# 3. Perform IoT Attacks

## 1. Perform Replay Attack on CAN Protocol

{% embed url="<https://youtu.be/LQ1Wb5mExi0>" %}

The Controller Area Network (CAN) protocol is a robust communication system that allows microcontrollers and devices to interact without a central computer. It uses a message-based approach for reliable data exchange, even in noisy environments. CAN is widely used in the automotive industry due to its reliability and simplicity. In modern vehicles, the CAN protocol is central to system communication, enabling connections between engine controls, brakes, and infotainment units. However, this interconnectivity can be exploited by hackers to manipulate vehicle functions, posing safety risks.

Here, we use the ICSim tool to simulate the CAN protocol and demonstrate how attackers sniff the transmitted packets and perform a replay attack to gain basic control over the target.

Install the CAN utilities used with the simulator:

```
sudo apt-get install can-utils
```

<figure><img src="/files/lU1YMGmXqpdvNLvXzYAz" alt=""><figcaption></figcaption></figure>

Now, to set up a virtual CAN interface, issue the following commands:

```
sudo modprobe can
sudo modprobe vcan
sudo ip link add dev vcan0 type vcan
sudo ip link set up vcan0
```

<figure><img src="/files/twiyV6viv6CAyFB2oQHz" alt=""><figcaption></figcaption></figure>

To check whether the virtual CAN interface was set up successfully, run **ifconfig**. Here, the **vcan0** interface is present, which confirms that the virtual CAN interface was set up successfully.

<figure><img src="/files/MWGjIMAO2ESdbHSVS2Le" alt=""><figcaption></figcaption></figure>

Run **cd ICSim** to navigate to the ICSim directory and execute the **make** command to create two executable files, one for the IC Simulator and one for the CANBus Control Panel.

Run **./icsim vcan0** to start the ICSim simulator. You will see the IC Simulator interface.

<figure><img src="/files/wCxV8NjcM5sgJGfDxzCc" alt=""><figcaption></figcaption></figure>

Similarly, execute **./controls vcan0** to start the CANBus Control Panel. You will see the CANBus Control Panel interface.

<figure><img src="/files/NDaS4j4AJBQch5QikOkv" alt=""><figcaption></figcaption></figure>

Next, start a sniffer to capture the traffic that the CANBus Control Panel sends to the IC Simulator. Open a new terminal tab and execute **sudo su** to run the programs as the root user (when prompted, enter the password **toor**), then run **cd ICSim/** to navigate to the ICSim directory.

Execute **cansniffer -c vcan0** to start sniffing on the vcan0 interface. Leave this sniffer running.

<figure><img src="/files/ndLk4FhFosgeJuEUgs6Y" alt=""><figcaption></figcaption></figure>

Open a new terminal and execute **sudo su** to run the programs as the root user (when prompted, enter the password **toor**), then run **cd ICSim/** to navigate to the ICSim directory. To capture the logs, run **candump -l vcan0**.

After starting to capture the logs, open the ICSim and Controller simulator windows and perform functions such as accelerating, turning left/right, and unlocking and locking doors so that logs are generated. Once you are done, terminate the capture by pressing **Ctrl + C**.

| ICSim Functions               | Keys                                  |
| ----------------------------- | ------------------------------------- |
| Accelerate                    | Up arrow                              |
| Left/Right Turn               | Left arrow / Right arrow              |
| Unlock Rear Left/Right doors  | Right Shift + X / Right Shift + Y     |
| Unlock Front Left/Right doors | Right Shift + A / Right Shift + B     |
| Lock all doors                | Hold Right Shift key + Tap Left Shift |
| Unlock all doors              | Hold Left Shift key + Tap Right Shift |

<figure><img src="/files/NUCuC7CwcnJGgzpfYx3h" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/BL2RUBWFmsI1kEq8Xswy" alt=""><figcaption></figcaption></figure>

Now verify that you have obtained the log file by executing the **ls** command. Then, to perform the replay attack, run **canplayer -I candump-2024-05-07\_063502.log** and press Enter:

```
canplayer -I candump-2024-05-07_063502.log
```

Once the log file is replayed, you can see the movements that were performed while creating the log file play out in real time in the IC Simulator and the CANBus Control Panel.

<figure><img src="/files/lXBqAvOCGFLq5YcrANQU" alt=""><figcaption></figcaption></figure>
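The replay works because a CAN receiver acts on any well-formed frame and cannot tell who sent it or when it was first sent. The following added example (not part of the original lab, ICSim or can-utils) parses the `candump -l` log format and flags CAN IDs whose frame rate rises above a baseline, which is what a replay produces when the legitimate sender is still transmitting; the IDs, payloads and timestamps are constructed, and the 1.5x threshold is an assumption.

```python
import re
from collections import defaultdict

# One line of a `candump -l` log: (seconds.microseconds) interface ID#DATA
LINE = re.compile(
    r"\((\d+)\.(\d{6})\)\s+\S+\s+([0-9A-Fa-f]{3,8})#((?:[0-9A-Fa-f]{2}){0,8})$")

def parse_candump(lines):
    """Yield (timestamp_us, can_id, data) for each classic CAN data frame."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:  # blank lines, RTR (#R) and CAN FD (##) entries are skipped
            ts_us = int(m.group(1)) * 1_000_000 + int(m.group(2))
            yield ts_us, int(m.group(3), 16), bytes.fromhex(m.group(4))

def peak_rates(lines, window_us=1_000_000):
    """Highest number of frames seen in any one window, per CAN ID."""
    peaks, counts, start = defaultdict(int), defaultdict(int), None
    for ts, can_id, _ in parse_candump(lines):
        start = ts if start is None else start
        key = (can_id, (ts - start) // window_us)
        counts[key] += 1
        peaks[can_id] = max(peaks[can_id], counts[key])
    return dict(peaks)

def rate_anomalies(baseline, live, factor=1.5):
    """Map can_id -> (baseline_peak, live_peak) for IDs whose live peak rate
    exceeds factor x baseline; IDs never seen in the baseline always qualify."""
    base = peak_rates(baseline)
    return {cid: (base.get(cid, 0), n) for cid, n in peak_rates(live).items()
            if n > factor * base.get(cid, 0)}

def sample_log(can_id, data, period_us, n, offset_us=0, t0=1_700_000_000):
    """Constructed sample lines in candump -l format (not a real capture)."""
    ticks = (t0 * 1_000_000 + offset_us + i * period_us for i in range(n))
    return [f"({t // 1_000_000}.{t % 1_000_000:06d}) vcan0 {can_id:03X}#{data}"
            for t in ticks]

# Constructed IDs: 0x123 is sent every 100 ms, 0x456 every 500 ms.
BASELINE = sample_log(0x123, "0000A600", 100_000, 20) + \
           sample_log(0x456, "01", 500_000, 4)
# Live capture: same traffic plus a replayed copy of the 0x123 frames.
LIVE = sorted(BASELINE + sample_log(0x123, "0000A600", 100_000, 20, 50_000))

if __name__ == "__main__":
    for cid, (was, now) in rate_anomalies(BASELINE, LIVE).items():
        print(f"ID {cid:03X}: peak {was} -> {now} frames/s")
```

Pass the lines of a capture taken during normal operation as `baseline` and the lines of a later capture as `live`.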

