Every car hacking tool I have come across required expensive ECUs, adapters or even full test benches. Having worked with test cars before, I got an insight into how time consuming and expensive, if not difficult it is to set a working HIL (Hardware-In-Loop) setup. I didn’t want to wait for hardware to understand how automotive networks behave - I wanted to simulate it.

So, I built my own virtual car hacking network using Linux tools, a bit of Python, and some creative problem solving.

Background

Automotive Cybersecurity is fascinating. Being extremely niche, it isn’t the first thing that comes to mind when someone thinks of cybersecurity. They imagine computers, massive server farms and a network that connects them all. But what is a modern car, if not a network of highly powerful computers, on wheels.

Working with cars as a pentester has had me dealing with security at the intersection of software and hardware - but I wanted to explore the same logic on my own terms.

A vehicle’s network is split into three specific interfaces:

1. CAN (Controller Area Network) - the most widely used
2. LIN (Local Interconnect Network) - for low-speed/low-cost devices
3. Automotive Ethernet (100BASE-T1, 1000BASE-T1, etc.) - higher bandwidth, growing adoption

Infotainment Systems, Sensors, ECUs, they all talk over these buses. Setting these up requires a lot of specialized hardware and software. This includes purchasing an expensive license with the already expensive hardware which is designed to simulate and control such networks. (Yes Vector, I’m talking about you). These tools are brilliant, but they’re practically out of reach when you’re hacking solo and not backed by a corporation.

So: emulate it.

The Idea

If network penetration testers can simulate servers and routers, why can’t car hackers simulate ECUs? After all, ECUs are basically computers that run a specific piece of software or a specific operating system on them, designed to only perform specific tasks.

In a world where we have virtual machines helping us run multiple computers on one, I started brainstorming if it was possible to create ECUs digitally, without all the fancy expensive hardware. What would you possibly need? GPS? Wi-Fi? Bluetooth? A platform to run apps and scripts? A logger? All of this already exists on a standard laptop. The only thing that stood out to me was the communication interfaces. CAN is not used anywhere apart from automotive networks. Neither is LIN or 100Base-T1 (Automotive Ethernet for a reason). This made me research even more. What could possibly help me simulate CAN?

“If there’s a will, there is a way.” ~ some wise person

The Build

After a bit of research, I came across SocketCAN. It’s a Linux kernel subsystem that exposes CAN interfaces like any other network device. Think CAN, but now it runs pretty much anywhere. It allows us to create virtual CAN interfaces on Linux, or connect to physical CAN networks present on an actual car.

It doesn’t have anything to do with what flavour you choose as it is built into the kernel. It is only a matter flipping the switch and enabling it:

1

sudo modprobe vcan

This will help enable the vcan (virtual CAN) interface module.

After this, you can create the virtual CAN interface:

1

sudo ip link add dev vcan0 type vcan

1

sudo ip link set up vcan0

Run this to confirm if you’ve got it:

1

ifconfig

1
2
3
4
5
6

vcan0: flags=193<UP,RUNNING,NOARP>  mtu 72
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

And voila! You now have a virtual CAN interface, ready to read and transmit CAN frames.

Sending packets

What’s the point of creating an interface if you’re not going to use it? To send packets on this interface, we have a set of can tools that you can install on pretty much any Linux machine as well.

I use the Blackarch repository on my Arch Linux machine. If you’re on Debian, you can use Kali Linux’s repository for the same. Both of them contain the package we want to install.

Fedora users please don’t come after me

Arch Linux:

1
2

sudo pacman -Syu
sudo pacman -S can-utils # tools for working with CAN

Debian:

1
2

sudo apt-get update && apt-get upgrade
sudo apt-get install can-utils

This will give you access to these tools:

1. candump
2. cansend
3. canplayer
4. cansniffer

…and more.

To send packets on the virtual bus (vcan0), use this command:

1

cansend vcan0 123#AABBCCDDEEFF

If it doesn’t output anything, congratulations! You’ve sent your first CAN frame using Linux!

But… how do we know that it got sent? We can use candump, which continuously listens for any CAN messages being transmitted on the bus you specify to it as an argument.

