Every car hacking tool I have come across required expensive ECUs, adapters or even full test benches. Having worked with test cars before, I got an insight into how time consuming and expensive, if not difficult it is to set a working HIL (Hardware-In-Loop) setup. I didn’t want to wait for hardware to understand how automotive networks behave - I wanted to simulate it.

So, I built my own virtual car hacking network using Linux tools, a bit of Python, and some creative problem solving.

Background

Automotive Cybersecurity is fascinating. Being extremely niche, it isn’t the first thing that comes to mind when someone thinks of cybersecurity. They imagine computers, massive server farms and a network that connects them all. But what is a modern car, if not a network of highly powerful computers, on wheels.

Working with cars as a pentester has had me dealing with security at the intersection of software and hardware - but I wanted to explore the same logic on my own terms.

A vehicle’s network is split into three specific interfaces:

1. CAN (Controller Area Network) - the most widely used
2. LIN (Local Interconnect Network) - for low-speed/low-cost devices
3. Automotive Ethernet (100BASE-T1, 1000BASE-T1, etc.) - higher bandwidth, growing adoption

Infotainment Systems, Sensors, ECUs, they all talk over these buses. Setting these up requires a lot of specialized hardware and software. This includes purchasing an expensive license with the already expensive hardware which is designed to simulate and control such networks. (Yes Vector, I’m talking about you). These tools are brilliant, but they’re practically out of reach when you’re hacking solo and not backed by a corporation.

So: emulate it.

The Idea

If network penetration testers can simulate servers and routers, why can’t car hackers simulate ECUs? After all, ECUs are basically computers that run a specific piece of software or a specific operating system on them, designed to only perform specific tasks.

In a world where we have virtual machines helping us run multiple computers on one, I started brainstorming if it was possible to create ECUs digitally, without all the fancy expensive hardware. What would you possibly need? GPS? Wi-Fi? Bluetooth? A platform to run apps and scripts? A logger? All of this already exists on a standard laptop. The only thing that stood out to me was the communication interfaces. CAN is not used anywhere apart from automotive networks. Neither is LIN or 100Base-T1 (Automotive Ethernet for a reason). This made me research even more. What could possibly help me simulate CAN?

“If there’s a will, there is a way.” ~ some wise person

The Build

After a bit of research, I came across SocketCAN. It’s a Linux kernel subsystem that exposes CAN interfaces like any other network device. Think CAN, but now it runs pretty much anywhere. It allows us to create virtual CAN interfaces on Linux, or connect to physical CAN networks present on an actual car.

It doesn’t have anything to do with what flavour you choose as it is built into the kernel. It is only a matter flipping the switch and enabling it:

1

sudo modprobe vcan

This will help enable the vcan (virtual CAN) interface module.

After this, you can create the virtual CAN interface:

1

sudo ip link add dev vcan0 type vcan

1

sudo ip link set up vcan0

Run this to confirm if you’ve got it:

1

ifconfig

1
2
3
4
5
6

vcan0: flags=193<UP,RUNNING,NOARP>  mtu 72
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

And voila! You now have a virtual CAN interface, ready to read and transmit CAN frames.

Sending packets

What’s the point of creating an interface if you’re not going to use it? To send packets on this interface, we have a set of can tools that you can install on pretty much any Linux machine as well.

I use the Blackarch repository on my Arch Linux machine. If you’re on Debian, you can use Kali Linux’s repository for the same. Both of them contain the package we want to install.

Fedora users please don’t come after me

Arch Linux:

1
2

sudo pacman -Syu
sudo pacman -S can-utils # tools for working with CAN

Debian:

1
2

sudo apt-get update && apt-get upgrade
sudo apt-get install can-utils

This will give you access to these tools:

1. candump
2. cansend
3. canplayer
4. cansniffer

…and more.

To send packets on the virtual bus (vcan0), use this command:

1

cansend vcan0 123#AABBCCDDEEFF

If it doesn’t output anything, congratulations! You’ve sent your first CAN frame using Linux!

But… how do we know that it got sent? We can use candump, which continuously listens for any CAN messages being transmitted on the bus you specify to it as an argument.

1

candump vcan0

While this is running, send the example CAN frame with cansend from another terminal again. This time, you’ll see it pop up on the listener as a properly formatted CAN frame:

1

vcan0  123   [6]  AA BB CC DD EE FF

Brilliant. You’ve now mastered the art of sending CAN frames on a bus using Linux, and only Linux.

