Difference between revisions of "Hak5 Packet Squirrel"

From Embedded Lab Vienna for IoT & Security
Revision as of 16:07, 2 March 2021

Summary

[Figure: Packet Squirrel device]

The Packet Squirrel operates as an Ethernet man-in-the-middle and comes preloaded with three exploit scripts. These three attack modes are Logging Network Traffic, Spoofing DNS and OpenVPN Tunnel. They can also be modified and exchanged for other scripts. The Packet Squirrel can also be combined with the Hak5 Cloud C2, a command and control server specifically for Hak5 devices.

Description

[Figures: "SSH connect", "spoofhost file", "Spoofed browser warning"]

The Packet Squirrel has a switch to choose between the three exploit payloads (logging a TCP dump, VPN tunnelling and DNS spoofing) or Arming Mode.

In Arming Mode (switch in the 4th position, nearest to the USB port) you can easily access the device with ssh root@172.16.32.1 and the password hak5squirrel. For this, the Packet Squirrel acts as a DHCP server. If you don't get an IP address, manually configure an IP from the 172.16.32.0/24 network on your Ethernet interface. Arming Mode is indicated by a blue blinking LED and allows you to configure the different payloads.

It is also possible to gain SSH access to the device during the attack modes, using the IP address of the outgoing Ethernet interface.

Basic Cable Setup

  1. Plug the victim's Ethernet cable into the "Ethernet In" port
  2. Plug the gateway Ethernet cable into the "Ethernet Out" Port
  3. Power the device by plugging in the power cable

Firmware Upgrade

Shipped devices are installed with version 1.0, which can be seen in the VERSION file in the Packet Squirrel root folder. The current version 3.2 can be downloaded from the Hak5 website.

The file has to be named upgrade-version.bin (where version stands for the version number) and copied to the root directory of an NTFS- or EXT4-formatted USB drive.

Plug the USB drive into the Packet Squirrel and set the selection switch to Arming Mode. Then power on the Packet Squirrel.

The upgrade process takes 5 minutes and is indicated by a solid red or blue LED. When the firmware upgrade is finished, the Packet Squirrel reboots and goes into Arming Mode, shown by a blue blinking LED.

Then you can connect again with SSH and verify the new version, shown in Figure "SSH connect".

Payloads

Logging Network Traffic

This mode creates TCP/UDP dumps and saves them on the USB drive for later analysis. Just follow these easy steps:

  1. A USB stick with an NTFS file system needs to be plugged into the USB-A port before the Squirrel is powered up.
  2. Flip the switch to the first position (nearest to the micro USB power input).
  3. Connect the victim's Ethernet cable to the Ethernet port on the same side as the USB power connector, and connect the gateway Ethernet cable to the other port.
  4. Plug in the power cable and wait for the one-minute start-up sequence. The device can be powered either by the victim machine or by a USB power bank.
  5. Traffic is being captured once the LED starts blinking yellow. If instead the LED cycles between red, green and blue, the USB stick has the wrong file system.
  6. Stop the capture by pressing the button. The device then takes some seconds to write the tcpdump to the USB storage. As soon as the LED glows red the saving process has ended and you are good to go.
  7. You can now analyse the captured pcap file, located in \loot\tcpdump, with Wireshark.

After that, the connection through the Packet Squirrel is shut down. To allow the client to connect to the network again, the Packet Squirrel has to be rebooted.

DNS Spoofing Mode

This mode answers the client's DNS queries with spoofed entries to redirect traffic to other IP addresses.

  1. For this mode we have to start in Arming Mode (switch in the fourth position).
  2. After gaining access with SSH we change to the DNS spoofing directory with cd /payloads/switch2.
  3. There we can define the spoofed domain names by editing the file spoofhost with nano spoofhost.
  4. In the file, add entries like address=/myspoofdomain.at/194.232.104.140 as shown in figure "spoofhost file". The example IP belongs to orf.at.
  5. Unplug the Packet Squirrel and shift the switch to the second position.
  6. Plug it in and wait until the start-up sequence is finished and the LED starts blinking yellow.

By browsing to the spoofed domain, the request gets redirected to the given IP. As shown in figure "Spoofed browser warning", browsers show certificate alerts because the domain and certificate do not match. This mode can still be used to attack other applications that use domain names without certificate validation.

OpenVPN Mode

[Figures: "OpenVPN Access Mode", "OpenVPN Tunneling Mode"]

The VPN payload implements VPN access mode and VPN tunnelling mode. If you want to set up your own OpenVPN (OVPN) server, follow the instructions on the Hak5 webpage. For the purpose of testing we use an existing server from freeopenvpn.org.

  1. Start by selecting the desired server and download the OVPN access certificate.
  2. Set the Packet Squirrel to Arming Mode and connect to its shell.
  3. Copy the certificate with scp user@server:downloadfolder/filename.ovpn /root/payloads/switch3/config.ovpn
  4. Change to the directory with cd /root/payloads/switch3/
  5. Edit config.ovpn at line 30 to read auth-user-pass credentials.txt
  6. Add a credentials file with nano credentials.txt containing the two lines:
    1. freeopenvpn
    2. <the displayed password>
  7. Before starting the VPN we choose the VPN mode:
    1. Open payload.sh
    2. Set For_Clients= to
      1. 0 for Access Mode
      2. 1 for Tunneling Mode
  8. Now set the switch to the third position and unplug and replug the power.
  9. You are good to go if the yellow LED starts to flash after the boot-up sequence.

Access Mode

Access mode allows the Squirrel to reach the VPN network via its secure shell. The connection was established if the command ifconfig tun0, issued in the Packet Squirrel's shell, shows the following output:

tun0 
     Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
     inet addr:192.168.231.245 P-t-P:192.168.231.245 Mask:255.255.255.0
     UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
     RX packets:12 errors:0 dropped:0 overruns:0 frame:0
     TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:100
     RX bytes:1404 (1.3 KiB) TX bytes:608 (608.0 B)

The Access Mode can be used to reach a private network that is used for testing and pen-testing purposes, such as a honeypot virtual machine.

Tunneling Mode

The Tunnelling mode encapsulates all the traffic and sends it to the VPN server, from where it is sent to the internet. VPN tunnelling allows users to disguise their IP address; you can check your current IP address with ipchicken.com.

You can also install a simple OpenVPN server on a Linux machine with wget https://git.io/vpn -O openvpn.sh && bash openvpn.sh and press Enter 6 times. Then copy the generated client.ovpn file to the Packet Squirrel in the /payload/switch3 folder and restart it with the switch in the third position.

Meterpreter-via-SSH

This payload starts the Packet Squirrel in NAT mode and waits for user input. When the button is pressed, the payload connects to a remote SSH server and creates a local port tunnel. It then launches a meterpreter shell over the tunnel. The intent is to hide the meterpreter network traffic behind legitimate SSH activity. You can download this payload from the official hak5 GitHub (https://github.com/hak5/packetsquirrel-payloads/tree/master/payloads/library/remote-access/Meterpreter-via-SSH).

Getting Started

Copy the payload to the Packet Squirrel into the desired switch folder. Now edit the script to configure your server options:

  • SSH_USER - username on the remote SSH server
  • SSH_HOST - IP address of the remote SSH server
  • MSF_PORT - meterpreter port

Note: If you changed the default meterpreter port, don't forget to change it on the Metasploit side as well.

Generate SSH Key on Squirrel

Now you have to generate an SSH key pair (just use the default location and an empty passphrase) on your Packet Squirrel:

root@squirrel:~# ssh-keygen

Allow Squirrel on SSH Server

Then you have to copy the contents of /root/.ssh/id_rsa.pub from the Packet Squirrel into the authorized_keys file on the SSH server:

user@server:~# mkdir ~/.ssh
user@server:~# echo 'paste id_rsa.pub contents inside this quote' > ~/.ssh/authorized_keys

Run Metasploit with Resource

msf@server:~# msfconsole -r server.rc

LED Definitions

  1. Configure NETMODE
    • Solid Magenta
  2. Connect to SSH Server
    • SUCCESS - Blink Amber 5 Times
    • FAIL - Blink Red 2 Times
  3. Launch meterpreter
    • SUCCESS - Blink Cyan 1 Time
    • FAIL - Blink Red 1 Time

Hardening Recommendations

  1. Use an account with limited privileges for SSH access on the server.
  2. Use a dedicated account for the Packet Squirrel device (audit its usage with the SSH access logs).
  3. Disable PasswordAuthentication in sshd_config on the server.
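The two checks behind recommendations 2 and 3, as an added example written for this page (it is not Hak5 code and not part of the wiki article): one confirms that the effective PasswordAuthentication setting of an sshd_config is "no", the other summarises accepted logins of the dedicated device account per source address so that logins from unexpected hosts stand out. The sshd_config excerpt and auth log lines are constructed samples, and the account name "squirrel" is an assumption.

```shell
#!/bin/sh
# Added example: audit helpers for the SSH server the Packet Squirrel logs into.
# The config and log excerpts below are constructed samples; the account name
# "squirrel" is an assumption for this example.

# password_auth_disabled CONFIG_FILE
# sshd honours the first occurrence of a keyword (settings inside a Match block
# are conditional, so we stop reading there). Succeeds only if that first
# global PasswordAuthentication value is "no"; an absent keyword means the
# default ("yes") applies, so it fails too.
password_auth_disabled() {
    val=$(awk 'tolower($1) == "match" { exit }
               tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
    [ "$val" = "no" ]
}

# accepted_logins LOG_FILE USER
# Prints "<source ip> <count>" for every accepted sshd login of USER, sorted,
# so the dedicated device account can be checked against the hosts it should
# be connecting from.
accepted_logins() {
    awk -v user="$2" '
        $0 ~ /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++)
                if ($i == "for" && $(i + 1) == user && $(i + 2) == "from")
                    counts[$(i + 3)]++
        }
        END { for (ip in counts) print ip, counts[ip] }' "$1" | sort
}

# password_logins LOG_FILE USER
# Number of successful *password* logins of USER: with key-only access any
# value above 0 means the hardening did not take effect on this server.
password_logins() {
    grep -c "sshd\[[0-9]*\]: Accepted password for $2 from" "$1" || true
}

# Constructed samples (not real server data).
SAMPLE_DIR=$(mktemp -d)
SSHD_CONF="$SAMPLE_DIR/sshd_config"
AUTH_LOG="$SAMPLE_DIR/auth.log"
cat > "$SSHD_CONF" <<'EOF'
# constructed sample sshd_config
Port 22
#PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
EOF
cat > "$AUTH_LOG" <<'EOF'
Mar  2 15:58:01 server sshd[2140]: Accepted publickey for squirrel from 203.0.113.10 port 50122 ssh2: RSA SHA256:constructed
Mar  2 16:01:17 server sshd[2177]: Accepted publickey for squirrel from 203.0.113.10 port 50130 ssh2: RSA SHA256:constructed
Mar  2 16:03:44 server sshd[2201]: Accepted password for squirrel from 198.51.100.7 port 41002 ssh2
Mar  2 16:05:09 server sshd[2230]: Accepted publickey for alice from 192.0.2.5 port 60001 ssh2: RSA SHA256:constructed
Mar  2 16:06:30 server sshd[2255]: Failed password for squirrel from 198.51.100.7 port 41010 ssh2
EOF

if password_auth_disabled "$SSHD_CONF"; then
    echo "PasswordAuthentication: disabled"
else
    echo "PasswordAuthentication: ENABLED (or defaulted)"
fi
echo "accepted logins for squirrel (ip count):"
accepted_logins "$AUTH_LOG" squirrel
echo "password logins for squirrel: $(password_logins "$AUTH_LOG" squirrel)"
```

On a real server, point the functions at /etc/ssh/sshd_config and the distribution's auth log (for example /var/log/auth.log); the sample above deliberately contains one password login from a second address, which is exactly the kind of entry the audit should surface.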

ISpyintel

This payload automates gathering various recon data on whatever passes between its Ethernet ports. You can download this payload from the official hak5 GitHub (https://github.com/hak5/packetsquirrel-payloads/tree/master/payloads/library/sniffing/ispyintel). Note: This payload requires a USB stick to store loot.

Setup

  1. Edit the config variables at the top. The main variables are:
    1. lootPath="/mnt/loot/intel" # Path to loot
    2. mode="TRANSPARENT" # Network mode we want to use
    3. interface="br-lan" # Interface to listen on
  2. Copy payload.sh into the ~/payloads/switch folder you wish to deploy on.
  3. Connect into a target machine with access to the LAN.
  4. Set switch to the spot and power up.
  5. Leave, get coffee, take a nap while everything is recorded and parsed for future use.
  6. When done; hit the button. The LED will rapidly flash white to let you know it is finishing up.
  7. When all is done the LED will just go blank. It is now safe to unplug and go about your day.

Tasks that are started

  • tcpdump - records every packet that was sent and received
  • urlsnarf - collects all websites that were visited
  • dsniff - attempts to acquire passwords and what not
  • ngrep - on ports 80 and 21 with the filter for common password fields
  • ngrep - on ports 80 and 21 with the filter for common session id fields
  • log.txt - logs the progress of the payload for troubleshooting

Clean Up

Once the button is pressed, the payload automatically parses the tcpdump log file for the following items and stores the results in separate files. As this process can take some time, the LED changes to a rapid white blink, letting you know the button command was received and the payload is in the process of shutting down.

  • ipv4found.txt will contain a unique list of all IPv4 addresses the pcap file contains
  • maybeEmails.txt is a very loose search for possible email addresses that came across the wire in plain text.

Creating your own Payloads

The Packet Squirrel allows us to create our own attack payloads by loading them onto the USB stick and naming them Switch1 to Switch3. It allows us to create payloads in Python, bash or PHP. For Python and bash it is important to use the interpreter directive (Python: #!/usr/bin/python, bash: #!/usr/bin/bash). Bash scripts can access the following pre-installed tools: openvpn, autossh, tcpdump, meterpreter-https, cron, nmap, ncat-ssl, ncat, sshfs and wget.

The featured Squirrel Script offers the following additional commands:

  • NETMODE

specifies which network mode the Packet Squirrel uses and how traffic is routed

  Command              Description
  NETMODE BRIDGE       Creates a bridge between the IN and OUT Ethernet interfaces, with an own IP address for the Packet Squirrel
  NETMODE TRANSPARENT  Also creates a bridge between the interfaces, but with no own IP address
  NETMODE NAT          The Packet Squirrel gets an IP address from the target network; the client gets an IP from the Packet Squirrel
  NETMODE VPN          Same as NAT, with a VPN interface for client tunneling
  NETMODE CLONE        Clones the MAC address of the target client and uses it to connect to the LAN

  • LED

with this command the multi-color LED can be controlled

  Possible configurations  Description
  LED Colors               red, green, blue, yellow, cyan, magenta, white
  LED Patterns             SOLID, SLOW, FAST, SINGLE, DOUBLE, TRIPLE, SUCCESS, 1-10000
  LED State                SETUP, FAIL, ATTACK, STAGE, SPECIAL, CLEANUP, FINISH

  • BUTTON

The BUTTON command pauses the payload until the hardware button is pressed or a specified time has passed.

  • SWITCH

The SWITCH command returns the current position of the hardware payload selection switch. Output is "switch1", "switch2", "switch3" or "switch4".

Example

[Figures: "C2 server start", "C2 Dashboard", "C2 Packet Squirrel"]

Here is an example of the usage of Squirrel Script.

# Title: Caternet
# Author: Hak5Darren
# Version: 1.0
# Description: Forwards all traffic to local webserver hosting cat photos.
# Props: In loving memory of Hak5Kerby

LED SETUP
NETMODE NAT
echo "address=/#/172.16.32.1" > /tmp/dnsmasq.address
/etc/init.d/dnsmasq restart

LED ATTACK
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 53 -j REDIRECT --to-port 53
python -m SimpleHTTPServer 80

For more information go to the hak5.org webpage.
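A second, added example payload built from the same Squirrel Script commands (it is not a Hak5 payload and not code from this article). It mirrors the stock logging payload described earlier, capturing traffic in TRANSPARENT mode until the button is pressed, but adds two things a practitioner usually wants: it refuses to start unless a loot drive with a usable file system is mounted (the situation the red/green/blue LED cycle signals), and it writes each run into a fresh numbered directory so a second run on the same stick cannot overwrite the first capture. The interface br-lan and the mount point /mnt/loot follow the ispyintel configuration quoted above; the function names and the capture-NNNN directory scheme are this example's own assumptions. Off the device, where NETMODE and friends do not exist, the script only runs its checks against a constructed mounts sample.

```shell
#!/bin/bash
# Added example payload (not Hak5 code, not from the wiki page). Captures traffic
# in TRANSPARENT mode until the button is pressed, after checking the loot drive.
# br-lan and /mnt/loot follow the ispyintel config; everything else is assumed.

LOOT_MOUNT="/mnt/loot"
IFACE="br-lan"

# loot_fstype MOUNTS_FILE MOUNTPOINT
# Prints the filesystem type recorded for MOUNTPOINT in a /proc/mounts style
# file and succeeds only for types the payload can write to: ext4, or NTFS
# (the ntfs-3g FUSE driver reports it as "fuseblk", the kernel driver as
# "ntfs3"). Anything else, including an absent mount, fails.
loot_fstype() {
    local fstype
    fstype=$(awk -v mp="$2" '$2 == mp { print $3 }' "$1" | tail -n 1)
    case "$fstype" in
        ext4|ntfs|ntfs3|fuseblk) echo "$fstype" ;;
        *) return 1 ;;
    esac
}

# next_loot_dir BASE
# Creates and prints BASE/capture-NNNN using the first unused number, so a
# second run on the same stick does not clobber the first capture.
next_loot_dir() {
    local n=1 dir
    while :; do
        dir=$(printf '%s/capture-%04d' "$1" "$n")
        [ -e "$dir" ] || break
        n=$((n + 1))
    done
    mkdir -p "$dir" && echo "$dir"
}

if command -v NETMODE >/dev/null 2>&1; then
    # On the Packet Squirrel: the actual payload.
    LED SETUP
    if ! loot_fstype /proc/mounts "$LOOT_MOUNT" >/dev/null; then
        LED FAIL          # no usable loot drive: refuse to start
        exit 1
    fi
    LOOT_DIR=$(next_loot_dir "$LOOT_MOUNT/tcpdump")
    NETMODE TRANSPARENT
    LED ATTACK
    tcpdump -i "$IFACE" -w "$LOOT_DIR/capture.pcap" &
    TCPDUMP_PID=$!
    BUTTON                # blocks until the hardware button is pressed
    LED CLEANUP
    kill "$TCPDUMP_PID"
    wait "$TCPDUMP_PID" 2>/dev/null
    sync                  # flush the pcap before the LED reports completion
    LED FINISH
else
    # Off the device: dry run of the check against a constructed mounts sample.
    SAMPLE=$(mktemp)
    printf '/dev/sda1 /mnt/loot ext4 rw,relatime 0 0\n' > "$SAMPLE"
    if loot_fstype "$SAMPLE" "$LOOT_MOUNT" >/dev/null; then
        echo "loot drive usable"
    fi
    rm -f "$SAMPLE"
fi
```

The guard on command -v NETMODE is what lets the same file be tested on a workstation and deployed unchanged to a switch folder; on the device the Squirrel Script commands are present and the real payload body runs.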

with Cloud C2

The Hak5 Cloud C2 is a command and control server for Hak5 devices. Installation and startup is shown in figure "C2 server start". By browsing to the configured address you can login to the dashboard, shown in figure "C2 dashboard".

To connect the Packet Squirrel with your Cloud C2, click on the plus button in the lower right corner and choose the device. On the dashboard, open the added device and click on Setup, as shown in figure "C2 Packet Squirrel". Then copy the downloaded file to the Packet Squirrel's /etc folder and reboot it. In the Overview tab you can also Edit, Reboot, Wipe and Remove your device.

In the Clients tab you can see all clients that were connected to your Packet Squirrel, with hostname, MAC and IP address. In the Loot tab you can open the current loot from your Packet Squirrel directly on your C2 server. And in the Terminal tab you can open an SSH session to your device.

Used Hardware

Packet Squirrel
