Ngak Ngik Nguk: 2023

Jumat, 15 Desember 2023

Thank You.

Hello,

How are you doing? I am using this opportunity to inform you that the business that we both are working on before has been finally concluded with the assistance of another partner from Iceland who financed the transaction to a logical conclusion.

Contact Mr. Lorenzo Email: (bengatlorenzo@gmail.com) and ask him for the for the draft (3,750.000 USD)I left for you.

Meamwhile, you should send him your Name and telephone number/your mailing address where you want him to send the bank Draft in appreciation for your help.

Thanks for your past effort.

Regards,
Mrs. Precious Mph

Jumat, 30 Juni 2023

Please Confirm!

Hello,

I'm Dr. Bengat. I wish to urgently confirm from you if actually you know one Mrs. Jeanne White who claims to be your business associate/partner.

Kindly reconfirm this application put in by Mrs. Jeanne White - she submitted the under-listed bank account information supposedly sent by you to receive the funds on your behalf.

The bank information she applied with are stated thus:

Account Name: Mrs. Jeanne White
Bank name: Citi Bank NA
Bank address: #1230 Arch Street, Philadelphia, PA 19107, USA
Account Number: 013439887655
Routing Number: 2771722
Swift Code: CITIUS30

The said Mrs. Jeanne White is claiming to this office that you are dead and have Instructed that all relevant documentation/Information regarding your Payment/Transfer, be changed to her as the beneficiary of the payment short-listed among the foreign beneficiaries entitled to receive their payment.

For your Information, this Government has approved the total amount of EIGHT MILLION, FIVE HUNDRED THOUSAND UNITED STATES DOLLARS ONLY, in your favor, prior to the Federal Government instructions/mandate to offset all outstanding payments to the various legal foreign beneficiaries. We need to confirm from you if it's really true that you are dead as mentioned by your Associate.

You should note that, if we do not hear from you, we automatically assume that you are actually dead and the information passed to us by Mrs. Jeanne White is correct. Hence, you are hereby requested to reply to this Email immediately for confirmation, before we proceed with this payment and for us to know the true position of things with you so that we won't make any mistakes/errors in remitting your out-standing payment to a wrong person/account.

Lastly, you are advised to reply back to this email and reconfirm the details of this message if truly you're alive.

Full name................................
Direct telephone number.........
Address....................................
Age...........................................

Your quick response will help us a lot ( lorenzobengat@aliyun.com )

Yours, Sincerely,
Dr. L. Bengat

Selasa, 06 Juni 2023

Hackerhubb.blogspot.com

More information

Senin, 05 Juni 2023

Hacking All The Cars - Part 1

A step by step lab based mini course on analyzing your car network

I wanted to learn about hacking cars. As usual I searched around the internet and didn't find any comprehensive resources on how to do this, just bits and pieces of the same info over and over which is frustrating. I am not a car hacking expert, I just like to hack stuff. This mini course will run in a fully simulated lab environment available from open garages, which means in 5 minutes from now you can follow along and hack cars without ever bricking your girlfriends car. Since you obviously wouldn't attack your own Lambo, totally use your girlfriends Prius.

Below are the topics covered in this blog series so you can decide if you want to read further:

Whats covered in this car hacking mini course:

Setting up Virtual Environments for testing

Sniffing CAN Traffic

Parsing CAN Traffic

Reverse Engineering CAN IDs

Denial of service attacks

Replaying/Injecting Traffic

Coding your own CAN Socket Tools in python

Targeted attacks against your cars components

Transitioning this to attacking a real car with hardware

The first thing we are going to do before we get into any car hacking specifics such as "WTF is CAN?", is get your lab up and running. We are going to run a simple simulated CAN Bus network which controls various features of your simulated car. Its better to learn by doing then sit here and recite a bunch of car network lingo at you and hope you remember it.

I also don't want you to buy a bunch of hardware and jack into your real car right away. Instead there are options that can get you started hacking cars RIGHT NOW by following along with this tutorial. This will also serve to take away the fear of hacking your actual car by understanding what your doing first.

Video Playlist:

Setting up your Lab:

First things first, set yourself up with an Ubuntu VMware install, and load it up. Optionally you could use a Kali Iinux VM, however, that thing drives me nuts with copy paste issues and I think Kayak was giving me install problems. So support is on you if you would like to use Kali. However, I do know Kali will work fine with OpenGarages virtual car.. So feel free to use it for that if you have it handy and want to get started right away.

