Exploring Metasploit Hardware Bridge for Hardware and Automotive Penetration Testing

Back in 2017 Metasploit introduced the Hardware Bridge API. I only recently learnt about its existence, so I decided to give it a try. Currently I don't have real automotive hardware in my home lab for these tasks, so I decided to explore it with a virtual network and virtual devices (yeah, life sucks sometimes!).

So what's so cool about the Metasploit Hardware Bridge API? Just as Metasploit provides a framework with various tool integrations and management of the exploitation process (enumeration, exploitation, post-exploitation, etc.), the Hardware Bridge API does the same thing for hardware and physical devices.

As of now there are a few good open-source tools (cantools, caringcaribou, Scapy, etc.) aimed at automotive security testing. However, they lack proper framework support (something that Metasploit provides for software exploitation). Hence I was quite eager to try this feature of Metasploit.

In this post I will give an overview of the features the Hardware Bridge provides for automotive work. As I don't have real CAN hardware, I have set up a virtual CAN interface over which I am communicating.

Next we create a relay service on our system. This relay service exposes the API that the framework queries. If we open the URL it creates and request an API endpoint such as "/status", we get the status back as JSON:
{
  "operational": 0,
  "hw_specialty": {
    "automotive": true
  },
  "hw_capabilities": {
    "can": true,
    "custom_methods": true
  },
  "last_10_errors": {},
  "api_version": "0.0.4",
  "fw_version": "not supported",
  "hw_version": "not supported"
}
Next I created a local hardware bridge. This automatically detects any SocketCAN interfaces running on the system. As I was running a virtual CAN interface, it detected it and established a session with the CAN interface. Through the hwbridge session that opens up we interact directly with the device over the CAN bus. As the precautionary message states, "All action performed on this hardware bridge could have real world consequences", so we must be careful when working with real hardware targets.
Once connected to the hardware interface we can switch to the interactive session, where we are presented with a hwbridge console from which we can enter the other automotive/hardware commands.
As of now (16.04.2019) these are the commands available for automotive; only the CAN and CAN-ISOTP standards are supported.
It supports sending CAN packets right from the hwbridge console, so we can craft some sample CAN frames and send them to the virtual CAN bus (vcan0).
Just for verification, I issued the candump command to sniff the CAN frames.
The Hardware Bridge also has good support for UDS-related security testing. In particular, during diagnostic session control we need to keep sending TesterPresent CAN messages on the bus so that the ECU keeps the session alive, and the bridge can run this tester keep-alive as a background session.
Just for verification, I issued the candump command to sniff CAN frames again, and we can confirm it is sending tester keep-alive CAN frames to the bus.
Last but not least, it has some good post modules to run on the target via the CAN interface. I couldn't explore much of these due to the absence of a real target. We can write our own modules specific to different ECUs/TCUs using the framework.
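As an added example (my own code, not from the post or from Metasploit), the script below builds the UDS TesterPresent keep-alive frame described above and classifies single-frame UDS traffic in candump-style output, which is how you would confirm from a capture what the bridge is putting on the bus. The candump lines are constructed, and the IDs 0x7E0/0x7E8 are the conventional OBD-II physical diagnostic request/response IDs, assumed here rather than taken from the post.

```python
import re
from dataclasses import dataclass

# Constructed candump lines (not from the post); 7E0/7E8 assumed as the usual OBD-II diag request/response IDs.
SAMPLE_CANDUMP = """\
  vcan0  7E0   [8]  02 10 03 00 00 00 00 00
  vcan0  7E8   [8]  06 50 03 00 32 01 F4 00
  vcan0  7E0   [8]  02 3E 00 00 00 00 00 00
  vcan0  7E8   [8]  02 7E 00 00 00 00 00 00
  vcan0  123   [3]  11 22 33
"""
CANDUMP_RE = re.compile(r"^\s*(\w+)\s+([0-9A-Fa-f]+)\s+\[(\d+)\]\s+((?:[0-9A-Fa-f]{2}\s*)*)$")
UDS_LABELS = {0x10: "DiagnosticSessionControl request", 0x50: "DiagnosticSessionControl positive response",
              0x3E: "TesterPresent request", 0x7E: "TesterPresent positive response"}

@dataclass
class Frame:
    iface: str
    arb_id: int
    data: bytes

def parse_candump_line(line):
    """Parse one candump line into a Frame; None if malformed or the DLC disagrees with the bytes."""
    m = CANDUMP_RE.match(line)
    if not m:
        return None
    iface, arb_id, dlc, payload = m.groups()
    data = bytes.fromhex(payload.replace(" ", ""))
    return Frame(iface, int(arb_id, 16), data) if len(data) == int(dlc) else None

def build_tester_present(arb_id=0x7E0, suppress_response=False):
    """ISO-TP single frame carrying UDS TesterPresent (SID 0x3E); sub-function bit 0x80 asks the ECU not to reply."""
    pdu = bytes([0x3E, 0x80 if suppress_response else 0x00])
    return Frame("vcan0", arb_id, bytes([len(pdu)]) + pdu + b"\x00" * (7 - len(pdu)))  # padded to 8 bytes

def classify_uds(frame):
    """Label ISO-TP single-frame UDS PDUs used for session keep-alive; None for anything else."""
    d = frame.data
    if len(d) < 2 or d[0] >> 4 != 0 or not 1 <= (d[0] & 0x0F) <= len(d) - 1:
        return None  # not an ISO-TP single frame (PCI type 0 with a valid length nibble)
    label = UDS_LABELS.get(d[1])
    if d[1] == 0x3E and (d[0] & 0x0F) >= 2 and d[2] & 0x80:
        label += " (no response)"
    return label

def find_keepalives(dump):
    """(arbitration id, label) for every session-control / keep-alive UDS frame in a candump capture."""
    frames = filter(None, map(parse_candump_line, dump.splitlines()))
    return [(hex(f.arb_id), classify_uds(f)) for f in frames if classify_uds(f)]
```

Feeding real candump output from vcan0 into find_keepalives shows whether the TesterPresent frames are actually reaching the bus and, for a real ECU, whether it answers with 0x7E.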

Thanks for reading!

References
https://blog.rapid7.com/2017/02/02/exiting-the-matrix/
http://opengarages.org/hwbridge/?javascript#get-status-and-capabilities