Hak5 Packet Squirrel

From Embedded Lab Vienna for IoT & Security
Jump to: navigation, search

Summary

The Packet Squirrel operates as an Ethernet Man in the Middle and comes preloaded with three exploit scripts.

Description

Packet Squirrel

The Packet Squirrel has an switch to choose between the three exploit payloads for logging the TCP dump, Using VPN Tunnelling and for DNS spoofing, or arming mode. An arming mode (switch in 4th position) you can easily access the device with ssh root@172.16.32.1 with the password hak5squirrel. It is possible to gain ssh access to the device during the attack modes with the IP address of the outgiong Ethernet interface as well.

Basic Cable Setup

  1. Plug the victims Ethernet cable into the "Ethernet In" Port
  2. Plug the gateway Ethernet cable into the "Ethernet Out" Port
  3. Power the device by plugging in the power cable

TCP/UDP Dumping Mode

  1. A USB Stick with an NTFS file system needs to be plugged in the USB-A Port before the Squirrel is Powered up.
  2. Flip the first position (which is nearest to the micro USB power in).
  3. Connect the Ethernet cable of the victim into the Ethernet port, which is at the same side as the power in USB connector and Connect the Gateway Ethernet cable to the other Port.
  4. Plug the power cable in and wait the one minute long start up sequence. The device can be either powered by the victim machine or by an USB power bank.
  5. The data traffic will be captured, if the LED starts blinking Yellow. If otherwise the LED circles between red, green and blue, then the USB stick has the wrong file system.
  6. Stop the capturing process by pressing the Button. Then the device takes some seconds to write the tcpdum to the USB Storage. As soon as the LED glows red the saving process has ended and you are good to go.
  7. You can now analyse the captured pcap file with wireshark.

DNS Spoofing Mode

  1. For this mode we have to start in arming mode (switch at fourth position)
  2. After gaining access with ssh we change to the DNS spoofing directory with cd /payloads/switch2.
  3. There we can define the Spoofed domain names by editing the spoofhost file
Example: address=/abc.com/216.58.207.164
#This Example would DNS spoof abc.com with an google IP, but this didn't work because Browser checks the Certificates and discovers the Spoofed IP.
  1. Unplug the Packet Squirrel and shift the switch to the second position.
  2. Plug it in and wait until the startup sequence is finished and the LED starts blinking yellow.

OpenVPN Mode

The VPN payload implements VPN access mode and VPN tunnelling mode. If you want to Setup your own OpenVPN (OVPN) server follow the instructions at the hak5 webpage. For the purpose of testing we use use an existing server from freeopenvpn.org.

  1. Start by selecting the desired server and download the the OVPN access certificate.
  2. Set the Packet Squirrel in Arming Mode and connect to its shell
  3. Copy the certificate with scp user@server:downloadfolder/filename.ovpn /root/payloads/switch3/config.ovpn
  4. Steer to the directory with cd /root/payloads/switch3/
  5. Edit the config.ovpn at line 30 to auth-user-pass credentials.txt
  6. Add an credentials file with nano credentials.txt and add the two lines:
    1. freeopenvpn
    2. <the displayed password>
  7. Before starting the VPN we choose the VPN mode:
    1. Open the payload.sh
    2. Set the For_Clients= to
      1. 0 for Access Mode
      2. 1 for Tunneling Mode
  8. Now set the Switch the the third Position and plug power out and in again
  9. You are good to go, if the yellow LED starts to flash after the boot up sequence

Access Mode

Packet Squirrel VPN1.jpg

Access mode allows the squirrel to access the VPN Network via the Secure Shell If the connection was established if the command ifconfig tun0 show the following output when it is issued at the Packet Squirrels Shell.

tun0 
     Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
     inet addr:192.168.231.245 P-t-P:192.168.231.245 Mask:255.255.255.0
     UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
     RX packets:12 errors:0 dropped:0 overruns:0 frame:0
     TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:100
     RX bytes:1404 (1.3 KiB) TX bytes:608 (608.0 B)

The Access Mode can be used to access an Private network that is used for testing and pen testing purposes like an honeypot virtual machine.

Tunneling Mode

Packet Squirrel VPN2.jpg

The Tunnelling mode encapsulates all the traffic and sends it to the VPN Server, from where it is send to the internet. VPN Tunnelling allows users to disguise their IP address you can check your current IP address with ipchicken.com.

Creating your own Payloads

The Packet Squirrel allows us to create our own attack payloads by loading them to the USB stick and naming them Switch1 to Switch3. It allows as to create payload in python, bash or PHP. For Python and Bash it is important to use the interpreter directive Python: #!/usr/bin/python, bash: #!/usr/bin/bash. Bash scripts can access the following pre-installed tools:

  • openvpn
  • autossh
  • tcpdump
  • meterpreter-https
  • cron
  • nmap
  • ncat-ssl
  • ncat
  • sshfs
  • tcpdump
  • wget

For more information go to the hak5.org webpage.

Used Hardware

Packet Squirrel

References