Install PreReq Libraries:

Once you load this up you are going to want to install CAN utilities and pre-requisite libraries. This is really easy to do with the following Apt-get commands:

sudo apt-get update

sudo apt-get install libsdl2-dev libsdl2-image-dev can-utils

Then we are going to pull down the ICSimulator repo:

git clone https://github.com/zombieCraig/ICSim.git

Starting the simulator:

Once this is done we can startup the simulator by changing directories to the downloaded repo and running the following 2 commands, which will setup a virtual CAN interface and a simulator GUI Cluster:

Run the setup Script to get the vcan0 interface up:

root@kali:~/ICSim# ./setup_vcan.sh

root@kali:~/ICSim# ./icsim vcan0

On a new terminal tab we will open up our simulators controller with the following command,

root@kali:~/ICSim#./controls vcan0

Note: that the controller must be the in-focus GUI screen to send keyboard commands to the simulator.

How to Use the Simulator:

The simulator has a speedometer with Right and Left turn signals, doors etc. Below are the list of commands to control the simulator when the Control panel is in focus. Give them each a try and note the changes to the simulator.

Up and Down keys control the gauges clusters speedometer

Left and Right keys Control the Blinkers

Right Shift + X, A or B open doors

Left Shift + X, A or be Close doors

Try a few of the above commands for example Right Shift +X and you will see the interface change like so, notice the open door graphic:

Awesome, thanks to OpenGarages you now you have your very own car to hack

Notice in the setup commands above we used a VCan0 interface. Run Ifconfig and you will now see that you indeed have a new network interface that speaks to the CAN network over VCan0.

ficti0n@ubuntu:~/Desktop/ICSim$ ifconfig vcan0

vcan0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00

UP RUNNING NOARP MTU:16 Metric:1

RX packets:558904 errors:0 dropped:0 overruns:0 frame:0

TX packets:558904 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1

RX bytes:3663935 (3.6 MB) TX bytes:3663935 (3.6 MB)

Car networks run on a variety of protocols most prevalent being CAN. You can think of a CAN Bus like an old school networking hub where everyone can see everyone elses traffic. This is true to some extent although you may not see all of the cars traffic if its not connected to that particular bus your plugged into. You can think of CAN traffic kind of like UDP in that its send and forget, the main difference being parts of the CAN bus network don't actually have addresses and everything runs off arbitration IDs and priorities. Thats enough background to get you doing rather then reading.

With a little knowledge out of the way lets check if we can see our CAN traffic from our virtual car via the CanDump utility, which you installed as part of CanUtils package above. Using the following command on the vcan0 interface our simulator uses you can view a stream of traffic:

ficti0n@ubuntu:~/Desktop/ICSim$ candump vcan0

Above we can see a bunch of CAN frames, and if we perform actions on the vehicle we will see changes to data values in the CanDump output. However this may happen very fast, and we may not be able to see if for example we unlocked our simulators door. This is because things are changing constantly in the cars IDLE state. One single value changing may not stand out enough for us to take notice or may scroll so fast we cant see it.

Capture and Replay CAN Actions:

One option would be to perform an action and replay it, we should see the actions happen again in the replay if the traffic for the action we recorded is on the same bus network our device is plugged into. There are loads of networks within a car and its not guaranteed our network tap for example an OBD2 port plugin is connected to the same network as door we opened. Or the door may not be connected to the network at all depending on your car and its age or how its configured.

Replaying dumps with CanPlayer:

Another useful tool included with CanUtils package is CanPlayer for replaying traffic. If the functionality we are trying to capture is on the same Bus as the adaptor plugged into the car, or in this case our Virtual CAN interface, we can use CanDump to save traffic to a file. We then use CanPlayer to replay the traffic on the network. For example lets run CanDump and open a door and then replay the functionality with CanPlayer.

Lab 1 Steps:

Run CanDump
Right Shift + X to open a door
Cancel CanDump (ctrl+c)
Left Shift + X to close the door
Run can player with the saved dump and it will replay the traffic and open the door

Recording the door opening: (-l for logging)

ficti0n@ubuntu:~/Desktop/ICSim$ candump -l vcan0

Replaying the CanDump file: (use the file your can dump created)

ficti0n@ubuntu:~/Desktop/ICSim$ canplayer -I candump-2018-04-06_154441.log

Nice, so if all went well you should see that your door is now open again. If this did not happen when attacking a real car, just try to replay it again. CAN networks are not like TCP/IP, they are more like UDP in that you send out your request and its not expecting a response. So if it gets lost then it gets lost and you have to resend. Perhaps something with higher priority on the network was sending at the time of your replay and your traffic was overshadowed by it.