1

candump vcan0

While this is running, send the example CAN frame with cansend from another terminal again. This time, you’ll see it pop up on the listener as a properly formatted CAN frame:

1

vcan0  123   [6]  AA BB CC DD EE FF

Brilliant. You’ve now mastered the art of sending CAN frames on a bus using Linux, and only Linux.

What makes this fun is you can also build your own custom logger and transmitter using Python, with the python-can library. It can both send and listen for CAN frames on any CAN interface.

Here’s one if you want to try it out:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

#!/usr/bin/env python3
import can
import time
import threading

def receiver(bus):
    """Receive and print CAN messages."""
    print("[Receiver] Listening for CAN messages...")
    for msg in bus:
        print(f"[Received] ID: {msg.arbitration_id:#04x}, Data: {msg.data.hex().upper()}")

def sender(bus):
    """Send CAN messages periodically."""
    print("[Sender] Starting message transmission...")
    msg = can.Message(arbitration_id=0x123, data=[0x11, 0x22, 0x33, 0x44], is_extended_id=False)
    while True:
        try:
            bus.send(msg)
            print(f"[Sent] ID: {msg.arbitration_id:#04x}, Data: {msg.data.hex().upper()}")
            time.sleep(1)
        except can.CanError:
            print("[Error] Message not sent")

def main():
    # Connect to virtual CAN interface
    bus = can.interface.Bus(channel="vcan0", bustype="socketcan")

    # Start receiver in background thread
    recv_thread = threading.Thread(target=receiver, args=(bus,), daemon=True)
    recv_thread.start()

    # Start sending messages
    sender(bus)

if __name__ == "__main__":
    main()

This simple program lets you prototype virtual ECUs that send/receive frames — perfect for building test scenarios.

Reflection

My reflection on this piece of work includes this:

1. If I create ECUs built on either C or C++, using the same logic that a standard ECU would, I could have it generate CAN frames for specific functions and accept CAN frames to perform specific functions. This completely virtualizes the test bench and makes it portable.
2. The presence of Python (python-can) allows us to craft custom CAN packets, which opens doors to creating a fuzzer that mutates CAN frames randomly.
3. All of this put together gives us a basic, but robust virtual car, which can be used to practice pentesting and diagnostics(Enter, UDS).
4. I can safely test security features without messing with actual hardware(did I tell you it was very expensive?).
5. I can practice IDS detection in Wazuh or Suricata by integrating the CAN logs.
6. Train myself and others without physical ECUs.

Hacking isn’t about fancy gear. It’s about creativity. By virtualizing this challenge, I learned more about CAN networks, Linux Networking, and the hacker mindset in itself.

If you are into automotive cybersecurity but don’t know where to start, start by simulating - the best labs are the ones you build yourself.

What’s Next?

1. Create an instrument cluster/infotainment system next and connect it to my virtual network to simulate a more complete in-vehicle setup.
2. Setup UDS (Unified Diagnostics Services) request/response handling in a virtual ECU

Thanks for reading — I’ll keep posting updates as I build the next pieces (infotainment mock, UDS handlers, and a tiny fuzzer). If you want the example scripts or a reproducible repo structure, tell me and I’ll publish them on GitHub.

So, you wanna be a hacker?

Cool. I did too. I jumped into Kali, sprayed tools, and followed tutorials like a robot. Things worked, but I could not explain why. That was my first big lesson: without networking, most of security looks like magic. No magic here. Just packets, addresses, ports, and paths.

The moment it clicked

I kept asking myself:

• Why does a reverse shell call me back and not the other way around?
• What does netstat -tunlp actually show me?
• Why does ping sometimes fail even though the server is up?

The answer was not a broken tool. It was me not understanding the path the packets had to travel.

Learn these first

These are the pieces that changed my life in pentests and CTFs.

