
Exploring Metasploit Hardware Bridge for Hardware and Automotive Penetration Testing

Back in 2017 Metasploit introduced the Hardware Bridge API. I only recently learnt of its existence, so I decided to give it a try. Currently I don't have real automotive hardware in my home lab for these tasks, so I decided to explore with a virtual CAN network and devices (yeah, life sucks sometimes!).

So what's so cool about the Metasploit Hardware Bridge API? Just as Metasploit provides a framework with various tool integrations and management of the exploitation process (enumeration, exploitation, post-exploitation, etc.), the Hardware Bridge API does the same for hardware and physical devices.

As of now there are a few good open-source tools (cantools, caringcaribou, scapy, etc.) for automotive security testing. However, they lack proper framework support (something Metasploit provides for software exploitation). Hence I was quite eager to try this feature of Metasploit.

In this post I will give an overview of the features Hardware Bridge provides for automotive work. As I don't have real CAN hardware, I have set up a virtual CAN interface over which I am communicating.

Next we create a relay service on our system. This relay service is used to query the API. If we access the URL that is created and request an API endpoint such as "/status", we get JSON describing the bridge's status and capabilities:
{
  "operational": 0,
  "hw_specialty": {
    "automotive": true
  },
  "hw_capabilities": {
    "can": true,
    "custom_methods": true
  },
  "last_10_errors": {},
  "api_version": "0.0.4",
  "fw_version": "not supported",
  "hw_version": "not supported"
}
Next I created a local hardware bridge. This automatically detects any SocketCAN interfaces running on the system. As I was running a virtual CAN interface, it detected it and established a session with the CAN interface. Through the hw_bridge session that opens, we interact directly with the device over the CAN bus. As the precautionary message states, "All action performed on this hardware bridge could have real world consequences", so we must be careful when working with real hardware targets.
Once connected to the hardware interface we can switch to the interactive session, which presents a hwbridge console from which we can enter the other automotive/hardware commands.
As of now (16.04.2019) these are the commands available for automotive work; only the CAN and CAN-ISOTP standards are supported.
It supports sending CAN packets right from the hwbridge console, so we can craft some sample CAN frames and send them to the virtual CAN bus (vcan0).
Just for verification, I ran candump to sniff the CAN frames.
The Hardware Bridge also has good support for UDS-related security testing. In particular, during a diagnostic session control the ECU only keeps the session alive if we keep sending TesterPresent CAN messages on the bus. It also has the feature to run the tester session as a background session.
Just for verification, I ran candump again to sniff the CAN frames, and we can confirm it is sending tester keep-alive CAN frames to the bus.
Last but not least, it has some good post modules to run on the target via the CAN interface. I couldn't explore much of these due to the absence of a real target. We can also write our own modules specific to different ECUs/TCUs using the framework.
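To make the "craft a frame, send it, verify with candump" loop concrete, here is an added example in Python; it is not code from the original post or from Metasploit. It packs classic CAN frames in the raw struct can_frame layout that SocketCAN expects (the same kernel interface the hwbridge session talks to), parses candump's default text output so the sniffed lines can be checked against what was sent, and can write frames to an interface. It assumes a Linux host where vcan0 already exists (modprobe vcan; ip link add dev vcan0 type vcan; ip link set up vcan0); the candump lines below are constructed, not captured from the author's setup.

```python
"""Build, send and parse classic CAN frames on a SocketCAN interface.

Added example (not from the original post or from Metasploit). Assumes a
Linux host with a vcan0 interface; the SAMPLE_CANDUMP lines are constructed.
"""
import socket
import struct
from typing import List, Tuple

# struct can_frame: u32 can_id, u8 len, 3 pad bytes, u8 data[8]  (16 bytes)
CAN_FRAME_FMT = "=IB3x8s"
CAN_FRAME_SIZE = struct.calcsize(CAN_FRAME_FMT)
CAN_EFF_FLAG = 0x80000000   # set in can_id for 29-bit extended identifiers
CAN_SFF_MASK = 0x7FF
CAN_EFF_MASK = 0x1FFFFFFF


def pack_frame(can_id: int, data: bytes, extended: bool = False) -> bytes:
    """Serialise one classic CAN frame; payload is 0..8 bytes, zero padded."""
    if not 0 <= len(data) <= 8:
        raise ValueError("classic CAN payload must be 0-8 bytes")
    if extended:
        if can_id > CAN_EFF_MASK:
            raise ValueError("29-bit identifier out of range")
        can_id |= CAN_EFF_FLAG
    elif can_id > CAN_SFF_MASK:
        raise ValueError("11-bit identifier out of range")
    return struct.pack(CAN_FRAME_FMT, can_id, len(data), data.ljust(8, b"\x00"))


def unpack_frame(raw: bytes) -> Tuple[int, bytes]:
    """Inverse of pack_frame: returns (identifier without flag bits, payload)."""
    can_id, dlc, payload = struct.unpack(CAN_FRAME_FMT, raw[:CAN_FRAME_SIZE])
    mask = CAN_EFF_MASK if can_id & CAN_EFF_FLAG else CAN_SFF_MASK
    return can_id & mask, payload[:dlc]


def parse_candump_line(line: str) -> Tuple[str, int, bytes]:
    """Parse one line of candump's default output, e.g.
    '  vcan0  7DF   [8]  02 10 03 00 00 00 00 00' -> ('vcan0', 0x7DF, payload)."""
    parts = line.split()
    iface, can_id, dlc = parts[0], int(parts[1], 16), int(parts[2].strip("[]"))
    payload = bytes(int(b, 16) for b in parts[3:3 + dlc])
    if len(payload) != dlc:
        raise ValueError(f"DLC {dlc} does not match payload on: {line!r}")
    return iface, can_id, payload


def frames_from_candump(text: str) -> List[Tuple[int, bytes]]:
    """Turn a candump capture into (id, payload) pairs for comparison."""
    return [(cid, data)
            for _, cid, data in (parse_candump_line(l) for l in text.splitlines() if l.strip())]


def send_frames(iface: str, frames: List[Tuple[int, bytes]]) -> int:
    """Write frames to a SocketCAN interface (Linux only); returns count sent."""
    sock = socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW)
    try:
        sock.bind((iface,))
        for can_id, data in frames:
            sock.send(pack_frame(can_id, data))
    finally:
        sock.close()
    return len(frames)


# Constructed candump capture: a diagnostic session request and the ECU's reply.
SAMPLE_CANDUMP = """\
  vcan0  7DF   [8]  02 10 03 00 00 00 00 00
  vcan0  7E8   [8]  06 50 03 00 32 01 F4 00
"""

if __name__ == "__main__":
    # Round-trip every sniffed frame through the kernel layout and back.
    for cid, data in frames_from_candump(SAMPLE_CANDUMP):
        raw = pack_frame(cid, data)
        assert unpack_frame(raw) == (cid, data)
        print(f"{cid:03X} {data.hex()} -> {raw.hex()}")
```

Run candump vcan0 in one terminal and call send_frames("vcan0", frames_from_candump(SAMPLE_CANDUMP)) in another; the lines candump prints should parse back to exactly the pairs you sent, which is the same check the post performs by eye.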

Thanks for reading !

References
https://blog.rapid7.com/2017/02/02/exiting-the-matrix/
http://opengarages.org/hwbridge/?javascript#get-status-and-capabilities