What makes this fun is you can also build your own custom logger and transmitter using Python, with the python-can library. It can both send and listen for CAN frames on any CAN interface.

Here’s one if you want to try it out:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

#!/usr/bin/env python3
import can
import time
import threading

def receiver(bus):
    """Receive and print CAN messages."""
    print("[Receiver] Listening for CAN messages...")
    for msg in bus:
        print(f"[Received] ID: {msg.arbitration_id:#04x}, Data: {msg.data.hex().upper()}")

def sender(bus):
    """Send CAN messages periodically."""
    print("[Sender] Starting message transmission...")
    msg = can.Message(arbitration_id=0x123, data=[0x11, 0x22, 0x33, 0x44], is_extended_id=False)
    while True:
        try:
            bus.send(msg)
            print(f"[Sent] ID: {msg.arbitration_id:#04x}, Data: {msg.data.hex().upper()}")
            time.sleep(1)
        except can.CanError:
            print("[Error] Message not sent")

def main():
    # Connect to virtual CAN interface
    bus = can.interface.Bus(channel="vcan0", bustype="socketcan")

    # Start receiver in background thread
    recv_thread = threading.Thread(target=receiver, args=(bus,), daemon=True)
    recv_thread.start()

    # Start sending messages
    sender(bus)

if __name__ == "__main__":
    main()

This simple program lets you prototype virtual ECUs that send/receive frames — perfect for building test scenarios.

Reflection

My reflection on this piece of work includes this:

1. If I create ECUs built on either C or C++, using the same logic that a standard ECU would, I could have it generate CAN frames for specific functions and accept CAN frames to perform specific functions. This completely virtualizes the test bench and makes it portable.
2. The presence of Python (python-can) allows us to craft custom CAN packets, which opens doors to creating a fuzzer that mutates CAN frames randomly.
3. All of this put together gives us a basic, but robust virtual car, which can be used to practice pentesting and diagnostics(Enter, UDS).
4. I can safely test security features without messing with actual hardware(did I tell you it was very expensive?).
5. I can practice IDS detection in Wazuh or Suricata by integrating the CAN logs.
6. Train myself and others without physical ECUs.

Hacking isn’t about fancy gear. It’s about creativity. By virtualizing this challenge, I learned more about CAN networks, Linux Networking, and the hacker mindset in itself.

If you are into automotive cybersecurity but don’t know where to start, start by simulating - the best labs are the ones you build yourself.

What’s Next?

1. Create an instrument cluster/infotainment system next and connect it to my virtual network to simulate a more complete in-vehicle setup.
2. Setup UDS (Unified Diagnostics Services) request/response handling in a virtual ECU

Thanks for reading — I’ll keep posting updates as I build the next pieces (infotainment mock, UDS handlers, and a tiny fuzzer). If you want the example scripts or a reproducible repo structure, tell me and I’ll publish them on GitHub.

Setting up a SIEM (Security Information and Event Management) system might sound intimidating if you’re just getting started, but it’s a rewarding project that gives you real insight into how cybersecurity professionals monitor and detect threats. I recently built a Wazuh-based SIEM entirely with Docker and connected my personal Linux workstation as an agent. In this post, I’ll walk you through the process with practical commands for both Arch Linux and Debian users.

Wazuh started as a fork of OSSEC, one of the first open-source host-based intrusion detection systems, but has evolved into a full-blown security platform with log analysis, vulnerability detection, and compliance monitoring.

System Overview

Here’s what I used:

• Host OS: Arch Linux (but I include Debian commands too, since many readers might be on either)
• Deployment method: Docker (because containers make complex stacks easier to manage)
• Architecture: Single-node setup running Manager, Indexer, and Dashboard on one machine
• Agent: My own Linux workstation
• Use case: Personal monitoring and vulnerability detection in a home lab

Step 1: Installing Docker and Docker Compose

Before we get started, make sure Docker is installed and running. If you don’t have it, here’s how:

On Arch Linux:

1
2
3
4

sudo pacman -S docker docker-compose
sudo systemctl enable --now docker
sudo usermod -aG docker $USER
newgrp docker

On Debian or Ubuntu:

1
2
3
4
5

sudo apt update
sudo apt install docker.io docker-compose
sudo systemctl enable --now docker
sudo usermod -aG docker $USER
newgrp docker

Docker was originally released in 2013 and revolutionized how developers package and deploy applications. Today, it’s an essential tool in cybersecurity labs for simulating complex environments quickly.

