c0f 0.0.1

data/Rakefile

@@ -0,0 +1,61 @@
+def dump_load_path
+  puts $LOAD_PATH.join("\n")
+  found = nil
+  $LOAD_PATH.each do |path|
+    if File.exists?(File.join(path,"rspec"))
+      puts "Found rspec in #{path}"
+      if File.exists?(File.join(path,"rspec","core"))
+        puts "Found core"
+        if File.exists?(File.join(path,"rspec","core","rake_task"))
+          puts "Found rake_task"
+          found = path
+        else
+          puts "!! no rake_task"
+        end
+      else
+        puts "!!! no core"
+      end
+    end
+  end
+  if found.nil?
+    puts "Didn't find rspec/core/rake_task anywhere"
+  else
+    puts "Found in #{path}"
+  end
+end
+require 'bundler'
+require 'rake/clean'
+
+require 'rake/testtask'
+
+require 'cucumber'
+require 'cucumber/rake/task'
+gem 'rdoc' # we need the installed RDoc gem, not the system one
+require 'rdoc/task'
+
+include Rake::DSL
+
+Bundler::GemHelper.install_tasks
+
+
+Rake::TestTask.new do |t|
+  t.pattern = 'test/tc_*.rb'
+end
+
+
+CUKE_RESULTS = 'results.html'
+CLEAN << CUKE_RESULTS
+Cucumber::Rake::Task.new(:features) do |t|
+  t.cucumber_opts = "features --format html -o #{CUKE_RESULTS} --format pretty --no-source -x"
+  t.fork = false
+end
+
+Rake::RDocTask.new do |rd|
+  
+  rd.main = "README.rdoc"
+  
+  rd.rdoc_files.include("README.rdoc","lib/**/*.rb","bin/**/*")
+end
+
+task :default => [:test,:features]
+

