Automotive / ICS / SCADA — PhantomYerra Help

1

Select Automotive / ICS from Home Screen

Click 🚗 Automotive / ICS. Select assessment type: Automotive (CAN/UDS), ICS/SCADA, or both.
2

Configure CAN Interface

Interface Type : SocketCAN (Linux) / Peak PCAN / Vector / Kvaser Device : can0, can1 (SocketCAN) or USB adapter Baud Rate : 500kbps (standard) / 250kbps (low-speed) / 1Mbps (CAN FD) DBC File : Upload .dbc file if available (for signal decoding)
3

Claude Runs Automotive Security Assessment

Phase 1: CAN traffic capture — cantools, python-can passive monitoring Phase 2: Signal decoding — decode known signals via DBC file Phase 3: ECU enumeration — UDS (ISO 14229) ECU scan via OBD-II Phase 4: UDS service test — test diagnostic services (0x11, 0x27, 0x31) Phase 5: Security access — seed/key bypass attempts (0x27 service) Phase 6: Fuzzing — CAN frame fuzzing on safe non-safety IDs Phase 7: Telematics — cellular/WiFi/BT attack surface analysis Phase 8: Report — findings with UNECE WP.29 mapping
4

ICS / SCADA Assessment (if selected)

Phase 1: Device discovery — nmap ICS NSE scripts on OT network Phase 2: Protocol audit — Modbus, DNP3, EtherNet/IP, S7, BACnet Phase 3: Auth testing — default credentials on HMI/SCADA servers Phase 4: Firmware check — PLC firmware version → CVE matching Phase 5: Network seg. — IT/OT boundary verification Phase 6: Report — IEC 62443 compliance mapping

⏱️ Automotive assessment: 4–8 hours. ICS/SCADA assessment: 1–3 days.

1

Complete Wizard and Approve Passive Capture First

Proposal: "Passively capture CAN traffic for 60 seconds — no injection" → [Approve] → 15,847 frames captured across 12 arbitration IDs
2

Approve UDS Service Enumeration

Proposal: "Enumerate ECUs via UDS broadcast (0x7DF) — read ECU info only" → [Approve] → 8 ECUs found: BCM, ECM, TCM, TPMS, IPC, ADAS_1, ADAS_2, GW Proposal: "Test UDS Security Access (0x27) on Gateway ECU — check for weak seed/key" → [Edit: reduce timeout to 5s] → [Approve]
3

Approve or Skip Fuzzing Steps

Proposal: "Fuzz CAN ID 0x200 (identified as non-safety body CAN frame)" → [Review safety classification] → [Approve] → 3 ECU resets triggered — potential DoS on TPMS module Proposal: "Attempt programming session on BCM ECU" → [Skip — outside scope for this engagement]

⏱️ Typical duration: 6–12 hours with active approval and safety reviews.

can-utils (candump, cansend, cansniffer) installed
python-can, cantools, caringcaribou installed
SocketCAN interface configured: sudo ip link set can0 up type can bitrate 500000

1

Set Up SocketCAN Interface

sudo modprobe can sudo modprobe can_raw sudo ip link set can0 up type can bitrate 500000 ip link show can0 # verify UP state
2

Passive CAN Traffic Capture

candump can0 -l # log to file cansniffer can0 # live display with change detection cantools decode --database vehicle.dbc - < candump.log # decode if DBC available
3

UDS ECU Enumeration

python3 -c " import can, isotp bus = can.interface.Bus(channel='can0', bustype='socketcan') # Send UDS broadcast: DiagnosticSessionControl (0x10 0x01) msg = can.Message(arbitration_id=0x7DF, data=[0x02,0x10,0x01], is_extended_id=False) bus.send(msg) # Read responses from ECUs (0x7E8 - 0x7EF range) " # Caringcaribou UDS scanner python3 -m caringcaribou uds discovery
4

ICS Modbus Audit

nmap --script modbus-discover -p 502 [plc-ip] nmap --script dnp3-info -p 20000 [rtu-ip] # Modbus read coils python3 -c " from pymodbus.client import ModbusTcpClient c = ModbusTcpClient('[plc-ip]') c.connect() result = c.read_coils(0, 100) print(result.bits) "

⏱️ Duration: 2–5 days for a comprehensive automotive or ICS security assessment.

Automotive / ICS / SCADA Security