🔌 The OSI model

Think of it as a map. If you know the layer, you know where to debug.
If you want to explore it in depth, check out:

• Cisco OSI Model Overview
• Packet Traveling Series by Practical Networking

Real world hints by layer:

• L1 Physical - bad cable, wrong interface, Wi-Fi channel noise. If link lights are off, stop blaming the firewall.
• L2 Data Link - ARP and MAC. ARP spoofing lives here. If you see duplicate IP warnings, check the ARP table with ip neigh.
• L3 Network - IP and routing. If 192.168.1.10 cannot reach 192.168.2.10, you likely need a router or a route.
• L4 Transport - TCP vs UDP. TCP handshake fails means no state created on the server. SYNs leaving but no SYN ACK returning usually means a path or filter issue.
• L5 Session - long lived connections. If a VPN drops every 30 minutes, look for session timers.
• L6 Presentation - certs and encodings. TLS errors like unsupported protocol live here.
• L7 Application - HTTP, DNS over HTTPS, SMTP. If the app returns 200 but nothing changes, it is probably an app logic bug, not the network.

🌐 IP addressing and subnetting

You do not need to be a human subnet calculator. You do need to know:

• Private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
• What a mask does. /24 means 256 addresses, /25 splits that in half.
• Simple test: put one VM on 192.168.1.10/24 and another on 192.168.2.10/24. They will not ping without a router. Add a route and watch it work.

Want to practice subnetting?

• Subnetting Made Easy
• Subnetting Practice Game

🚪 Ports and protocols that actually matter

Quick cheats you will use daily:

• 22 SSH - remote shell. If login hangs after password, suspect TCP filtering or AllowUsers policy before you blame credentials.
• 80/443 HTTP/S - everything from health checks to C2 beacons rides here. Proxies often rewrite requests. Capture and compare.
• 53 DNS - resolution issues look like random failures. Test with dig @resolver_ip example.com to bypass system DNS.
• 445 SMB - Windows auth and file shares. If smbclient fails only on large files, think MTU or signing.

More:

• IANA Service Name and Transport Protocol Port Number Registry

📦 Packet flow and basic tools

Tools I use in order when something breaks:

1. ping to test reachability. If ICMP is blocked, move on.
2. traceroute to see the path. Sudden star means a filter or NAT.
3. ss -tulnp or netstat -tunlp to list listeners.
4. tcpdump -nni eth0 port 443 to confirm packets leave and return.
5. Wireshark for the story behind the packets.

🔥 NAT, DHCP, DNS, routing

This is the unsexy part that makes everything work.

• NAT hides private hosts. Reverse shells fail a lot here. Use a listener on a port allowed outbound.
• DHCP gives IPs. If two boxes fight for the same address, the lease server is probably duplicated or mis-scoped.
• DNS is the phonebook. If a domain resolves to different IPs than you expect, check split horizon and hosts files.
• Routing decides the next hop. Wrong default gateway is the classic silent killer.

Learn more:

• NAT Explained – IPCisco
• How DHCP Works – Microsoft Learn
• DNS in detail – Cloudflare Learning

Learn stack without pain

What helped me when I started:

• TryHackMe Network Fundamentals module – hands-on labs.
• Professor Messer Network+ videos – structured theory.
• Packet Tracer or GNS3 – virtual routers/switches without real gear.
• Wireshark – see the truth on the wire.

If you are on Linux, make nmap, netcat, ip, and ss part of your daily toolkit.

What to do right after reading (Practical Exercises)

1. Capture your browser loading a site in Wireshark and find the three-way handshake.
2. Split 192.168.1.0/24 into two /25s. Put two VMs on different halves and make them ping using a router VM.
3. Run ss -tulnp then open a new nc -lvp 4444 listener and watch the new entry appear.

Why this matters in real attacks

When you understand networking:

• ARP spoofing, DNS poisoning, and MITM are not tricks. They are predictable outcomes you can detect and block.
• You stop pasting scripts and start fixing root causes.
• You can explain failures to a client in plain English and get them fixed the same day.

Final words

Networking is not flashy, but it is the floor under your feet. Build it solid now and future you will move faster, break less, and spend more time popping shells than debugging routes.

If you are stuck, tell me what you tried and what you saw on the wire. I will help you untangle it step by step.