Hak5 Plunder Bug

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search
Plunder Bug


The Plunder Bug by Hak5 is a LAN Tap device enabling interception and eavesdropping of data communicated through an Ethernet link. Its use cases are diverse, as it could be used as a diagnostic tool supporting troubleshooting in a network. If used for malicious purposes, such as sniffing attacks, it might prove itself effective because of its small form factor and therefore increasing the likelihood of being recognized. It is very easy to use and works out-of-the-box but offers only limited configurability.


Plunder Bug Network Deployment

The Plunder Bug can be viewed as a simpler version of a Hak5 Packet Squirrel. It allows the user to tap network traffic and to access it for network scanning.


The device offers two Ethernet ports, each for one of the devices sharing a communication link that we want to sniff the traffic. A USB-C device is used for the attacker. Traffic coming through either of the Ethernet ports will get mirrored to the attacker.


  1. Connect the Ethernet port of the victim machine with one of the two Ethernet Ports of the Plunder Bug with an short Ethernet cable.
  2. Connect the other Ethernet port with the with the Ethernet cable which was previously plugged in the victim device.
  3. Power up the Plunder Bug by Connecting the USB-C female to USB-A male cable with an device which is under your control (preferably a raspberry pi with an battery shield).

Plunder Bug Modes

Plunder Bug Mute/Unmute Output

The only configurable parameter for the Plunder Bug is to run it either in a "muted" and "unmuted" mode. The Plunder Bug mirrors all network traffic and sends it to the USB-C port when operating in the muted mode. The unmuted mode gives extra capabilities compared to the muted mode. In addition to passively listening to traffic, the USB-C port is used for sending frames out on the link, effectively making it a small portable switch. This mode would also allow one to perform network scans from the attacking device. According to specification in [1], the device is set to unmuted mode by default.

To change between the Plunder Bug modes download the shell script from downloads.hak5.org:

Shell script usage:

  • make it executable with chmod +x ./plunderbug.sh
  • run the script as root or superuser:
./plunderbug.sh [options]

     --mute                 to use mute mode
     --unmute               to use unmuted mode

Sniffing Data

The following will describe the necessary steps that are needed to sniff data from an Ethernet link.

Local Access

If you can access the tapping device locally, open Wireshark and select the Ethernet interface from the Plunder Bug that is connected via the USB cable. On some Mac and Linux systems the driver for the AX88772C chipset does not install automatically. To download the drivers and further instructions the following link is helpful[2].

Remote Access

Sniffing Node

  1. Make sure that tcpdump and ssh-server is installed

Wireshark Machine

  1. Configure the SSH Remote capture Interface
  2. Server Tab:
    1. Enter IP
    2. Enter Port (usually 22)
  3. Server Tab:
    1. Enter Username & Password
  4. Capture Tab:
    1. Enter Capturing Interface into Remote Interface

Save TCP dumps

  1. Make sure tcpdump is installed
  2. Run tcpdump and log it into a file
sudo tcpdump > tcplog.pcap

Plunder Bug Usage Example

For this example, we placed the Plunder Bug in a test LAN Network as shown in the network schematic.


In this example, we first perform a network scan with nmap and then sniff data with Wireshark.

1. Performing a network scan

 sudo nmap -sP -e eth1

-sP option tries to resolve the hostname

-e eth1 defines the Plunder Bug as operating Interface


 Starting Nmap 7.70 ( https://nmap.org ) at 2020-06-03 11:57 CEST
 Nmap scan report for
 Host is up (0.0035s latency).
 MAC Address: 00:18:4D:8F:53:0E (Netgear)
 Nmap scan report for
 Host is up (0.00022s latency).
 MAC Address: DC:A6:32:7D:13:C7 (Unknown)
 Nmap scan report for
 Host is up (0.00028s latency).
 MAC Address: DC:A6:32:7D:0C:17 (Unknown)
 Nmap done: 256 IP addresses (3 hosts up) scanned in 20.53 seconds

The output shows that 3 Hosts are online:

  • The Netgear Router
  • Raspberry Pi 1
  • Raspberry Pi 2

2. Sniff with Wireshark

Wireshark gives us the following output if we sniff at the Plunder Bug Ethernet interface


3. Plunder Bug as a Switch

The Plunder Bug has two Ethernet ports and one USB-C port. One of the Ethernet port and the USB-C port can be used as ordinary ethernet ports, as long as the second Ethernet port has access to the Internet. It is important to note that the LAN interfaces are limited to 100 Mbit/s.

Plunder Bug as a Switch

The only requirement for using the Plunder Bug as a Switch is to have the device in unmuted-mode, meaning the device connected via USB-C has the possibility to send packets through the Plunder Bug.

Prevent Packet Sniffing

It is nearly impossible to prevent sending mirrored packets to the attackers, but taking the ability away to read and understand the mirrored packets may achieve a more secure environment.

Plunderbug http post capture.png

Above, an packet with HTTP got captured with the Plunder Bug. Now, the Attacker has the possibilty to read the account credentials for the "testphp.vulweb.com" website, since an insecure protocol was used: HTTP. HTTP does not encrypt the payload, but instead it sends out the Form in plain text. This can be prevented by using HTTPS, which encryptes the data, as on the picture below.

Plunderbug https tls post.png

Also, the user has the possibility to use VPN to protect itself against packet sniffing, since every sent-out packet will be encrypted, therefore taking away the attacker's ability to read and understand the captured packages.

Plunder Bug Android App

As an attacker, to be more inconspicuous, it is possible to connect and sniff packets via an android mobile phone. The App "Plunder Bug - Smart LAN Tap" needs to be installed to fullfil this requirement, which can be found on the Google Play Store.


  1. Have an Android Phone
  2. Android Phone needs to be rooted (since root permissions are needed)
  3. Install the Application "Plunder Bug"
  4. USB-C to USB-C Cable (since newest Android Phones have USB-C Ports)

Steps to sniff packets

  1. Setup the Environment

Setup the Environment for the Plunder Bug: Connect the Ethernet Port of the victim's machine with one of the Ethernet port of the Plunder Bug and use the previous plugged Ethernet cable to connect with the other Ethernet port of the Plunder Bug. Now, get the USB-C to USB-C cable and connect to the Android device.

  1. Start the App and record packets

The app should recognize the plugged-in Plunder Bug and should give you the opportunity to start recording packets.

Plunderbug app start recording.png

Start capturing the packets by clicking on the turquoise button below.

Plunderbug app recording.png

On the screen, some statistics can be found. It displayes the numbers of packets the Plunder Bug has captured and the time ellapsed since the packet recording has started. To stop recording the packets, press on the right button below to save the recored packets in a pcap file. The saved files can be found under the register "Files"

Plunderbug app files overview.png

After clicking on the pcap file, the statistics can be found once again and the user has the opportunity to share the file. Normally, the user saves the pcap file to later view the captured packages on Wireshark (or on any other Application, which has the possibility to read pcap files).

Plunderbug app pcap statistics.png

Used Hardware

Plunder Bug