replay” with mod_stat and do anlysis of overall traffic
  40. 40. # Load modules load_modules = { 'gen_fuzz': {}, 'hw_USBtin' : {'port':'auto', 'debug':1, 'speed':500}, 'mod_stat': {} } # Scenario actions = [ # Fizz frames with ID: 222 and 555-999. Fuzz only first byte (index 0) {'gen_fuzz' : {'index':[0],'id': [222,[555,999]], 'data': [0,0,0,0,0,0,0,0] 'delay': 0}}, # Write generated packets {'hw_USBtin' : {'action':'write'}}, # Read response {'hw_USBtin' : {'action':'read', 'pipe': 2}}, {'mod_stat': {'pipe': 2}} ] Example 5: Fuzzer (discovery, UDS, etc) Defcon Russia (DCG #7812) 40 Run fuzzer and see results: • Brightness level of something have been changed something • Blinking of something • Got new ID in response
  41. 41. Contribution needed!! Defcon Russia (DCG #7812) 41 • More tests and checks (new modules) • New hardware support (new modules) • Net tests cases and scenarios (new configs) - sploits, scans, validation test - more ppl, have access to more hardware (cars) • Bugs fixing • Python3 support ( currently old Python only) - btw, Python3 supports SocketCAN • Refactoring
  42. 42. Structure Defcon Russia (DCG #7812) 42 CANToolz modules, handling single CANFrame in PIPEs. Main “business logic” elements are here. Main structures, to works with CAN, ISO-TP, UDS… and main CANToolz Engine with PIPES logic… Examples of scenarios – describes how to connect CANToolz modules
  43. 43. Init parameters and commands Defcon Russia (DCG #7812) 43 def do_init(self, params): if 'save_to' in params: … self._cmdList['p'] = ["Print count of loaded packets", 0, "", self.cnt_print] self._cmdList['r'] = ["Replay range from loaded, from number X to number Y", 1, " <X>-<Y> ", self.replay_mode] This method will be called when module loaded into the project list of commands that can be triggered any time Number of parameters of command Command’s parameters format (just help) Actual method that will be called by triggering the command
  44. 44. Pre/post actions Defcon Russia (DCG #7812) 44 def do_start(self, params): self._i = 0 self.do_something1(self.something) def do_stop(self, params): self._i = 0 self.do_something2(self.something) This methods will be called just before main loop started, and when it will stooped
  45. 45. # handle message in the pipe def do_effect(self, can_msg, args): if can_msg.CANData: if 'black_list' in args and can_msg.CANFrame.frame_id in args.get('black_list', []): can_msg.CANData = False return can_msg Main action (CAN frame handling) Defcon Russia (DCG #7812) 45 Main method Message OUT Arguments for current step Flag, if message contains CAN frame CAN Frame Message IN
  46. 46. Example of module Defcon Russia (DCG #7812) 46 Let’s say that on Example 5 (fuzzing) we have found Frames (ID and data format) that are responsible for Dashboard panel brightness level and status. Let’s create a simple module to control it via CANToolz. ID DATA 111 01fa000000000000 - Brightness level, form 0-255 (second byte) 111 0201000000000000 - Idle mode (second byte, 00 – idle mode)
  47. 47. Example of module(code) Defcon Russia (DCG #7812) 47 from libs.module import * from libs.can import * import copy class mod_panel_control(CANModule): name = "Panel control module" help = """ This module change dahsboard panel things. Init parameters: None Module parameters: 'pipe' - integer, 1 or 2 - from which pipe to print, default 1 """ def do_init(self, params): self._active = True self._cmdList['1'] = ["Idle mode on", 0, "", self.turn_off] self._cmdList['0'] = ["Idle mode off", 0, "", self.turn_on] self._cmdList['b'] = ["Change brightness level (0 - 255)", 1, "<level>", self.change_level] self._frame = None
  48. 48. Example of module(code) Defcon Russia (DCG #7812) 48 # Effect (could be fuzz operation, sniff, filter or whatever) def do_effect(self, can_msg, args): if self._frame: can_msg.CANFrame = copy.deepcopy(self._frame) can_msg.CANData = True self._frame = None return can_msg def turn_off(self): self._frame = CANMessage(111,8,[2,0,0,0,0,0,0,0], False, CANMessage.DataFrame) def turn_on(self): self._frame = CANMessage(111,8,[2,1,0,0,0,0,0,0], False, CANMessage.DataFrame) def change_level(self, level): b_level = int(level) if 0 < b_level < 256: self._frame = CANMessage(111,8,[1,b_level,0,0,0,0,0,0], False, CANMessage.DataFrame)
  49. 49. Example of module(cfg) Defcon Russia (DCG #7812) 49 # Load modules load_modules = { 'mod_panel_control': {}, 'hw_USBtin' : {'port':'auto', 'debug':1, 'speed':500}, } # Scenario actions = [ # Fizz frames with ID: 222 and 555-999. Fuzz only first byte (index 0) {'mod_panel_control' : {}}, # Write generated packets {'hw_USBtin' : {'action':'write'}} ]
  50. 50. Example of module(control) Defcon Russia (DCG #7812) 50
  51. 51. Thx for contribution and help! Defcon Russia (DCG #7812) 51 Sergey Kononenko @kononencheg Boris Ryutin @dukebarman Also to @isox_xx and all JBFC Contributors are WELCOME!

×