Module to Probe Different Data Points in a CAN Packet - Metasploit
This page contains detailed information about how to use the post/hardware/automotive/canprobe metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Module to Probe Different Data Points in a CAN Packet
Module: post/hardware/automotive/canprobe
Source code: modules/post/hardware/automotive/canprobe.rb
Disclosure date: -
Last modification time: 2017-07-24 06:26:21 +0000
Supported architecture(s): -
Supported platform(s): Hardware
Target service / protocol: -
Target network port(s): -
List of CVEs: -
Scans between two CAN IDs and writes data at each byte position. It will either write a set byte value (Default 0xFF) or iterate through all possible values of that byte position (takes much longer). Does not check for responses and is basically a simple blind fuzzer.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/hardware/automotive/canprobe
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/hardware/automotive/canprobe
msf post(canprobe) > show options
... show and set options ...
msf post(canprobe) > set SESSION session-id
msf post(canprobe) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
framework.sessions.each_pair do |sid, session|
run_single("use post/hardware/automotive/canprobe")
run_single("set SESSION #{sid}")
run_single("run")
end
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Knowledge Base
A basic fuzzer for CAN IDs. It can scan through CAN IDs and probes each data section with a set value. The defualt is 0xFF. It can also iterate through all the possible values for each byte as well. It has no concept of what is going on and makes no attempt to check for return packets.
Options
STARTID
The CAN ID to start your scan from.
STOPID
The CAN ID to stop the CAN scan. If no STOPID is specified it will only scan one ID (STARTID).
FUZZ
If true the data segment will iterate through all possiblities (0-255).
PROBEVALUE
The value to put at each data segment. The default is 0xFF. When Fuzz is enabled this value is ignored.
PADDING
If you need to pad out the packet to be 8 packets for each request you can set this value to something between 0-255.
CANBUS
The bus to scan. See 'supported_buses' for a list of available buses.
Scenarios
To quickly test how a vehicle or ECU reacts to random data throughout the packet. For instance, you have identified some door controls using a certain CAN ID. By probing the other values you can often identify other door related functions.
Note: This is not a scanner. You would not want to run this against all the IDs in a car and expect (good) results.
hwbridge > run post/hardware/automotive/canprobe CANBUS=can0 STARTID=0x320 fuzz=true
[*] Probing 0x320...
[*] Probe Complete
Go back to menu.
Msfconsole Usage
Here is how the hardware/automotive/canprobe post exploitation module looks in the msfconsole:
msf6 > use post/hardware/automotive/canprobe
msf6 post(hardware/automotive/canprobe) > show info
Name: Module to Probe Different Data Points in a CAN Packet
Module: post/hardware/automotive/canprobe
Platform: Hardware
Arch:
Rank: Normal
Provided by:
Craig Smith
Compatible session types:
Hwbridge
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CANBUS no CAN Bus to perform scan on, defaults to connected bus
FUZZ false no If true interates through all possible values for each data position
PADDING no If a value is given a full 8 bytes will be used and padded with this value
PROBEVALUE 255 no Value to inject in the data stream
SESSION yes The session to run this module on.
STARTID 768 no CAN ID to start scan
STOPID no CAN ID to stop scan
Description:
Scans between two CAN IDs and writes data at each byte position. It
will either write a set byte value (Default 0xFF) or iterate through
all possible values of that byte position (takes much longer). Does
not check for responses and is basically a simple blind fuzzer.
Module Options
This is a complete list of options available in the hardware/automotive/canprobe post exploitation module:
msf6 post(hardware/automotive/canprobe) > show options
Module options (post/hardware/automotive/canprobe):
Name Current Setting Required Description
---- --------------- -------- -----------
CANBUS no CAN Bus to perform scan on, defaults to connected bus
FUZZ false no If true interates through all possible values for each data position
PADDING no If a value is given a full 8 bytes will be used and padded with this value
PROBEVALUE 255 no Value to inject in the data stream
SESSION yes The session to run this module on.
STARTID 768 no CAN ID to start scan
STOPID no CAN ID to stop scan
Advanced Options
Here is a complete list of advanced options supported by the hardware/automotive/canprobe post exploitation module:
msf6 post(hardware/automotive/canprobe) > show advanced
Module advanced options (post/hardware/automotive/canprobe):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the hardware/automotive/canprobe module can do:
msf6 post(hardware/automotive/canprobe) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the hardware/automotive/canprobe post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(hardware/automotive/canprobe) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
The hwbridge requires a functional automotive extention
Here is a relevant code snippet related to the "The hwbridge requires a functional automotive extention" error message:
29: ])
30: end
31:
32: def run
33: unless client.automotive
34: print_error("The hwbridge requires a functional automotive extention")
35: return
36: end
37: stopid = datastore['STARTID']
38: stopid = datastore['STOPID'] unless datastore['STOPID'].nil?
39: data = "%02X" % datastore['PROBEVALUE']
Go back to menu.
Related Pull Requests
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8332 Merged Pull Request: Canprobe Module
Go back to menu.
See Also
Check also the following modules related to this module:
- post/hardware/automotive/can_flood
- post/hardware/automotive/diagnostic_state
- post/hardware/automotive/ecu_hard_reset
- post/hardware/automotive/getvinfo
- post/hardware/automotive/identifymodules
- post/hardware/automotive/malibu_overheat
- post/hardware/automotive/mazda_ic_mover
- post/hardware/automotive/pdt
Authors
- Craig Smith
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.