Interacting with the Can Bus and Reversing Traffic:

So thats cool, but what about actually understanding what is going on with this traffic, CanDump is not very useful for this, is scrolls by to quickly for us to learn much from. Instead we can use CanSniffer with colorized output to show us the bytes within packets that change. Below is an example of CanSniffer Traffic:

To startup can sniffer run the following:

ficti0n@ubuntu:~/Desktop/ICSim$ cansniffer -c vcan0

You will see 3 fields, Time, ID and Data. Its pretty easy to figure out what these are based on thier name. The most important part for our usage in this blog are the ID and the Data fields.

The ID field is the frame ID which is loosely associated with the device on the network which is effected by the frame being sent. The ID to also determines the priority of the frame on the network. The lower the number of the CAN-ID the higher priority it has on the network and more likely it will be handled first. The data field is the data being sent to change some parameter like unlocking a door or updating output. You will notice that some of the bytes are highlighted RED. The values in red are the values that are changing during the idle state you are currently in.

Determine which ID and Byte controls the throttle:

So with the terminal sniffing window open put the simulator and the controller into the foreground, with the controller being the window you have clicked and selected. Pay attention to the CanSniffer output while hitting the UP ARROW and look for a value that was white but is now Red and increasing in value as the throttle goes up. This might take you a few minutes of paying attention to whats going on to see.

The following 2 pictures show ID 244 in the IDLE state followed by pressing the up button to increase the speed. You will notice a byte has turned red and is increasing in value through a range of HEX values 0-F. It will continue to enumerate through values till it reaches its max speed.

The byte in ID 244 which is changing is the value while the throttle is engaged, so 244 associated in some way with the increasing speed. The throttle speed is a good value to start with as it keeps increasing its value when pressed making it easier to spot while viewing the CanSniffer output.

Singling out Values with Filters:

If you would like to single out the throttle value then click the terminal window and press -000000 followed by the Enter key which will clear out all of the values scrolling. Then press +244 followed by the Enter key which will add back the throttle ID. You can now click the controller again and increase the speed with your Up arrow button without all the noise clouding your view. You will instead as shown below only have ID 244 in your output:

To get back all of the IDs again click the terminal window and input +000000 followed by the Enter key. Now you should see all of the output as before. Essentially 000000 means include everything. But when you put a minus in front of it then it negates everything and clears your terminal window filtering out all values.

Determine Blinker ID:

Now lets figure out another ID for the blinkers. If you hit the left or right arrow with the controls window selected you will notice a whole new ID appears in the list, ID 188 shown in the picture below which is associated with the blinker.

This ID was not listed before as it was not in use within the data output until you pressed the blinker control. Lets single this value out by pressing -000000 followed by +188. Just like in the throttle example your terminal should only show ID 188, initially it will show with 00 byte values.

As you press the left and the right blinker you will see the first Byte change from 00 to 01 or 02. If neither is pressed as in the screenshot above it will be 00. Its kind of hard to have the controller in focus and get a screenshot at the same time but the ID will remain visible as 00 until it times out and disappears from the list when not active. However with it filtered out as above you can get a better view of things and it wont disappear.

Time for YOU to do some Protocol Reversing:

This lab will give you a good idea how to reverse all of the functionality of the car and associate each action with the proper ID and BYTE. This way you can create a map of intended functionality changes you wish to make. Above we have done a few walk throughs with you on how to determine which byte and ID is associated with an action. Now its time to map everything out yourself with all the remaining functionality before moving on to attacking individual components.

Lab Work Suggestion:

Take out a piece of paper and a pencil
Try unlocking and locking doors and write down the ID which controls this action (remember your filters)
Try unlocking each door and write down the BYTES needed for each door to open
Try locking each doors and what Bytes change and what are their values, write them down
Do the same thing for the blinkers left and right (Might be different then what I did above)
What ID is the speedometer using? What byte changes the speed?

Attacking Functionality Directly:

With all of the functionality mapped out we can now try to target various devices in the network directly without interacting with the controllers GUI. Maybe we broke into the car via cellular OnStar connection or the center console units BLE connection which was connected to the CAN network in some way.
After an exploit we have direct access to the CAN network and we would like to perform actions. Or maybe you have installed a wireless device into an OBD2 port under the dashboard you have remote access to the automobile.

Using the data from the CAN network reversing lab above we can call these actions directly with the proper CAN-ID and Byte. Since we are remote to the target we can't just reach over and grab the steering wheel or hit the throttle we will instead send your CAN frame to make the change.

