Analysis of an Automotive CAN Bus Security Penetration Challenge

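Problem
Most vehicles today use CAN-bus-based diagnostic services (ISO 14229-1). A CAN frame, however, carries at most 8 bytes of payload, so the CAN transport-layer protocol (ISO 15765-2) was introduced to let CAN messages carry more than 8 bytes of payload. While running diagnostic tests, the white-hat "Xiao An" recorded a log. Help Xiao An analyze it:
1) Which diagnostic service procedure does this log show? (Give the service's full English name.)
2) What risks does this log reveal?
3) Can you exploit one of those risks to carry out a penetration based on the last two frames? (Describe the exact procedure, including the frames you construct.)
4) The log contains one protocol error. Can you find it?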

Log

date Wed Nov 10 07:20:25.590 pm 2021
base hex  timestamps absolute
internal events logged
// version 15.2.0
// Measurement UUID: 9b4ce0cd-4350-4a9e-852b-d971f4db3044
   1.000246 1  706             Tx   d 8 02 27 01 00 00 00 00 00  Length = 240000 BitCount = 123 ID = 1798
   1.000476 1  70E             Tx   d 8 10 0E 67 01 88 62 74 AA  Length = 224000 BitCount = 115 ID = 1806
   1.000726 1  706             Tx   d 8 30 00 00 00 00 00 00 00  Length = 244000 BitCount = 125 ID = 1798
   1.000958 1  70E             Tx   d 8 20 2D 29 C2 70 FE 01 16  Length = 226000 BitCount = 116 ID = 1806
   1.001186 1  70E             Tx   d 8 21 B2 29 C2 70 FE 01 16  Length = 222000 BitCount = 114 ID = 1806
   1.001420 1  706             Tx   d 8 10 0E 27 02 B8 19 61 10  Length = 228000 BitCount = 117 ID = 1798
   1.001658 1  70E             Tx   d 8 30 00 00 C2 70 FE 01 16  Length = 232000 BitCount = 119 ID = 1806
   1.001888 1  706             Tx   d 8 20 A5 44 7D 47 14 CC AD  Length = 224000 BitCount = 115 ID = 1798
   1.002116 1  706             Tx   d 8 21 1A 44 7D 47 14 CC AD  Length = 222000 BitCount = 114 ID = 1798
   1.002346 1  70E             Tx   d 8 02 67 02 C2 70 FE 01 16  Length = 224000 BitCount = 115 ID = 1806
   2.000246 1  706             Tx   d 8 02 27 01 00 00 00 00 00  Length = 240000 BitCount = 123 ID = 1798
   2.000476 1  70E             Tx   d 8 10 0E 67 01 79 D8 77 71  Length = 224000 BitCount = 115 ID = 1806
   2.000714 1  706             Tx   d 8 30 00 00 7D 47 14 CC AD  Length = 232000 BitCount = 119 ID = 1798
   2.000944 1  70E             Tx   d 8 20 B1 F8 09 A9 32 B5 0F  Length = 224000 BitCount = 115 ID = 1806
   2.001176 1  70E             Tx   d 8 21 45 F8 09 A9 32 B5 0F  Length = 226000 BitCount = 116 ID = 1806
   2.001410 1  706             Tx   d 8 10 0E 27 02 47 A1 A3 B7  Length = 228000 BitCount = 117 ID = 1798
   2.001642 1  70E             Tx   d 8 30 00 00 09 A9 32 B5 0F  Length = 226000 BitCount = 116 ID = 1806
   2.001874 1  706             Tx   d 8 20 98 53 54 FE B8 C1 6C  Length = 226000 BitCount = 116 ID = 1798
   2.002108 1  706             Tx   d 8 21 E1 53 54 FE B8 C1 6C  Length = 228000 BitCount = 117 ID = 1798
   2.002338 1  70E             Tx   d 8 02 67 02 09 A9 32 B5 0F  Length = 224000 BitCount = 115 ID = 1806
   3.000246 1  706             Tx   d 8 02 27 01 00 00 00 00 00  Length = 240000 BitCount = 123 ID = 1798
   3.000476 1  70E             Tx   d 8 10 0E 67 01 20 D1 89 A4  Length = 224000 BitCount = 115 ID = 1806
   3.000714 1  706             Tx   d 8 30 00 00 54 FE B8 C1 6C  Length = 232000 BitCount = 119 ID = 1798
   3.000944 1  70E             Tx   d 8 20 B1 F5 B6 D1 96 42 A9  Length = 224000 BitCount = 115 ID = 1806
   3.001170 1  70E             Tx   d 8 21 6C F5 B6 D1 96 42 A9  Length = 220000 BitCount = 113 ID = 1806
   3.001404 1  706             Tx   d 8 10 0E 27 02 29 02 A8 5D  Length = 228000 BitCount = 117 ID = 1798
   3.001640 1  70E             Tx   d 8 30 00 00 B6 D1 96 42 A9  Length = 230000 BitCount = 118 ID = 1806
   3.001868 1  706             Tx   d 8 20 54 39 1B 14 EB 9D 26  Length = 222000 BitCount = 114 ID = 1798
   3.002098 1  706             Tx   d 8 21 F8 39 1B 14 EB 9D 26  Length = 224000 BitCount = 115 ID = 1798
   3.002326 1  70E             Tx   d 8 02 67 02 B6 D1 96 42 A9  Length = 222000 BitCount = 114 ID = 1806
   4.000246 1  706             Tx   d 8 02 27 01 00 00 00 00 00  Length = 240000 BitCount = 123 ID = 1798
   4.000480 1  70E             Tx   d 8 10 0E 67 01 F7 BF B9 DD  Length = 228000 BitCount = 117 ID = 1806
   4.000714 1  706             Tx   d 8 30 00 00 1B 14 EB 9D 26  Length = 228000 BitCount = 117 ID = 1798
   4.000944 1  70E             Tx   d 8 20 20 45 7B 4C E4 19 9B  Length = 224000 BitCount = 115 ID = 1806
   4.001172 1  70E             Tx   d 8 21 80 45 7B 4C E4 19 9B  Length = 222000 BitCount = 114 ID = 1806
   4.001402 1  706             Tx   d 8 10 0E 27 02 E5 EC C9 EB  Length = 224000 BitCount = 115 ID = 1798
   4.001636 1  70E             Tx   d 8 30 00 00 7B 4C E4 19 9B  Length = 228000 BitCount = 117 ID = 1806
   4.001870 1  706             Tx   d 8 20 6F B4 CC EA C2 1C A0  Length = 228000 BitCount = 117 ID = 1798
   4.002098 1  706             Tx   d 8 21 D2 B4 CC EA C2 1C A0  Length = 222000 BitCount = 114 ID = 1798
   4.002328 1  70E             Tx   d 8 02 67 02 7B 4C E4 19 9B  Length = 224000 BitCount = 115 ID = 1806
   5.000246 1  706             Tx   d 8 02 27 01 00 00 00 00 00  Length = 240000 BitCount = 123 ID = 1798
   5.000476 1  70E             Tx   d 8 10 0E 67 01 7E 5C A4 95  Length = 224000 BitCount = 115 ID = 1806
   5.000714 1  706             Tx   d 8 30 00 00 CC EA C2 1C A0  Length = 232000 BitCount = 119 ID = 1798
   5.000946 1  70E             Tx   d 8 20 57 05 AD 37 FD 05 67  Length = 226000 BitCount = 116 ID = 1806
   5.001178 1  70E             Tx   d 8 21 CC 05 AD 37 FD 05 67  Length = 226000 BitCount = 116 ID = 1806
   6.000246 1  706             Tx   d 8 02 27 01 00 00 00 00 00  Length = 240000 BitCount = 123 ID = 1798
   6.000480 1  70E             Tx   d 8 10 0E 67 01 42 D0 0A B3  Length = 228000 BitCount = 117 ID = 1806
   6.000718 1  706             Tx   d 8 30 00 00 CC EA C2 1C A0  Length = 232000 BitCount = 119 ID = 1798
   6.000948 1  70E             Tx   d 8 20 3F 63 1B 91 B1 8E 06  Length = 224000 BitCount = 115 ID = 1806
   6.001174 1  70E             Tx   d 8 21 4D 63 1B 91 B1 8E 06  Length = 220000 BitCount = 113 ID = 1806
   7.000246 1  706             Tx   d 8 02 27 01 00 00 00 00 00  Length = 240000 BitCount = 123 ID = 1798
   7.000480 1  70E             Tx   d 8 10 0E 67 01 FC 10 11 2C  Length = 228000 BitCount = 117 ID = 1806
   7.000718 1  706             Tx   d 8 30 00 00 CC EA C2 1C A0  Length = 232000 BitCount = 119 ID = 1798
   7.000948 1  70E             Tx   d 8 20 BA CB 0F 34 A8 26 EF  Length = 224000 BitCount = 115 ID = 1806
   7.001176 1  70E             Tx   d 8 21 CF CB 0F 34 A8 26 EF  Length = 222000 BitCount = 114 ID = 1806

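Answer:

1) English name of the service procedure: SecurityAccess
This service is used for security authentication.
The service is identified by the following features:
Seed request: 27 01
Response: 02 67 02
For details on SecurityAccess, see:
ISO 14229:2013: SecurityAccess (0x27) - 张小力 - 博客园 (cnblogs)
2) The security algorithm is a rail fence cipher, which is simple. The algorithm is also static, so it cannot resist brute forcing: using the Seed-Key pairs already observed, brute forcing can make a Seed that appears among those pairs come up again, and the corresponding Key can then be looked up to pass security access.
For brute-forcing the rail fence cipher, see:
Brute-forcing the rail fence cipher (Python) - 清风阁 - CSDN blog
3) This tests how the rail fence algorithm is constructed. The correct key is: 0x91 0x85 0xB3 0x81 0xBD 0xBB 0x0E 0x48 0x37 0x03 0x3B 0xF9. The constructed frames must conform to the CAN transport-layer protocol; consecutive frames can start at 0x20 to match the actual log.
4) The first consecutive frame should start with 0x21; only the consecutive frame that follows 0x2F starts from 0x20.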
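
To check answers 1 and 4 against the log, the following added example (not part of the original write-up) reassembles the ISO 15765-2 segmented messages, labels the SecurityAccess steps, and reports every consecutive frame whose sequence number is not the expected one. The function names and the trimmed sample, which is the first exchange of the log with the trailing Length/BitCount fields removed, are assumptions of this example.

```python
import re

# Constructed sample: first exchange from the log above, trailing fields trimmed.
SAMPLE = """\
1.000246 1  706  Tx  d 8 02 27 01 00 00 00 00 00
1.000476 1  70E  Tx  d 8 10 0E 67 01 88 62 74 AA
1.000726 1  706  Tx  d 8 30 00 00 00 00 00 00 00
1.000958 1  70E  Tx  d 8 20 2D 29 C2 70 FE 01 16
1.001186 1  70E  Tx  d 8 21 B2 29 C2 70 FE 01 16
1.001420 1  706  Tx  d 8 10 0E 27 02 B8 19 61 10
1.001658 1  70E  Tx  d 8 30 00 00 C2 70 FE 01 16
1.001888 1  706  Tx  d 8 20 A5 44 7D 47 14 CC AD
1.002116 1  706  Tx  d 8 21 1A 44 7D 47 14 CC AD
1.002346 1  70E  Tx  d 8 02 67 02 C2 70 FE 01 16
"""
LINE = re.compile(r"^\s*[\d.]+\s+\d+\s+([0-9A-Fa-f]+)\s+\w+\s+d\s+(\d+)((?:\s+[0-9A-Fa-f]{2})+)")

def label(payload):
    """Name SecurityAccess messages: 0x27 request, 0x67 positive response."""
    if len(payload) < 2 or payload[0] not in (0x27, 0x67):
        return "other"
    step = "requestSeed" if payload[1] & 1 else "sendKey"  # odd = seed, even = key
    return ("request " if payload[0] == 0x27 else "response ") + step

def reassemble(log_text):
    """Return (messages, errors); errors are (can_id, expected_sn, seen_sn)."""
    pending, messages, errors = {}, [], []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header or comment line
        can_id = int(m.group(1), 16)
        data = bytes.fromhex(m.group(3))[:int(m.group(2))]
        pci = data[0] >> 4  # 0 single, 1 first, 2 consecutive, 3 flow control
        if pci == 0:
            messages.append((can_id, data[1:1 + (data[0] & 0x0F)]))
        elif pci == 1:  # 12-bit total length; first consecutive frame must be SN 1
            pending[can_id] = [((data[0] & 0x0F) << 8) | data[1], bytearray(data[2:]), 1]
        elif pci == 2 and can_id in pending:
            total, buf, expected = pending[can_id]
            sn = data[0] & 0x0F
            if sn != expected:
                errors.append((can_id, expected, sn))
            buf += data[1:]
            pending[can_id][2] = (sn + 1) & 0x0F  # resync to the observed counter
            if len(buf) >= total:  # drop padding beyond the declared length
                messages.append((can_id, bytes(buf[:total])))
                del pending[can_id]
    return messages, errors
```

Passing the full log text to `reassemble` works the same way, since the pattern ignores the header lines and the trailing fields.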
