1
00:00:07,020 --> 00:00:14,430
Now that we have our CAN utilities, the controller and network utilities and the ICSim simulator working,

2
00:00:14,760 --> 00:00:17,850
we're ready to do a car replay attack.

3
00:00:18,060 --> 00:00:24,570
That means that we're going to see how to use a tool called candump to capture packets on our controller

4
00:00:24,570 --> 00:00:25,310
area network.

5
00:00:25,590 --> 00:00:29,640
We'll also see how to use canplayer to replay those.

6
00:00:29,880 --> 00:00:34,350
So let's start by running candump -l, and then we're going to switch back to our controller

7
00:00:34,350 --> 00:00:39,810
window and use the keyboard to issue a lot of commands. We'll accelerate, lock and unlock doors, turn

8
00:00:39,810 --> 00:00:45,030
on the turn lights, the turn signals, and then we'll capture all of that.

9
00:00:45,030 --> 00:00:51,560
It'll run to a log file and then we'll be able to replay that on another car network.

10
00:00:51,780 --> 00:00:54,410
So we'll see how this works on a simulated network.

11
00:00:54,420 --> 00:01:02,100
But remember, with just a cable that you can buy at Amazon, CAN to USB, or an onboard diagnostic link,

12
00:01:02,100 --> 00:01:08,640
OBD link, you may be able to run this on your own vehicle and capture real packets and see what kind

13
00:01:08,650 --> 00:01:11,350
of things can be replayed with a simple replay attack.

14
00:01:11,670 --> 00:01:17,880
This is one of the simplest types of tests that you can run, and it'll give us everything we need to

15
00:01:17,880 --> 00:01:22,910
be able to do some actual car hacking if we wanted to do it on our own vehicle.

16
00:01:22,920 --> 00:01:29,640
And I'll show you a video, or link to a video, that actually shows my students and myself connecting this

17
00:01:29,640 --> 00:01:30,480
to my car.

18
00:01:30,480 --> 00:01:37,800
I have a little Volkswagen and we connected to it and were able to see the dashboard in real time using

19
00:01:37,800 --> 00:01:39,710
this actual physical cable.

20
00:01:40,410 --> 00:01:45,080
So let's switch over to Kali Linux and let's get the replay attack started.

21
00:01:45,090 --> 00:01:51,600
We'll do the first half, capturing the data. So we still have cansniffer running in this back window here.

22
00:01:51,810 --> 00:01:53,550
And we have our controller up and running.

23
00:01:53,550 --> 00:01:55,100
We just did a ./icsim

24
00:01:55,170 --> 00:02:02,790
on vcan0 and ran the ICSim simulator for the instrument cluster, or the dashboard indicators.

25
00:02:03,210 --> 00:02:04,590
Then we did something similar.

26
00:02:04,590 --> 00:02:07,590
We did a ./controls, inside

27
00:02:07,590 --> 00:02:11,160
ICSim, on vcan0, to get this controller.

28
00:02:11,520 --> 00:02:17,220
And remember, when we press in the controller, we're going to be able to see the dashboard spin up.

29
00:02:17,910 --> 00:02:18,480
There it goes.

30
00:02:18,480 --> 00:02:24,000
So if I press my accelerator after clicking in the control panel, I can accelerate, and then when I

31
00:02:24,000 --> 00:02:24,570
let up,

32
00:02:24,570 --> 00:02:25,740
it slows back down.

33
00:02:26,080 --> 00:02:30,960
I'm going to stop the cansniffer back here just by issuing a Ctrl+C.

34
00:02:30,960 --> 00:02:34,050
So click on this window, Ctrl+C, and that will stop it.

35
00:02:35,040 --> 00:02:39,660
And what we're going to do, instead of logging this to the screen, is that we're going to dump this

36
00:02:39,660 --> 00:02:42,270
CAN traffic using candump.

37
00:02:42,840 --> 00:02:46,410
And I'll resize my window a little bit so that we get it in the background there.

38
00:02:46,950 --> 00:02:52,470
We're going to use candump and log this virtual CAN network traffic.

