IP and Service Scanning

ECUs often have multiple IP addresses assigned, each with a different purpose and therefore a different set of open ports. To find all open ports, every IP address of the ECU has to be scanned.

Getting ECU IP Addresses and VLANs

Since some ECUs don't implement ICMP or ARP and use VLANs, a network scan can take a lot of time and still be unsuccessful. The best way to get the IP addresses of an ECU is to sniff its default communication with tshark or Wireshark (or look for IP-address strings in the flash image).

OEMs often use a scheme for the IP addresses of their ECUs, such as Subnet.Subnet.Vlan.ECUIP:

| IP           | VLAN |
|--------------|------|
| 192.168.4.42 | 4    |
| 192.168.10.42 | 10  |
| 192.168.42.42 | 42  |

Knowing the scheme, all VLANs and IPs of the ECU within the subnet can be enumerated and tested.
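The following is an added example, not part of the original page: it takes tshark field output (the sample lines are constructed here to stand in for a real capture), extracts the distinct addresses, keeps those whose last octet is the ECU host id, and reads the VLAN from the third octet as the Subnet.Subnet.Vlan.ECUIP scheme above implies. It also expands the scheme to a full VLAN range so the whole subnet can be tested. The capture command, interface name and host id 42 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): derive candidate ECU IPs from
# sniffed traffic and the Subnet.Subnet.Vlan.ECUIP scheme.
# The capture is assumed to come from (real tshark options):
#   tshark -i eth0 -T fields -e ip.src -e ip.dst
# The lines below are CONSTRUCTED sample output standing in for that capture
# (tab-separated source and destination address per packet).
SAMPLE_CAPTURE='192.168.4.42	192.168.4.1
192.168.4.1	192.168.4.42
192.168.10.42	192.168.10.200
192.168.42.42	192.168.42.1'

# unique_ips: print every distinct IPv4 address found in tshark field output.
# LC_ALL=C keeps sort from applying locale collation to the dots.
unique_ips() {
    tr '\t' '\n' | grep -E '^[0-9]+(\.[0-9]+){3}$' | LC_ALL=C sort -u
}

# ecu_hosts HOST: keep only addresses whose last octet equals the ECU host id
# and print "IP VLAN", the VLAN being the third octet per the OEM scheme.
ecu_hosts() {
    host_id="$1"
    awk -F. -v h="$host_id" '$4 == h { print $0, $3 }'
}

# vlan_candidates PREFIX HOST FROM TO: expand the scheme to every VLAN in a
# range, so VLANs that never showed up in the capture are scanned as well.
vlan_candidates() {
    prefix="$1"; host_id="$2"; from="$3"; to="$4"
    i=$from
    while [ "$i" -le "$to" ]; do
        echo "$prefix.$i.$host_id"
        i=$((i + 1))
    done
}

# Usage: addresses and VLANs of the ECU with host id 42 seen in the capture
printf '%s\n' "$SAMPLE_CAPTURE" | unique_ips | ecu_hosts 42
# then all candidate addresses for VLANs 1..254 with the same host id
vlan_candidates 192.168 42 1 254 > /dev/null
```

The candidate list is what the port scan in the next section iterates over; sniffing alone only shows the VLANs the ECU happened to talk on while you were listening.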

Port Scanning

After gathering the IP addresses of the ECU, the next step is to perform a port scan. Port scanning helps identify open ports and services running on those IPs, providing insight into system configuration.

Nmap (Network Mapper) is a widely used open-source tool for network discovery and security auditing. It identifies live hosts, open ports, running services, operating systems, and potential vulnerabilities on a network. Its source is available on GitHub (nmap). A basic scan can be done with: nmap [target_ip]

When performing network scans on Electronic Control Units (ECUs) or other embedded systems, some specific options are needed to keep the scan from failing:

| Option | Reason |
|--------|--------|
| -n: never do DNS resolution | The ECU is targeted by IP address, which should not be resolved. |
| -Pn: treat all hosts as online, skip host discovery | Needed because many ECUs don't implement ICMP and would therefore not be detected as online. |
| -v or -vv: increase verbosity level (-vv or more for greater effect) | To get more feedback from nmap. |
| -sT: TCP connect scan instead of the default SYN ("stealth") scan | Sometimes yields more results, since ECU TCP stacks are unpredictable, and stealth is not needed. |
| -sV: probe open ports to determine service/version info | Uses nmap's service probes to find out what is behind an open port and detect the version if possible (sends a lot more packets). |
| -r: scan ports sequentially, don't randomize | For reproducible results (in case the ECU crashes ;) ). |
| -p <range>: only scan the specified ports | By default nmap does NOT scan all ports. Use -p 1-65535 to force a complete port scan. |
| -e <iface>: interface | Set the interface manually so the OS does not route the scan over a different interface. |
| --disable-arp-ping | Some ECUs don't implement ARP, which would otherwise make the scan fail. |
| --max-retries X | Increase the maximum retries per port check; an ECU sometimes misses a message (5-10 is a good value to be sure). |
| --max-rtt-timeout X | Decrease the maximum time the ECU has to answer (100ms), since the ECU is directly connected to the PC. |

A full command could look like this: sudo nmap -n -Pn -v -sT -sV -r -p 1-65535 -e ethX 192.168.XXX.XXX --disable-arp-ping --max-retries 10 --max-rtt-timeout 100ms
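As an added example (not from the original page), the script below composes the command above from the option table and runs it once per VLAN candidate of the ECU, writing one normal-format nmap log per target with -oN. The interface name eth0, the prefix 192.168, the host id 42 and the VLAN range are assumptions taken from the scheme in the previous section; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original page): build the ECU scan command from
# the options listed on this page and run it against every VLAN candidate.
# Assumptions: interface eth0 is directly connected to the ECU, and the
# address scheme is PREFIX.VLAN.HOST with host id 42 (see previous section).

# ecu_nmap_cmd IFACE TARGET [RETRIES] [RTT]: print the nmap command line with
# no DNS, no host discovery, TCP connect scan, version probes, sequential
# full port range, fixed interface, no ARP ping, and the tuned retry/RTT
# values. Output is also saved to scan_<target>.txt (nmap -oN).
ecu_nmap_cmd() {
    iface="$1"; target="$2"; retries="${3:-10}"; rtt="${4:-100ms}"
    echo "nmap -n -Pn -v -sT -sV -r -p 1-65535 -e $iface --disable-arp-ping --max-retries $retries --max-rtt-timeout $rtt -oN scan_$target.txt $target"
}

# scan_vlans IFACE PREFIX HOST FROM TO: scan PREFIX.<vlan>.HOST for every
# VLAN in FROM..TO. With DRY_RUN=1 the commands are only printed.
scan_vlans() {
    iface="$1"; prefix="$2"; host_id="$3"; from="$4"; to="$5"
    v=$from
    while [ "$v" -le "$to" ]; do
        cmd=$(ecu_nmap_cmd "$iface" "$prefix.$v.$host_id")
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "$cmd"
        else
            # Word-split the assembled command into arguments (no value
            # contains spaces) and run it with sudo, as on the page.
            set -- $cmd
            sudo "$@"
        fi
        v=$((v + 1))
    done
}

# Usage: show the commands for VLANs 4..6 without running anything
DRY_RUN=1 scan_vlans eth0 192.168 42 4 6
```

Running one nmap process per target rather than a single multi-target scan keeps the -r ordering and the per-target logs intact, which is what you want when one VLAN address makes the ECU reset mid-scan.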