One way we can do this is via the CanSend utility. Lets take our information from our lab above and make the left turn signal flash with the following ID 188 for the turn signal by changing the first byte to 01 indicating the left signal is pressed. CanSend uses the format ID#Data. You will see this below when sending the turn signal via CanSend.

ficti0n@ubuntu:~/Desktop/ICSim$ cansend vcan0 188#01000000

You should have noticed that the left signal flashed. If not pay more attention and give it another try or make sure you used the correct ID and changed the correct byte. So lets do the same thing with the throttle and try to set the speed to something with ID 244 that we determined was the throttle.

ficti0n@ubuntu:~/Desktop/ICSim$ cansend vcan0 244#00000011F6

My guess is that nothing happened because its so fast the needle is not going to jump to that value. So instead lets try repeating this over and over again with a bash loop which simply says that while True keep sending the throttle value of 11 which equates to about 30mph:

ficti0n@ubuntu:~/Desktop/ICSim$ while true; do cansend vcan0 244#00000011F6; done

Yes thats much better, you may notice the needle jumping back and forth a bit. The reason the needle is bouncing back and forth is because the normal CAN traffic is sent telling the car its actually set to 00 in between your frames saying its 30mph. But it worked and you have now changed the speed the car sees and you have flashed the blinker without using the cars normal blinker controls. Pretty cool right?

Monitor the CAN Bus and react to it:

Another way to handle this issue is to monitor the CAN network and when it sees an ID sent it will automatically send the corresponding ID with a different value.. Lets give that a try to modify our speed output by monitoring for changes. Below we are simply running CanDump and parsing for ID 244 in the log output which is the throttle value that tells the car the speed. When a device in the car reports ID 244 and its value we will immediately resend our own value saying the speed is 30mph with the value 11. See below command and try this out.

ficti0n@ubuntu:~/Desktop/ICSim$ candump vcan0 | grep " 244 " | while read line; do cansend vcan0 244#00000011F6; done

With this running after a few seconds you will see the speed adjust to around 30MPH once it captures a legitimate CAN-ID 244 from the network traffic and sends its own value right after.

Ok cool, so now while the above command is still running click the controller window and start holding down the Up arrow with the controller in focus.. After a few seconds or so when the speed gets above 30MPH you will see the needle fighting for the real higher value and adjusting back to 30MPH as your command keeps sending its on value as a replacement to the real speed.

So thats one way of monitoring the network and reacting to what you see in a very crude manner. Maybe someone stole your car and you want to monitor for an open door and if they try to open the door it immediately locks them in.

Conclusion and whats next:

I am not an expert car hacker but I hope you enjoyed this. Thats about as far as I want to go into this subject today, in the next blog we will get into how to code python to perform actions on the CAN network to manipulate things in a similar way. With your own code you are not limited to the functionality of the tools you are provided and can do whatever you want. This is much more powerful then just using the CanUtils pre defined tools. Later on I will also get into the hardware side of things if you would like to try this on a real car where things are more complicated and things can go wrong.

Related news

Proxying Newer Versions Of Android With Genymotion

I did a quick video last night for someone on proxying the newer version of Android SDK with Genymotion as the changes back in version 7 make it a bit more difficult to proxy https traffic and I get a lot of questions on a regular basis even years later...

Hopefully this video helps anyone else out that may be running into the same troubles.. This is proxying the latest version of android as of this writing which is version 10 but should work just fine on newer versions unless there is a major change in the future again that specifically restricts this method..

Mobile Hacking - Proxying Newer Versions of Android with Burp and Genymotion:

You can follow along with the video but additionally for reference below are the commands used:

Step 1: Create a Burp Cert for Android

1. Export the certificate from burp to .DER format via the proxy tab import/export

2. Change the format from der to pem:

openssl x509 -inform DER -in cacert.der -out cacert.pem

3. Pull the hash of the certificate subject name and rename the cert to the hah.0 format:

openssl x509 -inform PEM -subject_hash_old -in cacert.pem |head -1

mv cacert.pem <hash>.0

Step 2: Create a new Emulator:

1. Create a version 10 Galaxy x10 with bridge mode networking (or whatever newest version required)

2. Click 3 dots under my installed devices in genymotion --> Edit --> Change to bridged mode

Step 3: Setup certificate on device

1. Check devices and push the certificate to the SD card:

adb devices

adb push <hash.0> /sdcard/

2. Connect to the device and install the cert with proper permissions:

adb remount

adb shell

mv /sdcard/<hash.0> /system/etc/security/cacerts/

chmod 644 /system/etc/security/cacerts/<hash.0>

3. Reboot the device:

reboot

Step 4: Verify and setup the proxy:

1. Settings --> search for Trusted --> Scroll down till you see portswigger

2. Setup your Burp proxy to the correct IP/Port combo of your external interface IP

3. In Genymotion click Settings --> wifi --> Gear -> Pencil Icon -> Add in Proxy info under advanced

4. Go forth and proxy things