39
00:02:52,470 --> 00:02:55,110
So we're going to do a candump.

40
00:02:56,280 --> 00:03:01,950
And this is a controller area network dump, just like we would capture packets from Wireshark

41
00:03:01,950 --> 00:03:10,290
or from any other packet sniffing application: candump -l, and that's for log.

42
00:03:10,290 --> 00:03:15,390
So we're going to do a candump -l on our virtual controller area

43
00:03:15,390 --> 00:03:17,430
network, vcan0.

44
00:03:18,030 --> 00:03:25,020
When we run this, we can click over into our control panel and now we'll press our accelerator.

45
00:03:25,050 --> 00:03:26,340
So I'm hitting the up arrow.

46
00:03:26,640 --> 00:03:31,950
I'm going to go ahead and turn on the right turn signal, then I'm going to turn the left turn signal

47
00:03:31,950 --> 00:03:33,630
on while I'm accelerating.

48
00:03:33,630 --> 00:03:38,910
I might as well shift, and A and B, then X and Y.

49
00:03:39,480 --> 00:03:40,930
I'm holding down the right shift.

50
00:03:40,930 --> 00:03:41,760
I want to do those.

51
00:03:41,760 --> 00:03:48,570
I can lock everything back with a right shift and left shift together, and then I'm going to turn on

52
00:03:48,570 --> 00:03:51,570
the signals again, left and right.

53
00:03:53,660 --> 00:03:54,190
Cool.

54
00:03:55,960 --> 00:04:01,390
So we're just doing a few things so that we've got some traffic in this candump file, and notice it's

55
00:04:01,390 --> 00:04:06,340
creating a file with the timestamp, so you can see the date and time that I'm recording there.

56
00:04:08,820 --> 00:04:15,630
Just get yourself about a minute's worth of CAN traffic. So we can slow down, we can turn on this turn

57
00:04:15,630 --> 00:04:19,170
signal and speed back up, then we can do our right shift

58
00:04:19,170 --> 00:04:21,780
and then A, B, X, Y.

59
00:04:23,060 --> 00:04:30,650
And we can leave things unlocked if we want to. Then we can click back over to the candump window, Ctrl+C,

60
00:04:30,650 --> 00:04:39,380
and do an ls, and now when we list, there's a new file, this candump-2017-07-18

61
00:04:39,390 --> 00:04:42,490
with the timestamp, in a .log file.

62
00:04:43,070 --> 00:04:52,960
Now we can use the log2asc program to read this on the screen in ASCII characters, or readable characters.

63
00:04:53,570 --> 00:05:00,680
What we're going to do next is run a replay attack on this controller area network by taking that log

64
00:05:00,680 --> 00:05:04,960
file and replaying it on the same vcan0.

65
00:05:05,150 --> 00:05:10,480
We will take control of the car and we won't be able to override it over here on our control panel.

66
00:05:11,180 --> 00:05:16,760
Anything we do, it'll still be able to run whatever commands we did before on the ICSim simulator.

67
00:05:16,760 --> 00:05:22,880
So if you are using this in a real car and you capture packets like this, whatever you did before will

68
00:05:22,880 --> 00:05:26,150
be able to be rebroadcast across that controller area network.

69
00:05:26,570 --> 00:05:27,650
So be careful.

70
00:05:27,650 --> 00:05:33,560
If you're doing this on a car, do it parked and idling in a very safe area, maybe a big field or a

71
00:05:33,560 --> 00:05:34,880
large empty parking lot.

72
00:05:35,450 --> 00:05:37,910
Don't do any of this on an open road.

73
00:05:38,120 --> 00:05:43,190
These are really dangerous tools if they're used incorrectly, but they can be very valuable tools

74
00:05:43,190 --> 00:05:48,260
if you want to be able to work on your own vehicle, test your own vehicle, get diagnostic codes from

75
00:05:48,260 --> 00:05:52,910
your vehicle, or test the security of your vehicle by capturing and replaying log files.

76
00:05:53,150 --> 00:05:55,520
We'll see how the replay attack works in the next lesson.