data/bin/c0f

@@ -0,0 +1,144 @@
+#!/usr/bin/env ruby
+# c0f - CAN of Fingers 
+# 
+# Analyzes CAN bus packets to create a fingerprint or identify a BUS line 
+# 
+# (c) 2015 Craig Smith <craig@theialabs.com> GPLv3 
+
+require 'optparse'
+require 'methadone'
+require 'formatador'
+require 'json'
+require 'c0f.rb'
+
+class App
+  include Methadone::Main
+  include Methadone::CLILogging
+
+  # Main c0f routine
+  main do |candevice|
+    options[:progress] = false if options[:quiet] == true
+    @stat = C0f::CANPacketStat.new
+    candb = nil
+    candump = nil
+    if candevice then
+      if options[:logfile] then
+        puts "You can specify logfile OR a candevice but not both"
+        exit 1
+      end
+    end
+    if not candevice and not options[:logfile] and not options["add-fp"] then
+      puts "Current use does not perform a valid action.  See --help"
+      exit -1
+    end
+    if options[:fpdb] then
+      candb = C0f::CANFingerprintDB.new(options[:fpdb])
+      puts "Loaded #{candb.count} fingerprints from DB" if not options[:quiet]
+    end
+    if not options["add-fp"].nil? then
+      if candb.nil? then
+        puts "Can not add a fingerprint unless a DB is specified"
+        exit 5
+      else
+        if not File.exists? options["add-fp"] then
+          puts "Fingerprint JSON file not found"
+          exit 6
+        else
+          fp = JSON.parse(File.read(options["add-fp"]))
+          if fp["Make"] == "Unknown" then
+            puts "You must specify at *least* the make before adding the fingerprint to the DB"
+            exit 20
+          end
+          r = candb.match_json(fp)
+          row = r.next
+          if row then
+            puts "Base Fingerprint already exists. TODO: Added common ID matching/inserting"
+            # TODO: add a fuzzy match and an exact match function.  If not exact and we don't have the
+            # same make, model, year and trim then insert the slightly different one
+            exit 10
+          else
+             id = candb.insert_json(fp)
+             puts "Successfully inserted fingprint (#{id})" if id
+          end
+        end
+      end
+    end
+    if not candevice.nil? then
+      progress = Formatador::ProgressBar.new(options["sample-size"]) { |b| 
+        b.opts[:color] = "green"
+        b.opts[:started_at] = Time.now
+        b.opts[:label] = "Reading Packets..." 
+      } if options[:progress]
+      IO.popen "candump -t a -n #{options["sample-size"]} #{candevice}" do |pipe|
+       pipe.each do |line|
+          progress.increment if options[:progress]
+          pkt = C0f::CANPacket.new
+          @stat.add pkt if pkt.parse line
+        end
+      end
+    end
+    if options[:logfile] then
+      log = options[:logfile]
+      if File.read log then
+        lines = File.readlines(log)
+        progress = Formatador::ProgressBar.new(lines.count) { |b| 
+          b.opts[:color] = "green"
+          b.opts[:started_at] = Time.now
+          b.opts[:label] = "Loading Packets..." 
+        } if options[:progress]
+        lines.each do |line|
+          progress.increment if options[:progress]
+          pkt = C0f::CANPacket.new
+          @stat.add pkt if pkt.parse line
+        end
+      else
+        puts "Could not read logfile #{log}"
+        exit 3
+      end
+    end
+    puts @stat if @stat.pkt_count > 0 and options["print-stats"]
+    if (options["print-fp"] or options["save-fp"]) and (options[:logfile] or candevice) then
+      if @stat.pkt_count < options["sample-size"] then
+         puts "Fingerprinting requires at least 2000 packets"
+         exit 4
+      end
+      fp = C0f::CANFingerprint.new(@stat)
+      if candb then
+        r = candb.match_json(fp.to_json)
+        row = r.next
+        if row then
+          fp.make = row["make"]
+          fp.model = row["model"]
+          fp.year = row["year"]
+          fp.trim = row["trim"]
+        end
+      end
+      puts fp.to_json if options["print-fp"]
+      if options["save-fp"] then
+        File.open(options["save-fp"], "w") { |f| f.write fp.to_json }
+      end
+    end
+  end
+
+  description "CAN Bus Passive Make/Model analyzer"
+  
+  options["print-fp"] = true
+  options[:progress] = true
+  options["sample-size"] = 2000
+  on("--logfile FILENAME", "CANDump logfile")
+  on("--print-stats", "Prints logfile stats (Default: No)")
+  on("--[no-]print-fp", "Print fingerprint info (Default: Yes)")
+  on("--[no-]progress", "Print a progress bar")
+  on("--add-fp FINGERPRINT", "Add a JSON fingerprint from a file to the DB")
+  on("--fpdb DB", "Location of saved fingerprint DB")
+  on("--quiet", "No output other than what is specified")
+  on("--sample-size PACKETCOUNT", "The number of packets to process")
+  on("--save-fp FILE", "Saves the fingerprint to a file")
+  arg :candevice, "Launch candump on a given CAN device", :optional
+
+  version C0f::VERSION
+
+  use_log_level_option :toggle_debug_on_signal => 'USR1'
+
+  go!
+end

data/c0f.gemspec

@@ -0,0 +1,30 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'c0f/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "c0f"
+  spec.version       = C0f::VERSION
+  spec.authors       = ["Craig Smith"]
+  spec.email         = ["craig@theialabs.com"]
+  spec.summary       = %q{c0f - CAN Bus Fingerprinting}
+  spec.description   = %q{c0f - CAN of Fingers.  CAN Bus fingerprinting to passively determine make/model of vehicle}
+  spec.homepage      = "http://opengarages.orb"
+  spec.license       = "GPLv3"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "minitest", "~> 4.7"
+  spec.add_development_dependency "bundler", "~> 1.7"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency('rdoc')
+  spec.add_development_dependency('aruba')
+  spec.add_dependency('methadone', '~> 1.8')
+  spec.add_dependency('formatador')
+  spec.add_dependency('sqlite3')
+  spec.add_dependency('json')
+end

