Welcome back, aspiring cyberwarriors!
In the light of our recent article on car hacking, we want to introduce you to a tool that makes this field much more approachable without removing the technical depth that makes it so interesting. The tool is called GearGoat, and it is designed to simulate a car’s internal network so that you can experiment, observe, and learn without needing physical access to a vehicle. If you have ever been curious about how modern cars communicate internally, or how attackers and researchers interact with those systems, this is a very practical place to start.
What is GearGoat
GearGoat is a car simulator developed by INE Labs. It allows you to practice working with the CAN bus, which is the internal communication network used by most modern vehicles. Instead of connecting to a real car, you interact with a web-based dashboard. Every action you perform on that interface generates realistic CAN packets on a virtual interface. You can use the same tools you would use in a real-world scenario. Tools like cansniffer, candump, and UDS scanners work exactly the same way with GearGoat as they would when connected to an actual vehicle.
In a real car, you would connect a CAN adapter such as CANable or Macchina M2 into the OBD-II port, which is typically located under the dashboard. This port is essentially a gateway into the vehicle’s internal network. Once connected, your system recognizes the adapter as a network interface, often named can0 in Linux. From there, you can start capturing and sending CAN messages. When someone interacts with the car, such as pressing the brake, turning on indicators, or accelerating, these actions generate CAN messages that travel across the network. These messages can be observed in real time using tools like cansniffer. GearGoat recreates this exact behavior. When you click a button in the simulator, it produces CAN traffic that looks and behaves like the real thing.
Setting Up
GearGoat runs inside a Docker container, which makes it easy to deploy. Most of the setup process has already been automated by the developers. To begin, you clone the repository and run the initial setup script. This script prepares the environment, installs required packages, and sets the foundation for the simulator to run properly:
kali > git clone https://github.com/ine-labs/GearGoat.git
kali > cd GearGoat
kali > sudo chmod +x initial_setup.sh
kali > sudo ./initial_setup.sh
Once that is complete, you need to configure the virtual CAN interface, commonly referred to as vcan0. This interface acts as a virtual version of a real CAN network, allowing your tools to interact with simulated traffic.
kali > sudo chmod +x vcan_setup.sh
kali > sudo ./vcan_setup.shIn some cases, especially on certain distributions, you might encounter issues related to missing kernel modules. The developer suggests installing additional modules using the following command:
kali > sudo apt-get install -y linux-modules-extra-$(uname -r)However, this approach may not always work on Kali Linux. In that case, you can manually load the required modules and create the interface yourself:
kali > sudo modprobe vcan
kali > sudo ip link add dev vcan0 type vcan
kali > sudo ip link set up vcan0
kali > ip link show vcan0
At this point, the environment should be ready. You can now launch the Docker container that runs GearGoat:
kali > sudo docker run --network="host" --privileged geargoat
After starting the container, the simulator will be hosted on http://localhost. Opening it in your browser presents you with a dashboard that represents various car functions. Each button on this interface corresponds to an action that generates CAN traffic.
Intercepting Traffic
When the simulator is running, it continuously generates CAN traffic. This gives you a realistic stream of data to analyze. To observe this traffic, you can use cansniffer, which is designed to highlight changes in CAN frames in real time:
kali > cansniffer -c vcan0
At first, the output can feel overwhelming. The tool highlights changing bytes dynamically, which is useful, but also visually noisy when you are trying to establish a baseline. Since the simulator is constantly sending data, you need a way to tell the tool what “normal” looks like. By pressing Shift + 3 + Enter, you tell cansniffer to treat the current state as the baseline. After repeating this a few times, the output stabilizes. The constant background traffic is no longer highlighted, and only meaningful changes stand out. This makes it much easier to focus on the effects of your actions.
Once the baseline is set, you can begin interacting with the simulator. For example, when you click the “Left Indicator” button, you will notice a change in the CAN data.
Here, the first byte of a frame changes, and the message is associated with the address 0x188. This tells you that this identifier is responsible for controlling the indicator state.
When you experiment with the speedometer by pressing “Accelerate,” you observe a different pattern. This time, the changes occur in the 4th and 5th bytes, and the associated address is 0x244. The speed increases gradually, and you can see the corresponding values changing in real time.
By repeating this process with other controls, such as door locks, you begin to map out how different functions are represented on the CAN bus. This is how reverse engineering of vehicle behavior is performed in real-world scenarios.
Sending Input
Once you understand which messages control specific functions, you can start sending input.
To control the indicators, you send CAN frames directly using the cansend tool:
kali > cansend vcan0 188#0100000000000000 # left
kali > cansend vcan0 188#0200000000000000 # right
These commands simulate turning on the left and right indicators. Because the CAN bus operates at a high speed, these changes can be difficult to capture. To make the effect more visible, we are repeatedly sending the message using the watch command:
kali > watch -n 0.1 "cansend vcan0 188#0200000000000000"When working with speed, things become slightly more complex. Earlier, you identified that the relevant address is 0x244 and that specific bytes control the value. To set a speed, you need to convert a human-readable value, such as miles per hour, into the format expected by the CAN message.
For example, to simulate a speed of 50 miles per hour, you can send:
kali > cansend vcan0 244#0000001F6F
The change happens very quickly, almost instantly. You can see the simulator is accelerating. If you want to experiment with different speeds, you can use the formula V = round(mph / 0.6213751 * 100) to calculate the appropriate value and convert it into hexadecimal format using big-endian representation.
Capturing and Replaying Traffic
You can also capture and replay traffic. This allows you to record a sequence of actions and then reproduce them automatically. In real-world testing, this can be used to simulate repeated behavior or to demonstrate how certain sequences affect a system.
To capture traffic, you use candump with logging enabled:
kali > candump -l vcan0 
This records the CAN messages into a log file. Once you have captured a sequence of interest, you can replay it using canplayer:
kali > canplayer -I .log When you run this, you will see the same actions being replayed on the simulator’s interface. The system behaves as if those inputs are happening again in real time.
Summary
In this article, we saw how GearGoat provides a safe and practical environment for learning car hacking. You interact with a simulated CAN bus that behaves in a realistic way. You can focus on understanding the communication patterns, message structures, and system responses without the risk of damaging real hardware. As with many areas of security, the goal is not just to use tools, but to understand what is happening beneath the surface.
Car hacking sits at the cutting edge of the cybersecurity field. For those who want to understand these systems hands-on, our three-day course focuses on real automotive attack techniques, including CAN protocol exploitation and the use of Software Defined Radio (SDR), explaining you how modern vehicles are actually compromised.
Source: HackersArise
Source Link: https://hackers-arise.com/automobile-hacking-hacking-with-geargoat/