Difference between revisions of "Hak5 Shark Jack"
| (36 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
== | {{Device|device_name=Shark Jack network attack tool|manufacturer=Hak5|link=https://lab401.com/products/shark-jack|image_link=https://stuff.elvis.science/uploads/models/assetmodel-image-8EubvbfP6k.png|description=Portable network attack tool, fast nmap scans. The Shark-Jack is a pen-testing utility developed by the ”Hak5” company and is designed for Ethernet plug and play vulnerability scanning in LANs. In its most basic form, it is essentially a small Linux-machine with a built-in Ethernet plug. The modest, portable physical nature of the device allows for quick and secretive reconnaissance activity. The Shark-Jack consists of following physical components: USB-C charging port, Battery, Status LED, RJ45 Ethernet Jack, MT7628DAN Mikrocontroller, 64 MB RAM, Casing with mode-switch. | ||
== Operation == | |||
It provides 3 modes of operation: Off, Arming, and Attack. In attack mode, the Shark Jack will execute the payload.sh or payload.txt bash script from the /root/payload directory. In arming mode, the Shark Jack will be configured with a static IP address of 172.16.24.1 and will simply start an SSH server, without automatically executing any script. In this mode, a perpetrator may load and configure scripts, or retrieve output files placed in the loot directory from previous reconnaissance or attack operations. This can be done using the Linux command line utility “scp”. The status LED lights are configurable using appropriate syntax inside the payload script, provided by the Shark-Jack firmware. | |||
== | == Example Usage == | ||
The user prepares a payload script which performs basic network auditing. Here, the user obtains an IP address via DHCP. The DHCP flow is initiated using the "NETMODE DHCP\_CLIENT" directive provided by the Shark Jack framework. Once an address is assigned, grep and sed is used to perform text manipulation on the output of the "ip addr" command, in order to filter the subnet. This subnet is then passed as a argument to nmap. A simple nmap with the option "-sn" is performed. This means that port scans and other elaborate scans are skipped. It is a fast way to determine available hosts. Additionally, a traceroute to Google servers is used to gain further insight into the network topology. The outputs of nmap and traceroute are appended to a loot file: | |||
#!/bin/bash | |||
#Using \ as pipe symbol because i dont know how to escape it in this wiki editor thingy | |||
* | LED SETUP | ||
NMAP_OPTIONS="-sn" LOOT_DIR=/root/loot/net | |||
mkdir -p $LOOT_DIR | |||
echo "Obtain IP address..." >> SLOOT_DIR/log.txt | |||
NETMODE DHCP_CLIENT | |||
while [ -z "$SUBNET" 1; do | |||
sleep 1 && SUBNET=$(ip addr \ grep -i eth0 \ grep -i inet \ grep -E -o" ( [0-91{1,3}[\. 1) {3710-91{1,33\/1{1}[0-91{1,23" \ sed 's/\.[0 | |||
9]*\//\.01 //') | |||
done | |||
echo "Obtained IP address in subnet: $SUBNET" >> $LOOT_DIR/log.txt | |||
LED ATTACK | |||
echo "Starting nmap with options §NMAP_OPTIONS" >> $LOOT_DIR/log.txt | |||
nmap SNMAP_OPTIONS $SUBNET -ON SLOOT_DIR/net-scan.txt echo "Starting traceroute >> SLOOT_DIR/log.txt | |||
traceroute 8.8.8.8 > SLOOT_DIR/net-scan.txt | |||
echo "Done" >> $LOOT_DIR/log.txt | |||
echo "Inspect loot under SLOOT_DIR/net-scan.txt" >> | |||
$LOOT_DIR/log.txt | |||
LED FINISH | |||
sleep 2 && halt" | |||
The user then puts the Shark Jack into arming mode and plugs the device into the Ethernet port of their machine. The user loads the prepared script onto the Shark Jack using scp. The Shark Jack is unplugged and switched into attack mode. It is ready to be deployed onto a target network. Once execution is done, the loot can be retrieved via arming mode. | |||
== Defense == | |||
- Make sure physical access to infrastructure is only possible for authorized personnel (lock doors to server rooms and server cabinets) | |||
- Disable unused ports | |||
- Physically inspect routers and switches on a regular basis | |||
- Network segmentation, subnets, to reduce attack surface | |||
- Monitor network for suspicious traffic | |||
== | == References == | ||
https://docs.hak5.org/shark-jack/getting-started/shark-jack-basics | |||
https://github.com/hak5/sharkjack-payloads | |||
|technicalSpecification=https://docs.hak5.org/shark-jack/|supportedTechnologies=Ethernet, USB|includedEquipment=1x shark jack, 1x instruction card|elviscategory=Security/Crypto}} | |||
[[Category: | [[Category:Documentation]] | ||
Latest revision as of 18:16, 4 March 2024
| Name | Shark Jack network attack tool |
| Manufacturer | Hak5 |
| Link | https://lab401.com/products/shark-jack |
| Specification | https://docs.hak5.org/shark-jack/ |
| Technologies | Ethernet, USB |
| Included equipment | 1x shark jack, 1x instruction card |
|
Description
Portable network attack tool, fast nmap scans. The Shark-Jack is a pen-testing utility developed by the ”Hak5” company and is designed for Ethernet plug and play vulnerability scanning in LANs. In its most basic form, it is essentially a small Linux-machine with a built-in Ethernet plug. The modest, portable physical nature of the device allows for quick and secretive reconnaissance activity. The Shark-Jack consists of following physical components: USB-C charging port, Battery, Status LED, RJ45 Ethernet Jack, MT7628DAN Mikrocontroller, 64 MB RAM, Casing with mode-switch.