Step 2: Cloning the Wazuh Docker Repository

Wazuh maintains an official Docker repository with all the configurations needed for different deployments. Grab the single-node setup like this:

1
2

git clone https://github.com/wazuh/wazuh-docker -b v4.12.0
cd wazuh-docker/single-node

Step 3: Generating SSL Certificates

To secure communication between the components, you’ll need to generate SSL certificates. First, create the directory:

1

mkdir -p config/wazuh_indexer_ssl_certs/

Next, create the configuration files. Here’s the config/certs.yml file content:

1
2
3
4
5
6
7

nodes:
  - name: wazuh.indexer
    type: indexer
  - name: wazuh.manager
    type: manager
  - name: wazuh.dashboard
    type: dashboard

And the generate-indexer-certs.yml file:

1
2
3
4
5
6
7
8

version: '3.3'
services:
  generator:
    image: wazuh/wazuh-certs-generator:0.0.2
    hostname: wazuh-certs-generator
    volumes:
      - ./config/wazuh_indexer_ssl_certs/:/certificates/
      - ./config/certs.yml:/config/certs.yml

Then run:

1

docker-compose -f generate-indexer-certs.yml run --rm generator

If you get errors about overwriting files, just clear the folder and try again:

1
2

rm -rf config/wazuh_indexer_ssl_certs/*
docker-compose -f generate-indexer-certs.yml run --rm generator

Step 4: Starting the Wazuh Stack

With everything set, launch the whole Wazuh environment:

1

docker-compose up -d

This will bring up the manager, indexer, and dashboard.

Step 5: Accessing the Web Dashboard

Open your browser and head to:

1

https://<your-server-ip>

This would be localhost if you’re setting it up locally.

The default login credentials are:

• Username: admin
• Password: SecretPassword (or check the .env file in the repo)

Expect a warning about the self-signed certificate. This is normal. You can safely proceed for now.

Adding Your Own Machine as an Agent

Wazuh’s strength lies in monitoring endpoints. I connected my Arch Linux workstation as an agent, but these steps work the same on Debian.

Download and install the agent:

1
2
3
4

curl -sO https://packages.wazuh.com/4.12/wazuh-agent-4.12.0-linux-x86_64.tar.gz
tar -xvzf wazuh-agent-4.12.0-linux-x86_64.tar.gz
cd wazuh-agent-4.12.0
sudo ./install.sh

Register the agent with the manager:

1
2

sudo /var/ossec/bin/agent-auth -m <wazuh-manager-ip>
sudo systemctl enable --now wazuh-agent

After a short while, your agent will show up in the dashboard, forwarding logs and security events.

The first version of Wazuh was released in 2015, and it has since become one of the most widely used open-source security platforms worldwide.

You’re now done! You should be able to explore the dashboard and learn all the features Wazuh has to offer.

Real-World Detection: CVE-2025-4598

Shortly after getting everything running, Wazuh’s Vulnerability Detector flagged a real systemd vulnerability on my machine (CVE-2025-4598). This was a practical example of how such tools help spot risks before attackers do.

Don’t worry, I patched it right away. Wouldn’t want to make it too easy for you hackers, right?

Why This Matters

Setting this up wasn’t just an academic exercise. I now have a hands-on understanding of log collection, normalization, and alerting. In fields like automotive cybersecurity, knowing what’s happening on endpoints and spotting anomalies early is crucial—and this kind of setup lets you practice those skills.

What’s Next?

Here are some things you can try for yourself now that you’ve got the hang of setting it up:

• Crafting custom detection rules tailored to your environment
• Simulating attacks to validate your alerts
• Adding Windows or other OS agents
• Expanding to multi-node deployments for scalability

Final Thoughts

Wazuh is a fantastic project for anyone looking to deepen their cybersecurity skills. Using Docker simplifies the setup, and the dashboard delivers meaningful insights out of the box. Whether you’re a beginner or an experienced professional, experimenting with Wazuh builds a solid foundation for real-world security monitoring.

Thanks for reading! Feel free to reach out if you want to discuss or share your own setups.