data/features/c0f.feature

@@ -0,0 +1,45 @@
+Feature: Analyze CAN Bus fingerprints
+  In order to determine fingerprints for CAN Bus traffic
+  I want to have a tool that can analyze, save and report CAN bus fingerprints
+  So I can eventually make fingerprints for shellcode
+
+  Scenario: Basic UI
+    When I get help for "c0f"
+    Then the exit status should be 0
+    And the banner should be present
+    And the banner should document that this app takes options
+    And the following options should be documented:
+      |--version|
+      |--logfile|
+      |--[no-]progress|
+      |--[no-]print-fp|
+      |--print-stats|
+      |--add-fp|
+      |--fpdb|
+      |--quiet|
+      |--sample-size|
+      |--save-fp|
+    And the banner should document that this app's arguments are:
+      | candevice |
+
+  Scenario: Parse a valid CANDump Log with enough sample packets
+    Given a valid candump logfile at "/tmp/sample-can.log"
+    When I successfully run `c0f --logfile /tmp/sample-can.log --quiet`
+    Then the stdout should contain valid JSON
+    And the Make is "Unknown" and the Model is "Unknown" and the Year is "Unknown" and the Trim is "Unknown"
+    And the common IDs should be "166 158 161 191 18E 133 136 13A 13F 164 17C 183 143 095"
+    And the main ID should be "143"
+    And the main interval should be "0.009998683195847732"
+
+  Scenario: Take a valid signature and initialze a fingerprint database with it
+    Given a completed fingerprint at "/tmp/sample-fp.json" and a fingerprint db at "/tmp/can.db"
+    When I successfully run `c0f --add-fp /tmp/sample-fp.json --fpdb /tmp/can.db`
+    Then the output should contain "Created Tables"
+    And the output should contain "Successfully inserted fingprint"
+
+  Scenario: Match a canbus fingerprint to that in the fingerprint DB
+    Given a valid fingerprint db at "/tmp/sample-fp.db" valid logfile "/tmp/sample-can.log"
+    When I successfully run `c0f --fpdb /tmp/sample-fp.db --logfile /tmp/sample-can.log --quiet`
+    Then the stdout should contain valid JSON
+    And the Make is "Honda" and the Model is "Civic" and the Year is "2009" and the Trim is "Hybrid"
+

data/features/step_definitions/c0f_steps.rb

@@ -0,0 +1,51 @@
+# Put your step definitions here
+require "fileutils"
+require 'json'
+
+Given(/^a valid candump logfile at "(.*?)"$/) do |logfile|
+  FileUtils.copy "test/sample-can.log", logfile
+end
+
+Then(/^the stdout should contain valid JSON$/) do
+    expect { JSON.parse(all_output) }.not_to raise_error
+end
+
+Then(/^the common IDs should be "(.*?)"$/) do |idstr|
+  ids = idstr.split
+  fp = JSON.parse(all_output)
+  missing = false
+  ids.each do |id|
+    found = false
+    fp["Common"].each do |cid|
+      found = true if cid["ID"] == id
+    end
+    missing = true if not found
+  end
+  expect(missing).to be_falsey
+end
+
+Then(/^the main ID should be "(.*?)"$/) do |id|
+  fp = JSON.parse(all_output)
+  expect(fp["MainID"] == id).to be_truthy
+end
+
+Then(/^the main interval should be "(.*?)"$/) do |i|
+  fp = JSON.parse(all_output)
+  expect(fp["MainInterval"] == i).to be_truthy
+end
+
+Given(/^a completed fingerprint at "(.*?)" and a fingerprint db at "(.*?)"$/) do |fp_dest, candb_dest|
+  File.unlink candb_dest if File.exists? candb_dest
+  FileUtils.cp "test/sample-fp.json", fp_dest
+end
+
+Given(/^a valid fingerprint db at "(.*?)" valid logfile "(.*?)"$/) do |db_dest, log_dest|
+  FileUtils.cp "test/sample.db", db_dest
+  FileUtils.cp "test/sample-can.log", log_dest
+end
+
+Then(/^the Make is "(.*?)" and the Model is "(.*?)" and the Year is "(.*?)" and the Trim is "(.*?)"$/) do |make, model, year, trim|
+  fp = JSON.parse(all_output)
+  expect((fp["Make"] == make and fp["Model"] == model and fp["Year"] == year and fp["Trim"] == trim)).to be_truthy
+end
+

