Packet Squirrel

From Embedded Lab Vienna for IoT & Security

Introduction

The Packet Squirrel, designed by Hak5, is a useful tool for anyone who wants to explore the functions of a man-in-the-middle device in a network. It can provide a VPN, alter network traffic, disguise IP and MAC addresses, sniff packets, spoof DNS, and offer reverse shell and root shell access. It is very discreet, allowing for stealthy deployment between network devices. It is mainly used for penetration testing and system administration but can also be abused in legally questionable ways. This paper contains an overview of the Packet Squirrel's specifications as well as a thorough explanation of all its functions. It also describes how payload development and deployment for the Packet Squirrel work.

Specifications

The Packet Squirrel has the following specifications:

  • 64 MB of DDR2 RAM
  • 16 MB Onboard Flash
  • USB 2.0 Host Port
  • Atheros AR9331 System-on-Chip (SoC), a 400 MHz MIPS chip (also called "Hornet")
  • 4-way payload select switch
  • RGB Indicator LED
  • Scriptable Push-Button

It does not support Power over Ethernet (PoE) and is powered by 5 V USB at about 120 mA.

Connecting to the Packet Squirrel

To connect to the Packet Squirrel, the device must first be wired up. To do this, follow these steps:

  1. Put the switch in position 4 to enter Arming Mode.
  2. Connect the Packet Squirrel to a computer using an Ethernet cable.
  3. Connect the Packet Squirrel to a power source.

Once the Packet Squirrel has completed the boot sequence, the green blinking LED will turn blue, indicating that it is in Arming Mode and ready for an SSH connection. Use the following default settings to connect via SSH:

  • Username: root
  • Password: hak5squirrel
  • IP Address: 172.16.32.1

LED Indicator

The Packet Squirrel has an RGB LED light to indicate various states. The different states are as follows:

  • Green blinking light: booting sequence
  • Blue blinking light: Arming Mode
  • Red blinking light: Error reading USB disk
  • Cyan light (blinking once or twice): starting payload 1 or payload 2, respectively

USB Flash Disk Support

The Packet Squirrel only supports USB flash disks formatted with the EXT4 or NTFS file systems. If a USB flash disk is formatted with FAT32 (which is the default for most USB flash disks), it will need to be reformatted.

On Windows, this can be done by right-clicking the USB flash disk in Explorer, selecting Format, choosing NTFS under File system, and pressing Start. On Linux, the following commands can be used:

  1. Locate the USB flash disk (note its device name, which replaces /dev/USB in the commands below):
    df
  2. Unmount the USB flash disk:
    sudo umount /dev/USB
  3. Format the USB flash disk with the NTFS file system:
    sudo mkfs.ntfs /dev/USB
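The three Linux steps above are easy to get wrong on a machine with several disks, and mkfs on the wrong device is not recoverable. The following script is an added example (it is not from this page or from Hak5) that wraps those steps in two checks: the target must be flagged as removable by the kernel and must not be mounted, and only the two file systems the Packet Squirrel accepts are allowed. The SYSFS_ROOT and PROC_MOUNTS variables are assumptions introduced here so the checks can be exercised without real hardware; a third argument "dry" prints the command instead of running it.

```shell
#!/bin/bash
# Added example: guarded wrapper around "df / umount / mkfs" for preparing a
# USB flash disk for the Packet Squirrel. Not part of the original page.
SYSFS_ROOT="${SYSFS_ROOT:-/sys/block}"    # overridable for testing (assumption)
PROC_MOUNTS="${PROC_MOUNTS:-/proc/mounts}" # overridable for testing (assumption)

# is_removable /dev/sdX -> 0 if the kernel flags the disk as removable
is_removable() {
    local name
    name=$(basename "$1")
    [ "$(cat "$SYSFS_ROOT/$name/removable" 2>/dev/null)" = "1" ]
}

# is_mounted /dev/sdX -> 0 if the disk or any of its partitions is mounted
is_mounted() {
    grep -q "^$1" "$PROC_MOUNTS"
}

# choose_mkfs ext4|ntfs -> prints the mkfs command for a file system the
# Packet Squirrel accepts; fails for anything else (FAT32 included)
choose_mkfs() {
    case "$1" in
        ext4) echo "mkfs.ext4" ;;
        ntfs) echo "mkfs.ntfs" ;;
        *) return 1 ;;
    esac
}

# squirrel_format /dev/sdX ext4|ntfs [dry]
# Runs the checks, then formats; with "dry" it only prints the command.
squirrel_format() {
    local dev="$1" fstype="$2" mode="${3:-run}" mkfs
    mkfs=$(choose_mkfs "$fstype") || { echo "unsupported file system: $fstype" >&2; return 2; }
    is_removable "$dev" || { echo "$dev is not a removable disk, refusing" >&2; return 3; }
    if is_mounted "$dev"; then
        echo "$dev is still mounted; run: sudo umount $dev" >&2
        return 4
    fi
    if [ "$mode" = "dry" ]; then
        echo "sudo $mkfs $dev"
        return 0
    fi
    sudo "$mkfs" "$dev"
}

# Typical use after checking the device name with df:
#   squirrel_format /dev/sdb ntfs dry   # show the command
#   squirrel_format /dev/sdb ntfs       # actually format
```

The dry run is worth keeping as a habit: it shows exactly which device would be wiped before anything irreversible happens.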

Internet Access

To access the internet, the Packet Squirrel must be connected to a network that supports DHCP and is itself connected to the internet. The Packet Squirrel obtains its network connection through its Ethernet Out port.

Firmware

Occasionally, Hak5 releases firmware updates for the Packet Squirrel with new features and security patches. Hak5 recommends keeping the Packet Squirrel up to date with the latest firmware. To install the latest firmware:

  1. Download the latest firmware update file from Hak5's download page, making sure that the file name has the form upgrade-version.bin.
  2. Copy the upgrade file to the root of a USB flash disk that is formatted with either the NTFS or EXT4 file system.
  3. Plug the USB flash disk into the powered-off Packet Squirrel and set the switch to Arming Mode (position 4).
  4. Power on the Packet Squirrel. The upgrade process will take 5-10 minutes and will be indicated by a blue flashing LED.
  5. During the firmware flashing, the LED will indicate various states: a green flashing light indicates booting up, a red/blue alternating light indicates the beginning of the firmware flash, a solid red or blue light indicates that the firmware flash is in progress, and a green flashing light indicates rebooting.
  6. Once the upgrade is complete, the Packet Squirrel will be running the latest firmware.

The settings of the Packet Squirrel can be restored to default by performing a factory reset. This will restore the Packet Squirrel to the initial configuration of the latest installed firmware. To do this, hold the push button for 7 seconds.

Payloads

Payloads are commands that are executed on the Packet Squirrel; a faulty payload has the potential to damage the device. [Hakb] To select a payload, the switch must be put in the position for the desired payload before booting:

  • Position 1: Logging Network Traffic
  • Position 2: Spoofing DNS
  • Position 3: Deployment
  • Position 4: Boot in Arming Mode and enable SSH access.

Payloads can be booted either internally from the device or externally via a USB flash drive. If a USB flash drive containing payloads is connected to the Packet Squirrel, it will be given priority over the internal payloads. If the Packet Squirrel is booted without a USB flash drive or if the USB flash drive does not contain any payloads, the internally stored payloads will be used.

Default Payloads

The Packet Squirrel comes with three pre-built payloads [DK17]:

  • tcpdump (no further configuration required)
  • DNS spoof (must be configured via SSH or SCP)
  • OpenVPN (must be configured via SSH or SCP)

Logging Network Traffic with tcpdump

This default payload does not need further configuration. It only needs a USB flash drive formatted with NTFS or EXT4 (see USB Flash Disk Support above) plugged in in order to log network traffic. The payload saves the captured traffic as pcap files in a loot folder on the USB flash drive.

Steps

  1. Plug the properly formatted USB flash disk into the USB port of the Packet Squirrel. If the Packet Squirrel cannot read the USB flash disk because it is formatted incorrectly, the LED will start flashing red.
  2. Set the switch to position 1 (far left) to select the default tcpdump payload.
  3. Connect the device whose packets are to be captured to the Packet Squirrel's Ethernet In port with an Ethernet cable. The device can be anything that has network access, such as a network printer, computer, or IP camera.
  4. Connect the network to the Packet Squirrel's Ethernet Out port.
  5. When everything is connected, power on the Packet Squirrel by connecting it to a power source with a micro USB cable. As soon as the flashing green light changes to yellow, the Packet Squirrel has booted and is ready. Immediately after boot-up it starts saving pcap files containing the packets exchanged between the network and the network device to the loot folder.
  6. When the USB flash disk runs out of space, the LED turns solid green.
  7. To stop capturing packets, push the button on top of the Packet Squirrel. The LED will flash red, indicating that the writing process has completed. The USB flash drive can now be unplugged and the pcap files analyzed with a protocol analyzer such as Wireshark. If the Packet Squirrel is unplugged before the button is pushed, the files may be corrupted or unreadable.

DNS Spoof

This default payload interrupts the communication between the target and the network by answering all DNS requests with spoofed responses that point to the Packet Squirrel's IP address. The Packet Squirrel places itself between the target and the LAN, which lets it intercept the target's DNS requests.

In order to add a DNS spoof payload containing a custom mapping to the Packet Squirrel, the switch needs to be put in Arming Mode (position 4, far right) before powering it on. The next step is to edit the file located at /root/payloads/switch2/spoofhost. This can be done via SCP or SSH. The # in that file needs to be replaced by the address that will be spoofed. After editing, the file needs to be saved, the Packet Squirrel powered off, and the switch put back in position 2.

Payloads

To start spoofing, the Packet Squirrel now needs to be connected to the network and to the network device that will be spoofed, and then powered on by connecting it to a power source via a micro USB cable. As soon as it powers on, the DNS spoof payload will run. This is indicated by the LED flashing yellow. [DK17]

The yellow flashing LED can be disabled by changing line 22 in the /root/payloads/switch2/file from LED ATTACK to LED OFF.
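The symptom this payload produces on the wire is distinctive: unrelated names all resolve to the same address. The following script is an added example for the defending side (it is not from this page or from Hak5) that looks for exactly that pattern in a list of observed DNS answers. The input format, one "name answer_ip" pair per line, and the sample data are constructed for the example; in practice the pairs would be extracted from a resolver log or a pcap.

```shell
#!/bin/bash
# Added example: flag answer addresses that are returned for many distinct
# names, the signature of a device in the path spoofing every DNS reply.
# Not part of the original page.

# dns_sinkhole_ips FILE [MIN_NAMES]
# Prints each answer IP that is returned for at least MIN_NAMES (default 3)
# distinct names, as "ip count" lines sorted by IP. Repeated lookups of the
# same name count once.
dns_sinkhole_ips() {
    local file="$1" min="${2:-3}"
    awk -v min="$min" '
        NF == 2 { seen[$2 SUBSEP $1] = 1 }          # key: ip + name, dedupes repeats
        END {
            for (k in seen) { split(k, p, SUBSEP); names[p[1]]++ }
            for (ip in names)
                if (names[ip] >= min) printf "%s %d\n", ip, names[ip]
        }' "$file" | sort
}

# write_sample FILE -> constructed answers: three different sites all resolve
# to 192.0.2.10 (a documentation address standing in for the spoofing device),
# one of them twice, plus one ordinary-looking answer for a mail host.
write_sample() {
    cat > "$1" <<'EOF'
example.com 192.0.2.10
intranet.corp.test 192.0.2.10
updates.vendor.test 192.0.2.10
example.com 192.0.2.10
mail.corp.test 10.0.0.25
EOF
}

# Usage:
#   write_sample /tmp/dns.txt && dns_sinkhole_ips /tmp/dns.txt
#   -> 192.0.2.10 3
```

A single address serving a handful of unrelated names is normal for CDNs and shared hosting, so the threshold is a starting point for investigation rather than proof; the answer set from a second, known-good resolver is the natural cross-check.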

OpenVPN

Client tunneling and remote access are the two primary capabilities offered by the OpenVPN default payload. If the switch is in the second position, the Packet Squirrel will by default offer remote access to the network. The target has to be connected to the Ethernet In port of the Packet Squirrel in order to gain access to the network connected to the Ethernet Out port of the Packet Squirrel. An OpenVPN connection will then be initiated. Before the functions can be used, a few requirements need to be met. The /root/payloads/switchfile needs to be configured correctly so that it tunnels all of the target's traffic: line 5 needs to be changed to FOR_CLIENTS=1. In either of the two modes the Packet Squirrel will enable its SSH server to provide remote access.

Server Setup

First an OpenVPN server needs to be set up. This is usually done on a virtual private server (VPS) or a dedicated server with a static IP address:

wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh

Client Setup

After the server configuration is complete, a new client certificate must be created on the server and the resulting client profile placed on the Packet Squirrel at /root/payloads/switch3/config.ovpn.

This can be achieved by SSHing into the Packet Squirrel in Arming Mode and copying the config.ovpn from the OpenVPN server via secure copy (SCP).

Deployment

Once the OpenVPN server is prepared and the client on the Packet Squirrel is set up, the switch on the Packet Squirrel must be placed in position 3. The Packet Squirrel itself needs to be put between a target and a network. An established OpenVPN connection is indicated by a flashing yellow LED. Client Tunneling mode does not need any further configuration; the VPN is used to tunnel the target's connection. If Remote Access mode is enabled, the target's internet connection does not pass through the VPN, but the VPN can be used to SSH into the Packet Squirrel. To do this, one must SSH into the VPN server and find out the Packet Squirrel's IP address on the OpenVPN network.

Payload Development

Payloads for Hak5's Packet Squirrel can be written in any text editor, in bash, Python or PHP. In order to work correctly they have to have the corresponding file extension, i.e. .sh, .py or .php. A .txt file is processed according to its interpreter's rules. Payloads must begin with an interpreter directive: bash payloads begin with the shebang #!/bin/bash and Python payloads begin with the shebang #!/usr/bin/python. In order to deploy custom payloads, the switch has to be in the corresponding position before booting.

Ducky Script for the Packet Squirrel

The payload language of Hak5 equipment is called Ducky Script. It provides several commands specific to the Packet Squirrel:

  • NETMODE sets the networking mode to NAT, BRIDGE, TRANSPARENT or VPN.
  • NETMODE BRIDGE establishes a bridge between the two Ethernet interfaces. In this mode, the Packet Squirrel as well as the target device receive IP addresses from the router of the target's network.
  • NETMODE TRANSPARENT is similar to NETMODE BRIDGE, except that the Packet Squirrel does not get an IP address from the target network's router. The Packet Squirrel will not have network access (and therefore no internet access). It can still sniff the packets between the network and the target.
  • NETMODE NAT lets the Packet Squirrel obtain an IP address from the target network's router, and the Packet Squirrel in turn provides an IP address to the target device.
  • NETMODE VPN is similar to NAT, with a special VPN interface set up for client tunneling.
  • NETMODE CLONE clones the MAC address of the target device connected to the Ethernet In port and uses it on the LAN side, i.e. on the Packet Squirrel's Ethernet Out port. The MAC address is sniffed on the Ethernet In port (target) and then set on the Ethernet Out port. For a stealthy deployment, the Packet Squirrel has to clone the target's MAC address from the Ethernet In port before the cable is plugged into the Ethernet Out port. The Packet Squirrel's LED indicates that the MAC address has been cloned successfully by blinking white for a few seconds.
  • LED controls the RGB LED. It sets the colour and pattern that signal the payload state.
  • BUTTON pauses the payload for a specified amount of time or until the button is pressed.
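The following bash payload is an added example that puts the commands above together; it is not one of Hak5's stock payloads and is not taken from this page. It implements the traffic-logging behaviour described in the tcpdump section: pass traffic through in TRANSPARENT mode, write numbered pcap files to the USB disk, signal the state with the LED, and wait for the push button so the capture is flushed to disk before the drive is pulled (the cause of the corrupted files the tcpdump section warns about). The mount point /mnt, the loot directory under it, and the br-lan capture interface are assumptions; NETMODE, LED and BUTTON exist only on the device, so the file just defines its functions when run anywhere else.

```shell
#!/bin/bash
# Added example payload (not a Hak5 payload): log traffic to numbered pcap
# files on the USB disk and stop cleanly on the push button.

LOOT_DIR="${LOOT_DIR:-/mnt/loot/tcpdump}"  # assumed: USB disk mounted at /mnt
IFACE="${IFACE:-br-lan}"                   # assumed capture interface in TRANSPARENT mode

# next_loot_file DIR -> prints DIR/dump_NNNN.pcap with the first unused number,
# so a redeployed device never overwrites an earlier capture
next_loot_file() {
    local dir="$1" n=1 candidate
    while :; do
        candidate=$(printf '%s/dump_%04d.pcap' "$dir" "$n")
        [ -e "$candidate" ] || { echo "$candidate"; return 0; }
        n=$((n + 1))
    done
}

# loot_ready DIR -> 0 if DIR exists (created if needed) and is writable.
# On the device this fails when no usable USB disk is present; the payload
# then reports the error on the LED instead of silently capturing nothing.
loot_ready() {
    mkdir -p "$1" 2>/dev/null && [ -w "$1" ]
}

run_payload() {
    local out pid
    LED SETUP
    if ! loot_ready "$LOOT_DIR"; then
        LED FAIL                        # red: no usable USB disk
        exit 1
    fi
    NETMODE TRANSPARENT                 # pass traffic through, take no IP on the LAN
    out=$(next_loot_file "$LOOT_DIR")
    tcpdump -i "$IFACE" -w "$out" >/dev/null 2>&1 &
    pid=$!
    LED ATTACK                          # capturing
    BUTTON                              # block until the push button is pressed
    kill "$pid" 2>/dev/null             # stop tcpdump ...
    wait "$pid" 2>/dev/null
    sync                                # ... and flush the file before the disk is unplugged
    LED FINISH
}

# The helper commands exist only on the Packet Squirrel; elsewhere this file
# only defines the functions above.
if command -v NETMODE >/dev/null 2>&1; then
    run_payload
fi
```

Deployed as payload.sh in the switch directory for the chosen position, this behaves like the default tcpdump payload described earlier, with the difference that the LED FAIL branch makes a missing or unreadable USB disk visible at boot rather than after the fact.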


Included Tools

The Packet Squirrel includes several tools out of the box:

  • openvpn
  • autossh
  • tcpdump
  • meterpreter-https
  • cron
  • nmap
  • ncat-ssl
  • ncat
  • sshfs
  • wget

Used Hardware

Packet Squirrel + Field Guide

References