Operation
It provides 3 modes of operation: Off, Arming, and Attack. In attack mode, the Shark Jack will execute the payload.sh or payload.txt bash script from the /root/payload directory. In arming mode, the Shark Jack will be configured with a static IP address of 172.16.24.1 and will simply start an SSH server, without automatically executing any script. In this mode, a perpetrator may load and configure scripts, or retrieve output files placed in the loot directory from previous reconnaissance or attack operations. This can be done using the Linux command line utility “scp”. The status LED lights are configurable using appropriate syntax inside the payload script, provided by the Shark-Jack firmware.
Example Usage
The user prepares a payload script which performs basic network auditing. Here, the user obtains an IP address via DHCP. The DHCP flow is initiated using the "NETMODE DHCP\_CLIENT" directive provided by the Shark Jack framework. Once an address is assigned, grep and sed is used to perform text manipulation on the output of the "ip addr" command, in order to filter the subnet. This subnet is then passed as a argument to nmap. A simple nmap with the option "-sn" is performed. This means that port scans and other elaborate scans are skipped. It is a fast way to determine available hosts. Additionally, a traceroute to Google servers is used to gain further insight into the network topology. The outputs of nmap and traceroute are appended to a loot file:
#!/bin/bash
#Using \ as pipe symbol because i dont know how to escape it in this wiki editor thingy
LED SETUP
NMAP_OPTIONS="-sn" LOOT_DIR=/root/loot/net
mkdir -p $LOOT_DIR
echo "Obtain IP address..." >> SLOOT_DIR/log.txt
NETMODE DHCP_CLIENT
while [ -z "$SUBNET" 1; do
sleep 1 && SUBNET=$(ip addr \ grep -i eth0 \ grep -i inet \ grep -E -o" ( [0-91{1,3}[\. 1) {3710-91{1,33\/1{1}[0-91{1,23" \ sed 's/\.[0
9]*\//\.01 //')
done
echo "Obtained IP address in subnet: $SUBNET" >> $LOOT_DIR/log.txt
LED ATTACK
echo "Starting nmap with options §NMAP_OPTIONS" >> $LOOT_DIR/log.txt
nmap SNMAP_OPTIONS $SUBNET -ON SLOOT_DIR/net-scan.txt echo "Starting traceroute >> SLOOT_DIR/log.txt
traceroute 8.8.8.8 > SLOOT_DIR/net-scan.txt
echo "Done" >> $LOOT_DIR/log.txt
echo "Inspect loot under SLOOT_DIR/net-scan.txt" >>
$LOOT_DIR/log.txt
LED FINISH
sleep 2 && halt"
The user then puts the Shark Jack into arming mode and plugs the device into the Ethernet port of their machine. The user loads the prepared script onto the Shark Jack using scp. The Shark Jack is unplugged and switched into attack mode. It is ready to be deployed onto a target network. Once execution is done, the loot can be retrieved via arming mode.
Defense
- Make sure physical access to infrastructure is only possible for authorized personnel (lock doors to server rooms and server cabinets)
- Disable unused ports
- Physically inspect routers and switches on a regular basis
- Network segmentation, subnets, to reduce attack surface
- Monitor network for suspicious traffic
References
https://docs.hak5.org/shark-jack/getting-started/shark-jack-basics
https://github.com/hak5/sharkjack-payloads