data/features/support/env.rb

@@ -0,0 +1,16 @@
+require 'aruba/cucumber'
+require 'methadone/cucumber'
+
+ENV['PATH'] = "#{File.expand_path(File.dirname(__FILE__) + '/../../bin')}#{File::PATH_SEPARATOR}#{ENV['PATH']}"
+LIB_DIR = File.join(File.expand_path(File.dirname(__FILE__)),'..','..','lib')
+
+Before do
+  # Using "announce" causes massive warnings on 1.9.2
+  @puts = true
+  @original_rubylib = ENV['RUBYLIB']
+  ENV['RUBYLIB'] = LIB_DIR + File::PATH_SEPARATOR + ENV['RUBYLIB'].to_s
+end
+
+After do
+  ENV['RUBYLIB'] = @original_rubylib
+end

data/lib/c0f.rb

@@ -0,0 +1,9 @@
+require "c0f/version"
+require "c0f/can_packet"
+require "c0f/can_packet_stat"
+require "c0f/can_fingerprint"
+require "c0f/can_fingerprint_db"
+
+module C0f
+
+end

data/lib/c0f/can_fingerprint.rb

@@ -0,0 +1,97 @@
+module C0f
+  class CANFingerprint
+    attr_reader :common_ids, :most_common, :padding
+    attr_accessor :make, :model, :year, :trim
+    # Requires CANPacketStat
+    def initialize(stats, db=nil)
+      @stats = stats
+      @db = db
+      @most_common = nil
+      @common_ids = Array.new
+      @padding = nil
+      self.analyze
+      @make = "Unknown"
+      @model = "Unknown"
+      @year = "Unknown"
+      @trim = "Unknown"
+    end
+
+    # intended for direct access to the most common IDs interval
+    def main_interval
+      @most_common.avg_delta
+    end
+
+    def main_id
+      @most_common.id
+    end
+
+    # helper function
+    def dynamic
+      @stats.dynamic
+    end
+
+    def to_s
+      s = "Make: #{@make} Model: #{@model} Year: #{@year} Trim: #{@trim}\n"
+      s += "Dyanmic: #{@stats.dynamic}\n"
+      s += "Padding: 0x#{@padding}\n" if @padding.to_s(16).upcase
+      s += "Common IDs: #{@common_ids}\n"
+      s += "Most Common: #{@most_common.id} Expected interval: #{@most_common.avg_delta}ms\n"
+      s
+    end
+
+    def to_json
+     s = '{"Make": "' + @make + '", "Model": "' + @model + '", "Year": "' + @year + '", "Trim": "' + @trim + '"'
+     s += ', "Dynamic": "' + (@stats.dynamic ? "true" : "false") + '", '
+     s += '"Padding": "' + @padding.to_s(16).upcase + '", ' if @padding
+     s += '"Common": [ '
+     json_ids = Array.new
+     @common_ids.each do |id|
+       json_ids << '{ "ID": "' + id + '" }'
+     end
+     s += json_ids.join(',')
+     s += ' ], "MainID": "' + @most_common.id + '", "MainInterval": "' + @most_common.avg_delta.to_s + '"'
+     s += "}"
+     s
+    end
+
+    # Analyzes the CANPacketStats
+    # @stat must be set
+    def analyze
+      high_count = 0
+      padd_stat = Hash.new
+      # First pass
+      # * calculate the IDs we saw the most
+      @stats.pkts.each_value do | pkt|
+        high_count = pkt.count if pkt.count > high_count
+        if not @stats.dynamic then
+          if padd_stat.has_key? pkt.data[-1] then
+            padd_stat[pkt.data[-1]] += 1
+          else
+            padd_stat[pkt.data[-1]] = 1
+          end
+        end
+      end
+      # Second pass
+      fastest_interval = 5.0
+      @stats.pkts.each_value do |pkt|
+        # Common IDs are ones that the highest report - 1% of the total reported
+        if pkt.count >= high_count - (@stats.pkt_count * 0.01) then
+          @common_ids << pkt.id
+          if pkt.avg_delta < fastest_interval then
+            fastest_interval = pkt.avg_delta
+            @most_common = pkt
+          end
+        end
+      end
+      if @stats.dynamic then
+        highest_pad = 0
+        padd_stat.each do |val, count|
+          if count > highest_pad
+            hightest_pad = count 
+            @padding = val
+          end
+        end
+      end
+    end
+  end # CANFingerprint
+end